Using IronPort c series to find SSN social security numbers

Unanswered Question
Jul 17th, 2010

We have IronPort C-series, M-series, and IEA appliances and are currently manually encrypting e-mails with the [send secure] subject string. All of that is working great. What we are now looking at is using the SSN smart tag in a content filter to start cleaning up our outgoing e-mails. Currently I only have 'notify' as an action so that we can see where and how much of a problem we have. That has run for a while and now we are getting ready to start possibly bouncing the mail back to the sender or automatically encrypting the outgoing e-mail with our IEA appliances. The question that I have is currently not all of our internal users are licensed for the IEA so I can't just encrypt everything that the SSN smart tag finds. OK, so I can bounce the e-mail back to the users that are not licensed... Sounds good... well, what about false positives? How do they get the e-mail sent that IronPort is stopping because of SSN false positives?

I've thought of a couple of ideas but would be interested in hearing what the other admins have come up with that works for them. THANKS.

OH, does anyone know where CISCO put the old Knowledgebase? I thought there was some great information there.

Jason

exMSW4319 Wed, 07/21/2010 - 00:07

Can't help regarding your main question, but the KB is now hidden under the main Cisco support page:

   http://www.cisco.com/web/ironport/index.html

My forum credentials work, but I may have repeated them if I signed up separately for Cisco support.

Once in, I get the URL

   http://ironport.custhelp.com/cgi-bin/ironport.cfg/php/enduser/std_alp.php?

which rather suggests it's the same old KB, 64 pages of 20 answers each. The style is also the same as of yore, but other features may be missing.

The documentation, for example, is now in the main Cisco Support columns. All of the manuals, release notes and CLI references appear to be there, though I'm not seeing the same level of coverage for AsyncOS much before 6.5.

Alternatively try http://www.ironport.com/support/email_letter.html as a starting page.

Andreas Mueller Wed, 07/21/2010 - 01:27

Hello Jason,

two possible solutions here I can think of right now, depending on the number of not licensed users you are talking about. Solution #1 would be to create an outbound mail policy which has only sender addresses (list or LDAP group) as members that are not licensed for the IEA. So in this policy you can either disable the normal SSN filter, or use the one that only sends out notifications.  Solution #2 would be a dictionary with all the affected senders, and a content filter checking for these senders, with a delivery/skip all following filters action if it matches (as you will still have the normal SSN filter in place).

Hope that helps,

Andreas

Jason Meyer Wed, 07/21/2010 - 08:07

Thanks to both of you for your input.

Anyone else filtering on SSN numbers have any success stories or gotchas to share?

Jason Meyer Thu, 07/22/2010 - 12:19

OK, I'm continuing to work through setting up social security numbers and have found that the smart identifier is working pretty accurately.  It has yet to have a false positive.

My question, I do not see a way to scan the subject header with a smart identifier, is this true? Sadly, we do have users who are putting social security numbers in the subject field of outgoing e-mails. HELP?

Jason

Christopher Smith Fri, 07/23/2010 - 12:37

Hi Jason,

Currently the Smart ID function does not support scanning the subject or subject header for information. I would be glad to open a feature request so that this functionality can be considered for addition to an upcoming release.

Christopher C Smith

CSE
Cisco IronPort Customer Support 

Andreas Mueller Mon, 07/26/2010 - 07:22

Hello Jason,

indeed smart identifiers in the subject are not yet supported, the only workaround I'd think of is the use of a regular expression. Before the SSN identifier became available, I used the regexes below to identify SSNs:

For message filters (subject ==), use:

(^|\\s)[0-7][0-9]{2}[\\.\\- ]?[0-9]{2}[\\.\\- ]?[0-9]{4}($|\\s)

For content filters (subject contains) use:

(^|\s)[0-7][0-9]{2}[\.\- ]?[0-9]{2}[\.\- ]?[0-9]{4}($|\s)

Of course the results will not be 100% accurate due to the nature of SSNs, most of the false positives are usually international telephone numbers. So a quarantine or bounce action would be appropriate for such filters.

Regards, Andreas
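
Added example, not part of the thread: a Python check of the content-filter regex posted above against constructed subject lines, beside a hypothetical stricter pattern (`STRICT`, an assumption of this example, not an IronPort feature) that requires matching separators and rejects number ranges never issued as SSNs. It assumes Python's `re` module handles these constructs the same way the appliance's regex engine does.

```python
import re

# Content-filter form of the pattern from the post above (single backslashes).
POSTED = re.compile(
    r"(^|\s)[0-7][0-9]{2}[\.\- ]?[0-9]{2}[\.\- ]?[0-9]{4}($|\s)"
)

# Hypothetical stricter variant (not from the thread):
#  - digit boundaries instead of whitespace, so trailing punctuation is fine
#  - a separator is mandatory and must be the same in both positions (\2)
#  - area 000, 666 and 9xx, group 00 and serial 0000 are rejected
STRICT = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)(\d{3})([-. ])(?!00)(\d{2})\2(?!0000)(\d{4})(?!\d)"
)

# Constructed subject lines; none of them contains a real SSN.
SAMPLES = {
    "delimited": "Re: claim for 123-45-6789",
    "no_delimiter": "Re: claim for 123456789",
    "trailing_punct": "His SSN is 123-45-6789.",
    "phone": "Tel. 030 12 3456 (office)",
    "never_issued": "Order 000-12-3456 shipped",
}


def classify(subject):
    """Return which of the two patterns fire on one subject line."""
    return {
        "posted": bool(POSTED.search(subject)),
        "strict": bool(STRICT.search(subject)),
    }


def report():
    """Classify every constructed sample."""
    return {name: classify(text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, result in report().items():
        print(f"{name:15} posted={result['posted']!s:5} strict={result['strict']}")
```

The phone-style line fires on both patterns, which is why a quarantine or bounce action with manual release suits a regex-based filter better than a silent drop.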

Jason Meyer Tue, 07/27/2010 - 07:35

Thanks Andreas, I really appreciate the input and the sample reg.ex. code.

Long live the IronPort Nation!

Jason

Jason Meyer Thu, 06/02/2011 - 08:16

So we have begun bouncing e-mails with SSNs in the body or attachments of e-mails and so far so good. One of our staff tested the filter by putting in an SSN with no spaces or blanks... like 123456789 and the filter did not catch it. My explanation to them was that with just a nine digit number there would be too many false positives... Correct?

Christopher Smith Thu, 06/02/2011 - 08:36

Hi Jason,

You are correct. Without the use of a delimiter there would be a much higher number of false positives. This is because we would not be able to distinguish this number from any other 9 digit number. There has to be some form of separator.

Christopher C Smith

CSE
Cisco IronPort Customer Support 

tbundy812 Thu, 06/02/2011 - 11:59

We bounce and quarantine a copy of anything with SSN. When a user calls, I release the Quarantined copy, and all is well. If you have too many users, this might be a pain tho...

I use outbound mail content filters and reg-ex. You have to have a regex that includes multiple separators. I use these again for subject fields. While these are not perfect, they work quite well with very low false positives. You could continue to make more RegEx's but these seem to work for me.

Message Body or Attachment body-contains("*ssn", 1)
Message Body or Attachment body-contains("[0-9][1-9][1-9]\[0-9][1-9]\[0-9][0-9][0-9][1-9]\W",  1)
Message Body or Attachment body-contains("[0-9][1-9][1-9]/[0-9][1-9]/[0-9][0-9][0-9][1-9]\W", 1)
Message Body or Attachment body-contains("[0-9][1-9][1-9]\\[0-9][1-9]\\[0-9][0-9][0-9][1-9]\W",  1)
Message Body or Attachment body-contains("[0-9][1-9][1-9]\.[0-9][1-9]\.[0-9][0-9][0-9][1-9]\W",  1)

Message Body or Attachment body-contains("[0-9][1-9][1-9]\-[0-9][1-9]\-[0-9][0-9][0-9][1-9]\W",  1)

Here is the subject field example, I have subject field filters with identical RegEx to the filters above. All of these I put in one content filter and apply to outbound email. I also look for other items of interest, such as CC and Contract numbers.

Subject Header subject == "[0-9][1-9][1-9]\[0-9][1-9]\[0-9][0-9][0-9][1-9]\W"
