I am after some advice. We are currently implementing the DLP policy engine for all of our outbound messages and have had very good success with some of the policies, but there is one that is not producing the results that we would have expected.
The Transmission of Contact Information policy is based on the description "Identifies email transmissions that contain contact information, such as employee or customer names, addresses or email addresses."
However, we are finding that it is not picking up customer data; it is just picking up email signatures. We have made changes to which severities it blocks (Critical only), but it doesn't seem to make a difference.
We have it as the last policy to be applied, so it may be that other policies are picking things up before this, but we can't turn it to block if it is going to stop emails based purely on the signature.
Has anyone else out there had similar issues or advice for this?
What surprises me a bit is that you write the classifier only matches on signatures. Indeed, the Contact Information classifier looks for data that appears to contain names, addresses, etc. But since many emails contain this information in the signature, the classifier requires *more than one* contact in the text before it triggers. Maybe in your case the positive matches were messages replied back and forth and therefore containing multiple addresses? In any case, if you want to test that policy/classifier, please use a message that contains at least three addresses. It does not matter if these addresses are valid or use national/international formatting; I have tested with addresses from the US/UK/Germany/Australia/Russia etc. and they were all detected without problems.
On another note, we have configured the Contact policy to only action on Critical severities; it does nothing with all the other severities.
I just want to run through a scenario: if I were to have the Contact policy as the 3rd policy, actioning only on Critical severities, and one of our users sends an email with enough contact details to trigger the Medium severities and also some DVLA numbers.
As the message has already triggered the Contact policy, albeit with no action taken on the message, would the message still be passed to the DVLA policy further down the list, or would the message be delivered?
DLP will always check all DLP policies that you have enabled for a certain mail policy the sender/recipient hits. The reason behind that is that every DLP policy can be configured for a specific action, i.e. deliver, quarantine, or drop. Using "Deliver" can have multiple reasons, e.g. enabling encryption of a message, redirecting to an alternate host, sending a notification, etc. However, delivery will not skip the other policies (unlike what you know from content filters), and if another match occurs on these other policies, their actions will be used accordingly. This also means that if you have one policy set to deliver on a positive match, and all other policies set to quarantine or drop, the most restrictive action will be used; so even if a positive match occurs on the policy where you deliver, a second match on the other policies would mean that the message gets quarantined or dropped.
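The two behaviours described in this thread (the contact classifier needing more than a single signature address, and every enabled policy being evaluated with the most restrictive action winning) can be modelled in a few lines. This is an added illustration, not Cisco's DLP code: the severity thresholds, the email/card heuristics and the deliver < quarantine < drop ranking are all assumptions made for the model.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

# Assumed ranking of actions by restrictiveness (higher wins); the product's own ordering is not on the page.
ACTION_RANK = {"deliver": 0, "quarantine": 1, "drop": 2}
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")

@dataclass
class Policy:
    name: str
    classify: Callable[[str], Optional[str]]  # severity of the match, or None for no match
    min_severity: str                          # act only at this severity or above
    action: str

def contact_info(text: str) -> Optional[str]:
    # Model of the Contact Information classifier: a lone signature address is not enough.
    n = len(set(EMAIL_RE.findall(text)))
    return None if n < 2 else ("critical" if n >= 3 else "medium")

def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def card_number(text: str) -> Optional[str]:
    # Model of the PCI-DSS classifier: a 16-digit group that passes the Luhn check.
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            return "critical"
    return None

def evaluate(message: str, policies: List[Policy]) -> Tuple[str, List[Tuple[str, str]]]:
    # Every enabled policy is checked; the most restrictive action among the hits decides.
    hits = [(p.name, p.action) for p in policies
            if (s := p.classify(message)) and SEVERITY_RANK[s] >= SEVERITY_RANK[p.min_severity]]
    final = max((a for _, a in hits), key=ACTION_RANK.__getitem__, default="deliver")
    return final, hits

# Constructed sample policies and messages (not real customer data).
POLICIES = [Policy("Contact Information", contact_info, "critical", "quarantine"),
            Policy("PCI-DSS", card_number, "critical", "drop")]
SIGNATURE_ONLY = "Hi Bob, see attached.\n-- Alice, alice@example.com"
TWO_CONTACTS_AND_CARD = "Customers: bob@example.com, carol@example.net. Card 4111 1111 1111 1111."
```

With these samples the signature-only mail is delivered with no hits, while the two-contact mail falls below the Critical threshold on the contact policy yet is still dropped by the PCI-DSS policy further down the list.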
Thanks for that, I was hoping this was the case. However, I am now confused.
When we set up the DLP policies originally, we wanted to ensure that emails that were being sent securely were excluded from any DLP scanning. To that end we set up a content rule that inserts a message tag.
We then set up a DLP rule called DLP Ignore that filters messages if the tag is present and looks for the message tag we added in the rule. Based on what the support engineer was telling us, this had to be the first rule, as DLP works on a first match only.
Based on what you have told me, I would therefore expect that if a message contained a credit card number and relevant details, and therefore triggered the PCI-DSS policy that then bounces the message, then even if it was marked as being sent securely and had the message tag added, the message should be bounced, as "Bounce" is more restrictive than "Deliver".
Unless, of course, the "Filter Message Tags" option does something that overrides the fact that the message should be scanned by the other policies.