Outbound Filter Help

My apologies up front. I am brand new to Ironport appliances.

I have 2 C350's working in a cluster. All inbound filters are working great. I want to take advantage of the outbound content filters to monitor for credit card numbers in messages. The problem have is that we send out order information to customers regarding their purchases. The order number is a 16 digit value that will in some cases pass a mod10 check, but hardly ever begin with the known credit card prefixes.

The problem in a nutshell:
1) Order number is a 16 digit value which appears in the subject and body.
2) The words "credit" and "card" appear in the body.

I need to create a filter that will catch legit credit card numbers, and not trigger in the order emails.

Any help is greatly appreciated. I will continue to read through the adv. user manual and forum posting.

Thanks in advance!

Ismael

11 Replies

Looks like I am making progress by creating 2 separate content filters to address my problem.

Basically, one content filter dedicated to the orders messages and one for all other senders. The threshold is higher on the orders messages. Seems to be working so far.

Can anyone tell me if the Credit Card smart filter contains dictionary terms built in to detect the words "credit" and "card" or is it just checking value length and check digit validation?

kluu_ironport
Level 2

Here is a link to a SupportPortal KnowledgeBase article that gets into more detail on how Smart Identifiers match things:

How Smart identifiers work

http://tinyurl.com/5vlanw


Concerning your question though, it looks like the Credit card number smart identifier only looks at the number regex. If you want the words "credit" and "card", you would need to have those keywords in another file and add an additional condition that compares this.


Thanks Kluu - I just finished reading through that article. It appears that many of the false positives I was receiving are dying down. I have a threshold set to 4 for messages coming from the orders sender, so I should be good.

Am I correct in assuming the following:
1) a 16 digit value starting with a 4 will score a value of 2 in the filter (prefix starting with 4, and it is a 16 digit value)
2) the value passes a mod 10 to score a value of 1
3) Total score against the message = 3.
4) Threshold is set to 4, so the filter will not trigger an alert.

Thanks for the help...

Doc_ironport
Level 1

 The order number is a 16 digit value that will in some cases pass a mod10 check, but hardly ever begin with the known credit card prefixes.


The Credit Card number smart identifier does use the prefix to determine if it's a valid CC number, not just the mod10 rule.

The problem is that whilst some vendors are specific about the numbers their cards start with (eg, Discover, which always starts with 6011), others are less specific (Mastercard always starts with 51-55) and some are very vague (Visa starts with a 4).

So we have to presume that any 16 digit number that starts with a 4 and passes the mod10 check is a valid CC number. It's possible that no merchant has ever actually put out a card starting with (say) 4000, but as we're following the rules Visa publish we have to presume that's a valid prefix.

One option you have is to break out your order number differently from a credit card number. eg, instead of using either:
1234567890123456 or 1234 5678 9012 3456
(both of which look like CC numbers) print it as something like:
12345678 90123456 or 123 456 789 012 3456

In order to reduce the number of false positives we only detect numbers written as you would expect a credit card number to be. Break the number out differently and the smart identifier will let it past.

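A worked check of the rules Doc describes above (a 16-digit number written in card layout, an issuer prefix, and the mod10 check digit), which also exercises the prefix/mod10 combination asked about earlier in the thread. This is an added example written for this page, not IronPort's smart identifier code: the layout rule (16 contiguous digits or 4-4-4-4 groups) and the prefix list (Visa 4, MasterCard 51-55, Discover 6011) are taken from the post above, while the regex, the `scan` function, the decision that all three checks must pass, and the sample messages are my own assumptions and constructed data.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import List, Optional

# Candidate pattern (my assumption of the layout rule in the post above):
# 16 digits either contiguous or as four groups of four with one consistent
# separator (space or hyphen). The backreference \2 forces the same separator
# between every group, so "12345678 90123452" is not a candidate at all.
CARD_FORMAT = re.compile(
    r"(?<![\d-])(\d{4})([ -]?)(\d{4})\2(\d{4})\2(\d{4})(?![\d-])"
)


def luhn_ok(digits: str) -> bool:
    """Mod10 (Luhn) check digit validation over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def issuer_prefix(digits: str) -> Optional[str]:
    """Issuer for the prefixes named in the thread; None if no known prefix."""
    if digits.startswith("6011"):
        return "discover"
    if digits[:2] in {"51", "52", "53", "54", "55"}:
        return "mastercard"
    if digits.startswith("4"):
        return "visa"
    return None


@dataclass
class Finding:
    matched: str            # text as it appeared in the message
    digits: str             # the 16 digits with separators removed
    issuer: Optional[str]   # issuer from the prefix, or None
    luhn: bool              # mod10 result

    @property
    def is_card(self) -> bool:
        # Assumption for this example: layout, prefix and mod10 must all hold.
        return self.issuer is not None and self.luhn


def scan(text: str) -> List[Finding]:
    """Every 16-digit run in card layout, annotated with prefix and mod10 results."""
    findings = []
    for m in CARD_FORMAT.finditer(text):
        digits = "".join(m.group(i) for i in (1, 3, 4, 5))
        findings.append(Finding(m.group(0), digits, issuer_prefix(digits), luhn_ok(digits)))
    return findings


def card_numbers(text: str) -> List[str]:
    """Digit strings that pass all three checks."""
    return [f.digits for f in scan(text) if f.is_card]


# Constructed sample messages (not from the original thread).
# Order number 1234 5678 9012 3452 passes mod10 but has no known prefix.
ORDER_MAIL = (
    "Subject: Your order 1234 5678 9012 3452\n"
    "Thanks for your purchase. Order number 1234 5678 9012 3452 has shipped.\n"
    "Your credit card will be charged on dispatch.\n"
)
# The same order number printed in Doc's alternative layout: not even a candidate.
ORDER_MAIL_REFORMATTED = ORDER_MAIL.replace("1234 5678 9012 3452", "12345678 90123452")
# 4111 1111 1111 1111 is the standard Visa test number: prefix 4 and mod10-valid.
LEAK_MAIL = "Please bill 4111-1111-1111-1111, expiry 01/10, to close the ticket.\n"


if __name__ == "__main__":
    for name, mail in [("order", ORDER_MAIL),
                       ("order reformatted", ORDER_MAIL_REFORMATTED),
                       ("leak", LEAK_MAIL)]:
        print(name, [(f.matched, f.issuer, f.luhn, f.is_card) for f in scan(mail)])
```

Run stand-alone, the script shows the order mail producing a candidate that fails only on prefix, the reformatted order mail producing no candidate, and the leak mail producing one hit that passes every check; that is the difference the filter threshold in the thread is trying to capture.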
Excellent Doc...Much appreciated...

I'll see what I can do to get the business units to make a change on their side, but I expect to get a negative response. I am making head way reducing the false positives by creating multiple content filters to process the messages.

So far so good...

Thanks!

kluu_ironport
Level 2

Also, in this testing / evaluation phase, I'd recommend for your action that you quarantine it to a system quarantine (i.e. Policy quarantine or one that you create yourself) so that you can review what it had matched on and make adjustments accordingly. Also, maybe send yourself an alert when the event occurs.

The only action that takes place is to Notify a distribution list with the attached message so it can be evaluated. I haven't started looking at the quarantine features, but will start now that you mentioned it!! :lol:

kluu_ironport
Level 2

You have two options w/ the quarantine:

1. quarantine the msg to the system quarantine (i.e. Policy)

2. quarantine-copy

In the quarantine action, there is a checkbox for a Copy command. It does two things:

In addition to letting the message continue like normal, it will create a second copy of the message that will get quarantined to the System quarantine.

The system quarantine (i.e. Policy) is only accessible by the admin of the IronPort appliance. The sender/recipient won't know about it.

Erich_ironport
Level 1

The local quarantine is useful due to the fact it highlights the matched content.

You can also use the $MatchedContent action variable in your notification to see exactly what matched.

Erich

Quick Update. I have run into some problems correctly identifying the credit card numbers in outbound messages. So much so that I got Ironport support involved.

I set up action to send the messages to the system quarantine so I could review them. Some of the messages that were triggering the filter did not have one number in the body (I was only evaluating the body) which was really troubling. There was nothing there to be highlighted for review, yet the message ended up in quarantine.

After looking over the issue, Ironport support had me enable remote access so they could investigate further. I am running the latest release of Async OS. I have not had an update from support since I left the office (4PM CST).

I'll continue to update this post as I receive answers. Has anyone else seen the credit card smart filter trigger an alert when there is no numeric value in the message?

Ismael

kluu_ironport
Level 2

If the message body had HTML code or an Excel/PDF, there may be a possibility that the data contained a random string of 16 digits separated by spaces.
