RE: email content monitoring / effectiveness

[YashPal Singh <ysingh () quark co in>]

If money is not a problem, then NetDetector can recreate all mails, web
pages , chat session and  a lot more. So u just have to put it on your
network and then you can play the way you want. It is a IDS which records
all  packets (non-intrusively) on your network.

Yash

-----Original Message-----
From: Sarbjit Singh Gill [mailto:ssgill () gilltechnologies com]
Sent: Wednesday, February 19, 2003 12:57 AM
To: James Kelly; Security-Basics
Subject: RE: email content monitoring / effectiveness


Thanks James,

Since Exchange 2000 has it's own built in OLEDB Provider, we could get the
SQL server to "LINK-UP" to the
Exchange 2000 as if it was another MS SQL server. All you have to do now is
run some scripts periodically to grab the mails from Exchange 2000 to SQL.
Best bet would be to use a DTS packages with ActiveX/COM scripts/code. This
codes/scripts could used ADO.

Cheers
Gill

-----Original Message-----
From: James Kelly [mailto:jim () essistants com]
Sent: Tuesday, February 18, 2003 2:17 PM
To: ssgill () gilltechnologies com
Subject: RE: email content monitoring / effectiveness


Yeah good call, I didn't even think of the fact that you can't replicate
the private store.  I think you hit the nail on the head with the
scripting deal, and between the two options of the other Exchange
server, or a SQL server, I think the SQL server would probably make the
better choice.  An SQL server license is slightly cheaper(to my
knowledge, its been a while since I have done purchasing, correct me if
I am wrong) then the exchange license, your not as limited space wise
(to the 16GB max of standard Exchange, and its definitely not worth
shelling out the extra cash for enterprise just for a goofy project like
this), and finally, you can probably do some pretty powerful searches
across all the email data you collect.

Good idea.

One question though, since you seem to be more familiar with the subject
then I am, what kind of structure is the private store set up in?
Basically what I'm getting at here is how are we capturing the data for
the "new email" so that we can send it to our shiny new (or old, it'll
run on some old hardware) SQL server?

Just curious, any info you know is appreciated.

Jim

-----Original Message-----
From: Sarbjit Singh Gill [mailto:ssgill () gilltechnologies com]
Sent: Monday, February 17, 2003 9:32 PM
To: James Kelly
Subject: RE: email content monitoring / effectiveness

I guess the other alternative would be to use the Event Sink
in Exchange to run scripts everytime a mail is put into the
SMTP Q for external delivery. The VBScript or VB code would
then use ADO and write the mail into a SQL server(better
capacity to hold huge data) or standalone dedicated Exchange
Server.

I don't think you can replicate the private folders(mailbox
database). You could create a mail-enabled folder in the
public tree and forward all mail copies to it. You could then
replicate this mail enabled folder to another exchange server.

I just don't like the plumbing which goes into all this
solutions for keeping a copy of all outgoing mails. :|

Anyway i guess the other alternative would be to use
a "Employee Management System" like WebSense but i am not
sure if Websense can grab all SMTP content and attributes..

Cheers
Gill

---- Original message ----
> Date: Mon, 17 Feb 2003 21:02:33 -0500
> From: James Kelly <jim () essistants com>
> Subject: RE: email content monitoring / effectiveness
> To: ssgill () gilltechnologies com
>
> Good question, I had to do this for a client once, and it
was a
> nightmare, and they only had 20 users.  They outsourced
their email
> through the same company that did their web hosting.
Implementing it
> was actually pretty easy, they had a little webmail
configuration tool,
> and you could set each account to do all kinds of things like
> autorespond, or forward mail to another box.  What we did
was set each
> account to forward to an account called "collect" and we
connected to
> the server (by POP3) and downloaded all the mail to a single
standalone
> outlook installation on a server.  We also took precautions
to keep
> archived stuff encrypted so that if someone ever hacked the
box they
> didn't have all of the company's email history in plain text
right
> there.
>
> As far as doing this with Exchange, I haven't done enough
time on
> exchange to really be an expert, but one idea would be to
have a
> standalone server runs private folder replication from the
real server.
> Now I don't know if its possible to do this, but at the same
time make
> it inactive as an actual email server per se.  It seems to
me this is a
> goofy solution though, do you think you could just create a
script to
> dump it on another machine?  We just can't forget about
protecting that
> data, maybe pass it to a server, then encrypt it in some
soft of archive
> file.  I don't really know... I'm sure somebody else on-list
can make
> some suggestions, it must have come up before.  If not, and
you do come
> up with anything, let me know.
>
> Jim
>
>
>
> -----Original Message-----
> From: Sarbjit Singh Gill
[mailto:ssgill () gilltechnologies com]
> Sent: Monday, February 17, 2003 8:17 PM
> To: James Kelly
> Subject: RE: email content monitoring / effectiveness
>
> Thanks for feedback Jim.
>
> The financial institiution i was with a few years ago, used
> to dump a copy of all outgoing mails into a dedicated
> mailbox. I did not think of the filling up issue, but
somehow
> the Exchange 5.5 never filled up. I guess the admin was
> backing up almost everyday.
>
> what if i wanted to keep a copy of every mail that has left
> the server to the internet. WOuld keeping a copy of it be
the
> only way. ?
>
>
> Kind Regards
> Gill
>
> ---- Original message ----
> > Date: Mon, 17 Feb 2003 19:47:56 -0500
> > From: James Kelly <jim () essistants com>
> > Subject: RE: email content monitoring / effectiveness
> > To: ssgill () gilltechnologies com
> >
> > You might want to be careful about keeping "copies" of mail
> on an
> > exchange server, at least when you don't have the
enterprise
> edition.  I
> > don't know which flavor your running, but while enterprise
> edition is
> > limited to your disk space, plan vanilla is limited to I
> believe 16 gigs
> > (correct me if I'm wrong in that, it's close if not exact)
> for your
> > public and private stores (that's 16 each).  Now while I
> have never
> > actually had an exchange server that was under my care fill
> up, from
> > what I understand it's a huge pain in the ass, and takes
> some doing to
> > get it going again.  Again, this may or may not be an
issue,
> depending
> > on the version of exchange that is running, and the
quantity
> of mail
> > you're seeing.  Because keeping a copy of every email will
> effectively
> > double your space used for storing email, it might be a
> better idea to
> > take messages off server, and examine them there at your
> leisure (or in
> > real time).
> >
> > Jim
> >
> >
> >
> > -----Original Message-----
> > From: Sarbjit Singh Gill
> [mailto:ssgill () gilltechnologies com]
> > Sent: Sunday, February 16, 2003 10:29 AM
> > To: security-basics () securityfocus com
> > Subject: RE: email content monitoring / effectiveness
> >
> > Greetings Lawrence,
> >
> > Why don't you just keep a copy of every mail that goes out
> from your
> > exchange into a mailbox dedicated for the job. Then run
some
> scripts to
> > check for keywords. You could use any script which can talk
> to file
> > system
> > or you could even use http WEBDav or (ASP - ADO -- SQL
> query ----
> > Exchange
> > 2k). You could then search for anything you need.
> >
> > Cheers
> > Gill
> >
> > -----Original Message-----
> > From: theog [mailto:theog () theog org]
> > Sent: Friday, February 14, 2003 5:56 AM
> > To: laurence_field () yahoo com; security-
> basics () securityfocus com
> > Subject: Re: email content monitoring / effectiveness
> >
> >
> > Try viruswall from Trend Micro http://www.antivirus.com
> > ----- Original Message -----
> > From: "laurence field" <laurence_field () yahoo com>
> > To: <security-basics () securityfocus com>
> > Sent: Wednesday, February 12, 2003 7:50 AM
> > Subject: email content monitoring / effectiveness
> >
> >
> > > I would like to get feedback on the quality/usefulness
> > > of email content monitoring tools available on the
> > > market.
> > >
> > > Our problem: We need to identify users and monitor
> > > email content (scary) as some staff are sending
> > > "gossip" to the press about our public internet system
> > > reliability, pending IPO gossip / info etc. which then
> > > escalates to professional bodies / governments whom in
> > > turn start formal investigations - all over an
> > > email!!! (we are a financial company).
> > >
> > > Our mail systems are predominately MS Exchange 2000.
> > > We are reviewing some software solutions at the moment
> > > to increase our logging of what email is going
> > > out/content etc. The volume of email is stagering and
> > > should the "bad" users be technically savvy, there
> > > seems to be no real way of catching said users who
> > > breach our security policy. Additionaly, how well do
> > > these systems work by catching key words?
> > >
> > > I recently heard of a new technology that seems
> > > smarter than just key word searches but havent been
> > > able to track it down to-date.
> > >
> > > If anybody could recommend any solutions/feedback on
> > > this issue it would be very helpful to us.
> > >
> > > Many thanks
> > >
> > > Laurence
> > >
> > > __________________________________________________
> > > Do you Yahoo!?
> > > Yahoo! Shopping - Send Flowers for Valentine's Day
> > > http://shopping.yahoo.com
>
> Sarbjit Singh Gill
> ssgill () gilltechnologies com

Sarbjit Singh Gill
ssgill () gilltechnologies com