Security Basics mailing list archives
RE: email content monitoring / effectiveness
From: YashPal Singh <ysingh () quark co in>
Date: Thu, 20 Feb 2003 09:33:55 +0530
If money is not a problem, then NetDetector can recreate all mails, web pages, chat sessions and a lot more. So you just have to put it on your network and then you can play the way you want. It is an IDS which records all packets (non-intrusively) on your network.

Yash

-----Original Message-----
From: Sarbjit Singh Gill [mailto:ssgill () gilltechnologies com]
Sent: Wednesday, February 19, 2003 12:57 AM
To: James Kelly; Security-Basics
Subject: RE: email content monitoring / effectiveness

Thanks James,

Since Exchange 2000 has its own built-in OLEDB Provider, we could get the SQL server to "LINK-UP" to the Exchange 2000 as if it was another MS SQL server. All you have to do now is run some scripts periodically to grab the mails from Exchange 2000 to SQL. Best bet would be to use DTS packages with ActiveX/COM scripts/code. This code/script could use ADO.

Cheers
Gill

-----Original Message-----
From: James Kelly [mailto:jim () essistants com]
Sent: Tuesday, February 18, 2003 2:17 PM
To: ssgill () gilltechnologies com
Subject: RE: email content monitoring / effectiveness

Yeah good call, I didn't even think of the fact that you can't replicate the private store. I think you hit the nail on the head with the scripting deal, and between the two options of the other Exchange server, or a SQL server, I think the SQL server would probably make the better choice. An SQL server license is slightly cheaper (to my knowledge, it's been a while since I have done purchasing, correct me if I am wrong) than the Exchange license, you're not as limited space-wise (to the 16GB max of standard Exchange, and it's definitely not worth shelling out the extra cash for enterprise just for a goofy project like this), and finally, you can probably do some pretty powerful searches across all the email data you collect. Good idea.

One question though, since you seem to be more familiar with the subject than I am, what kind of structure is the private store set up in? Basically what I'm getting at here is how are we capturing the data for the "new email" so that we can send it to our shiny new (or old, it'll run on some old hardware) SQL server? Just curious, any info you know is appreciated.

Jim

-----Original Message-----
From: Sarbjit Singh Gill [mailto:ssgill () gilltechnologies com]
Sent: Monday, February 17, 2003 9:32 PM
To: James Kelly
Subject: RE: email content monitoring / effectiveness

I guess the other alternative would be to use the Event Sink in Exchange to run scripts every time a mail is put into the SMTP Q for external delivery. The VBScript or VB code would then use ADO and write the mail into a SQL server (better capacity to hold huge data) or standalone dedicated Exchange Server. I don't think you can replicate the private folders (mailbox database). You could create a mail-enabled folder in the public tree and forward all mail copies to it. You could then replicate this mail-enabled folder to another Exchange server. I just don't like the plumbing which goes into all these solutions for keeping a copy of all outgoing mails. :|

Anyway I guess the other alternative would be to use an "Employee Management System" like WebSense but I am not sure if Websense can grab all SMTP content and attributes.

Cheers
Gill

---- Original message ----
Date: Mon, 17 Feb 2003 21:02:33 -0500
From: James Kelly <jim () essistants com>
Subject: RE: email content monitoring / effectiveness
To: ssgill () gilltechnologies com

Good question, I had to do this for a client once, and it was a nightmare, and they only had 20 users. They outsourced their email through the same company that did their web hosting. Implementing it was actually pretty easy, they had a little webmail configuration tool, and you could set each account to do all kinds of things like autorespond, or forward mail to another box. What we did was set each account to forward to an account called "collect" and we connected to the server (by POP3) and downloaded all the mail to a single standalone Outlook installation on a server. We also took precautions to keep archived stuff encrypted so that if someone ever hacked the box they didn't have all of the company's email history in plain text right there.

As far as doing this with Exchange, I haven't done enough time on Exchange to really be an expert, but one idea would be to have a standalone server run private folder replication from the real server. Now I don't know if it's possible to do this, but at the same time make it inactive as an actual email server per se. It seems to me this is a goofy solution though, do you think you could just create a script to dump it on another machine? We just can't forget about protecting that data, maybe pass it to a server, then encrypt it in some sort of archive file. I don't really know... I'm sure somebody else on-list can make some suggestions, it must have come up before. If not, and you do come up with anything, let me know.

Jim

-----Original Message-----
From: Sarbjit Singh Gill [mailto:ssgill () gilltechnologies com]
Sent: Monday, February 17, 2003 8:17 PM
To: James Kelly
Subject: RE: email content monitoring / effectiveness

Thanks for feedback Jim.

The financial institution I was with a few years ago used to dump a copy of all outgoing mails into a dedicated mailbox. I did not think of the filling up issue, but somehow the Exchange 5.5 never filled up. I guess the admin was backing up almost every day.

What if I wanted to keep a copy of every mail that has left the server to the internet? Would keeping a copy of it be the only way?

Kind Regards
Gill

---- Original message ----
Date: Mon, 17 Feb 2003 19:47:56 -0500
From: James Kelly <jim () essistants com>
Subject: RE: email content monitoring / effectiveness
To: ssgill () gilltechnologies com

You might want to be careful about keeping "copies" of mail on an Exchange server, at least when you don't have the enterprise edition. I don't know which flavor you're running, but while enterprise edition is limited to your disk space, plain vanilla is limited to I believe 16 gigs (correct me if I'm wrong in that, it's close if not exact) for your public and private stores (that's 16 each). Now while I have never actually had an Exchange server that was under my care fill up, from what I understand it's a huge pain in the ass, and takes some doing to get it going again. Again, this may or may not be an issue, depending on the version of Exchange that is running, and the quantity of mail you're seeing. Because keeping a copy of every email will effectively double your space used for storing email, it might be a better idea to take messages off server, and examine them there at your leisure (or in real time).

Jim

-----Original Message-----
From: Sarbjit Singh Gill [mailto:ssgill () gilltechnologies com]
Sent: Sunday, February 16, 2003 10:29 AM
To: security-basics () securityfocus com
Subject: RE: email content monitoring / effectiveness

Greetings Lawrence,

Why don't you just keep a copy of every mail that goes out from your Exchange into a mailbox dedicated for the job. Then run some scripts to check for keywords. You could use any script which can talk to file system or you could even use http WEBDav or (ASP - ADO -- SQL query ---- Exchange 2k). You could then search for anything you need.

Cheers
Gill

-----Original Message-----
From: theog [mailto:theog () theog org]
Sent: Friday, February 14, 2003 5:56 AM
To: laurence_field () yahoo com; security-basics () securityfocus com
Subject: Re: email content monitoring / effectiveness

Try viruswall from Trend Micro http://www.antivirus.com

----- Original Message -----
From: "laurence field" <laurence_field () yahoo com>
To: <security-basics () securityfocus com>
Sent: Wednesday, February 12, 2003 7:50 AM
Subject: email content monitoring / effectiveness

I would like to get feedback on the quality/usefulness of email content monitoring tools available on the market.

Our problem: We need to identify users and monitor email content (scary) as some staff are sending "gossip" to the press about our public internet system reliability, pending IPO gossip / info etc. which then escalates to professional bodies / governments who in turn start formal investigations - all over an email!!! (we are a financial company).

Our mail systems are predominately MS Exchange 2000. We are reviewing some software solutions at the moment to increase our logging of what email is going out/content etc. The volume of email is staggering and should the "bad" users be technically savvy, there seems to be no real way of catching said users who breach our security policy.

Additionally, how well do these systems work by catching key words? I recently heard of a new technology that seems smarter than just key word searches but haven't been able to track it down to date.

If anybody could recommend any solutions/feedback on this issue it would be very helpful to us.

Many thanks
Laurence

Sarbjit Singh Gill ssgill () gilltechnologies com
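
The keyword-checking script suggested in the thread, and the question of how well keyword matching works, sketched as an added example (not code from any poster in the thread). The watch list, addresses and sample message are constructed; the point shown is that matching on the stored raw message misses a base64-encoded body, so the script has to MIME-decode each archived copy first.

```python
import base64
import email
import re
from email import policy

# Hypothetical watch list; the thread names no specific keywords.
KEYWORDS = ["ipo", "outage"]
PATTERN = re.compile(r"\b(" + "|".join(map(re.escape, KEYWORDS)) + r")\b", re.I)

def text_parts(msg):
    """Yield the decoded subject and the decoded text of every text/* part."""
    yield str(msg.get("Subject", ""))
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            try:
                yield part.get_content()  # undoes base64 / quoted-printable
            except (LookupError, UnicodeError):
                # Unknown or wrong charset: fall back to a lossless byte mapping.
                yield part.get_payload(decode=True).decode("latin-1")

def scan(raw_bytes):
    """Return (sender, sorted keyword hits) for one archived message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = set()
    for text in text_parts(msg):
        hits.update(m.lower() for m in PATTERN.findall(text))
    return str(msg.get("From", "")), sorted(hits)

def naive_scan(raw_bytes):
    """Keyword match on the raw stored bytes, with no MIME decoding."""
    return sorted({m.lower() for m in PATTERN.findall(raw_bytes.decode("latin-1"))})

# Constructed sample: an innocuous subject with a base64-encoded body.
BODY = "Heard the IPO is delayed after the outage last night."
SAMPLE = (
    "From: staff@example.com\r\n"
    "To: reporter@example.net\r\n"
    "Subject: lunch?\r\n"
    "MIME-Version: 1.0\r\n"
    "Content-Type: text/plain; charset=utf-8\r\n"
    "Content-Transfer-Encoding: base64\r\n"
    "\r\n" + base64.b64encode(BODY.encode()).decode() + "\r\n"
).encode()

if __name__ == "__main__":
    print("decoded scan:", scan(SAMPLE))
    print("raw scan:    ", naive_scan(SAMPLE))
```

Attachments that are not text/* (documents, archives, images) are not inspected by this sketch and would need their own extraction step.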