Firewall Wizards mailing list archives

Re: Screening Outgoing Mail for Content


From: Bennett Todd <bet () mordor net>
Date: Wed, 5 Aug 1998 09:15:16 -0400

1998-08-04-10:10:41 Bruce B. Platt:
> Someone asked me to suggest a method to screen outbound mail for content.
>
> That is, to screen all messages destined outside the local domain for
> certain key words and then forward the message to an internal "censor" if it
> contains words on the "forbidden" word list.
>
> They are looking to "ensure" that outbound mail doesn't contain information
> which may compromise the interests of one of their clients if sent to
> another client. They have no internet connection, and no outbound mail as a
> consequence of this concern.

Not too hard to set up. If you aren't already doing so, you can run smap/smapd
from fwtk; Guy posted a script to log all email passing through that. Adding
on an fgrep to control whether to let it on through or shunt it aside for
human (or censor) processing would be easy.

Hope your users don't regard their email delivery as time-critical, because
any stop list encompassing enough to have a small ``miss'' rate is going to
have a ``false-hit'' rate that's probably many times the actual incident rate.

A possibility to consider instead is shunting aside a copy of all email
that passes through, for offline analysis and possible followup. That's the
approach Guy took. His results suggest that if you're clever at automating
text processing, one individual should be able to read all the ``interesting''
email for a company of a thousand or so people in a couple of hours per day.

-Bennett
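
The fgrep screening step described in the message above, together with the false-hit problem it warns about, as an added example (not part of the original post, and not Guy's script or fwtk code). It assumes one RFC 822 message per file; the function names, the domain corp.example, the stop list and the three messages are constructed for illustration.

```shell
#!/bin/sh
# Added example: fgrep-style stop-list screening of outbound mail.
# Assumes one RFC 822 message per file; all names and samples are constructed.

# Addresses from To/Cc/Bcc, including folded continuation lines.
recipients() {
    awk '/^$/ { exit }
         /^[ \t]/ { if (keep) print; next }
         { keep = (tolower($0) ~ /^(to|cc|bcc):/); if (keep) print }' "$1" |
        tr ' \t,;<>' '\n\n\n\n\n\n' | grep '@'
}

# True if any recipient is outside LOCALDOMAIN (literal, case-insensitive).
is_outbound() {
    for r in $(recipients "$1" | tr 'A-Z' 'a-z'); do
        case $r in *@"$2") ;; *) return 0 ;; esac
    done
    return 1
}

# screen_message MSG STOPLIST LOCALDOMAIN [extra grep option, e.g. -w]
# Prints "hold" (shunt to the censor) or "pass". Screens Subject and body.
# Note: an empty line in STOPLIST makes grep -f match every message.
screen_message() {
    is_outbound "$1" "$3" || { echo pass; return; }
    if { sed '/^$/q' "$1" | grep -i '^Subject:'; sed '1,/^$/d' "$1"; } |
        grep -F -i -q $4 -f "$2"; then echo hold; else echo pass; fi
}

# Constructed samples: a stop list and three messages.
make_samples() {
    printf 'bid\nacme\n' > "$1/stoplist"
    printf 'To: bob@corp.example\n\nThe Acme bid closes Friday.\n' > "$1/internal"
    printf 'To: Al <al@corp.example>,\n\tpat@client-b.example\nSubject: status\n\nAcme bid terms attached.\n' > "$1/leak"
    printf 'To: pat@client-b.example\nSubject: lunch\n\nParking in the lot is forbidden on Friday.\n' > "$1/benign"
}

# Demo: plain substring matching holds "benign" because "forbidden"
# contains "bid"; whole-word matching (-w) lets it through.
d=$(mktemp -d) && make_samples "$d"
for m in internal leak benign; do
    echo "$m: substring=$(screen_message "$d/$m" "$d/stoplist" corp.example)" \
         "word=$(screen_message "$d/$m" "$d/stoplist" corp.example -w)"
done
rm -rf "$d"
```

Whole-word matching removes only the substring class of false hits; a stop word used in an innocent sense is still held for the censor.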


