Data Loss Prevention

  • 1.  DLP Network Prevent for Email - detect BCC?

    Posted Jul 29, 2015 04:54 AM

    Hello,

    Is there any way that Email Prevent could detect a non-empty BCC field in a message?

    I know that it detects all E-mail addresses, regardless of which field they are in, but I would like to detect any e-mail that has an address in the BCC field.

     

    Thanks in advance.



  • 2.  RE: DLP Network Prevent for Email - detect BCC?
    Best Answer

    Posted Jul 29, 2015 10:47 AM

    Greetings,

    The nature of BCC is to not reveal the added recipients, so you are going to have a challenge creating a rule on detecting it. See below:

    https://askleo.com/how_do_i_view_the_list_of_bcced_recipients_on_an_email_ive_received/

    Now, we may not be able to hit on the field, but I am not sure if Outlook uses a flag when BCC is engaged, but the way it works is that BCC simply adds the recipient to the envelope. If (unsure) Outlook flags BCC use, you would be able to create a rule to detect that flag.

    Send 2 emails to yourself, one without a BCC, and one with, and then open them in Notepad++ (use the compare plugin). This will reveal the differences in the headers.

    How to read email headers:
    http://exchangeserverpro.com/how-to-read-email-message-headers/

    Notepad++ compare:
    http://www.davidtan.org/how-to-compare-two-text-files-using-notepad-plus/

     

    Hope this helps.

     

    Joseph

     




  • 3.  RE: DLP Network Prevent for Email - detect BCC?
    Best Answer

    Trusted Advisor
    Posted Jul 29, 2015 11:12 AM

    Sour1,

    I am not sure if this is possible, for DLP does not break down the fields in the email headers when it comes to policies.

    Though you might be able to look for a keyword of "BCC" and ONLY look in the "Header". You may need to figure out how it tags the BCC people, so it may not be BCC to look for.

    I would assume that the header BCC does not exist if it is empty. So looking for BCC in the header might mean it exists.

    I am not sure if we see the BCC or if we process it as a tag.

    Just a thought

    Good Luck

    Ronak

    IF THIS ANSWERS YOUR QUESTION PLEASE MARK THIS AS SOLVED



  • 4.  RE: DLP Network Prevent for Email - detect BCC?
    Best Answer

    Trusted Advisor
    Posted Jul 30, 2015 03:44 AM

    hello sour,

     If it were only based on the email RFC, it would be possible, as users in Bcc are linked to a specific header named Bcc (just as To is for recipients and Cc for recipients in copy of the email).

     But your issue may be that most email systems (Exchange or other systems) will transform a user in "Bcc" to a user in "To" and remove all other recipients, so that no one is able to know that there were some Bcc recipients.

     You should check that by creating a policy with a regexp rule looking for "Bcc: \w+" (or even just looking for the keyword Bcc in Headers) and then sending an email to one of your external email addresses and adding another external email address in Bcc. As usual for testing purposes, compound this rule with a very specific keyword in the body or subject so you will catch only your email, and also add a rule that will match for sure, so that your email will generate an incident and you will just have to check on which criteria it has matched (the simple one and/or not your compound rule with Bcc). You will also be able to open the original message and have a look at it.

     

     regards.



  • 5.  RE: DLP Network Prevent for Email - detect BCC?

    Posted Jul 30, 2015 05:03 AM

    Thank you everyone, all of your answers have been helpful. 

    Indeed, when analysing the email header of the BCC recipient, I found out that Exchange put the line X-MS-Exchange-Organization-Recipient-P2-Type: Bcc in the header. This wasn't found in the header of the regular (TO) recipient. 

    So in theory, DLP should be able to detect the added line in the header. I just don't know if Lotus does the same thing, so I will need to test this out in my lab, which I am not near at the moment. I will get back to you with the results.

    Regards
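
Added example, not part of the original thread: a Python sketch of the header comparison suggested in post 2 and the two header checks discussed in posts 4 and 5, useful for confirming what a captured message actually contains before writing the DLP rule. The sample messages, addresses and function names are constructed for illustration; only the regexp and the Exchange header name come from the thread.

```python
import re
from email import message_from_string

# Header name reported in post 5 for Exchange; other mail systems are untested.
P2_TYPE = "X-MS-Exchange-Organization-Recipient-P2-Type"
# Regexp from post 4, anchored to the start of a header line (an added refinement).
BCC_RULE = re.compile(r"^Bcc: \w+", re.MULTILINE | re.IGNORECASE)

# Constructed sample: the copy a normal To recipient might receive.
# The body deliberately starts with "Bcc:" to show why only headers are scanned.
TO_COPY = """\
From: alice@example.com
To: bob@example.com
Subject: dlp-bcc-test

Bcc: is not allowed for customer mail.
"""
# Constructed: the same mail as a Bcc recipient's copy, per post 5.
BCC_COPY = TO_COPY.replace("Subject:", P2_TYPE + ": Bcc\nSubject:")
# Constructed: a message that still carries a literal Bcc header.
SUBMITTED = TO_COPY.replace("Subject:", "Bcc: carol@example.net\nSubject:")


def headers_only(raw):
    """Return the header block so body text mentioning 'Bcc:' cannot match."""
    return raw.split("\n\n", 1)[0]


def bcc_indicators(raw):
    """List the reasons a message looks like it involved a Bcc recipient."""
    msg = message_from_string(raw)
    hits = []
    if BCC_RULE.search(headers_only(raw)):
        hits.append("Bcc header")
    if (msg.get(P2_TYPE) or "").strip().lower() == "bcc":
        hits.append(P2_TYPE)
    return hits


def header_diff(raw_a, raw_b):
    """Header (name, value) pairs present in raw_b but missing from raw_a."""
    seen = set(message_from_string(raw_a).items())
    return [h for h in message_from_string(raw_b).items() if h not in seen]


if __name__ == "__main__":
    for name, raw in [("to", TO_COPY), ("bcc", BCC_COPY), ("submitted", SUBMITTED)]:
        print(name, bcc_indicators(raw))
    print("only in bcc copy:", header_diff(TO_COPY, BCC_COPY))
```
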



  • 6.  RE: DLP Network Prevent for Email - detect BCC?

    Trusted Advisor
    Posted Aug 27, 2015 01:57 PM

    Please make sure to mark this as a solution to your problem, when possible.