
Outlook Redirect: Determining Sender

Created: 18 Oct 2012 • Updated: 18 Oct 2012 | 2 comments

Microsoft Outlook provides the ability to create a response rule to Redirect an email you receive to another inbox. This works similarly to AutoForward, except that the original sender, not the redirector, remains intact. Brian ---> Jorge, who redirects ---> Julio: Julio appears to receive an email from Brian. It now appears Brian was responsible for data leakage when in fact he had nothing to do with it.

After reviewing headers, I determined that Outlook 2007 does not list the redirector anywhere on the email; only the original sender appears in the header information. Outlook 2010 lists the redirector as "Resent-From:" and maintains the original sender under "From:". This option in 2010 allows us to determine which emails have been redirected by searching for the keyword "Resent-From:". Our hope is to block these redirected emails from exiting the network and send an email to the redirector informing them of this.

The issue is that Symantec DLP uses "From:" (not "Resent-From:") to determine the sender and, when an incident is generated on a 2010 redirect, the incident data shows the incorrect user. This leads to the notification message being sent to the incorrect employee.

I am looking for guidance on how to address this. How do you deal with redirects in your own organization? Does DLP provide a way to change who gets displayed as the sender?

Your thoughts and comments are appreciated.


zeeshan.mohammed1's picture

Hi,

Actually, I have a query. I installed Symantec DLP on my client's PC; after installing it, he can't access his Outlook, and the message displayed is otlk.dll. Can you please give a suggestion?

Jsneed's picture

You could write a policy that catches redirects (look in the envelope for Resent-From: and some text after it) and have them remediated with a FlexResponse plugin (or manually). In our environment we don't get very many of these, so we just handle them manually.
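
The header check discussed in this thread, as an added example that is not part of any post and not Symantec DLP or FlexResponse code: a standalone Python triage helper that reads a message, separates the "From:" sender from any "Resent-From:" redirector, and picks who a notification should go to. The sample messages, addresses and the `classify` function are constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from email.utils import getaddresses

# Constructed sample messages (not taken from the thread).
REDIRECTED = (
    "Resent-From: Jorge <jorge@example.com>\n"
    "Resent-To: julio@example.net\n"
    "From: Brian <brian@example.com>\n"
    "To: jorge@example.com\n"
    "Subject: Q3 numbers\n\nbody\n"
)
PLAIN = (
    "From: Brian <brian@example.com>\n"
    "To: julio@example.net\n"
    "Subject: Q3 numbers\n\nbody\n"
)
# Redirected twice, with a folded header; RFC 5322 prepends each new
# Resent-* block, so the topmost Resent-From is the latest redirector.
CHAIN = "Resent-From: Ana\n <ana@example.com>\n" + REDIRECTED

def _addrs(msg, header):
    """Return lower-cased addresses from every occurrence of a header."""
    values = [str(v) for v in msg.get_all(header, [])]
    return [addr.lower() for _, addr in getaddresses(values) if addr]

def classify(raw):
    """Split original sender from redirector(s) and choose who to notify."""
    msg = message_from_string(raw, policy=default)
    sender = (_addrs(msg, "From") or [None])[0]
    redirectors = _addrs(msg, "Resent-From")
    return {
        "redirected": bool(redirectors),
        "original_sender": sender,
        "redirectors": redirectors,
        # Notify the latest redirector when one is recorded. Without
        # Resent-From (the Outlook 2007 case described above) only the
        # From: address is available, so a redirect cannot be told apart.
        "notify": redirectors[0] if redirectors else sender,
    }

if __name__ == "__main__":
    for name, raw in (("redirected", REDIRECTED), ("plain", PLAIN), ("chain", CHAIN)):
        print(name, classify(raw))
```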