Microsoft Outlook provides the ability to create a response rule to ReDirect an email you receive to another inbox. This works similar to AutoForward except that the Original Sender, not the redirecter, remains intact. Brian ---> Jorge Who Redirects---> Julio: Julio appears to receive an email from Brian. It now appears Brian was responsible for data leakage when in fact he had nothing to do with it.
After reviewing headers I determined that Outlook 2007 does not list the redirector anywhere on the email; only the original sender appears on the header information. Outlook 2010 lists the redirector as "Resent-From:" and maintans the original sender under "From:". This option in 2010 allows us to determine which emails have been redirected by searching for keyword "Resent-From:". Our hope is to block these redirected emails from exiting the network and sending an email to the redirector informing them of this.
The issue is Symantec DLP uses "From:" (Not Resent-From:) to determine the sender and, when an incident is generated on a 2010 redirect, the incident data shows the incorrect user. This leads to the notification message being sent to the incorrect employee.
I am looking for guidance on how to address this. How do you deal with redirects in your own organization? Does DLP provide a way to change who gets displayed as the sender?
Your thoughts and comments are appreciated.