Outlook Redirect: Determining Sender

Created: 18 Oct 2012 • Updated: 18 Oct 2012 | 2 comments

Microsoft Outlook provides the ability to create a response rule to redirect an email you receive to another inbox. This works similarly to AutoForward, except that the original sender, not the redirector, remains intact. Brian ---> Jorge, who redirects ---> Julio: Julio appears to receive an email from Brian. It now appears Brian was responsible for data leakage when in fact he had nothing to do with it.

After reviewing headers I determined that Outlook 2007 does not list the redirector anywhere on the email; only the original sender appears in the header information. Outlook 2010 lists the redirector as "Resent-From:" and maintains the original sender under "From:". This option in 2010 allows us to determine which emails have been redirected by searching for the keyword "Resent-From:". Our hope is to block these redirected emails from exiting the network and send an email to the redirector informing them of this.

The issue is that Symantec DLP uses "From:" (not "Resent-From:") to determine the sender and, when an incident is generated on a 2010 redirect, the incident data shows the incorrect user. This leads to the notification message being sent to the incorrect employee.

I am looking for guidance on how to address this. How do you deal with redirects in your own organization? Does DLP provide a way to change who gets displayed as the sender?

Your thoughts and comments are appreciated.

Comments

zeeshan.mohammed1

Hi,

Actually I have a query. I installed Symantec DLP on my client's PC; after installing, he is not able to access his Outlook, and the message displayed is otlk.dll. Can you please give a suggestion?

Jsneed

You could write a policy that catches redirects (look in the envelope for Resent-From: and some text after it) and have them remediated with a FlexResponse plugin (or manually). In our environment we don't get very many of these so we just handle them manually.
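
The header check discussed in this thread, as an added example that is not part of the original posts and is not Symantec DLP or FlexResponse code: it parses a message, reports whether a "Resent-From:" header is present, and picks the redirector rather than "From:" as the user to notify. The function name `attribute_sender`, the addresses and both sample messages are constructed for illustration; a redirect that carries no "Resent-From:" header (the Outlook 2007 behaviour described in the question) cannot be told apart from direct mail this way.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: Brian -> Jorge, whose rule redirects it to Julio
# (the Outlook 2010 header layout described in the question).
REDIRECTED = (
    "Resent-From: Jorge <jorge@example.com>\n"
    "From: Brian <brian@example.com>\n"
    "To: Jorge <jorge@example.com>\n"
    "Subject: Q3 figures\n"
    "\n"
    "body\n"
)
# Constructed sample: the same message without Resent-From
# (direct mail, or a redirect that did not record the redirector).
NO_RESENT = REDIRECTED.split("\n", 1)[1]


def _addresses(msg, header):
    """Lower-cased addresses from every occurrence of `header`, top to bottom."""
    values = msg.get_all(header, [])
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def attribute_sender(raw_message):
    """Return who wrote the message and who should be notified about it."""
    msg = message_from_string(raw_message)
    original = _addresses(msg, "From")
    resent = _addresses(msg, "Resent-From")
    original_sender = original[0] if original else None
    # RFC 5322: each resend prepends its own Resent-* block, so the first
    # Resent-From in the header section is the most recent redirector.
    responsible = resent[0] if resent else original_sender
    return {
        "original_sender": original_sender,
        "responsible_sender": responsible,
        "redirected": bool(resent),
    }


if __name__ == "__main__":
    for label, raw in (("redirected", REDIRECTED), ("no Resent-From", NO_RESENT)):
        print(label, attribute_sender(raw))
```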