Data Loss Prevention

  • 1.  custom attributes for email incidents

    Posted Oct 20, 2017 04:27 AM

    Hello Team,

    It's my first post so let me say hello!

    Could you please advise on the scenario below:

    1. User sends an email on behalf of a shared mailbox.

    2. Network Prevent for Email detects a violation and blocks the message from being sent outside.

    How to find who the real violator is? - I was thinking of additional headers, but it seems X-Headers are not taken from the message, so this cannot be used.

     

    I would appreciate your comments.

     



  • 2.  RE: custom attributes for email incidents

    Trusted Advisor
    Posted Oct 20, 2017 08:28 PM

    Hi,

    There are two possible scenarios:

    - if the shared mailbox has only the "send on behalf" privilege, DLP will be able to identify the real sender without doing anything special (there is a header dedicated to that in the SMTP protocol: Sender)

    - if the shared mailbox has the "send as" privilege, the one where you usually don't have any clue who really sent the message because SMTP does not track the real sender, it will be much more complicated:

        - if this always happens with the same policy, try to switch it to endpoint level if you can. That way you will have the Windows login used to send the email

        - if you have a full and up-to-date referential of workstation IP addresses, you can use it to identify who the real sender is. You may add this parameter and this referential as a source for your plugin which computes user identity

        - you could always ask the messaging team for an investigation if it is a one-time case

     

    Regards



  • 3.  RE: custom attributes for email incidents

    Posted Oct 23, 2017 01:22 PM

    Hello Stephane, thank you for your answer.

    I was mostly focused on how to populate the sender email when the Send As permission is used.

    With regards to:

    - IP Database 

    for SMTP traffic the IP address of the sender is not passed to the lookup plugin, so it can't be used.

     

    - Send on behalf permission,

    If I am not mistaken, Symantec DLP takes the user email address from the "From:" header. Could you please shed more light on how it will work for Send on Behalf messages where the "Sender:" header is indeed present? According to RFC 5322 the "sender:" header will contain the real user who sent the message, but I am not sure how to pass this to a lookup plugin?

    Regards,
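
The "From:" versus "Sender:" distinction discussed in this thread, as an added example that is not part of any post and is not Symantec DLP lookup plugin code. It uses only the Python standard library; the shared-mailbox list, the addresses and the three messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed list of shared mailboxes (assumption: a real one comes from the directory).
SHARED_MAILBOXES = {"sales@example.com"}

def _addrs(msg, header):
    """Return the lower-cased addr-specs found in every occurrence of a header."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]

def attribute_sender(raw_message, shared=SHARED_MAILBOXES):
    """Decide who can be named as the author from the originator headers alone."""
    msg = message_from_string(raw_message)
    from_addrs = _addrs(msg, "From")
    sender_addrs = _addrs(msg, "Sender")
    sender = sender_addrs[0] if sender_addrs else None

    if sender and sender not in from_addrs:
        # "Send on behalf": From names the mailbox, Sender names the person.
        return {"mode": "send-on-behalf", "from": from_addrs, "actor": sender}
    if any(addr in shared for addr in from_addrs):
        # "Send as": only the shared mailbox is visible, so headers cannot name anyone.
        return {"mode": "send-as", "from": from_addrs, "actor": None}
    # Ordinary personal mail: the From address is the author.
    return {"mode": "direct", "from": from_addrs,
            "actor": from_addrs[0] if from_addrs else None}

# Constructed sample messages, one per case.
ON_BEHALF = ("From: Sales Team <sales@example.com>\n"
             "Sender: Alice <Alice@example.com>\n"
             "To: partner@example.org\nSubject: Q3 price list\n\nbody\n")
SEND_AS = ("From: Sales Team <sales@example.com>\n"
           "To: partner@example.org\nSubject: Q3 price list\n\nbody\n")
DIRECT = ("From: Bob <bob@example.com>\n"
          "To: partner@example.org\nSubject: hello\n\nbody\n")

if __name__ == "__main__":
    for name, raw in (("on-behalf", ON_BEHALF), ("send-as", SEND_AS), ("direct", DIRECT)):
        print(name, attribute_sender(raw))
```

For the "send as" case the function returns no actor, which is the situation the thread describes: the identity has to come from outside the message, such as endpoint detection or the messaging team's logs.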