Problems with Outbound FOPE (in BPOS) Policy while filtering for CC# and SSN# -- false-positives, etc

    Question

  • Hi there. We currently have a BPOS implementation that provides FOPE with our subscription. One of our security mail-related requirements is that there must be an outbound policy in place to filter for CC# and SSN#. The problem is, this policy is tripping a lot of false positives. First it was cell/landline #'s, and now meeting invites/requests.

    I have a few questions:

    - In the FOPE admin tool, if it says "Most Recent Hits" and it has sender/recipient email and a time/date stamp, does that mean those mail items were rejected by the policy, or just that it is logging that they were scanned by the policy? If the item was rejected, we aren't getting proper notifications to the alerts inbox we have configured.

    - I have a CMS application that sends out mail via an IIS/SMTP virtual server using the MS smarthost, mail.messaging.microsoft.com --- I got a report that mail wasn't going out properly from there, and that a test was done to confirm this. When I look in the \BadMail directory, I do see a BDR/BDP/BAD set of items, but they show 5.4.1 Relay Access Denied, not rejected. If the mail items were rejected b/c of the FOPE rule, what would the SMTP error code be? It would be rejected, right?

    - Has anyone successfully implemented egress filtering in FOPE for CC# / SSN#, with the correct regular expressions to do this? Seems like the MS FOPE team would have this in place already for customers.

    - Is there not a way on a BPOS / FOPE implementation to get better reporting of what items were actually rejected?

    Thursday, 12 January 2012 7:59

All replies

  • In order to catch CC# and SSN# always try to go for the REGEX option in Policy Rule. With REGEX we can involve variable combinations and give the exact combination which can be compared for the contents in an email.

    \d\d\d\-\d\d\-\d\d\d\d|\d\d\d\s\d\d\s\d\d\d\d

    \d\d\d\d\s\d\d\d\d\s\d\d\d\d\s\d\d\d\d|\d\d\d\d\s\d\d\d\d\d\d\s\d\d

    This will match 3 digits, a dash, 2 digits, a dash, and 4 digits. This will also match 3 digits, a space, 2 digits, a space, and 4 digits. These could be social security number patterns.

    This will match 4 digits, a space, 4 digits, a space, 4 digits, a space, and 4 digits. This will also match 4 digits, a space, 6 digits, a space, and 2 digits. These could be credit card number patterns.

    Articles to be followed: http://technet.microsoft.com/en-us/library/ff714963.aspx

    Understanding REGEX Syntax: http://technet.microsoft.com/en-us/library/ff714986.aspx

    To confirm the REGEX coding, test it on: http://www.regexpal.com/

    -- Pradeep Samant (FOPE Rocks)


    • Proposed as answer by Resolver1988 Wednesday, 18 January 2012 6:50
    Wednesday, 18 January 2012 6:49
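The following is an added example, not part of the thread and not Microsoft's or either poster's code. It takes the two patterns exactly as posted above and runs them over a few constructed messages of the kinds the original question mentions (a dial-in number, a conference ID in a meeting invite, a real SSN, a card number), so you can see where the posted patterns fire on non-sensitive data. Beside them it shows tightened versions of my own: digit-boundary assertions so a match cannot sit inside a longer digit run, exclusion of SSN area/group/serial values that are never issued, and a Luhn check on card candidates. The tightened patterns and the sample messages are assumptions for illustration; FOPE's own regex dialect is documented at the TechNet links above, and lookaround support there should be confirmed before use.

```python
import re

# Patterns exactly as posted in the thread for the FOPE policy rule REGEX option.
SSN_POSTED = re.compile(r"\d\d\d\-\d\d\-\d\d\d\d|\d\d\d\s\d\d\s\d\d\d\d")
CC_POSTED = re.compile(
    r"\d\d\d\d\s\d\d\d\d\s\d\d\d\d\s\d\d\d\d|\d\d\d\d\s\d\d\d\d\d\d\s\d\d"
)

# Tightened alternatives (my own, not from the thread):
#  - (?<!\d) and (?!\d) stop a match from sitting inside a longer digit run
#    (an 11-digit dial-in number, a conference ID, a tracking number);
#  - SSN area 000/666/9xx, group 00 and serial 0000 are never issued, so
#    they are excluded up front;
#  - card candidates must also pass the Luhn checksum before they count.
SSN_TIGHT = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)\d{3}[- ](?!00)\d{2}[- ](?!0000)\d{4}(?!\d)"
)
CC_CANDIDATE = re.compile(r"(?<!\d)(?:\d{4}[ -]){3}\d{4}(?!\d)")


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum over the digits of a candidate card number (spaces/dashes ignored)."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan(text: str) -> dict:
    """Return what each rule variant would flag in one message body."""
    return {
        "ssn_posted": SSN_POSTED.findall(text),
        "ssn_tight": SSN_TIGHT.findall(text),
        "cc_posted": CC_POSTED.findall(text),
        "cc_tight": [m for m in CC_CANDIDATE.findall(text) if luhn_ok(m)],
    }


# Constructed sample messages; every number here is made up for the example.
SAMPLES = {
    "dial_in": "Meeting request: Dial-in: 0800 55 1234, passcode on request.",
    "conf_id": "Conference ID: 4920 5517 8831 2210 - join from the lobby.",
    "ssn": "Employee SSN 123-45-6789 for payroll setup.",
    "card": "Card on file: 4111 1111 1111 1111 exp 01/14.",
    "clean": "Meeting moved to 10:30, room 4421.",
}


def report() -> dict:
    """Scan every sample and report which rule variants fired on it."""
    return {name: scan(body) for name, body in SAMPLES.items()}


if __name__ == "__main__":
    for name, hits in report().items():
        fired = {rule: m for rule, m in hits.items() if m}
        print(f"{name:8s} -> {fired or 'no hits'}")
```

The dial-in line fires the posted SSN pattern (the 11-digit number contains a 3-2-4 run) but not the tightened one, and the conference ID fires the posted card pattern but fails Luhn, which is the kind of false positive the original question describes. The genuine SSN and the Luhn-valid card sample are caught by both variants. Any regex of this shape will still match a valid-looking number that is not sensitive, so the "Most Recent Hits" view and message trace remain the way to confirm what a rule actually did to a message.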
  • Hi Kapshure,

    Answer to your Questions:

    1) In the FOPE admin tool, if it says "Most Recent Hits" and it has sender/recipient email and a time/date stamp, does that mean those mail items were rejected by the policy, or just that it is logging that they were scanned by the policy? If the item was rejected, we aren't getting proper notifications to the alerts inbox we have configured?

    Ans: Yes, the Most Recent Hits view shows which emails were filtered by the policy. If it is a reject policy, it will silently drop the email without notification; if it is an allow rule, it will bypass the spam filter and deliver to the user's inbox.

    2) I have a CMS application that sends out mail via an IIS/SMTP virtual server using the MS smarthost, mail.messaging.microsoft.com --- I got a report that mail wasn't going out properly from there, and that a test was done to confirm this. When I look in the \BadMail directory, I do see a BDR/BDP/BAD set of items, but they show 5.4.1 Relay Access Denied, not rejected. If the mail items were rejected b/c of the FOPE rule, what would the SMTP error code be? It would be rejected, right?

    Ans: If the email is rejected because of a policy rule, it will not send any notification or alert, unless you have configured one for the policy.

    5.4.1 Relay access denied: this NDR occurs if no route exists for message delivery, or if the categorizer could not determine the next-hop destination.

    You can verify whether the email was rejected by a policy rule or for some other reason by simply doing a message trace. All you need is sender, recipient, date and time; if you have the message ID, then you can search for the exact email.

    To trace email --> open https://admin.messaging.microsoft.com --> go to Tools --> it will open the Message Trace page; search for the message, click on Details, and there you go, you will find the exact reason.

    (If you think there is something wrong in the configuration, contact FOPE Help and Support.)

    3) Has anyone successfully implemented egress filtering in FOPE for CC# / SSN#, with the correct regular expressions to do this? Seems like the MS FOPE team would have this in place already for customers?

    Ans: See the post below by Pradeep Samant. He has given the exact regex as per your need.

    4) Is there not a way on a BPOS / FOPE implementation to get better reporting of what items were actually rejected?

    Ans: You can get this ability: if you pull up the reports, you will find which emails were blocked because of the Inbound Policy rule.

    Hope that answers all your queries. If you want some clarification, please let us know.

    FOPE Admin Guide Download:

    http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=282

    Thanks & Regards, Ritesh Hegde, Exchange, BPOS, FOPE, O365.
    Monday, 30 January 2012 13:02