RE: email content monitoring / effectiveness

From: Sarbjit Singh Gill (ssgill@gilltechnologies.com)
Date: 02/18/03

  • Next message: Chris Travers: "Re: DMZ and VPN"
    From: "Sarbjit Singh Gill" <ssgill@gilltechnologies.com>
    To: "James Kelly" <jim@essistants.com>, "Security-Basics" <security-basics@securityfocus.com>
    Date: Wed, 19 Feb 2003 03:27:29 +0800
    
    

    Thanks James,

    Since Exchange 2000 has it's own built in OLEDB Provider, we could get the
    SQL server to "LINK-UP" to the
    Exchange 2000 as if it was another MS SQL server. All you have to do now is
    run some scripts periodically to grab the mails from Exchange 2000 to SQL.
    Best bet would be to use a DTS packages with ActiveX/COM scripts/code. This
    codes/scripts could used ADO.

    Cheers
    Gill

    -----Original Message-----
    From: James Kelly [mailto:jim@essistants.com]
    Sent: Tuesday, February 18, 2003 2:17 PM
    To: ssgill@gilltechnologies.com
    Subject: RE: email content monitoring / effectiveness

    Yeah good call, I didn't even think of the fact that you can't replicate
    the private store. I think you hit the nail on the head with the
    scripting deal, and between the two options of the other Exchange
    server, or a SQL server, I think the SQL server would probably make the
    better choice. An SQL server license is slightly cheaper(to my
    knowledge, its been a while since I have done purchasing, correct me if
    I am wrong) then the exchange license, your not as limited space wise
    (to the 16GB max of standard Exchange, and its definitely not worth
    shelling out the extra cash for enterprise just for a goofy project like
    this), and finally, you can probably do some pretty powerful searches
    across all the email data you collect.

    Good idea.

    One question though, since you seem to be more familiar with the subject
    then I am, what kind of structure is the private store set up in?
    Basically what I'm getting at here is how are we capturing the data for
    the "new email" so that we can send it to our shiny new (or old, it'll
    run on some old hardware) SQL server?

    Just curious, any info you know is appreciated.

    Jim

    -----Original Message-----
    From: Sarbjit Singh Gill [mailto:ssgill@gilltechnologies.com]
    Sent: Monday, February 17, 2003 9:32 PM
    To: James Kelly
    Subject: RE: email content monitoring / effectiveness

    I guess the other alternative would be to use the Event Sink
    in Exchange to run scripts everytime a mail is put into the
    SMTP Q for external delivery. The VBScript or VB code would
    then use ADO and write the mail into a SQL server(better
    capacity to hold huge data) or standalone dedicated Exchange
    Server.

    I don't think you can replicate the private folders(mailbox
    database). You could create a mail-enabled folder in the
    public tree and forward all mail copies to it. You could then
    replicate this mail enabled folder to another exchange server.

    I just don't like the plumbing which goes into all this
    solutions for keeping a copy of all outgoing mails. :|

    Anyway i guess the other alternative would be to use
    a "Employee Management System" like WebSense but i am not
    sure if Websense can grab all SMTP content and attributes..

    Cheers
    Gill

    ---- Original message ----
    >Date: Mon, 17 Feb 2003 21:02:33 -0500
    >From: James Kelly <jim@essistants.com>
    >Subject: RE: email content monitoring / effectiveness
    >To: ssgill@gilltechnologies.com
    >
    >Good question, I had to do this for a client once, and it
    was a
    >nightmare, and they only had 20 users. They outsourced
    their email
    >through the same company that did their web hosting.
    Implementing it
    >was actually pretty easy, they had a little webmail
    configuration tool,
    >and you could set each account to do all kinds of things like
    >autorespond, or forward mail to another box. What we did
    was set each
    >account to forward to an account called "collect" and we
    connected to
    >the server (by POP3) and downloaded all the mail to a single
    standalone
    >outlook installation on a server. We also took precautions
    to keep
    >archived stuff encrypted so that if someone ever hacked the
    box they
    >didn't have all of the company's email history in plain text
    right
    >there.
    >
    >As far as doing this with Exchange, I haven't done enough
    time on
    >exchange to really be an expert, but one idea would be to
    have a
    >standalone server runs private folder replication from the
    real server.
    >Now I don't know if its possible to do this, but at the same
    time make
    >it inactive as an actual email server per se. It seems to
    me this is a
    >goofy solution though, do you think you could just create a
    script to
    >dump it on another machine? We just can't forget about
    protecting that
    >data, maybe pass it to a server, then encrypt it in some
    soft of archive
    >file. I don't really know... I'm sure somebody else on-list
    can make
    >some suggestions, it must have come up before. If not, and
    you do come
    >up with anything, let me know.
    >
    >Jim
    >
    >
    >
    >-----Original Message-----
    >From: Sarbjit Singh Gill
    [mailto:ssgill@gilltechnologies.com]
    >Sent: Monday, February 17, 2003 8:17 PM
    >To: James Kelly
    >Subject: RE: email content monitoring / effectiveness
    >
    >Thanks for feedback Jim.
    >
    >The financial institiution i was with a few years ago, used
    >to dump a copy of all outgoing mails into a dedicated
    >mailbox. I did not think of the filling up issue, but
    somehow
    >the Exchange 5.5 never filled up. I guess the admin was
    >backing up almost everyday.
    >
    >what if i wanted to keep a copy of every mail that has left
    >the server to the internet. WOuld keeping a copy of it be
    the
    >only way. ?
    >
    >
    >Kind Regards
    >Gill
    >
    >---- Original message ----
    >>Date: Mon, 17 Feb 2003 19:47:56 -0500
    >>From: James Kelly <jim@essistants.com>
    >>Subject: RE: email content monitoring / effectiveness
    >>To: ssgill@gilltechnologies.com
    >>
    >>You might want to be careful about keeping "copies" of mail
    >on an
    >>exchange server, at least when you don't have the
    enterprise
    >edition. I
    >>don't know which flavor your running, but while enterprise
    >edition is
    >>limited to your disk space, plan vanilla is limited to I
    >believe 16 gigs
    >>(correct me if I'm wrong in that, it's close if not exact)
    >for your
    >>public and private stores (that's 16 each). Now while I
    >have never
    >>actually had an exchange server that was under my care fill
    >up, from
    >>what I understand it's a huge pain in the ass, and takes
    >some doing to
    >>get it going again. Again, this may or may not be an
    issue,
    >depending
    >>on the version of exchange that is running, and the
    quantity
    >of mail
    >>you're seeing. Because keeping a copy of every email will
    >effectively
    >>double your space used for storing email, it might be a
    >better idea to
    >>take messages off server, and examine them there at your
    >leisure (or in
    >>real time).
    >>
    >>Jim
    >>
    >>
    >>
    >>-----Original Message-----
    >>From: Sarbjit Singh Gill
    >[mailto:ssgill@gilltechnologies.com]
    >>Sent: Sunday, February 16, 2003 10:29 AM
    >>To: security-basics@securityfocus.com
    >>Subject: RE: email content monitoring / effectiveness
    >>
    >>Greetings Lawrence,
    >>
    >>Why don't you just keep a copy of every mail that goes out
    >from your
    >>exchange into a mailbox dedicated for the job. Then run
    some
    >scripts to
    >>check for keywords. You could use any script which can talk
    >to file
    >>system
    >>or you could even use http WEBDav or (ASP - ADO -- SQL
    >query ----
    >>Exchange
    >>2k). You could then search for anything you need.
    >>
    >>Cheers
    >>Gill
    >>
    >>-----Original Message-----
    >>From: theog [mailto:theog@theog.org]
    >>Sent: Friday, February 14, 2003 5:56 AM
    >>To: laurence_field@yahoo.com; security-
    >basics@securityfocus.com
    >>Subject: Re: email content monitoring / effectiveness
    >>
    >>
    >>Try viruswall from Trend Micro http://www.antivirus.com
    >>----- Original Message -----
    >>From: "laurence field" <laurence_field@yahoo.com>
    >>To: <security-basics@securityfocus.com>
    >>Sent: Wednesday, February 12, 2003 7:50 AM
    >>Subject: email content monitoring / effectiveness
    >>
    >>
    >>> I would like to get feedback on the quality/usefulness
    >>> of email content monitoring tools available on the
    >>> market.
    >>>
    >>> Our problem: We need to identify users and monitor
    >>> email content (scary) as some staff are sending
    >>> "gossip" to the press about our public internet system
    >>> reliability, pending IPO gossip / info etc. which then
    >>> escalates to professional bodies / governments whom in
    >>> turn start formal investigations - all over an
    >>> email!!! (we are a financial company).
    >>>
    >>> Our mail systems are predominately MS Exchange 2000.
    >>> We are reviewing some software solutions at the moment
    >>> to increase our logging of what email is going
    >>> out/content etc. The volume of email is stagering and
    >>> should the "bad" users be technically savvy, there
    >>> seems to be no real way of catching said users who
    >>> breach our security policy. Additionaly, how well do
    >>> these systems work by catching key words?
    >>>
    >>> I recently heard of a new technology that seems
    >>> smarter than just key word searches but havent been
    >>> able to track it down to-date.
    >>>
    >>> If anybody could recommend any solutions/feedback on
    >>> this issue it would be very helpful to us.
    >>>
    >>> Many thanks
    >>>
    >>> Laurence
    >>>
    >>> __________________________________________________
    >>> Do you Yahoo!?
    >>> Yahoo! Shopping - Send Flowers for Valentine's Day
    >>> http://shopping.yahoo.com
    >>>
    >>
    >>
    >
    >Sarbjit Singh Gill
    >ssgill@gilltechnologies.com
    >
    >

    Sarbjit Singh Gill
    ssgill@gilltechnologies.com



    Relevant Pages