Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Replies 6 replies
  • Subscribers 0 subscribers
  • Views 2204 views
  • Users 0 members are here
Options
Suggested

[9.200][ANSWERED] SMTP: Data Protection not working for DENMARK

twister5800
Hi,

I have testet the "Data Protection" feature today, I have enabled ALL possible SophosLabs CCLs for Denmark, and set the Action to Allow and Notify for Administrator.

I have send mails with all kinds of secret stuff, phone numbers, bank accounts and social security numbers, but I was never notified.

Am I missing something or are the CCLs for Dk inaccurate?
Parents
  • 0
    Looks like this:
    2014:02:27-14:10:44 mail exim-in[21782]: 2014-02-27 14:10:44 [192.168.10.11] F= R= Accepted: from relay
    2014:02:27-14:10:45 mail exim-in[21782]: 2014-02-27 14:10:45 1WJ0jc-0005fK-35 ctasd reports 'Unknown' RefID:str=0001.0A0B0201.530F3955.001F,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
    2014:02:27-14:10:45 mail exim-in[21782]: 2014-02-27 14:10:45 1WJ0jc-0005fK-35 martin@yyy.dk H=(EXCH01.twister.local) [192.168.10.11]:51122 P=esmtps X=TLSv1:RC4-SHA:128 S=3537 id=c90bc610b41a46038b230473654354cd@EXCH01.twister.local
    2014:02:27-14:10:45 mail exim-in[21782]: 2014-02-27 14:10:45 SMTP connection from (EXCH01.twister.local) [192.168.10.11]:51122 closed by QUIT
    2014:02:27-14:10:46 mail smtpd[4958]: QMGR[4958]: 1WJ0jc-0005fK-35 moved to work queue
    2014:02:27-14:10:50 mail smtpd[21792]: SCANNER[21792]: 1WJ0ji-0005fU-1l martin@yyy.dk R=1WJ0jc-0005fK-35 P=INPUT S=2448
    2014:02:27-14:10:54 mail smtpd[21792]: SCANNER[21792]: [DLP] Matching DLP expressions
    2014:02:27-14:10:54 mail smtpd[21792]: SCANNER[21792]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="192.168.10.11" from="martin@yyy.dk" to="martin@***.dk" subject="65310605" queueid="1WJ0ji-0005fU-1l" size="2448"
    2014:02:27-14:10:54 mail smtpd[21792]: SCANNER[21792]: 1WJ0jc-0005fK-35 => work R=SCANNER T=SCANNER
    2014:02:27-14:10:54 mail smtpd[21792]: SCANNER[21792]: 1WJ0jc-0005fK-35 Completed
    2014:02:27-14:10:54 mail exim-out[21806]: 2014-02-27 14:10:54 1WJ0ji-0005fU-1l => martin@***.dk P= R=dnslookup T=remote_smtp H=mailscan.***.dk [***.***.***.***]:25 X=UNKNOWN:AES256-SHA:256 C="250 OK id=1WJ0jm-0004Je-1y"
    2014:02:27-14:10:54 mail exim-out[21806]: 2014-02-27 14:10:54 1WJ0ji-0005fU-1l Completed
    2014:02:27-14:11:00 mail exim-out[21809]: 2014-02-27 14:11:00 Start queue run: pid=21809
    2014:02:27-14:11:00 mail exim-out[21809]: 2014-02-27 14:11:00 End queue run: pid=21809

    Should this not indicate that DLP was triggered:
    2014:02:27-14:10:54 mail smtpd[21792]: SCANNER[21792]: [DLP] Matching DLP expressions

    Thanks for telling about the hover-thing, I tried that, but it is now very informative, when I hover postcodes, I just tells me it looks for "postcode"?!

    Thanks for your reply :-)

    Mail example:
    Hejsa,

    Hermed postnummer 5800
    Mit cpr. 070177-2037

    Mvh. martin
    -------------------------
    Above is fake, but formatted in the same way.

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v19 Architect

Reply
  • 0
    Looks like this:
    2014:02:27-14:10:44 mail exim-in[21782]: 2014-02-27 14:10:44 [192.168.10.11] F= R= Accepted: from relay
    2014:02:27-14:10:45 mail exim-in[21782]: 2014-02-27 14:10:45 1WJ0jc-0005fK-35 ctasd reports 'Unknown' RefID:str=0001.0A0B0201.530F3955.001F,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
    2014:02:27-14:10:45 mail exim-in[21782]: 2014-02-27 14:10:45 1WJ0jc-0005fK-35 martin@yyy.dk H=(EXCH01.twister.local) [192.168.10.11]:51122 P=esmtps X=TLSv1:RC4-SHA:128 S=3537 id=c90bc610b41a46038b230473654354cd@EXCH01.twister.local
    2014:02:27-14:10:45 mail exim-in[21782]: 2014-02-27 14:10:45 SMTP connection from (EXCH01.twister.local) [192.168.10.11]:51122 closed by QUIT
    2014:02:27-14:10:46 mail smtpd[4958]: QMGR[4958]: 1WJ0jc-0005fK-35 moved to work queue
    2014:02:27-14:10:50 mail smtpd[21792]: SCANNER[21792]: 1WJ0ji-0005fU-1l martin@yyy.dk R=1WJ0jc-0005fK-35 P=INPUT S=2448
    2014:02:27-14:10:54 mail smtpd[21792]: SCANNER[21792]: [DLP] Matching DLP expressions
    2014:02:27-14:10:54 mail smtpd[21792]: SCANNER[21792]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="192.168.10.11" from="martin@yyy.dk" to="martin@***.dk" subject="65310605" queueid="1WJ0ji-0005fU-1l" size="2448"
    2014:02:27-14:10:54 mail smtpd[21792]: SCANNER[21792]: 1WJ0jc-0005fK-35 => work R=SCANNER T=SCANNER
    2014:02:27-14:10:54 mail smtpd[21792]: SCANNER[21792]: 1WJ0jc-0005fK-35 Completed
    2014:02:27-14:10:54 mail exim-out[21806]: 2014-02-27 14:10:54 1WJ0ji-0005fU-1l => martin@***.dk P= R=dnslookup T=remote_smtp H=mailscan.***.dk [***.***.***.***]:25 X=UNKNOWN:AES256-SHA:256 C="250 OK id=1WJ0jm-0004Je-1y"
    2014:02:27-14:10:54 mail exim-out[21806]: 2014-02-27 14:10:54 1WJ0ji-0005fU-1l Completed
    2014:02:27-14:11:00 mail exim-out[21809]: 2014-02-27 14:11:00 Start queue run: pid=21809
    2014:02:27-14:11:00 mail exim-out[21809]: 2014-02-27 14:11:00 End queue run: pid=21809

    Should this not indicate that DLP was triggered:
    2014:02:27-14:10:54 mail smtpd[21792]: SCANNER[21792]: [DLP] Matching DLP expressions

    Thanks for telling about the hover-thing, I tried that, but it is now very informative, when I hover postcodes, I just tells me it looks for "postcode"?!

    Thanks for your reply :-)

    Mail example:
    Hejsa,

    Hermed postnummer 5800
    Mit cpr. 070177-2037

    Mvh. martin
    -------------------------
    Above is fake, but formatted in the same way.

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v19 Architect

Children
No Data
Unfiltered HTML