Sniffing Email Traffic

Hey Guys,

We have an issue on our hands with emails going out to competitors containing important information.

Currently we're using Google Apps for Business and can easily enough track what happens on all of these Gapps accounts.

What I'd like to be able to do is sniff for all email data that leaves our network, even if it is sent from someone's private address, preferably with automatic flagging on certain keywords or attachments.

We have a wide range of tech available to us, from Linux appliances to Cisco and Palo Alto gear, but I am unsure where to start in order to achieve such tracking.

I'm fairly sure this is possible, as I've seen full UTM appliances able to sniff through packets to find malicious items, so I guess in theory sniffing for email messages would be along the same lines.


What types of email do you intend to sniff out?
If it's a user on Gmail, it will be quite tough. That's because some appliances can break the HTTPS chain (using the internal certificate to sniff the traffic), but since Gmail is web based, there's no real "email" to scan. After all, you type in your message in the browser window, and when you press send, the Gmail server sends the email; it's not something at the client side.
If it's Outlook with some POP3/IMAP/SMTP, then maybe it's possible. Plain text is easy to sniff. Secured traffic is harder. The user might know you're trying to sniff it though, as you need to provide the UTM/appliance's certificate, instead of the real certificate, to be able to sniff the traffic.
Dave Howe, Software and Hardware Engineer, commented:
It's possible; most email security is explicit TLS, so Cisco's inspect esmtp can disable that for you (Google, however, often uses implicit TLS on port 465, which Cisco cannot disable, hence any mail sent on that port will be unreadable).

You can of course force port 25 and 465 traffic to an internal proxy, which would just leave out-of-band channels (mobile phones, removable media, that sort of thing) and webmail to cover.

Do note though - in many countries, this is highly illegal (even if your staff are on notice that the systems are for business use and subject to inspection) so you should run this past a lawyer or two before you start doing it.
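Added example (Python; not code from the original thread or from any of the commenters). It illustrates two points made above: the first reply's observation that plain-text mail is easy to sniff and keyword-flag, and Dave Howe's distinction between explicit TLS (STARTTLS on port 25, which a middlebox can strip from the EHLO reply so the client never upgrades) and implicit TLS (port 465, where the session opens with a TLS record and there is nothing in the clear to rewrite). The two session transcripts, the host names and the keyword watch-list are constructed for the demo; the `strip_starttls` function is a simplified model of what an inspection device does, not a reproduction of Cisco's implementation.

```python
# Added example, not from the original thread: triage captured SMTP sessions
# the way a port-25 inspection point would. Transcripts, hosts and the
# keyword watch-list are constructed for the demo.
import re
import email
from email import policy

KEYWORDS = {"confidential", "price list", "customer database"}  # constructed watch-list
STARTTLS_CAP = re.compile(r"250[- ]STARTTLS\b", re.I)

# Constructed cleartext session: the server never offers STARTTLS.
CLEARTEXT_SESSION = """\
S: 220 mail.example.com ESMTP
C: EHLO laptop.corp.example
S: 250-mail.example.com
S: 250 8BITMIME
C: MAIL FROM:<alice@corp.example>
S: 250 OK
C: RCPT TO:<buyer@competitor.example>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Subject: Q3 numbers
C: Content-Type: multipart/mixed; boundary="b1"
C:
C: --b1
C: Content-Type: text/plain
C:
C: Attached is the CONFIDENTIAL price list we discussed.
C: --b1
C: Content-Type: application/octet-stream; name="pricelist.xls"
C: Content-Disposition: attachment; filename="pricelist.xls"
C:
C: --b1--
C: .
"""

# Constructed session where STARTTLS is offered and the client takes it up.
STARTTLS_SESSION = """\
S: 220 mail.example.com ESMTP
C: EHLO laptop.corp.example
S: 250-mail.example.com
S: 250-STARTTLS
S: 250 8BITMIME
C: STARTTLS
S: 220 Ready to start TLS
"""

def parse_session(transcript):
    # Turn a "C: "/"S: " annotated transcript into (who, line) pairs.
    turns = []
    for raw in transcript.splitlines():
        m = re.match(r"([CS]):\s?(.*)$", raw)
        if m:
            turns.append((m.group(1), m.group(2)))
    return turns

def starttls_state(turns):
    """'not-offered', 'offered-not-used' or 'offered-and-used'."""
    offered = any(w == "S" and STARTTLS_CAP.match(l) for w, l in turns)
    used = any(w == "C" and l.strip().upper() == "STARTTLS" for w, l in turns)
    if not offered:
        return "not-offered"
    return "offered-and-used" if used else "offered-not-used"

def strip_starttls(turns):
    """Model of a middlebox downgrading explicit TLS: drop the STARTTLS
    capability from the EHLO reply and re-mark the last 250 line as final.
    Assumes non-pipelined sessions (consecutive 250 lines form one reply)."""
    kept = [(w, l) for w, l in turns if not (w == "S" and STARTTLS_CAP.match(l))]
    out = []
    for i, (w, l) in enumerate(kept):
        if w == "S" and re.match(r"250[- ]", l):
            nxt = kept[i + 1] if i + 1 < len(kept) else ("C", "")
            last = not (nxt[0] == "S" and nxt[1].startswith("250"))
            l = ("250 " if last else "250-") + l[4:]
        out.append((w, l))
    return out

def inspect_message(turns):
    """Extract the DATA payload of a cleartext session, flag watch-list
    keywords in text parts and list attachment filenames."""
    body, in_data = [], False
    for w, l in turns:
        if w == "C" and l.upper() == "DATA":
            in_data = True
        elif in_data and w == "C":
            if l == ".":
                break
            body.append(l[1:] if l.startswith("..") else l)  # SMTP dot-unstuffing
    msg = email.message_from_string("\n".join(body), policy=policy.default)
    hits, attachments = set(), []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            attachments.append(part.get_filename())
        elif part.get_content_type() == "text/plain":
            text = part.get_content().lower()
            hits |= {k for k in KEYWORDS if k in text}
    return {"subject": str(msg["subject"]), "keywords": sorted(hits),
            "attachments": attachments}

def is_implicit_tls(first_bytes):
    """Port 465 sessions open with a TLS handshake record (0x16, 0x03xx):
    no cleartext EHLO exists to rewrite, so the mail cannot be read."""
    return len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03
```

Run `inspect_message(parse_session(CLEARTEXT_SESSION))` to see the keyword and attachment hits; run `starttls_state` on `STARTTLS_SESSION` before and after `strip_starttls` to see how removing the capability line turns an upgradable session into a readable one, and `is_implicit_tls` on the first bytes of a port-465 capture to see why that channel stays opaque to the same device.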
Schuyler Dorsey commented:
I would probably go down the DLP route if this is a true risk to your business. While you can break SSL/TLS and look for keywords with the Palo Alto firewall, it's not a full DLP solution (I think they even call it DLP lite).

A DLP solution with endpoint agents would probably be the best solution for this, especially if your company has laptops. You could put in all the best network-based stuff, but if an employee takes the laptop out of the office to do it, then it's all for naught.
Allen Falcon, CEO & Pragmatic Evangelist, commented:
One of the issues you will have is that email sent from Google Apps is not going to pass through your firewall, unless you set up a complex and costly relay system.

In these instances, the best solution will be a cloud-based DLP solution that is designed to work with and track activity in Gmail -- particularly when the web interface is used.

Most of the solutions use traditional DLP methods so they will catch the activity in the browser, but will not scan attachments.

Another piece of the solution is to set up filters/rules via the Admin Console in Google Apps. This can be tricky and will require a bit of customization and work to maintain the list.

Finally, if you are losing information by email, those sharing info may also be sharing documents stored in Drive.  There are multiple tools that will scan the content of Drive docs, in near-real-time, and strip external sharing permissions based on rules you create.

The first step will be to prioritize your areas of risk, then address the problem holistically: not only with technology, but also with updated policies and employee education/awareness.

(Disclaimer: As a reseller, we work with a number of DLP tools for the Google Apps environment, including those from Awareness Technologies, BetterCloud, and CloudLock.)
