Sniffing Email Traffic
auscom asked:
Hey Guys,
We have an issue on our hands with emails going out to competitors containing important information.
Currently we're using Google Apps for Business and can easily enough track what happens on all of these Gapps accounts.
What I'd like to be able to do is try to sniff for all email data that leaves our network, even if it is sent from someone's private address, preferably with automatic flagging on certain keywords or attachments.
We have a wide range of tech available to us, from Linux appliances to Cisco and Palo Alto gear etc., but I am unsure where to start in order to achieve such tracking.
I'm fairly sure this is possible as I've seen full UTM appliances able to sniff through packets to find malicious items so I guess in theory sniffing for email messages would be along the same lines.
Thanks
It's possible; most email security is explicit TLS, so Cisco's inspect esmtp can disable that for you (Google, however, often uses implicit TLS on port 465, which Cisco cannot disable, hence any mail sent on that port will be unreadable).
You can of course force port 25 and 465 traffic to an internal proxy, which would just leave out-of-band (mobile phones, removable media, that sort of thing) and webmail to cover.
Do note though - in many countries this is highly illegal (even if your staff are on notice that the systems are for business use and subject to inspection), so you should run this past a lawyer or two before you start doing it.
If it's a user on Gmail, it will be quite tough. That's because some appliances can break the HTTPS chain (using the internal certificate to sniff the traffic), but since Gmail is web based, there's no real "email" to scan. After all, you type your message in the browser window, and when you press send, the Gmail server sends the email; it's not something at the client side.
If it's Outlook with some POP3/IMAP/SMTP, then maybe it's possible. Plain text is easy to sniff. Secured traffic is harder. The user might know you're trying to sniff it, though, as you need to provide the UTM/appliance's certificate instead of the real certificate to be able to sniff the traffic.
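The sniffing and keyword/attachment flagging that both answers above describe, as an added example that is not from the original thread: a Python script that walks the client-to-server half of one SMTP session, the way a sniffer on a SPAN port or a transparent proxy on port 25 would reassemble it. It records the envelope (MAIL FROM / RCPT TO), stops at STARTTLS because everything after that command is TLS ciphertext (which is why stripping STARTTLS with inspect esmtp matters), and otherwise parses the DATA phase as MIME and flags keywords, risky attachment types and recipients outside the company domain. The two sessions, the keyword list, the attachment pattern and the domain corp.example are all constructed for this example; in a real deployment the byte stream would come from a TCP reassembler (tshark, scapy, or the proxy itself), and a session on port 465 is opaque from its first byte, so this parser would see no SMTP text at all.

```python
"""Flag sensitive outbound mail in a captured plaintext SMTP session (added example)."""
import email
import re
from email import policy

# Constructed detection policy: keyword list, attachment types and the
# company's own domain are assumptions for the example, not values from the thread.
KEYWORDS = ("confidential", "pricing", "customer list")
RISKY_ATTACHMENT = re.compile(r"\.(xlsx?|docx?|pdf|zip|csv)$", re.IGNORECASE)
INTERNAL_DOMAIN = "corp.example"


def _addr(line: bytes) -> str:
    """Pull the address out of 'MAIL FROM:<a@b>' or 'RCPT TO:<a@b> PARAM=...'."""
    rest = line.split(b":", 1)[1].split()
    return rest[0].strip(b"<>").decode(errors="replace") if rest else ""


def parse_client_stream(stream: bytes) -> dict:
    """Walk the client->server bytes of one SMTP session.

    Returns the envelope, the raw message from the DATA phase if it was sent in
    the clear, and whether STARTTLS was issued. After STARTTLS every following
    byte is a TLS record, so parsing stops there: that is the gap closed by
    stripping STARTTLS on the firewall, and the reason implicit TLS (port 465)
    cannot be read at all.
    """
    env = {"mail_from": None, "rcpt_to": [], "starttls": False, "message": None}
    lines = stream.split(b"\r\n")
    i = 0
    while i < len(lines):
        line = lines[i]
        verb = line.upper()
        if verb.startswith(b"STARTTLS"):
            env["starttls"] = True
            break  # ciphertext from here on
        if verb.startswith(b"MAIL FROM:"):
            env["mail_from"] = _addr(line)
        elif verb.startswith(b"RCPT TO:"):
            env["rcpt_to"].append(_addr(line))
        elif verb == b"DATA":
            # Message lines follow until a line holding a single '.';
            # a leading '..' is SMTP dot-stuffing and becomes '.' (RFC 5321 4.5.2).
            body = []
            i += 1
            while i < len(lines) and lines[i] != b".":
                body.append(lines[i][1:] if lines[i].startswith(b"..") else lines[i])
                i += 1
            env["message"] = b"\r\n".join(body)
        i += 1
    return env


def flag_message(raw: bytes) -> dict:
    """Parse the captured message as MIME; flag keywords in subject/text and risky attachments."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text = [msg["Subject"] or ""]
    attachments = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:
            if RISKY_ATTACHMENT.search(filename):
                attachments.append(filename)
        elif part.get_content_type() == "text/plain":
            text.append(part.get_content())
    haystack = "\n".join(text).lower()
    return {"keywords": [k for k in KEYWORDS if k in haystack],
            "attachments": attachments}


def inspect_session(stream: bytes) -> dict:
    """Full verdict for one session: what was visible and what tripped the policy."""
    env = parse_client_stream(stream)
    report = {
        "starttls": env["starttls"],
        "readable": env["message"] is not None,
        "mail_from": env["mail_from"],
        "external_recipients": [r for r in env["rcpt_to"]
                                if not r.lower().endswith("@" + INTERNAL_DOMAIN)],
        "keywords": [],
        "attachments": [],
    }
    if report["readable"]:
        report.update(flag_message(env["message"]))
    return report


# Constructed session 1: plaintext SMTP to a competitor with a spreadsheet attached.
SAMPLE_PLAINTEXT = (
    b"EHLO laptop.corp.example\r\n"
    b"MAIL FROM:<alice@corp.example>\r\n"
    b"RCPT TO:<bob@competitor.example>\r\n"
    b"DATA\r\n"
    b"From: alice@corp.example\r\n"
    b"To: bob@competitor.example\r\n"
    b"Subject: Q3 pricing\r\n"
    b"MIME-Version: 1.0\r\n"
    b"Content-Type: multipart/mixed; boundary=\"XYZ\"\r\n"
    b"\r\n"
    b"--XYZ\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"Confidential - see attached customer list.\r\n"
    b"--XYZ\r\n"
    b"Content-Type: application/octet-stream; name=\"customers.xlsx\"\r\n"
    b"Content-Disposition: attachment; filename=\"customers.xlsx\"\r\n"
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"UEsDBA==\r\n"
    b"--XYZ--\r\n"
    b".\r\n"
    b"QUIT\r\n"
)

# Constructed session 2: the client upgrades with STARTTLS; the rest is a TLS record.
SAMPLE_STARTTLS = (
    b"EHLO laptop.corp.example\r\n"
    b"STARTTLS\r\n"
    b"\x16\x03\x01\x00\x05hello"
)

if __name__ == "__main__":
    print(inspect_session(SAMPLE_PLAINTEXT))
    print(inspect_session(SAMPLE_STARTTLS))
```

Running the block prints a full verdict for the plaintext session (external recipient, three keyword hits, one flagged attachment) and a report with readable set to False for the STARTTLS session, which is all a passive sniffer gets once the client negotiates TLS; the same logic placed in an internal proxy that terminates TLS itself would see the message in the second case too.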