Sophos Email Appliance: Data Control Examples

  • Article ID: 67130
  • Updated: 29 Nov 2012

The following are examples of data that can be used to trigger CCL-based rules on the Sophos Email Appliance. Once you have created the sample rule, enter the data using the Policy Wizard, and then view the results in the quarantine and the mail log.

Each example recommends setting the quantity to "1". This ensures that the CCL is triggered. In practice, you may have to experiment with various custom settings to find the one that is right for your environment.

For more about implementing CCL-based rules, see the 'Data Control Deployment Guide' in the Email Appliance documentation.

 

Example: Credit Card Number

One of the most common types of data to be leaked from an organization is credit card numbers. Use the sample number shown below to see how the appliance handles messages containing a valid credit card number.

1. Create a Sample Rule

  1. In the Email Appliance's administrative interface, select Configuration > Policy > Data Control.
  2. On the Outbound tab, click Add.
  3. On the Rule Type wizard page, select Messages matching specific Sophos Content Control Lists (CCLs).
  4. Click Next.
  5. On the Rule Config page, in the CCL Name scroll box, select Credit or debit card numbers [Global].
  6. Click the green icon next to this CCL name.
  7. Select Use a custom quantity, and enter 1. This ensures that sensitivity is as high as possible.
  8. Click OK.
  9. Click Configure.
  10. Under Log Level, select all of the check boxes.
  11. Click OK.
  12. Click Next.
  13. On the Select Users page, click Select groups.
  14. In the Available text box, select Pilot Users, and click the >> button to move this group to the Selected groups text box.

    Important: You must configure a group of pilot users, or the policy rule is applied to all users.
  15. Click Next.
  16. On the Main Action tab, from the Message actions drop-down list, select Quarantine and continue.
  17. On the Rule Description page, in the Policy rule name text box, enter a meaningful name for the rule.
  18. Select Activate this rule, and click Save.

2. Testing with Sample Data

  1. Send a test email message to an external email address that contains the credit card number 4111-1111-1111-1111. This is a valid Visa number used for testing only. It is best to give the message a subject that can be easily spotted when looking through the mail log.
  2. Search the quarantine. You will see a corresponding entry for the email message sent in step 1. In the quarantine entry, click View message details. Select the Info tab to view information about which rule was triggered. In this case, it will indicate that the "Test CCLs - credit card" rule was triggered.
  3. Search the mail log. You will see a corresponding entry for the email message sent in step 1. Select the entry, then click View log details. The Content Inspection tab indicates that a credit card number was detected, triggering a violation. You can expand the description to view further details of the violation. An additional entry shows which qualifying terms were present and highlights them. In this case, the term is "credit card."
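
The following added example (not Sophos code, and not a description of how the appliance's CCLs are implemented) models why the sample number counts as "valid" and what a custom quantity of 1 means for triggering. The regular expression, the use of the Luhn checksum as the validity test, and the rule_triggers helper are assumptions made for illustration; the messages are constructed samples.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by a space or hyphen.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return the distinct Luhn-valid card-number candidates found in text."""
    found = []
    for match in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_valid(digits) and digits not in found:
            found.append(digits)
    return found


def rule_triggers(text: str, quantity: int = 1) -> bool:
    """Hypothetical rule: trigger when at least `quantity` distinct numbers match."""
    return len(find_card_numbers(text)) >= quantity


# Constructed sample messages (not real mail). The first uses the article's test number.
SAMPLES = {
    "article test number": "Subject: DLP-TEST-01\n\nMy credit card is 4111-1111-1111-1111.",
    "one digit changed": "Subject: DLP-TEST-02\n\nMy credit card is 4111-1111-1111-1112.",
    "order reference": "Subject: DLP-TEST-03\n\nOrder ref 1234567890123456 shipped.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name}: quantity=1 -> {rule_triggers(body, 1)}, "
              f"quantity=2 -> {rule_triggers(body, 2)}")
```

With a quantity of 1 the single test number is enough to trigger; raising the quantity to 2 means the same message no longer matches, which is the kind of tuning the article says you may need to experiment with.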

Example: Social Security Number

Often, organizations want to prevent users from sending messages that contain social security numbers. Use the sample number shown below to see how the appliance handles messages containing valid social security numbers.

1. Create a Sample Rule

  1. In the Email Appliance's administrative interface, select Configuration > Policy > Data Control.
  2. On the Outbound tab, click Add.
  3. On the Rule Type wizard page, select Messages matching specific Sophos Content Control Lists (CCLs).
  4. On the Rule Config page, in the CCL Name scroll box, select Social security numbers [USA].
  5. Click the green icon next to this CCL name.
  6. Select Use a custom quantity, and enter 1. This ensures that sensitivity is as high as possible.
  7. Click OK.
  8. Under Log Level, select all of the check boxes.
  9. Click OK.
  10. Click Next.
  11. On the Select Users page, click Select groups.
  12. In the Available text box, select Pilot Users, and click the >> button to move this group to the Selected groups text box.

    Important: You must configure a group of pilot users, or the policy rule is applied to all users.
  13. Click Next.
  14. On the Main Action tab, from the Message actions drop-down list, select Quarantine and continue.
  15. On the Rule Description page, in the Policy rule name text box, enter a meaningful name for the rule.
  16. Select Activate this rule, and click Save.

2. Testing with Sample Data

  1. Send a test email message containing the social security number 078-05-1120 to an external email address. It is best to give the message a subject that can be easily spotted when looking through the mail log.
  2. Search the quarantine. You will see an entry corresponding to the email message that you sent in step 1. In the quarantine entry, click View message details. Click the Info tab to view information about which rule was triggered. In this case it will indicate that the "Test CCLs - USA Social Security numbers" rule triggered.
  3. Search the mail log. You will find a corresponding entry. Select the entry, then click View log details. The Content Inspection tab will show that a social security number was detected, triggering a violation. You can expand the description to view further details of the violation.

Example: Postal Addresses

Organizations usually want to prevent users from sending messages that disclose the mailing addresses of people within the organization. Use the sample address shown below to see how the appliance handles messages containing valid mailing addresses.

1. Create a Sample Rule

  1. In the Email Appliance's administrative interface, select Configuration > Policy > Data Control.
  2. On the Outbound tab, click Add.
  3. On the Rule Type wizard page, select Messages matching specific Sophos Content Control Lists (CCLs).
  4. On the Rule Config page, in the CCL Name scroll box, select Postal addresses [USA].
  5. Click the green icon next to this CCL name.
  6. Select Use a custom quantity, and enter 1. This ensures that sensitivity is as high as possible.
  7. Click OK.
  8. Under Log Level, select all of the check boxes.
  9. Click OK.
  10. Click Next.
  11. On the Select Users page, click Select groups.
  12. In the Available text box, select Pilot Users, and click the >> button to move this group to the Selected groups text box.

    Important: You must configure a group of pilot users, or the policy rule is applied to all users.
  13. Click Next.
  14. On the Main Action tab, from the Message actions drop-down list, select Quarantine and continue.
  15. On the Rule Description page, in the Policy rule name text box, enter a meaningful name for the rule.
  16. Select Activate this rule, and click Save.

2. Testing with Sample Data

  1. Send a test email message to an external email address that contains something resembling a valid US postal address. For example:

    123 Main Street
    Sometown, NY, 11345

    It is best to give the message a subject that can be easily spotted when looking through the mail log.
  2. Search the quarantine. You will see an entry corresponding to the email message sent in step 1. In the quarantine entry, click View message details. Click the Info tab to view information about which rule was triggered. In this case it will indicate that the "Test CCLs - USA Addresses" rule triggered.
  3. Search the mail log. You will find a corresponding entry. Select the entry, then click View log details. The Content Inspection tab will show that an address was detected, triggering a violation. You can expand the description to view further details of the violation.

 

 
If you need more information or guidance, then please contact technical support.
