mail sniffers

Aleksandar Milivojevic amilivojevic at pbl.ca
Mon Apr 25 13:53:41 UTC 2005


Ankush Grover wrote:
> hey friends,
> 
> At one of my friends' offices they have sniffers for mail. I'll explain the
> scenario: in their office there is no internet connection given to the
> programmers or developers; whatever they have is their official
> mail. They can only receive and send mail through their official mail
> ids. Whatever they send and receive is passed through some sniffers or
> some filter programs; if something related to the company is going out
> they fire that developer or programmer.
> 
> What I want to know is what kind of programs they are using to filter
> those mails. I don't know much about their setup, as my friend is a
> software developer and he has very little knowledge about the system
> administration part.
> 
> Can anybody tell me about those sniffers and programs for filtering or
> checking the mail traffic?
> 
> I would like to have such a setup in my office.

You sure you want to do it?  Unless it is clearly spelled out in the 
employment agreement, you might be creating legal problems for yourself 
(depending on the jurisdiction you live in).  I'd check with the legal 
department before proceeding.  If anything goes wrong and the company gets 
sued, you'd better be able to point the finger at your legal department, or 
they will surely (and happily) point the finger at you (which could 
make you kind of unemployed rather quickly).

That said, there are some specialized commercial packages that should do 
the job.  Don't know the names, just know that they exist.  Basically 
you set them up to look for catch phrases (for example, internal names 
of not-yet-published products, or some suspicious words).  There's 
nothing "out-of-the-box" in the open source world.  There are some 
unspecialized programs that could be used to accomplish something like 
that, such as Snort (already mentioned in one of the replies you got). 
It is also trivial to write a filter (using the Milter API) that will send a 
copy of all emails entering/leaving the company to a separate mailbox and/or 
save a copy of the email onto disk, or do whatever you want with it.  Check 
the documentation (distributed with the Sendmail source, which is available 
at www.sendmail.org).

You can't do a thing if the user is using encryption (S/MIME or PGP). 
The only thing they can do in that case is raise an alarm that the user 
was using encryption (which hardly can be a reason to fire the user, 
unless his/her contract specifically prohibits the use of encryption). 
It's like you fired him because you saw him talking on his cell phone 
in the parking lot from your office window...

Also, you can't control what your users are doing from their personal 
accounts.  If you have somebody who is leaking internal information and 
if he is smart, he sure isn't going to leak it using the company's email 
address.  He's going to do it from the security of his/her home.  Of 
course, unless your company is hiring the cheapest possible developers. 
They usually don't have a high enough IQ ;-)

-- 
Aleksandar Milivojevic <amilivojevic at pbl.ca>    Pollard Banknote Limited
Systems Administrator                           1499 Buffalo Place
Tel: (204) 474-2323 ext 276                     Winnipeg, MB  R3T 1L7
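The kind of content filter Aleksandar describes (catch-phrase matching, keeping a copy of the message on disk, and the blind spot when the sender uses S/MIME or PGP), as an added Python example that is not part of the original thread or of any Sendmail code. It scans a raw message with Python's standard `email` package instead of hooking into the Sendmail Milter API (which needs the libmilter bindings); the watch phrases, sample messages and `archive_copy` helper are constructed for this example.

```python
import email
import hashlib
import os
import re
from email import policy
from email.message import EmailMessage

# Catch phrases of the kind the reply mentions (unpublished product names,
# suspicious words).  Constructed sample values, not a real list.
WATCH_PHRASES = ("project bluebird", "q3 roadmap", "confidential")

# Inline (non-MIME) PGP armour at the start of a line in a text part.
PGP_MARKER = re.compile(r"^-----BEGIN PGP MESSAGE-----", re.MULTILINE)


def is_encrypted(msg: EmailMessage) -> bool:
    """Return True when the message is S/MIME or PGP encrypted.

    Such a message cannot be content-inspected; the only signal available
    to the filter is the fact that encryption was used.
    """
    ctype = msg.get_content_type()
    # S/MIME enveloped data (RFC 8551) is a single application/pkcs7-mime part.
    if ctype == "application/pkcs7-mime":
        return True
    # PGP/MIME (RFC 3156) is multipart/encrypted with the pgp-encrypted protocol.
    if ctype == "multipart/encrypted" and msg.get_param("protocol") == "application/pgp-encrypted":
        return True
    # Inline PGP: armoured ciphertext pasted into an ordinary text part.
    for part in msg.walk():
        if part.get_content_maintype() == "text" and PGP_MARKER.search(part.get_content()):
            return True
    return False


def find_watch_phrases(msg: EmailMessage) -> list:
    """Collect watch phrases found in the Subject or any decoded text part."""
    texts = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            # get_content() undoes base64 / quoted-printable transfer encoding,
            # so an encoded body does not slip past a naive byte search.
            texts.append(part.get_content())
    hits = {phrase for text in texts for phrase in WATCH_PHRASES if phrase in text.lower()}
    return sorted(hits)


def scan(raw: bytes) -> dict:
    """Classify one raw RFC 5322 message the way a Milter content filter might."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if is_encrypted(msg):
        # Nothing to inspect; only the use of encryption can be reported.
        return {"action": "alert-encrypted", "phrases": []}
    phrases = find_watch_phrases(msg)
    return {"action": "flag" if phrases else "accept", "phrases": phrases}


def archive_copy(raw: bytes, directory: str) -> str:
    """Save a copy of the raw message to disk, named by its SHA-256 digest."""
    path = os.path.join(directory, hashlib.sha256(raw).hexdigest() + ".eml")
    with open(path, "wb") as fh:
        fh.write(raw)
    return path


def build_message(subject: str, body: str, cte: str = "7bit") -> bytes:
    """Build a constructed sample message as raw bytes (helper for the demo)."""
    m = EmailMessage()
    m["From"] = "dev@example.com"
    m["To"] = "friend@example.net"
    m["Subject"] = subject
    m.set_content(body, cte=cte)
    return m.as_bytes()


# A constructed PGP/MIME message; the ciphertext body is a placeholder.
SAMPLE_PGP_MIME = b"""From: dev@example.com
To: friend@example.net
Subject: (none)
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1
--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----
placeholder-ciphertext
-----END PGP MESSAGE-----
--b1--
"""


if __name__ == "__main__":
    import tempfile
    leak = build_message("heads up", "The Project Bluebird specs are attached. Confidential!", cte="base64")
    print(scan(build_message("lunch?", "Nothing to see here.")))
    print(scan(leak))
    print(scan(SAMPLE_PGP_MIME))
    print("archived to", archive_copy(leak, tempfile.mkdtemp()))
```

The base64 sample shows why the filter must decode transfer encodings before matching: the phrase never appears literally in the wire bytes. The encrypted cases illustrate the reply's point exactly: the filter can report that encryption was used, but it has no content to inspect.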




More information about the fedora-list mailing list