
false positives - double meaning words

The-Messenger
Level 1

I apologize in advance if I’ve missed this discussion, I figure there would be one but couldn’t search it.

Does Ironport have a method for scoring words that could be profanity or sexual content depending on the intent? I’ve seen some systems that will use phrases as well as words and give a word a positive score if there are other specific words that go along with it.

Is there any way to do this with the Ironport?

Is there any way to allow a word based on the sentence or phrase around the word?

2 Replies

Enrico Werner
Cisco Employee

Hi,

on the IronPort appliance you can work with dictionaries. By default there is a profanity and sexual content dictionary available. You also can create your own dictionaries. For each term, you specify a “weight,” so that certain terms can trigger filter conditions more easily. When AsyncOS scans messages for the content dictionary terms, it “scores” the message by multiplying the number of term instances by the weight of the term. Two instances of a term with a weight of three would result in a score of six. AsyncOS then compares this score with a threshold value associated with the content or message filter to determine if the message should trigger the filter action.

Best regards,

Enrico

exMSW4319
Level 3

One of the difficulties of content-scanning is that no algorithm available to us at this time is going to be able to work out the context of the message. For that reason when you construct a filter to deal with profanity you must create a mechanism to deal with cases where a block is not required; for example when a customer complaint or worse still litigation requires that expletives be stated for the record. The possible solutions here are to have a separate policy for addresses that might handle that type of traffic, to reject mail with an explanatory notice or to quarantine or forward such mail for manual intervention. The first method invites misuse, the second provokes senders to play obfuscation guessing games with your dictionaries and the third may attract a wholly impractical volume of work.

A dictionary can be made more reliable by avoiding the use of ambiguous words. This does not mean that you do not scan for them; instead, you include words that would be found in conjunction with the profanity. For example, if you scan for the word "tit" then you may get many false positives from binary attachments. If instead you scan for the phrases "her tit", "my tit" and "your tit" then you have far less chance of a false positive.

When testing any new filter you should of course either include a condition so that it only works with your test address, or create an entire policy which only applies to your test address. You then test your test environment before giving it something new to test!
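
A Python model of the scoring rule (instances multiplied by weight, compared with a threshold) and of the phrase-based dictionary described in the two replies above, added here as an illustration; it is not AsyncOS code and does not come from either poster. Case-insensitive substring matching and the `whole_words` switch are assumptions of this model, and all sample texts are constructed.

```python
import re

# Constructed dictionaries: term -> weight. The terms are the ones quoted in
# the thread; weight 3 and threshold 6 follow the reply's worked figures.
SINGLE_WORD = {"tit": 3}
PHRASES = {"her tit": 3, "my tit": 3, "your tit": 3}
THRESHOLD = 6

# Constructed sample inputs (not real mail).
SAMPLES = {
    "base64_line": "QkFTRTY0tit9xTiTa0ZGF0YQ==",
    "benign_prose": "The title of the competition entry",
    "benign_phrase": "Please confirm your title and her title",
    "target_phrase": "quoted for the record: her tit, your tit",
}


def score(text, dictionary, whole_words=False):
    """Sum over all terms of (number of instances) * (weight of the term)."""
    total = 0
    for term, weight in dictionary.items():
        pattern = re.escape(term)
        if whole_words:
            # Assumption of this model: require word boundaries around the term.
            pattern = r"\b" + pattern + r"\b"
        total += len(re.findall(pattern, text, re.IGNORECASE)) * weight
    return total


def triggers(text, dictionary, threshold=THRESHOLD, whole_words=False):
    """True when the message score reaches the filter's threshold."""
    return score(text, dictionary, whole_words) >= threshold


def report():
    """Per sample: (single-word dict, phrase dict, phrase dict + whole words)."""
    return {
        name: (
            triggers(text, SINGLE_WORD),
            triggers(text, PHRASES),
            triggers(text, PHRASES, whole_words=True),
        )
        for name, text in SAMPLES.items()
    }


if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:14} single={row[0]} phrases={row[1]} phrases_whole={row[2]}")
```

In this model the phrase dictionary clears the encoded line and ordinary prose, but "your title" still matches the phrase term as a substring until word boundaries are required.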