
Overzealous ABA Numbers smart identifier

keithsauer507
Level 5

We have a problem where our IronPort C160 sometimes auto-encrypts outgoing e-mail when it shouldn't.  One of the policies I see it hitting on is ABA Numbers, which is a smart identifier (I should say dumb identifier in this case because it is not contextually aware).

 

Is there any fix for this?  In the source code of the message it's just code that Outlook randomly inserts in the file.  Here is a snippet of the code:

Matched content 278606812

body-contains("*aba",1)

 

 

/* List Definitions */
 @list l0
 {mso-list-id:278606812;
 mso-list-type:hybrid;
 mso-list-template-ids:-1980590060 67698705 67698713 67698715 67698703 67698713 67698715 67698703 67698713 67698715;}
 @list l0:level1
 {mso-level-text:"%1\)";
 mso-level-tab-stop:none;
 mso-level-number-position:left;
 text-indent:-.25in;}
 @list l0:level2
 {mso-level-number-format:alpha-lower;
 mso-level-tab-stop:none;
 mso-level-number-position:left;
 text-indent:-.25in;}
 @list l0:level3
 {mso-level-number-format:roman-lower;
 mso-level-tab-stop:none;
 mso-level-number-position:right;
 text-indent:-9.0pt;} 
1 Reply 1

Andreas Mueller
Level 4

Hello Keith,

You are correct that the ABA identifier causes false positives; this also happens for SSN identifiers, simply because the format does not have any checksums or the like to confirm this is really an ABA or SSN.  There are two possible approaches for that. One would be to purchase DLP, which is indeed contextually aware when it comes to this kind of data.  Another approach without DLP would be to add at least one more condition to the ABA smart identifier, i.e. a dictionary with words like "account", "transfer", "bank" etc.  Combining both conditions with an AND statement (only if all conditions match) should work without causing many more false positives. That's after all how DLP works as well.

 

Hope that helped,

Andreas
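
The two-condition rule suggested in the reply above, simulated offline as an added example (not part of the original thread and not the appliance's own logic). It assumes a bare nine-digit run as a stand-in for the `*aba` smart identifier, whose real matching logic is not shown on this page; the function names and the two constructed messages are hypothetical.

```python
import re

# Assumption: a standalone 9-digit run stands in for the "*aba" smart
# identifier; the appliance's actual matching logic is not on this page.
NINE_DIGITS = re.compile(r"(?<!\d)\d{9}(?!\d)")

# Context dictionary built from the words suggested in the reply.
CONTEXT_TERMS = ("account", "transfer", "bank")
CONTEXT = re.compile(r"\b(?:%s)\b" % "|".join(CONTEXT_TERMS), re.IGNORECASE)

def identifier_only(body):
    """Single condition: every standalone 9-digit run is a hit."""
    return NINE_DIGITS.findall(body)

def identifier_and_dictionary(body):
    """Both conditions (AND): a 9-digit hit counts only if a context term
    also appears somewhere in the same body."""
    hits = identifier_only(body)
    return hits if hits and CONTEXT.search(body) else []

# Excerpt of the Outlook-generated list CSS quoted in the question.
OUTLOOK_CSS = """@list l0
 {mso-list-id:278606812;
 mso-list-type:hybrid;
 mso-list-template-ids:-1980590060 67698705 67698713;}"""

# Constructed sample: a message that should still trigger the policy.
# 123456789 is a placeholder, not a real routing number.
WIRE = "Please transfer the funds to routing number 123456789, account ending 4410."

# Constructed sample: unrelated banking word plus the same Outlook CSS.
MIXED = "See the bank holiday schedule below.\n" + OUTLOOK_CSS

if __name__ == "__main__":
    for name, body in (("outlook_css", OUTLOOK_CSS), ("wire", WIRE), ("mixed", MIXED)):
        print(name, identifier_only(body), identifier_and_dictionary(body))
```

The `MIXED` case still matches, because the dictionary condition applies to the whole body rather than to text near the number; this is the residual false-positive rate the reply alludes to.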