One of the more powerful capabilities of the content detection engine within Sendmail’s Sentrion appliance is the ability to add rules to respond to scenarios that security experts or messaging architects come up with.
I attended a briefing held by Verizon Business where Dr. Peter Tippett spent an hour or so going through the Verizon Business 2008 Data Breach Report. Many security and privacy professionals from the Rocky Mountain Front Range attended the informative and enlightening presentation about 500 data leakage events over the past four years.
During his presentation he briefly mentioned Sendmail’s Email Gateway technology. I am sure he didn’t expect anyone from Sendmail to be at this meeting, but I figured that it was a good opportunity to speak with him. Several people asked questions, and when I finally had the chance to engage him one-on-one, I didn’t even have time to ask a question before he told me, “It would be great if the MTA could identify documents that had been renamed to carry a non-matching MIME type.” The example he gave was the renaming of an executable or archive file to .txt, such as openme.exe to openme.txt. My mind began calculating the options, and I began thinking about more comprehensive scenarios, such as when files within a message are renamed within a nested Zip or an email that contained multiple attachments with and without mismatched extensions. At the time I wasn’t too sure that our content inspection engine was up to the task, and then Tippett responded, “Don’t forget that you have to do the inverse.” My knee-jerk reaction was “of course.” I thanked him for the suggestion and didn’t even get a chance to ask him the question I had intended.
What was the inverse? Fortunately the answer came to me swiftly; the inverse would be to identify a file name that was labeled as an .xls or .ppt that wasn’t an Excel file or PowerPoint presentation.
I honestly couldn’t get home fast enough to test out these scenarios within the lab.
Fortunately Sentrion’s engine is efficient in handling attachments within archives like Zip and tar files or literally any combination of multiple attachments. As a result of this event, and in very short order, today we have authored 10 policies that identify mismatched attachments, specifically focusing on business-related documents. The same business logic can be used for any MIME type or file name extension. The complexity and completeness of the content inspection engine perfectly matches the capabilities offered in Sentrion’s complex routing features.
So if you are looking for a perfect mismatch, Sendmail’s Sentrion is a perfect solution.
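The mismatch check described above, in both directions and through nested Zip archives, as an added Python example (it is not Sentrion's policy language or Sendmail's code). The signature table, the extension map, the depth limit and the sample attachment names other than openme.txt are assumptions chosen for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from pathlib import PurePosixPath

# Leading-byte signatures -> content family (small illustrative subset).
MAGIC = [(b"MZ", "exe"), (b"PK\x03\x04", "zip"), (b"%PDF-", "pdf"),
         (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2")]
# Family each extension promises; None = no binary signature expected.
EXPECTED = {".txt": None, ".exe": "exe", ".zip": "zip", ".pdf": "pdf",
            ".xls": "ole2", ".ppt": "ole2", ".doc": "ole2",
            ".xlsx": "zip", ".pptx": "zip", ".docx": "zip"}
MAX_DEPTH = 3  # do not descend forever into nested archives

def sniff(data):
    """Return the family named by the leading bytes, or None."""
    return next((k for sig, k in MAGIC if data.startswith(sig)), None)

def check(name, data, depth=0):
    """Yield (path, extension, sniffed family) for each mismatch."""
    ext, kind = PurePosixPath(name).suffix.lower(), sniff(data)
    # One test covers both directions (binary as .txt, non-Office as .xls).
    if ext in EXPECTED and EXPECTED[ext] != kind:
        yield name, ext, kind
    if kind == "zip" and depth < MAX_DEPTH:
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if not info.is_dir():
                        yield from check(f"{name}!{info.filename}",
                                         zf.read(info), depth + 1)
        except (zipfile.BadZipFile, RuntimeError):
            pass  # malformed or encrypted archive: cannot walk it

def scan_message(raw):
    """Check every attachment of a raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [hit for part in msg.iter_attachments()
            for hit in check(part.get_filename() or "",
                             part.get_payload(decode=True) or b"")]

def sample_message():
    """Constructed input: fake 'MZ' bytes as .txt, plain text as .xls."""
    msg = EmailMessage()
    msg.set_content("see attached")
    for name, body in [("openme.txt", b"MZ\x90\x00"),
                       ("q3.xls", b"not OLE2"), ("notes.txt", b"hello")]:
        msg.add_attachment(body, "application", "octet-stream", filename=name)
    return msg.as_bytes()
```

Leading-byte checks are coarse: a text file that begins with the letters MZ is flagged too, so hits are candidates for review rather than verdicts.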