Southern California Data Loss Prevention User Group

 View Only
  • 1.  DLP Network Monitor POP 3

    Posted Nov 29, 2012 06:51 PM

    Has anyone noticed any  benefit in monitoring the POP3 protocol? We have been monitoring POP3 and have noticied all false positives. We have also noticed in the incidents that the source IP shows as an internal address and the destination IP address shows as external.For example I highly doubt that we have someone in our environment running a mail server on their personal Mac Book Pro and that Juno is connecting to that server to retreive their email. POP3 is only for retreiving email and does not have any sort of push function.

    Is the reason it shows our internal computer as the source because the internal computer/smartphone is requesting email from Juno and then it receives email and DLP doesn't know which direction informaition is flowing? It just sees that the connection was initiated from inside and then it sees some sort of offending traffic in the session and it assumes that it is flowing outbound rather than inbound?


  • 2.  RE: DLP Network Monitor POP 3

    Posted Feb 17, 2013 11:31 AM

    Hi Dan ,

    can u explain it details about the advantage POP3. ?

  • 3.  RE: DLP Network Monitor POP 3

    Posted Feb 21, 2013 01:37 PM


    Track down the internal IP that is starting the connection. It is porbably a user getting their outside email, but it might not be.

    I'd also suggest someone check the acceptable use policy to see if this situation is covered or prohibited or not.

    Is POP3 used inside the company? If not, you could stop monitoring it.

    Oh, check with the firewall team, find out if POP3 is allowed inbound. If it is, then you would need to monitor it for protected data leaving the company.