Completely correct and I also liked the "build a better idiot" comment. Assuming users have already been told "don't do that" and most of them comply, there will probably be more false positives than actual blocking of SSN's from such a filter. "There are seldom technological solutions to behavioral problems" is way overdue for mentioning in this thread... Carl From: exchangelist-bounce@xxxxxxxxxxxxx [mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Jabber Wock Sent: Tuesday, May 20, 2008 4:16 PM To: exchangelist@xxxxxxxxxxxxx Subject: [ExchangeList] Re: question Hi, Actually it is not totally arbitrary. The format is xxx-yy-zzzz (the separators can be hyphen, space, or no separator). The "xxx" must be between 1 and 772. The "yy" and "zzzz" can be anything except 00 and 0000 respectively. Also, xxx cannot be "666" because of the controversal nature of this number especially in the SSN context. However, what if someone is legitimately sending a number 111223333 via email, and it is not a SSN but some other important and meaningful number (and it does not matter, that it is sent in cleartext for that conversation e.g. it might be the weight in milligrams of something they ordered). Will regular expressions alone detect whether this is a live SSN or not? Probably not. JW On 5/20/08, Michael B. Smith <michael@xxxxxxxxxxxxxxxxxxxxxxxx> wrote: You use regular expressions. It's an arbitrary nine-digit number. Exchange 2007 supports that too. Regards, Michael B. Smith MCSE/Exchange MVP http://TheEssentialExchange.com <http://theessentialexchange.com/> From: exchangelist-bounce@xxxxxxxxxxxxx [mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Sandra K. Hemker Sent: Tuesday, May 20, 2008 2:45 PM To: exchangelist@xxxxxxxxxxxxx Subject: [ExchangeList] Re: question We don't use the feature here yet. I just know that it does exist. I'm not sure how any system could detect it well without the dashes. _____ From: exchangelist-bounce@xxxxxxxxxxxxx [mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Rick Boza Sent: Tuesday, May 20, 2008 2:16 PM To: exchangelist@xxxxxxxxxxxxx Subject: [ExchangeList] Re: question Out of curiousity - how well does it handle malformed SSNs? What I mean is, assuming it looks for strings formatted as : ###-##-#### But what happens if it is formatted as ######### ? I know Postini has some great capability - I'm just wondering how comprehensive the filtering of SSN's really works out to be. You know what they say, if you try to idiot-proof the system, someone will always build a better idiot. Rick On Tue, May 20, 2008 at 2:01 PM, Sandra K. Hemker <sanhem@xxxxxxxxxxx> wrote: We use POSTINI spam\virus filter which is a subscribed to service and they give you the ability to set up OUTBOUND content management where it will search outgoing email for SSN's. _____ From: exchangelist-bounce@xxxxxxxxxxxxx [mailto:exchangelist-bounce@xxxxxxxxxxxxx] On Behalf Of Alex Sent: Tuesday, May 20, 2008 11:09 AM To: exchangelist@xxxxxxxxxxxxx Subject: [ExchangeList] question is there anybody out there using anything that would stop social security numbers from being emailed thru exchange 2003 thanks for your time in advance