Has anyone noticed any benefit in monitoring the POP3 protocol? We have been monitoring POP3 and have noticed all false positives. We have also noticed in the incidents that the source IP shows as an internal address and the destination IP address shows as external. For example, I highly doubt that we have someone in our environment running a mail server on their personal MacBook Pro and that Juno is connecting to that server to retrieve their email. POP3 is only for retrieving email and does not have any sort of push function.
Is the reason it shows our internal computer as the source because the internal computer/smartphone is requesting email from Juno and then it receives email and DLP doesn't know which direction information is flowing? It just sees that the connection was initiated from inside and then it sees some sort of offending traffic in the session and it assumes that it is flowing outbound rather than inbound?
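An added example, not part of the original post: a small Python sketch that separates who opened a POP3 session from which way message content travels inside it. The session transcript, the `classify` function and the field names are constructed for illustration and do not describe any particular DLP product.

```python
# Constructed POP3 session: "C" = client (internal host that opened the
# connection), "S" = server (external mail provider).
SESSION = [
    ("S", "+OK POP3 server ready"),
    ("C", "USER alice"), ("S", "+OK"),
    ("C", "PASS example-password"), ("S", "+OK 1 message"),
    ("C", "RETR 1"), ("S", "+OK 120 octets"),
    ("S", "Subject: statement"), ("S", ""),
    ("S", "Account number 0000-0000 (constructed)"),
    ("S", "..leading dot line"),   # dot-stuffed body line
    ("S", "."),                    # end of multi-line reply
    ("C", "QUIT"), ("S", "+OK bye"),
]

CONTENT = {"RETR", "TOP"}    # replies that carry message content
LISTING = {"LIST", "UIDL"}   # multi-line only when sent without an argument

def classify(session):
    """Count client command bytes and server-delivered message bytes."""
    stats = {"client_command_bytes": 0, "server_message_bytes": 0, "messages": 0}
    pending = None   # (verb, has_argument) of the command awaiting a reply
    in_body = None   # verb whose multi-line reply is currently being read
    for sender, line in session:
        if sender == "C":
            stats["client_command_bytes"] += len(line) + 2   # + CRLF
            parts = line.split()
            pending = (parts[0].upper() if parts else "", len(parts) > 1)
            continue
        if in_body is not None:
            if line == ".":              # terminator of the multi-line reply
                in_body = None
                continue
            if line.startswith("."):     # undo dot-stuffing
                line = line[1:]
            if in_body in CONTENT:
                stats["server_message_bytes"] += len(line) + 2
            continue
        if pending and line.startswith("+OK"):
            verb, has_arg = pending
            if verb in CONTENT or verb == "CAPA" or (verb in LISTING and not has_arg):
                in_body = verb
                if verb == "RETR":
                    stats["messages"] += 1
        pending = None
    return stats

if __name__ == "__main__":
    print(classify(SESSION))
```

In this transcript the internal host is the connection source, yet every byte of message content is in a server reply, since the client side of POP3 only sends commands.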