cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
701
Views
0
Helpful
3
Replies

Content Filter ignores expanded URLs

aj4
Level 1
Level 1

Hi,

unfortunately I couldn't find a solution to this, so hopefully you are able to help

In our ESA cluster (AsyncOS 14.2.2-004) we use dictionaries to quarantine mails e.g. by links contained in body or attachments.
The filter is a simple body-dictionary-match.

Recently we receive mails with links to bit.ly (which is not filtered), that are expanded by ESA to a URL that is in a dictionary.
Is there a way to also have these expanded URLs examined by the Content Filter?
cisco-esa-01.png
(this is from message details, ohrmf.app.link would normally get filtered out)

Thanks in advance,
Amélie

3 Replies 3

UdupiKrishna
Cisco Employee
Cisco Employee

URL filtering's capability to expand a shorted URL is to verify the actual's reputation or category and take actions. But it doesn't re-write the email with the expanded URL.

When a different content filter with body scanning condition looks at the email, it can only see "bit.ly" but not the expanded URL. It's behaving as expected at the moment, but I do understand your ask.

Feel free to talk to TAC and see if there are any options that can be explored here though I feel there aren't many (may be an enhancement if nothing works out)