Content Filter ignores expanded URLs

aj4
Level 1

Hi,

Unfortunately I couldn't find a solution to this, so hopefully you are able to help.

In our ESA cluster (AsyncOS 14.2.2-004) we use dictionaries to quarantine mails e.g. by links contained in body or attachments.
The filter is a simple body-dictionary-match.

Recently we have been receiving mails with links to bit.ly (which is not filtered) that are expanded by the ESA to a URL that is in a dictionary.
Is there a way to also have these expanded URLs examined by the Content Filter?
[Screenshot: cisco-esa-01.png]
(this is from message details, ohrmf.app.link would normally get filtered out)

Thanks in advance,
Amélie

3 Replies

UdupiKrishna
Cisco Employee

URL filtering's capability to expand a shortened URL is there to verify the actual URL's reputation or category and take action. But it doesn't rewrite the email with the expanded URL.

When a different content filter with a body scanning condition looks at the email, it can only see "bit.ly" but not the expanded URL. It's behaving as expected at the moment, but I do understand your ask.

Feel free to talk to TAC and see if there are any options that can be explored here, though I feel there aren't many (maybe an enhancement if nothing works out).

I concur on the enhancement request.
The easiest enhancement would be a checkbox to rewrite shortened URLs as their expanded version...
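
The gap described in the replies above, as an added Python sketch that is not part of the original thread and is not ESA configuration: a body-only dictionary match sees just the shortener host, while a match on the expanded URL's host hits the dictionary. The redirect table, the bit.ly path, and the names `scan`, `expand` and `in_dictionary` are constructed assumptions; the lookup is simulated so the example runs offline.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r'https?://[^\s<>"]+', re.IGNORECASE)

# Constructed sample data; only the two hostnames come from the thread.
DICTIONARY = {"ohrmf.app.link"}   # stand-in for the body dictionary
SHORTENERS = {"bit.ly"}
REDIRECTS = {                     # simulated expansion results (assumption)
    "https://bit.ly/example1": "https://ohrmf.app.link/constructed-path",
}

def host(url):
    return (urlsplit(url).hostname or "").lower()

def in_dictionary(hostname, dictionary):
    """True if the host or any of its parent domains is a dictionary entry."""
    parts = hostname.split(".")
    return any(".".join(parts[i:]) in dictionary for i in range(len(parts)))

def expand(url, resolve, max_hops=5):
    """Follow shortener hops via `resolve` (hypothetical lookup callable).

    Stops on a non-shortener host, a missing target, a redirect loop,
    or after max_hops lookups.
    """
    seen = set()
    while host(url) in SHORTENERS and url not in seen and len(seen) < max_hops:
        seen.add(url)
        target = resolve(url)
        if not target:
            break
        url = target
    return url

def scan(body, resolve=REDIRECTS.get):
    """Return (url, expanded_url, body_hit, expanded_hit) per URL in body."""
    results = []
    for raw in URL_RE.findall(body):
        url = raw.rstrip(".,;")          # drop trailing sentence punctuation
        final = expand(url, resolve)
        results.append((url, final,
                        in_dictionary(host(url), DICTIONARY),
                        in_dictionary(host(final), DICTIONARY)))
    return results

if __name__ == "__main__":
    for row in scan("Please review https://bit.ly/example1. Thanks"):
        print(row)
```
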


tulibsalim
Level 1

Firstly, clear the caches on your web browser and flush the DNS cache on your computer. Cached data or outdated DNS records can sometimes cause issues with URL expansion. After clearing the caches, try accessing the URLs again to see if the content filter recognizes them correctly. Regards.