Showing results for 
Search instead for 
Did you mean: 

Incoming Policy for hyperlinks

Level 1
Level 1

Is it possible to setup an incoming mail policy that checks the text of a hyperlink against the actual address of the link?  For example if someone receives an email with a hyperlink and the text in the email is "click here" and the link goes to then quarantine.

1 Reply 1

HI Craig,

This is a great question.  The IronPort appliance does actually check hyperlinks using web reputation scoring, but I don't think it goes as far as validating the address as you describe.  Currently there is not a method that will allow the appliance to validate a link. That type of functionality falls more in line with the WSA appliance.  The web reputation scoring (WBRS) more or less looks for links in email messages that have had a history of being problematic.

What is Web Reputation (WBRS)?

IronPort Web Reputation is an  innovative method that analyzes the behavior and characteristics of a  Web server, providing the latest defense in the fight against spam,  viruses, phishing, and spyware threats.

IronPort Web Reputation™  uses real-time analysis on a vast, diverse, and global dataset to detect  URLs that contain some form of malware. Web Reputation is a critical  part of IronPort’s security database, which protects customers from  blended threats – whether email or Web traffic.

Web Reputation  leverages data from IronPort’s Common Security Database (SenderBase ®  Network), the world’s largest email and Web traffic monitoring network.  tracks over 50 distinct parameters that are excellent indicators of a  URL’s reputation. Using sophisticated security modeling
and malware detection agents, IronPort evaluates these URLs based on these inputs. Some of the parameters include:

• URL categorization data

• Presence of downloadable code

• Presence of long, obfuscated End-User License Agreements (EULAs)

• Global volume and changes in volume

• Network owner information

• History of a URL

• Age of a URL

• Presence on virus / spam / spyware / phishing / pharming blacklist(s)

• URL typos of popular domains

• Domain registrar information

• IP address information

IronPort  Web Reputation differs from a traditional URL blacklist or whitelist in  that it analyzes a broad set of data and produces a highly granular  score of -10 to +10, instead of the binary “good” or “bad”  categorizations of most malware detection applications. This granular  score offers administrators increased flexibility; different security  policies can be implemented based on different Web Reputation scoring  ranges.

For further details, please read the Web Reputation whitepaper at:

Christopher C Smith


Cisco IronPort Customer Support

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: