Link in body

jheadley
Level 1

Is there a way to block an incoming message that contains only a link in the body of the message?

We have been receiving a lot of messages from clients where their computer or email account (primarily AOL) has been hacked and they are sending messages to all of their contacts.

I have a filter in place to catch messages with a blank subject, which would work, but that will also catch legitimate messages.

3 Replies

Try looking at these...

http://www.regexguru.com/2008/11/detecting-urls-in-a-block-of-text/

If you take the first one:

\b(https?|ftp|file)://[-A-Z0-9+&@#/%?=~_|!:,.;]*[A-Z0-9+&@#/%=~_|]

I'd take off the word boundary at the front, and prepend ^ (beginning of line) and add $ at the end (end of line)...

^(https?|ftp|file)://[-A-Z0-9+&@#/%?=~_|!:,.;]*[A-Z0-9+&@#/%=~_|]$

Ehh, but that's going to catch any URL on a line by itself... (like the second line of this message..)

Maybe this, plus from AOL, plus a blank subject?

Ken
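The combination suggested above (URL pattern, AOL sender, blank subject), as an added Python example that is not part of the original thread and is not ESA message filter syntax. It shows that the line-anchored pattern also fires on a normal message with a URL on its own line, while requiring the whole body to be a single URL does not; the sample messages, addresses and function names are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# URL pattern from the post above; it lists only A-Z, so match case-insensitively.
URL_RE = re.compile(
    r"(?:https?|ftp|file)://[-A-Z0-9+&@#/%?=~_|!:,.;]*[A-Z0-9+&@#/%=~_|]", re.I)

def body_text(msg):
    """Return the first text/plain part, or the raw payload of a simple message."""
    if msg.is_multipart():
        for part in msg.walk():
            if part.get_content_type() == "text/plain":
                return part.get_payload()
        return ""
    return msg.get_payload()

def classify(raw):
    """Evaluate each condition separately so over-matching is visible."""
    msg = message_from_string(raw)
    body = body_text(msg).strip()
    sender = parseaddr(msg.get("From", ""))[1].lower()
    return {
        # ^URL$ per line: true for any message with a URL on a line by itself
        "url_on_own_line": any(URL_RE.fullmatch(l.strip()) for l in body.splitlines()),
        # stricter: the entire body, minus surrounding whitespace, is one URL
        "only_a_url": bool(URL_RE.fullmatch(body)),
        "blank_subject": not (msg.get("Subject") or "").strip(),
        "from_aol": sender.endswith("@aol.com"),
    }

def should_quarantine(raw):
    c = classify(raw)
    return c["only_a_url"] and c["blank_subject"] and c["from_aol"]

# Constructed sample messages (not real traffic).
HEAD = "From: Client <client@aol.com>\nTo: me@example.com\nSubject:\n\n"
LINK_ONLY = HEAD + "http://example.test/abc?id=1\n"
LEGIT = HEAD + "Here is the form you asked for:\nhttp://example.test/form.pdf\nThanks\n"
OTHER_SENDER = LINK_ONLY.replace("client@aol.com", "client@example.org")

if __name__ == "__main__":
    for name, raw in [("link-only", LINK_ONLY), ("legit", LEGIT),
                      ("other-sender", OTHER_SENDER)]:
        print(name, classify(raw), "quarantine:", should_quarantine(raw))
```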

Thanks.  I will give that a try.

I got it set right now to quarantine any message with a blank subject from an AOL account and then BCC me so I know something tripped the filter.

I have a military email account and they strip all links in a message and replace them with a redirect to a banner page saying it was stripped by policy. I did not know if Ironport could also do something like that.

There is a Message filter action called "Edit-body-text" which can replace text in the body of the email with other text, e.g. a message and a link to a web page somewhere which can show you the banner page you create?

If you look at ESA 7.5 Advanced guide.pdf on page 6-90-91 Edit Body Text Action it can show how to replace a URL and if you combine this with an if statement matching no subject and maybe AOL it can do what you want?

I just learnt about message filters so be careful with them, especially the Edit-body-text action since they are applied on all in/out emails it can have unintended side effects.

Good luck