Performing action on URLs that point to IP address

dkorell
Level 1

I am often finding spam/malicious e-mails getting through our filters that have URLs that point to IP addresses. The URLs are tagged with a neutral URL score, along with many thousands of other URLs every day, which is why I don't block or quarantine based on neutral, positive or no scores.

Does anyone know of a good way to perform an action (notify, quarantine, etc.) on a message with an IP address URL, or possibly even defang just the URLs with IP addresses?

Accepted Solution

Mathew Huynh
Cisco Employee

Hello dkorell,

 

For this requirement, to capture emails with URL links that are IP addresses and not hostnames (URL filtering should still be able to see if they show any malicious activity), an alternative would be:

Creating a message or content filter to look for patterns rather than relying on URL filtering conditions, as it does not have the option for IP URLs.

 

A condition of your filter would be something along the lines of:

Message body -> contains -> http:\/\/(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])

With a second condition of: message body -> contains -> https:\/\/(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])

 

However, as you can see, it relies heavily on regex and can be considered expensive depending on how much mail flows through.

Your action would be to notify or take action accordingly.

In my filter I used quarantine with a log entry so I can see this in the mail_logs:

 

Sat Feb 10 13:45:52 2018 Info: MID 57633 Custom Log Entry: Test: http://10.66.71.1
Sat Feb 10 13:45:52 2018 Info: MID 57633 quarantined to "Policy" (content filter:matt_test)

 

One thing to note: I've run this filter and tested it in my lab environment. If you were to deploy this into your live production, please create a restrictive policy so it only affects emails from your address for testing purposes.

 

Thanks,

Matthew
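The two "message body contains" conditions above can be checked offline before they are enabled on the appliance. The following is an added example, not Cisco ESA code and not from the thread: it reproduces the filter's octet regex in Python, scans the decoded text parts of a message for http(s) URLs whose host is a literal IPv4 address, returns the quarantine/deliver decision with the matched URLs (the values one would write to the custom log entry), and adds the defang step the original question asked about. The sample messages are constructed here; the named `host`/`rest` groups and the `(?![0-9])` lookahead are additions to the filter's pattern.

```python
"""Added example (not Cisco ESA code): mirror the IP-URL content filter
from the accepted answer and a defang action, using only the standard library."""
import email
import ipaddress
import re
from email import policy
from email.message import EmailMessage
from typing import List, Tuple

# Same octet alternation as the filter's regex. Added here: a named host
# group, a lookahead so "1.2.3.4567" is not read as 1.2.3.45 plus junk, and
# a "rest" group that keeps port/path so the full URL can be logged/defanged.
OCTET = r"(?:[0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])"
IP_URL_RE = re.compile(
    r"https?://(?P<host>(?:" + OCTET + r"\.){3}" + OCTET + r")(?![0-9])"
    r"(?P<rest>[^\s<>\"')]*)",
    re.IGNORECASE,
)


def find_ip_urls(text: str) -> List[str]:
    """Return every http(s) URL in `text` whose host is a dotted-quad IPv4 address."""
    hits = []
    for m in IP_URL_RE.finditer(text):
        # Defensive double-check that the captured host is a valid address;
        # the regex already limits each octet to 0-255.
        ipaddress.IPv4Address(m.group("host"))
        hits.append(m.group(0))
    return hits


def body_text(msg: EmailMessage) -> str:
    """Concatenate decoded text/plain and text/html parts, i.e. what a
    'message body' condition inspects."""
    parts = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            parts.append(part.get_content())
    return "\n".join(parts)


def classify(raw: bytes) -> Tuple[str, List[str]]:
    """Mirror the filter: quarantine when the body carries an IP-address URL,
    otherwise deliver. Returns (action, matched URLs) for the log entry."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    urls = find_ip_urls(body_text(msg))
    return ("quarantine" if urls else "deliver"), urls


def defang(text: str) -> str:
    """Neutralise only IP-address URLs, leaving hostname URLs untouched:
    http -> hxxp and every '.' in the address -> '[.]'."""
    def _sub(m: "re.Match") -> str:
        scheme = m.group(0)[: m.group(0).index("://")]
        scheme = re.sub("tt", "xx", scheme, flags=re.IGNORECASE)
        return f"{scheme}://{m.group('host').replace('.', '[.]')}{m.group('rest')}"
    return IP_URL_RE.sub(_sub, text)


def _sample(plain_body: str, html_body: str) -> bytes:
    """Build a constructed multipart/alternative test message (not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "constructed test message"
    msg.set_content(plain_body)
    msg.add_alternative(html_body, subtype="html")
    return msg.as_bytes()


# Constructed samples: documentation address ranges, not real infrastructure.
SPAM_SAMPLE = _sample(
    "Verify your account now: http://203.0.113.7/login\n",
    '<a href="https://198.51.100.22:8080/verify">Verify</a>\n'
    "or visit https://www.example.com/help\n",
)
CLEAN_SAMPLE = _sample(
    "Agenda: https://www.example.com/meeting/2018-02-10\n",
    '<p>See <a href="https://www.example.com/meeting">the page</a>.</p>\n',
)

if __name__ == "__main__":
    for name, raw in (("spam", SPAM_SAMPLE), ("clean", CLEAN_SAMPLE)):
        action, urls = classify(raw)
        print(f"{name}: {action} {urls}")
    print(defang("see http://203.0.113.7/login now"))
```

Running the script against a handful of real messages exported from the quarantine is a cheap way to follow the advice above (test against your own address first): it shows exactly which URLs the pattern would catch and which it would not. Note that the pattern, like the filter it mirrors, only recognises dotted-quad IPv4 hosts, so treat a hit as one signal alongside the appliance's URL reputation rather than a complete check.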

5 Replies


Thanks for the regex suggestions. I'll give that a try. I always test just to my account first and then I move to production and just notify myself first to gauge how many legitimate e-mails are getting caught.

Hey Dkorell,

Thanks for the update, please keep me posted on how it goes.

Cheers,
Matthew

This has worked very well. About 70 spam e-mails stopped in the first day going to 5 people, with no legitimate e-mails triggering it (I wouldn't expect legitimate e-mails to use IPs). Thanks again for your help.

Hello Dkorell,

That is fantastic to hear :) Glad to have helped.

Regards,

Matthew
