02-08-2018 09:40 AM - edited 03-08-2019 07:33 PM
I am often finding spam/malicious e-mails getting through our filters that have URLs that point to IP addresses. The URLs are tagged with a neutral URL score along with many thousands of other URLs every day, which is why I don't block or quarantine based on neutral, positive or no scores.
Does anyone know of a good way to perform an action (notify, quarantine, etc.) on a message with an IP address URL, or possibly even defang just the URLs with IP addresses?
02-09-2018 07:08 PM
Hello dkorell,
For this requirement (capturing emails with URL links which are URLs and not hostnames; URL filtering should still be able to see if they are showing any malicious activity), an alternative would be:
Creating a message or content filter to look for patterns rather than relying on URL filtering conditions, as it does not have the option for IP URLs.
A condition of your filter would be something along the lines of:
Message body -> contains -> http:\/\/(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])
With a second condition of: message body -> contains -> https:\/\/(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])
However, as you can see, it relies heavily on regex and can be considered expensive depending on how many mails flow through.
Your action would be to notify or take action accordingly.
In my filter I used quarantine with a log-entry so I can see this in the mail_logs:
Sat Feb 10 13:45:52 2018 Info: MID 57633 Custom Log Entry: Test: http://10.66.71.1
Sat Feb 10 13:45:52 2018 Info: MID 57633 quarantined to "Policy" (content filter:matt_test)
One thing to note: I've run this filter and tested it in my lab environment - if you were to deploy this into your live production, please create a restrictive policy so it only affects emails from your address for testing purposes.
Thanks,
Matthew
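To show what the two body conditions above actually match, here is an added Python example (not from the thread and not Cisco's code) that runs the posted octet pattern over constructed message bodies, and beside it a longest-first variant that captures the whole final octet and so also supports the defanging the question asked about. It assumes Python's re module; the exact regex dialect the appliance's content filters use is an assumption not checked here.

```python
import re

# The octet alternation exactly as posted above (shortest alternative first).
POSTED_OCTET = r"(?:[0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])"
# Same octet set reordered longest-first, plus a guard so the final octet
# cannot stop early in front of another digit (e.g. "254" matched as "2").
STRICT_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9][0-9]|[0-9])"

# The post uses two "contains" conditions (http and https); "https?" folds them.
POSTED_RE = re.compile(r"https?://(?:" + POSTED_OCTET + r"\.){3}" + POSTED_OCTET)
STRICT_RE = re.compile(
    r"https?://(?:" + STRICT_OCTET + r"\.){3}" + STRICT_OCTET + r"(?![0-9])"
)


def find_ip_urls(body: str, pattern: re.Pattern = STRICT_RE) -> list:
    """Return each http(s) URL whose host is a dotted-quad IP literal."""
    return [m.group(0) for m in pattern.finditer(body)]


def defang_ip_urls(body: str) -> str:
    """Rewrite IP-literal URLs so they no longer render as clickable links."""
    def _defang(m: re.Match) -> str:
        return m.group(0).replace("http", "hxxp", 1).replace(".", "[.]")
    return STRICT_RE.sub(_defang, body)


# Constructed sample message bodies (not taken from the thread).
SAMPLES = {
    "ip_http": "Invoice attached, confirm at http://10.66.71.1/login now.",
    "ip_https": "Reset your password: https://192.168.0.254:8443/reset?u=1",
    "hostname": "See https://www.example.com/path and http://example.net/",
    "no_links": "No links in this message.",
}


def classify(samples: dict = SAMPLES) -> dict:
    """Map each sample name to the IP-literal URLs found in its body."""
    return {name: find_ip_urls(body) for name, body in samples.items()}


if __name__ == "__main__":
    for name, hits in classify().items():
        print(f"{name:9s} -> {hits}")
    print(defang_ip_urls(SAMPLES["ip_https"]))
```

For a plain "contains" condition the posted ordering is enough, since any match triggers the filter; the longest-first form matters only when the matched text is reused, for example in a log entry or a defanged rewrite.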
02-13-2018 07:46 AM
Thanks for the regex suggestions. I'll give that a try. I always test just to my account first and then I move to production and just notify myself first to gauge how many legitimate e-mails are getting caught.
02-16-2018 12:02 PM
This has worked very well. About 70 spam e-mails were stopped in the first day going to 5 people, with no legitimate e-mails triggering it (I wouldn't expect legitimate e-mails to use IPs). Thanks again for your help.