08-23-2016 02:32 PM
Hi,
We are experiencing an increase in phishing mails containing shortened links from services like bit.ly, tinyurl.com or any other self-hosted solution.
The ESA does a lookup only with the shortening service website, which is mostly neutral, and therefore delivers the message.
I found the bug for this issue here: https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva56442/?reffering_site=dumpcr
Is there any way to filter those shortening services?
Thank you
08-24-2016 03:12 AM
Have you tried setting up a filter just to log* the key details of mails featuring suspect URL domains?
It's arguable that URL shortening is for use in dead-tree (print) and SMS, and has no place in e-mail. If you see very little legitimate traffic being detected then you may be in a position to de-fang anything that matches. Of course, the numbers may show otherwise.
* logging the URL itself may not be good advice - I have a recollection of a bug that triggered when something complex hit the logging action. I personally keep samples to defend my rules, so am typically quarantining instead.
08-24-2016 10:26 AM
Hello,
The defect you listed doesn't mention a workaround; however, I would probably suspect that you could try setting up a Content Filter to either search for a condition of the shortened URL in the message body, or, if you're seeing those URLs attached to a certain category, then add a condition of that category. Then from there you can take action based on your needs.
Thanks!
-Dennis M.
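The measurement step suggested in the replies above (record key details of mails that link to a shortener before deciding on an action) can be rehearsed offline against saved samples. This is an added example, not code from the thread or from Cisco; the domain watch list, function names and sample messages are constructed assumptions, and it records the shortener host rather than the full URL.

```python
import re
from collections import Counter
from email import message_from_string, policy
from urllib.parse import urlsplit

# Assumed watch list; extend it with the services seen in your own mail flow.
# Self-hosted shorteners will not match until their domains are added.
SHORTENER_DOMAINS = {"bit.ly", "tinyurl.com"}
URL_RE = re.compile(r"https?://[^\s<>\"')]+", re.IGNORECASE)

# Constructed sample messages (not real traffic).
SAMPLES = [
    "From: billing@example.net\nSubject: Invoice overdue\n\n"
    "Pay here: http://bit.ly/2abcXYZ now\n",
    "From: news@example.org\nSubject: Newsletter\n\n"
    "Read https://www.example.org/issue/42\n",
    "From: hr@example.com\nSubject: Survey\nContent-Type: text/html\n\n"
    "<a href=\"https://TinyURL.com/q9\">survey</a>\n",
]

def shortener_hosts(raw_message):
    """Return the sorted shortener hosts linked from any text part."""
    msg = message_from_string(raw_message, policy=policy.default)
    hosts = set()
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue  # skip multipart containers and binary attachments
        for url in URL_RE.findall(part.get_content()):
            try:
                host = (urlsplit(url).hostname or "").lower()
            except ValueError:  # malformed authority, e.g. a broken IPv6 literal
                continue
            host = host[4:] if host.startswith("www.") else host
            if host in SHORTENER_DOMAINS:
                hosts.add(host)
    return sorted(hosts)

def audit(raw_messages):
    """Collect (sender, subject, hosts) per hit and count hits per host."""
    records, counts = [], Counter()
    for raw in raw_messages:
        hosts = shortener_hosts(raw)
        if hosts:
            msg = message_from_string(raw, policy=policy.default)
            records.append((str(msg["From"]), str(msg["Subject"]), hosts))
            counts.update(hosts)
    return records, counts
```

Running `audit()` over a few days of quarantined or archived samples gives the hit count per shortener needed to judge how much legitimate traffic a blocking rule would catch.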