Recommendation on filtering Web Bugs (aka 'Spymail')

Brian Kesler
Level 1

I am looking for any recommendations on how you have filtered web bugs for inbound messages.  

I have an attorney that I work for that came across this article and wonders if we can somehow filter or detect when messages contain these web bugs.  An action has not been decided but I was wondering how we would create a filter to detect them.  Any advice or suggestions are welcomed.

Thanks!

Brian

Accepted Solutions

Libin Varghese
Cisco Employee

Hi Brian,

The Cisco ESA can protect against those bugs to some degree, depending on the content of the emails flowing in. The ESA is able to look at the reputation of URLs in the emails and take the necessary action, for example using content filters.

If web bugs show up in spam or malicious emails, IPAS will protect against them by marking the message spam/viral as appropriate. If the web bugs go to malicious pages, URL filtering should be suited to block the requests.

URL filtering steps are available here

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118775-technote-esa-00.html

Web bugs are not necessarily image attachments. They are typically formatted as a URL IMG tag embedded in an HTML-formatted email. The image is typically a single pixel and mostly identified by its width and height.

For example,
<img src="some_url_path" alt="" width="1" height="1">

You could probably write a content filter to body scan the email for this content.

only-body-contains("width=\"1\" height=\"1\"", 1)

However, this would need to be tested and confirmed if you have an example email available.

Thanks
Libin Varghese
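
A more tolerant version of the body scan suggested above, as an added example that is not part of the original post and not Cisco's own code: it parses the decoded HTML part of a message and flags remote images declared as 0 or 1 pixel, whatever the attribute order, quoting or inline style. The names `find_tracking_pixels` and `PixelFinder`, the sample message and its addresses are constructed for illustration.

```python
import re
from email import message_from_string, policy
from html.parser import HTMLParser

# A size of 0 or 1, optionally with "px", as an attribute value or CSS length.
TINY = re.compile(r"^\s*[01](?:px)?\s*$", re.I)
CSS_DIM = re.compile(r"(?:^|;)\s*(width|height)\s*:\s*([^;]+)", re.I)

class PixelFinder(HTMLParser):
    """Collects remote <img> sources whose declared size is 0 or 1 pixel."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":  # the parser lower-cases tag and attribute names
            return
        a = {k: (v or "") for k, v in attrs}
        dims = {k: a[k] for k in ("width", "height") if k in a}
        for name, value in CSS_DIM.findall(a.get("style", "")):
            dims[name.lower()] = value  # inline style wins over attributes
        src = a.get("src", "")
        remote = src.lower().startswith(("http://", "https://", "//"))
        if remote and len(dims) == 2 and all(TINY.match(v) for v in dims.values()):
            self.hits.append(src)

def find_tracking_pixels(raw_message):
    """Return the src of every suspected web bug in the message's HTML parts."""
    msg = message_from_string(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            finder = PixelFinder()
            finder.feed(part.get_content())  # decodes quoted-printable/base64
            hits.extend(finder.hits)
    return hits

# Constructed sample message (not taken from the thread).
SAMPLE = """\
From: sender@example.com
Subject: constructed sample
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<p>Hello</p>
<img src=3D"https://example.com/logo.png" width=3D"120" height=3D"40">
<img height=3D'1' width=3D'1' src=3D"https://tracker.example/open?id=3Dabc">
<IMG SRC=3D"https://tracker.example/p.gif" style=3D"width:1px; height:1px">
"""
```

Calling `find_tracking_pixels(SAMPLE)` returns the two `tracker.example` URLs and leaves the normally sized logo alone; images referenced as inline attachments (`cid:`) are ignored because they trigger no remote request.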

Thanks for your quick response. The attorney that I work for was more worried that opposing counsel was secretly tracking who is opening an email that was sent from the opposing counsel rather than worrying if the URL was malicious.

I will test out this suggestion and see what comes of it.

Thanks!

Ravi Singh
Level 7

Please check the below link for URL Filtering best practices.

ESA URL Filtering Enablement and Best Practices

Jeff_Law_Firm
Level 1

We were also concerned about Spymail. While the Cisco solution of looking for 1 pixel links can help, there are other ways the status of an e-mail can be tracked and communicated back to the sender. A new way is to play a silent audio file. This allows the sender to not only track who looked at the message, but to also see how long you had it open. After contacting several of our current vendors, we found out our solutions didn't have any protection from this type of reconnaissance. We found a company, MailControl, that protects against Spymail, without the recipient noticing any difference. The solution is practically a set it and forget it type of solution. It is crazy the amount of Spymail we had been receiving and didn't know it. For more information, check out https://www.mailcontrol.net/. We are very happy with their solution and it is very cost effective.
