cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
9788
Views
5
Helpful
19
Replies

URL filtering on ESA

Jason Meyer
Level 1
Level 1

So I've started to test the URL filtering capabilities on our C670s.  So far I have found that there are quite a few false positives or incorrectly categorized web sites.   Is there any mechanism in place to request a reclassification of a website?

 

Jason

19 Replies 19

Robert Sherwin
Cisco Employee
Cisco Employee

Thanks, next question:

What category would Cisco like me to use to suggest that a site is a phishing website asking for user's credentials?  There is no 'Phishing' category.  This is the website:  http://outlookwebsteam.zyro.com/

From the URL Filtering option on the ESA, we can see the Uncategorized URLs... unfortunately - that doesn't seem to carry over to the reporting side...

Google lookup for zyro.com shows them to be a Web Hosting company --- I'd report it as such based on the parent URL.

-Robert

But this would not help my cause of getting it reported as a phishing or malicious website.  It is clearly a 'phishing' website. 

Thoughts?

Here's another 'phishing' website:

http://alufelniakcio.com/media/jce/acc/

 

Cisco indicates it is a shopping page, it is not.

 

Here's another:

http://www.webmaintannportal.freehosto.com/

Cisco indicates it is not in our list.  I'd like to classify it as a phishing website so that it is blocked.  But there is no category for that, not even a category for malicious website.

 

Here's another:

http://hrererndnsernfrgnendndehrfdee.esy.es/

Cisco indicates it is a business and industry, it is not.  Again, a phishing/malicious website.

Thoughts?

I'll have to check and see.  Since this tool is not owned or managed from TAC, we'll need to work and see what options we have for the URL as missed vs. nature/intent as 'judged'.

-Robert

Just wondering if there is any movement on this.   Here's an example of a different vendors solution that works well:

http://www.fortiguard.com/ip_rep/index.php

 

Maybe use hacking?

Cisco, is this what you want us to do?  If the URL category is HACKING will it cause future e-mails with a URL of that classification to be blocked by URL filtering?

Have there been any advancements in URL filtering on the ESAs?

I'm still seeing a LOT of false positives on e-mails containing lots of URLs being incorrectly tagged and a LOT of missed phishing URLs.

 

My content filter is setup as url-reputation(-10.00, -9.50 , "") 

with the intention of only flagging the worst URLs.   

Currently I don't have a way to tell which URL in an e-mail caused the e-mail to be tagged so we know which URL to report to Cisco to be re-evaluated.

 

And still no 'Phishing' category.

Here's an e-mail that walked right through the IronPort ESA spam filtering and url filtering:

 

From: Holland, Randolph @ Regions
Sent: Friday, June 05, 2015 2:54 AM
To: Holland, Randolph @ Regions
Subject: E-Mailbox Upgrade

Take note of this important update that our new web mail has been improved with a new messaging system from Owa/outlook which also include faster usage on email, shared calendar,web-documents and the new 2015 anti-spam version. Please use the link below to complete your update for our new Owa/outlook improved web mail.

 

Click Link Here (http://www.studioareaimmobiliare.it/photos/6225/original/verify.html)

 

Connected to Microsoft Exchange

© 2014 Microsoft Corporation. All rights reserved

 

Hello Jason,

 

The categories for URL filtering would match Phishing URLs under malicious matching:

From the Link above;

Web reputation threat type:phishing

 

Typically the URL filtering builds and works off the WSA's reputation (WBRS) where -10 to -6 is generally on the malicious side.

 

As per Robert you can indeed track which URL in the email was tagged into your filter and mail_logs/tracking

Machine (ESA) (SERVICE)> outbreakconfig
 
Outbreak Filters: Enabled
 
Choose the operation you want to perform:
- SETUP - Change Outbreak Filters settings.
- CLUSTERSET - Set how the Outbreak Filters are configured in a cluster.
- CLUSTERSHOW - Display how the Outbreak Filters are configured in a cluster.
[]> setup
 
Outbreak Filters: Enabled
Would you like to use Outbreak Filters? [Y]>
 
Outbreak Filters enabled.
 
Outbreak Filter alerts are sent when outbreak rules cross the threshold (go
above or back down below), meaning that new messages of certain types could be
quarantined or will no longer be quarantined, respectively.
 
Would you like to receive Outbreak Filter alerts? [N]>
 
What is the largest size message Outbreak Filters should scan?
[262144]>
 
Do you want to use adaptive rules to compute the threat level of messages? [Y]>
 
Logging of URLs is currently disabled.
 
Do you wish to enable logging of URL's? [N]> Y
---
 
Then press enter through all the prompts and commit changes
 
This way now every time an email gets actioned by this content filter, we can run a simple grep command to pull out the URL that was blocked and the score.
So you can audit if these are actually malicious URLs and working as expected, and if there is false positive matches you can provide me the list of URLs and I can have our WBRS team correct it.
 
Log entries will look like this:
---
Fri Mar 13 16:20:08 2015 Info: MID 556 URL http://XXXXXXXXXXsale.com has reputation -8.95 matched url-reputation-rule

 

 

 

Hi Robert,

 

can we track which url blocked by the ESA?

 

Regards,

Sajid

Yes - you can log in the mail_logs the URL and reputation, as long as you have VOF enabled, and set to log URL with outbreakconfig and then:

  Do you wish to enable logging of URL's? [N]> y

See the attached KB that I am working on...

-Robert