Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1922
Views
0
Helpful
2
Replies

Viewing HTML formatted messages in the Centralized SPAM Quarantine

bnklein
Level 1
Level 1

‎10-06-2011 09:01 AM

Is there any way to view the text source of a HTML formatted message in the Centralized SPAM Quarantine?

Ironport renders a text view of Quarantined HTML formatted messages.  This view does not show underlying link references, only what is displayed to end users.  This makes it impossible to determine the malicious nature of a Quarantined message.  For example, this text view would not have shown that the displayed link to a .pdf document was actually pointing to a .scr in the "Here you have" email borne virus attack last year.  Nor would it allow a user or Ironport Operator to determine that pointers to otherwise legitimate looking sites were anything but legitimate.

Unless there is a way to display the text source of a HTML formatted message, only option is to release these Quarantined messages and ask the recipient to forward them to you for analysis, and hope that they don't do anything else with it.

Labels:
0 Helpful
2 Replies 2

Jussi Torhonen
Level 1
Level 1

‎10-07-2011 03:36 AM

I agree. Ironport exposess full set of SMTP headers for quarantined messages, but not that HTML formatted message. That makes it impossible to check suspectable messages for phishing styled links as you said. I opened a support ticket about this case and very accurately introduced the problem, but that person responsible of the ticket just did not understand my beef at all. The message from support was just, that 'yes you can preview formatted messages located in quarantine'. Hopefullty this time some more technical person will get the idea :-)

0 Helpful

Andreas Mueller
Level 4
Level 4
In response to Jussi Torhonen

‎10-07-2011 06:37 AM

Hello all,

at the moment the IronPort spam quarantine does not have a possibility to view the raw message body or source of HTML formatted messages, if have confirmed that for all current versions. As your arguments regarding links to malicious sites and files not being displayed are very reasonable, I have checked for a feature request on that, and as we have not had such a request yet, created a new one with your descriptions included. For your information, request number is 81469, for updates on the request please contact your Cisco IronPort Sales Representative refering to that number. I also added both of you as requestors.

Hope that helps, sorry that there was some misunderstanding in your first request regarding this Jussi.

Regards,

Andreas

0 Helpful
Customers Also Viewed These Support Documents