Email Plug-in (Reporting): 1.0.1-048
Email Plug-in (Encryption): 1.0.0-036
So I've started to test the URL filtering capabilities on our C670s. So far I have found that there are quite a few false positives or incorrectly categorized web sites. Is there any mechanism in place to request a reclassification of a website?
Thanks, next question:
What category would Cisco like me to use to suggest that a site is a phishing website asking for users' credentials? There is no 'Phishing' category. This is the website: http://outlookwebsteam.zyro.com/
From the URL Filtering option on the ESA, we can see the Uncategorized URLs... unfortunately - that doesn't seem to carry over to the reporting side...
Google lookup for zyro.com shows them to be a Web Hosting company --- I'd report it as such based on the parent URL.
But this would not help my cause of getting it reported as a phishing or malicious website. It is clearly a 'phishing' website.
Here's another 'phishing' website:
Cisco indicates it is a shopping page, it is not.
Cisco indicates it is not in our list. I'd like to classify it as a phishing website so that it is blocked. But there is no category for that, not even a category for malicious website.
Cisco indicates it is a business and industry, it is not. Again, a phishing/malicious website.
I'll have to check and see. Since this tool is not owned or managed from TAC, we'll need to work and see what options we have for the URL as missed vs. nature/intent as 'judged'.
Just wondering if there is any movement on this. Here's an example of a different vendor's solution that works well:
Cisco, is this what you want us to do? If the URL category is HACKING will it cause future e-mails with a URL of that classification to be blocked by URL filtering?
Have there been any advancements in URL filtering on the ESAs?
I'm still seeing a LOT of false positives on e-mails containing lots of URLs being incorrectly tagged and a LOT of missed phishing URLs.
My content filter is set up as url-reputation(-10.00, -9.50, "") with the intention of only flagging the worst URLs.
Currently I don't have a way to tell which URL in an e-mail caused the e-mail to be tagged so we know which URL to report to Cisco to be re-evaluated.
And still no 'Phishing' category.
Here's an e-mail that walked right through the IronPort ESA spam filtering and url filtering:
From: Holland, Randolph @ Regions
Sent: Friday, June 05, 2015 2:54 AM
To: Holland, Randolph @ Regions
Subject: E-Mailbox Upgrade
Take note of this important update that our new web mail has been improved with a new messaging system from Owa/outlook which also include faster usage on email, shared calendar,web-documents and the new 2015 anti-spam version. Please use the link below to complete your update for our new Owa/outlook improved web mail.
Click Link Here (http://www.studioareaimmobiliare.it/photos/6225/original/verify.html)
Connected to Microsoft Exchange
© 2014 Microsoft Corporation. All rights reserved
The categories for URL filtering would match Phishing URLs under malicious matching:
From the Link above;
Web reputation threat type: phishing
Typically the URL filtering builds and works off the WSA's reputation (WBRS) where -10 to -6 is generally on the malicious side.
As per Robert, you can indeed track which URL in the email was tagged by your filter in mail_logs/tracking.
Machine (ESA) (SERVICE)> outbreakconfig
Outbreak Filters: Enabled
Choose the operation you want to perform:
- SETUP - Change Outbreak Filters settings.
- CLUSTERSET - Set how the Outbreak Filters are configured in a cluster.
- CLUSTERSHOW - Display how the Outbreak Filters are configured in a cluster.
Outbreak Filters: Enabled
Would you like to use Outbreak Filters? [Y]>
Outbreak Filters enabled.
Outbreak Filter alerts are sent when outbreak rules cross the threshold (go
above or back down below), meaning that new messages of certain types could be
quarantined or will no longer be quarantined, respectively.
Would you like to receive Outbreak Filter alerts? [N]>
What is the largest size message Outbreak Filters should scan?
Do you want to use adaptive rules to compute the threat level of messages? [Y]>
Logging of URLs is currently disabled.
Do you wish to enable logging of URL's? [N]> Y
Then press Enter through all the prompts and commit changes.
This way now every time an email gets actioned by this content filter, we can run a simple grep command to pull out the URL that was blocked and the score.
So you can audit whether these are actually malicious URLs and working as expected, and if there are false positive matches you can provide me the list of URLs and I can have our WBRS team correct it.
Log entries will look like this:
Fri Mar 13 16:20:08 2015 Info: MID 556 URL http://XXXXXXXXXXsale.com has reputation -8.95 matched url-reputation-rule
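One way to do the audit described above, as an added example that is not part of the original thread or of any Cisco tool: a small Python parser that pulls the URL, MID and WBRS score out of mail_log lines of the shape shown, applies the same -10.00 to -9.50 range the content filter in this thread uses, and collects deduplicated hostnames for review. The line format is assumed from the single example line above (not from Cisco documentation), the sample log lines and hostnames are constructed, and the range is assumed to be inclusive at both ends.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample mail_log excerpt. Only the "URL ... has reputation ...
# matched url-reputation-rule" lines carry the data we want; the other event
# line is there to show that unrelated entries are skipped. The hostnames are
# placeholders, not real indicators.
SAMPLE_MAIL_LOG = """\
Fri Mar 13 16:20:08 2015 Info: MID 556 URL http://XXXXXXXXXXsale.com has reputation -8.95 matched url-reputation-rule
Fri Mar 13 16:21:10 2015 Info: MID 557 URL http://login-update.example.test/verify.html has reputation -9.70 matched url-reputation-rule
Fri Mar 13 16:21:11 2015 Info: MID 557 URL http://cdn.example.test/logo.png has reputation 4.20 matched url-reputation-rule
Fri Mar 13 16:22:30 2015 Info: MID 558 Message finished MID 558 done
Fri Mar 13 16:23:05 2015 Info: MID 559 URL http://hosting.example.test/photos/verify.html has reputation -10.00 matched url-reputation-rule
"""

# Assumed line layout, generalised from the one example line in the thread:
# "<timestamp> Info: MID <n> URL <url> has reputation <score> matched <rule>"
URL_LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) Info: "
    r"MID (?P<mid>\d+) URL (?P<url>\S+) has reputation "
    r"(?P<score>-?\d+(?:\.\d+)?) matched (?P<rule>\S+)$"
)


@dataclass
class UrlHit:
    timestamp: str
    mid: int
    url: str
    score: float   # WBRS score, -10 (worst) to +10 (best)
    rule: str


def parse_url_hits(log_text: str) -> List[UrlHit]:
    """Extract every URL-reputation log event; other mail_log lines are ignored."""
    hits: List[UrlHit] = []
    for line in log_text.splitlines():
        m = URL_LOG_RE.match(line.strip())
        if not m:
            continue
        hits.append(UrlHit(m["ts"], int(m["mid"]), m["url"],
                           float(m["score"]), m["rule"]))
    return hits


def in_filter_range(score: float, low: float = -10.00, high: float = -9.50) -> bool:
    """Mirror the thread's url-reputation(-10.00, -9.50, "") condition (assumed inclusive)."""
    return low <= score <= high


def hits_in_range(hits: List[UrlHit], low: float = -10.00, high: float = -9.50) -> List[UrlHit]:
    """The URLs that would have caused the content filter to fire: these are the
    ones worth checking when a tagged message looks like a false positive."""
    return [h for h in hits if in_filter_range(h.score, low, high)]


def hostnames_for_review(hits: List[UrlHit]) -> List[Tuple[str, float]]:
    """Deduplicate by hostname, keeping the worst score seen, worst first.
    This is the list you would hand to the WBRS team for re-evaluation."""
    worst: Dict[str, float] = {}
    for h in hits:
        host = urlparse(h.url).hostname or h.url
        worst[host] = min(worst.get(host, 10.0), h.score)
    return sorted(worst.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    all_hits = parse_url_hits(SAMPLE_MAIL_LOG)
    for h in hits_in_range(all_hits):
        print(f"MID {h.mid} would be tagged: {h.url} ({h.score})")
    for host, score in hostnames_for_review(all_hits):
        print(f"{score:7.2f}  {host}")
```

Feed it the output of the grep the post describes (or a whole mail_log) and it reports, per MID, which URL and score triggered the filter, which answers the earlier question of not knowing which URL in a multi-URL message caused the tag.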
Yes - you can log in the mail_logs the URL and reputation, as long as you have VOF enabled, and set to log URL with outbreakconfig and then:
Do you wish to enable logging of URL's? [N]> y
See the attached KB that I am working on...
Really a good document, for getting started with URL filtering.
What would make the URL filtering feature even better, is the ability to setup a custom blacklist, or category that can be used in filters to enter URLs we know are phishing or malicious.
I have seen a number of phishing and spam URLs that are set up in such a way that the root domain looks harmless. It's the trick for keeping your malicious domain from being marked as a malicious domain by content filters. A good example is http://security-upgrade.com/ which in many systems is just looked at as a security update domain, but if you get the link, it is a malicious Adobe Flash domain. Really everything about the domain is bogus and it was only registered in the past week. This is what they do to get around URL content filters.
Sometimes a legit domain is compromised, and we just need to block it temporarily until it is fixed.
Thanks Paul. I'll take the suggestion as an Enhancement Request. As this feature is still new as of the 8.5.x release, it's a growing (and very popular) feature. So --- I am hoping that we'll continue to see improvements with the web security aspects of the OS. This and AMP are introducing a new learning curve for everyone.
Cisco IronPort does not have any phishing category.
Using the above link, how can we report a phishing URL?
Many emails contain phishing URLs.
Check the boxes and then assign a category:
That's a very helpful paper, Robert.
Apologies for the thread necromancy, but this appears to be the best thread on URL filtering in the forum and I need to ask a very simple question.
I seem to have been confused by some of the initial statements on URL filtering when it was originally released. Does an ESA customer also have to be a WSA customer in order to make any practical use of the filter?
Do we have any guidelines on the likely bandwidth or CPU hits for turning the filtering on? We already have basic Outbreak filtering running.
Is it now possible to comment on the concerns over relatively fresh malign URLs that have yet to be categorised? Everything we've had to follow up this year has been zero-day, which would make the technique of relatively limited value.
No - you don't have to be a WSA customer, or have WSA running. All of this is on-board ESA. While the callout from the service goes through to the same cloud that WSA is using, it is independent.
Bandwidth/CPU - it honestly will boil down to the appliance size you have running, and then the other options you also have running. Some users enabling URL Filtering and the associated mail logging of the URL and score have seen a small increase in CPU, others don't. If you have a heavily burdened appliance already, the rule of thumb would be: know that you are turning this on, monitor and check your message flow and stats graphs post-implementation.
Fresh/un-caught URLs that aren't in the system are always a threat - as the day-to-day methods and workarounds by most out there change daily, there is always the chance that a malicious URL goes unnoticed at first, then is re-scored later and caught. With URL filtering enabled and logging with the VOF setting, it's really the most helpful to have that running so you can in fact go through and look at the mail logs, getting the URL and scoring recorded for your administrative review.