I am running the Sophos Virtual Email Appliance and it does a fair job of stopping what we do not want to get in, without getting a lot of false positives... Up until three days ago.
For the past three days I have been dealing with attacks targeting "higher up" users, each one starts in the early morning and usually after the first dozen or so, the email appliance realizes, "Oh this is spam" and starts quarantining the emails. All of the emails contain links to malicious websites located outside of the United States, specifically Vietnam and France. Time of Click Protection is enabled, but the URLs are not being treated as medium or high risk.
Happily (luckily?) none of the targeted users have clicked on malicious links, but it did get me to thinking. If you can whitelist URLs, forcing them to not be rewritten by Time Of Click protection, why not have the function to blacklist URLs, forcing them to be flagged as medium or high risk. Being able to add a list using wildcards with country code TLDs, ie; *.fr would stop what I have been dealing with this week without causing an influx of false positives by warning or blocking on unverified URLs.
This thread was automatically locked due to age.
