Data control filter for URL containing IP address?

Does anyone have a working regex or other data control filtering method to catch messages with IP addresses in a message body URL?

We have been getting hammered by both phishing scams and image spams using http://#.#.#.#/ URLs, and nothing that I have tried so far seems to want to work for catching this simple message fingerprint...



This thread was automatically locked due to age.
  • To do this properly you would need to create your own DLP and create specific regexes for URLs. I should warn you right up front that you will not be able to pick and choose what hits and what does not.

    I don't really recommend it, nor would it be supported. It's something you would need to come up with. Here is a sample KB to create a custom DLP for health numbers: https://community.sophos.com/kb/en-us/112192

    Before you do any of this, you should ensure that you have sent in appropriate samples (from the user inbox, create a new message, drag and drop the offending mail as a .eml attachment); send it to is-spam@labs.sophos.com.

    Also ensure all of your spam settings are correct as per my KB here: https://community.sophos.com/kb/en-us/120802

    Lastly, ensure that your appliance is not being filtered by IPS and is allowed to get out unobstructed; this will ensure DNS lookups do not fail. Also ensure your DNS is internally hosted and returning results in less than 200ms.

    If those requirements are met and you're still having issues, I would open a support ticket and refer the engineer to the samples you have submitted so they can have a look at the grade and escalate the samples if needed.
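
An added example, not part of the original thread and not Sophos appliance syntax: a Python check for the `http://#.#.#.#/` fingerprint from the question, run over constructed message bodies. The names `IP_URL_RE`, `find_ip_urls` and `INTERNAL_NETS` are hypothetical, and the appliance's regex flavour may differ; the `internal_wiki` sample shows the reply's warning in practice, since a legitimate internal link matches the same pattern.

```python
import ipaddress
import re

# http/https URL whose host is a dotted quad, optionally with a port.
# The lookahead rejects hostnames that merely start with digits,
# such as "http://1.2.3.4.example.com/".
IP_URL_RE = re.compile(
    r"\bhttps?://(?P<host>(?:\d{1,3}\.){3}\d{1,3})(?::\d{1,5})?(?!\.?[\w-])",
    re.IGNORECASE,
)

# Assumption: ranges a site would treat as its own (RFC 1918 plus loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def find_ip_urls(body):
    """Return (host, is_internal) for every IP-literal URL in a message body."""
    hits = []
    for m in IP_URL_RE.finditer(body):
        try:
            addr = ipaddress.IPv4Address(m.group("host"))
        except ValueError:
            continue  # e.g. 999.1.1.1: looks like a dotted quad but is not one
        internal = any(addr in net for net in INTERNAL_NETS)
        hits.append((str(addr), internal))
    return hits


# Constructed sample bodies (documentation and private address ranges only).
SAMPLES = {
    "phish": 'Verify your account: <a href="http://203.0.113.7/login.php">here</a>',
    "image_spam": '<img src="HTTP://198.51.100.23:8080/a.gif">',
    "internal_wiki": "Printer setup guide: http://192.168.10.5/setup",
    "hostname": "Docs at http://1.2.3.4.example.com/ and version 10.2.3.4 notes",
    "bad_octet": "http://999.1.1.1/",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:14} {find_ip_urls(body)}")
```

Splitting hits by `is_internal` gives a filter rule a way to quarantine external IP-literal links while only logging internal ones.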
