
How to quarantine or block emails containing embedded URL?

Email Protection is enabled on Sophos UTM 9, however some emails are allowed through to the Exchange server that have embedded URLs linking to malicious websites.  This type of email also has a modified header to make the sender appear to be a local domain user.

Adding the Subject line to the Expression Filter helps some, but since the subject text is usually generic and random, some legitimate emails are being quarantined.  Is there a better way to quarantine or block these types of emails?

Thank you.



  • Hi Tracy,

    Same problem here. I can filter some mails with an expression filter that looks for "/rechnung" in the text.
    But we receive many mails with a cryptic URL, so the expression filter doesn't work in these cases.

    Filtering for "http" and "https" would produce too many false positives... our users would need to add many senders to the whitelist, which would be unreasonable.

    Many greetings,

    Sebastian

  • Hi Tracy, 

    Verify that the SPF check is defined, for blocking the spoofed emails. Refer to Sender Policy Framework (SPF): Astaro Security Gateway.

    Alongside this, blocking of malicious URLs could be a part of Web Protection, hence if the user clicks on a URL and gets redirected to a malicious website, the request will be automatically blocked instead of blocking the email, which could even cause false positives.

    Thanks

    Sachin Gurung
    Team Lead | Sophos Technical Support

  • Thanks for your response, Sachingurung.  We do have the option for SPF checking enabled in the AntiSpam settings in Email Protection / SMTP on the Sophos UTM.  The emails slipping past the spam filters are more of a case of the sender display name being spoofed, rather than the sender address.

    I will look into using the Web Protection options to block the malicious URLs in the message body.  Appreciate the suggestion.


    Thanks,

    Tracy
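The thread's key point is that SPF validates the envelope/From address, not the From display name, so a message from an external address that carries a local user's name in its display name sails through while a filter on "http" alone would quarantine too much. The script below is an added example (not Sophos UTM code or anything posted in the thread) of a mail-gateway check that combines both signals: it treats a known local display name paired with an external sender domain as spoofing, extracts URLs from the body, and only recommends quarantine when both conditions hold. The local domain, the list of local display names, and the sample messages are all constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Assumptions for the example: the organisation's own domain and the display
# names of its users (in practice these would come from the directory).
LOCAL_DOMAIN = "example.com"
LOCAL_DISPLAY_NAMES = {"tracy example", "sebastian example"}

# Matches http/https URLs in plain-text or HTML bodies; stops at whitespace,
# angle brackets and quotes so an href="..." value is captured cleanly.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_urls(msg) -> list:
    """Return every URL found in the preferred text/plain or text/html body part."""
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None:
        return []
    return URL_RE.findall(body.get_content())


def check_message(raw: bytes) -> dict:
    """Classify a raw RFC 5322 message.

    spoofed_display: the From display name is one of our users' names but the
                     sender address is not in our domain (SPF cannot catch this).
    urls:            URLs embedded in the body.
    verdict:         'quarantine' only when both signals are present, so mail
                     that merely contains a link is not held (avoids the false
                     positives the thread complains about).
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = addr.rpartition("@")[2].casefold()
    spoofed = (
        display.casefold() in LOCAL_DISPLAY_NAMES
        and sender_domain != LOCAL_DOMAIN
    )
    urls = extract_urls(msg)
    if spoofed and urls:
        verdict = "quarantine"
    elif spoofed:
        verdict = "flag"
    else:
        verdict = "deliver"
    return {
        "from_display": display,
        "from_address": addr,
        "spoofed_display": spoofed,
        "urls": urls,
        "verdict": verdict,
    }


# Constructed sample messages (not real traffic).
SPOOFED_WITH_URL = (
    b"From: \"Tracy Example\" <billing@mail-invoice.test>\n"
    b"To: sebastian@example.com\n"
    b"Subject: Rechnung 48213\n"
    b"Content-Type: text/plain; charset=utf-8\n"
    b"\n"
    b"Please review the attached invoice: http://invoice-portal.test/a8f3k\n"
)

LEGIT_INTERNAL_WITH_URL = (
    b"From: \"Tracy Example\" <tracy@example.com>\n"
    b"To: sebastian@example.com\n"
    b"Subject: Meeting notes\n"
    b"Content-Type: text/plain; charset=utf-8\n"
    b"\n"
    b"Notes are on the intranet: https://intranet.example.com/notes/42\n"
)

EXTERNAL_UNKNOWN_NAME = (
    b"From: \"Vendor Support\" <support@vendor.test>\n"
    b"To: tracy@example.com\n"
    b"Subject: Ticket update\n"
    b"Content-Type: text/plain; charset=utf-8\n"
    b"\n"
    b"Status: https://portal.vendor.test/ticket/1001\n"
)

if __name__ == "__main__":
    for sample in (SPOOFED_WITH_URL, LEGIT_INTERNAL_WITH_URL, EXTERNAL_UNKNOWN_NAME):
        print(check_message(sample))
```

Only the first sample is held: it pairs a local user's display name with an external address and contains a link. The internal message with a link and the external vendor message with a link are delivered, which is the distinction a plain expression filter on "http" cannot make.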