Cisco Email Security Appliance X1070 User Guide
10-5
Cisco IronPort AsyncOS 7.6 for Email Configuration Guide
OL-25136-01
Chapter 10 Outbreak Filters
Small-scale, non-viral threats contain URLs to malicious websites that may be online for a short period
of time in order to evade detection by web security services or through URL shortening services in order
to circumvent web security by putting a trustworthy website in the middle. By quarantining messages
containing URLs that meet your threat level threshold, not only does CASE have the opportunity to
reevaluate the message’s content based on updated Outbreak Rules from SIO, but the messages can
remain in the quarantine long enough that the linked website may go offline or be blocked by a web
security solution.
See … for more information on how Outbreak Filters quarantine suspicious messages.
Redirecting URLs
When CASE scans a message at the Outbreak Filters stage, it searches for URLs in the message body in
addition to other suspicious content. CASE uses published Outbreak Rules to evaluate whether the
message is a threat and then scores the message with the appropriate threat level. Depending on the threat
level, Outbreak Filters protects the recipient by rewriting all the URLs to redirect the recipient to the
Cisco web security proxy, except for URLs pointing to bypassed domains, and delaying the delivery of
the message in order for TOC to learn more about the website if it appears to be part of a larger outbreak.
See … trusted domains.
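The rewriting decision described above, as an added illustration that is not the appliance's own code: the message's threat level is compared against a threshold, every URL in the body is rewritten to point at a proxy, and URLs whose host is a bypassed domain (or a subdomain of one) are left untouched. The proxy prefix, the threshold value and the sample message body are constructed placeholders; the real Cisco proxy address is not given on this page.

```python
import re
from urllib.parse import urlparse, quote

# Placeholder only: the actual Cisco web security proxy address is not assumed here.
PROXY_PREFIX = "https://proxy.example.invalid/redirect?u="

# Matches http:// and https:// URLs up to whitespace or an HTML/quote delimiter.
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def host_is_bypassed(host, bypassed_domains):
    """True if host equals a bypassed domain or is a subdomain of one.

    A bare suffix match would also accept 'notexample.com' for 'example.com';
    requiring the dot boundary keeps look-alike hosts from escaping rewriting.
    """
    host = host.lower().rstrip(".")
    for domain in bypassed_domains:
        domain = domain.lower().rstrip(".")
        if host == domain or host.endswith("." + domain):
            return True
    return False


def rewrite_url(url, bypassed_domains):
    """Return the URL unchanged if bypassed, else a proxy URL wrapping it."""
    host = urlparse(url).hostname or ""
    if host_is_bypassed(host, bypassed_domains):
        return url
    return PROXY_PREFIX + quote(url, safe="")


def rewrite_message_urls(body, threat_level, threshold, bypassed_domains):
    """Return (rewritten_body, count_of_rewritten_urls).

    Messages below the threshold are delivered with their URLs intact.
    """
    if threat_level < threshold:
        return body, 0
    count = 0

    def replace(match):
        nonlocal count
        rewritten = rewrite_url(match.group(0), bypassed_domains)
        if rewritten != match.group(0):
            count += 1
        return rewritten

    return URL_RE.sub(replace, body), count
```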
After the Email Security appliance releases and delivers the message, any attempt by the recipient to
access the website is redirected through the Cisco web security proxy. This is an external proxy hosted
by Cisco that displays a splash screen that warns the user that the website may be dangerous, if the
website is still operational. If the website has been taken offline, the splash screen displays an error
message.
If the recipient decides to click the message’s URLs, the Cisco web security proxy displays a splash
screen in the user’s web browser to warn the user about the content of the message.
Figure 10-1 shows an example of the splash screen warning. The recipient can either click Ignore this warning to continue
on to the website or Exit to leave and safely close the browser window.
Figure 10-1
Cisco Security Splash Screen Warning
The only way to access the Cisco web security proxy is through a rewritten URL in a message. You
cannot access the proxy by typing a URL in your web browser.