Cisco Cisco Email Security Appliance C690 User Guide

Chapter 10      Outbreak Filters
10-4
Cisco IronPort AsyncOS 7.5 for Email Configuration Guide
OL-25136-01
Phishing, Malware Distribution, and Other Non-Viral Threats
Messages containing non-viral threats are designed to look like a message from a 
legitimate source and are often sent out to a small number of recipients. These 
messages may have one or more of the following characteristics in order to appear 
trustworthy:
• The recipient’s contact information.
• HTML content designed to mimic emails from legitimate sources, such as 
  social networks and online retailers.
• URLs pointing to websites that have new IP addresses and are online only for 
  a short time, which means that email and web security services do not have 
  enough information on the website to determine if it is malicious. 
• URLs pointing to URL shortening services.
All of these characteristics make these messages more difficult to detect as spam. 
The Outbreak Filters feature provides a multi-layer defense from these non-viral 
threats to prevent your users from downloading malware or providing personal 
information to suspicious new websites. 
If CASE discovers URLs in the message, it compares the message to existing 
Outbreak Rules to determine if the message is part of a small-scale non-viral 
outbreak and then assigns a threat level. Depending on the threat level, the Email 
Security appliance delays delivery to the recipient until more threat data can be 
gathered and rewrites the URLs in the message to redirect the recipient to the 
Cisco web security proxy if they attempt to access the website. The proxy displays 
a splash page warning the user that the website may contain malware.
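The following is an added illustration of the decision flow described in the paragraph above, not code from the appliance or from Cisco: URLs in a message are matched against rules, the highest matching threat level drives the delay/rewrite decision, and every URL is rewritten to point at a web proxy. The rule format, threat levels, rescan times and the proxy endpoint are constructed placeholders, not AsyncOS internals.

```python
"""Model of Outbreak Filters URL handling (added example, not Cisco code).
Rules, threat levels and the proxy URL are constructed placeholders."""
import re
from urllib.parse import quote

# Constructed stand-in for Outbreak Rules: (matcher, threat level it assigns).
OUTBREAK_RULES = [
    (re.compile(r"^https?://(bit\.ly|tinyurl\.com)/", re.I), 3),   # URL shortener
    (re.compile(r"^https?://\d{1,3}(\.\d{1,3}){3}/", re.I), 4),   # bare IP host
]
# Hypothetical web security proxy endpoint that shows the warning splash page.
PROXY = "https://proxy.example.invalid/rewrite?url="
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)


def threat_level(message: str) -> int:
    """Return the highest threat level of any rule matching a URL in the message."""
    level = 0
    for url in URL_RE.findall(message):
        for pattern, rule_level in OUTBREAK_RULES:
            if pattern.search(url):
                level = max(level, rule_level)
    return level


def rewrite_urls(message: str) -> str:
    """Redirect every URL through the proxy so the recipient lands on the
    warning page rather than the original site if they click it."""
    return URL_RE.sub(lambda m: PROXY + quote(m.group(0), safe=""), message)


def decide(message: str, threshold: int = 3) -> dict:
    """Quarantine (delay) and rewrite when the threat level reaches the
    threshold; otherwise deliver unchanged. Rescan time is a constructed
    per-level value standing in for the appliance's own schedule."""
    level = threat_level(message)
    if level >= threshold:
        return {"level": level, "action": "quarantine",
                "rescan_hours": level * 4, "body": rewrite_urls(message)}
    return {"level": level, "action": "deliver", "body": message}


if __name__ == "__main__":
    # Constructed sample message, not captured traffic.
    sample = "Your order is ready: http://bit.ly/abc123"
    print(decide(sample))
```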
Outbreak Filters - Multi-Layered Targeted Protection
The Outbreak Filters feature uses three tactics to protect your users from 
outbreaks:
• Delay. The Outbreak Filters feature delays messages that may be part of a 
virus outbreak or non-viral attack by quarantining the message. While 
quarantined, CASE receives updated Outbreak Rules and rescans the message 
to confirm whether any of them is part of an attack. CASE determines the 
rescan period based on the message’s threat level. See 
 for more information.