Cisco Cisco Email Security Appliance C160 Mode D'Emploi
14-16
Cisco AsyncOS 8.0.1 for Email User Guide
Chapter 14 Outbreak Filters
Managing Outbreak Filters (GUI)
Message Subject
You can alter the text of the Subject header on non-viral threat messages containing modified links by
prepending or appending certain text strings to notify users that the message has been modified for their
protection.
prepending or appending certain text strings to notify users that the message has been modified for their
protection.
Note
White space is not ignored in the Message Subject field. Add spaces after (if prepending) or before (if
appending) the text you enter in this field to separate your added text from the original subject of the
message. For example, add the text
appending) the text you enter in this field to separate your added text from the original subject of the
message. For example, add the text
[MODIFIED FOR PROTECTION]
with a few trailing spaces if you are
prepending.
Note
The Message Subject field only accepts US-ASCII characters.
URL Rewriting and Bypassing Domains
If the message’s threat level exceeds the message modification threshold, the Outbreak Filters feature
rewrites all URLs in the message to redirect the user to the Cisco web security proxy’s splash page if
they click on any of them. (See
rewrites all URLs in the message to redirect the user to the Cisco web security proxy’s splash page if
they click on any of them. (See
for more information.) If the message’s
threat level exceeds the quarantine threshold, the appliance also quarantines the message. If a small
scale, non-viral outbreak is in progress, quarantining the message gives TOC time to analyze any suspect
websites linked from possible outbreak messages and determine whether the websites are malicious.
CASE uses updated Outbreak Rules from SIO to rescan the message to determine if it is part of the
outbreak. After the retention period expires, the appliance releases the message from the quarantine.
scale, non-viral outbreak is in progress, quarantining the message gives TOC time to analyze any suspect
websites linked from possible outbreak messages and determine whether the websites are malicious.
CASE uses updated Outbreak Rules from SIO to rescan the message to determine if it is part of the
outbreak. After the retention period expires, the appliance releases the message from the quarantine.
AsyncOS rewrites all of the URLs inside a message except for the ones pointing to bypassed domains.
The following options are available for URL rewriting:
•
Enable only for unsigned messages. This option allows AsyncOS to rewrite URLs in unsigned
messages that meet or exceed the message modification threshold, but not signed messages. Cisco
recommends using this setting for URL rewriting.
messages that meet or exceed the message modification threshold, but not signed messages. Cisco
recommends using this setting for URL rewriting.
Note
The Email Security appliance may rewrite URLs in a DomainKeys/DKIM-signed message and
invalidate the message’s signature if a server or appliance on your network other than the Email
Security appliance is responsible for verifying the DomainKeys/DKIM signature.
invalidate the message’s signature if a server or appliance on your network other than the Email
Security appliance is responsible for verifying the DomainKeys/DKIM signature.
•
Enable for all messages. This option allows AsyncOS to rewrite URLs in all messages that meet or
exceed the message modification threshold, including signed ones. If AsyncOS modifies a signed
message, the signature becomes invalid.
exceed the message modification threshold, including signed ones. If AsyncOS modifies a signed
message, the signature becomes invalid.
•
Disable. This option disables URL rewriting for Outbreak Filters.
You can modify a policy to exclude URLs to certain domains from modification. To bypass domains,
enter the IPv4 address, IPv6 address, CIDR range, hostname, partial hostname or domain in the Bypass
Domain Scanning field. Separate multiple entries using commas.
enter the IPv4 address, IPv6 address, CIDR range, hostname, partial hostname or domain in the Bypass
Domain Scanning field. Separate multiple entries using commas.
Threat Disclaimer
The Email Security appliance can append a disclaimer message above the heading of a suspicious
message to warn the user of its content. This disclaimer can be in HTML or plain text, depending on the
type of message.
message to warn the user of its content. This disclaimer can be in HTML or plain text, depending on the
type of message.