Cisco Email Security Appliance C170 User Guide

Cisco IronPort AsyncOS 7.6 for Email Configuration Guide
OL-25136-01
Chapter 10: Outbreak Filters
Message Modification
Enable Message Modification if you want the appliance to scan messages for non-viral threats, such as 
phishing attempts or links to malware websites. 
Based on the message’s threat level, AsyncOS can modify the message to rewrite all of the URLs to 
redirect the recipient through the Cisco web security proxy if they attempt to open the website from the 
message. The appliance can also add a disclaimer to the message to alert the user that the message’s 
content is suspicious or malicious. 
You need to enable message modification in order to quarantine non-viral threat messages.
Message Modification Threat Level
Select a Message Modification Threat Level threshold from the list. This setting determines whether to 
modify a message based on the threat level returned by CASE. A smaller number means that you will be 
modifying more messages, while a larger number results in fewer messages being modified. Cisco 
recommends the default value of 3.
Message Subject
You can alter the text of the Subject header on non-viral threat messages containing modified links by 
prepending or appending certain text strings to notify users that the message has been modified for their 
protection.
Note
White space is not ignored in the Message Subject field. Add spaces after (if prepending) or before (if 
appending) the text you enter in this field to separate your added text from the original subject of the 
message. For example, add the text [MODIFIED FOR PROTECTION] with a few trailing spaces if you are 
prepending.
Note
The Message Subject field only accepts US-ASCII characters.
URL Rewriting and Bypassing Domains
If the message’s threat level exceeds the message modification threshold, the Outbreak Filters feature 
rewrites all URLs in the message to redirect the user to the Cisco web security proxy’s splash page if 
they click on any of them. (See 
 for more information.) If the message’s 
threat level exceeds the quarantine threshold, the appliance also quarantines the message. If a 
small-scale, non-viral outbreak is in progress, quarantining the message gives TOC time to analyze any suspect 
websites linked from possible outbreak messages and determine whether the websites are malicious. 
CASE uses updated Outbreak Rules from SIO to rescan the message to determine if it is part of the 
outbreak. After the retention period expires, the appliance releases the message from the quarantine.
AsyncOS rewrites all of the URLs inside a message except for the ones pointing to bypassed domains.
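The modification decision described above, modelled as an added Python example (not Cisco's code and not part of the guide): it applies the threat level threshold, skips bypassed domains, honors the unsigned-only option listed below, and joins the subject text verbatim. The proxy URL prefix is a placeholder, the subdomain matching rule for bypassed domains is an assumption, and all function and parameter names are hypothetical.

```python
import re
from urllib.parse import quote, urlsplit

# Placeholder only: the real Cisco web security proxy URL format is not given
# on the page.
PROXY_PREFIX = "https://proxy.example.invalid/redirect?url="
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_bypassed(url, bypass_domains):
    """Assumed rule: exact host or any subdomain of a bypassed domain."""
    host = (urlsplit(url).hostname or "").lower()
    return any(host == d.lower() or host.endswith("." + d.lower())
               for d in bypass_domains)


def modify_message(subject, body, threat_level, *, threshold=3, signed=False,
                   unsigned_only=True, bypass_domains=(), subject_tag="",
                   prepend=True):
    """Return (subject, body, rewritten_count) after the modification decision."""
    # A lower threshold modifies more messages. "Meets or exceeds" follows the
    # wording of the "Enable only for unsigned messages" option.
    if threat_level < threshold or (signed and unsigned_only):
        return subject, body, 0

    count = 0

    def rewrite(match):
        nonlocal count
        url = match.group(0)
        if is_bypassed(url, bypass_domains):
            return url  # bypassed domains keep their original link
        count += 1
        return PROXY_PREFIX + quote(url, safe="")

    new_body = URL_RE.sub(rewrite, body)
    if count and subject_tag:
        # White space in the tag is not ignored, so it is joined verbatim.
        subject = subject_tag + subject if prepend else subject + subject_tag
    return subject, new_body, count


# Constructed sample message body.
BODY = ("Reset at http://login.bad.example/reset "
        "or read https://intranet.corp.example/faq")
if __name__ == "__main__":
    print(modify_message("Account notice", BODY, 4,
                         bypass_domains=["corp.example"],
                         subject_tag="[MODIFIED FOR PROTECTION] "))
```

Dropping the trailing space from `subject_tag` yields `[MODIFIED FOR PROTECTION]Account notice`, which is the behaviour the Message Subject note warns about.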
The following options are available for URL rewriting:
  • Enable only for unsigned messages. This option allows AsyncOS to rewrite URLs in unsigned 
messages that meet or exceed the message modification threshold, but not signed messages. Cisco 
recommends using this setting for URL rewriting.