Cisco Email Security Appliance C190 White Paper

© 2016 Cisco and/or its affiliates. All rights reserved.
About This Document
This document is for Cisco® engineers and customers who deploy 
Cisco Email Security products running AsyncOS version 9.1 or 
greater with a standard inbound license bundle or with an Outbreak 
Filters license. 
Cisco Email Security provides a layered, in-depth approach to detecting 
URL-based threats. These solutions use URL-based reputation 
information in the Anti-Spam, Content Filters, and Outbreak Filters 
engines, rewrite URLs to redirect them to a Cisco-provided proxy for 
click-time scanning, and report on the URLs clicked. They also 
provide URL category controls inside Content Filters to address 
unwanted incoming URLs. This document covers the configuration of 
these features, including:
• Enabling URL features
• Enabling Web Interaction Tracking
• Configuring URL reputation blocks in Content Filters
• Configuring URL categories in Content Filters
• Configuring Outbreak Filters
• Using reporting functions
Introduction
URL features on Cisco® Email Security products provide malicious URL 
detection, remediation, and reporting for messages containing malicious 
and unwanted URLs. In addition, URLs rewritten by the solution are 
tracked, giving email administrators visibility into the users clicking 
these URLs and the disposition of the scanning performed by the 
Cisco-powered proxy.
Powered by Cisco Talos, the Cisco IPAS Anti-Spam engine, Content 
Filters engine, and Outbreak Filters engine make use of the same 
URL reputation and category information as the Cisco Web Security 
Appliance and Cloud Web Security solutions. This allows:
• The Anti-Spam engine to use URL reputation components in judging 
if a message is spam
• Outbreak Filters to use URL reputation components to determine the 
threat level and intention of a message, and
• Email administrators to use URL reputation and categorization 
information to quarantine messages; block, rewrite, or defang URLs; 
modify messages; and more
Technical Details
Cisco Email Security products use the URL reputation and categorization 
information provided by Cisco Talos. They pull this URL category and 
reputation data in real time from the cloud, cache it for best 
performance, and use the data in detecting spam, email-borne 
threats, and unwanted URLs. 
Cisco Anti-Spam uses URL reputation components in scoring messages 
and determining disposition. If a message is on the edge of scoring as 
spam and contains a URL with poor reputation, it will be pushed over the 
edge and considered spam. Outbreak Filters target blended threats, 
such as email messages that contain a vector outside of email, a URL 
for a user to open, or a phone number for them to call and confirm 
banking information. Outbreak Filters scan messages, looking for 
approximately 20 categories of threats and scams, and use the 
URL reputation components in scoring messages and their intent. 
For instance, is this message trying to get a user to confirm banking 
information? Send money? Verify credentials? 
In AsyncOS 8.5, two new Content Filter conditions were added to 
support URL controls: URL Category and URL Reputation. These new 
conditions let the email administrator identify messages with specific 
reputation score ranges and categories, such as pornography and 
hate speech, and take specific actions: quarantine or block messages; 
defang, rewrite, or replace URLs; add warning messages to the body or 
prepend warnings to subject lines; send copies to another recipient; 
and more.
Rewriting URLs is visible to end users. They will see the URL being 
scanned in their browser and then either see a block page or, if no 
malware or malicious intent is found, be asked a question about going 
to the website. Wherever possible, Content Filters, Outbreak Filters, and other 
options with user-visible impacts on mail flows should be rolled out in a 
controlled fashion. Cisco recommends communicating the changes to 
the user community and starting with an internal IT group before rolling 
out to all users.
Cisco Email Security How-To Guide
How-To Protect Against URL-Based Attacks 
Cisco Public