Phish Blocker


Untangle Server User's Guide

About Phish Blocker

Phish Blocker provides two layers of anti-phishing and one layer of anti-pharming protection:

Email Anti-phishing Protection

Phish Blocker inspects email for phishing (fraudulent) messages. A phishing email attempts to acquire sensitive information, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication.

Phish Blocker scans all SMTP, POP, and IMAP email that passes through the Untangle Server for phishing messages. The following illustration is an example of the type of email that Phish Blocker blocks.

Figure, Example Phishing Email

Web Anti-phishing Protection

Figure, Enabling Google's Blocklist

Phish Blocker uses Google's blocklist (also known as Safe Browsing) to provide anti-phishing protection as you browse the Internet. Google's blocklist is a list of known websites that trick visitors into disclosing sensitive information under false pretences. To keep protection current, Untangle Server refreshes Phish Blocker's copy of Google's blocklist every six hours. Even if you have disabled automatic updates on your Untangle Server, Phish Blocker still receives Google's blocklist updates.

If you click on the URL in the phish email shown in Figure, Example Phishing Email, that link directs you to a site that is not registered to PayPal. That website is listed on Google's blocklist, so when you visit the website, Phish Blocker warns you that it's a phish website—protecting you against such website spoofing in the event that a phish email manages to pass the first barrier of protection, email anti-phishing protection.

Note: If you want to learn how Google's blocklist is built and queried, the Safe Browsing specification is public.
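How a Safe Browsing client matches a URL against its downloaded list, as an added example written for this page in Python (it is not Untangle's code, and the page does not describe Phish Blocker's own implementation). It follows the lookup mechanics the public specification defines: canonicalize the URL, expand it into host-suffix/path-prefix expressions, SHA-256 each expression, and compare a short hash prefix against a locally stored prefix list. The canonicalization is simplified (percent-decoding and IP-address normalization are omitted), the blocklisted host `badsite.example` and the four-byte prefix length are assumptions, and the local prefix list is constructed for the example rather than downloaded.

```python
import hashlib
import ipaddress
from urllib.parse import urlsplit


def canonicalize(url):
    """Return (host, path_with_query) after the normalisation a Safe Browsing
    client applies before hashing. Simplified: lowercase host, strip leading
    and trailing dots, collapse repeated dots and slashes, drop the fragment,
    default path '/'. Assumption: percent-decoding and IP normalisation,
    which the specification also requires, are left out here."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").strip(".").lower()
    while ".." in host:
        host = host.replace("..", ".")
    path = parts.path or "/"
    while "//" in path:
        path = path.replace("//", "/")
    if parts.query:
        path += "?" + parts.query
    return host, path


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def host_suffixes(host):
    """The exact host plus up to four suffixes: start at the last five labels
    and drop the leading label each time, never going below two labels.
    This is what catches brand.attacker.example via 'attacker.example'.
    IP-address hosts get no suffixes."""
    if _is_ip(host):
        return [host]
    labels = host.split(".")
    out = [host]
    for i in range(max(len(labels) - 5, 0), len(labels) - 1):
        cand = ".".join(labels[i:])
        if cand not in out:
            out.append(cand)
    return out


def path_prefixes(path):
    """The exact path with its query, the path without the query, and up to
    four prefixes built from the root by appending one component at a time,
    each with a trailing slash."""
    out = [path]
    base = path.split("?", 1)[0]
    if base not in out:
        out.append(base)
    components = base.split("/")[1:-1]      # '/1/2.html' -> ['1']
    prefix = "/"
    candidates = [prefix]
    for comp in components[:3]:
        prefix += comp + "/"
        candidates.append(prefix)
    for cand in candidates:
        if cand not in out:
            out.append(cand)
    return out


def lookup_expressions(url):
    """Every host-suffix + path-prefix combination the client must hash."""
    host, path = canonicalize(url)
    return [h + p for h in host_suffixes(host) for p in path_prefixes(path)]


def hash_prefix(expression, length=4):
    """SHA-256 of the expression, truncated to the prefix length the local
    list stores (4 bytes is the usual minimum)."""
    return hashlib.sha256(expression.encode("utf-8")).digest()[:length]


def check_url(url, local_prefixes, length=4):
    """Return the expressions whose hash prefix appears in the local list.
    An empty list means the URL is definitely not listed; a non-empty list
    is only a candidate match, which a real client confirms by fetching the
    full hashes for those prefixes from the Safe Browsing server."""
    return [e for e in lookup_expressions(url)
            if hash_prefix(e, length) in local_prefixes]


# Constructed stand-in for the downloaded prefix list: one blocklisted entry,
# 'badsite.example/', hashed and truncated the way a client stores it.
CONSTRUCTED_PREFIXES = {hash_prefix("badsite.example/")}

if __name__ == "__main__":
    for u in ("http://paypal.badsite.example/login/index.html?x=1",
              "http://www.paypal.com/signin"):
        print(u, "->", check_url(u, CONSTRUCTED_PREFIXES) or "no match")
```

The host-suffix expansion is why a listing for `badsite.example/` also covers `paypal.badsite.example`: the client hashes the shorter suffix too, so prefixing a brand name to an attacker's domain does not evade the list.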

Web Anti-pharming Protection

In addition to filtering out phishing emails and websites, Untangle Server Phish Blocker blocks pharming websites.

Pharming websites mimic legitimate sites (often banking or ecommerce) and use social engineering to trick users into handing over their user names, passwords and other sensitive information when they mistakenly log into the fraudulent site. These sites often use URLs that look similar to the target site: for example, replacing the "w" in wellsfargo.com with two "v"s (vvellsfargo.com), adding an extra "i" (wachoviia.net), or placing the target's name in front of the attacker's own domain, such as paypal.phishingsite.com. Strictly speaking, "pharming" usually denotes redirecting users to a fake site by tampering with DNS resolution, and lookalike domains of this kind are more often called typosquatting; both end in the same fraudulent site. Such sites have become so well designed that telling the real from the fake by eye is nearly impossible.
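A small detector for the lookalike patterns just described, as an added example written for this page in Python (it is not Phish Blocker's code and makes no claim about how Untangle detects these sites). It reduces the registered domain label to what a reader's eye sees through a confusable table (vv for w, 1 for l, and so on), collapses repeated letters so that wachoviia reads as wachovia, checks whether a protected brand appears as a subdomain of someone else's domain, and falls back to an edit distance of one for plain typos. The protected-brand list and the confusable table are constructed for the example, and the two-label registered-domain split is a simplification that ignores public suffixes such as co.uk.

```python
import re

# Constructed list of brands to protect; a deployment would carry its own.
PROTECTED = {"wellsfargo.com", "wachovia.net", "paypal.com"}

# Constructed confusable table: (what the attacker types, what the eye reads).
# Multi-character entries go first so 'vv' is handled before single letters.
CONFUSABLES = [("vv", "w"), ("rn", "m"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def registered_domain(host):
    """Split a host into (registered domain, subdomain labels) using the last
    two labels. Simplification: no public-suffix list, so 'bank.co.uk' would
    be mis-split; adequate for the .com/.net cases on this page."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]), labels[:-2]


def skeleton(label):
    """Reduce a label to its visual skeleton: substitute confusable sequences,
    then collapse runs of the same character (wachoviia -> wachovia)."""
    for typed, seen in CONFUSABLES:
        label = label.replace(typed, seen)
    return re.sub(r"(.)\1+", r"\1", label)


def levenshtein(a, b):
    """Classic edit distance; used to catch single-character typos that the
    skeleton does not normalise away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host):
    """Return (verdict, brand-or-domain) for a host name."""
    reg, subs = registered_domain(host)
    if reg in PROTECTED:
        return ("legitimate", reg)
    reg_label = reg.split(".")[0]
    for brand in sorted(PROTECTED):
        brand_label = brand.split(".")[0]
        if brand_label in subs:                            # paypal.phishingsite.com
            return ("brand-as-subdomain", brand)
        if skeleton(reg_label) == skeleton(brand_label):   # vvellsfargo.com, wachoviia.net
            return ("confusable", brand)
        if levenshtein(reg_label, brand_label) <= 1:       # one-character typo
            return ("typo", brand)
    return ("unknown", reg)


if __name__ == "__main__":
    for h in ("www.paypal.com", "vvellsfargo.com", "wachoviia.net",
              "paypal.phishingsite.com", "paypa1.com", "example.org"):
        print(h, "->", classify(h))
```

Note that the skeleton is applied to both sides of the comparison, so collapsing the "ll" in wellsfargo does not matter: the legitimate label and the lookalike reduce to the same string, which is the property the check relies on.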

Configuring Email Scanning for Phishing

To configure email scanning:

Before You Begin: Phish Blocker can only scan mail that passes through the Untangle Server over SMTP, POP, or IMAP. If you read an ISP or hosted mailbox over POP, configure your email program to download that mail automatically so that the traffic crosses the Untangle Server and Phish Blocker can scan it. Mail read in a web browser does not travel over these protocols and is not scanned by the email layer, although the web anti-phishing layer still applies to the links you follow.

  1. From Phish Blocker, click the tab for the protocol you use:
    • If you have a local Microsoft Exchange Server, click the SMTP tab.
    • If you use Outlook to download mail from a remote mailbox, click the POP tab.
    • If you use an IMAP email client, click the IMAP tab.
  2. In the table, specify how you want Untangle Server to behave:
    scan When the check box is selected, Untangle Server scans email in both directions unless a custom policy overrides this setting.
    action if Phish detected Controls what Untangle Server does with a message that is determined to be phish:
    • Mark message. Changes the subject of the message to start with the phrase [Phish]. Users can then set up email client filter rules to place such messages in a special folder.
    • Pass message. Passes the message on to the recipient, even though it was detected as phish.
    • Block message. Applies only to SMTP mail. Blocks the message: the sender believes it was delivered, yet it is never forwarded to the recipient. Although neither sender nor recipient knows the message was blocked, it is still recorded in the Event Log.
    • Quarantine message. Applies only to SMTP mail. Quarantines the message. For more information on the operation of this feature, refer to About Quarantine. As outlined in Creating Custom Policies, outgoing mail is not quarantined by default.
  3. Click the Save Settings button.

About Phish Blocker Event Log

Phish Blocker provides two event logs:

Web Event Log

Use the following terms and definitions to understand the Phish Blocker's Web Event Log:

timestamp The time the event took place.
action The action taken on the web request (for example, block).
client The IP address of the client that made the request.
request The requested URL (e.g. http://someurl/somepath.html).
server The IP address of the web server that received the request.

Email Event Log

Use the following terms and definitions to understand the Phish Blocker's Email Event Log:

timestamp The time the event took place.
action The action taken on the mail. The value depends on the mail protocol, but will contain descriptive text such as block or mark.
client The client IP Address of the protocol client. Recall that for SMTP this is the sender of the mail, and for IMAP/POP the receiver of the mail.
subject The subject of the email. This may be blank if the email had no subject.
receiver The recipient email address of the email.
sender The sender address of the email. For phishing emails this is almost always forged, so do not treat it as the true origin of the message.
server The server IP Address. Recall that for SMTP this is the machine receiving the email, and for IMAP/POP the machine holding the inbox.

Spam & Phishing FAQs
