Phish Blocker
Untangle Server User's Guide

About Phish Blocker

Phish Blocker protects against phishing over both the web and email, and against pharming over the web. It inspects email for phish, that is, fraudulent messages: a phishing email tries to obtain sensitive information such as passwords and credit card details by masquerading as a trustworthy person or business in an apparently official communication.

Phish Blocker scans all SMTP, POP3, and IMAP email that passes through the Untangle Server. Mail that never crosses the server on the wire (for example web mail read in a browser) is not seen by the email scanner.


Settings

This section reviews the different settings and configuration options available for Phish Blocker.


Email Settings

[Figure: Example of Phish Email]

Before You Begin: If your users read web mail, configure their email program to download that mail over POP3 or IMAP so that it passes through the Untangle Server and Phish Blocker can scan it:


  1. From Phish Blocker, open the area that matches how your mail arrives:
    • If you have a local Microsoft Exchange Server, use the SMTP area.
    • If you use Outlook to download web mail, use the POP3 area.
    • If you use an IMAP email client (less common), use the IMAP area.
  2. In the table, specify how you want Untangle Server to behave:
    Scan SMTP/POP3/IMAP. When the check box is selected, the Untangle Server scans email in both directions unless a custom policy overrides this setting.
    Action. This controls what Untangle Server does with a message once it has been determined to be phish:
    • Mark. Changes the subject of the message so that it starts with [Phish]. Users can then set up email client filter rules to place such messages in a special folder.
    • Pass. Delivers the message to the recipient even though it was detected as phish.
    • Block. Applies only to SMTP mail. The message is accepted from the sender, who sees a normal delivery, but it is never forwarded to the recipient. Neither sender nor recipient knows the message was blocked, but the event is recorded in the Event Log.
    • Quarantine. Applies only to SMTP mail. Holds the message in the quarantine. For more information on the operation of this feature, refer to About Quarantine. As outlined in Creating Custom Policies, outgoing mail is not quarantined by default.
  3. Click the Save button.
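The kind of check the Example of Phish Email illustrates (a link whose visible text names PayPal while its target does not), followed by the Mark action, as an added example in Python. This is not Untangle's code: the real product uses its own detection engine and signatures, which are not shown here. It assumes one heuristic only (visible-text domain versus href domain), the marker string [Phish] the page describes, and two constructed sample messages; the registrable-domain helper takes the last two labels, which is a simplification that is wrong for suffixes such as co.uk.

```python
"""Heuristic phish check plus the "Mark" action on a raw RFC 822 message.

Added example, not Untangle code.  Detection here is a single heuristic:
an <a> whose visible text names one domain while its href points at
another.  Sample messages below are constructed for the example.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

PHISH_TAG = "[Phish]"          # marker the page describes for the Mark action

# Constructed sample: display text says paypal.com, href goes elsewhere.
PHISH_RAW = b"""From: "PayPal" <service@paypal.com>
To: victim@example.com
Subject: Your account has been limited
Content-Type: text/html; charset=utf-8

<html><body>Please visit <a href="http://paypal.phishingsite.com/login">
http://www.paypal.com/cgi-bin/webscr</a> to restore access.</body></html>
"""

# Constructed sample: display text and href agree on the domain.
CLEAN_RAW = b"""From: alerts@example.com
To: victim@example.com
Subject: Weekly report
Content-Type: text/html; charset=utf-8

<html><body>See <a href="https://intranet.example.com/report">
https://intranet.example.com/report</a></body></html>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a href=...> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host):
    """Last two labels of a hostname (simplification: ignores co.uk etc.)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


_DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def mismatched_links(html):
    """Return (text, href) pairs whose visible domain differs from the href's."""
    parser = _LinkCollector()
    parser.feed(html)
    bad = []
    for href, text in parser.links:
        match = _DOMAIN_IN_TEXT.search(text)
        if not match:
            continue                      # "click here" style text: no claim made
        shown = registrable(match.group(1))
        real = registrable(urlparse(href).hostname or "")
        if shown != real:
            bad.append((text, href))
    return bad


def mark_subject(subject):
    """Prefix the subject with the marker exactly once."""
    subject = subject or ""
    if subject.startswith(PHISH_TAG):
        return subject
    return f"{PHISH_TAG} {subject}".rstrip()


def scan_and_mark(raw):
    """Parse a raw message, flag mismatched links, apply Mark if any were found.

    Returns (is_phish, reasons, message).  The message is returned unchanged
    when nothing was flagged.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            for text, href in mismatched_links(part.get_content()):
                reasons.append(f"link text {text!r} points at {href}")
    if reasons:
        new_subject = mark_subject(msg["Subject"])
        if msg["Subject"] is None:
            msg["Subject"] = new_subject
        else:
            msg.replace_header("Subject", new_subject)
    return bool(reasons), reasons, msg


if __name__ == "__main__":
    for raw in (PHISH_RAW, CLEAN_RAW):
        hit, why, out = scan_and_mark(raw)
        print(hit, str(out["Subject"]), why)
```

A client-side rule that files anything whose subject begins with [Phish] then completes the Mark workflow; the marker is added idempotently so a message that is scanned twice (for example on SMTP and again on POP3) does not end up as "[Phish] [Phish] ...".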


Web Settings

[Figure: Enabling Google's Blocklist]

Phish Blocker uses Google's blocklist (also known as Safe Browsing) to provide anti-phishing protection as you browse the Internet. Google's blocklist is a list of known websites that trick you into disclosing sensitive information under false pretences. To ensure a high level of protection, Untangle Server updates Phish Blocker every six hours with changes to Google's blocklist. Even if you have disabled automatic updates on your Untangle Server, Phish Blocker still receives Google's blocklist updates.

If you click the URL in the phish email shown in the Example of Phish Email figure, the link leads to a site that is not registered to PayPal. That website is listed on Google's blocklist, so when you visit it Phish Blocker warns you that it is a phish website. This protects you against such website spoofing in the event that a phish email gets past the first barrier, email anti-phishing protection.

Note: Advanced users can learn more about the intricacies of Google's blocklist by reading the Safe Browsing specification, which is public.

In addition to filtering out phishing emails and websites, Untangle Server Phish Blocker blocks pharming websites.

Pharming websites mimic legitimate sites (often banking or ecommerce) and use social engineering to trick users into giving up their user names, passwords and other sensitive information when they mistakenly log in to the fraudulent site. These sites often use URLs that look similar to the target site: replacing the "w" in wellsfargo with two "v"s (vvellsfargo.com), adding an extra "i" to wachovia (wachoviia.net), or prefixing the target's name to the pharmer's own domain (paypal.phishingsite.com). Pharming sites have become so well designed that telling the real site from the fake by eye is nearly impossible, so the decision has to be made on the domain, not on how the page looks. (Strictly, pharming also covers sending users to such a site by tampering with DNS; this page uses the term for the lookalike sites themselves.)
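The three lookalike patterns above can be checked mechanically against a list of protected domains. The following is an added example, not Untangle code and not Google's blocklist: the brand list and the homoglyph table are illustrative assumptions, the edit-distance threshold of one is a choice, and the registrable-domain split takes the last two labels, which is wrong for suffixes such as co.uk. It goes slightly beyond the text by also catching single-character substitutions such as digits for letters.

```python
"""Lookalike-domain classifier for the pharming patterns on this page.

Added example, not Untangle code.  PROTECTED and HOMOGLYPHS are
illustrative assumptions; a real deployment would use a maintained list.
"""
from urllib.parse import urlparse

PROTECTED = {"wellsfargo.com", "wachovia.com", "paypal.com"}

# Character sequences that read as a single letter in many fonts.
HOMOGLYPHS = [("vv", "w"), ("rn", "m"), ("cl", "d"), ("0", "o"), ("1", "l")]


def fold(label):
    """Normalise confusable sequences so that vvellsfargo -> wellsfargo."""
    for seq, rep in HOMOGLYPHS:
        label = label.replace(seq, rep)
    return label


def edit_distance(a, b):
    """Levenshtein distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def registrable(host):
    """Last two labels (simplification: ignores multi-label suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify(url_or_host, protected=PROTECTED, max_dist=1):
    """Return (verdict, protected_domain_or_registrable).

    verdict is one of "legit", "brand-as-subdomain", "lookalike", "unknown".
    """
    target = url_or_host if "://" in url_or_host else "//" + url_or_host
    host = (urlparse(target).hostname or "").lower()
    reg = registrable(host)
    if reg in protected:
        return ("legit", reg)

    # (a) paypal.phishingsite.com: the brand appears as a label to the left
    #     of someone else's registrable domain.
    brand_labels = {p.split(".")[0]: p for p in protected}
    for label in host.split(".")[:-2]:
        if label in brand_labels:
            return ("brand-as-subdomain", brand_labels[label])

    # (b) vvellsfargo.com / wachoviia.net / paypa1.com: the registrable
    #     label is a homoglyph or near-miss of a protected label.  The TLD
    #     is deliberately ignored, so wachoviia.net still matches.
    reg_label = reg.split(".")[0]
    folded = fold(reg_label)
    for p in protected:
        p_label = p.split(".")[0]
        if folded == p_label or edit_distance(folded, p_label) <= max_dist:
            return ("lookalike", p)
    return ("unknown", reg)


if __name__ == "__main__":
    for sample in ("vvellsfargo.com", "wachoviia.net",
                   "http://paypal.phishingsite.com/login",
                   "https://www.wellsfargo.com/", "example.com"):
        print(sample, classify(sample))
```

The folding step is where false positives come from (a legitimate label containing "rn" folds to "m"), so in practice the lookalike verdict should feed a warning or a review queue rather than a hard block, which is also why the page relies on a curated blocklist rather than a heuristic.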


Event Log

Phish Blocker provides two event logs: Web Event Log and Email Event Log.


Web Event Log

Use the following terms and definitions to understand the Phish Blocker's Web Event Log:

timestamp The time the event took place.
action The action taken on the web request, for example block.
client The IP address of the browsing client that made the request.
request The URL that was requested (e.g. http://someurl/somepath.html).
server The IP address of the web server the request was sent to.


Email Event Log

Use the following terms and definitions to understand the Phish Blocker's Email Event Log:

timestamp The time the event took place.
action The action taken on the mail. The value depends on the mail protocol, but will contain descriptive text such as block or mark.
client The IP address of the protocol client. For SMTP this is the host delivering the mail, and for IMAP/POP the host fetching it.
subject The subject of the email. This may be blank if the email had no subject.
receiver The recipient email address of the email.
sender The sender of the email as given in the message. Note that for phishing emails this is almost always forged.
server The IP address of the protocol server. For SMTP this is the machine receiving the email, and for IMAP/POP the machine holding the inbox.


Phish Blocker FAQs

When configuring my Untangle Server to mark phishing emails received over IMAP, the subject of the mails changes to [Phish]... only after I click on the message. Why?

Most IMAP clients first fetch summary information about emails (subject, sender) so the end user can see a preview list of messages. Only when the user selects (clicks on) the message is the actual content retrieved from the server. It is then that the Untangle Server is able to scan the message. Unfortunately, some email clients do not notice the changed subject and do not update their preview list.

If an unwanted email (spam, phishing, etc.) is received for an email address that cannot be quarantined, but my rules are set to quarantine, what happens?

The Quarantinable Addresses rules take precedence over the actions for email rules. In this situation, the email would be marked rather than quarantined.


Why is blocking (or quarantining) of emails not an option for POP or IMAP?

POP and IMAP work differently from SMTP. With POP and IMAP, the client requests the message from the server (for example when the user clicks on it); only at that point is the message downloaded and scanned. Even if the scanner determines the message is phish or spam, it still must be delivered to the client, because the client is waiting for a response and cannot read its mail unless something is delivered. As a result, only Mark is an option.

Why can't I block superspam for POP and IMAP emails like I can for SMTP?

For the same reason that you can't quarantine POP/IMAP spam. The message is not scanned until it is requested by the mail client, and at that point the message (even if it is spam) must be delivered to the client to complete the transaction.
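Putting the rules from the Settings table and the three FAQ answers above into one function, as an added example (not Untangle code): Block and Quarantine apply to SMTP only, POP3 and IMAP can only mark, and a recipient outside the Quarantinable Addresses list is marked rather than quarantined. It assumes the address list uses shell-style wildcards such as *@mycompany.com, as in the quarantine FAQ further down this page; the protocol names and the sample batch are constructed.

```python
"""Effective action for a detected phish, given protocol and quarantine rules.

Added example, not Untangle code.  Encodes the precedence stated on this
page; the wildcard syntax for Quarantinable Addresses is assumed to be
shell-style ("*@mycompany.com").
"""
from fnmatch import fnmatchcase

MARK, PASS, BLOCK, QUARANTINE = "mark", "pass", "block", "quarantine"
SMTP_ONLY = {BLOCK, QUARANTINE}      # the two actions the page limits to SMTP


def quarantinable(recipient, patterns):
    """True if the recipient matches any Quarantinable Addresses pattern."""
    addr = recipient.lower()
    return any(fnmatchcase(addr, p.lower()) for p in patterns)


def effective_action(protocol, configured, recipient, patterns=("*",)):
    """Resolve what the gateway can actually do with this message.

    protocol:   "smtp", "pop3" or "imap"
    configured: the Action chosen in the Phish Blocker settings table
    patterns:   Config > Email > Quarantine > Quarantinable Addresses
    """
    protocol = protocol.lower()
    if configured == PASS:
        return PASS
    if protocol != "smtp" and configured in SMTP_ONLY:
        # POP3/IMAP: the client is waiting for the download, so something
        # must be delivered; the only thing left to do is mark it.
        return MARK
    if configured == QUARANTINE and not quarantinable(recipient, patterns):
        # Quarantinable Addresses take precedence over the email rule.
        return MARK
    return configured


def resolve_batch(events, patterns):
    """Apply effective_action to (protocol, configured, recipient) tuples."""
    return [(p, r, effective_action(p, c, r, patterns)) for p, c, r in events]


if __name__ == "__main__":
    # Constructed batch: one quarantine rule for the local domain only.
    batch = [("smtp", QUARANTINE, "bob@example.com"),
             ("smtp", QUARANTINE, "bob@other.org"),
             ("pop3", BLOCK, "bob@example.com"),
             ("imap", QUARANTINE, "bob@example.com")]
    for row in resolve_batch(batch, ("*@example.com",)):
        print(row)
```

The order of the checks matters: the protocol limit is applied before the quarantine-address check, so an IMAP message for a quarantinable address still ends up marked, exactly as the FAQ describes.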


Why does the Event Log report the sender as my bank, yet it was fraudulent? Why does it not report the real sender?

One of the characteristics of phishing emails is that they forge the apparent sender. The From header is chosen by the attacker, so although Untangle Server can detect the email as a phishing attempt, nothing in the message reliably identifies the true sender. For SMTP, the client IP address in the Event Log is the one record of which host actually delivered the message.


Why is Subject (or sender) blank for some emails in the Event Log?

Not all emails (especially spam emails) have subjects. Some spammers also use tricks to cause there to be no detectable sender.


Why is mail not passing between my Exchange servers?

The Untangle Server forces Extended SMTP (ESMTP) sessions to fall back to plain SMTP so that the mail in transit can be scanned. It does this by transparently rewriting the client's EHLO command to HELO and stripping the corresponding extension keywords from the server's reply. When two Exchange servers are set up so that they require ESMTP, all communication between them fails.

This can be avoided by adding a special "No Rack" policy or a Bypass rule for the traffic between these two servers. To add a Bypass Rule, go to config->networking->advanced->Bypass Rules and create a rule that describes the traffic between your two servers. To add a "No Rack" policy, open the Policy Manager, Custom Policies, and add two policies to be processed by "No Rack": one from server A to server B on port 25, and one from server B to server A on port 25. The net effect is that any communication between these two servers is ignored, and therefore not scanned.
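The downgrade described above on a constructed handshake between two mail servers, as an added example (not Untangle code): the EHLO line is rewritten to HELO and the multi-line 250 reply is collapsed to the single line a HELO would receive. The page does not list which keywords Untangle strips, so this version hides every extension; the hostnames and extension set in the transcript are made up.

```python
"""Model of the ESMTP-to-SMTP downgrade the FAQ describes.

Added example, not Untangle code.  Which keywords the real gateway strips is
not stated on this page; this model drops every extension line.
"""

# Constructed transcript: C = client (sending server), S = receiving server.
EXCHANGE = [
    ("S", "220 mail.example.com ESMTP ready"),
    ("C", "EHLO exch2.example.com"),
    ("S", "250-mail.example.com Hello exch2"),
    ("S", "250-SIZE 52428800"),
    ("S", "250-STARTTLS"),
    ("S", "250 8BITMIME"),
    ("C", "MAIL FROM:<a@example.com>"),
    ("S", "250 2.1.0 Sender OK"),
]


def rewrite_client_line(line):
    """Downgrade EHLO to HELO; every other command passes through unchanged."""
    verb, _, rest = line.partition(" ")
    if verb.upper() == "EHLO":
        return "HELO " + rest if rest else "HELO"
    return line


def strip_extensions(reply_lines):
    """Collapse a multi-line 250 EHLO reply to the single line HELO would get.

    An EHLO reply is "250-<domain>" then "250-<EXT>"... then "250 <EXT>".
    A HELO reply is just "250 <domain>".  Non-250 replies are left alone.
    """
    if not reply_lines or not reply_lines[0].startswith("250"):
        return list(reply_lines)
    first = reply_lines[0]
    return ["250 " + (first[4:] if len(first) > 4 else "")]


def downgrade(transcript):
    """Run a (side, line) transcript through the rewriter.

    Returns (rewritten transcript, list of extension keywords hidden from
    the client).  Server replies whose 4th character is "-" are gathered
    into one multi-line unit before deciding what to do with them.
    """
    out, hidden = [], []
    pending_ehlo = False
    i = 0
    while i < len(transcript):
        side, line = transcript[i]
        if side == "C":
            new = rewrite_client_line(line)
            pending_ehlo = new != line       # only set when we rewrote EHLO
            out.append(("C", new))
            i += 1
            continue
        block = [line]
        while (line[3:4] == "-" and i + 1 < len(transcript)
               and transcript[i + 1][0] == "S"):
            i += 1
            line = transcript[i][1]
            block.append(line)
        if pending_ehlo:
            hidden.extend(l[4:] for l in block[1:])
            block = strip_extensions(block)
            pending_ehlo = False
        out.extend(("S", l) for l in block)
        i += 1
    return out, hidden


if __name__ == "__main__":
    rewritten, lost = downgrade(EXCHANGE)
    for side, line in rewritten:
        print(side, line)
    print("hidden extensions:", lost)
```

Once STARTTLS and the other keywords vanish from the reply, a peer that is configured to insist on those extensions has nothing to negotiate with and the session stops, which is the failure the FAQ describes; the bypass rule above keeps that one server pair out of the rewriter, at the cost of not scanning that traffic.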


Can I forward my email to Untangle and then have Untangle forward the email to my mail server?

No. Untangle is a network gateway and is meant to be installed "in-line" with the traffic. Untangle does not store-and-forward mail. Untangle will transparently scan mail as it passes through it.


Can I have Untangle drop mail that is not addressed to valid users?

No. Untangle does not have a list of valid email addresses for your site. Configure your email server instead so that it does not accept mail for invalid users; this is the default for almost all mail servers except Microsoft Exchange. The links below give instructions on how to configure your email server.

How do I stop sending Quarantine Daily Digests?

In Config > Email, you can uncheck the option for Send Daily Quarantine Digest Emails. This will prevent Quarantine Digests from being sent.


I don't send Daily Digests. How can I keep from running low on disk space?

This is generally not a problem, but if you have a small disk drive or you receive a huge volume of spam, you may need to reduce the number of days that quarantined email is retained. This is adjustable in Config > Email.


I need to keep a Quarantine for everyone, but how do I limit who receives a Quarantine Digest?

You can decide whose mail is quarantined, but everyone who has a quarantine receives a digest. The digest cannot be turned on or off for individual users once you have decided whether or not they have a quarantine.


How do I resend Quarantine Daily Digests?

You can resend digests by launching the Untangle Server's Request Quarantine Daily Digest Email window. Go to Resending Quarantined Daily Digests.


Why are users not receiving a Quarantine Daily Digest?

  • The untangle server may not be configured to send email correctly. Check Config > Email
  • Users might not have anything new in the quarantine. A daily digest is sent only if something new is in the quarantine.
  • If this is happening for all users, make sure that you have not turned off the option for Quarantine Daily Digest delivery.


What happens to email recipients' email when those recipients are not on the quarantinable address list?

If you removed the wildcard (*) and created a quarantinable address list, Spam Blocker passes the email but marks it as [Spam] for recipients who are not on the list.


Why does my Quarantine have emails for people who don't work here?

Spammers do not discriminate; they send spam in many ways to get their message into your mailbox. Untangle simply scans email for viruses, phishing attempts and spam. It does not check whether the message is going to a valid recipient. In Config > Email > Quarantine > Quarantinable Addresses, change the Quarantinable Address from "*" to "*@<mycompany>", replacing <mycompany> with your company's domain name. Only mail addressed to your company will then be quarantined. Note that spam may still arrive for non-existent addresses within your own domain.


I have 600 messages in my quarantine. How can I go through them faster?

Look at the bottom of the Quarantine Digest. You can choose how many messages appear per page. You can set the maximum number to 25, 100, 1000 or all messages. That will help you go through them faster, but be warned. Choosing a high number causes a large web page to be loaded. Depending on how much memory your computer has available, that may cause your browser to crash...or worse.


I released an email from my Quarantine Digest. Where did it go?

It is likely that the email was captured again by Spam Blocker. To make sure this doesn't happen, go to Config > Email > Outgoing Server and note the From Address that is being used by Untangle. Add this address to Config > Email > From-Safe List. This will prevent Untangle from scanning any email being released from Quarantine Digest.


I get two copies of the Quarantine Digest. Why?

You are likely a member of an email distribution list and the quarantine is not configured properly. Let's use an example. You are a member of a list called sales@xyz.com. The list members are joebob@xyz.com, fredbob@xyz.com and bobbob@xyz.com. They all complain that they get two Quarantine Digests daily.

In the Quarantinable Forwards panel (Config > Email > Quarantine > Quarantinable Forwards), there is nothing listed. That means that each of these people gets a Quarantine Digest for their own email address as well as one for sales@xyz.com. Joe Bob is supposed to manage quarantines for the mailing list, so we should make an entry under distribution list address as sales@xyz.com and its corresponding send to address as joebob@xyz.com. That should take care of the problem. Don't forget to save your changes.

If there is a mailing list with a large number of members (hugelist@xyz.com) and you wish to have multiple people responsible for checking the quarantines, create a new email distribution list in your mail server (notsohugelist@xyz.com) that contains the email addresses for the people who have this responsibility, then set the Untangle Quarantine Forwards pair to hugelist@xyz.com and notsohugelist@xyz.com. Only those people who have the responsibility will get Quarantine Digests for the mail list.


Why can't my off-site users get their Quarantine Digests?

The most common reason is that the Quarantine Digest contains a URL with a private (LAN) IP address. Off-site users need a URL that is reachable from the public Internet. You can set that up as follows:

  1. In Config > Administration > Public Address, define an IP address that is accessible on the outside. Make sure to click the Enabled button.
  2. In Config > Administration, make sure that Enable Outside Quarantine Viewing is checked.
  3. In Config > Networking > Hostname, determine if you can give a name to the Untangle Server. Enter that if appropriate. If a hostname is defined and it is resolvable on public DNS servers, check the Hostname resolves publicly box. If you wish to use a hostname and one is not available for you, you may wish to use Dynamic DNS to associate a hostname with an IP address. Refer to Configuring Untangle Server To Use Dynamic DNS for more information.