Personal tools
Phish Blocker
From UntangleWiki
 Phish Blocker
|
|
About Phish Blocker
Phish Blocker protects users from phishing attacks over the web (HTTP) and email (SMTP/POP3/IMAP). It inspects email for fraudulent emails, also known as phish. A phishing email attempts to acquire sensitive information such as passwords and credit card details by masquerading as a trustworthy person or business in an apparently official electronic communication, such as an email.
Settings
This section reviews the different settings and configuration options available for Phish Blocker.
SMTP
These settings apply only to the SMTP protocol.
- Scan SMTP: This enables or disables SMTP scanning.
- Action: The action taken on the message if the Spam Score is high enough.
- If set to Mark, "[Phish]..." will be prepended to the email subject line and it will be delivered. If set to Pass, the message will be delivered as originally sent. Drop will inform the sending server the mail was sucesfully delivered, but Untangle will drop the mail so it is never delivered. Quarantine will send the mail to users' email quarantine for them to release or delete as they see fit. For more information, refer to Quarantine.
POP and IMAP
The settings under each heading apply only to that protocol. They are grouped here together because emails transferred using these protocols cannot be quarantined due to how these protocols operate, only marked or dropped.
- Scan POP3/IMAP: This enables or disables scanning of the respective protocols.
- Action: The action taken on the message if the Spam Score is high enough.
- If set to Mark, "[Phish]..." will be prepended to the email subject line and it will be delivered. If set to Pass, the message will be delivered as originally sent.
Web
These setting apply only to the HTTP protocol.
- Enable Phish web filtering: This enables or disables scanning web traffic for phish.
Event Log
Use the following terms and definitions to understand the Event Logs:
Email Event Log
| Name | Description |
|---|---|
| Timestamp | The time the event took place. |
| Receiver | The email address of the recipient. |
| Sender | The email address of the sender - for spam, this is often blank. |
| Subject | The subject of the email. |
| Action | The action taken on the email. |
| Client | The IP address of the client that made the request. |
| Server | The IP address of the server that received the request. |
Web Event Log
| Name | Description |
|---|---|
| Timestamp | The time the event took place. |
| Action | The action taken on the request. |
| Client | The IP address of the client that made the request. |
| Request | |
| Server | The IP address of the server that received the request. |
Related Topics
Phish Blocker FAQs
How can I exempt email addresses from Phish Blocker scanning?
The From-Safe List at Config > Email > From-Safe List is respected by Phish Blocker; it will pass any emails entered there in either Global or User-based safelists.
Where can I get more information on phish filtering for the web?
Phish Blocker leverages Google's Phishing Protection protocol, more information on it is available here.
When marking IMAP messages, the subject of the mails changes to [Phish]... only after I click on the message. Why is this?
Most IMAP clients first fetch summary information about emails (subject, sender) so the end user can see a preview list of messages. Only when the user selects the message is the actual content of the message retrieved from the server. It is then that Untangle is able to scan the message. Unfortunately some email clients do not detect the change in subject and update their preview list.
How do I stop sending daily Quarantine Digests?
Use the Send Daily Quarantine Digest Emails at Config > Email > Quarantine.
Why are users not receiving a Quarantine Daily Digest?
Verify your email configuration at Config > Email - make sure they receive the test email. If they do not, you can check the mailer log on the Untangle to see if there was an error, the file is /var/log/exim4/mainlog.
Why can't my off-site users get their Quarantine Digests?
The most common reason is that the Quarantine Digest has a URL with a private IP while they need a URL with a public IP. You'll need to verify a few settings:
- Under Config > Administration, make sure that Enable Outside HTTPS Administration is checked.
- Under Config > Administration > Public Address, choose Use Hostname or Use Manually Specified IP as appropriate.
- If using Use Hostname, make sure your hostname is properly configured and publicly resolvable at Config > Networking > Hostname. If you're using a Dynamic IP, it's recommended to set up Dynamic DNS on the same page.
What happens to email when the recipient is not on the quarantinable address list?
If you removed the wildcard and manually created a quarantinable address list, the Spam Blocker passes but marks the email as [Spam] for those that are not on the list.
What will happen if my rules are set to quarantine but the receiver's address cannot be quarantined?
The Quarantinable Addresses rules take precedence over the actions for email rules. In this situation, the email would be marked rather than quarantined.
Can I have Untangle drop mail that is not to valid users?
No as Untangle does not have a list of valid emails for your site. It is suggested that your configure your email server to not accept mail for invalid users. This is the default for almost all mail servers except Microsoft Exchange - the links below are instructions on how to configure your email server.
Why is mail not passing between my Exchange servers?
The Untangle Server forces Extended SMTP (ESMTP) to fall back to SMTP so that the transmitting emails may be scanned. When two Exchange servers are setup such that they require ESMTP communication, all communications will fail. This is enforced by transparent rewriting of the "EHLO" command to "HELO" and appropriate keywords are also stripped.
This can be fixed by adding a Bypass Rule for communication between the servers.
