topic Re: MTA malicious sites inside the | Mail Body | Mail Subject | Attachment [TE100x] in Firewall and Security Management

MTA malicious sites inside the | Mail Body | Mail Subject | Attachment [TE100x]

Chinmaya_Naik — Wed, 10 Apr 2019 09:04:43 GMT

OS : R80.20 both Gateway and Management Server and also TE.

TE Engine Version : 58.990000298

HotFix : R80.20 Jumbo Hotfix Take_33

MTA : R80_20_mta Take 27

BLADE: Threat Emulation | Threat Extraction | Antivirus | AntiBot | IPS

We configure Gateway as a MTA.

We using both Threat Emulation and Threat Extraction only for SMTP traffic.

I did some testing and find below results.

Scenario1 : When we put malicious URL on mail body.

Results: Malicious URL was totally removed.

Scenario2 : When we put malicious URL on Mail Subject.

Results : Malicious URL was modified but not totally removed.

Scenario3 : When we put malicious URL on Mail Subject and also in Mail Body.

Results : Malicious URL was modified on Subject but not in the mail body , still the malicious URL in mail body showing as is it.

Scenario4 : For example I put genuine URL on Mail subject like "www.google.com" and put malicious URL in Mail body.

Results: Malicious URL was removed from Mail Body and no changes on Mail Subject.

QUERY : If I put the same malicious URL in a attachment then :

Is this malicious URL is totally we able to removed in attachment ?

Is this only remove the hyper link in attachment ?

Is this possible to modified the malicious URL in attachment ?

Also Scenario5: If I send a malicious URL with out "https or http" then URL is not able to detect.
So is URL reputation is only check if URL is in started from http or https only.

@Chinmaya_Naik

Re: MTA malicious sites inside the | Mail Body | Mail Subject | Attachment [TE100x]

G_W_Albrecht — Wed, 10 Apr 2019 08:48:59 GMT

This is an interesting test - but except the used appliance TE100x, we do neithr know CP Version, TE engine version nor Jumbo take installed !

Re: MTA malicious sites inside the | Mail Body | Mail Subject | Attachment [TE100x]

Chinmaya_Naik — Wed, 10 Apr 2019 09:06:49 GMT

Updated

We also plane to upgrade the MTA , HotFix and also TE Engine and check the behavior.

@Chinmaya

Re: MTA malicious sites inside the | Mail Body | Mail Subject | Attachment [TE100x]

G_W_Albrecht — Wed, 10 Apr 2019 10:01:33 GMT

The TE engine itself is two steps from current - your version is from 16-Jan-19,

current Engine:58.990000617 from 31-Mar-19.

Jumbo HotFix : R80.20 Jumbo Hotfix Take_33 is from 08 January 2019, GA from 04 February 2019,

current General Availability Take 47 is from 24 February 2019, GA from 25 Mar 2019, Ongoing Take 73 (08 Apr 2019) is also available (but not yet supported by the MTA update package 😞

MTA : R80_20_mta Take 27,

current version is R80_20_mta Take 31 from 4.4.19

Re: MTA malicious sites inside the | Mail Body | Mail Subject | Attachment [TE100x]

Chinmaya_Naik — Wed, 10 Apr 2019 10:08:06 GMT

@G_W_Albrecht

Thanks for your reply.

Yes I understand and I will update to latest version and check But have any body face this behavior yet ?

@Chinmaya_Naik

Re: MTA malicious sites inside the | Mail Body | Mail Subject | Attachment [TE100x]

Chinmaya_Naik — Wed, 03 Jul 2019 05:54:19 GMT

Hi Team,

Anyone help me to clarify the concept.

I need a clear idea about how exactly MTA work with the malicious link when I send via Mail Body, Mail Subject and Attachment.

We need to give a clear idea to our customer.

Thanks in Advanced.

Regards

Chinmaya

Re: MTA malicious sites inside the | Mail Body | Mail Subject | Attachment [TE100x]

G_W_Albrecht — Wed, 03 Jul 2019 08:31:34 GMT

I would suggest to open a SR# with CP TAC to get answers on this !