malicious emails

German_Cruz — Fri, 21 Mar 2025 18:31:47 GMT

Hello everyone

Every day I receive over 100 malicious emails of various types and with malicious links.

In my deployment, I have CheckPoint's MTA enabled. I've noticed that it works on links that have already been reported as malicious, but on new ones (meaning the domain or IP has been created less than 15 days ago and hasn't been reported as malicious), it doesn't remove the malicious link.

I have also created a GEO policy, to block IPs by country of origin.

To that end, I'm adding the IPs and domains to the CheckPoint anti-spam block lists.

But this activity is becoming endless.

I'd like to know if the following is possible:

• Add domains or IPs to the block lists in bulk mode
• How to block domains using patterns, for example:

www-data@consultoria02b.sueciadeorigem.cfd

“www-data”
@*. sueciadeorigem.cfd
@*. cfd
• Block based on a list of words matching the email subject, for example:

I appreciate your comments.

Regards.

Example of content email malisous

Olá, internal.user@mydomain.com

Todos os relatórios financeiros foram revisados e estão prontos para serem apresentados.

Por favor, revise os relatórios e siga as orientações fornecidas para continuar com o processo.

Relatórios ref: 3078-a08797942024 21/03/2025.xlsx (0 KB) <---- malicious link

Atenciosamente,

Antonella Lima

Example of the malicious addresses I receive:

acompanhamento@consultoria02b.cobrabrasil.sbs

central@consultoria06f.cobrabrasil.sbs

atendimento@consultoria01a.lincefrutabrasil.sbs

acompanhamento@consultoria05e.lincefrutabrasil.sbs

juridico@consultoria01a.lincebrasil.sbs

comunicacao@consultoria01a.lincebrasil.sbs

processual@consultoria04d.pinguimbrasil.sbs

juris@consultoria03c.cotiabrasil.sbs

documentos@consultoria03c.cotiabrasil.sbs

servico@consultoria03c.cotiabrasil.sbs

mensagem@consultoria03c.cotiabrasil.sbs

notificacao@consultoria02b.cotiabrasil.sbs

comunicacao@consultoria02b.cotiabrasil.sbs

oficial@consultoria02b.cotiabrasil.sbs

processo@consultoria02b.cotiabrasil.sbs

processual@consultoria02b.cotiabrasil.sbs

consulta@consultoria01a.serpentebrasil.sbs

acompanhamento@consultoria05e.serpentebrasil.sbs

registro.judicial@consultoria05e.lincebrasil.sbs

org@consultoria03c.cotiaburrabrasil.sbs

andamento@consultoria03c.cotiaburrabrasil.sbs

gestao@consultoria03c.cotiaburrabrasil.sbs

canal@consultoria03c.cotiaburrabrasil.sbs

notificacao@consultoria03c.cotiaburrabrasil.sbs

oficial@consultoria03c.cotiaburrabrasil.sbs

comunicado@consultoria03c.cotiaburrabrasil.sbs

registro.trt@consultoria01a.pinguimbrasil.sbs

comunicacao@consultoria03c.guaribabrasil.sbs

processo@consultoria03c.guaribabrasil.sbs

notificacao@consultoria05e.cotiabrasil.sbs

comunicacao@consultoria03c.lincefrutabrasil.sbs

acompanhamento@consultoria03c.lincefrutabrasil.sbs

coordenadoria@consultoria05e.serpentebrasil.sbs

controle@consultoria05e.cobrabrasil.sbs

notificacao@consultoria04d.serpentebrasil.sbs

alerta@consultoria03c.lincefrutabrasil.sbs

comunicado@consultoria02b.cotiaburrabrasil.sbs

acompanhamento@consultoria03c.cotiabrasil.sbs

informativo@consultoria03c.guaribabrasil.sbs

central.juridica@consultoria02b.guaribabrasil.sbs

coordenadoria@consultoria02b.guaribabrasil.sbs

consulta.legal@consultoria05e.lincefrutabrasil.sbs

diretoria@consultoria05e.lincefrutabrasil.sbs

info@consultoria03c.lincefrutabrasil.sbs

atendimento@consultoria03c.lincefrutabrasil.sbs

org@consultoria05e.lincefrutabrasil.sbs

documentos@consultoria03c.lincefrutabrasil.sbs

consulta.legal@consultoria01a.lincebrasil.sbs

consulta.legal@consultoria02b.pinguimbrasil.sbs

info@consultoria02b.pinguimbrasil.sbs

processual@consultoria02b.pinguimbrasil.sbs

juridico@consultoria02b.pinguimbrasil.sbs

digital@consultoria02b.pinguimbrasil.sbs

suporte.judicial@consultoria02b.pinguimbrasil.sbs

envio@consultoria04d.jacubrasil.sbs

painel@consultoria02b.pinguimbrasil.sbs

sistema@consultoria04d.jacubrasil.sbs

trt@consultoria04d.jacubrasil.sbs

canal@consultoria05e.lincefrutabrasil.sbs

portal@consultoria05e.lincefrutabrasil.sbs

consulta@consultoria05e.lincefrutabrasil.sbs

canal@consultoria03c.lincefrutabrasil.sbs

central@consultoria05e.lincefrutabrasil.sbs

consulta.legal@consultoria05e.lincebrasil.sbs

suporte@consultoria05e.lincefrutabrasil.sbs

resposta@consultoria05e.lincefrutabrasil.sbs

info@consultoria05e.lincefrutabrasil.sbs

painel@consultoria05e.lincefrutabrasil.sbs

digital@consultoria03c.lincefrutabrasil.sbs

sistema@consultoria03c.lincefrutabrasil.sbs

controle@consultoria03c.lincefrutabrasil.sbs

notificacao.trabalhista@consultoria06f.cobrabrasil.sbs

juridico@consultoria03c.lincebrasil.sbs

relatorio@consultoria03c.lincebrasil.sbs

processo@consultoria05e.jacubrasil.sbs

painel@consultoria04d.lincebrasil.sbs

comunicacao@consultoria05e.jacubrasil.sbs

boletim@consultoria05e.pinguimbrasil.sbs

institucional@consultoria06f.pinguimbrasil.sbs

aviso@consultoria02b.lincefrutabrasil.sbs

aviso@consultoria04d.serpentebrasil.sbs

oficial@consultoria02b.lincefrutabrasil.sbs

seguimento@consultoria03c.serpentebrasil.sbs

consulta@consultoria06f.cotiabrasil.sbs

coordenadoria@consultoria06f.cotiabrasil.sbs

diretoria@consultoria05e.lincebrasil.sbs

seguimento@consultoria02b.lincebrasil.sbs

registro@consultoria02b.lincebrasil.sbs

Re: malicious emails

PhoneBoy — Mon, 24 Mar 2025 21:26:50 GMT

You can create your own Custom Application/Site Object that can be referenced in a Threat Prevention policy.
You could also do it through a custom indicator file.

Re: malicious emails

German_Cruz — Wed, 26 Mar 2025 19:14:21 GMT

Thanks!!
I'm reviewing the information (custom indicator file) and testing.

The problem I see is that I can't use willdcards (and that's what I need to use willcards). Or a list of words contained in the sender's address.

Example:
priscila1987@dctweb35.eagletrust.land -> priscila1987@*.eagletrust.land

avisodocumento566@vps-tem0rk67.vps.ovh.net -> avisodocumento566@*.vps.ovh.net

I'm wondering if I have to include all the addresses found in malicious links or if I can use some abbreviation.

Example:

hTTps://107.201.148.37.host.secureserver.net/W095s9aJaJDJg/MqMDDJgF4s36S5/6992222C6
hTTps://107.201.148.37.host.secureserver.net/K04xcV4bOzVnIz8cyV7I/VyVUUIsOz8c5I8/69976816Z
hTTps://107.201.148.37.host.secureserver.net/P15uRI19IBgQ1I2UXIRh1/BiBRRXpQuh61V6/4771542802D

topic Re: malicious emails in Firewall and Security Management

malicious emails

Re: malicious emails

Re: malicious emails

Re: malicious emails