Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
German_Cruz
Contributor

malicious emails

Hello everyone

Every day I receive over 100 malicious emails of various types and with malicious links.

In my deployment, I have CheckPoint's MTA enabled. I've noticed that it works on links that have already been reported as malicious, but on new ones (meaning the domain or IP has been created less than 15 days ago and hasn't been reported as malicious), it doesn't remove the malicious link.

I have also created a GEO policy, to block IPs by country of origin.

To that end, I'm adding the IPs and domains to the CheckPoint anti-spam block lists.

But this activity is becoming endless.

I'd like to know if the following is possible:


• Add domains or IPs to the block lists in bulk mode
• How to block domains using patterns, for example:

[email protected]

“www-data”
@*. sueciadeorigem.cfd
@*. cfd
• Block based on a list of words matching the email subject, for example:

I appreciate your comments.

Regards.

Example of content email malisous

 

Olá, [email protected] 

Todos os relatórios financeiros foram revisados e estão prontos para serem apresentados.

Por favor, revise os relatórios e siga as orientações fornecidas para continuar com o processo.

Relatórios ref: 3078-a08797942024 21/03/2025.xlsx (0 KB)    <---- malicious link

Atenciosamente,

Antonella Lima

 

 

Example of the malicious addresses I receive:

[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]
[email protected]

 

 

0 Kudos
3 Replies
PhoneBoy
Admin
Admin

You can create your own Custom Application/Site Object that can be referenced in a Threat Prevention policy.
You could also do it through a custom indicator file. 

German_Cruz
Contributor

Thanks!!
I'm reviewing the information (custom indicator file) and testing.

The problem I see is that I can't use willdcards (and that's what I need to use willcards). Or a list of words contained in the sender's address.

Example:
[email protected] -> priscila1987@*.eagletrust.land  

[email protected]  -> avisodocumento566@*.vps.ovh.net

I'm wondering if I have to include all the addresses found in malicious links or if I can use some abbreviation.

Example:

hTTps://107.201.148.37.host.secureserver.net/W095s9aJaJDJg/MqMDDJgF4s36S5/6992222C6 
hTTps://107.201.148.37.host.secureserver.net/K04xcV4bOzVnIz8cyV7I/VyVUUIsOz8c5I8/69976816Z 
hTTps://107.201.148.37.host.secureserver.net/P15uRI19IBgQ1I2UXIRh1/BiBRRXpQuh61V6/4771542802D 

 

 

 

0 Kudos
the_rock
MVP Diamond
MVP Diamond

I agree with Phoneboy. I believe there are examples how to do this in threat prevenbtion admin guide.

Andy

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_ThreatPrevention_AdminGuide/...

Best,
Andy
"Have a great day and if its not, change it"

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events