This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
German_Cruz
Participant
2 weeks ago

malicious emails

Hello everyone

Every day I receive over 100 malicious emails of various types and with malicious links.

In my deployment, I have CheckPoint's MTA enabled. I've noticed that it works on links that have already been reported as malicious, but on new ones (meaning the domain or IP has been created less than 15 days ago and hasn't been reported as malicious), it doesn't remove the malicious link.

I have also created a GEO policy, to block IPs by country of origin.

To that end, I'm adding the IPs and domains to the CheckPoint anti-spam block lists.

But this activity is becoming endless.

I'd like to know if the following is possible:


• Add domains or IPs to the block lists in bulk mode
• How to block domains using patterns, for example:

www-data@consultoria02b.sueciadeorigem.cfd

“www-data”
@*. sueciadeorigem.cfd
@*. cfd
• Block based on a list of words matching the email subject, for example:

I appreciate your comments.

Regards.

Example of content email malisous

 

Olá, internal.user@mydomain.com 

Todos os relatórios financeiros foram revisados e estão prontos para serem apresentados.

Por favor, revise os relatórios e siga as orientações fornecidas para continuar com o processo.

Relatórios ref: 3078-a08797942024 21/03/2025.xlsx (0 KB)    <---- malicious link

Atenciosamente,

Antonella Lima

 

 

Example of the malicious addresses I receive:

acompanhamento@consultoria02b.cobrabrasil.sbs
central@consultoria06f.cobrabrasil.sbs
atendimento@consultoria01a.lincefrutabrasil.sbs
acompanhamento@consultoria05e.lincefrutabrasil.sbs
juridico@consultoria01a.lincebrasil.sbs
comunicacao@consultoria01a.lincebrasil.sbs
processual@consultoria04d.pinguimbrasil.sbs
juris@consultoria03c.cotiabrasil.sbs
documentos@consultoria03c.cotiabrasil.sbs
servico@consultoria03c.cotiabrasil.sbs
mensagem@consultoria03c.cotiabrasil.sbs
notificacao@consultoria02b.cotiabrasil.sbs
comunicacao@consultoria02b.cotiabrasil.sbs
oficial@consultoria02b.cotiabrasil.sbs
processo@consultoria02b.cotiabrasil.sbs
processual@consultoria02b.cotiabrasil.sbs
consulta@consultoria01a.serpentebrasil.sbs
acompanhamento@consultoria05e.serpentebrasil.sbs
registro.judicial@consultoria05e.lincebrasil.sbs
org@consultoria03c.cotiaburrabrasil.sbs
andamento@consultoria03c.cotiaburrabrasil.sbs
gestao@consultoria03c.cotiaburrabrasil.sbs
canal@consultoria03c.cotiaburrabrasil.sbs
notificacao@consultoria03c.cotiaburrabrasil.sbs
oficial@consultoria03c.cotiaburrabrasil.sbs
comunicado@consultoria03c.cotiaburrabrasil.sbs
registro.trt@consultoria01a.pinguimbrasil.sbs
comunicacao@consultoria03c.guaribabrasil.sbs
processo@consultoria03c.guaribabrasil.sbs
notificacao@consultoria05e.cotiabrasil.sbs
comunicacao@consultoria03c.lincefrutabrasil.sbs
acompanhamento@consultoria03c.lincefrutabrasil.sbs
coordenadoria@consultoria05e.serpentebrasil.sbs
controle@consultoria05e.cobrabrasil.sbs
notificacao@consultoria04d.serpentebrasil.sbs
alerta@consultoria03c.lincefrutabrasil.sbs
comunicado@consultoria02b.cotiaburrabrasil.sbs
acompanhamento@consultoria03c.cotiabrasil.sbs
informativo@consultoria03c.guaribabrasil.sbs
central.juridica@consultoria02b.guaribabrasil.sbs
coordenadoria@consultoria02b.guaribabrasil.sbs
consulta.legal@consultoria05e.lincefrutabrasil.sbs
diretoria@consultoria05e.lincefrutabrasil.sbs
info@consultoria03c.lincefrutabrasil.sbs
atendimento@consultoria03c.lincefrutabrasil.sbs
org@consultoria05e.lincefrutabrasil.sbs
documentos@consultoria03c.lincefrutabrasil.sbs
consulta.legal@consultoria01a.lincebrasil.sbs
consulta.legal@consultoria02b.pinguimbrasil.sbs
info@consultoria02b.pinguimbrasil.sbs
processual@consultoria02b.pinguimbrasil.sbs
juridico@consultoria02b.pinguimbrasil.sbs
digital@consultoria02b.pinguimbrasil.sbs
suporte.judicial@consultoria02b.pinguimbrasil.sbs
envio@consultoria04d.jacubrasil.sbs
painel@consultoria02b.pinguimbrasil.sbs
sistema@consultoria04d.jacubrasil.sbs
trt@consultoria04d.jacubrasil.sbs
canal@consultoria05e.lincefrutabrasil.sbs
portal@consultoria05e.lincefrutabrasil.sbs
consulta@consultoria05e.lincefrutabrasil.sbs
canal@consultoria03c.lincefrutabrasil.sbs
central@consultoria05e.lincefrutabrasil.sbs
consulta.legal@consultoria05e.lincebrasil.sbs
suporte@consultoria05e.lincefrutabrasil.sbs
resposta@consultoria05e.lincefrutabrasil.sbs
info@consultoria05e.lincefrutabrasil.sbs
painel@consultoria05e.lincefrutabrasil.sbs
digital@consultoria03c.lincefrutabrasil.sbs
sistema@consultoria03c.lincefrutabrasil.sbs
controle@consultoria03c.lincefrutabrasil.sbs
notificacao.trabalhista@consultoria06f.cobrabrasil.sbs
juridico@consultoria03c.lincebrasil.sbs
relatorio@consultoria03c.lincebrasil.sbs
processo@consultoria05e.jacubrasil.sbs
painel@consultoria04d.lincebrasil.sbs
comunicacao@consultoria05e.jacubrasil.sbs
boletim@consultoria05e.pinguimbrasil.sbs
institucional@consultoria06f.pinguimbrasil.sbs
aviso@consultoria02b.lincefrutabrasil.sbs
aviso@consultoria04d.serpentebrasil.sbs
oficial@consultoria02b.lincefrutabrasil.sbs
seguimento@consultoria03c.serpentebrasil.sbs
consulta@consultoria06f.cotiabrasil.sbs
coordenadoria@consultoria06f.cotiabrasil.sbs
diretoria@consultoria05e.lincebrasil.sbs
seguimento@consultoria02b.lincebrasil.sbs
registro@consultoria02b.lincebrasil.sbs

 

 

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
a week ago

You can create your own Custom Application/Site Object that can be referenced in a Threat Prevention policy.
You could also do it through a custom indicator file. 

German_Cruz
Participant
a week ago
In response to PhoneBoy

Thanks!!
I'm reviewing the information (custom indicator file) and testing.

The problem I see is that I can't use willdcards (and that's what I need to use willcards). Or a list of words contained in the sender's address.

Example:
priscila1987@dctweb35.eagletrust.land -> priscila1987@*.eagletrust.land  

avisodocumento566@vps-tem0rk67.vps.ovh.net  -> avisodocumento566@*.vps.ovh.net

I'm wondering if I have to include all the addresses found in malicious links or if I can use some abbreviation.

Example:

hTTps://107.201.148.37.host.secureserver.net/W095s9aJaJDJg/MqMDDJgF4s36S5/6992222C6 
hTTps://107.201.148.37.host.secureserver.net/K04xcV4bOzVnIz8cyV7I/VyVUUIsOz8c5I8/69976816Z 
hTTps://107.201.148.37.host.secureserver.net/P15uRI19IBgQ1I2UXIRh1/BiBRRXpQuh61V6/4771542802D 

 

 

 

0 Kudos
the_rock
Legend
Legend
a week ago

I agree with Phoneboy. I believe there are examples how to do this in threat prevenbtion admin guide.

Andy

https://sc1.checkpoint.com/documents/R80.40/WebAdminGuides/EN/CP_R80.40_ThreatPrevention_AdminGuide/...

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top