Documentation | Support

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Working with Filters and Policies > Managing filters > Creating and configuring a filter > URL analysis
URL analysis
Administrator Help | Forcepoint Email Security | Version 8.5.x
URL analysis examines email content for embedded URLs and classifies them according to a Forcepoint database of known spam URLs. When the filter detects a URL in a message from a selected category, it applies any configured filter response, such as removing the URL or modifying the URL to neutralize it. Configure the URL analysis filter on the page Main > Policy Management > Filters > Add (or Edit) Filter.
This filter uses one of the following services to perform URL analysis:
*
Threat Intelligence Cloud Service, the cloud-hosted Forcepoint URL Database of classified URLs.
*
Filtering Service, used to access the local copy of the Forcepoint URL Database maintained by your web security product (Forcepoint Web Security or Forcepoint URL Filtering).
*
Linking Service, used with a Forcepoint Web Security on-premises solution to access the local copy of the URL Database as well as any custom categories you have created. This service also provides dynamic category mapping updates from the database.
The Filtering Service URL analysis performance can be more efficient than the Linking Service because the Filtering Service can perform bulk URL queries, whereas the Linking Service cannot. See URL analysis for more information about selecting a URL analysis service and integrating with Forcepoint Web Security solutions.
Dashboard charts summarize the instances of embedded URLs detected by the filter. A URL Analysis message type appears in the message type or message analysis result fields in presentation reports and dashboard charts. See Available dashboard charts.
When the URL analysis filter triggers, the default action is to drop the message and save it to the spam queue, where it may be released and delivered by a Personal Email Manager user. As a result, a message that contains a malicious link may be delivered to an inbox in your network.
Multiple URL analysis policy rules can be configured to detect and contain malicious URLs so that they cannot be released by a Personal Email Manager end user. When you configure a URL Analysis filter for this case, ensure that all Security URL categories are selected in the URL Categories list. See Managing filter actions to create a URL analysis filter action for handling email that may contain a malicious URL.
* 
Note 
A filter action option of "Resume message analysis" is also available so that message analysis can continue after a URL match is detected. See Creating and configuring a filter action.
Configure URL analysis filter
1.
From the section Filter Properties, in the list URL Categories, mark the check boxes for each URL category that the filter should detect.
Expand top-level categories; click the plus sign.
Select all sub-categories in a top-level category; when the category is expanded, click select all.
Deselect all sub-categories in a top-level category; click unselect all.
Select all categories; at the top of the URL Categories list, click All Categories.
 
* 
Note 
You can configure URL analysis policy rules to detect and contain malicious URLs so that they cannot be released by a Personal Email Manager end user. Configuration requires all URL categories under Security to be selected.
See Managing filter actions for information about creating a URL analysis filter action for handling email that may contain a malicious URL.
1.
From Filter response, mark the check box for one or both of the following filter responses; Modify matching URLs and Bypass URL analysis if message size exceeds.
*
Modify matching URLs
Selection displays options for modifying and neutralizing URLs. Select the desired response and notification options when a malicious URL is detected:
*
Remove matching URLs from message subject and body.
Neutralize URLs by rewriting the scheme and bracketing the last dot of the URL domain.
Selection changes a malicious URL as follows:
Before neutralization: http://www.malicious.com.ca/index.html
After neutralization :hXXp://www.malicious.com[.]ca/index.html
*
Rewrite URLs and link text labels with custom settings.
Enter the rewritten URL in the text field Rewritten URL or leave the field blank to remove URLs.
Enter the rewritten link text label in the text field Rewritten link text label or leave the field blank to remove link text labels.
*
(Optional) From the section Options, mark the check box Notify recipient when an email contains a modified URL.
In the text box, enter the desired notification text.
Maximum length of 8192 characters total, up to 990 characters per line; a line break is two characters. The %CATEGORY% variable can be used in the notification message to inform the recipient about the specific categories triggered by the filter.
Select where the notification should appear; Insert notification at top of message or Insert notification at bottom of message.
The default location is at the top of the message.
*
Bypass URL analysis if message size exceeds.
In the text field, enter a message size in KB (default is 3072).
Selection indicates to use message size to determine whether URL analysis is bypassed.
2.
Configure additional filter settings and click OK.
The URL analysis filter is saved.
Custom URLs and link text labels
The following variables can be used to rewrite URLs and link text labels with custom settings:
*
%NURI%: neutralized URL
*
%URI%: original URL
*
Using this variable may leave potentially malicious URLs exposed.
*
%LINKTEXT%: original link text label
*
Only available for HTML links.
*
%HOST%: domain name
*
%CATEGORY%: Forcepoint URL category name
The following table details examples of HTML links, HTML text, and plain text rewritten using the available variables.
 
Sample Link
Variable
Rewritten Link
HTML link:
<a href='http://www.malicious.com/
index.php'>here</a>
%URI%
http://www.malicious.com/index.php
%NURI%
hXXp://www.malicious[.]com/
index.php
%HOST%
www.malicious.com
%CATEGORY%
Adult Material
%LINKTEXT%
here
HTML text only:
http://www.malicious.com/index.php
%URI%
http://www.malicious.com/index.php
%NURI%
hXXp://www.malicious[.]com/
index.php
%HOST%
www.malicious.com
%CATEGORY%
Adult Material
Plain text:
http://www.malicious.com/index.php
%URI%
http://www.malicious.com/index.php
%NURI%
hXXp://www.malicious[.]com/
index.php
%HOST%
www.malicious.com
%CATEGORY%
Adult Material
Remove URL and neutralize URL
The following table details examples of removed and neutralized HTML links, HTML text, and plain text using the available variables.
 
Sample Link
Remove URL
Neutralize URL
HTML link:
<a href='http://www.malicious.com/
index.php'>here</a>
<a href=''''>here</a>
<a href=''hXXp://www.
malicious[.]com/
index.php''>here</a>
HTML text only:
http://www.malicious.com/index.php
 
hXXp://www.malicious[.]
com/index.php
Plain text:
http://www.malicious.com/index.php
 
hXXp://www.malicious[.]
com/index.php
Customize URL and customize link text
The following tables detail examples of customized HTML links, HTML text, and plain text using the variables %URI% or %LINKTEXT%. URLs and link text labels are removed when the text fields Rewritten URL or Rewritten link text label are left blank.
Keep original URL and keep link text
 
Sample Link
Customized URL
Customized Link Text
Result
HTML link:
<a href='http://www.
malicious.com/index.php'>here</a>
%URI%
%LINKTEXT%
<a href=''http://www.
malicious.com/
index.php''>here</a>
HTML text only:
http://www.malicious.com/index.php
%URI%
%LINKTEXT%
http://www.malicious.
com/index.php
Plain text:
http://www.malicious.com/index.php
%URI%
%LINKTEXT%
http://www.malicious.
com/index.php
Neutralize URL and keep link text
 
Sample Link
Customized URL
Customized Link Text
Result
HTML link:
<a href='http://www.
malicious.com/index.php'>here</a>
%NURI%
%LINKTEXT%
<a href=''hXXp://www.
malicious[.]com/
index.php''>here</a>
HTML text only:
http://www.malicious.com/index.php
%NURI%
%LINKTEXT%
hXXp://www.malicious
[.]com/index.php
Plain text:
http://www.malicious.com/index.php
N%URI%
%LINKTEXT%
hXXp://www.malicious
[.]com/index.php
Customize URL and customize link text
 
Sample Link
Customized URL
Customized Link Text
Result
HTML link:
<a href='http://www.
malicious.com/index.php'>
here</a>
http://www.
urlEducation.com/
index.php
Original link belonging to
%CATEGORY% is malicious
<a href-
=''http://www.
urlEducation.com/
index.php''>
original link belonging
to Adult
Material is malicious</
a>
HTML text only:
http://www.malicious.com/
index.php
http://www.
urlEducation.com/
index.php
Original link belonging to %CATEGORY% is malicious
http://www.
urlEducation.com/
index.php
Plain text:
http://www.malicious.com/
index.php
http://www.
urlEducation.com/
index.php
Original link belonging to %CATEGORY% is malicious
http://www.
urlEducation.com/
index.php
Remove URL and keep link text
 
Sample Link
Customized Link Text
Result
HTML link:
<a href='http://www.malicious.com/
index.php'>here</a>
%LINKTEXT%
<a href=''''> here</a>
HTML text only:
http://www.malicious.com/index.php
%LINKTEXT%
 
Plain text:
http://www.malicious.com/index.php
%LINKTEXT%
 
Customize URL and keep link text
 
Sample Link
Customized URL
Customized Link Text
Result
HTML link:
<a href='http://
www.malicious.com/
index.php'>here</a>
http://www.
urlEducation.com/index.php
%LINKTEXT%
<a href=''http://www.
urlEducation.com/
index.php''>here</a>
HTML text only:
http://www.malicious.com/index.php
http://www.
urlEducation.com/index.php
%LINKTEXT%
http://www.
urlEducation.com/
index.php
Plain text:
http://www.malicious.com/
index.php
http://www.
urlEducation.com/index.php
%LINKTEXT%
http://www.
urlEducation.com/
index.php
Remove URL and customize link text
 
Sample Link
Customized Link Text
Result
HTML link:
<a href='http://www.malicious.com/
index.php'>here</a>
original %URI% is malicious and was cleared, please be careful with this link
<a href=''''>original http://www. malicious.com/index.php is malicious and was cleared, please be careful with this link</a>
HTML text only:
http://www.malicious.com/index.php
original %URI% is malicious and was cleared, please be careful with this link
 
Plain text:
http://www.malicious.com/index.php
original %URI% is malicious and was cleared, please be careful with this link
 
Analysis of URLs in file attachments
URLs in supported attachments can be scanned and classified by the on-premises Email Security system according to the configured filter options. Classifiable URLs in attachments triggered by the filter settings are handled like any other email content by the URL analysis filter action. A file attachment that triggers the URL filter is classified as a URL analysis message. Only the first 50KB of content in the email attachment is scanned. Functionality is not available for the Email Security Hybrid module. URLs can be extracted and analyzed from within the following file types:
*
.doc
*
.docm
*
.docx
*
.pdf
*
.ppt
*
.pptx
*
.rtf
*
.txt
*
.xls
*
.xlsm
*
.xlsx

Go to the table of contents Go to the previous page Go to the next page View or print as PDF
Working with Filters and Policies > Managing filters > Creating and configuring a filter > URL analysis
Copyright 2022 Forcepoint. All rights reserved.