Overview
In this article, you will learn how to determine why the MailEssentials Anti-Phishing (PURBL) Anti-Spam filter blocked or allowed a message as part of the troubleshooting process.
Introduction
Phishing is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal or sensitive information, such as passwords and credit card numbers. This is usually achieved by sending emails that convince the recipient to visit a malicious website by clicking on the URI in the message.
The Anti-Phishing plug-in checks email messages for URIs to known phishing sites and keywords and blocks such emails. However, there may be scenarios where customers open support requests wanting to understand why the plug-in blocked or allowed specific messages against their expectations.
The next steps outline the troubleshooting process to determine the reason behind the actions taken by the Anti-Phishing plug-in:
- Prerequisites
- An email was blocked by the Anti-Phishing filter
- An email was allowed by the Anti-Phishing filter
Prerequisites
- Find the Message-ID of the email in question, either by obtaining it from the headers of the message itself or by looking it up in the MailEssentials Dashboard > Logs > Details tab. Refer to the linked article on Reading Email Headers for more information on extracting the Message-ID.
- With tracing enabled, navigate to ..\GFI\MailEssentials\AntiSpam\DebugLogs and locate the log file for the Anti-Phishing module. The log file name is ase_purbl.gfi_log.txt
- This is the debug log for the Anti-Phishing Module and corresponds to the GFI MailEssentials > Anti-Spam > Anti-Spam Filters > Anti-Phishing on the configuration UI as well as the phishing_keywords table in config.mdb.
- Open the debug log file in a text editor and search for the Message-ID obtained in step 1.
- Refer to the scenarios below to determine the reasons behind the action taken by the Anti-Phishing module. Pay close attention to the lines called out in each scenario to understand what happened and why. When the module is enabled, the log first shows the configuration that was loaded:
Purbl AP Status: [Enabled]
Purbl (Keywords) AP Status: [Enabled]
Purbl (Blocklist) AP Status: [Enabled]
Purbl (Blocklist) Path: [L:\Program Files (x86)\GFI\MailEssentials\Antispam\Data\blocklist.db]
Purbl (Blocklist) CacheTTL: [345600000]
Phishing Keyword [paypal] - List of keywords used by the module
Preparing to load Antiphishing data ...
Anti-Phishing data is up-to-date
If the module is disabled, the log file will indicate:
Purbl (Keywords) AP Status: [Disabled]
Purbl (Blocklist) AP Status: [Disabled]
Phishing Keywords Check [disabled]
Once you establish that the Anti-Phishing configuration was loaded, use the examples below to interpret and determine why the message was either blocked or allowed:
An email was blocked by the Anti-Phishing filter:
The plug-in performs two checks:
First check:
The email is blocked by the PURBL module if the following conditions are all true:
- Any part of the MIME FROM of the email is found in the PURBL keyword list. Normally, phishing emails try to fake an email address used by the targeted legitimate company.
- Any part except the hostname of the URLs in the message body is found in the PURBL keyword list.
Take, for example, an email with the following details:
- MIME Sender: newsletters@ebay.de
- URL: http://pics.ebaystatic.com/aw/pics/myemails/R201.../images/logo_paypal.gif
In this case, two terms (‘ebay’ and ‘paypal’) are found in the phishing_keywords table.
If the URL in the example was www.ebay.com/page.html, the email would not have been blocked, since the keyword would have been found in the hostname part of the URL.
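The two conditions of the first check, modelled as an added Python example (not GFI's code): the keyword list is constructed from the two terms the article names, and the exact matching rules of the real module are assumed.

```python
from urllib.parse import urlsplit

# Constructed keyword list; the article states 'ebay' and 'paypal' are in phishing_keywords
PHISHING_KEYWORDS = ["ebay", "paypal"]

def keyword_hits(text, keywords):
    """Keywords found anywhere in text, case-insensitively ('any part of' the field)."""
    low = text.lower()
    return [k for k in keywords if k.lower() in low]

def non_host_parts(url):
    """Everything in the URL except the hostname: path, query and fragment."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return " ".join(p for p in (parts.path, parts.query, parts.fragment) if p)

def first_check(mime_from, urls, keywords=PHISHING_KEYWORDS):
    """Model of the first PURBL check: block only when a keyword occurs in the MIME From
    AND a keyword occurs in a URL outside its hostname. Returns (blocked, from_hits, spammy)."""
    from_hits = keyword_hits(mime_from, keywords)
    if not from_hits:  # both conditions must hold; a clean sender ends the check
        return False, [], []
    spammy = [u for u in urls if keyword_hits(non_host_parts(u), keywords)]
    return bool(spammy), from_hits, spammy
```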
Below is the logging information that is generated when a message is blocked because of the first check explained above:
"ase_purbl","MIME Sender: newsletters@ebay.de"
"ase_purbl","URLs Extracted [72]"
"ase_purbl","Phishing Keywords Check [enabled]"
"ase_purbl","Phishing Blocklist Check [enabled]"
"ase_purbl","Phishing keyword found in mime from ..."
"ase_purbl",">> spammy: [http://pics.ebaystatic.com/aw/pics/myemails/R201.../images/logo_paypal.gif]"
"ase_purbl","Spam detection result: [AP Keywords: detected] [AP Blocklist: not detected]"
"ase_purbl","Setting actions data ..."
"ase_purbl","Informing ASE [2]..."
"ase_purbl","Setting block report to: 'Message is a scam email phishing '"
The list of keywords is loaded from the phishing_keywords table in the config.mdb DB file and can also be edited from the Anti-Phishing filter configuration:
- Open the MailEssentials Configuration UI
- Navigate to Anti-Spam > Anti-Phishing
- Open the Keywords tab.
- Add, update or remove the keywords present in the list.
Second check:
If the first check does not block the message, the Anti-Phishing module will retrieve all the URLs from the message body, and, after stripping the URL of data that is not important for the check, the URL is encoded.
The encoded URL is checked against a database of encoded hashes for phishing URIs. This is a 3rd party database from NetCraft (https://www.netcraft.com/). The database is found in the Data directory, is called blocklist.db, and is updated often, approximately once every 10 minutes.
An advanced algorithm is used to hash the encoded URL, and the resulting hash is checked against the entries in the PURBL database. If a match is found, the email is blocked; more than one match can be found in the database.
The following logging is created by the second check as seen in the ase_purbl.gfi_log.txt:
"ase_purbl",">> Init Message [<SRVEXSMTP2W5k1Ed28k00000988@mail.eniaspa.it>]"
"ase_purbl","Context Refreshed: No"
"ase_purbl","Licensing check: Licensed"
"ase_purbl","<< Message Initialization"
"ase_purbl",">> Message Processing Block"
"ase_purbl","MIME Sender: support@cartasi.it"
"ase_purbl","[0x97864e0] _revision [253294] "
"ase_purbl","Scanning HTML body part"
"ase_purbl",">>"
"ase_purbl","MimeEntity Info => CTYPE: [text/html], CSET: [Windows-1251], LEN: [3268]"
"ase_purbl","Internationalized stream length: 6536"
"ase_purbl","Bytes read [6536]"
"ase_purbl","URLs Extracted [7]"
"ase_purbl","Phishing Keywords Check [enabled]"
"ase_purbl","Phishing Blocklist Check [enabled]"
"ase_purbl","[http://www.cartasi.in/CartaSi2.jpg] [65267] hpts: 3 pats: 1"
"ase_purbl",">> spammy: [http://www.cartasi.in/CartaSi2.jpg]"
"ase_purbl","<<"
"ase_purbl","Spam detection result: [AP Keywords: not detected] [AP Blocklist: detected]"
"ase_purbl","Setting actions data ..."
"ase_purbl","Informing ASE [2]..."
"ase_purbl","Setting block report to: 'Message is a scam email phishing'"
The line [http://www.cartasi.in/CartaSi2.jpg] [65267] hpts: 3 pats: 1 indicates the following:
- PURBL has just checked the URL http://www.cartasi.in/CartaSi2.jpg
- The PURBL blocklist.db has 65267 entries.
- The URL that has been checked has three parts (divided by dots "."). This is shown by hpts: 3.
- PURBL (the Anti-Phishing filter) has found one match in the database, indicated by pats: 1.
- You can also get a hit on the cache, which is represented by a log entry similar to:
Cache hit for URL [www.lendingtree.com][LS:432858046]
- Keywords can be removed from the Anti-Phishing filter in the configuration, or alternatively an email can be whitelisted to exclude it from the Anti-Phishing checks. The cache and blocklist, however, are not configurable.
An email was allowed by the Anti-Phishing filter:
When an email is allowed by the Anti-Phishing filter, the log shows details similar to the following, signaling that PURBL (the Anti-Phishing filter) has found no matches in the database:
"ase_purbl",">> Message Processing Block"
"ase_purbl","MIME Sender: info@londondirect-jp.com"
"ase_purbl","[0x12999dd8] _revision [574268] "
"ase_purbl","Scanning TEXT body part"
"ase_purbl",">>"
"ase_purbl","MimeEntity Info => CTYPE: [text/plain], CSET: [UTF-8], LEN: [5200]"
"ase_purbl","Internationalized stream length: 10344"
"ase_purbl","Bytes read [10344]"
"ase_purbl","CModuleContext::ExtractUrls() <<"
"ase_purbl","Waiting 5 minutes on threads"
"ase_purbl","Done waiting...extracting unique urls..."
"ase_purbl","Found unqiue url [jp.com/link]"
"ase_purbl","Found unqiue url [http://www.lo]"
"ase_purbl","Found [2] Unique Urls"
"ase_purbl","CModuleContext::ExtractUrls() >>"
"ase_purbl","URLs Extracted [2]"
"ase_purbl","Phishing Keywords Check [enabled]"
"ase_purbl","Phishing Blocklist Check [enabled]"
"ase_purbl","Checking URL [http://www.lo]"
"ase_purbl","[http://www.lo] [91089] hpts: 2 pats: 0"
"ase_purbl","Checking URL [jp.com/link]"
"ase_purbl","[jp.com/link] [91089] hpts: 1 pats: 0"
"ase_purbl","<<"
"ase_purbl","Scanning HTML body part"
"ase_purbl",">>"
"ase_purbl","MimeEntity Info => CTYPE: [text/html], CSET: [UTF-8], LEN: [6864]"
"ase_purbl","Internationalized stream length: 13728"
"ase_purbl","Bytes read [13728]"
"ase_purbl","CModuleContext::ExtractUrls() <<"
"ase_purbl","Waiting 5 minutes on threads"
"ase_purbl","Done waiting...extracting unique urls..."
"ase_purbl","Found unqiue url [jp.com/link]"
"ase_purbl","Found unqiue url [http://www.lo]"
"ase_purbl","Found [2] Unique Urls"
"ase_purbl","CModuleContext::ExtractUrls() >>"
"ase_purbl","URLs Extracted [2]"
"ase_purbl","Phishing Keywords Check [enabled]"
"ase_purbl","Phishing Blocklist Check [enabled]"
"ase_purbl","Checking URL [http://www.lo]"
"ase_purbl","[http://www.lo] [91089] hpts: 2 pats: 0"
"ase_purbl","Checking URL [jp.com/link]"
"ase_purbl","[jp.com/link] [91089] hpts: 1 pats: 0"
"ase_purbl","<< "
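To read the blocked and allowed blocks above quickly, here is an added Python helper (not part of this article or of the product) that isolates one Message-ID's processing block in ase_purbl.gfi_log.txt and summarises which check fired. The embedded log excerpt is constructed from the samples above; the second Message-ID is hypothetical.

```python
import csv
import io
import re
# Constructed excerpt in the ase_purbl.gfi_log.txt format; the second Message-ID is
# hypothetical, every other value is copied from the samples in the article.
SAMPLE_LOG = '''"ase_purbl",">> Init Message [<SRVEXSMTP2W5k1Ed28k00000988@mail.eniaspa.it>]"
"ase_purbl","MIME Sender: support@cartasi.it"
"ase_purbl","[http://www.cartasi.in/CartaSi2.jpg] [65267] hpts: 3 pats: 1"
"ase_purbl",">> spammy: [http://www.cartasi.in/CartaSi2.jpg]"
"ase_purbl","Spam detection result: [AP Keywords: not detected] [AP Blocklist: detected]"
"ase_purbl",">> Init Message [<msg-2@example.invalid>]"
"ase_purbl","MIME Sender: info@londondirect-jp.com"
"ase_purbl","Cache hit for URL [www.lendingtree.com][LS:432858046]"
"ase_purbl","[http://www.lo] [91089] hpts: 2 pats: 0"
"ase_purbl","[jp.com/link] [91089] hpts: 1 pats: 0"
'''
# "[url] [blocklist.db entries] hpts: <host parts> pats: <matches>" and the verdict line
URL_RE = re.compile(r"^\[(?P<url>[^\]]+)\] \[(?P<n>\d+)\] hpts: (?P<h>\d+) pats: (?P<p>\d+)$")
RESULT_RE = re.compile(r"Spam detection result: \[AP Keywords: ([^\]]+)\] \[AP Blocklist: ([^\]]+)\]")

def message_block(log_text, message_id):
    """Messages logged between the Init line naming message_id and the next Init line."""
    msgs = [row[1] for row in csv.reader(io.StringIO(log_text)) if len(row) > 1]
    starts = [i for i, m in enumerate(msgs) if m.startswith(">> Init Message [")]
    for k, start in enumerate(starts):
        if message_id in msgs[start]:
            end = starts[k + 1] if k + 1 < len(starts) else len(msgs)
            return msgs[start + 1:end]
    return []

def explain(log_text, message_id):
    """Summarise which PURBL check fired (or did not) for one Message-ID."""
    rep = {"sender": None, "keyword_in_from": False, "spammy": [], "cache_hits": [],
           "url_checks": [], "result": None}
    for msg in message_block(log_text, message_id):
        if msg.startswith("MIME Sender: "):
            rep["sender"] = msg.split(": ", 1)[1]
        elif msg.startswith("Phishing keyword found in mime from"):  # first check
            rep["keyword_in_from"] = True
        elif msg.startswith(">> spammy: ["):
            rep["spammy"].append(msg[len(">> spammy: ["):-1])
        elif msg.startswith("Cache hit for URL ["):
            rep["cache_hits"].append(msg[len("Cache hit for URL ["):].split("]")[0])
        elif (m := URL_RE.match(msg)):  # second check: blocklist.db lookup per URL
            rep["url_checks"].append({"url": m["url"], "db": int(m["n"]), "hpts": int(m["h"]), "pats": int(m["p"])})
        elif (m := RESULT_RE.search(msg)):
            rep["result"] = {"keywords": m[1], "blocklist": m[2]}
    # No result line is logged when neither check detected anything (message allowed)
    rep["blocked"] = rep["result"] is not None and "detected" in rep["result"].values()
    return rep
```

Run explain() on the real log text with the Message-ID from the Prerequisites step; a non-zero pats value or a spammy line pinpoints the URL that caused the block.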