HOWTO: Using PhishFilter with MailMarshal

Expand / Collapse

This article applies to:

  • MailMarshal (SEG) 8.2 and above
  • PhishFilter 


  • How do I configure and use the PhishFilter with MailMarshal?


The PhishFilter is a heuristic filter that is aimed specifically at phishing. It looks at many structural and content traits of an email, and is trained on real phishing email samples. It incorporates URLDeep, a phishing URL Classifier based on deep learning technology.

PhishFilter is implemented as a MailMarshal Category Script.

Rules to use PhishFilter are present in the MailMarshal 10.0.5 Default Rules. See the MailMarshal Documentation page.

PhishFilter is also provided to all MailMarshal/SEG customers using version 8.2 or above, with current maintenance.


The following files must be present in the {Install}\Config directory. These files should be present on all systems that have current product maintenance.

  • XML files
    • Phishing.xml (the main category script)
    • PhishFilter.xml (regularly updated filter file)
    • URLDeepFilter.xml (settings for URLDeep)
  • Other Files
    • URLDeep.zip
    • DeepEvals.dll
    • Tensorflow.dll


See the rules in the MailMarshal 10.0.5 Default Rules.

After Anti-Spam rules, but before Blended Threat URL-rewriting, create a category script rule that uses Phishing.xml

  • You can choose to move the messages to a quarantine folder. For example:

    Where the message is Incoming
    Where message is categorized as Phishing
    Move the message to 'Phishing' with release action 'continue processing'
  • An alternative to blocking the message outright is to stamp the message with a warning. You could choose this option if false positives are a concern. The PhishFilter aggressively targets suspected phishing messages, and may occasionally flag non-phishing messages. An example rule to stamp a message is:

    Where the message is Incoming
    Where message is categorized as Phishing
    Stamp the message with 'Warn Phishing'

  • The 'Warn Phishing' stamp should be applied at the top of the messages. Sample text is:

    WARNING: Please proceed with caution. This message may be a phishing attempt intended to steal your personal information. If you were not expecting this message, do not click on any links or attachments until you verify its authenticity.

To contact Trustwave about this article or to request support:

Rate this Article:

Add Your Comments

Comment submission is disabled for anonymous users.
Please send feedback to Trustwave Technical Support or the Webmaster