This article applies to:
- MailMarshal (SEG) 8.2 and above
- PhishFilter
Question:
- How do I configure and use the PhishFilter with MailMarshal?
Background:
The PhishFilter is a heuristic filter that is aimed specifically at phishing. It looks at many structural and content traits of an email, and is trained on real phishing email samples. It incorporates URLDeep, a phishing URL Classifier based on deep learning technology.
PhishFilter is implemented as a MailMarshal Category Script.
Rules to use PhishFilter are present in the MailMarshal Default Rules 10.0.5 and above. See the MailMarshal Documentation page.
PhishFilter is also provided to all MailMarshal/SEG customers using version 8.2 or above, with current maintenance.
Prerequisites:
The following files must be present in the {Install}\Config directory. These files should be present on all systems that have current product maintenance.
- XML files
  - Phishing.xml (the main category script)
  - PhishFilter.xml (regularly updated filter file)
  - URLDeepFilter.xml (settings for URLDeep)
- Other files
  - URLDeep.zip
  - DeepEvals.dll
  - Tensorflow.dll
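One way to confirm these prerequisites on a server before enabling the rule. This PowerShell script is an added example, not part of the product or the original article. The -ConfigDir parameter (your own {Install}\Config path) and the -MaxAgeDays staleness threshold for PhishFilter.xml are assumptions.

```powershell
# Added example: checks the PhishFilter prerequisite files listed in this article.
# -ConfigDir is supplied by you (the {Install}\Config directory of your installation).
# -MaxAgeDays is an assumed threshold for "regularly updated", not a vendor value.
param(
    [Parameter(Mandatory = $true)][string]$ConfigDir,
    [int]$MaxAgeDays = 30
)

$required = @(
    'Phishing.xml', 'PhishFilter.xml', 'URLDeepFilter.xml',
    'URLDeep.zip', 'DeepEvals.dll', 'Tensorflow.dll'
)

$results = foreach ($name in $required) {
    $path   = Join-Path -Path $ConfigDir -ChildPath $name
    $item   = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
    $status = 'OK'
    $detail = ''

    if (-not $item) {
        $status = 'MISSING'
    }
    elseif ($item.Length -eq 0) {
        $status = 'EMPTY'
    }
    elseif ($item.Extension -eq '.xml') {
        # Well-formedness check only; external entities are not resolved.
        try {
            $doc = New-Object System.Xml.XmlDocument
            $doc.XmlResolver = $null
            $doc.Load($item.FullName)
        }
        catch {
            $status = 'INVALID_XML'
            $detail = $_.Exception.Message
        }
    }

    # Flag a filter file that has not been refreshed within the assumed window.
    if ($status -eq 'OK' -and $name -eq 'PhishFilter.xml' -and
        ((Get-Date) - $item.LastWriteTime).TotalDays -gt $MaxAgeDays) {
        $status = 'STALE'
        $detail = "Last written $($item.LastWriteTime.ToString('yyyy-MM-dd'))"
    }

    [pscustomobject]@{ File = $name; Status = $status; Detail = $detail }
}

$results | Format-Table -AutoSize
if ($results | Where-Object { $_.Status -ne 'OK' }) { exit 1 }
```

A non-zero exit code means at least one file is missing, empty, not well-formed XML, or older than the chosen threshold.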
Usage:
See the rules in the most recent MailMarshal Default Rules.
After Anti-Spam rules, but before Blended Threat URL-rewriting, create a category script rule that uses Phishing.xml.
- You can choose to move the messages to a quarantine folder. For example:
  Where the message is Incoming
  Where message is categorized as Phishing
  Move the message to 'Phishing' with release action 'continue processing'
- An alternative to blocking the message outright is to stamp the message with a warning. You could choose this option if false positives are a concern. The PhishFilter aggressively targets suspected phishing messages, and may occasionally flag non-phishing messages. An example rule to stamp a message is:
  Where the message is Incoming
  Where message is categorized as Phishing
  Stamp the message with 'Warn Phishing'
- The 'Warn Phishing' stamp should be applied at the top of the messages. Sample text is:
  WARNING: Please proceed with caution. This message may be a phishing attempt intended to steal your personal information. If you were not expecting this message, do not click on any links or attachments until you verify its authenticity.