topic Re: Email Link Analysis - does it look at all emails? in General Topics

Email Link Analysis - does it look at all emails?

joecbrown — Fri, 07 Aug 2020 13:35:10 GMT

I am curious to know if the organization I work at gets a blast email to 500 employee's from an external B2B marketer does the wildfire analysis get performed on all 500 identical emails or does it simply do it once knowing the email and links are identical.

Re: Email Link Analysis - does it look at all emails?

MP18 — Fri, 07 Aug 2020 16:15:18 GMT

@joecbrown

As per my knowledge WF maintains trusted domain list and it will examine the external email address only once.

Regards

Re: Email Link Analysis - does it look at all emails?

Remo — Fri, 07 Aug 2020 18:03:30 GMT

Actually yes, the firewall is doing the analysis for every email. It does not really care about the url, it simply forwards it to wildfire - in batches of 200 URLs per upload or all 2 minutes - depending on which limit is hit first. About the list of trusted sites I am not sure, as theoretically there is nothing like trusted site. On every website there is the potential risk that it gets hacked and will be used to host malware or exploit kits. But at least I think, there is a timer that a website is not ddos'ed by wildfire and only scanned for example max. once per hour or day. About a local check if the urls are identical, @jdelio could you say something about this? But often the links in such mass-emails aren't identical, every link is different to track which recepient clicks on the url.

Re: Email Link Analysis - does it look at all emails?

jdelio — Fri, 07 Aug 2020 20:48:43 GMT

@Remo and others..

From the official documentation on WildFire email analysis..

https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-overview/wildfire-concepts/email-link-analysis

It states:

"WildFire visits submitted links to determine if the corresponding web page hosts any exploits or displays phishing activity. A link that WildFire finds to be malicious or phishing is:

Recorded on the firewall as a WildFire Submissions log entry. The WildFire analysis report that details the behavior and activity observed for the link is available for each WildFire Submissions log entry. The log entry also includes the email header information—email sender, recipient, and subject—so that you can identify the message and delete it from the mail server, or mitigate the threat if the email has been delivered or opened.
Added to PAN-DB and the URL is categorized as malware.

The firewall forwards email links in batches of 100 email links or every two minutes (depending on which limit is hit first). Each batch upload to WildFire counts as one upload toward the upload per-minute capacity for the given firewall

Firewall Forwarding Capacity by Model

(PAN-OS 8.1, 9.0, 9.1). If a link included in an email corresponds to a file download instead of a URL, the firewall forwards the file only if the corresponding file type is enabled for WildFire analysis."

I hope this helps a little..

Re: Email Link Analysis - does it look at all emails?

Remo — Sun, 09 Aug 2020 10:52:34 GMT

@jdelio My question was more about if the firewall already does a local check for the urls? Or does it - in the case like in this topic - upload 500 times exactly the same URL to wildfire if there are 500 incoming emails with this one URL?

Re: Email Link Analysis - does it look at all emails?

joecbrown — Tue, 11 Aug 2020 11:59:06 GMT

@Remo That is what I am trying to understand as well. If 500 people in my organzition all receive the same email with the same url http://www.website.com/page123. Is that URL submitted 500 times and scanned 500 times or does it scan that URL once?

Re: Email Link Analysis - does it look at all emails?

jdelio — Tue, 11 Aug 2020 14:02:04 GMT

@joecbrown and @Remo

When there are 500 of the exact same link.. I would like to think that it would count them as one, but I will ask the experts about this and see what they are able to tell me.

I will respond as soon as I have an answer.

Re: Email Link Analysis - does it look at all emails?

jdelio — Thu, 13 Aug 2020 14:48:34 GMT

OK, @joecbrown , @Remo and everyone else.. found the info..

Actually I was able to get the details from people who looked at the code, and other detailed info.. and it looks like there will be 500, because each one comes from a different email header and we produce separate reports with the specific session information associated with the SMTP, IMAP or POP3 session. So, all links are sent to the cloud at this time, duplicate or not.

Re: Email Link Analysis - does it look at all emails?

Remo — Thu, 13 Aug 2020 15:06:24 GMT

Thanks @jdelio

This makes sense, as the URL is only one of the different attributes contained in wildfire report.

Re: Email Link Analysis - does it look at all emails?

MP18 — Thu, 13 Aug 2020 15:14:24 GMT

@jdelio

Many thanks for this great info!

Regards

Re: Email Link Analysis - does it look at all emails?

Remo — Thu, 13 Aug 2020 15:22:06 GMT

@jdelio wrote:

So, all links are sent to the cloud at this time, duplicate or not.

Hmn ... what if now all these attributes are the same? Either if the same email really was sent 500 times or if the same email was sent to 500 recipients in bcc. In this case the firewall would only show the actual recipient in the to field of the email but nothing about bcc. But I assume even then there it will be forwarded to wildfire 500 times.

Re: Email Link Analysis - does it look at all emails?

joecbrown — Fri, 14 Aug 2020 11:48:19 GMT

Thank you!

Re: Email Link Analysis - does it look at all emails?

jdelio — Fri, 14 Aug 2020 14:57:03 GMT

Yes @Remo , it would seem that it treats them individually, so yes, 500 links to WildFire.. In batches of 100.