https://live.paloaltonetworks.com/t5/general-topics/tons-of-quot-generic-lt-url-gt-hits-in-threat-logs-for-dns-query/m-p/382366#M89841 <P>Hi Guys,</P><P>&nbsp;</P><P>I am seeing a ton of "generic:&lt;random-url&gt;" hits in my threat logs under the spyware category for DNS queries from my email spam filter server out to the world. I have DNS security set up on the Palo so they are being sinkholed, but there are a ton of them, and several dozen different URL's.&nbsp; The spam filter uses a proprietary software so it's unlikely it is infected. I suspect the queries are being made from the URL's being placed in the emails themselves. Wondering if anyone has seen this or can explain? These can't all be malicious URL's my users are referencing in their emails can they?&nbsp; Here's a small example:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dromanelli_0-1611763278220.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/29688i1FD81E6817C9A09D/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="dromanelli_0-1611763278220.png" alt="dromanelli_0-1611763278220.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 27 Jan 2021 16:01:26 GMT dromanelli 2021-01-27T16:01:26Z https://live.paloaltonetworks.com/t5/general-topics/tons-of-quot-generic-lt-url-gt-hits-in-threat-logs-for-dns-query/m-p/382366#M89841 <P>Hi Guys,</P><P>&nbsp;</P><P>I am seeing a ton of "generic:&lt;random-url&gt;" hits in my threat logs under the spyware category for DNS queries from my email spam filter server out to the world. I have DNS security set up on the Palo so they are being sinkholed, but there are a ton of them, and several dozen different URL's.&nbsp; The spam filter uses a proprietary software so it's unlikely it is infected. I suspect the queries are being made from the URL's being placed in the emails themselves. Wondering if anyone has seen this or can explain? These can't all be malicious URL's my users are referencing in their emails can they?&nbsp; Here's a small example:</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="dromanelli_0-1611763278220.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/29688i1FD81E6817C9A09D/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="dromanelli_0-1611763278220.png" alt="dromanelli_0-1611763278220.png" /></span></P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 27 Jan 2021 16:01:26 GMT https://live.paloaltonetworks.com/t5/general-topics/tons-of-quot-generic-lt-url-gt-hits-in-threat-logs-for-dns-query/m-p/382366#M89841 dromanelli 2021-01-27T16:01:26Z https://live.paloaltonetworks.com/t5/general-topics/tons-of-quot-generic-lt-url-gt-hits-in-threat-logs-for-dns-query/m-p/382635#M89870 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/141381">@dromanelli</a>,</P> <P>I would expect this on an email security gateway to be honest. The number of DNS requests an email security gateway will make is dependent on mailflow, but they'll all generally resolve the source domain email was sent from, and a lot of them will resolve any domain that they see come across in a message. So all of the spam and phishing messages that you receive are likely going to be triggering alerts for all of those as well.&nbsp;</P> Thu, 28 Jan 2021 16:55:41 GMT https://live.paloaltonetworks.com/t5/general-topics/tons-of-quot-generic-lt-url-gt-hits-in-threat-logs-for-dns-query/m-p/382635#M89870 BPry 2021-01-28T16:55:41Z