Email Link Analysis - does it look at all emails?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Email Link Analysis - does it look at all emails?

L1 Bithead

I am curious to know if the organization I work at gets a blast email to 500 employee's from an external B2B marketer does the wildfire analysis get performed on all 500 identical emails or does it simply do it once knowing the email and links are identical.

12 REPLIES 12

Cyber Elite
Cyber Elite

@joecbrown 

 

As per my knowledge WF maintains trusted domain list and it will examine the external email address only once.

 

Regards

MP

Help the community: Like helpful comments and mark solutions.

L7 Applicator

Actually yes, the firewall is doing the analysis for every email. It does not really care about the url, it simply forwards it to wildfire - in batches of 200 URLs per upload or all 2 minutes - depending on which limit is hit first. About the list of trusted sites I am not sure, as theoretically there is nothing like trusted site. On every website there is the potential risk that it gets hacked and will be used to host malware or exploit kits. But at least I think, there is a timer that a website is not ddos'ed by wildfire and only scanned for example max. once per hour or day. About a local check if the urls are identical, @jdelio could you say something about this? But often the links in such mass-emails aren't identical, every link is different to track which recepient clicks on the url.

L7 Applicator

@Remo  and others.. 

From the official documentation on WildFire email analysis.. 

https://docs.paloaltonetworks.com/wildfire/9-0/wildfire-admin/wildfire-overview/wildfire-concepts/em...

 

It states:

"WildFire visits submitted links to determine if the corresponding web page hosts any exploits or displays phishing activity. A link that WildFire finds to be malicious or phishing is:

 

  • Recorded on the firewall as a WildFire Submissions log entry. The WildFire analysis report that details the behavior and activity observed for the link is available for each WildFire Submissions log entry. The log entry also includes the email header information—email sender, recipient, and subject—so that you can identify the message and delete it from the mail server, or mitigate the threat if the email has been delivered or opened.
  • Added to PAN-DB and the URL is categorized as malware.

The firewall forwards email links in batches of 100 email links or every two minutes (depending on which limit is hit first). Each batch upload to WildFire counts as one upload toward the upload per-minute capacity for the given firewall 
Firewall Forwarding Capacity by Model
 (PAN-OS 8.1, 9.0, 9.1). If a link included in an email corresponds to a file download instead of a URL, the firewall forwards the file only if the corresponding file type is enabled for WildFire analysis."
 
I hope this helps a little.. 
 
LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

L7 Applicator

@jdelio My question was more about if the firewall already does a local check for the urls? Or does it - in the case like in this topic - upload 500 times exactly the same URL to wildfire if there are 500 incoming emails with this one URL?

@Remo That is what I am trying to understand as well.  If 500 people in my organzition all receive the same email with the same url http://www.website.com/page123.  Is that URL submitted 500 times and scanned 500 times or does it scan that URL once?

L7 Applicator

@joecbrown and @Remo 

When there are 500 of the exact same link.. I  would like to think that it would count them as one, but I will ask the experts about this and see what they are able to tell me. 

I will respond as soon as I have an answer.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

OK, @joecbrown , @Remo  and everyone else.. found the info.. 

Actually I was able to get the details from people who looked at the code, and other detailed info.. and it looks like there will be 500, because each one comes from a different email header and we produce separate reports with the specific session information associated with the SMTP, IMAP or POP3 session. So, all links are sent to the cloud at this time, duplicate or not.

 

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

Thanks @jdelio

This makes sense, as the URL is only one of the different attributes contained in wildfire report.

@jdelio 

 

Many thanks for this great info!

 

Regards

MP

Help the community: Like helpful comments and mark solutions.


@jdelio wrote:

So, all links are sent to the cloud at this time, duplicate or not.

 


Hmn ... what if now all these attributes are the same? Either if the same email really was sent 500 times or if the same email was sent to 500 recipients in bcc. In this case the firewall would only show the actual recipient in the to field of the email but nothing about bcc. But I assume even then there it will be forwarded to wildfire 500 times.

Thank you!

Yes @Remo , it would seem that it treats them individually, so yes, 500 links to WildFire.. In batches of 100.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!
  • 7655 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!