Phish Blocker

From Edge Threat Management Wiki - Arista


About Phish Blocker

Phish Blocker protects users from phishing attacks delivered over email (SMTP). It inspects messages for fraudulent email, also known as phish. A phishing email attempts to acquire sensitive information such as passwords and credit card details by masquerading as a trustworthy person or business in an apparently official electronic communication.


This section reviews the different settings and configuration options available for Phish Blocker.


This displays the current status and some statistics.


These settings apply only to the scanned SMTP messages.

  • Scan SMTP: This enables or disables SMTP scanning.
  • Action: The action taken on the message if the Spam Score is high enough.
    If set to Mark, "[Phish]..." will be prepended to the email subject line and the message will be delivered.
    If set to Pass, the message will be delivered as originally sent.
    Drop will inform the sending server that the mail was successfully delivered, but NG Firewall will drop the mail so it is never delivered.
    Quarantine will send the mail to the users' email quarantine for them to release or delete as they see fit. For more information, refer to Quarantine.


The Reports tab provides a view of all reports and events for all traffic handled by Phish Blocker.


This application's reports can be accessed via the Reports tab at the top or the Reports tab within the settings. All pre-defined reports will be listed along with any custom reports that have been created.

Reports can be searched and further refined using the time selectors and the Conditions window at the bottom of the page. The data used in the report can be obtained from the Current Data window on the right.

Pre-defined report queries:

The tables queried to render these reports:

Related Topics

Spam Blocker

Spam Blocker Lite

Phish Blocker FAQs

How can I exempt email addresses from Phish Blocker scanning?

The From-Safe List at Config > Email > From-Safe List is respected by Phish Blocker; it will pass any emails entered there in either Global or User-based safelists.

Where can I get more information on phish filtering for the web?

Phish Blocker leverages Google's Phishing Protection protocol; more information on it is available here.

How do I stop sending daily Quarantine Digests?

Use the Send Daily Quarantine Digest Emails setting at Config > Email > Quarantine.

Why are users not receiving a Quarantine Daily Digest?

Verify your email configuration at Config > Email and make sure they receive the test email. If they do not, you can check the mailer log on the NG Firewall to see if there was an error; the file is /var/log/exim4/mainlog.
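To triage the mailer log mentioned above, the following added example (not part of the original wiki or of NG Firewall) summarises failed and deferred deliveries per recipient. It assumes Exim's default main log layout; the function name and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: list failed (**) and deferred (==) deliveries per recipient.
# Assumes Exim's default main log layout: DATE TIME MSGID FLAG ADDRESS ...
# "**" marks a permanent failure (bounce); "==" marks a temporary deferral.

# exim_delivery_problems LOGFILE [RECIPIENT_SUBSTRING]  (hypothetical helper name)
exim_delivery_problems() {
    awk -v want="$2" '
        $4 == "**" || $4 == "==" {
            addr = $5
            if (want != "" && index(addr, want) == 0) next
            key = addr " " (($4 == "**") ? "failed" : "deferred")
            count[key]++
            # Keep the most recent reason: the text after the address field.
            reason = $0
            sub(/^[^ ]+ [^ ]+ [^ ]+ [^ ]+ [^ ]+ ?/, "", reason)
            last[key] = $1 " " $2 " " reason
        }
        END {
            for (k in count) printf "%s x%d last: %s\n", k, count[k], last[k]
        }
    ' "$1" | sort
}

# Constructed sample log (not real data); on the appliance, pass
# /var/log/exim4/mainlog instead.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
2024-05-01 06:00:01 1s1AbC-0001xY-2q <= root@fw.example.com U=root P=local S=2143
2024-05-01 06:00:02 1s1AbC-0001xY-2q => alice@example.com R=dnslookup T=remote_smtp H=mail.example.com [192.0.2.10] C="250 OK"
2024-05-01 06:00:02 1s1AbC-0001xY-2q Completed
2024-05-01 06:00:03 1s1AbD-0001xZ-3r == bob@example.com R=dnslookup T=remote_smtp defer (110): Connection timed out
2024-05-01 06:00:04 1s1AbE-0001y0-4s ** carol@example.com R=dnslookup T=remote_smtp H=mail.example.com [192.0.2.10]: SMTP error from remote mail server after RCPT TO:<carol@example.com>: 550 No such user
2024-05-01 06:30:03 1s1AbD-0001xZ-3r == bob@example.com R=dnslookup T=remote_smtp defer (110): Connection timed out
EOF

exim_delivery_problems "$sample"
```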

Why can't my off-site users get their Quarantine Digests?

The most common reason is that the Quarantine Digest has a URL with a private IP while they need a URL with a public IP. You'll need to verify a few settings:

  1. Under Config > Administration, make sure that Enable Outside HTTPS Administration is checked.
  2. Under Config > Administration > Public Address, choose Use Hostname or Use Manually Specified IP as appropriate.
  3. If using Use Hostname, make sure your hostname is properly configured and publicly resolvable at Config > Networking > Hostname. If you're using a Dynamic IP, it's recommended to set up Dynamic DNS on the same page.

What happens to email when the recipient is not on the quarantinable address list?

If you removed the wildcard and manually created a quarantinable address list, the Spam Blocker passes the email but marks it as [Spam] for recipients that are not on the list.

What will happen if my rules are set to quarantine but the receiver's address cannot be quarantined?

The Quarantinable Addresses rules take precedence over the actions for email rules. In this situation, the email would be marked rather than quarantined.

Can I have NG Firewall drop mail that is not to valid users?

No, as NG Firewall does not have a list of valid emails for your site. It is suggested that you configure your email server to not accept mail for invalid users. This is the default for almost all mail servers except Microsoft Exchange - the links below are instructions on how to configure your email server.

Why is mail not passing between my Exchange servers?

The NG Firewall forces Extended SMTP (ESMTP) to fall back to SMTP so that emails in transit can be scanned. It enforces this by transparently rewriting the "EHLO" command to "HELO" and stripping the appropriate keywords. When two Exchange servers are set up such that they require ESMTP communication, all communications between them will fail.

This can be fixed by adding a Bypass Rule for communication between the servers.