Untangle Phish Blocker

Untangle Phish Blocker Overview:

Identity thieves are becoming increasingly sophisticated with email and website spoofs that are nearly impossible to discern from the real thing. Phish Blocker makes it easier for administrators to:

• Protect users from email phishing attacks and fraudulent pharming websites
• Protect multiple protocols, including HTTP, SMTP, POP & IMAP
• Ensure that signatures are always current with automatic updates

Identity theft can compromise your business, and your accounts, as well as create turmoil in the lives of your employees. None-of-which is good for business.

Maintain the highest level of protection for you and your employees with our Identity Theft Blocker. This application protects your network against “phishing” attacks—emails that direct users to fraudulent websites with the intent to steal personal identity, credit card information and more.

Identity Theft Blocker marks phishing emails and puts them in a user’s quarantine. Transparent, powerful and easy to use, it requires no alteration of your network’s mail configuration.

Key Features:

• Open source & Free under the GNU General Public License (GPL)
• Block phishing email on SMTP, IMAP, and POP
• Event log of phish caught
• Reports show how many fraud emails were stopped, who they were targeting, and from where they were sent

Technical Specifications:

Identity Theft Blocker is an intelligent email filter that identifies phish—email containing fraudulent links or information stealing code. Identity Theft Blocker can scan any email that is transported by the following protocols:

• SMTP
• POP
• IMAP

What It Does

Transparently scans SMTP, POP and IMAP traffic for phish signatures

How It Does It

Based on ClamAV engine and phish signature database

Controls

• Can be configured to scan incoming and/or outgoing by traffic type
• In addition:
  • SMTP: action on detection can be set to quarantine, block, mark or pass message with or without sender notification
  • POP and IMAP: action on detection can be set to mark or pass message (the nature of POP and IMAP protocols prevent messages from being blocked or quarantined)

Screenshots:

(Enlarge Image)

Phish Blocker FAQs:

If an unwanted email (spam, phishing, etc) is received for an email address that cannot be quarantined, but my rules are set to quarantine, What happens?

The Quarantinable Addresses rules take precedence over the actions for email rules. In this situation, the email would be marked rather than quarantined.

POP and IMAP work differently than SMTP. When POP and IMAP are used, the client requests the mail when the user clicks on the email. At that point the message is downloaded from the server and scanned. Even if the application determines the message should not be passed it still must be delivered to the client because the client is waiting and will not be able to read mail unless something is delivered. As a result, only MARK is an option.

For the same reason that you can't quarantine POP/IMAP spam. The message is not scanned until it is requested by the mail client. At that point, the message (even if it is spam) must be delivered to the client to complete the transaction.

One of the characteristics of phishing emails is that they use deception to change the apparent sender of an email. Although Untangle Server can detect the email as a phishing attempt, there is no way to determine the true sender.

Not all emails (especially spam emails) have subjects. Some spammers also use tricks to cause there to be no detectable sender.

The Untangle Server forces Extended SMTP (ESMTP) to fall back to SMTP so that the transmitting emails may be scanned. When two Exchange servers are setup such that they require ESMTP communication, all communications will fail. This is enforced by transparent rewriting of the "EHLO" command to "HELO" and appropriate keywords are also stripped.

This can be avoided by adding a special policy for communication for these two servers. To do so, enter the Policy Manager, Custom Policies and add two policies to be processed by "No Rack", one from server A to server B port 25, and one from server B to server A port 25. The net effect is that any communications between these two servers will be ignored.

No. Untangle is a network gateway and is meant to be installed "in-line" with the traffic. Untangle does not store-and-forward mail. Untangle will transparently scan mail as it passes through it.

No. Untangle does not have a list of valid emails for your site. It is suggested that your configure your email server to not accept mail for invalid users. This is the default for almost all mail servers except Microsoft Exchange. The links below are instructions on how to configure your email server.

Hardware Requirements:

• The Untangle Server requires a dedicated PC installed at the gateway to your network.
• Your hardware does not need an operating system - the Untangle Server installs its own operating system.
• The Untangle Server software completely erases any content or data that may exist on your PC hard drive.

Sizing Guidance

Recommended Configurations (New Hardware)

When purchasing new hardware, spending a couple of extra dollars to meet the following recommended configurations provides the best value.

Verified Configurations (Trials, Refurbished or Repurposed Hardware)

These are the lowest verified hardware configurations that provide reliable — albeit sometimes slower — performance in production. However, it may be possible for organizations with lower than average network traffic or organizations that do not wish to use all of the modules to run Untangle on smaller systems.