Hi,
Proofpoint has a small Python script:
https://help.proofpoint.com/Threat_Insight_Dashboard/Concepts/How_do_I_decode_a_rewritten_URL%3F
that can be used to decode URLs that they mangle.
It could be adapted to filter incoming messages so that you'd never have
to see proofpoint mangled links. I use a "display-filter" in alpine
(Thunderbird also supports filters) to unmangle Microsoft safelinks
mangled URLs.
It doesn't take a lot of imagination to see that training users to click
on complicated-looking URLs without thought (because they're safe!) can
only end badly. Eventually, some organization is going to lose a lot of
money becuase of a phishing attack made possible by the use of these URL
manglers.
Cheers,
Ron
--
If you are not part of the solution, you are part of the precipitate.
<begin pgp signed message to disable safelinks/>
On Wed, 25 Jul 2018, Maarten wrote:
> Date: Wed, 25 Jul 2018 12:55:43 +0000
> From: Maarten <[log in to unmask]>
> To: scientific-linux-users <[log in to unmask]>
> Cc: [log in to unmask]
> Subject: Re: Re: SPAM: proofpoint.com URLs in sl-users messages
>
> Ended up in my spam box as well
>
>
>
> On Tue, Jul 24, 2018 at 19:40, Denice <[log in to unmask]> wrote:
> On Tue, 24 Jul 2018, Glenn Cooper wrote:
>
> Dear Scientific Linux users,
>
> You may have noticed recently that URLs in messages to the
> [log in to unmask] mailing list are often converted to a longer
> version where the original URL is routed through "urldefense.proofpoint.com",
> e.g.,
>
> https://urldefense.proofpoint.com/v2/url?u=https-3A__bugzilla.mozilla.org_show-5Fbug.cgi-3Fid-3D1278282&d=DwIBAg&c=gRgGjJ3BkIsb5y6s49QqsA&r=Z
> Sgt1f7kW9G8-9f6VpdMqA&m=GNVwbRVdMb0OHea3YcT932r9X96HOwQvQqu1TZ4KG5k&s=YJv_zN6hJ20hObNHTC9szZwF56XooQ5-FHJCgYt00cg&e=
>
> This is an anti-phishing measure adopted by Fermilab. URLs in mail messages
> are automatically rewritten to go through a service that checks against known
> malicious sites, then either blocks the attempt or routes to the original
> address. Although these links look odd, they are legitimate, and you will
> get to the intended sites if you follow them.
>
>
>
> This message showed up in my inbox tagged as SPAM .. so I am not
> sure how this is an improvement.
>
> cheers, etc.
> --
> Denice Deatrich, TRIUMF/Science/ATLAS Ph: +1 604 222 7665
> <*> This moment's fortune cookie:
> Ban the bomb. Save the world for conventional warfare.
>
>
>
|