Email, Spam Control, URL defense, re-writing

In an effort to reduce the occurrence of malicious URLs for our Campus email customers, Technical Services has implemented Proofpoint's Targeted Attack Protection (TAP) service. This service verifies the URLs in email are not malicious and then it rewrites the URL to reflect it has been verified by our Spam Control service.

How does it work?

This service automatically scans incoming email for hyperlinks and rewrites them with special URLs. These new URLs allow Proofpoint to check the original URL before actually sending the reader to that web page. 

If Proofpoint checks the intended web page and discovers that it is being used for malicious purposes such as phishing scams or delivering malware, the email reader will not be taken to the malicious web page. They will instead see a message saying that the web page was malicious and blocked.

The most noticeable piece of this service is the URL labelling. All rewritten links will have the website's domain added in square brackets after the link to show where the link points to. After clicking on a rewritten link, web pages should load with little or no noticeable delay — unless, of course, the link was to a malicious web page in which case it will be blocked.

This will only affect email passing through the Campus Email Relays from outside the University of Illinois. Email sent from @illinois.edu to @illinois.edu accounts will not have the URLs rewritten.


What do rewritten hyperlinks look like?

The link text in a message will stay the same, with the domain of the URL added in square brackets as a label to alert you where the link points.

  • NEW: Updated URL Rewrite Options
    •  In the rewrite of the body and attachments, we will rewrite txt in addition to HTML.
      • Rewrite in Body - rewrites URLs in text, and/or the HTML message body
      • Rewrite in Attachment - rewrites URLs found in text and HTML attachments.

When you hover over a link that has been rewritten, you will see that https://urldefense.com/v1/url?u= has been added to the beginning of the link and a string of letters and numbers have been added after the link. To hover place your cursor over a link without clicking it.

  • NEW: The rewritten URL is much shorter with the New URL Format. 
    • The user will see a shorter version of the rewritten URL, and will see the original URL when hovering over the rewritten version. 


If a URL has been determined to malicious, and you click the URL then a campus web page will appear stating the URL was blocked.


What should I do if I click on a link and the page is blocked?

Once a page is blocked, there is nothing more that you need to do. This page will also be blocked for all other customers.

In addition, it is not necessary to report to Tech Services or the web site's administrator that the page has been blocked. However, if a page has been blocked and is not malicious, a false-positive, then please send an email to consult@illinois.edu with the details and we will review it with the vendor to determine if it's a false-positive and update the URL as needed. 

  • NEW: We took the DKIM exclusion off of this infrastructure, which means it might break DKIM certificates if you are forwarding messages to other accounts.
    • Due to DKIM verification, forwarding messages to other accounts will not be recommended. We will offer support to correct the problem if it breaks DKIM. Please send an email to consult@illinois.edu with the details

For more information see Email, Spam Control, URL defense re-writing frequently asked questions


Questions?






Keywords:TAP proofpoint defense spam user, digest   Doc ID:51024
Owner:Email Relays E.Group:University of Illinois Technology Services
Created:2015-05-01 14:00 CDTUpdated:2022-01-16 14:24 CDT
Sites:University of Illinois Technology Services
Feedback:  1   3