
URL is not being rewritten by Click-time URL Protection

Article ID: 163836

Products

  • Email Security.cloud
  • Email Threat Detection and Response

Issue/Introduction

The Click-time URL Protection service did not rewrite a URL that has been received by email. However, it is expected that the Click-time URL Protection service rewrites all of the URL links that are included in the body of an inbound email message.

Environment

  • Email Security.cloud
  • Click-time Protection Service

Resolution


Is the service enabled?

The first step in investigating this type of problem is to ensure that the Click-time URL Protection service is enabled in the Symantec.cloud portal. For all existing Advanced Threat Protection: Email customers, the Click-time URL Protection service is provided in a disabled state. You must enable the service for your organization either globally or on a per-domain basis.

 

Is the URL schemeless?

For example: 

  • http://www.symantecdomain.co.uk or https://www.symantecdomain.com or www.symantecdomain.co.uk will be rewritten
  • symantecdomain.com will not be rewritten.

 

Is the URL a hostname or private IP address?

By default, the Click-time URL Protection service does not rewrite URLs containing hostnames or private IP addresses such as:

  • http://localhost/
  • http://10.0.0.2/
  • http://192.168.0.2/
  • http://172.16.0.2/
     

Is the email inbound or outbound?

The Click-time URL Protection service only handles mail that is inbound to your organization. The service does not rewrite URLs in outbound mail.

 

Is the email signed by DKIM, S/MIME or PGP?

Symantec initially advised administrators not to apply click-time protection to the inbound emails that are securely signed using DKIM, S/MIME, and PGP. Rewriting the URLs changes the content of the email. This breaks encryption for the methods that expect an exact match between what is sent and what is received. Though this guidance remains in place for S/MIME and PGP, Symantec now recommends that DKIM-signed inbound emails not be excluded from URL rewriting. DKIM validation takes place at the MTA level and not at the endpoint level. This means that DKIM validation can be done before the URL is rewritten, so that the rewriting doesn’t break the validation. By contrast, because validation for both S/MIME and PGP is done on the endpoint, validation always takes place after rewriting, thus breaking encryption.

Note: Be careful to implement DKIM checking using Email Security.cloud only. You cannot perform DKIM checking on an MTA that is downstream from Email Security.cloud without breaking the signatures for the messages that contain rewritten URLs.

 

HTML email formatting may be hiding the rewritten URL

 

If your email is being displayed in HTML format, it is possible to have the text display a URL or link that is different to the actual destination URL.

For example, both of these links were successfully rewritten by the Click-time URL Protection service, but you can only view the rewritten URL when you hover your mouse pointer over the link or inspect the link's properties:

 

Is the domain whitelisted?

Advanced Threat Protection: Email customers can define a whitelist of domains that will be excluded from Click-time URL Protection processing. If you have a URL that has not been rewritten by the Click-time URL Protection service, check to ensure the domain in question is not currently on any of your organization's whitelists.

Note: When wildcard entries are used on a whitelist, there is a risk of unintentionally whitelisting certain domains.  


 

Is the recipient whitelisted?

Administrators can protect ALL users when the service is enabled, add recipient email addresses as exceptions or protect specific users. If you have a URL that has not been rewritten by the Click-time URL Protection service, check to ensure the recipient in question is not currently on any of your organization's whitelists.

 

Where is the link?

The initial release of Click-time URL Protection only rewrites URLs that are contained in an email's message body.

 

Does the URL start with ftp://?

The Click-time URL Protection service does not support the processing of ftp:// schemed URLs.

 

Is the URL's target an internationalized domain name?

The initial release of Click-time URL Protection does not support the processing of internationalized domain names.

 

Further investigation

If you are unable to determine the reason why a URL has not been rewritten, please open a ticket with the Symantec.cloud Support team.

Note: Click-time URL Protection is designed to rewrite URLs up to 2048 characters in length. Longer URLs are not rewritten currently.
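
The URL-level conditions in this article can be checked as a quick triage before opening a ticket. The following Python function is an added example, not Symantec code and not the service's actual matching logic; it covers only what can be judged from the URL string itself. The function name, the use of Python's ipaddress private ranges, and treating a dot-less host as a "hostname" are assumptions.

```python
import ipaddress
from urllib.parse import urlsplit

MAX_URL_LENGTH = 2048  # limit stated in the article's closing note


def reasons_not_rewritten(url):
    """Return the article's documented reasons that apply to url (empty list: none found)."""
    reasons = []
    if len(url) > MAX_URL_LENGTH:
        reasons.append("longer than 2048 characters")

    lowered = url.lower()
    if lowered.startswith("ftp://"):
        reasons.append("ftp:// scheme is not supported")
        return reasons
    # Per the article's examples, http://, https:// and a leading www. are rewritten.
    if not lowered.startswith(("http://", "https://", "www.")):
        reasons.append("schemeless URL")

    # Give urlsplit a scheme so it can isolate the host part.
    candidate = url if "://" in url else "http://" + url
    host = urlsplit(candidate).hostname or ""

    try:
        # Assumption: Python's definition of private ranges stands in for the service's.
        if ipaddress.ip_address(host).is_private:
            reasons.append("private IP address")
    except ValueError:
        # Not an IP literal. Assumption: a host without a dot is a bare hostname.
        if "." not in host:
            reasons.append("bare hostname")
        labels = host.split(".")
        if not host.isascii() or any(l.startswith("xn--") for l in labels):
            reasons.append("internationalized domain name")
    return reasons


if __name__ == "__main__":
    # Sample URLs: the article's own examples plus constructed IDN and long-URL cases.
    samples = ["https://www.symantecdomain.com", "symantecdomain.com",
               "http://localhost/", "http://172.16.0.2/",
               "ftp://symantecdomain.com/file", "http://bücher.example/",
               "http://www.symantecdomain.com/" + "a" * 2100]
    for s in samples:
        print(s[:60], "->", reasons_not_rewritten(s) or "no URL-level reason found")
```

An empty result means the cause lies in one of the other checks above: service state, mail direction, S/MIME or PGP signing, whitelists, or the link's location in the message.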
