A phishing email containing a malicious URL embedded within a Google redirect link is not detected or blocked by Symantec Messaging Gateway, even though the actual target URL is categorized as Phishing in WebPulse Site Review.
SMG 10.8, 10.9
This behavior is by design and occurs due to how WebPulse URL classification operates.
WebPulse performs reputation analysis based on the top-level URL structure — specifically, the primary domain and path.
To avoid false positives, WebPulse does not analyze or classify nested or encoded URLs contained within redirect parameters (such as url= or redirect=).
This design helps prevent misclassification of legitimate redirection services such as Google, Bing, or Yahoo, which routinely redirect users to external sites for legitimate purposes.
This behavior is expected, and detection can be improved using one of the following methods:
Quarantine Search Engine Redirect URLs
In the SMG Control Center, go to: Spam > Customer-Specific URL Categories
Add the “Search Engines/Portals” category.
Create or edit a Spam Policy to hold or quarantine messages containing URLs from this category.
This configuration ensures that messages containing redirect URLs (e.g., from Google or Bing) are quarantined for review before delivery.
Report False Negatives to the AntiSpam Team
If the email was clearly spam or phishing-related, report it as a False Negative to Broadcom’s AntiSpam team so that a detection rule can be created.
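When reviewing messages held by the policy above, the nested target is the part that needs to be checked in WebPulse Site Review. The following is an added example, not part of SMG or of the original article: a small Python helper that pulls the nested URL out of redirect parameters in a message body. The parameter name q, the function names and the sample hosts are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# "url" and "redirect" are named in the article; "q" is an assumed extra.
REDIRECT_PARAMS = {"url", "redirect", "q"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
MAX_DECODE_ROUNDS = 3  # nested targets may be percent-encoded more than once

# Constructed sample body; hosts are placeholders, not real indicators.
SAMPLE_BODY = (
    "Confirm here: https://www.google.com/url?url=https%3A%2F%2Flogin.example.test%2Fverify&sa=D\n"
    "or https://redirector.example/out?redirect=https%253A%252F%252Fportal.example.test%252Freset\n"
    "Plain link: https://www.example.org/page?id=7\n"
)


def _decode(value):
    """Percent-decode repeatedly until the value stops changing."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def nested_targets(url, depth=0, max_depth=3):
    """Yield (outer_host, nested_url) for each redirect parameter in url."""
    if depth >= max_depth:
        return
    parts = urlsplit(url)
    for name, value in parse_qsl(parts.query):  # parse_qsl decodes once
        if name.lower() not in REDIRECT_PARAMS:
            continue
        target = _decode(value)
        if not re.match(r"https?://", target, re.IGNORECASE):
            continue
        yield parts.hostname, target
        # The nested target can itself be another redirector.
        yield from nested_targets(target, depth + 1, max_depth)


def triage(body):
    """Return every nested redirect target found in a message body."""
    findings = []
    for match in URL_RE.finditer(body):
        findings.extend(nested_targets(match.group(0).rstrip(".,)")))
    return findings
```

Calling triage(SAMPLE_BODY) lists the outer redirector host next to each decoded target, which can then be looked up in WebPulse Site Review.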