Has anyone ever had the URL Rewriting actually block something nefarious?
I've been using the URL Rewriting feature ever since it was introduced, but I'm to the point where I'm thinking it does more harm than good. I've tested it many times on bad e-mails that have gotten through, and it has always sent me right through to the phishing site or the malicious download. The only time it actually seems to make any difference is when the server is down, and the link doesn't work at all (which is bad when it's a legitimate e-mail and link).
When it was first introduced, I opened a support case about it not working on a particular bad site, but by the time they looked at it the site had been taken down. I haven't bothered reporting since.
Why do I think it might be doing more harm than good? If you want to train users to look carefully at URLs before clicking, they can't have been rewritten to point to SonicWall. Also, if they click on a rewritten URL and it works, they may (and rightfully, should be able to) assume it's OK.
@Trevor search the Discussions for TOC (Time of Click)
and note that there is a recommended update.
Thanks, but I'm already on 10.0.8.
I'm trying to train my users to check URLs before clicking on them, and this defeats the purpose. Plus, I've never actually seen it block things that it should. So I guess I'm going to just turn it off for now. I was just curious if it had ever been useful for anyone else.
I used it on my own domain for testing purposes and saw it block a site once or twice. But in the end I disabled it because it caused more harm than good. There was a period where Microsoft saw the URL rewriting as a phishing attempt, bad enough for my emails sent to customers to be quarantined in Office 365.
I contacted Microsoft but they didn't really give any reason for the block, but after a week it didn't happen anymore in my testing. But I'm afraid to enable TOC again if it might happen again.
The problem was when I replied to a message that had a URL, so the mail system on the other end saw the original link in the message changed, and this can be evaluated as malicious. Perhaps ES should have some sort of intelligence not to send messages out with the rewritten URL?
I think the days of URL rewriting are counted. It was a good idea in the beginning, but it causes more problems than it's worth, IMHO.
Forwarding mails with rewritten URLs causes raised eyebrows all the time.
I have one positive link from a customer's email.
But I also have a lot more links from good domains which users can't access after ToC.
trello.com, datev.de, and others... I whitelisted these and the customer accepts this.