Skip to main content
My preferencesSign out
Proofpoint, Inc.

Troubleshooting issues with URL Defense

Situation URL Defense will defend against malicious and potentially harmful URL’s contained within emails.
  • URL Defense is not re-writing emails with DKIM signature.
  • DKIM signature is broken by URL re-writing.
  • You noticed that URL Defense is not re-writing links for some emails.
  • What are all the additional characters in a defended URL.
Solution URL defense feature has some exception that can be configured according to customer needs. Make sure after you enable Attachment Defense which exceptions you want to add into customers.
  1. URL Defense and DKIM signature.
  2. URL Defense Exceptions.
  3. Reading a defended URL.

 

URL Defense and DKIM signature

By default URL Defense will re-write URLs that are located in DKIM signed emails. This will provide needed security for URLs, but will break the DKIM signature in these emails.  To use URL Defense for unsigned emails and preserve DKIM signing for signed emails, you will need to disable this setting. 

  1. Login with your admin credentials into Proofpoint Dashboard.
  2. Under Security Settings, click on Malicious Content tab.
  3. Under Malicious Content, click on URL Defense tab.
  4. Check the box: Re-write URLs that are located in DKIM signed messages.

clipboard_eb31bd0d2010152a48afa4538bcbca39d.png

URL Defense Exceptions

URL Defense can be configured so that it doesn't have to re-write all links in emails. 

  1. Re-write URLs that are not located in an anchor tag
    • This will re-write URL’s that are not included in an anchor tag
    • Example: not included in <a href="proofpoint.com”></a>
  2. Exclude URLs that contain specified domains/IP addresses:
    • URL’s will not be re-written that contain the specified Domains listed/IP addresses
    • Enter your domain list separated by line, comma or semi-colon
  3. Exclude active domains associated with this organization:
    • This will exclude re-writing URL’s for emails from domains associated with the organization's account
    • Check the box to enable this option
  4. Exclude re-writing emails that are sent by specified senders:
    • This will not re-write URL’s that have specified senders/domains listed
    • Enter your domain list separated by line, comma or semi-colon
  5. Exclude re-writing bare IP addresses in plain text emails:
    • This will not re-write bare IP addresses in plain text emails
    • Check the box to enable this option
  6. Exclude re-writing URLs in plain text emails:
    • This will not re-write URLs contained in plain text emails
    • Check the box to enable this option

Case condition re-writes

For the above, please ensure to note the considerations here:

Text has hyperlink - entire URL is re-written

Text URL matches hyperlink - entire is re-written

Text URL does not match hyperlink -  original hyperlink is missing, text URL is re-written and given as new hyperlink.

 

Solution to last scenario - Need to exempt the sender or base URL

Reading a defended URL

Example

  • Original URL:
    Original URL: http://www.google.com
    
  • Defended URL: 
    Defended URL:  https://urldefense.proofpoint.com/v2/url?u=http-3A__www.google.com&d=DwMBaQ&c=Vxt5e0Osvvt2gflwSlsJ5DmPGcPvTRKLJyp031rXjhg&r=U7dT0lFTeyLPTT18j4jTT-QA0_6S0SNyKKRkIm_J6m0&m=phBCMPbh8b9Q8KZOis22AQ2dvsY8EX3owRM-4hZtz1o&s=tyrC6QslpNIWXiCLUXJEbjm0oo5vBoSwGrVYEhO1xBw&e=
    

All fields except the URL are encrypted.  The information embedded in the URL is as follows:

  • u – the original URL
  • d – a set of debug flags
  • c – a PPS cluster ID
  • r – the recipient of the message
  • m – a message identifier
  • s – a digital signature to prevent tampering
  • e – a blank parameter to signify the end of the rewritten URL

Warning When Malicious URL is clicked

Blocked URL link change

When you visit a URL and see the site below, the URL itself changes. If you are contacting support in regards to a false positive on the URL, we require the original link from the email, not the one currently in your browser address bar.

proofpoint-url-defense-block-page.png

Support Escalation

If you would like to contact Support for a URL Defense issue that is not described above, please be prepared to provide the following:

  1. Original copy of the email (not forwarded, as it may properly defend all URLs after forwarding). -- We will need it downloaded as an attachment and most likely zipped, password protected, and uploaded to the ticket.
  2. A screen shot of which specific URL is not defended in the email. -- If the email contains multiple URLs, Support will need to know exactly which URL they are being asked to review.