URL Defense FAQ

URL Defense Guide using Cisco Secure Email

What are Service Logs?

The Service Logs are used to collect personal data based on the Cisco Email Security Appliance Data Sheet guidelines.

The Service Logs are sent to the Cisco Talos Cloud service to improve Phishing detection.

The email gateway collects limited personal data from customer emails and offers extensive useful threat detection capabilities that can be coupled with dedicated analysis systems to collect, trend, and correlate observed threat activity. Cisco uses the personal data to improve your email gateway capabilities to analyze the threat landscape, provide threat classification solutions on malicious emails, and to protect your email gateway from new threats such as spam, virus, and directory harvest attacks.

During the upgrade process, you can choose to enable Service Logs on your appliance in any one of the following ways:

  • Select the 'I Agree' option for Service Logs in the System Administration > System Upgrade page of the web interface.
  • Type 'Yes' for the “Do you agree to proceed with Service Logs being enabled by default? [y]>” statement in the “upgrade” CLI command.

For more information, see the “Improving Phishing Detection Efficacy using Service Logs” chapter of the user guide.

How can I find more information regarding Cisco Talos?

What is the full list of 'URL Categories'?

Talos, Cisco’s Security Intelligence and Research Group, constantly tracks a broad set of attributes to evaluate conclusions about a given host. Talos provides both the content and threat categories used for our scoring.

URL Categories
  • Adult
  • Advertisements
  • Alcohol
  • Animals and Pets
  • Arts
  • Astrology
  • Auctions
  • Business and Industry
  • Cannabis
  • Chat and Instant Messaging
  • Cheating and Plagiarism
  • Child Abuse Content
  • Cloud and Data Centers
  • Computer Security
  • Computers and Internet
  • Conventions, Conferences and Trade Shows
  • Cryptocurrency
  • Cryptomining
  • DIY Projects
  • DNS-Tunneling
  • Dating
  • Digital Postcards
  • Dining and Drinking
  • DoH and DoT
  • Dynamic DNS Provider
  • Dynamic and Residential
  • Education
  • Entertainment
  • Extreme
  • Fashion
  • File Transfer Services
  • Filter Avoidance
  • Finance
  • Freeware and Shareware
  • Gambling
  • Games
  • Government and Law
  • Hacking
  • Hate Speech
  • Health and Medicine
  • Humor
  • Hunting
  • Illegal Activities
  • Illegal Downloads
  • Illegal Drugs
  • Infrastructure and Content Delivery Networks
  • Internet Telephony
  • Internet of Things
  • Job Search
  • Lingerie and Swimsuits
  • Lotteries
  • Military
  • Mobile Phones
  • Museums
  • Nature and Conservation
  • News
  • Non-governmental Organizations
  • Non-sexual Nudity
  • Not Actionable
  • Online Communities
  • Online Document Sharing and Collaboration
  • Online Meetings
  • Online Storage and Backup
  • Online Trading
  • Organizational Email
  • Paranormal
  • Parked Domains
  • Peer File Transfer
  • Personal Sites
  • Personal VPN
  • Photo Search and Images
  • Politics
  • Pornography
  • Private IP Addresses as Host
  • Professional Networking
  • Real Estate
  • Recipes and Food
  • Reference
  • Regional Restricted Sites (Germany)
  • Regional Restricted Sites (Great Britain)
  • Regional Restricted Sites (Italy)
  • Regional Restricted Sites (Poland)
  • Religion
  • SaaS and B2B
  • Safe for Kids
  • Science and Technology
  • Search Engines and Portals
  • Sex Education
  • Shopping
  • Social Networking
  • Social Science
  • Society and Culture
  • Software Updates
  • Sports and Recreation
  • Streaming Audio
  • Streaming Video
  • Terrorism and Violent Extremism
  • Tobacco
  • Transportation
  • Travel
  • URL Shorteners
  • Uncategorized URLs
  • Weapons
  • Web Cache and Archives
  • Web Hosting
  • Web Page Translation
  • Web-based Emails

I have a domain that I do not want to be scanned and scored in emails. How do I prevent my domain/URL from being scored?

Use the URL Lists (Mail Policies > URL Lists) option. You can place any valid URL that you wish to allow during message processing in a URL List. The URL List can then be specified in your Message or Content Filter.

URL Lists examples

The following is a list of valid URL domain formats that can be used to skip URL filtering:

  • Hostnames such as:
    • "example.com"
    • "10.1.1.1"
    • "[2001:db8:85a3:8d3:1319:8a2e:370:7348]"
  • Hostnames with wildcard '*' such as:
    • "example.com/*" or "example.com/path/*"
    • "10.1.1.1/*" or "10.1.1.1/path/*"
    • "[2001:db8:85a3:8d3:1319:8a2e:370:7348]/*" or
    • "[2001:db8:85a3:8d3:1319:8a2e:370:7348]/path/*"
  • Partial hostnames with wildcard '*' such as:
    • "*.example.com"
    • "*.example.com/*"
    • "*.example.com/path/*"

For example, adding "*.1000logos.net/*" to the URL Lists "bypass_URLs" would prevent any URL with hxxp://1000logos.net/* from being scored.

In the Web Reputation Logs, it is then logged as:

Mon Jan 16 19:39:03 2023 Info: url_rep_client.beaker_rpc_server : THR: Thread-28: SRC: antispam: MID: 11064: A URL on the Allowed List found: ['hxxps://1000logos.net/wp-content/uploads/2016/11/Cisco-logo.png'].
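
Because every allowed-list match skips scoring, it is worth reviewing which hosts actually hit the list. The following is an added example, not Cisco code: it parses log lines in the format shown above and tallies matches per host. The first sample line is the one from this page; the other lines, the multi-URL list form, and the function names are constructed assumptions.

```python
import ast
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlsplit

# Line 1 is the entry quoted on this page; lines 2-3 are constructed samples.
SAMPLE_LOG = """\
Mon Jan 16 19:39:03 2023 Info: url_rep_client.beaker_rpc_server : THR: Thread-28: SRC: antispam: MID: 11064: A URL on the Allowed List found: ['hxxps://1000logos.net/wp-content/uploads/2016/11/Cisco-logo.png'].
Mon Jan 16 19:41:10 2023 Info: url_rep_client.beaker_rpc_server : THR: Thread-12: SRC: antispam: MID: 11070: A URL on the Allowed List found: ['hxxps://1000logos.net/a.png', 'hxxp://cdn.1000logos.net/b.png'].
Mon Jan 16 19:42:00 2023 Info: constructed unrelated line that must be ignored
"""

ALLOWED_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) Info: .*?"
    r"MID: (?P<mid>\d+): A URL on the Allowed List found: (?P<urls>\[.*\])\.?\s*$"
)

def refang(url):
    """Undo hxxp/hxxps defanging; real http(s) URLs pass through unchanged."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)

def parse_allowed_hits(log_text):
    """Return one record per allowed-list URL found in the log text."""
    hits = []
    for line in log_text.splitlines():
        m = ALLOWED_RE.match(line)
        if not m:
            continue
        try:
            urls = ast.literal_eval(m.group("urls"))  # safe literal parse only
        except (ValueError, SyntaxError):
            continue  # malformed list: skip rather than guess
        if not isinstance(urls, list):
            continue
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        for url in urls:
            host = urlsplit(refang(str(url))).hostname
            hits.append({"time": ts, "mid": int(m.group("mid")),
                         "host": host, "url": url})
    return hits

def hits_per_host(hits):
    """Count allowed-list matches per hostname, for periodic review."""
    return Counter(h["host"] for h in hits)

if __name__ == "__main__":
    for host, n in hits_per_host(parse_allowed_hits(SAMPLE_LOG)).most_common():
        print(f"{n:4d}  {host}")
```
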