Phishing URI Realtime Blocklist (PURBL)

Phishing is a technique used to perform social engineering through emails. A phishing email will be crafted to look like an official email coming from a reputable business, for example a bank. Phishing emails will contain instructions, for example that a bank requires you to reconfirm your online banking username and password or credit card information. The phishing email will include a phishing Uniform Resource Identifier (URI) that the user is supposed to follow to enter some sensitive information on a site, such as the username and password in the example used before. The site pointed to by the phishing URI will look like the official site, but in reality it is controlled by whoever sent the phishing emails. When the user enters the sensitive information on the phishing site, the data will be collected and is then used for example to withdraw money from your bank account.

The Phishing URI Realtime Blocklist (PURBL) feature of GFI MailEssentials detects phishing emails by comparing URIs present in the email to a database of URIs that are known to be used in phishing attacks, and also by looking for typical phishing keywords in the URIs.

To enable the PURBL check:

1. Right click on the Anti-Spam > Phishing URI Realtime Blocklist node and select Properties.

Screenshot 35 – Phishing URI Realtime Blocklist Properties

2. In Phishing URI Realtime Blocklist tab, select the Check mail messages for URI’s to known phishing sites option. This option will instruct GFI MailEssentials to look at the URIs present in an email, perform a lookup of those URIs in a database of URIs that are known to be used to point to phishing sites, and if a match is found, the email containing those URIs will be marked as SPAM email.

3. If you also want to check for phishing keywords in the URIs present in the email, which would be a good indicator that the email is a phishing email, access the Keywords tab and select the Check URI’s in mail messages for typical phishing keywords option.

Screenshot 36 - Phishing keywords

4. To add phishing keywords, click the Keyword button. In the Enter a keyword dialog specify the phishing keyword and click the OK button. The phishing keyword is added to the Keywords list.

NOTE: To edit/remove a phishing keyword, select it from the list and click the Edit or Remove button respectively.

5. When ready, click on the Apply button to save the new settings.

Updates tab

In the Updates tab, you can configure GFI MailEssentials to automatically check for and download any anti-phishing updates available. Since new phishing URIs are discovered daily, it is recommended to leave the automatic checking and downloading option enabled so that the PURBL feature will be more effective in detecting the latest phishing email attempts.

If you want to be informed via email whenever a new anti-phishing update is downloaded and installed, select the Send a notification email when an update succeeds checkbox.

If you want to be informed via email whenever a failure occurs, select the Send a notification email when an update fails checkbox.

The anti-phishing updates will be downloaded from the preferred server selected. For more information on how to select the preferred server, refer to the ‘Selecting the server from where to download updates’ section of the ‘Miscellaneous Options’ chapter.

Screenshot 37 - Automatic anti-phishing updates

Actions tab

After you have specified which PURBL checks to perform, click on the Actions tab to specify what you want to do with emails marked as spam by this filter. For more information on possible actions, please refer to the ‘Actions – what to do with spam email’ section in this chapter.

Other tab

Please refer to the ‘Other options’ section in this chapter.