How to Troubleshoot Issues with URL Defense

Created by Antonio Ortiz, Modified on Mon, 13 Jan 2020 at 03:28 PM by Jason Carreiro


Situation

URL Defense defends against malicious and potentially harmful URLs contained in emails.
  • URL Defense is not re-writing emails with a DKIM signature.
  • The DKIM signature is broken by URL re-writing.
  • You noticed that URL Defense is not re-writing links for some emails.
  • What are all the additional characters in a defended URL?

Solution

The URL Defense feature has some exceptions that can be configured according to customer needs. After you enable Attachment Defense, make sure you know which exceptions you want to add for customers.
  1. URL Defense and DKIM signature.
  2. URL Defense Exceptions.
  3. Reading a defended URL.

 

URL Defense and DKIM signature

By default URL Defense will re-write URLs that are located in DKIM signed emails. This will provide needed security for URLs, but will break the DKIM signature in these emails.  To use URL Defense for unsigned emails and preserve DKIM signing for signed emails, you will need to disable this setting. 

  1. Log in to the Proofpoint Dashboard with your admin credentials.
  2. Click the Company Settings tab.
  3. Under Company Settings, click the URL Defense tab.
  4. Check the box: Re-write URLs that are located in DKIM signed messages.
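Why re-writing breaks DKIM, as an added diagnostic example (not Proofpoint code): the signature's bh= tag is a hash of the canonicalized body, so any change to a URL in the body changes it. The sample bodies, the example.test domain and the sel1 selector are constructed, and the re-written link is abbreviated.

```python
import base64
import hashlib
import re

def canonicalize_body(body, mode):
    """Body canonicalization per RFC 6376: 'simple' or 'relaxed'."""
    lines = body.split(b"\r\n")
    if mode == "relaxed":
        # Collapse runs of spaces/tabs and drop whitespace at line ends.
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":
        lines.pop()  # trailing empty lines are ignored
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return b"\r\n".join(lines) + b"\r\n"

def body_hash(body, mode):
    digest = hashlib.sha256(canonicalize_body(body, mode)).digest()
    return base64.b64encode(digest).decode("ascii")

def signature_tags(header_value):
    """Parse the tag=value list of a DKIM-Signature header value."""
    pairs = re.sub(r"\s+", "", header_value).split(";")
    return dict(p.partition("=")[::2] for p in pairs if p)

def body_hash_matches(header_value, body):
    """True if the body still hashes to bh= (sha256 only, l= ignored)."""
    tags = signature_tags(header_value)
    if not tags.get("a", "").endswith("sha256"):
        raise ValueError("this example handles sha256 signatures only")
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    return body_hash(body, body_mode) == tags["bh"]

# Constructed sample data: bodies and signature are made up for this example.
ORIGINAL = b'<a href="http://www.google.com">Click Here</a>\r\n'
# Re-written link abbreviated: remaining parameters omitted.
REWRITTEN = (b'<a href="https://urldefense.proofpoint.com/v2/url'
             b'?u=http-3A__www.google.com&d=DwMBaQ">Click Here</a>\r\n')
SIGNATURE = ("v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.test; s=sel1;"
             " h=from:subject; bh=" + body_hash(ORIGINAL, "relaxed")
             + "; b=PLACEHOLDER")
```

Relaxed canonicalization tolerates whitespace changes only, so `body_hash_matches(SIGNATURE, REWRITTEN)` is false even though the visible link text is unchanged.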

URL Defense Exceptions

URL Defense can be configured so that it doesn't have to re-write all links in emails. 

  1. Re-write URLs that are not located in an anchor tag
    • This will re-write URLs that are not included in an anchor tag
    • Example: not included in <a href="proofpoint.com"></a>
  2. Exclude URLs that contain specified domains/IP addresses:
    • URLs that contain the listed domains/IP addresses will not be re-written
    • Enter your domain list separated by line, comma or semi-colon
  3. Exclude active domains associated with this organization:
    • This will exclude re-writing URLs from emails from domains associated with the organization's account
    • Check the box to enable this option
  4. Exclude re-writing emails that are sent by specified senders:
    • This will not re-write URLs that have specified senders/domains listed
    • Enter your domain list separated by line, comma or semi-colon
  5. Exclude re-writing bare IP addresses in plain text emails:
    • This will not re-write bare IP addresses in plain text emails
    • Check the box to enable this option
  6. Exclude re-writing URLs in plain text emails:
    • This will not re-write URLs contained in plain text emails
    • Check the box to enable this option

Reading A Defended URL

Example:

  • Original URL: http://www.google.com
  • Defended URL:  https://urldefense.proofpoint.com/v2/url?u=http-3A__www.google.com&d=DwMBaQ&c=Vxt5e0Osvvt2gflwSlsJ5DmPGcPvTRKLJyp031rXjhg&r=U7dT0lFTeyLPTT18j4jTT-QA0_6S0SNyKKRkIm_J6m0&m=phBCMPbh8b9Q8KZOis22AQ2dvsY8EX3owRM-4hZtz1o&s=tyrC6QslpNIWXiCLUXJEbjm0oo5vBoSwGrVYEhO1xBw&e=

All fields except the URL are encrypted.  The information embedded in the URL is as follows:

  • u – the original URL
  • d – a set of debug flags
  • c – a PPS cluster ID
  • r – the recipient of the message
  • m – a message identifier
  • s – a digital signature to prevent tampering
  • e – a blank parameter to signify the end of the rewritten URL
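A small reader for the fields listed above, added here as an example and not Proofpoint's own tooling. The decoding of u is inferred from the article's example (':' written as '-3A', '/' as '_'); treating every '-XX' as a hex escape is an assumption, and the function names are hypothetical.

```python
from urllib.parse import urlsplit, unquote

# Field meanings as listed in the article.
FIELDS = {"u": "original URL", "d": "debug flags", "c": "PPS cluster ID",
          "r": "recipient", "m": "message identifier",
          "s": "digital signature", "e": "end marker (blank)"}

# The article's own example link, split only for line length.
EXAMPLE = ("https://urldefense.proofpoint.com/v2/url?u=http-3A__www.google.com"
           "&d=DwMBaQ&c=Vxt5e0Osvvt2gflwSlsJ5DmPGcPvTRKLJyp031rXjhg"
           "&r=U7dT0lFTeyLPTT18j4jTT-QA0_6S0SNyKKRkIm_J6m0"
           "&m=phBCMPbh8b9Q8KZOis22AQ2dvsY8EX3owRM-4hZtz1o"
           "&s=tyrC6QslpNIWXiCLUXJEbjm0oo5vBoSwGrVYEhO1xBw&e=")

def decode_u(value):
    # In the example ':' is written '-3A' and '/' is written '_'.
    # Assumption: any '-XX' is a hex escape, so map '-' to '%' and unquote.
    return unquote(value.replace("-", "%").replace("_", "/"))

def read_defended_url(url):
    """Split a v2 defended URL into its fields; only 'u' is decoded."""
    parts = urlsplit(url)
    if (parts.hostname != "urldefense.proofpoint.com"
            or parts.path != "/v2/url"):
        raise ValueError("not a v2 URL Defense link")
    # Split by hand so '+' and the blank 'e' value are kept as written.
    fields = {}
    for pair in parts.query.split("&"):
        key, _, value = pair.partition("=")
        fields[key] = value
    missing = [k for k in FIELDS if k not in fields]
    if missing:
        raise ValueError("missing fields: " + ", ".join(missing))
    fields["u"] = decode_u(fields["u"])
    return fields

if __name__ == "__main__":
    for key, value in read_defended_url(EXAMPLE).items():
        print(f"{key} ({FIELDS.get(key, 'unknown')}): {value}")
```

The reader does not verify the s signature; it only recovers the original destination for log review or ticket triage.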


Warning When Malicious URL Is Clicked

[Image: Proofpoint URL Defense block page]



URL Defense Settings

Setting: Re-write URLs that are located in DKIM signed messages

Description: DKIM is an email validation system designed to detect email spoofing. It provides a mechanism to allow mail systems to check that incoming email from a domain has not been modified during transport. Many hosted mail systems today employ this technique in their email delivery process.

If this setting is enabled, URLs found in DKIM signed messages will be re-written. DKIM validation will fail as a result of this setting.

Additional Notes: This setting is enabled by default.

If you are experiencing delivery issues as a result of DKIM failures, you can disable this setting.

Setting: Re-write URLs that are not located in an anchor tag

Description: Anchor tags <a> are used in HTML to tell a browser or email client where to direct the user when a piece of content, such as a website URL, is clicked.

For example:

This anchor tag <a href="http://www.bobsbooksupplies.com">Click Here</a> will appear as Click Here when viewed in an email browser or email client.

Some email clients will make any URL that appears in a message, such as www.bobsbooksupplies.com or http://www.bobsbooksupplies.com, clickable without the need for an anchor tag.

If this setting is enabled, these links will be re-written. As a result, they will appear as follows: https://urldefense.proofpoint.com/v2...ksupplies.com&...

Additional Notes: Proofpoint recommends you enable this setting.

Setting: Exclude URLs that contain specified domains/IP addresses

Description: You can specify one or more domains and/or IP addresses that, when found in a message URL, will not be re-written.

For example:

If the entry bobsbooksupplies.com appeared in the list, then the URL http://www.bobsbooksupplies.com would not be re-written.

Additional Notes: Proofpoint recommends you limit the use of this exclusion policy.

Setting: Exclude active domains associated with this organization

Description: If this setting is enabled, all active domains registered to this organization will not be re-written when found in a message URL.

Setting: Exclude re-writing emails that are sent by specified senders

Description: You can specify one or more senders whose emails will not be re-written.

Additional Notes: Proofpoint recommends you limit the use of this exclusion policy.

Setting: Exclude re-writing bare IP addresses in plain text emails

Description: If this setting is enabled, bare IPs (e.g., http://123.123.123.123) will not be re-written. Bare IPs are common when receiving auto generated log/event related emails.

Additional Notes: Proofpoint recommends you disable this setting.

Setting: Exclude re-writing URLs in plain text emails

Description: In HTML emails, URLs are typically masked behind a friendly link (e.g., click here will be displayed instead of http://www.bobsbooksupplies.com). Plain text emails do not offer this ability and, as a result, users will see re-written URLs (https://urldefense.proofpoint.com/v2...plies.com&...).