
Intent Analysis reliability - UA strings

intent useragent user agent multi-level

2 replies to this topic

#1 Jaybone


Posted 21 January 2016 - 01:08 PM

A couple of users got spammed with a short email; just two lines and a link.

 

One of them opened it "without thinking" (his words:) and immediately closed it before actually processing (with his brain) what came up in the browser.

 

He let us know about this.  Not about to open the link in a browser, I grabbed it with wget.  404.

"Weird," I think.  "It's less than 20 hours old, I doubt they've taken it down this soon..."

Try wget again, but this time have it send a user agent string that looks like Chrome...

Boom - 30X redirect chain through half a dozen different sites, finally landing on a rotating page with obvious junk that, had it been in the email, or, I assume, reachable by the Barracuda for analysis, would have caused the email to get blocked.

Switched back and forth a bit between using wget with no user agent specified and with the Chrome-looking one, on the various redirect urls, and each time, the wget UA got either a 404 or 403, but the Chrome-looking one got a redirect to the end site and page.

 

Now, I'm assuming from stuff I've read in the distant past, and from the Multi-Level Intent feature's description that the Barracuda will follow links to look at content of the pages linked in an email, and make decisions based on that content.   Anyone know if this is actually the case for all/most possible links?  The feature description only calls out "...well known free websites for redirection" so maybe this link didn't fall into that category?
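The comparison described in the post above, as an added example that is not part of the original thread or any Barracuda code: it requests one URL once per User-Agent without following redirects and flags the case where one agent is refused (403/404) while another is served or redirected. The User-Agent strings, function names and sample hostnames are constructed for illustration.

```python
import urllib.error
import urllib.request

# Constructed User-Agent values (assumptions, not taken from the thread).
AGENTS = {
    "wget-default": "Wget/1.17 (linux-gnu)",
    "chrome-like": ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) "
                    "AppleWebKit/537.36 (KHTML, like Gecko) "
                    "Chrome/47.0.2526.111 Safari/537.36"),
}


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface each 30x as an HTTPError instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_once(url, user_agent, timeout=10):
    """Return (status, Location) for one GET; redirects are not followed."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def compare(results):
    """Flag a URL that serves some agents (2xx/3xx) and refuses others (403/404)."""
    served = sorted(k for k, (s, _) in results.items() if 200 <= s < 400)
    refused = sorted(k for k, (s, _) in results.items() if s in (403, 404))
    return {"ua_dependent": bool(served and refused),
            "served": served, "refused": refused}


def probe(url, fetch=fetch_once, agents=AGENTS):
    """Request url once per agent and compare the answers."""
    results = {name: fetch(url, ua) for name, ua in agents.items()}
    return results, compare(results)


if __name__ == "__main__":
    # Constructed observations mirroring the thread: 404 for wget, 30x for Chrome-like.
    sample = {"wget-default": (404, None),
              "chrome-like": (302, "http://next-hop.example/")}
    print(compare(sample))
```

Calling `probe()` on each `Location` value in turn repeats the check hop by hop, which is how the post describes testing the individual redirect URLs.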

 

 

 



#2 mheller


Posted 21 January 2016 - 01:32 PM

Hi Jay,

 

We don't emulate all browsers when we do the multilevel intent check, but this is an unfortunate scenario that I will use with our product team to discuss ways to detect these.

 

In terms of links found on pages we visit - we do follow them if we don't recognize them in our other intent classifiers.

 

If you wouldn't mind submitting some of those emails to us via a case, I'd love to get this data to the team!



Matthew Willson-Heller
Support Escalation Manager, US

Barracuda Networks Inc.
Phone: +1 408.342.5300 x5346
Fax: +1 408.342.1061
Web: www.barracudanetworks.com



#3 Jaybone


Posted 22 January 2016 - 12:27 PM

All pages I'm trying today seem to now have been taken down - 404s for everything.

 Next time it comes up, I'll open a case with screenshots, page downloads, etc.

 

Thanks