Spam mails with unicode characters pass InterScan Messaging Security Virtual Appliance undetected

Updated: 15 Dec 2020

Product/Version:
    • InterScan Messaging Security Suite 7.1 Linux
    • InterScan Messaging Security Suite 7.1 Windows
    • InterScan Messaging Security Suite 7.5 Windows
    • InterScan Messaging Security Suite 9.1 Linux
    • InterScan Messaging Security Virtual Appliance 9.0
    • InterScan Messaging Security Virtual Appliance 9.1

Platform: N/A

Summary

In one reported case, a policy to detect profanity keywords did not work because the word contained Greek and Latin characters.

This article provides a workaround to block spam mails with Unicode characters such as Chinese, Greek, and Latin characters in InterScan Messaging Security Virtual Appliance (IMSVA).

The IMSVA Content Filter does not support matching double-byte expressions. The workaround is based on the Data Loss Prevention (DLP) filter, so a valid DLP license is required to implement it.

Details

To resolve the issue, you may create a DLP Identifier to block these kinds of letters. Select the expression you would like to block.

Create a DLP Data Identifier

  1. Navigate to Policy > Policy Objects > DLP Data Identifiers, select the Expression tab, and click Add.

    Add entry

  2. Provide a name and copy the string “([一-鿿]+)” without quotes, to the Expression field. Click Save. As an option, you may provide some description in the Description field, and you may also verify the expression by copying a Chinese subject line to the Test data field and clicking Test.

    Copy string

    If the test result is not correct, remove the pasted expression and create a new one with the following steps.

  3. (Optional) Access this Unicode Lookup site, and copy the character to the Keyword box in IMSVA Web UI.

    Copy unicode

  4. Access this other Unicode Lookup site, and copy the character to the Keyword box as well.

    Other Unicode Lookup site

    Refer to the screenshot in Step 2, and add “(”, “[”, “-”, “]”, “+” and “)” accordingly to compose the expression.

Create a DLP Compliance Template

  1. Navigate to Policy > Policy Objects > DLP Compliance Templates and click Add.

    Add template

  2. Provide a name, select the DLP Data Identifier you just created, click Add and then Save.

    Add DLP Data Identifier

Add a new policy rule

  1. Navigate to Policy > Policy List, click Add and select Other.

    Add

  2. Configure Senders and Recipients as needed.

    Configure Senders and Recipients


  3. In case some users need to receive Chinese mails from specific senders, configure the Exception.

    Configure exception

  4. Configure the scanning criteria to use the DLP Compliance Template just created.
    1. Check the checkbox next to DLP Compliance Templates and then click DLP Compliance Templates.

      DLP Compliance Templates

    2. Select the DLP Compliance Template you just created, click the “>>” button to add it to the “Selected” field, then click Save.

      Save template

    3. Click Next.


  5. Configure the policy Action.

    Policy action

  6. Name the rule and set its Order Number (priority). You may put it right under the antivirus rule and spam rule.

    Rule priority

  7. Save the changes. The final result will be the following:

    Results

Below is a sample spam email containing Unicode characters from the Greek, Latin, and IPA Extension ranges, which is why the policy to detect profanity keywords fails to work.

To resolve the issue, create a DLP Identifier to block these accented letters. Note that there are many other Unicode types.

On the product side, you may opt to block emails that contain any of these characters, and you may expand the list depending on how spammers combine these characters. The following procedure uses the sample mentioned above.

  1. Go to Policy > Policy Objects > DLP Data Identifiers.
  2. Select the Expression tab and click Add.
  3. Provide a name and copy the string "([Ͱ-Ͽ]+)" without quotes to the Expression field, then click Save.
     
    The string follows the pattern ([<first letter>-<last letter>]+), using the first and last letters of the Greek and Coptic Unicode range.

  4. Repeat Step 3 and copy the string "([ɐ-ʯ]+)" without quotes, to the Expression field, then click Save.

  5. Create a DLP Compliance Template.
    1. Navigate to Policy > Policy Objects > DLP Compliance Templates and click Add.
    2. Provide a name, select the DLP Data Identifier you just created, click Add and then Save.

    Below is an example wherein both DLP Compliance Templates are added into the policy.

    Here is a sample policy:

  6. Test the policy to verify that an email with Greek or Latin characters is quarantined.

    • Profanity detection

    • Compliance detection
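
The following is an added example, not Trend Micro's code: it checks the three expressions from this article offline against decoded subject lines before they are pasted into the Web UI. Python's `re` module stands in for the appliance's expression engine (an assumption), and the sample subjects and function names are constructed for illustration.

```python
import re
import unicodedata
from email.header import decode_header, make_header

# Range endpoints of the article's three expressions, kept as code points so
# copy/paste or encoding damage cannot silently change them.
IDENTIFIERS = {
    "cjk": (0x4E00, 0x9FFF),             # ([一-鿿]+)
    "greek_coptic": (0x0370, 0x03FF),    # ([Ͱ-Ͽ]+)
    "ipa_extensions": (0x0250, 0x02AF),  # ([ɐ-ʯ]+)
}

def build_expression(first, last):
    """Compose ([<first letter>-<last letter>]+) from two code points."""
    return "([%s-%s]+)" % (chr(first), chr(last))

def range_endpoints(expression):
    """Return the code points a pasted ([X-Y]+) expression really contains."""
    m = re.fullmatch(r"\(\[(.)-(.)\]\+\)", expression)
    return (ord(m.group(1)), ord(m.group(2))) if m else None

COMPILED = {n: re.compile(build_expression(*r)) for n, r in IDENTIFIERS.items()}

def decode_subject(raw):
    """Decode RFC 2047 encoded-words so matching sees the real characters."""
    return str(make_header(decode_header(raw)))

def matched_identifiers(raw_subject):
    """Names of the identifiers whose expression hits the decoded subject."""
    text = decode_subject(raw_subject)
    return sorted(n for n, rx in COMPILED.items() if rx.search(text))

def hit_names(raw_subject):
    """Unicode names of every matched character, for reviewing a hit."""
    text = decode_subject(raw_subject)
    chars = {c for rx in COMPILED.values()
             for m in rx.finditer(text) for c in m.group(1)}
    return sorted(unicodedata.name(c, "UNNAMED") for c in chars)

# Constructed sample subjects (not taken from the article's screenshots).
SAMPLES = [
    "Quarterly report attached",    # plain ASCII
    "Caf\u00e9 menu for Friday",    # Latin-1 accent, outside all three ranges
    "fr\u03b5\u03b5 pr\u0259mium",  # Greek epsilon and IPA schwa mixed in
    "=?UTF-8?B?5L2g5aW9?=",         # MIME-encoded CJK subject as sent
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(repr(s), "->", matched_identifiers(s) or "no match", hit_names(s))
```

`range_endpoints` returns `(63, 63)` for an expression whose characters were replaced by `?` during copy and paste, which is one way the Test step in the Web UI can give an incorrect result.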

Category: Troubleshoot
Solution Id: 1118756