cancel
Showing results for 
Search instead for 
Did you mean: 
jont717
Level 12

urs.microsoft.com - Web Mail???

Why does this keep coming up as "Web Mail"?  I tried to change the category by remapping it and that doesn't work either.   Trusted Source says Business, Software/Hardware.

[22/Mar/2011:14:57:33 -0400] "rharvey" 172.16.104.125 0.0.0.0 403 "POST https://urs.microsoft.com/urs.asmx?MSPRU-Client-Key=/Zx6nNdOLxz0sU8KVFS6Yw%3d%3d&MSPRU-Patented-Lock... HTTP/1.1" "Web Mail" "Minimal Risk" "" 0 "VCSoapClient" "" "10"

Anyone else have this issue.  It is throwing off our entire "Web Mail" category in Web Reporter.

0 Kudos
9 Replies
eelsasser
Level 15

Re: urs.microsoft.com - Web Mail???

Not sure exactly, but if you resolve that IP (for it's 65.55.187.221) and lookup the IP, it's categorized as webmail.

Something is categorizing the IP instead of the URL.

Capture.JPG

0 Kudos
jont717
Level 12

Re: urs.microsoft.com - Web Mail???

Here are some more logs from today:  The first IP address is the destination IP.  I took out our client IPs.   So we have the same destination IP coming up as different categories.   What can I do?  Thanks!

3.png

0 Kudos
eelsasser
Level 15

Re: urs.microsoft.com - Web Mail???

Well, i cannot reproduce that behaviour, but you could put urs.microsoft.com into the extended list and have it recategorize the site to always be Business, Hardware/Software to always force it to those categories.

0 Kudos
jont717
Level 12

Re: urs.microsoft.com - Web Mail???

It also comes up like this:   157.55.60.189

157.55.60.189 200 "POST https://urs.microsoft.com/urs.asmx?MSPRU-Client-Key=u8tZywJ9GajB6xhMPz5GqA%3d%3d&MSPRU-Patented-Lock... HTTP/1.1" "Business, Software/Hardware" "Minimal Risk" "" 540 "" "" "0"

And also this:  65.55.187.221

65.55.187.221 200 "POST https://urs.microsoft.com/urs.asmx?MSURS-Client-Key=6yVvLXtAkDlfkR%2bKyTxDaA%3d%3d&MSURS-Patented-Lo... HTTP/1.1" "Business, Software/Hardware" "Minimal Risk" "" 515 "" "" "0"

0 Kudos
eelsasser
Level 15

Re: urs.microsoft.com - Web Mail???

yes. Same for me too.

I don't get it, but I'd just recategorize the site in the extended list and see if that helps.

0 Kudos
jont717
Level 12

Re: urs.microsoft.com - Web Mail???

Okay.  I just put urs.microsoft.com in the extended list to test.

0 Kudos
jont717
Level 12

Re: urs.microsoft.com - Web Mail???

Does not change anything.  Still get all the "Web Mail" hits. 

It blocks all those hits so the IE Phishing Filter in turn is not working.

0 Kudos
msiemens
Level 9

Re: urs.microsoft.com - Web Mail???

This post is a couple of years old but it certainly helped me. I encountered the same issue. "hXXp://eagledoorandhardware.com" was being blocked due to categorization as Web Mail. Trusted Source said it wasn't categorized. After scratching my head, I searched this forum.

It turns out that eagledoorandhardware.com resolves to 72.29.66.107. A reverse lookup of 72.29.66.107 results in server.monsterblu12.com which is categorized as Web Mail. As soon as I added eagledoorandhardware.com to the extended list and categorized it as "Business", eagledoorandhardware.com was no longer blocked, although

server.monsterblu12.com is still blocked because it's Web Mail. Perfect!

Apparently, when the gateway encounters an uncategorized site, it uses the IP address in an attempt to assign a category. Assigning the category in the extended list prevents MWG from categorizing based on the reverse lookup.

0 Kudos
pbrickey
Level 11

Re: urs.microsoft.com - Web Mail???

FYI, this is described in detail here: https://community.mcafee.com/docs/DOC-4825

-Patrick

0 Kudos