Threat Feed Settings

Each setting and its description:

Enable Threat Feed

Enables or disables the Threat Feed entirely. This setting is enabled by default.
Resubmit threats which are seen again after

Determines when URIs that are seen repeatedly in authentication failure samples will be resubmitted to your Threat Feed. Select from:

  • 2 weeks (default)
  • 1 month
  • 3 months

If your Threat Feed contains a significant number of false positives (in most cases, legitimate URLs) or junk/spam URLs (which are not actual threats and typically require no action), you may want to choose one of the longer durations. The default 2 week period suits most organizations because it lets you see URLs for which you missed taking necessary action. This matters especially if you use a takedown vendor that charges per link and contractually limits the time you have to act.

Signal strength

Determines what threats are included in the Threat Feed. Select from:

  • Send all threats - Includes both URIs spoofing your brand and threats failing DMARC. Recommended setting for highest signal strength.
  • Send all threats with brand identifiers - Includes only URIs with brand identifiers.
  • Send all DMARC failure threats (default) - Excludes URIs with brand identifiers.

Include detected by: threat source in feed emails

Determines whether the Detected By column appears in the Threat Feed table. The Detected By column separates Threat Feed submissions by their threat source, which can be DMARC data or Brand Spoofs.

Exclude URIs on the DMARC Protection allow list

DMARC Protection maintains a global allow list of known legitimate URI patterns. This setting determines whether URIs matching those patterns appear in your Threat Feed. Select it (the default) to ensure that URIs matching these patterns are not submitted to your Threat Feed.

Exclude URIs on my allow list

You can add URIs to an allow list for your organization. This setting determines whether URIs matching your allow list appear in your Threat Feed. Select it (the default) to ensure that URIs matching these patterns are not submitted to your Threat Feed.
Exclude URIs from sources with an IP Reputation threshold greater than

IP Reputation is a reputation score for the source IP address of an email message. IP Reputation values range from -10 (worst) to +10 (best). You can exclude URIs extracted from messages whose source IP has a reputation above a designated threshold. The default value is 0, so with the default setting URIs from any source scoring above 0 are excluded.

You might choose, for example, to have your Threat Feed ignore any URIs coming from messages where the source has a highly positive IP Reputation.

Send Threat Feed to email recipients

Determines whether items in your Threat Feed are sent to the recipients you designate. Enter a comma-separated list of valid email addresses. This list should include the email address of any takedown vendors that you wish to receive your Threat Feed directly.

NOTE:

This email feed is potentially high volume. It is intended for automated processing, not a personal mailbox.

These email messages will contain malicious URIs. You should add an exception for these messages to your anti-spam and anti-virus filters so they are not blocked or defanged. Scope the exception as narrowly as your filter allows, for example to the source IP ranges and From header listed below, rather than allow-listing the sending domain outright.

Threat Feed email messages:

  • Will come from a source IP address in the following ranges: 199.255.192.0/22, 199.127.232.0/22, 54.240.0.0/18
  • Will use a From header of Fortra <no-reply@fortra.com>
  • Will use the Subject line you designate in the Subject of feed emails field
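Because these messages carry live malicious URIs and are exempted from your mail filters, an automated consumer should verify that each message really came from the feed before acting on its contents. The following Python script is an added example written for this page; it is not Fortra code and does not reflect how the product formats its messages. It checks the connecting IP against the three documented ranges, the From address, and the configured Subject, and only then extracts URIs from the body. It assumes the topmost Received header was written by your own MTA (the only one you can trust for the connecting IP), and the sample messages, the subject "Fortra threat feed for Example Corp", and the .test domains are all constructed for illustration.

```python
"""Validate an inbound Threat Feed email before automated processing.

Added example, not Fortra code. Assumes the feed lands in a mailbox read by
automation and that the first Received header was added by our own MTA.
"""
import email
import ipaddress
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import List, Optional, Tuple

# Source ranges and From address documented for Threat Feed emails.
FEED_SOURCE_RANGES = [
    ipaddress.ip_network(n)
    for n in ("199.255.192.0/22", "199.127.232.0/22", "54.240.0.0/18")
]
FEED_FROM_ADDRESS = "no-reply@fortra.com"

# Assumed value: whatever was entered in "Subject of feed emails".
CONFIGURED_SUBJECT = "Fortra threat feed for Example Corp"

_RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
_URI = re.compile(r"https?://[^\s<>\"']+")


def connecting_ip(msg: EmailMessage) -> Optional[str]:
    """Return the bracketed IP from the topmost Received header.

    Only the header our own MTA prepended is trustworthy; anything below it
    could have been forged by the sender.
    """
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = _RECEIVED_IP.search(str(received[0]))
    return m.group(1) if m else None


def is_feed_source(ip: str) -> bool:
    """True if ip falls inside one of the documented Threat Feed ranges."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in FEED_SOURCE_RANGES)


def validate_feed_email(raw: bytes) -> Tuple[bool, str]:
    """Check source IP, From address and Subject; return (ok, reason)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ip = connecting_ip(msg)
    if ip is None or not is_feed_source(ip):
        return False, f"source IP {ip} not in Threat Feed ranges"
    from_addr = parseaddr(str(msg.get("From", "")))[1].lower()
    if from_addr != FEED_FROM_ADDRESS:
        return False, f"unexpected From address {from_addr}"
    if str(msg.get("Subject", "")).strip() != CONFIGURED_SUBJECT:
        return False, "subject does not match configured feed subject"
    return True, "ok"


def extract_feed_uris(raw: bytes) -> List[str]:
    """Return de-duplicated URIs from the body, or [] if validation fails."""
    ok, _ = validate_feed_email(raw)
    if not ok:
        return []
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return list(dict.fromkeys(_URI.findall(text)))


# Constructed sample: feed email relayed to our MTA from 199.255.193.10.
SAMPLE_FEED = b"""\
Received: from feed.fortra.example (feed.fortra.example [199.255.193.10])
\tby mx.example.com with ESMTPS; Mon, 1 Jan 2024 10:00:00 +0000
From: Fortra <no-reply@fortra.com>
To: feed-intake@example.com
Subject: Fortra threat feed for Example Corp
Content-Type: text/plain; charset=utf-8

http://login-examplecorp.test/verify
https://examplecorp-secure.test/update
http://login-examplecorp.test/verify
"""

# Constructed spoof: identical headers but delivered from an unrelated IP.
SAMPLE_SPOOF = SAMPLE_FEED.replace(b"[199.255.193.10]", b"[203.0.113.5]")

if __name__ == "__main__":
    print(validate_feed_email(SAMPLE_FEED), extract_feed_uris(SAMPLE_FEED))
    print(validate_feed_email(SAMPLE_SPOOF), extract_feed_uris(SAMPLE_SPOOF))
```

The spoofed sample has the right From header and Subject, which is exactly what a filter exception keyed on the sender address would let through; the source IP check is what rejects it. If your MTA exposes the connecting IP in its own header (for example an X-Originating-IP or an authentication results header it stamps), prefer that over parsing Received.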
Include header From: domains in feed emails

Determines whether the From: header domain of the message the URI was extracted from is included in the Threat Feed email. Not selected by default.

This provides additional context about which domain the abuse came from. In general, enable this option unless it breaks automated processing with tools or third-party services you use.

Include Subject: lines in feed emails

Determines whether the Subject line of the message the URI was extracted from is included in the Threat Feed email. Not selected by default.

This provides additional context about abuse messages, such as subject commonalities (for example, subjects that all contain "viagra" or "accounts"). In general, enable this option unless it breaks automated processing with tools or third-party services you use.

Subject of feed emails

Determines the Subject line of Threat Feed emails. This can help you to filter these messages and direct them to specific folders.

The default is "Fortra threat feed for Fortra Data, Inc."

Allow header From: domains

Determines whether URIs contained in messages whose From header uses specific domains are omitted from your Threat Feed. Enter valid domain names in a comma-separated list to exclude URIs found in messages from these domains.

For example, suppose the domain email.mycorp.com is used by your corporate employees to send email. Authentication failures from this domain tend to contain many valid URLs, and you do not want any URLs from email.mycorp.com messages in your organization's Threat Feed. Select this option and enter email.mycorp.com in the text field.

Send threat feed to Internet Identity (target to provide IID: 'Fortra Data, Inc.')

If your takedown vendor is Internet Identity (IID, now Infoblox), select this option to submit your Threat Feed directly to IID without sending Threat Feed emails. Not selected by default.