Riot sends phishing test emails. Without the correct configuration, some of these emails would not pass the Sophos web filter, which would compromise your campaign statistics.
The following guide explains how to avoid this and ensure your test campaigns run smoothly.
Did you know? Unlike Riot, hackers would have no problem bypassing your spam filter by exploiting legitimate email servers, which Riot cannot afford to do.
Add attack domains to the exclusion list
Following the Sophos documentation, add the domains that the platform has generated for you. Use them in place of the placeholders domain1.com, domain2.com... and follow this format:
domain1.com domain2.com domain3.com
For UTM 9
- Navigate to Web Protection > Web Filter Profiles > New filter Action > Websites > Add whitelist > Domain
- Add the domains that the platform has generated for you, in place of the placeholders domain1.com, domain2.com..., following this format:
*.domain1.com, *.domain2.com, *.domain3.com
For Sophos Email Appliance
The instructions below include information from the SEA Configuration guide and the Allow/Block Lists article, both provided by Sophos.
Modify the Allow/Block Lists
The Allow/Block lists allow you to define hosts and senders which are trusted or untrusted. Messages from allowed hosts and senders will bypass Sophos antispam filtering.
To add Riot to the Allow list:
- In your SEA manager, navigate to Configuration > Policy > Allow Lists.
- Click the appropriate list to display the List Editor dialog box.
- If you have an additional spam filter in front of SEA, select the Senders tab. If you do not have an additional spam filter in front of SEA, select the Hosts tab.
- In the Add entries text box, enter each required item and click Add.
- What you enter next varies depending on your selection in Step 3 (Hosts or Senders):
  - If on the Senders tab, enter noreply.link.
  - If on the Hosts tab, enter 159.135.234.25.
- Optionally, you can also add Riot's phish link and landing domains to the Whitelisted URLs list: loginform.net and loginprotect.net
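Because allow-listed hosts and senders bypass antispam filtering, it is worth confirming that the lists contain only the Riot entries given above. The following Python check is an added example, not part of Riot's or Sophos's documentation; it assumes the entries have been copied by hand into the `SAMPLE` dictionary (constructed data), and the function names are hypothetical.

```python
import ipaddress

# Entries this guide lists for Riot; anything else in the lists is flagged.
EXPECTED = {
    "hosts": {"159.135.234.25"},
    "senders": {"noreply.link"},
    "urls": {"loginform.net", "loginprotect.net"},
}

# Constructed sample: two correct lists plus two over-broad entries.
SAMPLE = {
    "hosts": ["159.135.234.25", "159.135.234.0/24"],
    "senders": ["noreply.link", "*.com"],
    "urls": ["loginform.net", "loginprotect.net"],
}

def audit_entry(kind, entry):
    """Return findings for one allow-list entry (empty list means fine)."""
    entry = entry.strip().lower()
    findings = []
    if kind == "hosts":
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            return [f"{entry}: not an IP address or CIDR range"]
        if net.num_addresses > 1:
            findings.append(f"{entry}: covers {net.num_addresses} addresses, not one host")
    else:
        # Strip wildcard/address prefixes; a bare TLD or empty name is too broad.
        bare = entry.lstrip("*.@")
        if "." not in bare:
            findings.append(f"{entry}: matches a whole TLD or every domain")
    if entry not in EXPECTED[kind]:
        findings.append(f"{entry}: not an entry this guide lists for Riot")
    return findings

def audit(allow_lists):
    """Audit every list and return all findings, prefixed with the list name."""
    return [f"[{kind}] {msg}"
            for kind, entries in allow_lists.items()
            for entry in entries
            for msg in audit_entry(kind, entry)]

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```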
Sophos Perimeter Protection
Many of Riot's phishing emails will use senders from domains that don't exist. Sophos has a Perimeter Protection setting which blocks email from any non-existent domains. We do not recommend that you turn this off, as this may allow real spam to come through your filters.
As a workaround, you can modify the senders in phishing templates to come from one of Riot's phish link or landing domains. If you also add Riot to your SPF records, you'll be able to use phishing emails marked with a (Spoofs Domain) tag, as these emails will appear to come from your own domain.