topic If you using the exchange in Network Security

Blocking Spamhaus Top 10 most abused Top level domains

andrew.schiro — Tue, 12 Mar 2019 13:28:21 GMT

I've created a test rule to block .study, .accountant, .party, .click, .top, .life, .yokohama, .ml TLD's

I first created a URL objects and then put them in the group TLD_Top10_abused

Created a test policy under users with only me with block with reset.

For some reason it dosn't seem to work. When I created the URL objects I named them "irl.study" then put ".study" as the url. Is there a trick to blocking TLD's?

If you using the exchange

Farhan Mohamed — Mon, 07 Aug 2017 14:07:32 GMT

If you using the exchange server 2010, follow the process as below:-

The specific TLD's I am blocking at present are as follows:

.bar, .bid, .br, .cf, .click, .club, .cn, .cr, .cricket, .date, .eu, .faith, .fr, .ga, .gdn, .gg, .in, .link, .lol, .ml, .ninja, .party, .pw, .racing, .rocks, .rs, .ru, .science, .space, .stream, .tk, .top, .tr, .trade, .us, .wang, .webcam, .website, .win, .work, .xxx, .xyz

I have accomplished this through the use of Sender Filtering (Exchange Management Console -> <OU> -> Organization Configuration -> Anti-spam -> Sender Filtering) and adding each TLD to the Blocked Senders list as a "Domain (include all subdomains)", as opposed to as an "Individual e-mail address" (sic).

#Rate if it helps

Farhan,

andrew.schiro — Mon, 07 Aug 2017 14:22:49 GMT

Farhan,

While this will block spam from entering our accounts from these Top Level Domains, I want to block all traffic in firesite to and from these TLD's. No legitimate traffic should be occurring from these domains.

For instance, If I try to block t.co (twitter links) it blocks anything ending with "t" in the domain name and part of the .com TLD

There seems to be a bit of unintentional wildcarding going on in processing of URL's, which is why I want a method of blocking TLD's not just domains.

Have you tried or heard about

Farhan Mohamed — Mon, 07 Aug 2017 14:39:06 GMT

Have you tried or heard about opendns, if not please check. OpenDNS can block all Top-Level-Domains (TLDs) except .com. Entering a TLD such as net, cn, ru, and so on, will block all sub-domains that end with that TLD name.

See https://support.opendns.com/entries/26514730-Web-Content-Filtering-and-Security

"there are limits on how many entries can be added to 'always block' list. In my case it is 25."

With OpenDNS VIP it is 50.

"you can not establish a whitelist of countries that you want to allow and blacklist all others"

You can - easily! You go for OpenDNS VIP, enable the whitelist-only mode, and add the few TLDs you want to allow to the whitelist. 50 should be sufficient, right?

"If it is not possible to automatically detect language then don't."

OpenDNS has nothing to do with websites and their languages. A DNS service deals with domain names only.

Also check Cisco Umbrella, which is new name for Opendns.

I can arrange demo if you want to know more about Umbrella?

#Please rate if it helps.

Re: Have you tried or heard about

geoces85 — Fri, 24 Aug 2018 14:38:25 GMT

Just to be clear Farhan, your saying FirePower doesnt have a way to block TLD's? we are trying the same thing here and i have not been able to get it working.