cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
18570
Views
0
Helpful
6
Replies

Best practice to blacklist a sender

RoBu
Level 1
Level 1

Hello Community,

 

what is the better practice to blacklist a specific sender i.e. "guy@badguys.com" or "@badguys.com"?

 

- use "Sender Verification Exception Table" and set the address as "reject", and enable the table on the the table on the mailflowpolicy "blocked"?

 

or

 

- use an "Incoming Mail policy" on these senders with an "incoming content filter" that blocks/drop/bounces the mail?

 

AFAIK the better one should be the exception table, because the mail is already blocked during the SMTP dialog. Is this right?

 

Regards Roman

1 Accepted Solution

Accepted Solutions

Libin Varghese
Cisco Employee
Cisco Employee

Blocking an email at the connection level is certainly better, since it saves resources.

 

However, sender verification is DNS based and HAT Blacklist only accepts sending IP/hostname as entries. These do not provide you options to block a domain or email address specifically.

 

Sender verification exception table is used to set exceptions for domains who you do not wish to run sender verification on, so that isn't used for blocking.

 

To block a specific email address/domain you would always need message/content filters.

 

Regards,

Libin Varghese

View solution in original post

6 Replies 6

Libin Varghese
Cisco Employee
Cisco Employee

Blocking an email at the connection level is certainly better, since it saves resources.

 

However, sender verification is DNS based and HAT Blacklist only accepts sending IP/hostname as entries. These do not provide you options to block a domain or email address specifically.

 

Sender verification exception table is used to set exceptions for domains who you do not wish to run sender verification on, so that isn't used for blocking.

 

To block a specific email address/domain you would always need message/content filters.

 

Regards,

Libin Varghese

exMSW4319
Level 3
Level 3

There's very few occasions where it's worth blocking by sender or envelope address or domain. I only do it where there's a persistent problem with an actual sender who's unlikely to morph. Most of my blocks are by sending server or IP range, aimed at ESPs and "bulletproofs" who think that abuse from their network is perfectly acceptable. The HAT Says No.

 

Having said that, if you're going to go after the problem at that level then you will have to do your diligence first, and keep evidence that the block was merited. Diligence means checking over the suggested host name or IP range to see who else uses it, and evidence means keeping copies of not one but multiple abuses to substantiate your action. My own selectively pruned Abuse store runs to 940Mb for a relatively small collection of 2,000 private recipients, and if you are providing a service to the public or other organisations then data protection regulations may limit what you can retain.

 

Diligence checks will also turn up cases where it turns out that the sender has a significant output of genuine mail, and in those cases you'll have to sharpen your aim or try a different tactic.

 

However, the biggest problem is going to be the time needed to do all of this, which is probably why you may want to limit any action to the sort of specific "problem" sender I mentioned above and leave the mainstream spam handling to the Greymail feature, URL filtering or the spam reporting plug-in. For dealing with the small number of "individual" cases I maintain custom dictionaries of both hosts and sender addresses then have content rules operate on that. You can double up with both "grey" and "black" dictionaries, where a hit on one merely notes or quarantines a mail and a hit on another goes straight to a drop action, which of course makes the mail irretrievable.

You cannot match a sender's email domain via the Blacklist Sender Group since it refers to the hostname or IP address of the connecting server, not necessarily the sender's domain. Hence, the recommended way to blacklist a sender's email domain is by using 'Incoming mail policy' and content filter > https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118551-qa-esa-00.html. Anyone out there who use Blacklist Sender Group extensively, or most of u use content filtering?

We use both, but mostly the policy/content filter.

RoBu
Level 1
Level 1

Sorry to come back so late, but many thanx to all of you for your replies.

 

Well, i'll use an incoming policy to solve this.

 

Regards

Roman