Solved: Re: Block outgoing emails based on recipient MX

M1ssi · ‎06-04-2024

Hi everyone,
Is there a way to block a specific receiver MX?
I want to prevent my users from accidentally replying to typosquatting hosts.

There are hosts that collect typosquatted domains and set up an MX directly behind them.
For example, "oulook.com" points to such an MX (park-mx.above.com) and it accepts everything it receives.
I don't know what happens to the data then, but I do know that I don't want to send them any.
Unfortunately, I haven't found anything in the message filters, content filters or any other settings. (AsyncOS 14.2.x)

Ken Stieers · ‎06-05-2024

Yeah, the ESA (and I'm sure ETD as well) is built around where the mail came from, NOT where its going...
And nothing looks ahead for where a mail is going, so when it hits the delivery queue, it doesn't know where the mail is headed until the SMTP process starts working on that mail. And there's nothing to hook up to on the outbound engine.

NOW... you could do some things with DNS... in the DNS settings on the box you could point the DNS for that domain at a DNS server you control and you can point
park-mx.above.com at 127.0.0.1 or something. A single windows box with DNS server installed, and not AD integrated, just a list of borked domains you don't want your ESA talking to.

Your other option would put it in your firewalls... if you have a dynamic connector option, write a script go to get the ips for the list of domains like this and dump to text on regular basis, then use the dynamic connector to pull these IPS in and block them.

View solution in original post

Ken Stieers · ‎06-05-2024

Yeah, the ESA (and I'm sure ETD as well) is built around where the mail came from, NOT where its going...
And nothing looks ahead for where a mail is going, so when it hits the delivery queue, it doesn't know where the mail is headed until the SMTP process starts working on that mail. And there's nothing to hook up to on the outbound engine.

NOW... you could do some things with DNS... in the DNS settings on the box you could point the DNS for that domain at a DNS server you control and you can point
park-mx.above.com at 127.0.0.1 or something. A single windows box with DNS server installed, and not AD integrated, just a list of borked domains you don't want your ESA talking to.

Your other option would put it in your firewalls... if you have a dynamic connector option, write a script go to get the ips for the list of domains like this and dump to text on regular basis, then use the dynamic connector to pull these IPS in and block them.

M1ssi · ‎06-05-2024

Hi Ken,
Such a pity, I was hoping that the ESA could be made to look at the receiver :(.
But your ideas are very good, I will look at them and discuss with my colleagues.
Many thanks for that!

Ken Stieers · ‎06-05-2024

What you're trying to do feels novel to me, like no one is thinking of that end of it at all so thinking through it was interesting.

dukebox · ‎07-05-2024

Agreed this is an interesting topic to provide, as I have stumble on this emailfake.com website which is supposedly used for disposable emails, but let anyone registered any domain with them using their services and being abused to spam us....

So I was looking in a way to block any incoming or outgoing related to MX:emailfake.com ..

We cannot sinkholes DNS or block at the firewall since we are using the Cloud instance ESA and ETD.... any other viable alternative ?

ref : https://emailfake.com/blog/new-fake-email-domain