Add an Incoming Block list Filtering Rule

You can add rules that apply to a specific domain in the Domain Rules tab or, if accessing from the Admin Level, to all domains linked to the logged in Admin in the Admin Rules tab.

1. In the Admin Level or Domain Level Control Panel, select Incoming - Protection Settings > Block list filtering rules
2. Navigate to the appropriate tab: Domain Rules or Admin Rules
3. Click on + Add rule

The dialog that is displayed here depends on whether you have enabled or disabled the Use advanced custom filtering rules option in the User profile page. For more information, see Manage Your Admin User Profile or Manage Your Domain User Profile.

4. Configure the Block list rule as per the filter rule type:
   Simple Block list Filtering Rule

   If the Use advanced custom filtering rules option is disabled in the User profile page, you will see the Add a new simple filtering block rule dialog:

   

   Enter the required information in each of the fields:

   Field	Description	Match Operators	Field value
   Domain (only displayed at Admin Level)	Select the domain the rule will apply to	-	Domain name selected from the dropdown list of domains
   Rule name	Give the rule a memorable name	-	Rule name in text format
   Match	Use the Match fields to structure your rule. The following options are available: Subject The subject of the message	Can be refined by the following operators: Is Is not Contains Does not contain Starts with Ends with	The part of the message subject to block in text format
   	From The message header FROM address. Note: this is different to the SMTP envelope sender address.	Can be refined by the following operators: Is Is not Contains Does not contain Starts with Ends with	The part of the message header FROM address to block in a valid email address format e.g.: Rocket Raccoon <rocket@demo-domain.invalid> Check the exact format from an example message header of the type you wish to block as the format may differ
   	To The message header TO address. Note: this is different to the SMTP envelope recipient address.	Can be refined by the following operators: Is Is not Contains Does not contain Starts with Ends with	The part of the message header TO address to block in a valid email address format e.g.: Rocket Raccoon <rocket@demo-domain.invalid> Check the exact format from an example message header of the type you wish to block as the format may differ
   	CC The message header CC addresses.	Can be refined by the following operators: Is Is not Contains Does not contain Starts with Ends with	The part of the CC address to block that was contained in the message header in a valid email address format e.g.: local-part@domain.invalid Check the exact format from an example message header of the type you wish to block as the format may differ
   	Country The desired Country name as is displayed in the Log Search > Location column e.g. Iran, Islamic Republic of, or United States	Can be refined by the following operators: Is Is not	Select the value from the defined list of Country codes
   	Continent In the text field, enter the desired Continent name e.g. Europe, or North America	Can be refined by the following operators: Is Is not	Select the value from the defined list of Continent names
   	Message Body The decoded message body content.	Can be refined by the following operators: Is Is not Contains Does not contain Starts with Ends with	The part of the decoded message content to block in text format
   	Recipient The SMTP envelope RCPT TO address. Note: this is different to the message header TO address.	Can be refined by the following operators: Is Is not Contains Does not contain Starts with Ends with	The SMTP envelope RCPT TO address to block in a valid email address format e.g.: local-part@domain.invalid
   	Sender The SMTP envelope MAIL FROM address. Note: this is different to the message header FROM address.	Can be refined by the following operators: Is Is not Contains Does not contain Starts with Ends with	The SMTP envelope MAIL FROM address to block in a valid email address format e.g.: local-part@domain.invalid
   	Sender IP The public IP address of the server sending the message to the filter.	Can be refined by the following operators: Is Is not Contains Does not contain Starts with Ends with	The Public IP address of the sending server to block in a valid IP format e.g.: 1.102.103.104
   	Sender Hostname The associated DNS PTR record for the sender IP address.	Can be refined by the following operators: Is Is not Contains Does not contain Starts with Ends with	The associated DNS PTR record for the sender IP address to block
   	URL	Can be refined by the following operators: Is Is not Contains Does not contain Starts with Ends with	-
   	Language The language the message was written in using the ISO 639-1 two-digit language code.	Can be refined by the following operators: Is Is not	Select the value from the defined list of language codes - Language code
   	Attachment Type The MIME type of an attached file - as defined by the sending server.	Can be refined by the following operators: Is Is not Contains Does not contain Starts with Ends with	The MIME type of attached files to block in text format
   	Attachment Name The name of an attachment including the file extension.	Can be refined by the following operators: Is Is not Contains Does not contain Starts with Ends with	The name or file extension of attached files to block in text
   	Attachment Type (auto-detect) The MIME type of an attached file - as detected by the filter system	Can be refined by the following operators: Is Is not Contains Does not contain Starts with Ends with	The MIME type of attached files to block in text format
   	Sensitive Data The type of sensitive data in the email - as detected by the filter system	Can be refined by the following operators: is	Chose one of five available data types to match: credit-card bank-account personal-identifier health-identifier any We will match against the most common formats of these types of data – for example, a VISA credit card might be “4012888888881881”, or “4012-8888-8888-1881”, or “4012 8888 8888 1881”. However, it will always be possible for someone determined to bypass these checks to do so, e.g. with “my credit card is 4012 then eight eights in a row then 1881”. This functionality is intended to protect against accidental exposure rather than malicious intent.
   	Spear Phishing A targeted form of phishing attack aimed to steal sensitive data or install malware on the devices of specific individuals.	-	A spear phishing rule is a security measure configured to detect and prevent spear phishing attacks. You must provide your First Name, Last Name , and select Additional Allowed Domains to allow the emails from these domains despite them having your display names

   Advanced Block list Filtering Rule

   If the Use advanced custom filtering rules option is enabled in the User profile page, you will see the Add a new advanced filtering block rule dialog:

   

   Field/Option	Description
   Domain (only displayed at Admin Level)	Choose the domain you want to apply the rule to from those available in the Domain dropdown. (When you are accessing this page at the Domain Level, the system applies the rule to the logged in domain).
   Rule name	Enter the name you want to give this rule
   Priority	Enter a number to represent the priority given to the rule Rules are evaluated by Priority from the lowest number to the highest number, until one matches or all rules have been checked. All Allow list rules are checked before Block list rules regardless of priority.
   Content Type	By default this field will display Header Name as initially the Match field is set to Header, however, this field will change or disappear as the Match field is changed: Match Field Name Value Header Header Name restrict the check to a specific header. This will also match the decoded version of the header rather than the raw content. You may enter a regular expression here, if required. Message Body Content Type Restrict the check to specific parts of the message for example text/plain, or text/.*. You may enter a regular expression here, if required. Language Automatic or Specified By default, language matches will be done against automatic language detection and when the sender specifies the language. To only match against automatic detection, use "automatic", or to only match when the sender specifies, use "specified" Location Location Type You must specify which type of location to match against. Valid values are: "city" "continent" "country" "represented_country" "registered_country" "latitude" "longitude" You may enter a regular expression here, if required. Advanced filtering location rules created using regular expressions may not be compatible with the simple filtering rule views and as such display as Unknown. Hashing Algorithm Supported Hash You must specify which Hash to match against. Valid values are: MD5 SHA-224 SHA-256 SHA-384 SHA-512 Spear Phishing First Name, Last Name, Additional Allowed Domains A spear phishing rule is a security measure configured to detect and prevent spear phishing attacks. You must provide your First Name, Last Name , and select Additional Allowed Domains to allow the emails from these domains despite them having your display names
   Regular expression	Enter the regular expression for the rule Use the Cheatsheet panel on the right of the page for examples of how to build your regex or our Advanced Filtering Rule Examples and Quick Reference page for more details Unfortunately, the Technical Support team is unable to support any customisation of the predefined Rulesets or those you build yourself. Due to the potential complexity in building a regex pattern, we advise that only users with regex experience should attempt to create new rules or customise existing ones.
   Match	Use the Match fields to structure your rule. The following options are available: Header The RFC-5322 message header content Raw Message The encoded message. Message Body The decoded message content. HELO/EHLO The response to the HELO/EHLO command, from the sending server Recipient The SMTP envelope RCPT TO address. Note: this is different to the message header TO address. Sender The SMTP envelope MAIL FROM address. Note: this is different to the message header FROM address. Sender (Verified) The SMTP MAIL FROM address - only if this address has passed SPF. Sender IP The public IP address of the server sending the message to the filter. Sender Hostname The associated DNS PTR record for the sender IP address. URL Language The language the message was written in using the ISO 639-1 two-digit language code. - Language code Location The country of origin of the sending server using the country name - not the country code. Attachment Type The MIME type of an attached file - as defined by the sending server. Attachment Name The name of an attachment including the file extension. Attachment Type (auto-detect) The MIME type of an attached file - as detected by the filter system Attachment Hash The Hash type of an attached file - as detected by the filter system Message Type The filter classification of the message type, if the message is a genuine newsletter or social-media platform mailing Sensitive Data The type of sensitive data in the email - as detected by the filter system We will match against the most common formats of these types of data – for example, a VISA credit card might be “4012888888881881”, or “4012-8888-8888-1881”, or “4012 8888 8888 1881”. However, it will always be possible for someone determined to bypass these checks to do so, e.g. with “my credit card is 4012 then eight eights in a row then 1881”. This functionality is intended to protect against accidental exposure rather than malicious intent. Spear Phishing A targeted form of phishing attack aimed to steal sensitive information or install malware on the devices of specific individuals.
   Flags	The following flags are available: i (ignore case) m (^ and $ match start and end of line), s (. matches newline) x (allow spaces and comments)

      
5. Click Save

The new rule will appear in the list shortly after saving.

Attachment Hash Rule Specifics

The Hashing Algorithm field that is displayed once Attachment Hash is selected in the Match field is compulsory. Fill this with the algorithm type used to generate the hash for the file to be matched. E.g.:

• MD5
• SHA-224
• SHA-256
• SHA-384
• SHA-512

Spear Phishing

Spear Phishing refers to a targeted form of phishing aimed to steal sensitive information or install malware on the devices of specific individuals. A targeted spear phishing prevention rule for a specific individual can enhance email security by safeguarding against emails that impersonate high-ranking executives, for example, the VP or CEO.

Following are the steps to add a Spear Phishing rule under Simple Block list Filtering Rule:

1. Disable the Use advanced custom filtering rules option in the User profile page and navigate to Block list filtering rules -> + Add rule

   The Add a new simple filtering block rule dialog displays

2. Select Spear Phishing from the Match drop-down. You will see new fields appear

   

3. Enter your First Name, Last Name , and select Additional allowed domains

   Additional allowed domains are the sender domains that are excluded from this blocking rule.

4. Click Save to apply the rule

Following are the steps to add a Spear Phishing rule under Advanced Block list Filtering Rule:

1. Enable the Use advanced custom filtering rules option in the User profile page and navigate to Block list filtering rules -> + Add rule

   The Add a new advanced filtering block rule dialog displays

2. Select Spear Phishing from the Match drop-down. You will see new fields appear.

   

3. Enter your First Name, Last Name, and select Additional allowed domains

   Additional allowed domains are the sender domains that are excluded from this blocking rule.

4. Click Save to apply the rule