topic Re: Block email attachment from specific domain in General Topics

Block email attachment from specific domain

Vikashh — Mon, 20 Apr 2020 17:56:23 GMT

Hello experts,

Is there any way in Palo Alto to block email attachments coming from specific domain?

Lets say i want to block all email attachments which are coming from *@xyz.com. Is it possible?

Re: Block email attachment from specific domain

S.Cantwell — Tue, 21 Apr 2020 00:01:40 GMT

You may be able to try and create a FQDN object for the domain, and allow traffic into the FW, but create a security profile for file blocking and just do not any attachments.

Using wireshark you can try and create a custom application that is looking for the domain name in the smtp or imap response headers, and create a policy to deny.

Just some ideas.

Re: Block email attachment from specific domain

Vikashh — Tue, 21 Apr 2020 11:56:53 GMT

I am curious if below solution will be able to block incoming mails from specific domain.

Still i will give a try.

Thank you.

Re: Block email attachment from specific domain

SutareMayur — Tue, 21 Apr 2020 12:00:11 GMT

You can easily achieve it on your mail server.

Mayur

Re: Block email attachment from specific domain

BPry — Tue, 21 Apr 2020 15:02:15 GMT

@Vikashh,

Sometimes I think we try to solve issues with the wrong tool, because we know more about the tool directly under our control. In 99.9% of situations when you're looking to block attachments through email, the correct course of action is blocking them on your mail server or SMTP gateway as suggested by @SutareMayur.

Honestly when you are dealing with email its generally gotten to the point where you'll be unable to create a policy that blocks just this one domain from sending attachments on your firewall, because most people are using a shared service or have granted impersonation rights for marketing purposes or the like. So you would have to account for all addresses listed in the orgs SPF record, which likely would match other email that you wouldn't necessarily want to block attachments for. You'd also have to keep that up-to-date when it could be rotating.

OR, you simply do it on your mail server for the domain and be done with it. You can now ensure that the domain isn't allowed to send attachments into your organization and the only time you have to worry about it not working is if they rename their domain.

Re: Block email attachment from specific domain

Vikashh — Tue, 21 Apr 2020 15:55:39 GMT

@BPry ,

Thank you so much for giving clarification on this. Yes i agreed now, it is better to block specific domain on our mail server/ email gateway. I will proceed with same option to do it.

Thanks to @SutareMayur also for the inputs.