Block email attachment from specific domain

L2 Linker

Hello experts,

 

Is there any way in Palo Alto to block email attachments coming from a specific domain?

Let's say I want to block all email attachments which are coming from *@xyz.com. Is it possible?

Accepted Solutions

Cyber Elite

You can easily achieve it on your mail server.

 

Mayur

Cyber Elite

@Vikashh,

Sometimes I think we try to solve issues with the wrong tool, because we know more about the tool directly under our control. In 99.9% of situations when you're looking to block attachments through email, the correct course of action is blocking them on your mail server or SMTP gateway as suggested by @SutareMayur.

Honestly, when you are dealing with email it's generally gotten to the point where you'll be unable to create a policy that blocks just this one domain from sending attachments on your firewall, because most people are using a shared service or have granted impersonation rights for marketing purposes or the like. So you would have to account for all addresses listed in the org's SPF record, which likely would match other email that you wouldn't necessarily want to block attachments for. You'd also have to keep that up-to-date when it could be rotating.

 

OR, you simply do it on your mail server for the domain and be done with it. You can now ensure that the domain isn't allowed to send attachments into your organization and the only time you have to worry about it not working is if they rename their domain. 
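
The mail-server approach from the accepted answers, sketched as an added example (not code from the thread or from any mail product): a content-filter check that rejects file-bearing messages by sender domain name instead of by source IP. The function names, the subdomain rule and the sample message are assumptions; `xyz.com` is the placeholder domain from the question.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import getaddresses

BLOCKED_DOMAINS = {"xyz.com"}  # the example domain from the question


def sender_domain(addr):
    """Lower-cased domain part of an address, or '' when there is none."""
    if "@" not in addr:
        return ""  # e.g. the empty envelope sender "<>" used by bounces
    return addr.rpartition("@")[2].strip(" >.").lower()


def is_blocked(domain):
    # Assumption: subdomains (mail.xyz.com) are treated like the parent domain.
    return any(domain == b or domain.endswith("." + b) for b in BLOCKED_DOMAINS)


def has_file(msg):
    """True if any MIME part, at any nesting depth, is an attachment or named file."""
    return any(
        not part.is_multipart() and (part.is_attachment() or part.get_filename())
        for part in msg.walk()
    )


def verdict(envelope_from, raw_message):
    """'reject' when a blocked domain sends a message that carries a file."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    # Match on domain names, not source IPs: check the SMTP envelope sender
    # and every From: header address, since bulk senders often differ there.
    senders = [envelope_from] + [a for _, a in getaddresses(msg.get_all("From", []))]
    if any(is_blocked(sender_domain(s)) for s in senders) and has_file(msg):
        return "reject"
    return "accept"


def sample_message(from_header, with_file):
    """Constructed test message; not taken from the thread."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = from_header, "user@example.org", "test"
    msg.set_content("hello")
    if with_file:
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename="report.bin")
    return msg.as_bytes()
```

Plain-text mail from the blocked domain still passes; only messages that carry a file are rejected, regardless of which relay delivered them.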


5 REPLIES 5

Cyber Elite

You may be able to try and create a FQDN object for the domain, and allow traffic into the FW, but create a security profile for file blocking and just do not allow any attachments.

Using Wireshark you can try and create a custom application that is looking for the domain name in the SMTP or IMAP response headers, and create a policy to deny.

 

Just some ideas.

Help the community: Like helpful comments and mark solutions

I am curious if the below solution will be able to block incoming mails from a specific domain.

Still, I will give it a try.

 

Thank you.

@BPry ,

 

Thank you so much for giving clarification on this. Yes, I agree now, it is better to block the specific domain on our mail server/email gateway. I will proceed with the same option to do it.

 

Thanks to @SutareMayur also for the inputs. 
