Block single domain when blocklist set to quarantine.


Using the SEA,


I have already configured the standard blocklist to quarantine various messages and do not want to change this.

However - I have a domain I would like to discard all traffic from.


I have added the domain to a phrase filter set to discard but the emails still flow through. The rule is moved to top of the list but not triggering?

I have tried adding the domain as:  *  and just neither method works.

Am I missing an obvious solution? Can anyone help?




  • DISCLAIMER: this response contains information that could have unexpected results.  DO NOT SET ANY RULES TO DISCARD as there is no "recycle bin"  DISCLAIMER

    always set the main action to quarantine until you are sure your rules work exactly as expected, in case you need to retrieve a false positive.


    Hi Tony,

    If you mean you have changed filtering options to quarantine..  that may not be the best idea..

    in short:

    the results "should" be the same, except if you leave it to discard.. any connecting MTA that is blacklisted would be dropped by Postfix at the connection level.

    this is good because your appliance is not wasting its time processing mail from bad senders. 

    this is bad because it means it's ruling all your policy against all of this mail that should be dropped.. so any policy that may say "deliver immediately" or other scanning rules could be delivered when it should never have been accepted in the first place.


    Before going on, I highly recommend you have a look at my KB on spam settings:


    In regards to dropping mail from a domain.  here is an example :

    configuration / policy / allow/block list / block list

    you will see a pop up with HOSTS and SENDERS tabs

    HOSTS: should be root domains or IPs / CIDR ranges .. IE etc

    SENDERS: checks the DATA from .. IE:

    do not try and use any wildcards or similar..   If this does not work then chances are the MTA and data senders may be mixed up .. or similar.


    another option would be to create a watch list rule.  the sample KB can be found here:


    under additional policy ..


    watch list

    select users : choose the Include sender  (this makes the rule ONLY apply to who you enter next)

    check custom groups



    main action : quarantine

    next, name it, save it. 


    Email Globs .. the short version...

    email globs are specifically used for email address matching... they are slightly different 


    for example

    One  * means 1 word between a qualifier ..  it is not a "normal" wildcard .. like delete *.*


    would match:

    it would not match or


    ** means match any number of words regardless 


    would match any number of chars in front of the @



    would NOT match

    but it would match


    there are two other common ones you could use in the (message attributes) rules .. under regular expressions.. they are:

    .*  = means match anything OR nothing ..

    and $  means ends in ..



    match a blank or null string:  may be useful for emails with no subject for example. but again be very careful with rules like this.



    top level domain (when used with a watch list rule like above you could target all mail from a tld or country) 



    or a combination .. like


    means anything in front of the @ that specifically ends in


    there are some cases where you may need multiple rules to accomplish the goal..  for example .. 

    there are 2 rules you could use to search for all mail from .info and .tv domains. 


    again .. do NOT set these rules to discard.

    here is an example using all of the examples listed above ...


    BELOW is an example of using all of the above matching to match both ENVELOPE and DATA senders.


    This sample would quarantine  any mail from .info and .tv top level domains. 

    BE VERY VERY CAREFUL with these rules.

     NOTE: mail that is quarantined for the reason of KEYWORD will not show up in the quarantine digest.. but you CAN search through the UI .. this will allow you to see all of the hits on the rules..



    two rules are required:

    #1 : DATA rule checker

    under configuration / policy / data control / inbound
    rule type : messages matching specific words or phrases
    enable advanced policy
    rule config
    message attributes
    select Header from the drop down
    name From (the capital F is important)
    matches regular expression
    value : .*@.*\.domain$
    ie : .*@.*\.tv$ or .*@.*\.info$
    select users
    main action:
    quarantine / reason keyword 
    next until rule description... give it a name and activate the rule

    once you get dropped back to the rules listing make sure this rule is #1 in the list, click save order

    #2 Envelope rule

    under configuration / policy / data control / inbound
    rule type : messages matching specific words or phrases
    enable advanced policy
    rule config
    click on the regular expressions tab
    message attributes
    select users
    click on include sender
    custom group add
    ie: **@**.info
    click add
    main action:
    quarantine for keyword
    next to the end
    give it a name, activate the rule
    once it's saved move this rule directly under the previous rule and click save order.


    in closing.


    the SEA is an exceptional email appliance, in regards to rules.. the sky's the limit.. just always make sure your rules are as specific as possible to avoid false positives.


    have fun..
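
An added example, not part of the original reply and not the appliance's own code: a Python sketch that runs the two header regexes from the reply against constructed From values, and translates the `*` / `**` glob behaviour as the reply describes it into a regex. The glob translation, the function names, the `normalise` step and the sample addresses are assumptions for illustration; the appliance may pre-process headers or match globs differently.

```python
import re
from email.utils import parseaddr

# The two header regexes given in the reply.
PAGE_REGEXES = [r".*@.*\.tv$", r".*@.*\.info$"]

def header_match(from_value, normalise=False):
    """Apply the reply's regexes to a From header value.
    normalise=True first extracts the bare address (an assumed pre-processing
    step; whether the appliance does this is not stated on the page)."""
    value = parseaddr(from_value)[1] if normalise else from_value
    return any(re.search(p, value) for p in PAGE_REGEXES)

def glob_to_regex(glob):
    """Assumed reading of the reply's glob rules:
    '*' = exactly one word (no '.' or '@'), '**' = any number of words."""
    parts, i = [], 0
    while i < len(glob):
        if glob.startswith("**", i):
            parts.append(r"[^@]*")
            i += 2
        elif glob[i] == "*":
            parts.append(r"[^@.]+")
            i += 1
        else:
            parts.append(re.escape(glob[i]))
            i += 1
    return re.compile("^" + "".join(parts) + "$")

def glob_match(glob, address):
    return glob_to_regex(glob).match(address) is not None

# Constructed sample values, not taken from real mail.
SAMPLES = [
    "bob@example.tv",               # bare address
    "Bob <bob@example.tv>",         # display-name form ends in '>'
    "bob@example.tv.example.com",   # .tv is not the final label
    "a.b@mail.example.info",        # multi-word local part and host
]

if __name__ == "__main__":
    for s in SAMPLES:
        addr = parseaddr(s)[1]
        print(f"{s!r}: regex raw={header_match(s)} "
              f"normalised={header_match(s, True)} "
              f"*@*.info={glob_match('*@*.info', addr)} "
              f"**@**.info={glob_match('**@**.info', addr)}")
```

If the header regex is applied to the raw value, the display-name form ends in `>` and the `$`-anchored pattern does not match it, which is worth confirming against quarantined hits before relying on the rule.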