Mister Audi R8 Spyder
asked on
How to Block Top Level Domain with Sonicwall
What Network Objects and/or Firewall Rules could I use (or would I have to create) to block an entire top level domain with my Sonicwall? We have no need to communicate with anyone not on a .com, .net, or .org domain and the spammers have been finding ingenious ways to bug the hell out of me from their .us, .in, .info, .biz, etc. domains. I'd like to block all of these newer top level domains in a relatively easy fashion. It's extreme yes, but I'm up against the clock. Thanks in advance!
Attached is a image of the screen I used.
Screen.jpg
Screen.jpg
ASKER
Thanks John, but I neglected to mention that this is incoming traffic. If I'm not mistaken, CFS is only to limit my employees from going to these sites correct? I'm basically looking for a solution to block ALL emails coming from any domain EXCEPT .com, .net, and .org.
@Mister Porsche GT3
you are right, CFS applies to web access only which means you can't use this way to filter general IP traffic this way, including email traffic.
unfortunately, the objects in SonicWALL must be IP addresses in numbers, hence domain based filter won't be applicable to SonicWALL objects. therefore your requirement CANNOT be fulfilled by your SonicWALL whatever it is running Standard or Enhanced version.
what you expect can be done by setting up your own DNS server which will be handling all your outgoing DNS requests against all domains. you may simply configure this DNS server to resolve ALL unwanted top domains (actually ANY unwanted domain) itself instead of forwarding the requests to up-level DNS server on the Internet (this is for allowed domains).
simply resolve these unwanted domain to 0.0.0.0 or an unused INTERNAL address, then all traffic to these domains will become nothing, never be accessible. sounds like what you need?
this method applies to all outgoing traffic, including ANY email traffic, so the spam links to the unwanted domains will be NEVER valid again.
does it make sense?
you are right, CFS applies to web access only which means you can't use this way to filter general IP traffic this way, including email traffic.
unfortunately, the objects in SonicWALL must be IP addresses in numbers, hence domain based filter won't be applicable to SonicWALL objects. therefore your requirement CANNOT be fulfilled by your SonicWALL whatever it is running Standard or Enhanced version.
what you expect can be done by setting up your own DNS server which will be handling all your outgoing DNS requests against all domains. you may simply configure this DNS server to resolve ALL unwanted top domains (actually ANY unwanted domain) itself instead of forwarding the requests to up-level DNS server on the Internet (this is for allowed domains).
simply resolve these unwanted domain to 0.0.0.0 or an unused INTERNAL address, then all traffic to these domains will become nothing, never be accessible. sounds like what you need?
this method applies to all outgoing traffic, including ANY email traffic, so the spam links to the unwanted domains will be NEVER valid again.
does it make sense?
inckming traffic to the sonicwall is only an ip. DNS is for outgoing only. You can make address objects and they work for both in and out, but their star only goes one level deep. So *.biz won't block a.bad.biz
Any chance you are concerned about email, not web access? What are these "spammers" actually hitting on your network to bother you?
Any chance you are concerned about email, not web access? What are these "spammers" actually hitting on your network to bother you?
ASKER
Aaron,
Yes, the concern is strictly regarding email traffic. My employees don't actively seek them out. Unfortunately, I am a member of a few organizations that blast out your email address "as a favor" to everyone else on their lists once you join their organization. Once that happens, you get passed around quickly and some of those folks might even have viruses that bombard you. To make a long story short...we're getting 2000+ emails a day that are complete garbage and seem to have found their way around Sonicwall's paid SPAM washing service. Most of the emails are from junk domains like .biz, .us, .info, .adv, etc.
Yes, the concern is strictly regarding email traffic. My employees don't actively seek them out. Unfortunately, I am a member of a few organizations that blast out your email address "as a favor" to everyone else on their lists once you join their organization. Once that happens, you get passed around quickly and some of those folks might even have viruses that bombard you. To make a long story short...we're getting 2000+ emails a day that are complete garbage and seem to have found their way around Sonicwall's paid SPAM washing service. Most of the emails are from junk domains like .biz, .us, .info, .adv, etc.
ASKER
bbao,
I'm not worried about my employees following the phishing links to the incoming SPAM. I just don't want to receive the SPAM at all. So I'd like to block ALL incoming email except from the three top level domains. Drastic I know, but I have interest talking to anyone but a few folks who don't have a URL in the top three. For those few I can add them to a white list.
I'm not worried about my employees following the phishing links to the incoming SPAM. I just don't want to receive the SPAM at all. So I'd like to block ALL incoming email except from the three top level domains. Drastic I know, but I have interest talking to anyone but a few folks who don't have a URL in the top three. For those few I can add them to a white list.
Alright now we are getting somewhere. What's your email server?
ASKER
Exchange 2013 with DAG
yeah, that's super easy to block right in exchange
https://technet.microsoft.com/en-us/library/bb124354%28v=exchg.150%29.aspx
https://technet.microsoft.com/en-us/library/bb124354%28v=exchg.150%29.aspx
ASKER
Aaron,
We tried this, but the MAIL FROM header is too easily spoofed. I tried blocking *.info for example in Exchange and kept getting emails from 5686873493@gmail.com (which is nearly impossible to block of course because they just increment the number and keep sending). I'd like to figure out a way to block *.info while still performing something similar to a reverse DNS lookup. I know you can use SPF records, but not everyone uses them and it's an "all or nothing" rule for blocking so even that is not a viable solution.
We tried this, but the MAIL FROM header is too easily spoofed. I tried blocking *.info for example in Exchange and kept getting emails from 5686873493@gmail.com (which is nearly impossible to block of course because they just increment the number and keep sending). I'd like to figure out a way to block *.info while still performing something similar to a reverse DNS lookup. I know you can use SPF records, but not everyone uses them and it's an "all or nothing" rule for blocking so even that is not a viable solution.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Aaron,
I'll go ahead and give you the credit even though I'm still looking for an answer. We have the Sonicwall SPAM washing subscription and it is useless. I won't be renewing it. Is Barracuda any better?
I'll go ahead and give you the credit even though I'm still looking for an answer. We have the Sonicwall SPAM washing subscription and it is useless. I won't be renewing it. Is Barracuda any better?
Never used barracuda, I think they are all beefy appliances, good reputation though. I've worked with a few larger orgs that use them and they seem powerful.
Do you really want to host your own? Have you looked at comodo or one of the other cloud services?
Do you really want to host your own? Have you looked at comodo or one of the other cloud services?
ASKER
Unfortunately, a full cloud service is not an option. Let's just say my customer is rather private... ;-)
Best reason there is to run your own mail server.
As I don't have experience with any of them I won't mention any by name. Search for self hosted exchange spam filter and you will find lots of options
As I don't have experience with any of them I won't mention any by name. Search for self hosted exchange spam filter and you will find lots of options
The top level domains can be blocked by adding them to the keywords blocking section. Browse to Security Services>Content Filter and then click configure. Then click on the custom list tab. Under the Keyword Blocking add the top level domain which would be blocked. Examples are .com, .net, .biz, .info, etc. Be sure to include the dot/period