Cisco Support Community
New Member

Block top level domains with ironport

I'm new to ironport and I'm trying to help someone block some SPAM they are receiving from foreign domains. They have a blacklist defined on their incoming mail policies, but it would not allow me to add a wildcard user such as *@*.ru. What I ended up doing was editing their content filter to block any envelope sender that ends in .ru. That's the only thing I've found close to what I'm trying to do in my searches. Anyone have any suggestions?

Cisco Employee

Re: Block top level domains with ironport

There are 2 options:

  1. Write a filter.
  2. Refer to a dictionary text file in a message filter.

1. You can write either a content filter or a message filter to catch these charsets if your business does not interact with Russian / Cyrillic / Ukrainian senders.

Here is an outline for a filter.


if (recv-listener == "InboundMail") AND ((body-contains("windows-1251")) OR (header("Content-type") == "(?i)windows-1251")) {
    quarantine ("Policy");
}


You may want to place this in the content filters since content filters occur after the anti-spam scanning.  Placing this filter in the message filters may be resource-expensive in order to scan the body of the email for the charsets.

2. Another option is to add the list of character sets to a dictionary text file and refer to that in your message filter.

Full KB article for assistance:

Article 808 from the Customer KB:

Hope this helps!


(*If you have received the answer to your original question, and found this helpful/correct - please mark the question as answered, and be sure to leave a rating to reflect!)
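
An offline way to see what the two rules in this thread (envelope sender TLD, declared charset) would catch in saved mail before enabling them on the appliance. This is an added example in Python, not part of the original posts and not IronPort filter code; the function names, the `BLOCKED_*` sets and the sample messages are constructed for illustration.

```python
import email

BLOCKED_TLDS = {"ru"}                # TLD from the question
BLOCKED_CHARSETS = {"windows-1251"}  # charset from the filter outline

def sender_tld(envelope_sender):
    """Last label of the envelope sender's domain, lower-cased."""
    domain = envelope_sender.strip().strip("<>").rpartition("@")[2]
    return domain.rstrip(".").rpartition(".")[2].lower()

def declared_charsets(raw_message):
    """Charset parameter of every MIME part's Content-Type header."""
    msg = email.message_from_bytes(raw_message)
    return {cs for cs in (p.get_content_charset() for p in msg.walk()) if cs}

def evaluate(envelope_sender, raw_message):
    """Names of the rules this message would trigger."""
    hits = []
    if sender_tld(envelope_sender) in BLOCKED_TLDS:
        hits.append("sender-tld")
    if declared_charsets(raw_message) & BLOCKED_CHARSETS:
        hits.append("charset")
    return hits

# Constructed sample messages: (envelope sender, raw message bytes).
SAMPLES = [
    ("<offers@mail.example.ru>",
     b"Subject: sale\r\nContent-Type: text/plain; charset=\"windows-1251\"\r\n\r\nhi\r\n"),
    ("news@example.com",
     b"Subject: digest\r\nMIME-Version: 1.0\r\n"
     b"Content-Type: multipart/alternative; boundary=\"b1\"\r\n\r\n"
     b"--b1\r\nContent-Type: text/html; charset=Windows-1251\r\n\r\n<p>hi</p>\r\n--b1--\r\n"),
    # Mentions the charset name in the text but does not declare it.
    ("alice@example.org",
     b"Subject: encoding question\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n"
     b"How do I convert windows-1251 files?\r\n"),
    # "guru" ends in "ru" but is a different TLD.
    ("bob@example.guru", b"Subject: hello\r\n\r\nplain ascii\r\n"),
]

if __name__ == "__main__":
    for sender, raw in SAMPLES:
        print(sender, evaluate(sender, raw) or "no match")
```

The check reads only declared charset parameters, so the third sample, which merely mentions the charset name in its text, is not flagged, and the fourth shows why the sender test compares the whole last domain label.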
