Blocklists


About blocklists

Blocklists help to reduce the number of false-negative scan verdicts. If an email scan or a URL scan is initially assigned a clean verdict, you can use a blocklist to define that the scan verdict should be changed to malicious or spam - if the email or URL meets specified requirements.

Note:

  • If the same item is included in both an allowlist and a blocklist, the allowlist will take precedence.

  • When you add an entry to a blocklist, if the same entry already exists in the blocklist, then the new entry is totally ignored, and the existing entry is maintained [unchanged].

  • You can perform a bulk import of blocklist entries. For details, see Bulk import of blocklist entries below.

  • Blocklists can't be exported to .csv files by admin-users. This can be done by Perception Point Support [support@perception-point.io] only.

Types of blocklists

You can configure various blocklists in Perception Point X‑Ray:

Sender email address / domain blocklist

When an email is scanned, and the scan verdict is clean, if the email is sent from an email address that is included in the "Sender email address / domain blocklist", then the scan verdict will be set to malicious or spam.

Sender IP blocklist

When an email is scanned, and the scan verdict is clean, if the email is sent from an IP address that is on the "Sender IP blocklist", then the scan verdict will be set to malicious or spam.

URL blocklist

When a URL is scanned, and the scan verdict is clean, if the URL is included in the URL blocklist, then the scan verdict will be set to malicious or spam.

Hash blocklist

When a file is a candidate for scanning, if the SHA-256 hash of the file is included in the "hash blocklist," then the file won't be scanned, and the scan verdict will be set to malicious.

When you define an entry in each of the blocklists above, you define if the scan verdict should be changed to malicious or spam.

The Allowlists & Blocklists page is available to admin users with the "Controller" role [or higher].

Note: It is possible to perform a bulk import of blocklist entries. For details, see Bulk import of blocklist entries below.

For details about allowlists, see Allowlists.

Global blocklists

Perception Point X‑Ray maintains global blocklists - with entries that apply to all organizations. Entries in globally maintained blocklists do not appear in the blocklists of your organization - these global entries are visible internally to Perception Point only.

When you add an entry to a blocklist, you'll know that the entry was added successfully only if you see a "successfully added" message.

If you add an entry, and a "successfully added" user notification doesn't appear, this may indicate that the entry is included in the globally maintained blocklist. The entry that you tried to add therefore won't appear in the blocklist for your organization. For further details, contact Perception Point Support [support@perception-point.io].

Propagating blocklists from a parent organization to child organizations

All blocklist entries that are configured in a parent organization are propagated [applied] to the child organizations as well.

Note: Blocklist entries that are added to a parent organization and propagated from the parent organization to the child organization, are not visible in the child organizations.

If you want to add a blocklist entry to a specific child organization only, make sure to select that child organization when you configure the new blocklist entry.

Bulk import of blocklist entries

You can use Perception Point X‑Ray to perform a bulk import of entries for the following blocklists:

  • Sender Email Address / Domain blocklist

  • Sender IP blocklist

If you need to upload multiple entries to another blocklist, contact Perception Point Support [support@perception-point.io] for assistance.

When you upload entries, make sure that the upload file meets the following requirements:

  • The upload file must be a .csv file, with a maximum size of 20 KB.

  • The upload file can have a maximum of 100 entries.

  • Note: If you have thousands of entries to add to an allowlist or a blocklist, contact Perception Point Support [support@perception-point.io] for assistance.

  • Each entry should be on a separate line in the upload file.

  • Don't include a header or header row [such as "Domains to block"] at the top of the file.

  • By default, each organization can have a maximum of 2,000 allowlist and blocklist entries combined.
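A pre-upload check for the file requirements above, as an added example (not Perception Point code). The address and domain patterns are simplified assumptions, 1 KB is taken as 1024 bytes, and the sample data is constructed. It also flags subnet notation and display names, which the configuration sections below say are not accepted.

```python
import ipaddress
import re

MAX_BYTES = 20 * 1024  # page: 20 KB limit (1 KB = 1024 bytes is an assumption)
MAX_ENTRIES = 100      # page: at most 100 entries per upload file
# Simplified shapes for a plain address or domain (assumption, not the product's rules)
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
DOMAIN_RE = re.compile(r"^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def check_entry(entry, kind):
    """Return None if one line is acceptable for kind 'sender' or 'ip', else a reason."""
    if kind == "ip":
        if "/" in entry:
            return "subnet notation is not supported by default"
        try:
            ipaddress.ip_address(entry)
            return None
        except ValueError:
            return "not a single IP address"
    if any(c in entry for c in '<>" ,;'):
        return "display name or extra characters"
    if EMAIL_RE.match(entry) or DOMAIN_RE.match(entry):
        return None
    return "not a plain email address or domain"


def validate_upload(data, kind):
    """Return (line_number, problem) pairs for raw .csv bytes; line 0 means the whole file."""
    problems = []
    if len(data) > MAX_BYTES:
        problems.append((0, f"file is {len(data)} bytes, limit is {MAX_BYTES}"))
    text = data.decode("utf-8-sig", errors="replace")
    rows = [(n, l.strip()) for n, l in enumerate(text.splitlines(), 1) if l.strip()]
    if len(rows) > MAX_ENTRIES:
        problems.append((0, f"{len(rows)} entries, limit is {MAX_ENTRIES}"))
    seen = {}  # lower-cased entry -> first line it appeared on
    for n, entry in rows:
        reason = check_entry(entry, kind)
        if reason:
            # A rejected first row is often a leftover header such as "Domains to block"
            problems.append((n, reason + (" (header row?)" if n == rows[0][0] else "")))
        elif entry.lower() in seen:
            problems.append((n, f"duplicate of line {seen[entry.lower()]}"))
        else:
            seen[entry.lower()] = n
    return problems

# Constructed sample upload for the sender blocklist (not real data)
SAMPLE = b'Domains to block\nbilling@example.com\nexample.net\n"AP" <ap@example.org>\nBILLING@example.com\n'
```

An empty list from `validate_upload(data, "sender")` or `validate_upload(data, "ip")` means the file passed these local checks; it does not tell you whether an entry is already on a global blocklist.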

Allowlists vs blocklists - precedence

If the same item is included in both an allowlist and a blocklist, the allowlist will take precedence.

Configuring the "sender email address / domain blocklist"

Follow the procedure below to block-list sender email addresses and sender domains [such as acme.com]. When you block-list a domain, all email addresses inside the domain will be included in the blocklist.

To add an entry to the "sender email address / domain blocklist":

  1. In Perception Point X‑Ray, in the left navigation menu, select Detection Setup > Allowlists & Blocklists.

  2. On the right of "Sender Email Address / Domain Blocklist", click Add Address.

  3. Configure the required settings.

    Organization

    If this option appears, select the organization [or organizations] to which the block list applies.

    Note:

    • If you add a block list entry to a parent organization, the entry will affect the parent organization and all child organizations. However, the block list entry won't be visible in the child organizations.

    • If you want to add a block list entry to a specific child organization only, select that child organization here.

    Sender Email Address / Domain

    Single email address / domain

    Specify the email address of the sender. Emails that originate from this email address will be block-listed.

    • Email addresses should be plain email addresses only, without any display names or extra characters.

    Import bulk list

    Lets you add multiple email addresses and domains to the blocklist. You'll need to specify and upload a .csv file that contains the required email addresses and/or domains.

     

    Set verdict as

    Select the verdict that will be applied to scans of emails that were sent from an email address that is included in the "Sender Email Address / Domain" [see above], either Malicious or Spam.

    For details on what happens to emails that are assigned a malicious or spam verdict, see Verdicts.

    Include blocked emails in

    When an email is blocked due to this blocklist definition, then the email will be included in the following [as selected]:

    Comment

    Add an optional comment.

  4. Click Add. Check that the new entry or entries appear in the blocklist as expected.

    Note: If you don't see a "successfully added" user notification, and if the entry that you tried to add doesn't appear in your blocklist, this may indicate that the entry is included in the globally maintained blocklist. For details, see Global blocklists.

Configuring the "sender IP blocklist"

To add an entry to the sender IP blocklist:

  1. In Perception Point X‑Ray, in the left navigation menu, select Detection Setup > Allowlists & Blocklists.

  2. On the right of "Sender IP Blocklist", click Add IP.

  3. Configure the required settings.

    Organization

    If this option appears, select the organization [or organizations] to which the block list applies.

    Note:

    • If you add a block list entry to a parent organization, the entry will affect the parent organization and all child organizations. However, the block list entry won't be visible in the child organizations.

    • If you want to add a block list entry to a specific child organization only, select that child organization here.

    Sender IP address

    Single IP Address

    Specify the IP address of the sender. Emails that originate from this IP address will be block-listed.

    • By default, block-listing a subnet is not supported. For possible implementation details, contact Perception Point Support [support@perception-point.io].

    Import bulk list

    Lets you add multiple IP addresses to the blocklist. You'll need to specify and upload a .csv file that contains the required IP addresses.

    Set verdict as

    Select the verdict that will be applied to scans of emails that were sent from the "Sender IP Address" [see above], either Malicious or Spam.

    For details on what happens to emails that have been assigned a malicious or spam verdict, see Verdicts.

    Include blocked emails in

    When an email is blocked due to this blocklist definition, then the email will be included in the following [as selected]:

    Comment

    Add an optional comment.

  4. Click Add. Check that the new entry or entries appear in the blocklist as expected.

    Note: If you don't see a "successfully added" user notification, and if the entry that you tried to add doesn't appear in your blocklist, this may indicate that the entry is included in the globally maintained blocklist. For details, see Global blocklists.

Configuring the "URL blocklist"

The URL blocklist includes a list of URLs that are block-listed. The blocklist will apply to URLs that are included in any of the channels that are specified in the blocklist.

To add an entry to the "URL blocklist":

  1. In Perception Point X‑Ray, in the left navigation menu, select Detection Setup > Allowlists & Blocklists.

  2. On the right of "URL Blocklist", click Add URL.

  3. Configure the required settings.

    Organization

    If this option appears, select the organization [or organizations] to which the block list applies.

    Note:

    • If you add a block list entry to a parent organization, the entry will affect the parent organization and all child organizations. However, the block list entry won't be visible in the child organizations.

    • If you want to add a block list entry to a specific child organization only, select that child organization here.

    Method and URL

    In the field on the right, specify the URL of sites that will be block-listed. Use Method below to define how the URL string should be applied.

    Specify how the URL string defined above should be applied to determine which URLs to block-list:

    • Starts with: A URL will be block-listed if the URL starts with the URL string specified above.

    • In: A URL will be block-listed if the URL includes the complete URL string specified.

      Note: This option is available to Perception Point Support only. Contact Perception Point Support [support@perception-point.io] for details.

    • Domain ends with: A URL will be block-listed if the URL ends with the URL string specified.

    • Wildcard: An asterisk [*] included in the URL string above acts as a wildcard - representing any set of characters. If Wildcard is not selected, then an asterisk in the URL string acts as a single asterisk character, and not as a wildcard.

      If Wildcard is selected, but no asterisk [*] is specified in the URL string, then each URL will be evaluated as if the "Exact" method has been selected.

      Note: This option is available to Perception Point Support only. Contact Perception Point Support [support@perception-point.io] for details.

    • Exact: A URL will be block-listed if the URL is the exact URL string specified.

    Apply to channels

    • Select "All channels" so that the blocklist will be applied to all channels.

      - or -

    • Select the channels that will be affected by the blocklist.

    Set verdict as

    Select the verdict that will be applied to scans of URLs that are included in "Method" [see above], either Malicious or Spam.

    For details on what happens to emails that have been assigned a malicious or spam verdict, see Verdicts.

    Include blocked emails in

    When an email is blocked due to this blocklist definition, then the email will be included in the following [as selected]:

    Comment

    Add an optional comment.

  4. Click Add. Check that the new entry or entries appear in the blocklist as expected.

    Note: If you don't see a "successfully added" user notification, and if the entry that you tried to add doesn't appear in your blocklist, this may indicate that the entry is included in the globally maintained blocklist. For details, see Global blocklists.
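To preview how broadly a URL entry would match before adding it, the five methods from step 3 can be modelled locally with plain, case-sensitive string tests. This is an added example, not the product's matching engine: the method keys are hypothetical names, "Domain ends with" is assumed to test the hostname (taken from the method's name), and the URLs are constructed.

```python
import re
from urllib.parse import urlsplit


def url_matches(method, pattern, url):
    """Local model of the URL blocklist methods using plain string semantics."""
    if method == "starts_with":
        return url.startswith(pattern)
    if method == "in":
        return pattern in url
    if method == "domain_ends_with":
        # Assumption: the suffix test is applied to the hostname of the URL
        host = urlsplit(url).hostname or ""
        return host.endswith(pattern)
    if method == "wildcard":
        if "*" not in pattern:
            return url == pattern  # page: evaluated as if Exact were selected
        # Each asterisk stands for any run of characters; everything else is literal
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        return re.fullmatch(regex, url, flags=re.DOTALL) is not None
    if method == "exact":
        return url == pattern  # an asterisk here is a literal character
    raise ValueError(f"unknown method: {method}")


def preview(method, pattern, urls):
    """Return the subset of urls that the entry would cover under this model."""
    return [u for u in urls if url_matches(method, pattern, u)]


# Constructed sample URLs (not real indicators)
SAMPLE_URLS = [
    "https://login.example.com/reset",
    "https://login.example.com/reset?token=abc",
    "https://cdn.example.com/a*b.js",
    "https://notexample.com/",
    "https://example.org/?next=https://login.example.com/reset",
]
```

Running `preview` over a sample of URLs from recent clean traffic shows which entries are broader than intended: under this model a suffix of `example.com` also covers `notexample.com`, while `.example.com` does not.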

Configuring the "hash blocklist"

When a file is a candidate for scanning, if the SHA-256 hash of the file is included in the "hash blocklist," then the file won't be scanned, and the scan verdict will be set to malicious.

Note: Only SHA-256 hashes are supported. MD5 hashes and SHA-1 hashes are not supported.

To add an entry to the hash blocklist:

  1. In Perception Point X‑Ray, in the left navigation menu, select Detection Setup > Allowlists & Blocklists.

  2. Click Add Hash on the right of "Hash Blocklist".

  3. Configure the required settings.

    Organization

    If this option appears, select the organization [or organizations] to which the block list applies.

    Note:

    • If you add a block list entry to a parent organization, the entry will affect the parent organization and all child organizations. However, the block list entry won't be visible in the child organizations.

    • If you want to add a block list entry to a specific child organization only, select that child organization here.

    SHA256

    Specify the SHA-256 hash value. Any file with this hash value will not be scanned, and the scan verdict will be set to malicious.

    Note: Only SHA-256 hashes are supported. MD5 hashes and SHA-1 hashes are not supported.

    Comment

    Add an optional comment.

  4. Click Add. Check that the new entry or entries appear in the blocklist as expected.

    Note: If you don't see a "successfully added" user notification, and if the entry that you tried to add doesn't appear in your blocklist, this may indicate that the entry is included in the globally maintained blocklist. For details, see Global blocklists.

Custom blocklists

In addition to the standard blocklists, Perception Point Support is able to create customized blocklist entries that may be helpful in your organization. For example, they could create a custom blocklist entry to block all emails that have the word "bitcoin" in the subject of the email, or in the body of the email, or even in an attachment to the email.

For additional information about custom blocklists, and how to implement them, contact Perception Point Support [support@perception-point.io].

Note: You won't be able to see any custom blocklist entries in the Allowlists & Blocklists page in Perception Point X‑Ray. Custom blocklist entries are visible to Perception Point Support only.

Filtering [searching] blocklists

Sometimes blocklists may contain many entries. Finding a specific entry in a long blocklist may not be so simple. For example, your "Sender Email Address / Domain" blocklist contains 245 entries, and you want to see all entries that include "example.com". You can use the Search facility at the top of each blocklist.