Advanced Block List

Create custom rules that automatically classify threats based on URLs, attachments, and email properties. Advanced Block List provides granular control beyond basic sender blocking.

Written By Matt Sywulak

Last updated 4 months ago

How It Works

Pre-delivery (Analysis Time)
Rules evaluate incoming emails and assign threat categories before delivery. When multiple rules match, multiple threat categories are applied.

Post-delivery (Click Time)
When link rewriting is enabled, rules trigger when users click links. Danger-mode rules redirect to a blocker page. Only link conditions are evaluated at click time.


Rule Components

Conditions

URL Options:

  • URL - Full URL match

  • URL FQDN - Fully qualified domain name

  • URL Registered Domain - Root domain only

  • Link (Advanced) - Combination of URL criteria

Attachment Options:

  • Attachment Name - File name match

  • Attachment Mimetype - File type match (see [MIME Types Reference])

  • Attachment MD5 Hash - File hash match

  • Attachment (Advanced) - Combination of attachment criteria

Sender Options:

  • Email Address - Exact sender match

  • FQDN - Sender domain

  • Registered Domain - Root domain

Reply-To Options:

  • Email Address - Reply-to address match

  • FQDN - Reply-to domain

  • Registered Domain - Root domain

Recipient (To) Options:

  • Email Address - Recipient match

  • FQDN - Recipient domain

  • Registered Domain - Root domain

Additional Fields:

  • Sender Display Name - Display name shown to users

  • Subject Line - Email subject

  • Message-ID Domain - Domain in Message-ID header

  • Sender IP Address - Originating IP

Match Types

  • Equals

  • Does Not Equal

  • Starts With

  • Ends With

  • Contains

  • Does Not Contain

Rule Modes

  • Disabled - Inactive

  • Caution - Warning banner

  • Danger - Blocks/quarantines, triggers blocker page for links

Options

Unauthenticated Senders Only: Apply rule only to messages that fail SPF/DKIM/DMARC

Example Rules

Double-encoded Google redirect:

  • URL starts with https://www.google.com/url?q=https://www.google.com/url

  • URL contains sa=t

  • URL contains url=amp

  • Mode: Danger (marks as Phishing Content)

Suspicious benefits attachment:

  • Attachment MIME Type equals text/html

  • Attachment Name contains Benefits

  • Mode: Danger (pre-delivery only)

Display name spoofing:

  • Sender Display Name contains CEO

  • Sender Registered Domain does not equal yourcompany.com

  • Mode: Danger (catches spoofed executive names)

Reply-to mismatch:

  • Reply-To Domain does not equal trusted-partner.com

  • Sender Domain equals trusted-partner.com

  • Mode: Caution (flags suspicious reply-to redirects)
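
The four example rules above can be dry-run locally against sample messages before they are enabled. This is an added sketch, not INKY's implementation: the field names, the AND-combination of conditions, case-sensitive matching, and the sample messages are all assumptions.

```python
# Added illustration: a local model of the rule logic, not INKY's implementation.
# Assumptions: conditions in a rule are ANDed, matching is case-sensitive,
# and each field holds one value (evaluate once per URL or attachment).
MATCH = {
    "equals": lambda v, x: v == x,
    "does_not_equal": lambda v, x: v != x,
    "starts_with": lambda v, x: v.startswith(x),
    "ends_with": lambda v, x: v.endswith(x),
    "contains": lambda v, x: x in v,
    "does_not_contain": lambda v, x: x not in v,
}

RULES = [  # the four example rules from this page; field names are hypothetical
    ("Double-encoded Google redirect", "danger", [
        ("url", "starts_with", "https://www.google.com/url?q=https://www.google.com/url"),
        ("url", "contains", "sa=t"), ("url", "contains", "url=amp")]),
    ("Suspicious benefits attachment", "danger", [
        ("attachment_mimetype", "equals", "text/html"),
        ("attachment_name", "contains", "Benefits")]),
    ("Display name spoofing", "danger", [
        ("sender_display_name", "contains", "CEO"),
        ("sender_registered_domain", "does_not_equal", "yourcompany.com")]),
    ("Reply-to mismatch", "caution", [
        ("reply_to_domain", "does_not_equal", "trusted-partner.com"),
        ("sender_domain", "equals", "trusted-partner.com")]),
]

def holds(msg, field, op, value):
    """Apply one match type; a missing field is treated as an empty string."""
    return MATCH[op](msg.get(field, ""), value)

def evaluate(msg, rules=RULES):
    """Return (rule name, mode) for every enabled rule whose conditions all hold."""
    return [(name, mode) for name, mode, conds in rules
            if mode != "disabled" and all(holds(msg, *c) for c in conds)]

# Constructed sample messages (not real mail).
SPOOF = {"sender_display_name": "Jane Doe, CEO", "sender_domain": "mail.example.net",
         "sender_registered_domain": "example.net", "reply_to_domain": "example.net"}
VENDOR = {"sender_display_name": "CEO Weekly Newsletter", "sender_domain": "example.org",
          "sender_registered_domain": "example.org", "reply_to_domain": "example.org"}
PARTNER = {"sender_display_name": "Accounts", "sender_domain": "trusted-partner.com",
           "sender_registered_domain": "trusted-partner.com", "reply_to_domain": "example.com"}

if __name__ == "__main__":
    for label, msg in [("spoof", SPOOF), ("vendor", VENDOR), ("partner", PARTNER)]:
        print(label, evaluate(msg))
```

In this model the VENDOR sample matches the display name rule just as the SPOOF sample does, because "contains CEO" is a plain substring test on any external sender.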

Current Limitations

Rules operate at team level only.