07-14-2020 06:56 AM
Our ServiceNow instance accepts all inbound emails and then uses email filters to block certain domains that are sending spam. Within the last couple of months the number of domains we’ve had to add to our filter to block spam has been increasing, so we would like to change our email filtering process so we only allow email from certain domains and block everything else. This way we only need to make a change when we want to allow an email from a certain domain. What’s the best way to do this?
08-31-2020 05:38 AM
I ran across this article in the ServiceNow Wiki that covers what I needed to accomplish. It's from the Helsinki release, but still relevant. I applied this to our Orlando release a couple of weeks ago and have seen positive results. Only emails from trusted domains have been allowed in, all spam is being blocked, and no more bogus user accounts and incidents are being created from the spam emails. This is a simple no-code solution. I hope this is helpful for others.
Prevent untrusted users from triggering inbound actions
https://docs.servicenow.com/bundle/helsinki-servicenow-platform/page/administer/notification/task/t_...
07-14-2020 07:04 AM
a) Set up an email whitelist. It does not block domains but it is for reporting purposes:
https://docs.servicenow.com/bundle/madrid-platform-administration/page/administer/security/task/black-whitelist-email-domains.html
b) Set up email filters to handle the custom logic you want to only allow certain domains (and you should be able to write a script to reference the whitelist above - that way you just update that whitelist and not actual code, which may cause issues on update for things as simple as typos)
In the "old days" I would simply set up my Inbound Actions to only accept email from certain domains. This is a bit more work because you may have a LOT of inbound actions (we have over 100) and even putting the validation in a script include to re-use still requires calling it for each inbound action.
07-14-2020 10:44 AM
Trevor, thanks for the information. This sounds like a good approach to solving our problem. Can you provide an example of what the script would look like that references the whitelist?
07-14-2020 11:49 AM
We don't use this but I think it could be something like this which could store all the whitelist values in an array:
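// Collect the active whitelisted domains into an array
var domain_array = [];
var gr = new GlideRecord("appsec_domain_listing");
gr.addQuery("dl_category", "White");
gr.addQuery("active", true);
gr.query();
while (gr.next()) {
    // Read the field from the current record (a bare dl_name is undefined)
    domain_array.push(gr.getValue("dl_name"));
}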
Looking at this, I think you could also just use a System Property to store it. Then you don't have to build an array each time but simply do a check against a comma-separated string.
Then you can use ArrayUtil to check against the array you created. Doc is here: https://developer.servicenow.com/dev.do#!/reference/api/orlando/server_legacy/c_ArrayUtilAPI
You would put all this into the Condition Script within the Email Filters to return true (an email you want) or false (an email you don't want). There are a couple examples in there as well.
Hope that helps!
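The comma-separated allow-list check suggested above, as an added example that is not part of the original post and not ServiceNow code: it matches the sender's domain exactly instead of searching the string, so look-alike domains and unparsable senders are rejected. The function names and sample values are hypothetical; in an instance the list string would come from a System Property and the address from the inbound email.

```javascript
// Added example in plain ES5 JavaScript with no ServiceNow APIs.
// Constructed sample allow-list, standing in for a System Property value.
var ALLOWED_SAMPLE = "example.com, Partner.Example.org";

// Turn the comma-separated string into a lookup map of exact domains.
function parseAllowList(csv) {
    var map = {};
    var parts = String(csv || "").split(",");
    for (var i = 0; i < parts.length; i++) {
        var d = parts[i].replace(/^\s+|\s+$/g, "").toLowerCase().replace(/\.$/, "");
        if (d) { map[d] = true; }
    }
    return map;
}

// Extract the domain from a From value such as 'Jo <jo@example.com>'.
// Returns null when the value does not hold exactly one usable address.
function senderDomain(from) {
    var s = String(from || "");
    var m = s.match(/<([^<>]*)>\s*$/);   // prefer the address inside <...>
    var addr = (m ? m[1] : s).replace(/^\s+|\s+$/g, "");
    var at = addr.lastIndexOf("@");
    if (at < 1 || /[\s,;<>]/.test(addr)) { return null; }
    var domain = addr.slice(at + 1).toLowerCase().replace(/\.$/, "");
    return /^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(domain) ? domain : null;
}

// True only on an exact domain match; anything unparsable is rejected.
// A substring test such as csv.indexOf(domain) would accept "ample.com",
// and domain.indexOf("example.com") would accept "example.com.evil.test".
function isAllowedSender(from, csv) {
    var domain = senderDomain(from);
    if (domain === null) { return false; }
    return Object.prototype.hasOwnProperty.call(parseAllowList(csv), domain);
}
```

Subdomains are not implied by a parent entry; each one has to be listed. The check trusts the From value as given and does not authenticate the sender.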