How can I block emails from specific domains or email addresses in Amazon SES?

Last updated: 2019-09-04

I don't want my Amazon Simple Email Service (Amazon SES) identity to receive emails from a certain domain or email address. How can I block those emails? 

Short Description

To prevent certain domains or email addresses from sending emails to your Amazon SES identity, follow these steps:

1.    Create an AWS Lambda function to process incoming emails, evaluate the sender, and then drop the message if the sender matches a specific domain or email address.

2.    Create an Amazon SES receipt rule that routes all incoming email to the Lambda function.

3.    Check the function's Amazon CloudWatch Logs to verify the emails being blocked.

Note: You incur Amazon SES and Lambda charges when you add the Lambda action on the Amazon SES receipt rule.

Resolution

Create an AWS Lambda function

1.    Open the AWS Lambda console.

2.    In the Region selector on the navigation bar, select the AWS Region that you're using for Amazon SES. The Lambda function must be in the same Region that you're using with Amazon SES. For more information, see Lambda Action.

3.    Choose Create function.

4.    Select Author from scratch.

5.    For Function Name, enter a name for your function. For example, you can enter "SESReceiptRule".

6.    For Runtime, select Node.js 10.x.

7.    Under Permissions, expand Choose or create an execution role.

8.    For Execution Role, select Create a new role with basic Lambda permissions.

9.    Choose Create function.

10.    Under Function code, enter the following code:

// Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: MIT-0

'use strict';

exports.handler = (event, context, callback) => {
    console.log('Blocking email filter starting');

    const sesNotification = event.Records[0].ses;
    const messageId = sesNotification.mail.messageId;
    const receipt = sesNotification.receipt;
    const mail = sesNotification.mail;

    // Convert the environment variable into an array. Remove whitespace, lowercase
    // the entries, and drop empty ones: an empty entry (for example, from a trailing
    // comma) would match every sender, because endsWith('') is always true.
    const blockingListArray = (process.env.blockingList || '')
        .replace(/\s/g, '')
        .toLowerCase()
        .split(',')
        .filter((entry) => entry.length > 0);

    // mail.source is the envelope sender (MAIL FROM) address. Lowercase it so that
    // the comparison doesn't depend on how the sender or the list entry is capitalized.
    const source = mail.source.toLowerCase();

    // Check if the mail source matches any of the email addresses or domains defined in the environment variable
    function isListed() {
        return blockingListArray.some((entry) => source.endsWith(entry));
    }

    console.log('Processing message:', messageId);

    // Processing the message
    if (isListed()) {
        // STOP_RULE_SET stops processing of the receipt rule set for this message
        console.log('Rejecting messageId: ', messageId, ' - Source: ', mail.source, ' - Recipients: ', receipt.recipients, ' - Subject: ', mail.commonHeaders['subject']);
        callback(null, {'disposition': 'STOP_RULE_SET'});
    }
    else {
        console.log('Accepting messageId:', messageId, ' - Source: ', mail.source, ' - Recipients: ', receipt.recipients, ' - Subject: ', mail.commonHeaders['subject']);
        callback();
    }
};

11.    Under Environment variables, for Key, enter "blockingList".

Note: There's no limit to the number of environment variables that you can create as long as the total size of the set doesn't exceed 4 KB. For more information, see Rules for Naming Environment Variables.

12.    For the Value of "blockingList", enter a comma-separated list of the email addresses and domains that you want to block. For example, enter "example.com, JohnDoe@example.com".

Note: You can edit the list of email addresses and domains without changing the Lambda function code.

13.    Choose Save.
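
The function's endsWith comparison is a plain suffix test, so a "blockingList" entry of "example.com" also matches a sender at "notexample.com". The following is an added example, not part of the original article's function: it matches addresses exactly and domains only at an "@" or "." boundary. The helper names parseBlockingList and isBlocked and the sample values are hypothetical.

```javascript
'use strict';

// Added example; parseBlockingList and isBlocked are hypothetical helper names.

// Split the comma-separated blockingList value into exact addresses and domains.
function parseBlockingList(value) {
    const addresses = new Set();
    const domains = [];
    for (const raw of (value || '').split(',')) {
        const entry = raw.trim().toLowerCase().replace(/^[@.]+/, '');
        if (entry === '') continue; // skip blanks such as a trailing comma
        if (entry.includes('@')) addresses.add(entry);
        else domains.push(entry);
    }
    return { addresses, domains };
}

// True when the sender is a listed address, or its domain is a listed domain
// or a subdomain of one. The match is anchored at '@' or '.', never mid-label.
function isBlocked(source, list) {
    const sender = String(source || '').trim().toLowerCase();
    const at = sender.lastIndexOf('@');
    if (at < 1) return false; // no local part or no domain to compare
    if (list.addresses.has(sender)) return true;
    const senderDomain = sender.slice(at + 1);
    return list.domains.some(
        (d) => senderDomain === d || senderDomain.endsWith('.' + d));
}

// Constructed sample values for illustration.
const sampleList = parseBlockingList('example.com, JohnDoe@example.net,');
const sampleSenders = [
    'user@example.com',       // listed domain
    'user@mail.example.com',  // subdomain of a listed domain
    'user@notexample.com',    // shares only a suffix with a listed domain
    'johndoe@example.net',    // listed address, different capitalization
    'xjohndoe@example.net',   // shares only a suffix with a listed address
    'janeroe@example.net',    // not listed
];

for (const s of sampleSenders) {
    console.log(s, isBlocked(s, sampleList) ? 'blocked' : 'accepted');
}
```

To use these helpers in the handler, parse process.env.blockingList once and call isBlocked(mail.source, list) in place of isListed().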

Create an Amazon SES receipt rule

1.    Open the Amazon SES console.

2.    In the navigation pane, under Email Receiving, choose Rule Sets.

3.    If you want to add the rule to an existing active rule set, skip to step 4. To create a new rule set, choose Create a Rule Set, enter a rule set name, and then choose Create a Rule Set.

Note: If you create a new rule set, be sure to select the rule set, and then choose Set as Active Rule Set.

4.    Choose View Active Rule Set.

5.    Choose Create Rule.

Note: You can also choose to update an existing rule with the same values described in the following steps.

6.    For Recipients, enter the email addresses or domains associated with your Amazon SES identity.

Important: Enter the email address or domain that you want to prevent from receiving emails from specific senders. Don't enter the email address or domain that you want to block emails from. For example, if your Amazon SES identity uses the email address "JaneRoe@example.net" and you want to block emails from "example.com", enter "JaneRoe@example.net".

7.    Choose Next Step.

8.    Under Actions, for Add action, select Lambda. Then, complete these fields:
For Lambda function, select the function that you created.
For Invocation type, select RequestResponse.
(Optional) Configure SNS topic as required by your use case. Or, you can leave this field blank. For more information on this field, see Lambda Action.

9.    Choose Next Step.

10.    Under Rule Details, complete these fields:
For Rule name, enter a name for your rule.
For Enabled, be sure that this checkbox is selected so that the rule is created as an active rule.
(Optional) Select Require TLS or Enable spam and virus scanning if required by your use case.
For Rule set, verify that your active rule set is selected. An active rule set includes (Active) in the name.
For Insert after rule, select the position that you want for your rule within the rule set.

11.    Choose Next Step.

12.    Choose Create Rule.

Note: If you get a Missing Permissions dialog box with the message "SES was unable to access the resource [your Lambda function]," then Amazon SES needs permissions to the function. You can choose Add permissions to configure the required permissions.

Check the function's Amazon CloudWatch Logs

After you set up the Lambda function and Amazon SES rule, follow these steps to verify the emails being blocked:

1.    Open the CloudWatch console.

2.    From the navigation pane, choose Logs.

3.    From the list of log groups, choose your Lambda function's log group. For example, choose /aws/lambda/name_of_your_function.

4.    Choose the log stream that you want to check. The log stream displays the email messages and domains being processed by the Lambda function, similar to the following:

14:08:25 START RequestId: aa939984-1b9b-11e7-83d2-efc6877bdc9b Version: $LATEST
14:08:25 2017-04-07T14:08:25.957Z aa939984-1b9b-11e7-83d2-efc6877bdc9b Blocking email filter starting
14:08:25 2017-04-07T14:08:25.958Z aa939984-1b9b-11e7-83d2-efc6877bdc9b Processing message: jc0iurgrtkrsrs7f5pk0rsmf4r3q0poikdjfdi01
14:08:25 2017-04-07T14:08:25.959Z aa939984-1b9b-11e7-83d2-efc6877bdc9b Rejecting messageId: jc0iurgrtkrsrs7f5pk0rsmf4r3q0poikdjfdi01 - Source: user@example.com - Recipients: [ 'user@domain.com' ] - Subject: This is an unwanted message
14:08:25 END RequestId: aa939984-1b9b-11e7-83d2-efc6877bdc9b
