How can I block emails from specific domains or email addresses in Amazon SES?

Short description

To prevent certain domains or email addresses from sending emails to your Amazon SES identity, complete the following steps:

1. Create an AWS Lambda function. Configure the function to process incoming emails, evaluate the sender, and drop the message if the sender matches a specific domain or email address.
2. Create an Amazon SES receipt rule that routes all incoming email to the Lambda function.
3. Check the function's Amazon CloudWatch Logs to verify that the emails are blocked.

Note: You incur Amazon SES and Lambda charges when you add the Lambda action on the Amazon SES receipt rule.

Resolution

Create a Lambda function

1.    Open the AWS Lambda console. Select the AWS Region that you use for Amazon SES. The Lambda function must be in the same AWS Region that you use with Amazon SES. For more information, see Invoke Lambda function action.

2.    Choose Create function.

3.    Select Author from scratch.

4.    For Function Name, enter a name for your function. For example, enter "SESReceiptRule".

5.    For Runtime, select a language for your function. Node.js 14.x is selected in this example.

6.    For Architecture, choose an architecture for your function code.

7.    Under Permissions, expand Change default execution role.

8.    For Execution Role, select Create a new role with basic Lambda permissions.

9.    Choose Create function.

10.    Under the Code source section, under the index.js tab, enter the following code:

// Copyright 2019 Amazon.com, Inc. or its affiliates. All Rights Reserved.// SPDX-License-Identifier: MIT-0
'use strict';

const AWS = require('aws-sdk');

exports.handler = (event, context, callback) => {
    console.log('Blocking email filter starting');
    const sesNotification = event.Records[0].ses;
    const messageId = sesNotification.mail.messageId;
    const receipt = sesNotification.receipt;
    const mail = sesNotification.mail;

    // Convert the environment variable into array. Clean spaces from it.
    var blockingListString = process.env.blockingList;
    blockingListString = blockingListString.replace(/\s/g,'');
    var blockingListArray = blockingListString.split(",");

    // Check if the mail source matches with any of the email addresses or domains defined in the environment variable
    function isListed() {
        var length = blockingListArray.length;
        for(var i = 0; i < length; i++) {
            if (mail.source.endsWith(blockingListArray[i]))
                return true;
        }
        return false;
    }
    console.log('Processing message:', messageId);

        // Processing the message
    if (isListed()) {
            callback(null, {'disposition':'STOP_RULE_SET'});
            console.log('Rejecting messageId: ', messageId, ' - Source: ', mail.source, ' - Recipients: ',receipt.recipients,' - Subject: ', mail.commonHeaders['subject']);
    }
    else {
        console.log('Accepting messageId:', messageId, ' - Source: ', mail.source, ' - Recipients: ',receipt.recipients,' - Subject: ', mail.commonHeaders['subject']);
        callback();
    }
};

11.    Under Environment variables, for Key, enter "blockingList".
Note: There's no limit to the number of environment variables that you can create. The total size of the set can't exceed 4 KB. For more information, see Using AWS Lambda environment variables.

12.    For the Value of "blockingList", enter a comma-separated list of the email addresses and domains that you want to block. For example, enter "example.com, JohnDoe@example.com".
Note: You don't need to change the Lambda function code to edit the list of email addresses and domains.

13.    Choose File, and then choose Save.

Create an Amazon SES receipt rule

1. Open the Amazon SES console.
2. In the navigation pane, choose Email Receiving.
3. If you want to add the rule to an existing active rule set, then skip to step 4. To create a new rule set, choose Create a Rule Set, enter a rule set name, and then choose Create Rule Set.
   Note: If you create a new rule set, then be sure to select the rule set, and then choose Set as Active Rule Set.
4. Choose View Active Rule Set.
5. Choose Create Rule.
   Note: You can also choose to update an existing rule with the same values described in the following steps.
6. For Define rule settings, enter the following information:
   For Rule name, enter a name for your rule.
   For Status, check the Enabled box to create the rule as an active rule. Then, choose Next.
7. For Recipients conditions, choose Add new recipient condition.
8. For Recipient condition, enter the email addresses or domains that are associated with your Amazon SES identity. Then, choose Next.
   Important: Enter the email address or domain that you want to prevent from receiving emails from specific senders. Don't enter the email address or domain that you want to block emails from. For example, if your Amazon SES identity uses the email address "JaneRoe@example.net" and you want to block emails from "example.com", then enter "JaneRoe@example.net".
9. On the Add actions screen, under Add new action, select Invoke AWS Lambda function. Then, enter the following information:
   For Lambda function, select the function that you created.
   For Invocation type, select RequestResponse invocation.
   (Optional) Configure SNS topic as your use case requires. Or, you can leave this field blank. For more information on this field, see Invoke Lambda function action. Then, choose Next.
10. Choose Create Rule.
    Note: You might get a Missing Permissions dialog box with the message "SES was unable to access the resource [your Lambda function]." This error means that Amazon SES needs permissions to the function. Choose Add permissions to configure the required permissions.

Check the function's CloudWatch Logs

After you set up the Lambda function and Amazon SES rule, follow these steps to verify that the emails are blocked:

1.    Open the CloudWatch console.

2.    From the navigation pane, under Logs, choose Log groups.

3.    From the list of log groups, choose your Lambda function's log group. For example, choose /aws/lambda/name_of_your_function.

4.    Under Log streams, choose the log stream that you want to check. The log stream displays the email messages and domains that the Lambda function is processing. It looks similar to the following example:

14:08:25 START RequestId: aa939984-1b9b-11e7-83d2-efc6877bdc9b Version: $LATEST14:08:25 2017-04-07T14:08:25.957Z aa939984-1b9b-11e7-83d2-efc6877bdc9b Blocking email filter starting
14:08:25 2017-04-07T14:08:25.958Z aa939984-1b9b-11e7-83d2-efc6877bdc9b Processing message: jc0iurgrtkrsrs7f5pk0rsmf4r3q0poikdjfdi01
14:08:25 2017-04-07T14:08:25.959Z aa939984-1b9b-11e7-83d2-efc6877bdc9b Rejecting messageId: jc0iurgrtkrsrs7f5pk0rsmf4r3q0poikdjfdi01 - Source:
user@example.com - Recipients: [ 'user@domain.com' ] - Subject: This is an unwanted message
14:08:25 END RequestId: aa939984-1b9b-11e7-83d2-efc6877bdc9b

Related information

Getting started with Lambda

Recipient-based control using receipt rules