Static Blocking

Benefits

Static blocking provides immediate protection against known threats by:

  • Proactive Defense: Block malicious domains, IP addresses, and user identifiers before they can cause harm
  • Zero-Day Protection: Instantly block newly identified threats without waiting for pattern detection
  • Reduced Attack Surface: Prevent access attempts from known bad actors and compromised sources
  • Flexible Control: Whitelist trusted sources while blocking suspicious ones
  • Granular Management: Block entire domains or specific email addresses, IPs, or user accounts
  • Exception Handling: Allow specific exceptions even when their domain or IP is blacklisted

Overview

Static blocking is a fraud detection mechanism that allows you to create predefined lists of blocked and allowed resources. Unlike dynamic fraud detection that analyzes behavior patterns, static blocking provides immediate protection based on known threat intelligence.

Common use cases:

  • Blocking temporary email services (e.g., tempmail.com, 10minutemail.com) to prevent fake account registrations
  • Blocking known malicious IP addresses or IP ranges
  • Blocking specific user accounts (subs) that have been compromised
  • Blocking individual email addresses or identifiers associated with attacks
  • Whitelisting trusted partner domains or IPs to ensure legitimate access

How Static Blocking Works

Static blocking evaluates requests in a specific order:

  1. Whitelist Check First: If an email domain or IP address is whitelisted, the request is immediately allowed (bypasses all other checks)
  2. Blacklist Check: If the email domain, IP, sub, or identifier is blacklisted, the request is blocked
  3. Exception Check: Even if a domain or IP is blacklisted, specific exceptions can allow individual emails or IPs through

This ensures that trusted sources always have access, while known threats are blocked immediately.

Blocking Settings

The static blocking feature supports multiple types of blocking rules:

Email Domain Blocking

Block entire email domains to prevent registrations or logins from specific email providers:

  • Blacklisted Email Domains: List of domains that will be blocked (e.g., tempmail.com, guerrillamail.com)
  • Whitelisted Email Domains: List of domains that will always be allowed, even if other rules would block them
  • Excluded Emails from Blacklist: Specific email addresses that are allowed even if their domain is blacklisted

Example scenario:

  • Block tempmail.com domain to prevent fake registrations
  • Allow [email protected] as an exception for legitimate use

IP Address Blocking

Block specific IP addresses or IP ranges to prevent access from known malicious sources:

  • Blacklisted IPs: List of IP addresses that will be blocked (e.g., 192.168.1.100)
  • Whitelisted IPs: List of IP addresses that will always be allowed
  • Excluded IPs from Blacklist: Specific IP addresses that are allowed even if they're in a blocked range

Use cases:

  • Block IPs associated with known botnets
  • Block IP ranges from specific geographic regions if needed
  • Whitelist corporate IP ranges for trusted access

User Account Blocking

Block specific user accounts (subs) that have been compromised or identified as threats:

  • Blocked Subs: List of user IDs (subs) that will be blocked from all access attempts

Use cases:

  • Immediately block accounts that have been compromised
  • Block accounts associated with fraudulent activity
  • Temporary blocking of accounts under investigation

Identifier Blocking

Block specific email addresses, phone numbers, or usernames:

  • Blacklisted Identifiers: List of specific identifiers (emails, phone numbers, usernames) that will be blocked

Use cases:

  • Block specific email addresses used in attacks
  • Block phone numbers associated with fraud
  • Block usernames that violate terms of service

Configuration Options

Enable/Disable Blocking

The enabled field controls whether static blocking is active:

  • enabled: true: Static blocking rules are enforced
  • enabled: false: Static blocking is disabled (all requests pass through)

Setting Priorities

  1. Whitelist takes precedence: Whitelisted domains/IPs are always allowed
  2. Blacklist is checked second: Blacklisted resources are blocked unless they have exceptions
  3. Exceptions override blacklist: Excluded emails/IPs are allowed even if their domain/IP is blacklisted
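
The precedence above, together with the order given under "How Static Blocking Works", written out as a small decision function. This is an added example that models the documented order and is not cidaas code; the sample values, CIDR matching for IP entries, lowercase exact-match domain comparison and the reason strings are assumptions.

```python
import ipaddress

# Constructed sample values; the keys are the ones in the page's request example.
SETTING = {
    "enabled": True,
    "whiteListedEmailDomains": ["company.com"],
    "blackListedEmailDomains": ["tempmail.com"],
    "excludedEmailsFromBlackList": ["qa@tempmail.com"],
    "whiteListedIps": ["203.0.113.0/24"],
    "blackListedIps": ["198.51.100.0/24"],
    "excludedIpsFromBlackList": ["198.51.100.7"],
    "subs": ["b0c59777-72e4-4a9f-8fe0-5d90e8a05679"],
    "blackListedIdentifiers": ["+1234567890"],
}

def ip_in(ip, entries):
    """True if ip falls in any entry (assumed: single address or CIDR range)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)

def decide(s, email=None, ip=None, sub=None, identifier=None):
    """Return (allowed, reason) using the precedence the page documents."""
    if not s.get("enabled", False):
        return True, "blocking-disabled"
    email = email.lower() if email else None  # assumed: lists hold lowercase
    domain = email.rpartition("@")[2] if email and "@" in email else None
    # 1. Whitelist first: a hit allows the request and skips every other check.
    if domain and domain in s.get("whiteListedEmailDomains", []):
        return True, "whitelisted-domain"
    if ip and ip_in(ip, s.get("whiteListedIps", [])):
        return True, "whitelisted-ip"
    # 2. Blacklist: subs and identifiers have no exception list on the page.
    if sub and sub in s.get("subs", []):
        return False, "blocked-sub"
    blocked_ids = s.get("blackListedIdentifiers", [])
    if (identifier and identifier in blocked_ids) or (email and email in blocked_ids):
        return False, "blocked-identifier"
    # 3. Exceptions: an excluded e-mail/IP cancels its own domain/IP hit only.
    if domain in s.get("blackListedEmailDomains", []) and \
            email not in s.get("excludedEmailsFromBlackList", []):
        return False, "blocked-domain"
    if ip and ip_in(ip, s.get("blackListedIps", [])) and \
            not ip_in(ip, s.get("excludedIpsFromBlackList", [])):
        return False, "blocked-ip"
    return True, "no-rule-matched"
```

Modelled this way, a blocked sub arriving from a whitelisted IP is allowed, because the whitelist hit ends evaluation before the sub list is consulted. Confirm that behaviour against your tenant before relying on broad whitelist ranges.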

Technical Integration

API Endpoint

Configure static blocking settings using the Fraud Detection System API:

Endpoint: PATCH /fraud-detection-srv/staticsettings

Authentication: Requires OAuth2 token with scope cidaas:fds_settings_write

API Documentation: Fraud Detection System API

Request Example

{
  "blockingSetting": {
    "enabled": true,
    "blackListedEmailDomains": [
      "tempmail.com",
      "10minutemail.com",
      "guerrillamail.com"
    ],
    "whiteListedEmailDomains": [
      "trusted-partner.org",
      "company.com"
    ],
    "excludedEmailsFromBlackList": [
      "[email protected]",
      "[email protected]"
    ],
    "blackListedIps": [
      "192.168.1.100",
      "10.0.0.50"
    ],
    "whiteListedIps": [
      "203.0.113.0/24"
    ],
    "excludedIpsFromBlackList": [
      "192.168.1.101"
    ],
    "subs": [
      "b0c59777-72e4-4a9f-8fe0-5d90e8a05679"
    ],
    "blackListedIdentifiers": [
      "[email protected]",
      "+1234567890"
    ]
  }
}

Response Example

{
  "success": true,
  "status": 200,
  "data": {
    "blockingSetting": {
      "enabled": true,
      "blackListedEmailDomains": [
        "tempmail.com",
        "10minutemail.com"
      ],
      "whiteListedEmailDomains": [
        "trusted-partner.org"
      ],
      "excludedEmailsFromBlackList": [
        "[email protected]"
      ],
      "blackListedIps": [
        "192.168.1.100"
      ]
    },
    "createdTime": "2024-01-15T10:30:00Z",
    "updatedTime": "2024-03-20T14:45:30Z"
  }
}

Partial Updates

The API supports partial updates. You can update only specific fields without affecting others:

{
  "blockingSetting": {
    "blackListedEmailDomains": [
      "new-threat-domain.com"
    ]
  }
}

This will add the new domain to the blacklist without changing other settings.

Best Practices

  1. Start with Whitelists: If you have trusted partners or internal domains, add them to whitelists first to prevent accidental blocking
  2. Use Exceptions Sparingly: Only add exceptions when absolutely necessary, as they can weaken security
  3. Regular Updates: Review and update your blocking lists regularly based on threat intelligence
  4. Monitor Impact: Track how blocking rules affect legitimate users and adjust accordingly
  5. Combine with Dynamic Detection: Use static blocking alongside dynamic fraud detection for comprehensive protection
  6. Document Exceptions: Keep clear records of why specific exceptions were added
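
A pre-flight check that supports practices 2 and 6 by flagging list entries that cannot take effect under the documented precedence, run before a blockingSetting is sent. This is an added example, not part of the cidaas API or tooling; the function name, the finding texts and the sample values are assumptions, and the 192.168.1.x and 203.0.113.0/24 entries mirror the page's request example.

```python
import ipaddress

# Constructed sample using the page's field names.
SAMPLE = {
    "blackListedEmailDomains": ["tempmail.com", "company.com"],
    "whiteListedEmailDomains": ["company.com"],
    "excludedEmailsFromBlackList": ["qa@tempmail.com", "ops@example.net"],
    "blackListedIps": ["192.168.1.100", "10.0.0.50", "203.0.113.9"],
    "whiteListedIps": ["203.0.113.0/24"],
    "excludedIpsFromBlackList": ["192.168.1.101", "10.0.0.300"],
}

def lint_blocking_setting(s):
    """Return (field, entry, problem) findings for a blockingSetting dict."""
    findings, nets = [], {}
    for field in ("blackListedIps", "whiteListedIps", "excludedIpsFromBlackList"):
        nets[field] = []
        for entry in s.get(field, []):
            try:  # assumed: entries are single addresses or CIDR ranges
                nets[field].append((entry, ipaddress.ip_network(entry, strict=False)))
            except ValueError:
                findings.append((field, entry, "not an IP address or CIDR range"))
    white_dom = {d.lower() for d in s.get("whiteListedEmailDomains", [])}
    black_dom = {d.lower() for d in s.get("blackListedEmailDomains", [])}
    # Whitelist is evaluated first, so these blacklist entries never block.
    for d in sorted(white_dom & black_dom):
        findings.append(("blackListedEmailDomains", d, "also whitelisted, never blocks"))
    for entry, b in nets["blackListedIps"]:
        if any(b.version == w.version and b.overlaps(w)
               for _, w in nets["whiteListedIps"]):
            findings.append(("blackListedIps", entry, "overlaps a whitelisted range"))
    # Exceptions only matter when the domain or range is actually blacklisted.
    for mail in s.get("excludedEmailsFromBlackList", []):
        if mail.lower().rpartition("@")[2] not in black_dom:
            findings.append(("excludedEmailsFromBlackList", mail,
                             "domain is not blacklisted"))
    for entry, x in nets["excludedIpsFromBlackList"]:
        if not any(x.version == b.version and x.subnet_of(b)
                   for _, b in nets["blackListedIps"]):
            findings.append(("excludedIpsFromBlackList", entry,
                             "not inside a blacklisted range"))
    return findings
```

Each finding is a candidate for removal or for a documented justification in the exception record.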

API | Description
Fraud Detection System API | Complete API reference for configuring static blocking and other fraud detection settings

Need Support?

Please contact us directly on our support page.