How to block all email from firebaseapp.com?

Comments

10 comments

  • mtindor

    add *.firebaseapp.com to

    /etc/blocked_incoming_email_domains


    0
  • mtindor

    If you do what I said above, any time something comes in for *.firebaseapp.com, it will be blocked during SMTP and the sending server will receive "Sender domain is banned"

     

    1
  • quietFinn

    it must be *.firebaseapp.com not *firebaseapp.com

     

     

    0
  • ffeingol

    Alas, still not working with .firebaseapp.com.  It's getting marked with a really high spam score, but not blocking.  This is being done at the domain level in the Domain's email blacklist.

    0
  • mtindor

     

    If your /etc/blocked_incoming_email_domains file contains *.firebaseapp.com in it, it should be rejecting (during SMTP) and never making it to spamassassin or to a specific domain.

    0
  • ffeingol

    mtindor I completely agree that would work.  The "problem" is that only one customer is complaining, so we only want to do this for their domain/account, not everyone on the server.

    0
  • Mise

    Activate and customize Exim filters :
    https://docs.cpanel.net/knowledge-base/email/how-to-customize-the-exim-system-filter-file/

    then edit the filters file:  
    nano /etc/cpanel_exim_system_filter_new

    The logic is easy. Include something like these examples according to your wishes:

    # block to all 
    if ($message_headers contains "firebaseapp") 
    then
      fail text "Firebaseapp not allowed in this server"
    endif

    # block to one domain
    if ($message_headers contains "firebaseapp") 
        and ($h_to contains "customer1.com")
    then
      fail text "Firebaseapp not allowed for customer1.com"
    endif


    # block to several domains
    if ($message_headers contains "firebaseapp") 
        and ($h_to contains "customer1.com" or
             $h_to contains "customer2.com" or
             $h_to contains "customer3.com")
    then
      fail text "Firebaseapp not allowed in this server"
    endif

    and finally rebuild and restart:

    /scripts/buildeximconf; service exim restart


    I block all firebaseapp messages by default. In case one customer asks for it, I allow the exception by introducing:

    and ($h_to does not contain "onecustomer.com")

    before the rest.

     

    hope it helps

    0
  • Kanakbhuvan LLP

    You’re on the right track, but simply blocking firebaseapp.com often doesn’t work because most spam filters don’t support wildcard domain blocking in that format, and many Firebase-hosted apps send mail through third-party mail servers.

    Here are a few more effective approaches:

    1. Block by sender domain properly
    Instead of firebaseapp.com, try blocking:

    • firebaseapp.com (exact domain)
    • @firebaseapp.com (if your system supports it)

    2. Use header-based filtering
    Many of these emails won’t actually originate from Firebase servers. Check the email headers and block based on:

    • Return-Path
    • Reply-To
    • Sending IP or mail server hostname

    3. Block by SPF/DKIM failure or mismatch
    A lot of spam from Firebase-hosted pages fails authentication. Configure your filter to:

    • Reject SPF softfail/fail
    • Enforce DKIM/DMARC policies

    4. URL/domain filtering (most effective)
    Since the spam usually contains links like xyz.firebaseapp.com, set up a rule to:

    • Block or quarantine emails containing firebaseapp.com in the email body

    5. Use your email provider’s advanced filtering
    If you're using services like Microsoft 365 or Google Workspace:

    • Create a transport rule (Exchange) or content compliance rule (Gmail)
    • Condition: message body contains firebaseapp.com
    • Action: reject or quarantine

    6. Consider allowlisting instead (if feasible)
    If spam is overwhelming, switching to an allowlist approach (trusted senders only) for certain users can help.

    0
  • Mise

    Kanakbhuvan, read the specifications about Exim expansion variables. 

    $message_headers contains all the headers of the current message as a single string, so you can search for the presence of a specific word or phrase anywhere within all the headers.

    The messages will fail when the string "firebaseapp.com" is found inside their headers. It is simpler than what you write.

    The previous filter I wrote will work with the presence of firebaseapp.com in any place inside the headers. No need for wildcards, subdomains, prefixes, or added things. 

    0
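
An added example, not written by any poster in this thread and not Exim or cPanel code: a Python model of the two kinds of matching discussed above, the leading-asterisk patterns in /etc/blocked_incoming_email_domains and the case-insensitive `contains` tests in the system filter. It assumes the blocked-domains file is read as an Exim domain list (leading `*` is a tail match); the function names, messages and envelope values are constructed for illustration.

```python
from email import message_from_string

def domain_pattern_matches(pattern, domain):
    """Assumed Exim domain-list rule: a leading '*' is a tail match, else exact."""
    pattern, domain = pattern.lower(), domain.lower()
    if pattern.startswith("*"):
        return domain.endswith(pattern[1:])
    return domain == pattern

def headers_contain(raw, needle):
    """Model of `$message_headers contains "..."` (case-insensitive substring)."""
    header_block = raw.split("\n\n", 1)[0]
    return needle.lower() in header_block.lower()

def to_header_contains(raw, needle):
    """Model of `$h_to contains "..."`: reads the To: header, not the envelope."""
    to_value = message_from_string(raw).get("To") or ""
    return needle.lower() in to_value.lower()

# Constructed samples: (envelope sender domain, envelope recipient, raw message).
SPAM = ("xyz.firebaseapp.com", "owner@customer1.com",
        "From: Promo <noreply@xyz.firebaseapp.com>\n"
        "To: undisclosed-recipients:;\n"
        "Subject: You won\n\nclick here\n")
LEGIT = ("example.org", "owner@customer1.com",
         "From: Dev <dev@example.org>\n"
         "To: owner@customer1.com\n"
         "Subject: Moving our site off firebaseapp hosting\n\nplan attached\n")

def evaluate(sample, pattern="*.firebaseapp.com", customer="customer1.com"):
    sender_domain, rcpt, raw = sample
    return {
        "sender_domain_rule": domain_pattern_matches(pattern, sender_domain),
        "header_substring_rule": headers_contain(raw, "firebaseapp"),
        "to_header_names_customer": to_header_contains(raw, customer),
        "envelope_rcpt_is_customer": rcpt.lower().endswith("@" + customer),
    }

if __name__ == "__main__":
    for name, sample in (("spam", SPAM), ("legit", LEGIT)):
        print(name, evaluate(sample))
    # The undotted pattern also matches an unrelated domain.
    print(domain_pattern_matches("*firebaseapp.com", "notfirebaseapp.com"))
    # The dotted form does not cover the bare domain itself.
    print(domain_pattern_matches("*.firebaseapp.com", "firebaseapp.com"))
```

In these constructed samples the header-substring rule also fires on the legitimate message because its Subject mentions firebaseapp, and the To: test does not see the spam delivered to a customer1.com mailbox whose address is absent from To:.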
  • freedman

    I found this post because I've been having problems with people sending spam through outlook.  We added:

    *.onmicrosoft.com

    to  blocked_incoming_email_domains

    Which worked well, except many seem to send through outlook with no from in the headers, it's in the message body so shows up in email with the from address.  

    I noticed that there is a header: "X-Originatororg"

    So I added the following which seems to have stopped the spam going through outlook without a proper smtp from header to match:

    #BEGIN ACL-RECIPIENT-BLOCK-OUTLOOK
    # BEGIN INSERT blockeddomainsoutlook
      deny
        message = Your host is not allowed to connect to this server.
        log_message = Sender domain is banned
        condition = ${if match_domain{$h_X-OriginatorOrg:}{+blocked_domains}{yes}{no}}
    # END INSERT blockeddomainsoutlook

     

    0
