Dear Nikoolayy1,

the ip intelligence is already activated and I'm looking for extra layer. thanks a lot.

If don't want to buy another device you may consider SMTP relay services like SendGrid etc. that are cloud based offerings. Symantec even has Email Security.cloud but from F5 point I think that they have given up on this market :

https://www.mailchannels.com/why-use-an-smtp-relay-service/

Also I just renembered that you can use the URLDB for the SWG module to filter based on FQDN/Domain names:

https://devcentral.f5.com/s/question/0D51T00008GXZw0/is-there-f5-ip-intelligence-based-on-domainfqdn-domain-intelligence

Still you will need to see if you can do this for the SMTP traffic and it will be hard work and maybe not worth the efford:

https://devcentral.f5.com/s/articles/smtp-filter-and-forward-proxy

So is that mean, i can create data group contains all blacklist domain then create irule to check the blacklist domains and it will be assigned to email VS ?!

how to write the irule ?

and is it possible to check   PTR using irule !

About the irule I don't think there is exactly what you are looking for but probably it could be written but it will take a lot of time to capture the traffic with TCP::collect and to match on the "From: user@domain.com" value in the emails but I admit don't have a use case to try do it. This is why I gave you the example with the iRule with smtp-filter-and-proxy.

For PTR if your device is not the DNS/GTM you may extract the needed value from the email payloadd and with the "RESOLV::lookup" to check it as I don't know if ''NAME::lookup'' supports PTR resolution:

https://clouddocs.f5.com/api/irules/resolv__lookup.html

https://clouddocs.f5.com/api/irules/NAME__lookup.html

A good note is you can use free feed lists as alternative to the F5 URLDB service for the SWG module like Minemelt if you have AFM you can add custom feed lists and if not you may check the tabul CVS importer iRule that I also use for some things.

https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/minemeld

https://devcentral.f5.com/s/articles/csv-tabular-data-sideband-importer

https://devcentral.f5.com/s/articles/populating-tables-with-csv-data-via-sideband-connections

many thanks i will check that.

Another helpfull article like the one for the SMTP proxy:

https://devcentral.f5.com/s/question/0D51T00006j2p4a/logging-smtp-traffic-info-via-hsl-to-remote-log-server

Also you may try using a Stream profile than TCP::collect or SSL::collect for encrypted SMTP traffic as mentioned in:

https://devcentral.f5.com/s/question/0D51T00006j2p4Z/irule-for-smtp-passing-client-ip-addr-to-backen...

many thanks, your support is highly appreciated.