1. Opening Problem Statement
Meet Alex, a cybersecurity analyst responsible for monitoring phishing websites targeting Steam users. Every day, Alex manually checks dozens of suspicious domains reported by the community, an exhausting process riddled with risks. Time lost scrolling through DNS records, repeated manual email notifications to security teams at Cloudflare and Valve, and the constant chance of missing critical phishing sites burden his daily workflow. Manual checking alone costs Alex hours each week, allowing threats to linger longer and putting Steam users at continual risk.
This is exactly where our automation workflow using n8n steps in. It transforms Alex’s tedious process into an automated, error-proof system that actively verifies domain names, checks for Cloudflare affiliation via DNS records, and sends targeted alert emails to both Cloudflare’s security team and Valve’s security contact automatically. No more wasted time, fewer errors, and faster protective responses.
2. What This Automation Does
When triggered, this n8n workflow accomplishes the following specific outcomes:
- Validates domain format for suspicious Steam phishing URLs submitted through a webhook.
- Ensures DNS records exist by checking if the domain has name servers.
- Uses the dig command to check whether the domain’s name servers include Cloudflare, which indicates that the phishing site sits behind Cloudflare protection.
- Sends automated emails via Mailgun: One alert to Cloudflare’s security team if the domain uses Cloudflare’s name servers, and another to Valve’s security team regardless.
- Installs necessary tools (bind-tools) on the n8n server automatically if missing, ensuring the workflow functions smoothly without manual system maintenance.
- Helps accelerate cybersecurity response by automating repetitive manual checks and notifications, saving hours weekly for security analysts like Alex.
3. Prerequisites ⚙️
- n8n account (Cloud or self-hosted) 🔌
- Mailgun account with API key for sending emails 📧🔑
- Server or environment where n8n can execute shell commands (for the bind-tools installation and dig commands) ⏱️
- Basic HTTP authentication credentials for securing the webhook 🔐
- Access to configure webhook URL for receiving phishing domain submissions 💬
- Optional: Self-hosting recommended for full command execution capability.
4. Step-by-Step Guide to Build This Workflow
Step 1: Set Up the Webhook Node to Receive Domain Queries
Navigate to +Add Node → Select “Webhook” node.
Set the path to steam, enable Basic Auth and configure credentials to secure submissions.
The webhook captures query data containing the suspicious domain in the “q” parameter.
You should see a URL generated like https://your-n8n-instance/webhook/steam.
Common mistake: Forgetting to configure basic authentication will expose your webhook to unsolicited traffic.
Step 2: Add Validation with an IF Node for Domain Format
After the webhook, add an IF node named “IF1”.
Configure the condition to use regex that matches typical domain format: /^[a-zA-Z0-9-_.]+$/
This ensures only valid domain-like queries proceed.
Expected outcome: Invalid domain submissions are dropped silently.
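Common mistake: Using too loose a regex. The q value is interpolated directly into the shell commands in Steps 4 and 6, so this check is the only thing keeping spaces and shell metacharacters out of those command lines. A loose pattern also causes false positives or errors downstream.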
Step 3: Ensure bind-tools are Installed Using an Execute Command Node
Add an Execute Command node named “Add bind-tools”.
Set the command to which dig || apk add bind-tools.
This checks if the dig command is available and installs bind-tools on Alpine Linux if missing.
Enable retry on failure for robust installation.
Expected result: The node ensures the environment can run DNS queries.
Common mistake: Not allowing continuation on fail might stop your workflow entirely if the install fails.
Step 4: Check if Domain Has Name Servers Using dig
Add another Execute Command node “dig check if domain is valid”.
Command: dig NS {{$node["Webhook"].data["query"]["q"]}} +short | wc -l
Checks the count of NS records for the submitted domain.
Expected output: A number greater than 0 means the domain has name servers.
Common mistake: Typing errors in the command interpolation will cause failures.
Step 5: Add IF Node to Proceed Only if NS Records Exist
Add IF node “If it has nameservers”.
Set condition: Output of previous Execute Command node’s stdout larger than 0.
This gatekeeping step stops invalid domains from proceeding.
Expected outcome: Workflow halts for invalid domains.
Common mistake: Not checking stdout properly could pass false domains.
Step 6: Check if Domain Uses Cloudflare
Add another Execute Command node “dig check CF”.
Set command to: dig NS {{$node["Webhook"].data["query"]["q"]}} +short | grep cloudflare.com.$ | wc -l
This command returns count of NS entries indicating Cloudflare hosting.
Expected result: A number greater than 0 means Cloudflare is used.
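Common mistake: Miswriting the grep pattern will cause false negatives. The pattern as written is also unanchored on the left and its dots are unescaped, so a name server such as ns1.notcloudflare.com. (a constructed example) would be counted as Cloudflare.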
Step 7: IF Node to Condition on Cloudflare Presence
Add IF node “IF” after “dig check CF”.
Condition: Result from “dig check CF” stdout is larger than zero.
Only domains behind Cloudflare will trigger this path.
Expected outcome: Paths split for mail notification.
Common mistake: Incorrectly referencing previous node output leads to logic errors.
Step 8: Create Mailgun Email Node to Notify Cloudflare
Add Mailgun node named “Mail CloudFlare”.
Set recipient to [email protected], subject containing domain.
Use interpolation to personalize message body.
Attach CC if needed.
Use your Mailgun API credentials.
Expected effect: Cloudflare security team gets immediate phishing alert.
Common mistake: Using wrong credentials or forgetting fromEmail will block sending.
Step 9: Create Mailgun Email Node to Notify Valve (Steam)
Add another Mailgun node “Mail Steam”.
Send notification email to [email protected].
Customize the subject and message to include the suspicious domain.
Expected outcome: Valve’s security team is informed regardless of Cloudflare usage.
Common mistake: CC fields or fromEmail not set correctly causing delivery issues.
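The decision logic of Steps 2 to 7, as an added example that is not part of the original workflow: a stricter domain check than the IF1 regex (it drops the underscore, enforces label structure and rejects a leading hyphen) and a Cloudflare match anchored on a label boundary. The function names, the steam-login.example domain and the sample NS outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not the workflow's own code): stricter IF1 and "dig check CF" logic.
LC_ALL=C; export LC_ALL   # make the A-Z / a-z ranges byte-exact

# Return 0 only for a hostname that is safe to hand to dig as an argument.
is_valid_domain() {
    d=$1
    [ "${#d}" -ge 1 ] && [ "${#d}" -le 253 ] || return 1
    # Allowlist first: rejects spaces, newlines and every shell metacharacter.
    case $d in *[!A-Za-z0-9.-]*) return 1 ;; esac
    # Labels of 1-63 characters, no leading or trailing hyphen, at least two labels.
    # A value starting with "-" fails here, so dig cannot read it as an option.
    printf '%s\n' "$d" | grep -Eq \
      '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# Count non-empty lines of `dig NS <domain> +short` output read from stdin.
count_ns() { grep -c . || true; }

# Count NS hosts under cloudflare.com, anchored on a label boundary with the
# dots escaped, so "notcloudflare.com." is not counted.
count_cloudflare_ns() { grep -Eci '(^|\.)cloudflare\.com\.?$' || true; }

# Mirror Steps 2-7: $1 = submitted domain, $2 = NS output. Prints the branch taken.
route_report() {
    is_valid_domain "$1" || { echo reject; return 0; }
    [ "$(printf '%s\n' "$2" | count_ns)" -gt 0 ] || { echo no-nameservers; return 0; }
    if [ "$(printf '%s\n' "$2" | count_cloudflare_ns)" -gt 0 ]; then
        echo cloudflare+valve
    else
        echo valve
    fi
}

# Constructed sample NS outputs (not real lookups); the domain is a placeholder.
SAMPLE_CF='ada.ns.cloudflare.com.
bob.ns.cloudflare.com.'
SAMPLE_LOOKALIKE='ns1.notcloudflare.com.
ns2.notcloudflare.com.'

route_report 'steam-login.example' "$SAMPLE_CF"
route_report 'steam-login.example' "$SAMPLE_LOOKALIKE"
route_report '-fbatch' "$SAMPLE_CF"
# Live use: route_report "$q" "$(dig NS "$q" +short)"
```

Inside n8n the same checks can run in a single Execute Command node, with the webhook value passed as a quoted argument rather than pasted into the command string.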
5. Customizations ✏️
- Change Recipient Emails: In the “Mail CloudFlare” or “Mail Steam” nodes, update the toEmail and ccEmail fields to reflect your organization’s or other security team emails.
- Expand DNS Check to Other Services: Modify the “dig check CF” command to detect other DNS providers by changing the grep pattern from cloudflare.com.$ to another provider domain.
- Add Logging Node: Insert a Write Binary File or Google Sheets node after email notifications to log reported domains with timestamps.
- Customize Email Templates: Edit the text field of Mailgun nodes to include more detailed reporting or branding.
- Secure the Webhook Further: Add IP whitelist checks in the “IF1” node or additional webhook authentication layers.
6. Troubleshooting 🔧
Problem: “dig” command not found or command execution fails
Cause: bind-tools package is missing or installation failed.
Solution: Check the “Add bind-tools” node’s logs, ensure you have permissions to install packages on your server. Run command manually if needed outside n8n.
Problem: Email notifications not sending
Cause: Incorrect Mailgun API credentials or missing email fields.
Solution: Double-check Mailgun node settings, confirm API key validity, and that the “fromEmail” and “toEmail” fields are correctly filled.
Problem: Workflow triggers on invalid domains or blank queries
Cause: Regex condition in “IF1” node too permissive or misconfigured.
Solution: Tighten regex pattern and test webhook payloads for expected format.
7. Pre-Production Checklist ✅
- Verify webhook security with basic auth credentials.
- Test webhook with known valid and invalid domain queries.
- Confirm bind-tools installation completes successfully in the environment.
- Test each Execute Command node manually with sample domains to see expected outputs.
- Send sample emails with Mailgun nodes to verify email delivery.
- Backup n8n workflow JSON before deploying live.
8. Deployment Guide
Activate the workflow by toggling the “active” status in n8n.
Expose the webhook endpoint URL securely to your phishing report intake system.
Monitor automation runs via n8n’s workflow executions dashboard for errors.
Ensure your server environment remains operational with the bind-tools available.
Regularly update email recipients as your security contacts evolve.
9. FAQs
- Can I use another mail service besides Mailgun? Yes, you can swap out Mailgun nodes with SMTP or other email nodes if preferred, but you’ll need to adjust credentials accordingly.
- Does this workflow use many API credits? Mailgun sends emails via API calls. The number of emails sent depends on how frequently phishing domains are reported.
- Is the domain validity check 100% accurate? It checks name server presence but does not guarantee domain legitimacy.
- Can this workflow scale to many phishing reports? It depends on your n8n hosting limits, but it’s designed for moderate volumes typical in phishing monitoring teams.
10. Conclusion
By setting up this n8n workflow, you’ve automated the detection and alerting process Alex faced. You save hours of manual DNS lookups and email reporting every week, empowering faster response to Steam phishing threats. With simple customization, you can extend the system for other phishing domains or adjust notifications to various teams. Next, consider adding a logging database or integrating Slack alerts for real-time security team notifications. This focused, hands-on automation brings real, measurable efficiency to cybersecurity operations.