This discussion has been locked.

Country Blocking and SMTP traffic

I have been toying with tightening up the country blocking and wanted to know what people's thoughts were on turning country blocking on for the most obvious countries and then BLOCK FROM for the majority of others.  My question was whether people do this but allow SMTP traffic through.  Would this just increase the load on the spam filter?


Any thoughts?


Regards

Lee



  • Sorry for asking, but I didn't get the question right.

    Increase the load compared to without country blocking or without the exception of smtp?

    So I'll try to answer my best guess.

    Depending on your email volume, the spam filter should handle the load without country blocking. If you need this, the device is too small. If you use country blocking and block SMTP for some countries, the load will be lower than without.


    Best
    Alex

    -

  • Sorry, I didn't explain myself very well.  I just wanted to know if it was good practice to adjust the country blocking settings as required (I was looking to at least set BLOCK FROM for most countries) but then make an exception to the rule for SMTP and just let the spam filter deal with them as they come through.
    I was just after some advice on making sure that I set up the best security policy without hindering email flow.
    Hope this makes more sense.
    regards
    Lee

  • Hello Lee,

    This makes a lot of sense to me, mainly because it is the setup I have done myself :-) I use country blocking mainly to get rid of attack attempts. But of course you can't be sure you aren't blocking out some email server you don't want to. That's why making an exception for SMTP is the best way, I think. The spam filter does a good job in my opinion.

    Hope this was the right direction to your question.

    Best

    Alex

    -

  • You need good log analysis tools to understand the consequences, since it blocks all traffic on all ports.

    Recommend deploying both standard and transparent web proxies before you start.  The proxy logs provide url and country name, while the firewall log does not, so you want as much data as possible in the web logs.   Replace transparent host skip lists with exclude-everything exceptions for the same reason.

    Transparent web includes traffic for antivirus, remote PC access, autoupdate, and other fat client apps, much of which is HTTPS using IP addresses rather than FQDNs, so partitioning traffic between proxies helps to reverse engineer what a blocked entry represents.

    Some resources float around the world.   We have had great difficulty getting TeamViewer to work, because we have not been able to create a sufficient exclude list.

    Standard web proxy ignores country blocking exceptions, and many entries do not get a country code.   Level 3 support is investigating.  Use URL filtering exceptions as a workaround.   This disables more than country checks, which is unfortunate, but it allows more powerful exclude strategies.  You can exclude all of TeamViewer.com using a website exception that assigns a tag to the company name and all subdomains.   Regex is also an option, but more error prone.   Country blocking exceptions have to be network objects, so you cannot whitelist an entire company based on a DNS domain.

    Inbound country blocking has fewer issues because they tend to be devices that are logically fixed in the internet geography.

    Good luck.
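An added example of the kind of log triage the post above describes (this is not code from the thread or from Sophos). It works over a handful of constructed log lines in a simplified key=value layout invented for the example, not the UTM's real packet-filter or proxy log format: blocked entries are grouped by country and destination port, entries that carry no country code are listed separately, and proxy blocks whose URL names a bare IP address (the HTTPS-by-IP fat-client traffic the post mentions) are pulled out so they can be investigated first.

```python
"""Triage constructed country-block log lines (added example, not Sophos code).

The key=value layout below is invented for this example and is NOT the
UTM's real firewall or web-proxy log format.
"""
import re
from collections import Counter

# Constructed sample: firewall drops (some with no country code) plus
# proxy blocks, which carry a URL and a country name.
SAMPLE_LOG = """\
src=fw action=drop srcip=203.0.113.10 dstport=22 country=CN
src=fw action=drop srcip=203.0.113.11 dstport=3389 country=CN
src=fw action=drop srcip=198.51.100.7 dstport=25 country=JP
src=fw action=drop srcip=198.51.100.9 dstport=25 country=JP
src=fw action=drop srcip=192.0.2.44 dstport=443 country=
src=proxy action=block srcip=10.0.0.5 dstport=443 url=https://updates.example.net/feed country=RU
src=proxy action=block srcip=10.0.0.6 dstport=443 url=https://192.0.2.81/ country=
src=fw action=pass srcip=198.51.100.20 dstport=25 country=DE
"""

KV = re.compile(r"(\w+)=(\S*)")            # key=value pairs separated by spaces
IP_HOST = re.compile(r"^https?://(\d{1,3}(?:\.\d{1,3}){3})(?:[:/]|$)")


def parse_line(line):
    """Turn one constructed log line into a dict of its key=value fields."""
    return dict(KV.findall(line))


def triage(log_text):
    """Summarise blocked entries.

    Returns a dict with:
      blocks       Counter keyed by (country, dstport) for drop/block entries
      no_country   source IPs of blocked entries that carry no country code
      ip_only_urls hosts of proxy blocks whose URL uses a bare IP address
    """
    blocks = Counter()
    no_country = []
    ip_only_urls = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec.get("action") not in ("drop", "block"):
            continue                                   # only blocked traffic matters here
        port = int(rec["dstport"])
        country = rec.get("country") or "(none)"
        blocks[(country, port)] += 1
        if country == "(none)":
            no_country.append(rec["srcip"])
        m = IP_HOST.match(rec.get("url", ""))
        if m:
            ip_only_urls.append(m.group(1))
    return {"blocks": blocks, "no_country": no_country, "ip_only_urls": ip_only_urls}


def smtp_blocked_countries(summary):
    """Countries from which port-25 connections were blocked: the candidates
    for the SMTP exception discussed in the thread, since blocked mail
    servers here may mean lost mail rather than stopped attacks."""
    return sorted({c for (c, port) in summary["blocks"] if port == 25 and c != "(none)"})


if __name__ == "__main__":
    s = triage(SAMPLE_LOG)
    for (country, port), n in sorted(s["blocks"].items()):
        print(f"{country:8} port {port:5} blocked {n}x")
    print("no country code:", s["no_country"])
    print("HTTPS by bare IP:", s["ip_only_urls"])
    print("port 25 blocked from:", smtp_blocked_countries(s))
```

The `no_country` and `ip_only_urls` lists are the entries a skip list or network-object exception cannot be written for until the host behind them is identified, which is the reason the post recommends collecting as much of this traffic as possible in the proxy logs rather than the firewall log.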

  • DouglasFoster said:
    You need good log analysis tools to understand the consequences, since it blocks all traffic on all ports.

    ...

    Inbound country blocking has fewer issues because they tend to be devices that are logically fixed in the internet geography.

    Good luck.

    Important statement. Do you have examples ad hoc in your mind?

    Best

    Alex

    -

  • My own (sorry for the self-promotion, but it's free, and I have been working these logs intensively since we turned on Country Blocking.)   

    This link has the basics.   

    community.sophos.com/.../how-to-using-a-sql-database-to-interpret-utm-log-files

    Send me a PM if you get this much working and want more code.

  • You also asked about workload.   Blocking traffic is less overhead than letting it through.   Blocking non-SMTP traffic has no effect on the SMTP traffic, therefore no effect on the workload.   Don't worry about it.

  • I analysed that one DVR was opening connections to China. No DynDNS, no Internet DNAT or open ports.

    The DVR's label says Made In China.

    What more do I have to analyse to block China?

  • I had a devil of a job with this. I had some spam coming from Japan and blocked it. Problem solved.

    Then all of a sudden I had mail bouncing from a key partner because they were using a Trendmicro spam solution which bounced our mail because the Trendmicro server (in Japan) couldn't connect back to us for one of their spam checks.

    I think at the time, we asked for an exception (if country blocking was enabled) for any mail that was sent to XXX, that a reply/response wouldn't be blocked for a limited period.

    e.g. so even if Japan was blocked, if we sent a mail to mail server spamserver.japan.com, that mail server could respond rather than get blocked outright by country blocking.
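An added example (not from the thread and not Sophos code) that replays the Japan bounce described in the post above against a small model of country blocking. The country lookup is a constructed table rather than a GeoIP database, and the `reply_window` option models the time-limited "let the server we just mailed reply" exception the poster asked for, which is a hypothetical feature here, not something the product is claimed to offer. The scenario is: we deliver mail to a partner's MX in a blocked country, and that MX connects back to us on port 25 to run a check before accepting the message.

```python
"""Country-blocking policy model with an SMTP exception (added example, not
Sophos code). GEO is a constructed lookup table, not a GeoIP database."""
from dataclasses import dataclass, field

GEO = {"198.51.100.25": "JP", "203.0.113.5": "CN", "192.0.2.10": "GB"}  # constructed


def country(ip):
    return GEO.get(ip, "??")


@dataclass
class Policy:
    block_from: set                                   # countries blocked as a source (inbound)
    block_to: set                                     # countries blocked as a destination (outbound)
    allow_ports: set = field(default_factory=set)     # exception: ports exempt from country blocking
    allow_hosts: set = field(default_factory=set)     # exception: network objects exempt
    reply_window: int = 0                             # hypothetical: seconds a mailed host may reply back
    recent_out: dict = field(default_factory=dict)    # (remote, port) -> time of last allowed outbound


def decide(policy, src, dst, dport, direction, now=0):
    """Return 'allow' or 'block'. direction is 'in' (src is the remote host)
    or 'out' (dst is the remote host)."""
    remote = src if direction == "in" else dst
    c = country(remote)
    blocked = c in (policy.block_from if direction == "in" else policy.block_to)
    if blocked and dport not in policy.allow_ports and remote not in policy.allow_hosts:
        # Hypothetical time-limited reply exception: we recently connected out
        # to this host on this port, so let its connection back in.
        seen = policy.recent_out.get((remote, dport))
        replying = (direction == "in" and policy.reply_window > 0
                    and seen is not None and now - seen <= policy.reply_window)
        if not replying:
            return "block"
    if direction == "out":
        policy.recent_out[(remote, dport)] = now
    return "allow"


def callback_scenario(policy, our_mx="192.0.2.10", partner_mx="198.51.100.25", now=0):
    """We send mail to the partner MX (outbound 25), then the partner MX
    connects back to us (inbound 25) for its check. Returns both verdicts."""
    outbound = decide(policy, our_mx, partner_mx, 25, "out", now)
    callback = decide(policy, partner_mx, our_mx, 25, "in", now + 5)
    return outbound, callback


if __name__ == "__main__":
    strict = Policy(block_from={"JP", "CN"}, block_to=set())
    print("no exception:  ", callback_scenario(strict))        # mail out fine, callback dropped -> bounce
    smtp_ok = Policy(block_from={"JP", "CN"}, block_to=set(), allow_ports={25})
    print("SMTP exception:", callback_scenario(smtp_ok))
    print("RDP from JP:   ", decide(smtp_ok, "198.51.100.25", "192.0.2.10", 3389, "in"))
```

The SMTP exception is a port exception, so it lets the Japanese MX connect back on 25 while the same host is still blocked on every other port; the alternative of whitelisting `partner_mx` as a network object (`allow_hosts`) also works but has to be maintained per server, which is the weakness the thread keeps running into.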