
Country Blocking and SMTP traffic

I have been toying with tightening up the country blocking and wanted to know what people's thoughts were on turning on country blocking for the most obvious countries and then FROM to the majority of others.  My question is whether people do this but allow SMTP traffic through.  Would this just increase the load on the spam filter?


Any thoughts?


Regards

Lee



  • You need good log analysis tools to understand the consequences, since it blocks all traffic on all ports.

    Recommend deploying both standard and transparent web proxies before you start.  The proxy logs provide url and country name, while the firewall log does not, so you want as much data as possible in the web logs.   Replace transparent host skip lists with exclude-everything exceptions for the same reason.

    Transparent web includes traffic for antivirus, remote PC access, autoupdate, and other fat client apps, much of which is https using IP addresses rather than fqdn, so partitioning traffic between proxies helps to reverse engineer what a blocked entry represents.

    Some resources float around the world.   We have had great difficulty getting TeamViewer to work, because we have not been able to create a sufficient exclude list.

    Standard web proxy ignores country blocking exceptions, and many entries do not get a country code.   Level 3 support is investigating.  Use URL filtering exceptions as a workaround.   This disables more than country checks, which is unfortunate, but it allows more powerful exclude strategies.  You can exclude all of TeamViewer.com using a website exception that assigns a tag to the company name and all subdomains.   Regex is also an option, but more error prone.   Country blocking exceptions have to be network objects, so you cannot whitelist an entire company based on DNS domain.

    Inbound country blocking has fewer issues because they tend to be devices that are logically fixed in the internet geography.

    Good luck.

  • DouglasFoster said:
    You need good log analysis tools to understand the consequences, since it blocks all traffic on all ports.

    ...

    Inbound country blocking has fewer issues because they tend to be devices that are logically fixed in the internet geography.

    Good luck.

    Important statement. Do you have examples ad hoc in your mind?

    Best

    Alex


  • My own (sorry for the self-promotion, but it's free, and I have been working these logs intensively since we turned on Country Blocking.)   

    This link has the basics.   

    community.sophos.com/.../how-to-using-a-sql-database-to-interpret-utm-log-files

    Send me a PM if you get this much working and want more code.
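The two replies above recommend reviewing the web proxy and firewall logs (the proxy log carries a URL and country name, the firewall log only an IP) and loading them into a SQL database to work out what country blocking actually stopped. The following is an added example, not code from the thread or from the linked community article: it parses UTM-style key="value" log lines into an in-memory SQLite table and runs the two queries an administrator would want first. The log lines are constructed samples, and the key="value" layout and the field names (sub, action, srcip, dstip, url, country) are assumptions about the log format, not values taken from this thread.

```python
"""Summarise country-blocked traffic from UTM-style key="value" log lines.

Added example, not from the thread. Assumptions: log records consist of
key="value" pairs (as UTM daemons emit); the sample lines are constructed.
"""
import re
import sqlite3
from urllib.parse import urlparse

# Constructed sample: two http proxy records (carry url and country) and two
# firewall drop records (carry only IPs, no country, as the thread notes).
SAMPLE_LOG = """\
2024:01:15-10:02:11 utm httpproxy[4242]: id="0001" severity="info" sys="SecureNet" sub="http" name="http access" action="pass" method="GET" srcip="10.1.1.20" dstip="203.0.113.10" statuscode="200" url="https://www.example.com/update" country="United States"
2024:01:15-10:02:15 utm httpproxy[4242]: id="0060" severity="info" sys="SecureNet" sub="http" name="web request blocked" action="block" method="GET" srcip="10.1.1.21" dstip="198.51.100.7" statuscode="403" url="https://198.51.100.7/remote" country="Netherlands"
2024:01:15-10:02:20 utm ulogd[1111]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" srcip="10.1.1.22" dstip="192.0.2.44" proto="6" dstport="443"
2024:01:15-10:02:25 utm ulogd[1111]: id="2001" severity="info" sys="SecureNet" sub="packetfilter" name="Packet dropped" action="drop" srcip="10.1.1.22" dstip="192.0.2.44" proto="6" dstport="443"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key="value" fields of one log line as a dict."""
    return dict(FIELD_RE.findall(line))


def load_log(text):
    """Parse every non-empty line into an in-memory SQLite table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE events (
        sub TEXT, action TEXT, srcip TEXT, dstip TEXT, dstport TEXT,
        url TEXT, host TEXT, country TEXT)""")
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_line(line)
        url = f.get("url", "")
        host = urlparse(url).hostname if url else None
        # Firewall rows have no country field; record them as "unknown".
        rows.append((f.get("sub"), f.get("action"), f.get("srcip"),
                     f.get("dstip"), f.get("dstport"), url or None, host,
                     f.get("country") or "unknown"))
    conn.executemany("INSERT INTO events VALUES (?,?,?,?,?,?,?,?)", rows)
    return conn


def blocked_by_country(conn):
    """Count blocked/dropped events per country (most frequent first)."""
    cur = conn.execute("""
        SELECT country, COUNT(*) FROM events
        WHERE action IN ('block', 'drop')
        GROUP BY country ORDER BY COUNT(*) DESC, country""")
    return cur.fetchall()


def unexplained_blocks(conn):
    """Blocked destinations known only by IP: either no URL at all (firewall
    entry) or a URL whose host is the bare IP. These are the entries that
    need a proxy log or other lookup before they can be excluded sensibly."""
    cur = conn.execute("""
        SELECT dstip, dstport, COUNT(*) FROM events
        WHERE action IN ('block', 'drop') AND (host IS NULL OR host = dstip)
        GROUP BY dstip, dstport ORDER BY dstip""")
    return cur.fetchall()


if __name__ == "__main__":
    db = load_log(SAMPLE_LOG)
    print("blocked events by country:")
    for country, n in blocked_by_country(db):
        print(f"{n:5d}  {country}")
    print("blocked destinations known only by IP:")
    for ip, port, n in unexplained_blocks(db):
        print(f"{n:5d}  {ip}:{port or '-'}")
```

Replace `SAMPLE_LOG` with the contents of a real log file to run it on your own data. The "unknown" bucket is the firewall-only traffic the thread warns about: it shows how much of what country blocking stops cannot be attributed to a country or a hostname from that log alone, which is the case for routing more traffic through the proxies.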
