Country Blocking and SMTP traffic

I have been toying with tightening up the country blocking and wanted to know what people's thoughts were on turning the country blocking on for most obvious countries and then FROM to the majority of others. My question was on if people do this but allow SMTP traffic through. Would this just increase the load on the spam filter?

 

Any thoughts?

 

Regards

Lee



This thread was automatically locked due to age.
  • You need good log analysis tools to understand the consequences, since it blocks all traffic on all ports.

    Recommend deploying both standard and transparent web proxies before you start.  The proxy logs provide url and country name, while the firewall log does not, so you want as much data as possible in the web logs.   Replace transparent host skip lists with exclude-everything exceptions for the same reason.

    Transparent web includes traffic for antivirus, remote PC access, autoupdate, and other fat client apps, much of which is https using IP addresses rather than fqdn, so partitioning traffic between proxies helps to reverse engineer what a blocked entry represents.

    Some resources float around the world.   We have had great difficulty getting TeamViewer to work, because we have not been able to create a sufficient exclude list.

    Standard web proxy ignores country blocking exceptions, and many entries do not get a country code. Level 3 support is investigating. Use URL filtering exceptions as a workaround. This disables more than country checks, which is unfortunate, but it allows more powerful exclude strategies. You can exclude all of TeamViewer.com using a website exception that assigns a tag to the company name and all subdomains. Regex is also an option, but more error prone. Country blocking exceptions have to be network objects, so you cannot whitelist an entire company based on DNS domain.

    Inbound country blocking has fewer issues because they tend to be devices that are logically fixed in the internet geography.

    Good luck.

  • I analyzed that one DVR was opening a connection with China. No DynDns, no Internet DNAT or open ports.

    The DVD says in the label Made In China.

    What more do I have to analyse to block China?

  • I had a devil of a job with this. I had some spam coming from Japan and blocked it. Problem solved.

    Then all of a sudden I had mail bouncing from a key partner because they were using a Trendmicro spam solution which bounced our mail because the Trendmicro server (in Japan) couldn't connect back to us for one of their spam checks.

    I think at the time, we asked for an exception (if country blocking was enabled) for any mail that was sent to XXX, that a reply/response wouldn't be blocked for a limited period.

    eg so even if Japan was blocked, if we sent a mail to mailserver spamserver.japan.com, that mail server could respond rather than get blocked outright by country blocking.
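
The failure described in the post above (a partner's mail server connecting back shortly after we deliver mail to it, and being dropped by country blocking) can be looked for in firewall logs. The following is an added example, not part of the original thread or of any vendor tool; the record layout, the IP addresses and the function name `find_blocked_callbacks` are constructed for illustration.

```python
from datetime import datetime

# Constructed sample records, NOT a real UTM log format:
# (time, direction, remote_ip, port, country, action)
SAMPLE_EVENTS = [
    ("2024-05-01 09:00:00", "out", "203.0.113.10", 25, "JP", "accept"),
    ("2024-05-01 09:00:04", "in",  "203.0.113.10", 25, "JP", "drop"),
    ("2024-05-01 09:05:00", "in",  "203.0.113.77", 25, "JP", "drop"),
    ("2024-05-01 10:00:00", "out", "198.51.100.5", 25, "DE", "accept"),
    ("2024-05-01 10:00:03", "in",  "198.51.100.5", 25, "DE", "accept"),
    ("2024-05-01 12:00:00", "in",  "203.0.113.10", 25, "JP", "drop"),
]


def find_blocked_callbacks(events, window_seconds=300, smtp_port=25):
    """Return (remote_ip, country, delay_seconds) for every inbound SMTP
    connection that was dropped within window_seconds after we delivered
    mail to that same remote IP (a likely sender-verification callback)."""
    parsed = sorted(
        (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), d, ip, port, cc, act)
        for ts, d, ip, port, cc, act in events
    )
    last_sent = {}  # remote_ip -> time of our most recent outbound delivery
    hits = []
    for when, direction, ip, port, country, action in parsed:
        if port != smtp_port:
            continue
        if direction == "out" and action == "accept":
            last_sent[ip] = when
        elif direction == "in" and action == "drop" and ip in last_sent:
            delay = int((when - last_sent[ip]).total_seconds())
            if delay <= window_seconds:
                hits.append((ip, country, delay))
    return hits


if __name__ == "__main__":
    for ip, country, delay in find_blocked_callbacks(SAMPLE_EVENTS):
        print(f"{ip} ({country}) dropped {delay}s after our outbound delivery")
```

Drops from addresses we never sent mail to, such as the second Japanese address in the sample, are not reported; only connections that follow our own delivery within the window are candidates for an exception.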
