Filtering E-mail by World Regions in Exchange Server 2003

Posted on January 8, 2009 by Daniel Petri in Exchange Server

Working with messaging products for many years I’ve noticed that a popular question on Exchange and Outlook forums is how to block email originating from specific countries or world regions. It is possible in both Outlook and Exchange, with varying degrees of success (read my “Filtering E-mail by Regions in Outlook 2003/2007” article for more info on working with the Exchange client).

Originally, most spamming e-mail servers were hosted in the United States. The adoption of laws, such as the CAN-SPAM law of 2004, has forced many spammers to move their operations to countries with fewer controls and rules. Today, the United States is declining as the leading source of spam, and countries such as China, Korea, Russia, Vietnam, and Brazil are fast becoming sources of spamming mail servers. Naturally, countries with the highest number of spammers operating within their networks are usually those with poor or non-existent spam laws.

(Source: http://www.spamhaus.org/statistics/countries.lasso)

E-mail traffic received from places where an organization has no interest will likely be spam. Blocking e-mail from those countries or geographic regions (city, state, country, or continent) instantly eliminates a very large percentage of total spam received. Even excluding the USA, blocking the next 10 top spam generating countries might still eliminate over 50% of spam email.

IP addresses are allocated by geographical regions. Some of the following links have more information on how the IP range was divided into geographical regions, and give clues on how to find which region of the world an IP address range belongs to.

In Exchange 2003, it is possible to use Connection Filtering to reject SMTP connections from IP addresses belonging to regions from which there may simply be no valid business reason to accept messages. This can be done by manually entering the IP address range you wish to block in the Connection Filter tab:

1. Open Exchange System Manager (or ESM)

2. Expand Global Settings, then right-click Message Delivery and select Properties

3. In the Connection Filter tab, click Deny.

4. In the Deny list click on Add.

5. Add the IP address range you wish to block. For example, adding 12.166.96.32 with a subnet mask of 255.255.255.224 will block just one of the IP address ranges assigned to Nigeria.

6. When done, click Ok all the way out.

7. You will be prompted with the following error:

8. Navigate to Administrative Groups –> Your administrative group –> Servers –> Your server –> Protocols –> SMTP. Next right-click the Default SMTP Virtual Server, and click Properties.

9. In the General tab click on the Advanced button.

10. In the Advanced window click Edit.

11. In the Identification page, select the checkbox next to every type of filter we’ll use, in this case – Connection Filter. When finished, press Ok all the way out.

And with that, we are done!

However, this whole process covered just one IP address range. Although you can use automation to import entire address ranges into the connection filter, this process requires a lot of administrative overhead.
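To show how narrow a single Deny entry is and what preparing a list for import involves, here is an added example (not from the original article) that collapses CIDR blocks into the address and subnet mask pairs the Deny list asks for. Apart from the 12.166.96.32 range from step 5, the blocks are constructed documentation ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed sample input: the range from step 5 plus documentation-only
# blocks (RFC 5737) standing in for a real per-country allocation list.
SAMPLE_BLOCKS = [
    "12.166.96.32/27",
    "198.51.100.0/25",
    "198.51.100.128/25",   # adjacent to the previous block, so the two merge
    "203.0.113.64/26",
]

def to_deny_entries(blocks):
    """Collapse CIDR blocks and return (address, subnet mask) pairs,
    the two fields a Deny list entry is made of."""
    nets = ipaddress.collapse_addresses(ipaddress.ip_network(b) for b in blocks)
    return [(str(n.network_address), str(n.netmask)) for n in nets]

def entry_span(address, mask):
    """First and last address covered by one address/mask entry."""
    # ip_network() is strict by default: it raises ValueError if the address
    # has host bits set, which catches mistyped range starts before import.
    net = ipaddress.ip_network(f"{address}/{mask}")
    return str(net[0]), str(net[-1])

def is_denied(client_ip, entries):
    """True when client_ip falls inside any address/mask entry."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in ipaddress.ip_network(f"{a}/{m}") for a, m in entries)

if __name__ == "__main__":
    entries = to_deny_entries(SAMPLE_BLOCKS)
    for address, mask in entries:
        print(address, mask, entry_span(address, mask))
    print("12.166.96.40 denied:", is_denied("12.166.96.40", entries))
    print("12.166.96.64 denied:", is_denied("12.166.96.64", entries))
```

The entry from step 5 covers only 12.166.96.32 through 12.166.96.63, so a connection from 12.166.96.64 is still accepted.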


Luckily for us, rather than manually entering IP addresses to blacklist, there are DNSBLs that will return status codes by country based on the IP address provided. A DNS Blacklist, or DNSBL, is a means by which an Internet site may publish a list of IP addresses that some people may want to avoid and in a format which can be easily queried by computer programs on the Internet. The technology is built on top of the Internet Domain Name System, or DNS. DNSBLs are chiefly used to publish lists of addresses linked to spamming.

DNSBLs work in such a way that they return status codes for each query the server sends to them. The status codes are used to outline the type of offense an IP address has committed by being present in their database. DNSBL status codes range from 127.0.0.2 through 127.0.0.254.

That range is large enough to assign a single status code to each country, so what these DNSBLs did was to compile a large list of countries based upon their unique ISO country codes, and attach a custom status code to each.

An example of such a DNSBL is maintained by tqmcube.com. They have a DNSBL that returns status codes based on a legend of ISO country codes. For more information on that, see Real Time DNSBL & Spam Trap.

A snip of that list looks like this:

For example, if you decide not to accept email from Nigeria you can use Connection Filtering to drop those connections by using a DNSBL provider. The ISO country code for Nigeria is NG, and according to the page provided by the DNSBL (http://www.tqmcube.com/worldzone.php) a query for an IP address in Nigeria returns a status code of 127.0.0.166, so all we need to do is to filter on that status code.
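The lookup described above, as an added example that is not part of the original article and not Exchange's own code: the connecting IP's octets are reversed, the provider's DNS suffix is appended, and the A record that comes back is the status code. The resolver stand-in and its records are constructed so the example runs offline; only the 127.0.0.166 code for NG and the world.tqmcube.com suffix come from the page.

```python
import ipaddress
import socket

LOW = ipaddress.IPv4Address("127.0.0.2")
HIGH = ipaddress.IPv4Address("127.0.0.254")

def dnsbl_query_name(client_ip, zone):
    """Reverse the IPv4 octets and append the provider's DNS suffix."""
    octets = str(ipaddress.IPv4Address(client_ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def system_resolver(name):
    """Return the A records for name, or [] when the name does not resolve."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def connection_decision(client_ip, zone, blocked_codes, resolver=system_resolver):
    """Return ('reject', code) when a returned status code is in blocked_codes,
    otherwise ('accept', None). No answer means the IP is not listed."""
    for answer in resolver(dnsbl_query_name(client_ip, zone)):
        addr = ipaddress.IPv4Address(answer)
        # Only 127.0.0.2-127.0.0.254 are status codes. Any other answer
        # (for instance a zone that resolves every name) is ignored.
        if not (LOW <= addr <= HIGH):
            continue
        if str(addr) in blocked_codes:
            return ("reject", str(addr))
    return ("accept", None)

# Constructed stand-in for the DNSBL zone so the example runs offline.
FAKE_ZONE = {
    "40.96.166.12.world.tqmcube.com": ["127.0.0.166"],  # NG code from the page
    "7.113.0.203.world.tqmcube.com": ["127.0.0.99"],    # constructed code
    "9.100.51.198.world.tqmcube.com": ["192.0.2.1"],    # not a status code
}

def fake_resolver(name):
    return FAKE_ZONE.get(name, [])

if __name__ == "__main__":
    zone, blocked = "world.tqmcube.com", {"127.0.0.166"}
    for ip in ("12.166.96.40", "203.0.113.7", "198.51.100.9", "192.0.2.55"):
        print(ip, dnsbl_query_name(ip, zone),
              connection_decision(ip, zone, blocked, fake_resolver))
```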

Exchange Server 2003 SP2 can connect to such DNSBLs and query them before accepting any e-mail. In order to do that follow these steps:

1. Open Exchange System Manager (or ESM).

2. Expand Global Settings, then right-click Message Delivery and select Properties.

3. In the Connection Filter tab, click Add.

4. In the Connection Filter rule enter the following information:

Display name: TQMcube_Countries

DNS Suffix of provider: world.tqmcube.com

5. Click Return Status Code, and in the window that opens enter the status code for the countries you wish to block, based upon the list provided at the DNSBL website – http://www.tqmcube.com/worldzone.php. In our case, since we want to block Nigeria – I will enter 127.0.0.166.

6. Click Ok all the way out. Like in the previous example you will be prompted with the following error:

7. Navigate to Administrative Groups –> Your administrative group –> Servers –> Your server –> Protocols –> SMTP. Next right-click the Default SMTP Virtual Server, and click Properties.

8. In the General tab click on the Advanced button.

9. In the Advanced window click Edit.

10. In the Identification page, select the checkbox next to every type of filter we’ll use, in this case – Connection Filter. When finished, press Ok all the way out.

You need to repeat step #5 for each country code that you wish to block.

Note: Exchange’s anti-spam capabilities are good if that’s all the protection you’re using. But keep in mind that these capabilities are not only limited, but also create some administrative overhead, especially when the need comes to modify one of the settings. Therefore, using 3rd-party anti-spam software or an appliance is always a good idea.
