Filtering E-mail by World Regions in Exchange Server 2003

Having worked with messaging products for many years, I’ve noticed that a popular question on Exchange and Outlook forums is how to block e-mail originating from specific countries or world regions. It is possible in both Outlook and Exchange, with varying degrees of success (read my “Filtering E-mail by Regions in Outlook 2003/2007” article for more info on working with the Exchange client).

Originally, most spamming e-mail servers were hosted in the United States. The adoption of laws, such as the CAN-SPAM law of 2004, has forced many spammers to move their operations to countries with fewer controls and rules. Today, the United States is declining as the leading source of spam, and countries such as China, Korea, Russia, Vietnam, and Brazil are fast becoming sources of spamming mail servers. Naturally, countries with the highest number of spammers operating within their networks are usually those with poor or non-existent spam laws.

[Figure: spam origins]

(Source: http://www.spamhaus.org/statistics/countries.lasso)

E-mail traffic received from places where an organization has no interest will likely be spam. Blocking e-mail from those countries or geographic regions (city, state, country, or continent) instantly eliminates a very large percentage of total spam received. Even excluding the USA, blocking the next 10 top spam-generating countries might still eliminate over 50% of spam e-mail.

IP addresses are allocated by geographical region. Some of the following links have more information on how the IP range was divided into geographical regions, and give clues on how to find which region of the world an IP address range belongs to.

In Exchange 2003, it is possible to use Connection Filtering to reject SMTP connections from IP addresses belonging to regions from which there may simply be no valid business reason to accept messages. This can be done by manually entering the IP address range you wish to block in the Connection Filter tab:

1. Open Exchange System Manager (or ESM)

2. Expand Global Settings, then right-click Message Delivery and select Properties


3. In the Connection Filter tab, click Deny.


4. In the Deny list click on Add.


5. Add the IP address range you wish to block. For example, adding 12.166.96.32 with a subnet mask of 255.255.255.224 will block just one of the IP address ranges assigned to Nigeria.


6. When done, click OK all the way out.


7. You will be prompted with the following error:

Connection, Recipient, Sender ID, and Sender Filtering must manually be enabled on specific SMTP virtual server IP address assignments as they are not enabled by default. For more information on how to enable any of the above filtering types, read their associated help.


8. Navigate to Administrative Groups –> Your administrative group –> Servers –> Your server –> Protocols –> SMTP. Next right-click the Default SMTP Virtual Server, and click Properties.


9. In the General tab click on the Advanced button.


10. In the Advanced window click Edit.


11. In the Identification page, select the checkbox next to every type of filter we’ll use, in this case Connection Filter. When finished, click OK all the way out.


And with that, we are done!

However, this whole process covered just one IP address range. Although you can use automation to import entire address ranges into the connection filter, doing so requires a lot of administrative overhead.

Luckily for us, rather than manually entering IP addresses to blacklist, we can use DNSBLs that return status codes by country based on the IP address provided. A DNS Blacklist, or DNSBL, is a means by which an Internet site may publish a list of IP addresses that some people may want to avoid, in a format that can be easily queried by computer programs on the Internet. The technology is built on top of the Internet Domain Name System, or DNS. DNSBLs are chiefly used to publish lists of addresses linked to spamming.

DNSBLs work in such a way that they return status codes for each query the server sends to them. The status codes are used to outline the type of offense an IP address has committed by being present in their database. DNSBL status codes range from 127.0.0.2 through 127.0.0.254.

That range is large enough to assign a single status code to each country, so what these DNSBLs did was compile a large list of countries based upon their unique ISO country codes, and attach a custom status code to each.

An example of such a DNSBL is maintained by tqmcube.com. They have a DNSBL that returns status codes based on a legend of ISO country codes. For more information on that, see Real Time DNSBL & Spam Trap.

A snip of that list looks like this:

[Figure: excerpt of the DNSBL's list of ISO country codes and status codes]

For example, if you decide not to accept e-mail from Nigeria, you can use Connection Filtering to drop those connections by using a DNSBL provider. The ISO country code for Nigeria is NG, and according to the page provided by the DNSBL (http://www.tqmcube.com/worldzone.php) a query for an IP address in Nigeria returns a status code of 127.0.0.166, so all we need to do is block on that status code.

Exchange Server 2003 SP2 can connect to such DNSBLs and query them before accepting any e-mail. In order to do that follow these steps:

1. Open Exchange System Manager (or ESM).

2. Expand Global Settings, then right-click Message Delivery and select Properties.


3. In the Connection Filter tab, click Add.


4. In the Connection Filter rule enter the following information:

Display name: TQMcube_Countries

DNS Suffix of provider: world.tqmcube.com


5. Click Return Status Code, and in the window that opens enter the status code for the countries you wish to block, based on the list provided at the DNSBL website (http://www.tqmcube.com/worldzone.php). In our case, since we want to block Nigeria, I will enter 127.0.0.166.


6. Click OK all the way out. As in the previous example, you will be prompted with the following error:

Connection, Recipient, Sender ID, and Sender Filtering must manually be enabled on specific SMTP virtual server IP address assignments as they are not enabled by default. For more information on how to enable any of the above filtering types, read their associated help.


7. Navigate to Administrative Groups –> Your administrative group –> Servers –> Your server –> Protocols –> SMTP. Next, right-click the Default SMTP Virtual Server, and click Properties.

8. In the General tab, click the Advanced button.

9. In the Advanced window, click Edit.

10. In the Identification page, select the checkbox next to every type of filter we’ll use, in this case Connection Filter. When finished, click OK all the way out.

You need to repeat step #5 for each country code that you wish to block.
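The two checks configured above, an address/mask deny entry and a DNSBL lookup matched against specific return status codes, can be sketched as follows. This is an added example, not part of the original article and not Exchange's own code; the resolver, the sample zone data and the function names are constructed for illustration, and only the deny range, the zone suffix and the 127.0.0.166 code come from the article.

```python
import ipaddress

# From the article: the manually entered deny range, the DNSBL zone, and the
# status code it lists for Nigeria (NG). Everything else is constructed.
DENY_RANGES = [("12.166.96.32", "255.255.255.224")]
DNSBL_SUFFIX = "world.tqmcube.com"
BLOCKED_CODES = {"127.0.0.166"}

def in_deny_list(ip, ranges=DENY_RANGES):
    """True if ip falls inside any address/mask pair on the deny list."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(f"{base}/{mask}", strict=False)
               for base, mask in ranges)

def dnsbl_query_name(ip, suffix=DNSBL_SUFFIX):
    """DNSBL convention: reverse the IPv4 octets and append the zone suffix."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + suffix

def filter_reason(ip, resolve, blocked=BLOCKED_CODES):
    """Return why a connection is rejected, or None to accept it.

    resolve(name) must return the A records for name as strings, or [] when
    the name does not exist (the IP is not listed).
    """
    if in_deny_list(ip):
        return "deny-list"
    # Match only the configured status codes. An answer with any other value
    # (another country's code, or a wildcard record on a retired zone) must
    # not cause a rejection.
    hits = sorted(set(resolve(dnsbl_query_name(ip))) & set(blocked))
    return f"dnsbl:{hits[0]}" if hits else None

# Constructed zone data so the example runs offline; 192.0.2.0/24,
# 198.51.100.0/24 and 203.0.113.0/24 are documentation address ranges.
SAMPLE_ZONE = {
    "10.2.0.192.world.tqmcube.com": ["127.0.0.166"],   # listed with a blocked code
    "20.2.0.192.world.tqmcube.com": ["127.0.0.77"],    # listed, code not blocked
    "7.113.0.203.world.tqmcube.com": ["198.51.100.9"], # not a status code at all
}

def sample_resolve(name):
    return SAMPLE_ZONE.get(name, [])

if __name__ == "__main__":
    for ip in ("12.166.96.63", "192.0.2.10", "192.0.2.20", "203.0.113.7"):
        print(ip, "->", filter_reason(ip, sample_resolve) or "accept")
```

The /27 mask covers 12.166.96.32 through 12.166.96.63 only, which is why the article's single entry blocks just one range, and matching exact status codes is what keeps a listing for a different country from rejecting mail.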

Note: Exchange’s anti-spam capabilities are good if that’s all the protection you’re using. But keep in mind that these capabilities are not only limited, but also create some administrative overhead, especially when you need to modify one of the settings. Therefore, using third-party anti-spam software or an appliance is always a good idea.