Filtering E-mail by World Regions in Exchange Server 2003

Last Update: Nov 19, 2024 | Published: Jan 07, 2009

Working with messaging products for many years, I’ve noticed that a popular question on Exchange and Outlook forums is how to block email originating from specific countries or world regions. It is possible in both Outlook and Exchange, with varying degrees of success (read my “Filtering E-mail by Regions in Outlook 2003/2007” article for more info on working with the Exchange client).

Originally, most spamming e-mail servers were hosted in the United States. The adoption of laws, such as the CAN-SPAM law of 2004, has forced many spammers to move their operations to countries with fewer controls and rules. Today, the United States is declining as the leading source of spam, and countries such as China, Korea, Russia, Vietnam, and Brazil are fast becoming sources of spamming mail servers. Naturally, countries with the highest number of spammers operating within their networks are usually those with poor or non-existent spam laws.

(Source: http://www.spamhaus.org/statistics/countries.lasso)

E-mail traffic received from places where an organization has no interest will likely be spam. Blocking e-mail from those countries or geographic regions (city, state, country, or continent) instantly eliminates a very large percentage of total spam received. Even excluding the USA, blocking the next 10 top spam-generating countries might still eliminate over 50% of spam email.

IP addresses are allocated by geographical regions. Some of the following links have more information on how the IP range was divided into geographical regions, and give clues on how to find which region of the world an IP address range belongs to.

In Exchange 2003, it is possible to use Connection Filtering to reject SMTP connections from IP addresses belonging to regions from which there may simply be no valid business reason to accept messages. This can be done by manually entering the IP address range you wish to block in the Connection Filter tab:

1. Open Exchange System Manager (or ESM)

2. Expand Global Settings, then right-click Message Delivery and select Properties

3. In the Connection Filter tab, click Deny.

4. In the Deny list click on Add.

5. Add the IP address range you wish to block. For example, adding 12.166.96.32 with a subnet mask of 255.255.255.224 will block just one of the IP address ranges assigned to Nigeria.

6. When done, click Ok all the way out.

7. You will be prompted with the following error:

​Connection, Recipient, Sender ID, and Sender Filtering must manually be enabled on specific SMTP virtual server IP address assignments as they are not enabled by default. For more information on how to enable any of the above filtering types, read their associated help.

8. Navigate to Administrative Groups –> Your administrative group –> Servers –> Your server –> Protocols –> SMTP. Next right-click the Default SMTP Virtual Server, and click Properties.

9. In the General tab click on the Advanced button.

10. In the Advanced window click Edit.

11. In the Identification page, select the check box next to every type of filter we’ll use, in this case – Connection Filter. When finished, press Ok all the way out.

And with that, we are done!

However, all this process was for just one IP address range. Although you can use automation to import entire address ranges into the connection filter, this process requires a lot of administrative overhead.
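To show what that automation has to produce, here is an added example (not from the original article) that turns start-end address ranges into the address and subnet mask pairs the Deny list expects, and checks whether a given sender would be caught. The range list is constructed sample data; only the first range comes from the article.

```python
import ipaddress

# Constructed sample input: start-end ranges as a registry or GeoIP export
# might list them. The first is the article's range; the rest use
# documentation address space.
SAMPLE_RANGES = [
    ("12.166.96.32", "12.166.96.63"),
    ("198.51.100.0", "198.51.100.127"),
    ("198.51.100.128", "198.51.100.255"),  # adjacent to the previous range
    ("203.0.113.10", "203.0.113.20"),      # not aligned to a mask boundary
]

def to_deny_entries(ranges):
    """Return the smallest list of (address, subnet mask) pairs covering ranges."""
    nets = []
    for first, last in ranges:
        # A range that is not mask-aligned expands into several networks.
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)))
    # Adjacent or overlapping networks are merged to keep the list short.
    merged = ipaddress.collapse_addresses(nets)
    return [(str(n.network_address), str(n.netmask)) for n in merged]

def is_denied(ip, entries):
    """Check whether a connecting IP falls inside any Deny entry."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in ipaddress.IPv4Network(f"{a}/{m}") for a, m in entries)

if __name__ == "__main__":
    entries = to_deny_entries(SAMPLE_RANGES)
    for address, mask in entries:
        print(f"{address:<16} {mask}")
    print("12.166.96.40 denied:", is_denied("12.166.96.40", entries))
```

Running `is_denied` against the addresses of known legitimate senders before entering a list is a quick way to catch an over-broad range.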

Luckily for us, rather than manually entering IP addresses to blacklist, there are DNSBLs that will return status codes by country based on the IP address provided. A DNS Blacklist, or DNSBL, is a means by which an Internet site may publish a list of IP addresses that some people may want to avoid and in a format which can be easily queried by computer programs on the Internet. The technology is built on top of the Internet Domain Name System, or DNS. DNSBLs are chiefly used to publish lists of addresses linked to spamming.

DNSBLs work in such a way that they return status codes for each query the server sends to them. The status codes are used to outline the type of offense an IP address has committed by being present in their database. DNSBL status codes range from 127.0.0.2 through 127.0.0.254.

That range is large enough to assign a single status code to each country, so what these DNSBLs did was to compile a large list of countries based upon their unique ISO country codes, and attach a custom status code to each.

An example of such a DNSBL is maintained by tqmcube.com. They have a DNSBL that returns status codes based on a legend of ISO country codes. For more information on that, see Real Time DNSBL & Spam Trap.

For example, if you decide not to accept email from Nigeria you can use the Connection Filtering to drop those connections by using a DNSBL provider. Since the ISO country code for Nigeria is NG, and on the page provided by the DNSBL (http://www.tqmcube.com/worldzone.php) an email originating from an IP address in Nigeria would return a status code of 127.0.0.166, all we need to do is to block that IP address.
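The lookup described above, as an added example that is not part of the original article or of Exchange itself. It uses the standard DNSBL query convention (the sender's IPv4 octets reversed, followed by the zone suffix); the zone data, the stub resolver and the sample addresses are constructed so it runs offline.

```python
import ipaddress
import socket

ZONE = "world.tqmcube.com"        # DNS suffix of the provider, from the article
BLOCKED_CODES = {"127.0.0.166"}   # Nigeria (NG), the article's example

# Constructed zone data standing in for live DNS so the example runs offline.
SAMPLE_ZONE_DATA = {
    "40.96.166.12.world.tqmcube.com": "127.0.0.166",  # listed, blocked country
    "10.2.0.192.world.tqmcube.com": "127.0.0.2",      # listed, code not blocked
    "5.113.0.203.world.tqmcube.com": "203.0.113.99",  # bogus wildcard answer
}

def stub_resolve(name):
    """Offline stand-in for socket.gethostbyname (hypothetical helper)."""
    if name not in SAMPLE_ZONE_DATA:
        raise socket.gaierror("name not found")
    return SAMPLE_ZONE_DATA[name]

def dnsbl_query_name(ip, zone=ZONE):
    """Reverse the IPv4 octets and append the zone suffix."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def lookup_code(ip, zone=ZONE, resolve=socket.gethostbyname):
    """Return the status code for ip, or None when it is not listed."""
    try:
        answer = ipaddress.IPv4Address(resolve(dnsbl_query_name(ip, zone)))
    except (socket.gaierror, ValueError):
        return None  # NXDOMAIN, lookup failure or malformed answer
    # Real DNSBL answers are in 127.0.0.0/8. Anything else means the zone is
    # answered by a wildcard or a redirecting resolver, so treat it as no data.
    if answer not in ipaddress.IPv4Network("127.0.0.0/8"):
        return None
    return str(answer)

def should_reject(ip, blocked=BLOCKED_CODES, zone=ZONE,
                  resolve=socket.gethostbyname):
    """True only when the returned code is one configured for rejection."""
    return lookup_code(ip, zone, resolve) in blocked
```

A sender that is listed under a code you have not configured is still accepted, which is why each country's status code has to be added to the rule.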

Exchange Server 2003 SP2 can connect to such DNSBLs and query them before accepting any e-mail. In order to do that follow these steps:

1. Open Exchange System Manager (or ESM).

2. Expand Global Settings, then right-click Message Delivery and select Properties.

3. In the Connection Filter tab, click Add.

4. In the Connection Filter rule enter the following information:

Display name: TQMcube_Countries

DNS Suffix of provider: world.tqmcube.com

5. Click Return Status Code, and in the window that opens enter the status code for the countries you wish to block, based upon the list provided at the DNSBL website – http://www.tqmcube.com/worldzone.php. In our case, since we want to block Nigeria – I will enter 127.0.0.166.

6. Click Ok all the way out. Like in the previous example you will be prompted with the following error:

​Connection, Recipient, Sender ID, and Sender Filtering must manually be enabled on specific SMTP virtual server IP address assignments as they are not enabled by default. For more information on how to enable any of the above filtering types, read their associated help.

7. Navigate to Administrative Groups –> Your administrative group –> Servers –> Your server –> Protocols –> SMTP. Next right-click the Default SMTP Virtual Server, and click Properties.

8. In the General tab click on the Advanced button.

9. In the Advanced window click Edit.

10. In the Identification page, select the check box next to every type of filter we’ll use, in this case – Connection Filter. When finished, press Ok all the way out.

You need to repeat step #5 for each country code that you wish to block.

Note: Exchange’s anti-spam capabilities are good if that’s all the protection you’re using. But keep in mind that these capabilities are not only limited, but also create some administrative overhead, especially when the need comes to modify one of the settings. Therefore, using a 3rd-party anti-spam software or appliance is always a good idea.
