LiveZilla Live Chat Software

Country-Based Blocking

Written by Yves Lacombe on . Posted in Best Practices

Is it good or bad? Well the answer is “it depends.”  If your organization only operates within North-America, for instance, blocking the more prolific spam sources by country may be a very good way to reduce the amount of traffic hitting your MTA. For example, you could block all traffic coming from the top-10 spam sources listed by country on the Spamhaus Top 10 Worst Countries List (excluding your own, of course).

At writing time, Spamhaus’ Top 10 countries were:

1- United States
2- China
3- Russian Federation
4- United Kingdom
5- France
6- Brazil
7- South Korea
8- Japan
9- Argentina
10- Germany

Traditionally, the easiest method to block traffic based on national IP blocks was to use a DNS block list (DNSBL) provider that basically offered the IP zone files for each country.  Until fairly recently, the most popular one in use was blackholes.us, which wasn’t really a DNSBL per se, but it did break down IP blocks by country.  So, if you wanted to block traffic from China, for example, you could query cn.blackholes.us.

However, blackholes.us was shut down in 2002 and its IP address space was later assigned to another company. Email servers that continued to query those addresses began receiving a value of “true” on any lookup, meaning the whole Internet was blacklisted for them.

According to The MX Record, “The issue is the maintainer of the blackholes.us DNSBL shut the list down some time back and the IP address space that the DNS servers for it were on was given back to ARIN.  That address space has since been re-allocated to a new company and they are getting tired of the continual inbound DNS queries to the IP address of the old server.  Apparently they have now stood up a DNS server to answer those queries with a wildcard record that effectively returns “yes, the IP you are inquiring about is a spammer”.  As a result, lots of mail relays that are still configured to do lookups against this DNSBL are now being told that everyone on the Internet is a spam source.”

We obviously need an alternative method, and one such option is the “countries.nerd.dk” DNSBL. To block a country from sending mail to your MTA, you’d simply prepend the IANA country code to .countries.nerd.dk.

Examples:
cn.countries.nerd.dk -> China
kr.countries.nerd.dk -> Korea
pl.countries.nerd.dk -> Poland
ru.countries.nerd.dk -> Russia
br.countries.nerd.dk -> Brazil
ar.countries.nerd.dk -> Argentina

Here’s a log extract from a mail server that receives a small amount of traffic (10 messages per second) after filtering out the spam-blocking DNSBL.  The log covers approximately 15 seconds:

Trackback from your site.

Yves Lacombe

Yves Lacombe

Yves Lacombe has been working on Internet Infrastructure products for over 15 years. He is an Internet Security expert and one of his company's gurus. He has forgotten more things about Email Security than most people will ever know. He runs numerous heavily secured email servers and is constantly getting in trouble while trying to hack into his company's products. Yves has two mottos that he lives by: “The buck stops here” and “Lets just get the job done”.

Leave a comment

Whitepaper Downloads

  • Spam Industry terms
  • Antispam checklists
  • Tips and tricks
  • In depth research analysis

Download

Customer Quote

Vircom's suppport representative was very helpful, and quickly helped me determine the cause of our authentication problem.

    Tom Pipes
    T6 Broadband