2
Do you IP Country Block to Stop attacks?
Question asked by CCWH - 4/2/2015 at 2:58 PM
Unanswered
Admin - Placed this in the SmarterStats section then realised no one goes in there very often so recreated in General ;-)
 
-----------
Hello all,
 
For the last three months or so we have had a 10-fold increase in attacks across our public-facing server range.  This includes Web and Email.
 
After going through the logs and SmarterStats info it shows that 90+% of these connections are coming from Chinese IP addresses.
 
One option is to simply import a CIDR country list into the firewall and block the whole lot.  Obviously only after confirming client buy-in.  However, that's pretty heavy-handed and I wondered if anyone does block full country IP blocks or if you use a different method?
 
In all honesty the email servers can cope.  In fact all the servers are not being taxed, however it is playing havoc with SEO stats within SmarterStats for clients!
 
Any thoughts?

8 Replies

1
Employee Replied
Employee Post
I've done this temporarily across select server ranges to mitigate similar attacks to our network; no fallout was reported from our userbase.
 
However, each environment is different and this does have the potential to cause some fallout depending on your clients' usage.
0
Scarab Replied
Although it takes more work and effort, we do selective SMTP blocks against countries. Generally we will look at the entire IP range for the provider that is repeatedly spamming and see what their Senderbase score is (http://www.senderbase.org/). If there is not a single Neutral or Good reputation in that entire IP Range (up to a /16) then we block it without hesitation, otherwise we block the smallest IP Range necessary to get rid of the ones with consistent Poor reputations (more often than not blocking a /24 CIDR Block is sufficient and in some cases will block just an individual IP).
 
Although we get hit a lot by China (more Brute-Force than Spam), we have customers who rely on Chinese manufacturers and distributors to do their business, preventing us from blocking the entire country wholesale. Not everything in China is unwanted, so it's important not to throw the proverbial baby out with the bathwater which is why we selectively block.
 
To be honest, the only times we've had to block an entire country was the Ukraine and India (although at this point I'm pretty sure half of the Netherlands are blocked by our Mail Servers), but if you do block an entire country it's important to consider it a temporary stop-gap measure and periodically audit whether it is still necessary.
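
The selective blocking described in the reply above, as an added example that is not part of the original thread. It assumes the provider ranges and reputation labels were collected by hand, treats "two or more offenders" as the bar for a /24, handles IPv4 only, and uses constructed private-range addresses; `plan_blocks` is a hypothetical helper name.

```python
import ipaddress

# Constructed sample data (private address space). Reputation labels stand in
# for values an admin looked up by hand; they come from no real service.
PROVIDER_RANGES = ["10.20.0.0/16", "10.30.0.0/16"]
REPUTATION = {
    "10.20.1.5": "poor", "10.20.44.9": "poor",      # nothing good in this /16
    "10.30.7.10": "poor", "10.30.7.77": "poor",     # two offenders in one /24
    "10.30.9.3": "poor",                            # lone offender
    "10.30.50.8": "poor", "10.30.50.20": "neutral", # shares a /24 with a neutral host
    "10.30.200.1": "good",
    "172.16.5.5": "poor",                           # provider range unknown
}

def plan_blocks(provider_ranges, reputation, widest=16):
    """Pick a block per poor-reputation IPv4 sender: whole range, /24, or single IP."""
    ranges = [ipaddress.ip_network(r) for r in provider_ranges]
    seen = {ipaddress.ip_address(ip): rep for ip, rep in reputation.items()}
    keep = [ip for ip, rep in seen.items() if rep in ("neutral", "good")]
    poor = [ip for ip, rep in seen.items() if rep == "poor"]

    def clean(net):
        # True when no neutral or good sender would be caught by blocking net.
        return not any(ip in net for ip in keep)

    blocks = set()
    for ip in poor:
        single = ipaddress.ip_network(f"{ip}/32")
        provider = next((r for r in ranges if ip in r), None)
        if provider is None:
            blocks.add(single)              # no range information: block the IP only
            continue
        if provider.prefixlen < widest:     # never judge more than a /16 at once
            provider = ipaddress.ip_network(f"{ip}/{widest}", strict=False)
        net24 = ipaddress.ip_network(f"{ip}/24", strict=False)
        offenders = sum(1 for p in poor if p in net24)
        if clean(provider):
            blocks.add(provider)            # whole range has no redeeming sender
        elif net24.subnet_of(provider) and clean(net24) and offenders > 1:
            blocks.add(net24)               # assumption: 2+ offenders justify a /24
        else:
            blocks.add(single)
    return [str(n) for n in ipaddress.collapse_addresses(blocks)]

if __name__ == "__main__":
    print("\n".join(plan_blocks(PROVIDER_RANGES, REPUTATION)))
```

Re-running the plan on fresh reputation data is a simple way to do the periodic audit: a range that gains a neutral or good sender drops back to narrower blocks.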
1
Steve Reid Replied
We have blocked China and Russia on our firewall. Our entire IT infrastructure and equipment has thanked us for it.
0
Stojan Cergol Replied
Good protection is a PALOALTO firewall (threat protection, wildfire and antivirus), against BruteForce, AntiVirus and country "filtering".
 
1
Joe Wolf Replied
You don't need any special firewall, etc. to block countries in SmarterMail.  You can simply use the Spam Eating Monkey Country Block list as an RBL in your antispam administration:
http://spameatingmonkey.com/geobl/usage.html#blocking-by-country-or-continent
Thanks, -Joe
0
Damián Dela Huerta Replied
I know this is an old thread, but spameatingmonkey.com has changed how they do the country blocking service. Does anyone know how to use this with SmarterMail?

Twin Vision Studios, Inc.
0
Steven Belsha Replied

You can get the country codes here: List of ISO 3166 country codes - Wikipedia. Use the ISO 3166-1 Alpha-2 codes.

If you just want to block a country, then enable inbound SMTP blocking and change the weight to 40.
1
Chris Replied
Hi,

Never block a country or an IP range (a specific IP is OK)! If you have a customer who travels (or goes on holiday) to some countries, or if your customer does business with a specific country, you will block his connection, so you block his business...

Country blocking is ONLY a good idea if you are sure that your traffic would come from a specific country. In SmarterMail you can make aggressive spam rules (check Security / Security): it would be a better idea.

Note: a Material Firewall can be a good solution, but you have to think business first (with not a standard antispam solution but a commercial one...).

Regards.

