Blocking International Domains

Unanswered Question
May 29th, 2008

I would like only North American domains to be allowed in or out of the IronPort C300.

Is there a way to do this without setting up a dictionary of all possible domains?

steven_geerts Fri, 05/30/2008 - 00:37

I don't think you can do this (easily) on a domain basis.

Possibly you can create your own DNS blacklist that contains all domains that are registered by US citizens.
Maybe it's easier (if possible at all) to focus on US IP addresses that deliver mail to you (also with a private DNS blacklist).

If you succeed in this you might miss some very interesting messages from me and my European colleague IronPort admins, but that is your choice :lol:

Steven

rnarvaez_ironport Fri, 05/30/2008 - 15:27

Thanks for the info. This is not my choice, but senior mgmt. They believe that since we have no business partners outside of the US/Canada we shouldn't be sending/receiving to these domains... I know, it doesn't make sense to me either. :shock:

Rayman_Jr Mon, 06/02/2008 - 08:01

Here is one site which could be useful for you.

http://countries.nerd.dk/more.html

Please be aware that you can't know the location of SMTP gateways of the international partners.

The company where I'm working has local business in both the US and Canada, some business even under US and Canadian local brands, but all SMTP traffic is routed via European gateways.

If we have some common business I sure will help you to identify our IPs for whitelisting :wink:

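The country-zone DNSBL approach Rayman_Jr points to, worked through as an added example (not code from the original thread or from IronPort): it builds the reversed-octet lookup name, decodes the answer into an ISO 3166-1 numeric country code, and applies a North-America-only policy with partner exceptions, routing unlisted senders to review instead of dropping them, since the gateway's location is often not knowable. The zone name and the 127.0.x.y answer encoding are assumed from that service's published convention and should be checked against its current documentation; the policy constants, DNS answers and partner network are constructed.

```python
import ipaddress
from typing import Dict, FrozenSet, Optional, Tuple

# Hypothetical policy: ISO 3166-1 numeric codes for the US (840) and Canada (124).
ALLOWED_COUNTRIES = {840: "US", 124: "CA"}
ZONE = "zz.countries.nerd.dk"  # assumed zone name; check the service's current docs

def dnsbl_query_name(ip: str, zone: str = ZONE) -> str:
    """Build the reversed-octet name a DNSBL lookup would query for this sender IP."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def decode_country(answer: Optional[str]) -> Optional[int]:
    """Decode a 127.0.x.y A record (assumed x*256+y = ISO numeric code); None if unlisted."""
    if answer is None:
        return None
    b = ipaddress.IPv4Address(answer).packed
    if b[0] != 127 or b[1] != 0:
        raise ValueError(f"unexpected DNSBL answer: {answer}")
    return b[2] * 256 + b[3]

def policy_decision(ip: str, answer: Optional[str],
                    partner_nets: FrozenSet[str] = frozenset()) -> Tuple[str, str]:
    """Return (action, reason); known partner networks bypass the geography check."""
    addr = ipaddress.IPv4Address(ip)
    if any(addr in ipaddress.IPv4Network(n) for n in partner_nets):
        return "accept", "explicit partner exception"
    code = decode_country(answer)
    if code is None:
        # Not in the country zone: gateway location unknown, so queue for review rather than drop.
        return "review", "sender not listed in country zone"
    if code in ALLOWED_COUNTRIES:
        return "accept", f"country {ALLOWED_COUNTRIES[code]}"
    return "reject", f"ISO country code {code} outside North America policy"

# Constructed offline stand-in for the DNS answers (RFC 5737 documentation addresses).
FAKE_DNS: Dict[str, str] = {
    dnsbl_query_name("198.51.100.1"): "127.0.3.72",   # 3*256+72 = 840, US
    dnsbl_query_name("192.0.2.9"): "127.0.0.124",     # 124, CA
    dnsbl_query_name("203.0.113.7"): "127.0.1.136",   # 1*256+136 = 392, JP
}

def evaluate(ips, table: Dict[str, str] = FAKE_DNS, partners=frozenset()) -> Dict[str, Tuple[str, str]]:
    """Run the policy over a batch of sender IPs using the supplied answer table."""
    return {ip: policy_decision(ip, table.get(dnsbl_query_name(ip)), partners) for ip in ips}

if __name__ == "__main__":
    for ip, (action, reason) in evaluate(["198.51.100.1", "192.0.2.9", "203.0.113.7", "192.0.2.200"]).items():
        print(f"{ip:15} {action:7} {reason}")
```
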
wmchurch_ironport Sun, 06/15/2008 - 02:44

I'm a proponent of blocking based on geography. It's not that I have anything against those in another region; it just reduces the amount of potential attackers. If I can reduce the number of potential attackers by 75%, why wouldn't I do it?

I've found this to be very helpful for customers or companies that operate in a specific region, especially if they never have a business need to accept mail from outside of their country.

A recent report from McAfee (take it for what it's worth), reported in last Tuesday's SANS NewsBites, showed that China and Hong Kong domains (.cn and .hk) host the highest proportion of malicious websites: 31% of the websites that contain some sort of malware came from these two areas. The Philippines (.ph) and Romania (.ro) were the next highest.

According to the study, the safest were Finland (.fi), Japan (.jp), and Australia (.au), along with most of the US .gov domains.

As far as .TLD domains, .info was the most risky with 11.7% of .info domains containing some sort of malware.

You can certainly block by country domain with SenderBase; however, that won't get your hosts that don't return a PTR record or TLDs that operate in another country (i.e. .us domains that exist in China, and there are quite a few).

I like the idea of using a RBL for this; however you have to make sure that RBL is updated regularly. I would really like to see this feature in SenderBase; I do know of another reputation service that has this capability today and think this would help SenderBase stay competitive.

Some of my customers block entire IP ranges belonging to APNIC, while making allowances for Japan and Australia, to name a few. This could be difficult to manage though, as those IP ranges will transfer every now and then without warning.

rrbranco_ironport Tue, 06/17/2008 - 19:26

Does the Internet have countries?

Or just IP addresses and Autonomous Systems?

Is it trustworthy to say that the partner next door uses a server located at a place you consider "national"?

What if, for cost vs. benefit reasons, he decided to host their servers in an "international" place? Europe? Canada? Australia? Brazil?

Tell managers to consider globalization and the competition of ISPs, hosting / co-location / outsource providers.

Ask them if the next step will be to allow only certain cities?

IMHO it would not be a good idea.

Let reputation and SenderBase do its work for you "automagically".

wmchurch_ironport Tue, 06/17/2008 - 20:02

Sure the Internet has countries. For the most part, access is still tied to a physical location (even WiFi can only go so far). If not countries, it definitely has regions.

Laws are different in other parts of the world, data retention, privacy, computer crimes, etc... To protect yourself, it's better to know who you're dealing with and what you're up against. If you just let everyone walk into your house without asking, something will eventually get stolen AND you won't know who did it.

The Internet we know and love today has some seriously inherent design flaws from a security perspective. Look at all the work we have to do to make SMTP safe, and it still needs a ton of work.

There's a possibility for false positives, sure; however, I think in some industries the benefits outweigh the risks. Take the Payment Card Industry, for instance. One breach has the potential to put a card processor essentially out of business; now weigh that risk against possibly denying service to a potential customer every now and then. If handled properly it's a non-issue. Typically, organizations that block regions at the firewall (or even router with ACLs) have a specific procedure in place that ensures business partners and customers will not be impacted.

But, I argue why not go a step further. I'm a huge proponent of the "positive security model", which is essentially defining everything you will have access to instead of defining what you will not have access to. Not to mention, if you're cutting out a large part of traffic you have more resources (bandwidth, cpu, memory) to scan and inspect the traffic you do allow in. Less logging to look through and sift, and more time to spend on making sure everything is as it should be.

Positive Security Models are painful to implement, but organizations that use them have laid the best security foundation you possibly can. It's tough to do that with e-mail though.

Could you imagine getting 100,000 letters in your postal mail to your house or even your business every day? Out of that, 99% of them were from people you don't know and don't want to do business with, and of that 99%, 75% were from out of the country? What if you could tell the post office to just shred that 75%, because you don't know anyone outside of your country? It would be even better if you could do it by state.

I agree, let SenderBase do its "magic", but let's add to that magic and let me decide if I want to block by geography.

It's true, some people could be using a server in another country for one reason or another, but the practicality of that is unlikely if you’re a US or Canadian based business. If you were based out of Europe or Asia, it's a different story and takes a different approach. It's not something I'm faced with so I can't comment, I just know what works for my region and the businesses I work with.

Of course, you don’t have to give those regions you choose to block a cold shoulder either. If we block based on Geo we can always create a MailFlow with a custom error policy that would contain instructions on how to have an exception made.

And, if a US based company is somehow getting cheaper and more efficient hosting services out of China, Hong Kong, or Romania they need to build a time machine, because as far as I know, no human has cracked moving data past the speed of light, yet.

Now, with that said. I have business partners in Australia, New Zealand and Japan. I make exceptions for their servers (actually the entire country when possible) because I work with them.

As a man once said, "There's more than one way to skin a cat, but why would you want to?"

BTW, did I just write a book there? whew...

rrbranco_ironport Tue, 06/17/2008 - 21:00

I understand that it would be nice to receive only messages from known and trustable partners.

But what if a "not-yet-partner" wants to be a partner and sends a mail proposing a highly profitable business? (Wherever he is, even in a 'national' locale.) If he is not known and not previously authorized, what happens? For this case, reputation would be better than geography and a "white-list".

I just wanted to raise the issue that, nowadays, we cannot tell with confidence that the message comes from where it is supposed to come from.

I mean, big (perhaps huge) and multi-national companies have only one domain and servers around the globe.

Their mail gateways are located on all continents and messages are routed as the administrator wants to, either by server/link capacity/cost or by BCP/contingency plan (active or not) or by decentralized operation/administration or by policy or by any other internal reason that they have created.

Can internal users of these domains (senders) tell where their mail will get out to the world?

Can the external recipients tell where the expected mail will come from?

Are both administrators (senders and receivers) aware of commercial, sales, training, development teams' needs?

Note that I'm being as generic as I can, not focusing on this domain or that, this business model or that.

I'm trying to see the problem from an outside-the-box point of view.

Anyway, the pros and cons ought to be checked, analyzed so that the best approach is provided to the customer.

Regards from Rio de Janeiro, Brazil.

wmchurch_ironport Wed, 06/18/2008 - 02:28

Yes, that is certainly a possibility; it all just depends on what your security posture is and your line of business. Some businesses can afford to have liberal security practices while others choose to run like Fort Knox. If my management or my customer must conduct business that way, we make a provision for it. The solution would be architected to support the customer.

To turn that around, a potential business partner wants to send you a proposal for a lucrative opportunity, but his server has an SBRS of -3.0, what happens to him? I've had to deal with them. In my case, custom response messages in the SBRS drop advised of a phone number to call for support in the event their message was dropped.

While I trust the SenderBase system, I can't control what mail server an individual chooses to use. Some people just don't know that there's a difference. Therefore, no matter what tool I use to block out the bad guys, there will always be the potential for an "innocent" person to be affected. It's putting a procedure or process in place to deal with those issues that makes the plan work.

Just depends on what's important to you. I think the ability to classify by geography (meaning where the server is located) is important.

Do I think everyone should just switch that on? Absolutely not, but they should have the option. Just like they have the option to block senders with a +2 SBRS and lower. Is it a good idea? Who knows, everyone's environment is different. While +2 is much more aggressive for some customers, it might be good for others.

It's up to the senior management to make that decision, our jobs are just to give them the information and options to make the environment as secure as possible and still conduct business.

Anyway, my point is: I can block by Network Owner, I can block by Domain, I can block by IP, I can block by IP range, why shouldn't I be able to block by geography?