Block Spam Using GeoIP Filter – Guide

emailipnetworkingspamspam-filter

We are looking for a way to be able to block spam based on geographic location by filtering using geoip.

context: we rarely have any email correspondence outside of the USA, so we would like to block all incoming email outside the US except for maybe one or two countries.

After a little Googling I have found a couple of solutions that may work (or not), but I would like to know what other sysadmins are currently doing or what they would recommend as a solution.

Here is what I have found so far:

Using PowerDNS and its GeoIP backend it is possible to use geoip for filtering. Normally this backend is used to help distribute load as a kind of load balancing but I dont see why it couldnt be used to kill spam as well?

Possibly use the Maxmind lite country database and some scripting to do a similar job.

Ideally what I am looking for is a solution that would handle decent load and scale well too…aren't we all! 😉

Thanks in advance for your help! 🙂

Best Answer

There is also the geoip patch for netfilter/iptables for Linux. You could use this to block 25 for your email server if it is Linux. You could use Linux as a firewall for your email server with this iptables patch. Best part is that it is free :-)

Related Solutions

email – How to Send Emails and Avoid Spam Classification

Be sure that your emails don’t look like typical spam emails: don’t insert only a large image; check that the character-set is set correctly; don’t insert “IP-address only” links. Write your communication as you would write a normal email. Make it really easy to unsubscribe or opt-out. Otherwise, your users will unsubscribe by pressing the “spam” button, and that will affect your reputation.

On the technical side: if you can choose your SMTP server, be sure it is a “clean” SMTP server. IP addresses of spamming SMTP servers are often blacklisted by other providers. If you don’t know your SMTP servers in advance, it’s a good practice to provide configuration options in your application for controlling batch sizes and delay between batches. Some mail servers don’t accept large sending batches or continuous activity.

Use email authentication methods, such as SPF, and DKIM to prove that your emails and your domain name belong together. The nice side-effect is you help in preventing that your email domain is spoofed. Also check your reverse DNS to make sure the IP address of your mail server points to the domain name that you use for sending mail.

Make sure that the reply-to address of your emails are a valid, existing addresses. Use the full, real name of the addressee in the To field, not just the email-address (e.g. "John Doe" <john.doe@example.com> ) and monitor your abuse accounts, such as abuse@example.com and postmaster@example.com.

Linux – GeoIP based greylisting with Exim

I am answering my own question now that I have a solution that I like myself.

Greylisting itself can be implemented purely with Exim access control lists, or an external greylisting helper can be hooked to the ACLs. There are several approaches to this, which are documented elsewhere.

Greylisting is typically implemented in access control lists, and therefore it is easy to add some external IP address lookup in the ACL to control greylisting behavior (for example to skip greylisting according to a country code lookup).

There are several alternatives for getting the country code:

DNSBL lookup using for example http://countries.nerd.dk/ (as in mailq's answer).
Import some GeoIP database into a SQL database and make a SQL query from the ACL.
Implement GeoIP lookup using one of the several perl GeoIP modules and hook that in the Exim ACL with the perl interface.
Use a dlfunc library which implements the GeoIP lookup in the ACL.

I personally chose the last option as it is most efficient and does not depend on external resources. I implemented a new dlfunc library for this purporse as none of the several existing ones had IPv6 support. My implementation with simple examples is available at: http://dist.epipe.com/exim/. While implementing this I learned about Exim ACLs and found that they are extremely powerful for implementing any kind of mail acceptance policies.

Now it is easy to skip greylisting for certain countries by adding an ACL rule before the greylisting rules:

warn    set acl_c_geoip_country_code = \
        ${dlfunc{/usr/local/lib/exim4/exim-geoipv6-dlfunc.so}\
        {geoip_country_code}{$sender_host_address}}

accept  condition = ${if inlist{$acl_c_geoip_country_code}{FI:SE:EE}}

Exim versions older than 4.77 do not have inlist{ syntax. The same can be achieved by changing the second rule as follows:

accept  condition = ${if forany{FI:SE:EE}{eq{$item}{$acl_c_geoip_country_code}}}

Best Answer

Related Solutions

email – How to Send Emails and Avoid Spam Classification

Linux – GeoIP based greylisting with Exim

Related Topic