4d4m
Newcomer III

US organisations blocking email based on location

Has anyone else come across organisations blocking email based on geographic location recently, as a cyber security measure? For example, a US organisation only allowing email from within the US based on IP location.


Adam

6 Replies
CraginS
Defender I

Adam,

Why do you ask? Are you simply curious if anyone is using IP group as an e-mail filter rule, or are you considering doing so yourself?

Blocking by IP and domain are both legitimate ways to manage e-mail filter rules, but actually making the rules work correctly is very tricky, given the ability to spoof e-mail header information. There is a particular challenge in filtering MS Exchange Outlook format mail that has been processed through the Office 365 infrastructure, which layers multiple intermediate addresses in the ridiculously complex header.

D. Cragin Shelton, DSc
Dr.Cragin@iCloud.com
4d4m
Newcomer III

Thanks. I ask because some companies we work with are doing this and we cannot email them anymore, being UK based. I agree it is not a great way to secure, but we now need to find technical solutions or convince them otherwise.


Just wondered if anyone else has had similar issues, who operate outside the US and email US based companies.

Adam

Brids
Viewer II

I haven't worked with US based organisations but I have previously implemented blocking by country. The question I asked my users was 'Do you have any legitimate users who would need to access your application from North Korea, China, or Russia?' If the answer was 'No' I set the WAF to disable access from these countries. In fact for some systems the answer was that no-one outside of Europe should normally be accessing the particular application, so I restricted access to European countries only. I believe it's a good measure to implement but you need to discuss and agree the access requirements with the system owners.

DAlexander
Newcomer III

Blocking traffic with source IP addresses of other countries will likely end up blocking a lot of legitimate traffic and not do much to stop malicious emails. Nefarious actors are well aware of how to spoof IPs or use proxy servers and VPNs to make it seem like they are coming from another location entirely. It's a lot like MAC filtering your home router... it'll add a few steps when you want to add a new device but not do much to stop the kid next door with the Kali box and 10 minutes of YouTube education.

Brids
Viewer II

I agree with you to the extent that no security gives you 100% protection but you can make things more difficult for an opportunistic attacker. From implementing the policy I’ve recommended I experienced no legitimate users complaining of being locked out, and I could see from the SIEM dashboard that I had blocked a number of attempted accesses from countries blacklisted, and as system owners could not explain why anyone would want access from these countries I have to assume they were malicious.

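To make the two points above concrete (Brids' country allow-list agreed with system owners, and CraginS' warning that sender-supplied header data can be forged), here is an added illustration that is not code from anyone in this thread. It assumes a hypothetical edge MTA name, a constructed prefix-to-country table, and constructed Received headers; it trusts only the Received line written by our own edge host, applies an allow-list, and keeps a per-country block count for the periodic review Beads recommends.

```python
import ipaddress
import re
from collections import Counter

# Constructed geolocation table (hypothetical prefixes, not real allocations).
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "GB",
    ipaddress.ip_network("192.0.2.0/24"): "RU",
}

def country_for_ip(ip):
    """Map an IP to a country code; None means the location is not verifiable."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE.items():
        if addr in net:
            return cc
    return None

RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def connecting_ip(received_headers, edge_host):
    """Return the client IP recorded by our own edge MTA (hypothetical host name).
    Received headers are listed newest hop first. Only the line our edge host
    wrote is trustworthy; lines below it arrived with the message and can be
    forged by the sender, so they are ignored for the location decision."""
    for line in received_headers:
        if f"by {edge_host}" in line:
            m = RECEIVED_IP.search(line)
            return m.group(1) if m else None
    return None  # our edge never recorded a client IP: cannot verify

class GeoPolicy:
    def __init__(self, allowed_countries):
        self.allowed = set(allowed_countries)   # agreed with system owners
        self.blocked = Counter()                # country -> count, for review

    def evaluate(self, received_headers, edge_host):
        ip = connecting_ip(received_headers, edge_host)
        cc = country_for_ip(ip) if ip else None
        if cc in self.allowed:
            return ("accept", cc)
        self.blocked[cc or "unknown"] += 1      # unknown location is not allowed
        return ("reject", cc)

# Constructed message: the edge saw a GB address, but a sender-written
# Received line further down claims the mail came from a US address.
MSG_FROM_UK = [
    "from mail.example.co.uk ([198.51.100.25]) by mx.example.com",
    "from [203.0.113.9] by mail.example.co.uk",
]
```

With an allow-list of just "US" the UK sender is rejected as GB, exactly the situation the original poster describes; widening the list to include "GB" accepts the same message without trusting the forged inner line.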
Beads
Advocate I

Used to be a fairly common practice, but also of a day when it was considered to be an effective way of slimming down some obviously bogus email. While reading the OP I thought of more than a few West African countries; Togo and Indian Ocean (.io) all come to mind as domains that I used to immediately block, much like blocking China Backbone or, if you remember, the notorious 'Russian Business Federation' block of addresses.


Most anything can be turned into a game of whack-a-mole if you apply enough effort. This is really no different. Just remember to review your policies toward such on a periodic basis (Monthly, Quarterly, Annually... something different - as long as you see value in it.)