Has anyone else come across organisations blocking email based on geographic locations recently, as a cyber security measure? For example, a US organisation only allowing email from within the US based on IP location.
Adam
Adam,
Why do you ask? Are you simply curious if anyone is using IP group as an e-mail filter rule, or are you considering doing so, yourself?
Blocking by IP and domain are both legitimate ways to manage e-mail filter rules, but actually making the rules work correctly is very tricky, given the ability to spoof e-mail header information. There is a particular challenge in filtering MS Exchange Outlook format mail that has been processed through the Office 365 infrastructure, which layers multiple intermediate addresses in the ridiculously complex header.
Thanks. I ask because some companies we work with are doing this and we cannot email them anymore, being UK-based. I agree it is not a great way to secure, but we now need to find technical solutions or convince them otherwise.
Just wondered if anyone else has had similar issues, who operate outside the US and email US based companies.
Adam
I haven't worked with US-based organisations but I have previously implemented blocking by country. The question I asked my users was 'Do you have any legitimate users who would need to access your application from North Korea, China, or Russia?' If the answer was 'No' I set the WAF to disable access from these countries. In fact for some systems the answer was that no-one outside of Europe should normally be accessing the particular application, so I restricted access to European countries only. I believe it's a good measure to implement but you need to discuss and agree the access requirements with the system owners.
Blocking traffic with source IP addresses of other countries will likely end up blocking a lot of legitimate traffic and not do much to stop malicious emails. Nefarious actors are well aware of how to spoof IPs or use proxy servers and VPNs to make it seem like they are coming from another location entirely. It's a lot like MAC filtering your home router... it'll add a few steps when you want to add a new device but not do much to stop the kid next door with the Kali box and 10 minutes of YouTube education.
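As an added example, not code from anyone in this thread: a short Python script that makes the points above concrete. A geo allow-list (the same check whether it sits on a WAF or a mail gateway) can only be evaluated against the IP your own MX actually saw connect, which is recorded in the topmost Received header; every Received header below it was written by someone else's server and can say whatever the sender wants. The country-to-CIDR table, the host name mx1.example.com and the two sample messages are constructed for this example (the ranges are documentation prefixes, not real GeoIP data).

```python
import ipaddress
import re
from email import message_from_string

# Constructed, hypothetical country table for the example. A real deployment
# would use a maintained GeoIP database; these are RFC 5737 documentation ranges.
COUNTRY_BLOCKS = {
    "US": [ipaddress.ip_network("203.0.113.0/24")],
    "GB": [ipaddress.ip_network("198.51.100.0/24")],
}

# Hypothetical name of our own inbound mail server.
OUR_MX = "mx1.example.com"

# First bracketed IPv4 literal in a Received header, e.g. "[198.51.100.7]".
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def country_of(ip):
    """Return the country code for ip from the constructed table, or None."""
    addr = ipaddress.ip_address(ip)
    for cc, nets in COUNTRY_BLOCKS.items():
        if any(addr in net for net in nets):
            return cc
    return None


def geo_allowed(ip, allowed_countries):
    """Allow-list check usable for a WAF or a mail gateway: unknown origin is denied."""
    cc = country_of(ip)
    return cc is not None and cc in allowed_countries


def connecting_ip(raw_message):
    """IP that connected to OUR_MX, taken only from the Received header our MX added.

    Received headers are prepended as the message travels, so the first one
    listed is the newest. We trust it only if it names our own server.
    """
    msg = message_from_string(raw_message)
    received = msg.get_all("Received", [])
    if not received or f"by {OUR_MX}" not in received[0]:
        return None
    match = RECEIVED_IP.search(received[0])
    return match.group(1) if match else None


def evaluate(raw_message, allowed_countries):
    """Decide on a message using only the trustworthy connecting IP."""
    ip = connecting_ip(raw_message)
    cc = country_of(ip) if ip else None
    return {"ip": ip, "country": cc, "allowed": geo_allowed(ip, allowed_countries) if ip else False}


def naive_any_allowed(raw_message, allowed_countries):
    """The mistake: accept if ANY Received header carries an allowed-country IP.

    Inner Received headers are sender-controlled, so this is trivially fooled.
    """
    msg = message_from_string(raw_message)
    for hdr in msg.get_all("Received", []):
        for ip in RECEIVED_IP.findall(hdr):
            if geo_allowed(ip, allowed_countries):
                return True
    return False


# Constructed sample: a UK supplier's server connects to us, but the inner
# Received line it wrote claims an earlier hop from a "US" address.
SAMPLE_UK = """Received: from mail.supplier.co.uk (mail.supplier.co.uk [198.51.100.7]) by mx1.example.com with ESMTPS; Mon, 1 Jan 2024 10:00:00 +0000
Received: from workstation ([203.0.113.9]) by mail.supplier.co.uk; Mon, 1 Jan 2024 09:59:00 +0000
From: adam@supplier.co.uk
To: bob@example.com
Subject: quarterly report

Please find the report attached.
"""

# Constructed sample: a connection from a "US" address in the table.
SAMPLE_US = """Received: from mail.partner.example (mail.partner.example [203.0.113.5]) by mx1.example.com with ESMTPS; Mon, 1 Jan 2024 11:00:00 +0000
From: carol@partner.example
To: bob@example.com
Subject: hello

Hi Bob.
"""

if __name__ == "__main__":
    for name, raw in (("UK sender", SAMPLE_UK), ("US sender", SAMPLE_US)):
        print(name, "US-only policy:", evaluate(raw, {"US"}))
        print(name, "US+GB policy:", evaluate(raw, {"US", "GB"}))
    print("naive check fooled by forged inner header:", naive_any_allowed(SAMPLE_UK, {"US"}))
```

Under a US-only policy the UK message is denied on the IP our MX really saw, and under a policy that lists the UK it passes; the naive check that reads every Received header accepts the same UK message because of the forged inner hop. Note what the strict check cannot do: if the UK sender relays through a hosted mailbox or VPN egress inside the allowed country, the connecting IP is genuinely there and the filter passes it, which is the limitation the post above describes.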
It used to be a fairly common practice, but that was also in a day when it was considered to be an effective way of slimming down some obviously bogus email. While reading the OP I thought of more than a few West African countries; Togo and the Indian Ocean (.io) all come to mind as domains that I used to immediately block, much like blocking China Backbone or, if you remember, the notorious 'Russian Business Federation' block of addresses.
Most anything can be turned into a game of whack-a-mole if you apply enough effort. This is really no different. Just remember to review your policies toward such on a periodic basis (Monthly, Quarterly, Annually... something different - as long as you see value in it.)