You’ve all received them before: those annoying emails from people in foreign countries claiming to be diplomats, bankers, lawyers or heirs to huge fortunes. They have millions of dollars sitting in some bank account but for some reason they need your help to get the money out of the account. If you help them, you’ll get to share in the fortune, to compensate you for helping.
Of course, it’s too good to be true. To get the money out, you usually have to pay someone an “administration” fee in advance of receiving your share of the loot. Naturally, the crooks happily take the fee (if you’re stupid enough to pay it) and you never get your promised big payment.
These types of scams are called advance fee fraud scams. Many of them originate from criminals in the African countries of Benin, Ghana, Togo, Ivory Coast and Burkina Faso. The most notable country, however, is Nigeria, where this sort of scam seems to have risen to the level of a national sport. That’s why many sysadmins call these scams “Nigerian 419 scams”, where the number 419 refers to the article of the Nigerian Criminal Code that deals with fraud.
As I noted recently in a comment on the Fortinet blog, I wonder whether the spammers in Benin, Ghana, Togo, Ivory Coast and Burkina Faso are actually natives of those countries or just transplanted Nigerians. Either way, they give the whole region a bad name.
A traditional approach to blocking such spam is to use content filtering techniques, which scan the content of the message for certain text patterns such as “absolutely no risk” and “bank account valued at 25 million US dollars”.
The big problem with content filters is that they require frequent updates because the spam content writers are like The Borg: they adapt. Some spammers go so far as to change the wording of their content before each spam run. And it's easy for them to do it because many of them use templates with "placeholder" phrases which can be replaced by numerous phrases with vastly different wordings but similar meanings. This frequent adaptation makes content filter administrators go crazy! Having said that, SpamAssassin does come with a few advance fee rules that are fairly effective at filtering 419 spam after your mail server (e.g. Postfix) has accepted delivery of the message. I recommend you check that option out.
Increasingly, however, my most effective spam filter rules are geolocation-based, not content based. While it's easy to change content, it's much harder to change the location where spam is being sent from (unless, of course, you have access to a large and geographically dispersed botnet that can send snowshoe spam; we'll deal with that in a future article).
Back in the good old days, much of this spam was sent to my mail servers directly from mail servers in the aforementioned countries. If you use Postfix as your mail server, blocking such spam is incredibly easy, as long as you have the luxury of assuming that all email from countries such as Nigeria and China is spam. For example, if you are a small company that only sells its products and services domestically, it’s pretty safe to assume that you won’t get any new sales in Nigeria. On the other hand, if you are a huge multi-national corporation, you might have potential customers in Nigeria.
Assuming you are the first type of company, you should be able to block all email from certain countries. If you are using Postfix, the first thing you need to do is to get a list of all the CIDR blocks for the country you want to block. You can get such a list by downloading a country zone file for free from ipdeny.com. Here is a small excerpt from the zone file for Nigeria as of May 11, 2012:
41.57.120.0/22
41.58.0.0/16
41.67.128.0/18
41.71.128.0/17
41.73.0.0/19
41.73.128.0/19
41.73.224.0/19
41.75.16.0/20
41.75.80.0/20
41.75.192.0/20
Before you can use the zone file with Postfix, you will need to append an action to each line. For example, “REJECT Server country banned” or even “REJECT We don’t want your stinking spam!”. Here is how the zone file would look after appending an action to each CIDR block:
41.57.120.0/22 REJECT Server country banned
41.58.0.0/16 REJECT Server country banned
41.67.128.0/18 REJECT Server country banned
41.71.128.0/17 REJECT Server country banned
41.73.0.0/19 REJECT Server country banned
41.73.128.0/19 REJECT Server country banned
41.73.224.0/19 REJECT Server country banned
41.75.16.0/20 REJECT Server country banned
41.75.80.0/20 REJECT Server country banned
41.75.192.0/20 REJECT Server country banned
Because the zone files change frequently, I strongly suggest you create a cron job that periodically downloads the latest zone file and automatically appends the action to each line. I'll leave that as an exercise for the reader for now. Hint: use "wget -N". The "-N" switch ensures that wget only downloads the zone file if it is newer than the one you have. That will make the good folks at IPdeny happy because you'll be saving them some bandwidth.
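One way to do that exercise, as an added example rather than the post's own script: the zone URL, the directory wget keeps its timestamped copy in, the map path and the action text are all assumptions, and the script deliberately writes the new map to a temporary file and renames it into place so a starting smtpd never reads a half-written table.

```shell
#!/bin/sh
# Added example, not the post's own script: fetch the latest ipdeny.com zone
# file with "wget -N" and rebuild the Postfix cidr: map from it.
# ZONE_URL, ZONE_DIR, MAP_FILE and ACTION are assumptions; adjust to taste.
set -eu

ZONE_URL="http://www.ipdeny.com/ipblocks/data/countries/ng.zone"  # assumed layout
ZONE_DIR="/var/lib/postfix-geo"      # wget -N keeps its timestamped copy here
MAP_FILE="/etc/postfix/ng.cidr"      # the table named in check_client_access
ACTION="REJECT Server country banned"

# Turn a zone file (one CIDR per line) into a Postfix cidr: table body.
# Comments and blank lines are dropped; a line that is not an IPv4 CIDR is
# reported and skipped rather than becoming a malformed table entry.
zone_to_cidr_map() {   # zone_to_cidr_map ZONEFILE ACTION
    awk -v action="$2" '
        /^[[:space:]]*$/ { next }
        /^[[:space:]]*#/ { next }
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+\/[0-9]+$/ { print $1, action; next }
        { printf "skipping unparseable line %d: %s\n", NR, $0 > "/dev/stderr" }
    ' "$1"
}

# Download only if the remote copy is newer, rebuild the map into a temporary
# file in the same directory and rename it into place atomically.
update_country_map() {
    mkdir -p "$ZONE_DIR"
    wget -q -N -P "$ZONE_DIR" "$ZONE_URL"
    tmp=$(mktemp "$MAP_FILE.XXXXXX")
    zone_to_cidr_map "$ZONE_DIR/${ZONE_URL##*/}" "$ACTION" > "$tmp"
    if cmp -s "$tmp" "$MAP_FILE" 2>/dev/null; then
        rm -f "$tmp"                 # unchanged: leave Postfix alone
    else
        chmod 0644 "$tmp"
        mv -f "$tmp" "$MAP_FILE"
        postfix reload               # cidr: tables need no postmap, only a reload
    fi
}

# Only act when run as "update-country-map.sh run" (e.g. from cron);
# without the argument the file merely defines the functions.
case "${1:-}" in
    run) update_country_map ;;
esac
```

A crontab line such as "17 3 * * * /usr/local/sbin/update-country-map.sh run" (the path is an assumption) is enough; the cmp step means Postfix is only reloaded on the days the zone actually changed.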
To use your edited zone file, you'll need to add a section like this to your Postfix main.cf file. Note that cidr: tables are read directly by Postfix; unlike hash: tables they do not have to be compiled with postmap, so a fresh file plus a "postfix reload" is all it takes:
smtpd_client_restrictions =
permit_mynetworks,
check_client_access cidr:/etc/postfix/ng.cidr,
permit
Now, notice above that I said the above technique worked great back in “the good old days”? While it still works, some Nigerian 419 spammers have found a loophole. Instead of sending their spam directly from Nigeria, they send from a freemail account from the likes of Hotmail, Yahoo, Gmail or any of the countless other freemail providers. The spammer is still sitting at a desk in Nigeria but since the freemail provider’s server is in another country, it doesn’t look like it came from Nigeria when the SMTP connection is made to your mail server.
For example, in the case of the "big 3" aforementioned freemail providers, the SMTP connection will probably be made from a server with an IP address in the United States. Therefore, the above zone file technique will be circumvented by the spammer because the Postfix smtpd_client_restrictions check will only see the American IP.
What can you do in this case? Postfix header checks to the rescue!
The limitation with the smtpd_client_restrictions check is that it only ever sees the IP address of the system that opened the SMTP connection to your server, i.e. the address your own server records in the topmost "Received" header it adds. However, as the email traverses various servers on the way to yours, other headers are added and many of them contain IP addresses. For example, you will often find multiple Received headers in an email, some of which may contain a public IP address. Here are some other headers that you will often find public IP addresses in:
- X-Originating-IP
- X-PHP-Script
- X-AOL-IP
- X-SenderIP
For example, here is a header from a recent spam I received. Note that the last byte of the address has been obfuscated with xyz to protect the “innocent”.
X-Originating-IP: [41.71.150.xyz]
To block spam based on the country of the public IP address in an intermediate mail header, you must first find out which network block the address belongs to. One handy way is the website Country IP Blocks: in the "Enter IP Address" field in the left sidebar, enter the public IP address found in the header, then press "Locate IP" (a plain "whois" query of the address against the regional registry, AFRINIC in this case, gives you the same network range). You should get output that looks something like this:
IP Address assigned to: NIGERIA
IP Address: 41.71.150.xyz is located within the following Network:
Network: 41.71.128.0
CIDR: 41.71.128.0/17
Mask: 41.71.128.0/255.255.128.0
Network Range: 41.71.128.0 – 41.71.255.255
Total addresses: 32,768
Registrar: AFRINIC
The most important line in the output is the CIDR block of 41.71.128.0/17, which encompasses 32,768 IP addresses.
To successfully block the CIDR block in a Postfix header check, you will have to convert the CIDR block to a regular expression (or regex). To do that, use Xenowire’s excellent CIDR to RegEx Converter. For the above Nigerian CIDR block, you will get the following regex:
41\.71\.(12[8-9]|1[3-9][0-9]|2[0-5][0-9])\.[0-9]{1,3}
Now you can add a rule to your Postfix header_checks file. Here is how the rule might look for the above header and regex:
/^X-Originating-?IP: \[?41\.71\.(12[8-9]|1[3-9][0-9]|2[0-5][0-9])\.[0-9]{1,3}\]?/ REJECT Invalid mail header
Note that I made the "[" and "]" characters optional in the above rule because X-Originating-IP headers are sometimes missing them.
Here are examples of some other rules for other types of intermediate headers. Be careful with rules that allow arbitrary text before the address, such as the Received rule: a bare ".{0,80}" will happily swallow the leading digit of an address like 141.138.170.5 and then match "41.138..." inside it, rejecting mail from a block you never meant to touch. The "[^0-9]" just before the optional bracket guarantees that the match starts at an octet boundary (the space after "from" or the "[" counts as that non-digit), so keep it:
/^Received: from.{0,80}[^0-9]\[?41\.138\.(1[6-8][0-9]|19[0-1])\.[0-9]{1,3}\]?/ REJECT Invalid mail header
/^X-PHP-Script: .{0,80}for \[?41\.155\.([0-9]{0,1}[0-9]|1[0-1][0-9]|12[0-7])\.[0-9]{1,3}\]?/ REJECT Invalid mail header
/^X-AOL-IP: \[?190\.121\.(6[4-9]|[7-9][0-9]|1[0-1][0-9]|12[0-7])\.[0-9]{1,3}\]?/ REJECT Invalid mail header
Finally, to enable header checks, you'll need to put a line like the following in your Postfix main.cf file. Two things to keep in mind: a header_checks REJECT is issued at the end of the DATA phase, so the sending server still gets a 5xx reply during the SMTP session and you never generate a bounce yourself; and header_checks are applied by the cleanup daemon to every message it handles, including mail submitted by your own users, so if you run a separate submission service in master.cf, give it "-o receive_override_options=no_header_body_checks" to keep your own users' mail out of these rules.
header_checks = regexp:/etc/postfix/header_checks
To test your rule, you can run a test from the command line like this (replace "some header string" with the header you are testing):
postmap -q "some header string" regexp:/etc/postfix/header_checks
For example:
me@mycomputer:~$ postmap -q "X-Originating-IP: [41.71.150.xyz]" regexp:/etc/postfix/header_checks
REJECT Invalid mail header
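The CIDR-to-regex step and the postmap test can both be done locally. The script below is an added example, not code from the post or from the converter website: it turns an IPv4 CIDR block into the same kind of octet-range regex, prints a ready-made header_checks line in the format used above, and offers a grep -E stand-in for "postmap -q" for machines without Postfix installed. The generated ranges are exact rather than loose (2[0-4][0-9]|25[0-5] instead of 2[0-5][0-9], and host octets match 0-255 instead of [0-9]{1,3}); the header prefixes, the blocks in the demo (41.138.160.0/19 and 190.121.64.0/18 are read back from the rules above) and the action text are assumptions.

```shell
#!/bin/sh
# Added example (not the post's own code): build header_checks regexes for an
# IPv4 CIDR block locally. Header prefixes and action strings are assumptions.
set -eu

# Regex for a decimal octet in [LO, HI]. Full decades that share a hundreds
# digit are merged, so 64-127 becomes (6[4-9]|[7-9][0-9]|1[0-1][0-9]|12[0-7]).
octet_range_regex() {   # octet_range_regex LO HI   (0 <= LO <= HI <= 255)
    hi=$2; n=$1; out=''
    while [ "$n" -le "$hi" ]; do
        t=$((n / 10)); end=$((t * 10 + 9))
        if [ "$end" -gt "$hi" ]; then end=$hi; fi
        if [ $((n % 10)) -eq 0 ] && [ "$end" -eq $((t * 10 + 9)) ]; then
            # n opens a full decade: absorb following full decades in the same hundred
            h=$((t / 10)); ts=$((t % 10))
            while [ $((t * 10 + 19)) -le "$hi" ] && [ $(((t + 1) / 10)) -eq "$h" ]; do
                t=$((t + 1))
            done
            te=$((t % 10)); end=$((t * 10 + 9))
            if [ "$h" -eq 0 ] && [ "$ts" -eq 0 ]; then
                piece='[0-9]'                      # 0-9 has no tens digit
                if [ "$te" -eq 1 ]; then piece="$piece|1[0-9]"
                elif [ "$te" -gt 1 ]; then piece="$piece|[1-$te][0-9]"; fi
            else
                pre=''; if [ "$h" -gt 0 ]; then pre=$h; fi
                if [ "$ts" -eq "$te" ]; then piece="$pre$ts[0-9]"; else piece="$pre[$ts-$te][0-9]"; fi
            fi
        else
            pre=''; if [ "$t" -gt 0 ]; then pre=$t; fi
            d0=$((n % 10)); d1=$((end % 10))
            if [ "$d0" -eq "$d1" ]; then piece="$pre$d0"; else piece="$pre[$d0-$d1]"; fi
        fi
        out="$out${out:+|}$piece"
        n=$((end + 1))
    done
    printf '(%s)' "$out"
}

# Regex for every address inside A.B.C.D/N: prefix octets are literals, the
# boundary octet is a range snapped to the block start, host octets are 0-255.
cidr_to_regex() {   # cidr_to_regex A.B.C.D/N
    bits=${1#*/}; addr=${1%/*}; dot='\.'
    oldifs=$IFS; IFS=.; set -- $addr; IFS=$oldifs
    regex=''
    for octet in "$1" "$2" "$3" "$4"; do
        if [ "$bits" -ge 8 ]; then
            piece=$octet
        elif [ "$bits" -le 0 ]; then
            piece=$(octet_range_regex 0 255)
        else
            span=$((256 >> bits))                  # addresses this octet spans
            lo=$((octet / span * span))            # snap to the block boundary
            piece=$(octet_range_regex "$lo" $((lo + span - 1)))
        fi
        regex="$regex${regex:+$dot}$piece"
        bits=$((bits - 8))
    done
    printf '%s' "$regex"
}

# A complete header_checks line. PREFIX is everything before the address,
# e.g. 'X-Originating-?IP: ' or 'Received: from.{0,80}[^0-9]' (the [^0-9]
# keeps the match on an octet boundary); the brackets stay optional.
header_rule() {   # header_rule PREFIX CIDR ACTION
    printf '/^%s\\[?%s\\]?/ %s\n' "$1" "$(cidr_to_regex "$2")" "$3"
}

# Offline stand-in for "postmap -q": exit 0 if the header line would trip the
# rule. Postfix regexp tables match case-insensitively by default, hence -i.
header_matches() {   # header_matches PREFIX CIDR 'Header: value'
    printf '%s\n' "$3" | grep -Eiq "^$1\[?$(cidr_to_regex "$2")\]?"
}

# Demo: the post's rules regenerated from their CIDR blocks (blocks assumed).
header_rule 'X-Originating-?IP: ' 41.71.128.0/17 'REJECT Invalid mail header'
header_rule 'Received: from.{0,80}[^0-9]' 41.138.160.0/19 'REJECT Invalid mail header'
header_rule 'X-AOL-IP: ' 190.121.64.0/18 'REJECT Invalid mail header'
```

Running the block prints three header_checks lines you can paste into /etc/postfix/header_checks; header_matches lets you confirm on any machine that, say, an X-Originating-IP of 41.71.100.7 falls outside 41.71.128.0/17 and is left alone.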
I have found that Hotmail, Yahoo and AOL spam is pretty easy to block with this IP address header check technique because those freemail providers almost always reveal the underlying IP address of the sender (which could be some Internet cafe in Nigeria…I’d love to be a fly on the wall in one of those places!).
On the other hand, at the time of writing this article, Google’s Gmail usually does NOT reveal the sender’s IP address when the spammer has a @gmail.com email address. However, if the spammer is using Google Apps for Domains (rare, in my experience), you can usually get the IP address.
I guess Google hides the IP address for Gmail users to protect their privacy. I think that's really stupid because it makes things much easier for spammers. And how much does your IP address really reveal about you? It's not like people can get your exact phone number, name or street address from it (not usually, anyway, especially if you are sending your email via your home internet connection). I'm a big Google fan but this policy of hiding spammers' IP addresses is just plain dumb. Shame on you Google!
If this tip helped you, please leave a comment!
Very nice work! Another weapon against Nigerian 419 spam!
This is what I need. I am so tired of this crap and have also sent thousands of dollars in response before I caught on. But I am not capable of setting this up. I use Yahoo for private personal emails (like these) and Gmail for corporate email. Can you give me a program or something to set this up in my system? I am begging for it; Anything from Nigeria or Ghana is bad news! I will pay you for your help. It is serious because of my business and natural sense of charity!
Ted Moore
Ted, Gmail is actually pretty good at blocking Nigerian spam. Yahoo, however, is not as good, in my personal experience. You might consider switching to Gmail for your personal email.