There are DNSBLs that map source IP to country code (ie http://countries.nerd.dk/). I used to use tqmcube.com a couple of years ago, but they have changed their offerings (and domain name). They weren't really a block list, but a cross-reference list.
tqmcube, like nerd.dk I mentioned above, used to use return codes specific to ISO country code. So, you get an email from source IP which is checked against an IP-to-country code list. The country code is assigned a return code 127.0.0.xx (10-254) and your server can act based on the return code. I may start working on hosting something like that in April. ---------------------------------------- From: "Joe Heaton" <jhea...@etp.ca.gov> Sent: Tuesday, February 17, 2009 12:29 PM To: "MS-Exchange Admin Issues" <exchangelist@lyris.sunbelt-software.com> Subject: RE: Incoming spoofed e-mail issue I tried this, and there are hundreds, if not thousands of IP ranges associated with .pl domains. Joe Heaton Employment Training Panel From: Kim Longenbaugh [mailto:k...@colonialsavings.com] Sent: Tuesday, February 17, 2009 10:35 AM To: MS-Exchange Admin Issues Subject: RE: Incoming spoofed e-mail issue One way would be to look up the IP address ranges associated with those areas and block access to and from them with your firewall. ---------------------------------------- From: Joe Heaton [mailto:jhea...@etp.ca.gov] Sent: Tuesday, February 17, 2009 12:30 PM To: MS-Exchange Admin Issues Subject: Incoming spoofed e-mail issue I'm getting users who are getting lots of mail in their inbox every morning that looks like it is coming from themselves. Looking at the headers, I see various actual senders, many coming from domains ending in .ru, or .pl, etc. Is there a way of blocking e-mails from these foreign domains? None of my users have legitimate business with anyone in Russia, or Poland, or any other foreign country. I tried setting this up under Sender Filtering, by putting the following in, for example: *...@*.pl Is there a different way of putting this in? I notice that the instructions for Sender Filtering says to block messages "claiming" to be from the following:, but these messages are actually "claiming" to be from the user, not what is actually in the header. Is there a different way of filtering these messages? There's nothing in the subject line that is keying the IMF, or my Symantec Mail Security for Microsoft Exchange. Joe Heaton AISA Employment Training Panel 1100 J Street, 4th Floor Sacramento, CA 95814 (916) 327-5276 jhea...@etp.ca.gov ~ Ninja Email Security with Cloudmark Spam Engine Gets Image Spam ~ ~ http://www.sunbeltsoftware.com/Ninja ~