Security Basics
mailing list archives
Re: Blocking traffic by Country to reduce spam
From: Jason Kolpin <jasonk () ncat org>
Date: Mon, 22 Jun 2009 16:35:56 -0600
paavan.shah () gmail com wrote:
Hello List,
One of our clients is based in USA and has most of the business in USA and UK.
To reduce spam we are planning to propose them a solution to filter traffic by country.
We can add IP Blocks for USA and UK as a whitelist and allow only incoming access to those IP Blocks, everything else is
blocked.
Has anyone implemented this change on their production networks? Has it been effective to reduce spam?
Please share your views and experiences
------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute
Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both Instructor-Led and Online formats is the most concentrated exam prep available. Comprehensive course materials and an expert instructor means you pass the exam. Gain a laser like insight into what is covered on the exam, with zero fluff!
http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------
I think more information needs to be shared here in order to give you a
decent answer. The biggest question is what measures have already been
taken to block the spam and how effective has it been? If you just have
an email server out there with no antivirus scanning, no spam system
implemented (like SpamAssassin or something), a HELO trick or two, and
no DNSBLs set up, then these are steps you should probably take first.
The other question is just how "bad" is the spam problem? Are your users
complaining about a few that keep getting through or are they showing up
in the morning, opening up their email client and spending two hours
shuffling through their new email which is plastered with bad mail? One
thing I do know is DO NOT take a client's spam concerns too seriously
until they can provide you with some numbers and statistics about the
number of spam emails they get daily/weekly/monthly. I've had clients
that thought 1 or 2 getting through a day was waaay out of hand and made
it sound as if it were the end of the world when most of us know a spam
or two a day isn't anything to be concerned about and it definitely
isn't impacting daily production. These screaming folks almost always
seem to be someone that checks their email once a week instead of
handling it daily or a couple times a day like they should as
professionals. I do know for SpamAssassin it is pretty easy for a server
admin to create custom rules that apply to those recurring text-only
spams, which is probably much better than starting to block entire Class
A or B subnets.
So with that I want to add:
I've actually done what you are saying before. At the time I got a
dramatic effect; I also got a few calls from across the Atlantic asking
why they cannot connect anymore, had to go back and alter the rules
yadda yadda. It should also be mentioned that I had no clue about DNSBLs
at that time either. I must say that DNSBLs are hands down one of the
most effective tools you can use BUT since you have no control over them,
they can also cause great grief when important client Bob just got blocked by
a DNSBL because he has a bot/trojan on his machine that he had no clue
was there. My simple suggestion is to try everything else before going
postal and blocking entire chunks of the planet.
"If we could just get rid of the average user, everything would be just
PEACHY!" :-D
J L Kolpin
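
The "get numbers first" advice in the reply above, as an added example that is not part of the original posts: it replays a mail log against a proposed country allowlist without blocking anything, and reports daily spam counts plus how much spam and how much legitimate mail the allowlist would have dropped. The log format, the function names and the allowlist ranges (documentation prefixes standing in for real country blocks) are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed allowlist: documentation ranges standing in for "USA and UK" blocks.
ALLOWED_BLOCKS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24")]

# Constructed log lines (hypothetical format): date, connecting IP, filter verdict.
SAMPLE_LOG = """\
2009-06-20 192.0.2.10 ham
2009-06-20 203.0.113.5 spam
2009-06-20 203.0.113.77 spam
2009-06-20 198.51.100.23 spam
2009-06-21 203.0.113.9 ham
2009-06-21 192.0.2.44 ham
2009-06-21 203.0.113.5 spam
2009-06-21 not-an-ip spam
"""

def allowed(ip):
    """True if the connecting address falls inside any allowlisted block."""
    return any(ip in net for net in ALLOWED_BLOCKS)

def evaluate(log_text):
    """Replay a log against the allowlist without blocking anything."""
    daily = defaultdict(lambda: {"spam": 0, "ham": 0})
    totals = {"spam_blocked": 0, "spam_passed": 0,
              "ham_blocked": 0, "ham_passed": 0, "skipped": 0}
    for line in log_text.splitlines():
        try:
            date, raw_ip, verdict = line.split()
            ip = ipaddress.ip_address(raw_ip)
            if verdict not in ("spam", "ham"):
                raise ValueError(verdict)
        except ValueError:
            totals["skipped"] += 1  # malformed line: count it, do not guess
            continue
        daily[date][verdict] += 1
        outcome = "passed" if allowed(ip) else "blocked"
        totals[f"{verdict}_{outcome}"] += 1
    return dict(daily), totals

if __name__ == "__main__":
    daily, totals = evaluate(SAMPLE_LOG)
    for date in sorted(daily):
        print(date, daily[date])
    print(totals)
```

The `ham_blocked` count is the number to watch: each one is a legitimate sender outside the allowlist who would have been cut off.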