TitanHQ

TitanHQ Blog

Email Geoblocking Best Practices

Posted by Trevagh Stankard on Thu, Sep 9th, 2021

The latest estimates from Cisco researchers (August 2021) show that spam accounts for around 85% of all emails. That is an enormous number of illegitimate, unwanted emails. But some of these spam emails are not just a nuisance; they are a serious threat, potentially resulting in malware infection, including ransomware. Email-borne threats continue to challenge organizations the world over. Spam may be a worldwide phenomenon, but it typically originates from certain geographic locations or IP addresses.

One of the most effective ways to stop spam is to spot the location it is being sent from and block its entry to your email server and ultimately an employee inbox. This technique is known as ‘Geoblocking’.

What is Email Geoblocking?

Certain countries and IP addresses are renowned for, or quickly become known for, sending out spam and phishing emails. Email-borne attacks can be devastating to an organization. A recent example was a phishing campaign initiated by the Nobelium hacking group, the cybercriminals behind the 2020 SolarWinds attack. In this latest phishing attack, 3000 email accounts at 150 companies were targeted. The hackers tried to trick users by using a compromised USAID email marketing account to send out phishing emails that looked legitimate. Many of the targets were able to stop the emails before they entered employee inboxes by using email filtering; however, it only takes a single phishing email that escapes detection to result in ransomware infection or other cyber-attacks.

Cybersecurity intelligence on malicious IP addresses and the countries of origin of phishing campaigns can be leveraged via email filters that have a Geoblocking feature. This filter feature is used to implement geo-restrictions that block incoming emails based on their origin, i.e., IP address or geographic location.

Benefits of Email Geoblocking

By stopping emails based on a location or IP address, an organization can:

Prevent excessive spam cluttering up employees’ inboxes: A survey found that a third of employees were missing out on important email communications because of the volume of emails in their inboxes. Geoblocking ensures that only legitimate emails enter staff inboxes.

Block phishing emails: Phishing is the number one way that malware infections enter a network. Geoblocking helps to prevent phishing messages entering email inboxes. This, in turn, prevents malware infection, ransomware attacks, stolen credentials, and the theft of data.

Auto-quarantine emails: Geoblocking in email filters can be used to quarantine emails, delivering a business communication system that is under an organization's control.

Best Practices when Using Email Geoblocking

Deciding on the best Geoblocking solution for your organization can be daunting. To help in your evaluation of a Geoblocking service, look for the following best practice features:

Granular Choice of Location to Block

Geoblocking should be done at a granular level to ensure effective control. This can be done on a per-country or multiple-country basis, or by IP address or IP range. SpamTitan V7.11 comes with a Country IP Database that makes the setting of country-level Geoblocking easy.

Exemptions to Geoblocking

However, it is also important to be able to set exemptions to Geoblocking rules to ensure that legitimate emails are delivered. These exemption rules are typically based on a trusted sender's IP, domain, or email address. This granular level of control is essential to effective Geoblocking.
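The sketch below is an added example, not SpamTitan code or configuration. It shows how block rules (country, IP range) and exemptions (trusted IP, domain, email address) can be evaluated in order for one inbound message. All names, the placeholder country codes and the documentation-reserved IP ranges are constructed, and `sender_authenticated` is a hypothetical flag assumed to come from an upstream sender-authentication check, because an envelope address on its own can be forged.

```python
import ipaddress

# Constructed sample data: documentation-reserved ranges mapped to placeholder
# country codes. A real deployment would load a country IP database instead.
COUNTRY_RANGES = {"XA": ["192.0.2.0/24"], "XB": ["198.51.100.0/24"]}
BLOCKED_COUNTRIES = {"XA", "XB"}
BLOCKED_NETWORKS = ["203.0.113.64/26"]      # block by IP range, no country needed
EXEMPT_IPS = ["192.0.2.25/32"]              # trusted relay inside a blocked country
EXEMPT_DOMAINS = {"partner.example"}
EXEMPT_SENDERS = {"billing@supplier.example"}

def _in_any(ip, cidrs):
    return any(ip in ipaddress.ip_network(c) for c in cidrs)

def country_of(ip):
    for code, cidrs in COUNTRY_RANGES.items():
        if _in_any(ip, cidrs):
            return code
    return None

def evaluate(connecting_ip, envelope_from, sender_authenticated):
    """Return (action, reason) from the geoblocking layer for one message."""
    ip = ipaddress.ip_address(connecting_ip)
    sender = envelope_from.strip().lower()
    domain = sender.rpartition("@")[2]
    # Exemptions come first so that a trusted sender is never geoblocked.
    if _in_any(ip, EXEMPT_IPS):
        return ("allow", "exempt-ip")
    # Address and domain exemptions only count for authenticated senders;
    # otherwise a forged From address would bypass the geoblock.
    if sender_authenticated and sender in EXEMPT_SENDERS:
        return ("allow", "exempt-sender")
    if sender_authenticated and domain in EXEMPT_DOMAINS:
        return ("allow", "exempt-domain")
    if _in_any(ip, BLOCKED_NETWORKS):
        return ("quarantine", "blocked-range")
    code = country_of(ip)
    if code in BLOCKED_COUNTRIES:
        return ("quarantine", f"blocked-country:{code}")
    # No geoblock rule matched; the message continues to the other filters.
    return ("allow", "no-geoblock-match")
```

An "allow" result here only means the geoblocking layer did not stop the message; it would still pass through the other filter layers.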

Easy Configuration and Administration

Without an easy-to-use interface, the granular level of configuration needed for effective Geoblocking will be difficult to achieve. A Geoblocking solution must provide highly configurable, rules-based settings that are easy to implement from a central console. Flexibility in configuration is key to an effective Geoblocking solution.

Mix it up with Other Filters

Geoblocking alone is not enough to prevent spam emails. More sophisticated cybercriminals may use compromised servers in a country other than the one they reside in. Geoblocking, therefore, should be used as part of a multi-layered approach to spam prevention. Email fraudsters are forever changing tactics, and only by applying multiple filter methods can spam and phishing be successfully blocked. Other effective spam filter methods include predictive techniques such as Bayesian analysis, heuristics, and machine learning. A system that applies multiple layers of filters can even block new varieties of spear-phishing and zero-day attacks that lead to ransomware.

Geoblocking must be Flexible and part of a Layered Approach to Email Filtering

Geoblocking is an essential part of a layered approach to email spam filtering and control. The ability to block email threats using a specified geographic location or IP address/range is an essential feature of a modern, smart email filter solution. Geoblocking filters add a layer of control that creates a more sophisticated spam filter when used alongside other filter options such as Bayesian analysis. These multi-layered email filters work for organizations of all sizes and all sectors to reduce threat vectors in known geographies or specific IP addresses and IP ranges. As the volumes of spam and phishing continue to place organizations the world over at risk, having this additional level of control can help to close off the path to ransomware and other cyber threats.

Try SpamTitan today with a 14-day free trial.
