Back in 2009, I wrote an article about country-based DNSBL blocking. You can find the original article here: https://www.vircom.com/security/country-based-blocking/
Thankfully, the person who runs the countries.nerd.dk blacklist is still around and operational and you can still use their country-based DNSBL zones to block certain countries from sending mail to you.
Depending on the type of organization that you run, you may be able to tolerate blocking entire countries from sending mail to your server(s). For instance, a lot of spam originates from China and Russia. So if you don’t do any business with those nations, nothing prevents you from blocking those two countries altogether!
According to Spamhaus, as of March 31st 2015, the following countries are the current “spam havens” by volume.
- United States
- China
- Russian Federation
- Japan
- Ukraine
- United Kingdom
- Brazil
- Germany
- Turkey
- India
To query a country zone on countries.nerd.dk, prepend the two-letter IANA country code to the zone name (xx.countries.nerd.dk) and add the result to the list of DNSBL servers your MTA queries. For the list above:
- us.countries.nerd.dk
- cn.countries.nerd.dk
- ru.countries.nerd.dk
- jp.countries.nerd.dk
- ua.countries.nerd.dk
- uk.countries.nerd.dk
- br.countries.nerd.dk
- de.countries.nerd.dk
- tr.countries.nerd.dk
- in.countries.nerd.dk
You can find the list of IANA country codes on Wikipedia here:
http://en.wikipedia.org/wiki/List_of_Internet_top-level_domains#Country_code_top-level_domains
Obviously, your mileage may vary; use with caution.
With most MTAs, every DNSBL you query can add delivery delay, depending on the DNS timeout for each query. It is possible to go overboard with DNSBLs; generally speaking, you don’t want to use more than, say, a dozen. If every DNSBL query takes a few hundred milliseconds and you query 20 different servers, each IP address that hits your server can hold a socket open for a few seconds, and a single DNSBL that isn’t responding rapidly can keep the connection open much longer than necessary. So focus on the biggest sources first.
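The zone naming and the latency concern above, as an added Python example (not code from the original article): it builds the query name for a connecting IP and checks several country zones in parallel under one time budget. It assumes countries.nerd.dk follows the usual DNSBL convention (reversed IPv4 octets prepended to the zone, any A record means "listed"); the function names and the offline `stub_resolver` are hypothetical.

```python
import ipaddress
import socket
import time
from concurrent.futures import ThreadPoolExecutor, wait

def dnsbl_name(ip, zone):
    """192.0.2.10 + cn.countries.nerd.dk -> 10.2.0.192.cn.countries.nerd.dk"""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # rejects malformed input
    return ".".join(reversed(octets)) + "." + zone.lower().rstrip(".")

def system_resolver(name):
    """Listed if the name has an A record; any resolver error counts as not listed."""
    try:
        socket.gethostbyname(name)
        return True
    except OSError:
        return False

def check_zones(ip, zones, resolver=system_resolver, budget=2.0):
    """Query every zone in parallel and stop waiting after `budget` seconds.

    Returns (listed, slow): zones that answered "listed" in time, and zones
    that had not answered when the budget ran out (treated as not listed).
    """
    pool = ThreadPoolExecutor(max_workers=max(1, len(zones)))
    futures = {pool.submit(resolver, dnsbl_name(ip, z)): z for z in zones}
    done, pending = wait(futures, timeout=budget)
    pool.shutdown(wait=False, cancel_futures=True)  # do not block on stragglers
    listed = sorted(futures[f] for f in done if f.exception() is None and f.result())
    return listed, sorted(futures[f] for f in pending)

def stub_resolver(name):
    """Constructed stand-in for DNS so the demo runs offline."""
    if name.endswith(".cn.countries.nerd.dk"):
        time.sleep(1.0)  # simulate one unresponsive DNSBL
    return name.endswith((".ru.countries.nerd.dk", ".cn.countries.nerd.dk"))

if __name__ == "__main__":
    zones = ["cn.countries.nerd.dk", "ru.countries.nerd.dk", "jp.countries.nerd.dk"]
    print(dnsbl_name("192.0.2.10", zones[0]))
    print(check_zones("192.0.2.10", zones, resolver=stub_resolver, budget=0.2))
```

Zones that land in the `slow` list are the ones stretching connection time; logging them shows which DNSBL to drop or move to a faster resolver.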
As a test, I’ve put the following DNSBLs on a production server for one minute on a system that has 2500 active mailboxes:
- cn.countries.nerd.dk
- ru.countries.nerd.dk
- jp.countries.nerd.dk
- ua.countries.nerd.dk
- br.countries.nerd.dk
- tr.countries.nerd.dk
- in.countries.nerd.dk
There were 86 connection attempts in one minute out of a total of 1120 connections. Most of the connections were getting blocked by Spamhaus and other DNSBLs; these connections were specifically not caught by our favorite DNSBL.
- 3 from Brazil
- 14 from China
- 4 from India
- 5 from Japan
- 5 from Turkey
- 5 from Ukraine
- 50 from Russia
So adding China and Russia to your DNSBL blocklists should make a difference if you could only pick one or two.
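A per-country tally like the one above can be produced from the MTA log, shown here as an added Python example (not part of the original article). It assumes log lines of the form `<ip> [<ip>] backlisted on server <cc>.countries.nerd.dk.`; the sample lines are constructed with documentation addresses, and `tally` and `share` are hypothetical helper names.

```python
import re
from collections import Counter

# Line format as logged by the MTA (the "backlisted" spelling is the log's own).
LINE_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \[[^\]]*\] backlisted on server "
    r"(?P<cc>[a-z]{2})\.countries\.nerd\.dk\.?$",
    re.IGNORECASE,
)

# Constructed sample lines using documentation addresses, not real log data.
SAMPLE_LOG = """\
192.0.2.10 [192.0.2.10] backlisted on server ru.countries.nerd.dk.
192.0.2.10 [192.0.2.10] backlisted on server ru.countries.nerd.dk.
192.0.2.77 [192.0.2.77] backlisted on server ru.countries.nerd.dk.
198.51.100.5 [198.51.100.5] backlisted on server cn.countries.nerd.dk.
203.0.113.9 [203.0.113.9] backlisted on server Tr.countries.nerd.dk.
203.0.113.50 [203.0.113.50] backlisted on server zen.example.org.
"""

def tally(lines):
    """Return {country: (rejections, distinct source IPs)}, busiest first."""
    hits, sources = Counter(), {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # other DNSBLs and unrelated log lines
        cc = m["cc"].lower()
        hits[cc] += 1
        sources.setdefault(cc, set()).add(m["ip"])
    return {cc: (n, len(sources[cc])) for cc, n in hits.most_common()}

def share(counts, total_connections):
    """Fraction of all connections rejected by the country zones."""
    return sum(n for n, _ in counts.values()) / total_connections

if __name__ == "__main__":
    counts = tally(SAMPLE_LOG.splitlines())
    for cc, (n, ips) in counts.items():
        print(f"{cc}: {n} rejections from {ips} distinct IPs")
    print(f"share of 50 connections: {share(counts, 50):.0%}")
```

Comparing rejections with distinct IPs shows whether a country's volume comes from many hosts or from a few senders retrying.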
Sample log output, filtered on *.countries.nerd.dk (1 minute of logging):