
GeoIP Filtering

Filter and control email based on geographic location using MaxMind GeoIP2 databases.

Overview

GeoIP filtering allows you to:

  • Block or allow email from specific countries
  • Quarantine suspicious emails from high-risk regions
  • Apply different policies based on sender location
  • Monitor geographic patterns in email traffic
  • Combine with other filters for enhanced security

How It Works

Email Connection → Extract Sender IP → GeoIP Database Lookup → Identify Country → Apply Geographic Policy → Action: Allow / Quarantine / Reject

GeoIP Database

MaxMind GeoLite2

Mailborder uses MaxMind's GeoLite2 Country database (free, updated monthly).

Database location:

ls -lh /usr/lib/mailborder/geoip/

Expected files:

GeoLite2-Country.mmdb           # Main database (currently installed)
GeoLite2-Country.tar.gz         # Compressed download
GeoLite2-Country.tar.gz.sha256  # Checksum for verification

Check Current Database

View database info:

sudo mb-geoip-info

Example output:

GeoIP Database Information
==========================
Type: GeoLite2-Country
Build Date: 2025-01-09
Database Age: 4 days
Total Countries: 252
Last Updated: 2025-01-13 02:15:34

Status: UP TO DATE

Update Database

Automatic updates:

Mailborder automatically updates the GeoIP database weekly via mb-cron.

Manual update:

sudo mb-geoip-update

Expected output:

Downloading GeoLite2-Country database...
Download complete: GeoLite2-Country.tar.gz (3.2 MB)
Verifying checksum... OK
Extracting database... OK
Installing GeoLite2-Country.mmdb... OK
Restarting services... OK

Database updated successfully.
Build date: 2025-01-13

MaxMind Account (Optional)

For more frequent updates and access to GeoIP2 Precision databases:

  1. Create free account: https://www.maxmind.com/en/geolite2/signup
  2. Generate license key
  3. Configure Mailborder:
sudo mb-config set geoip.maxmind_account_id YOUR_ACCOUNT_ID
sudo mb-config set geoip.maxmind_license_key YOUR_LICENSE_KEY
sudo mb-config set geoip.auto_update true

Configuration

Enable GeoIP Filtering

Enable GeoIP checking:

sudo mb-config set geoip.enabled true
sudo mb-config reload
sudo systemctl restart mb-filter

Verify it's working:

sudo mb-geoip-test 8.8.8.8

Expected output:

IP Address: 8.8.8.8
Country: United States (US)
Continent: North America (NA)
Registered Country: United States (US)

GeoIP lookup successful.

Default Action

What to do with emails from blocked countries:

# Options: reject, quarantine, tag
sudo mb-config set geoip.default_action quarantine

  • reject - Bounce email back to sender
  • quarantine - Hold for review
  • tag - Add header and deliver (for monitoring)

Scoring Mode

Add to spam score instead of blocking:

sudo mb-config set geoip.scoring_mode true
sudo mb-config set geoip.score_weight 3.0

This adds 3.0 points to the spam score of mail from blocked countries; the message is then judged on the combined total together with the other spam indicators.

Country Lists

Block Countries

Block by country code (ISO 3166-1 alpha-2):

sudo mb-geoip-block add CN  # China
sudo mb-geoip-block add RU  # Russia
sudo mb-geoip-block add KP  # North Korea
sudo mb-geoip-block add IR  # Iran

Block multiple countries:

sudo mb-geoip-block add CN,RU,KP,IR,SY,SD

Common blocked countries (high spam/malware):

# Eastern Europe / Asia
sudo mb-geoip-block add RU,UA,BY,KZ,CN,VN,IN,PK,BD

# Africa
sudo mb-geoip-block add NG,GH,ZA,KE

# Middle East
sudo mb-geoip-block add IR,IQ,SY,YE

View blocked countries:

sudo mb-geoip-block list

Example output:

Blocked Countries:
  CN - China (added 2025-01-10, 234 blocks)
  RU - Russia (added 2025-01-10, 567 blocks)
  KP - North Korea (added 2025-01-10, 2 blocks)
  IR - Iran (added 2025-01-10, 45 blocks)
  NG - Nigeria (added 2025-01-11, 123 blocks)

Total: 5 countries blocked

Allow Countries (Whitelist)

Allow only specific countries:

# Enable whitelist mode (block all except allowed)
sudo mb-config set geoip.whitelist_mode true

# Allow countries
sudo mb-geoip-allow add US  # United States
sudo mb-geoip-allow add CA  # Canada
sudo mb-geoip-allow add GB  # United Kingdom
sudo mb-geoip-allow add AU  # Australia
sudo mb-geoip-allow add DE  # Germany
sudo mb-geoip-allow add FR  # France

Common allow lists:

North America:

sudo mb-geoip-allow add US,CA,MX

Europe (EU + UK):

sudo mb-geoip-allow add GB,DE,FR,IT,ES,NL,BE,AT,CH,SE,NO,DK,FI,IE,PT,PL,CZ,RO,GR

Asia-Pacific (major economies):

sudo mb-geoip-allow add JP,SG,AU,NZ,KR,TW,HK

Remove from Lists

Remove from block list:

sudo mb-geoip-block remove CN

Remove from allow list:

sudo mb-geoip-allow remove US

Exceptions and Overrides

Whitelist Known Senders

Exempt specific senders from GeoIP filtering:

sudo mb-geoip-exempt add sender@foreign-partner.com
sudo mb-geoip-exempt add @trusted-foreign-domain.com

Exempt by IP address:

sudo mb-geoip-exempt add-ip 203.0.113.50
sudo mb-geoip-exempt add-ip 198.51.100.0/24

List exemptions:

sudo mb-geoip-exempt list

Per-Domain Policies

Apply GeoIP filtering only for specific recipient domains:

sudo mb-geoip-policy add --domain example.com --block CN,RU
sudo mb-geoip-policy add --domain partner.org --allow US,CA,GB

Remove domain policy:

sudo mb-geoip-policy remove example.com

Testing GeoIP Filtering

Test IP Address

Lookup single IP:

sudo mb-geoip-test 203.0.113.50

Example output:

IP Address: 203.0.113.50
Country: China (CN)
Continent: Asia (AS)
City: Shanghai
Time Zone: Asia/Shanghai

Policy Match: BLOCKED (country CN in block list)
Action: QUARANTINE

Test with different actions:

sudo mb-geoip-test 203.0.113.50 --show-policy

Test Email File

Test complete email processing:

sudo mb-geoip-test-email /path/to/email.eml

Example output:

Analyzing email: /path/to/email.eml

Originating IP: 198.51.100.123 (from Received header)
Country: Russia (RU)
Sender: sender@example.ru

GeoIP Policy Evaluation:
  [MATCH] Country RU in block list
  [CHECK] Sender not in exemption list
  [ACTION] QUARANTINE

Verdict: Message would be QUARANTINED due to GeoIP policy
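The "Originating IP ... (from Received header)" line above depends on picking the right hop. Each relay prepends its own Received header, so only the headers written by your own servers can be trusted, and the originating address is the first hop outside them; anything further down was written by the remote side and may be forged. The following Python is an added example of that selection, not Mailborder's code: the trusted relay ranges, the sample message and its header layout are constructed for the illustration.

```python
from __future__ import annotations

import ipaddress
import re
from email import message_from_string
from typing import Optional

# Networks our own MTAs live in (constructed for this example). A Received
# line naming one of these hosts as the "from" side was written by us and can
# be trusted; the hop before it is the first external sender.
TRUSTED_RELAYS = [
    ipaddress.ip_network("192.0.2.0/24"),   # our public MX hosts (example range)
    ipaddress.ip_network("10.0.0.0/8"),     # internal relays
]

# Constructed sample message (not from the page): our MX received it from an
# external MTA, which in turn claims to have received it from a private host.
SAMPLE_EMAIL = """\
Received: from mx1.example.com (mx1.example.com [192.0.2.10])
\tby mail.example.com with ESMTP id abc123; Mon, 13 Jan 2025 14:23:45 +0000
Received: from mail.example.ru (mail.example.ru [198.51.100.123])
\tby mx1.example.com with ESMTPS id def456; Mon, 13 Jan 2025 14:23:44 +0000
Received: from [10.1.2.3] (unknown [10.1.2.3])
\tby mail.example.ru with ESMTPA id ghi789; Mon, 13 Jan 2025 14:23:40 +0000
From: sender@example.ru
To: user@example.com
Subject: constructed test message

body
"""

# The literal address of the "from" host, as the receiving MTA recorded it.
_FROM_IP = re.compile(r"from\s+\S+.*?\[([0-9a-fA-F:.]+)\]", re.DOTALL)


def originating_ip(raw_message: str, trusted_relays=TRUSTED_RELAYS) -> Optional[str]:
    """Walk Received headers newest-first and return the first hop that is not
    one of our own relays. Everything below that hop was written by untrusted
    machines and is ignored, so a forged inner Received line cannot steer the
    country lookup."""
    msg = message_from_string(raw_message)
    for received in msg.get_all("Received", []):
        match = _FROM_IP.search(received)
        if not match:
            continue  # no literal IP recorded for this hop; look one hop further out
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:
            continue
        if any(addr in net for net in trusted_relays):
            continue  # one of ours; the real sender is another hop out
        return str(addr)
    return None  # only internal hops seen: this is where geoip.unknown_action applies


if __name__ == "__main__":
    print("Originating IP:", originating_ip(SAMPLE_EMAIL))
```

For the sample message this returns 198.51.100.123 and never consults the innermost header, even though the 10.1.2.3 it names would fall inside a trusted range; that is the point of stopping at the first external hop.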

Bulk IP Testing

Test multiple IPs:

# Create list
cat > /tmp/ips.txt << EOF
8.8.8.8
1.1.1.1
203.0.113.50
198.51.100.25
EOF

# Test all
sudo mb-geoip-test-bulk /tmp/ips.txt

Geographic Spam Scoring

Scoring by Region

Assign spam scores based on country:

sudo mb-geoip-score set CN 3.0  # China: +3.0 spam score
sudo mb-geoip-score set RU 3.0  # Russia: +3.0
sudo mb-geoip-score set NG 5.0  # Nigeria: +5.0 (higher spam)
sudo mb-geoip-score set IN 2.0  # India: +2.0 (moderate)

View score table:

sudo mb-geoip-score list

Example output:

Country Score Table:
  CN - China      3.0
  RU - Russia     3.0
  NG - Nigeria    5.0
  IN - India      2.0
  VN - Vietnam    2.5

Default score: 0.0

Regional Scoring

Score entire continents:

sudo mb-geoip-score set-continent AS 1.0  # Asia: +1.0
sudo mb-geoip-score set-continent AF 2.0  # Africa: +2.0

Combined Scoring

GeoIP scores combine with spam detection:

Spam Score Calculation:
  Base spam indicators: 4.5
  + GeoIP country score: 3.0 (Russia)
  = Total: 7.5 (triggers quarantine at default threshold 6.0)
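To make the interaction of block lists, exemptions, whitelist mode, two-tier actions and scoring mode concrete, here is an added Python model of the policy evaluation described in the sections above, ending with the 4.5 + 3.0 = 7.5 calculation. It is example code, not Mailborder's implementation: the lookup table stands in for the GeoLite2 database, the precedence between a per-country score and geoip.score_weight is an assumption of the example, and the sample IPs and policy are constructed.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field, replace
from typing import Optional

# Constructed stand-in for the GeoLite2-Country lookup (not real data). In a
# deployment this is geoip2.database.Reader(mmdb_path).country(ip), whose
# response carries .country.iso_code and .continent.code.
GEO_TABLE = {
    "8.8.8.8": ("US", "NA"),
    "203.0.113.50": ("CN", "AS"),
    "203.0.113.75": ("CN", "AS"),
    "198.51.100.25": ("RU", "EU"),
    "198.51.100.200": ("KP", "AS"),
    "192.0.2.7": ("NG", "AF"),
}
# RFC 1918, loopback and link-local. Listed explicitly because the stdlib's
# is_private also flags the RFC 5737 documentation ranges used as samples here.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def lookup_country(ip: str) -> tuple:
    """(country, continent), or (None, None) for private or unmapped addresses."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in PRIVATE_NETS):
        return None, None
    return GEO_TABLE.get(ip, (None, None))


@dataclass
class GeoPolicy:
    """Settings from the page; the precedence rules in evaluate() are this
    example's assumptions, not a description of Mailborder internals."""
    block: dict = field(default_factory=dict)   # country -> action, None = default_action (two-tier)
    allow: set = field(default_factory=set)     # consulted only in whitelist_mode
    whitelist_mode: bool = False
    default_action: str = "quarantine"          # geoip.default_action
    unknown_action: str = "allow"               # geoip.unknown_action
    scoring_mode: bool = False                  # geoip.scoring_mode
    score_weight: float = 3.0                   # geoip.score_weight: listed countries without a set score
    country_scores: dict = field(default_factory=dict)    # mb-geoip-score set
    continent_scores: dict = field(default_factory=dict)  # mb-geoip-score set-continent
    spam_threshold: float = 6.0
    exempt_senders: set = field(default_factory=set)      # "user@host" or "@domain"
    exempt_networks: list = field(default_factory=list)   # ip_network objects


def exemption_reason(policy: GeoPolicy, sender: str, ip: str) -> Optional[str]:
    sender = sender.lower()
    if sender in policy.exempt_senders or "@" + sender.rpartition("@")[2] in policy.exempt_senders:
        return "sender-whitelist"
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in policy.exempt_networks):
        return "ip-whitelist"
    return None


def evaluate(policy: GeoPolicy, ip: str, sender: str, base_spam_score: float = 0.0) -> dict:
    """Decide what the GeoIP layer does with one message."""
    country, continent = lookup_country(ip)
    verdict = {"ip": ip, "country": country, "action": "allow", "reason": "", "score": base_spam_score}
    reason = exemption_reason(policy, sender, ip)
    if reason:                       # exemptions win over every other rule
        verdict["reason"] = reason
        return verdict
    if country is None:              # private or unmapped address
        verdict.update(action=policy.unknown_action, reason="no country assignment")
        return verdict
    if policy.whitelist_mode:
        listed = country not in policy.allow
        action, reason = policy.default_action, f"country {country} not in allow list"
    else:
        listed = country in policy.block
        action, reason = policy.block.get(country) or policy.default_action, f"country {country} in block list"
    if policy.scoring_mode:
        # Score instead of blocking: explicit country score, else the generic
        # weight for listed countries, plus any continent score, then compare
        # the combined total with the spam threshold.
        country_pts = policy.country_scores.get(country, policy.score_weight if listed else 0.0)
        geo = country_pts + policy.continent_scores.get(continent, 0.0)
        total = base_spam_score + geo
        verdict.update(score=total, reason=f"geoip +{geo:.1f}",
                       action="quarantine" if total >= policy.spam_threshold else "allow")
        return verdict
    if listed:
        verdict.update(action=action, reason=reason)
    return verdict


# Constructed policy resembling the page's examples.
POLICY = GeoPolicy(
    block={"CN": None, "RU": None, "NG": None, "KP": "reject", "IR": "reject"},
    exempt_senders={"partner@trusted.cn", "@foreign-partner.com"},
    exempt_networks=[ipaddress.ip_network("192.0.2.0/24")],
    country_scores={"CN": 3.0, "RU": 3.0, "NG": 5.0},
    continent_scores={"AS": 1.0},
)
```

With `replace(POLICY, scoring_mode=True)`, a Russian sender carrying a base spam score of 4.5 ends at 7.5 and is quarantined, exactly the calculation shown above, while the same policy in blocking mode quarantines CN and RU, rejects KP and IR, and lets an exempted partner through regardless of country.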

Monitoring GeoIP Activity

Statistics

View GeoIP statistics:

sudo mb-geoip-stats

Example output:

GeoIP Statistics (Last 30 days)
================================

Top Countries (by volume):
  1. US (United States)      45,234 (68.2%)
  2. CA (Canada)              8,123 (12.3%)
  3. GB (United Kingdom)      4,567 (6.9%)
  4. CN (China)               2,890 (4.4%) - BLOCKED
  5. RU (Russia)              1,234 (1.9%) - BLOCKED

Blocked by GeoIP: 4,589 (6.9%)
Quarantined by GeoIP: 3,245 (4.9%)
Exempted: 234 (0.4%)

Statistics by country:

sudo mb-geoip-stats --country CN

Example output:

China (CN) Statistics
=====================
Total emails: 2,890
Blocked: 2,345 (81.1%)
Quarantined: 434 (15.0%)
Delivered (exempted): 111 (3.8%)

Top senders from CN:
  sender1@example.cn - 234 (exempted)
  sender2@spam.cn - 567 (blocked)
  sender3@phish.cn - 123 (blocked)

Real-time Monitoring

Watch GeoIP blocks:

sudo tail -f /var/log/mailborder/geoip.log

Example log entries:

2025-01-13 14:23:45 [BLOCK] IP=203.0.113.50 Country=CN From=spam@example.cn To=user@example.com Action=QUARANTINE
2025-01-13 14:24:12 [BLOCK] IP=198.51.100.25 Country=RU From=phish@example.ru To=victim@example.com Action=REJECT
2025-01-13 14:25:03 [EXEMPT] IP=203.0.113.75 Country=CN From=partner@trusted.cn To=sales@example.com Reason=sender-whitelist
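The log lines above use a stable key=value layout, so the per-country and per-outcome counts that mb-geoip-stats reports, and the recipient lookup used under Troubleshooting, can be reproduced directly from geoip.log. The following is an added Python example, not part of Mailborder: it parses the three entries shown above plus two constructed lines, one of them deliberately malformed, so the summary is seen to survive junk in the log.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# The three entries from the page plus two constructed lines (one extra block
# and one malformed line).
SAMPLE_LOG = """\
2025-01-13 14:23:45 [BLOCK] IP=203.0.113.50 Country=CN From=spam@example.cn To=user@example.com Action=QUARANTINE
2025-01-13 14:24:12 [BLOCK] IP=198.51.100.25 Country=RU From=phish@example.ru To=victim@example.com Action=REJECT
2025-01-13 14:25:03 [EXEMPT] IP=203.0.113.75 Country=CN From=partner@trusted.cn To=sales@example.com Reason=sender-whitelist
2025-01-13 14:26:30 [BLOCK] IP=203.0.113.51 Country=CN From=spam@example.cn To=user@example.com Action=QUARANTINE
this line is not a geoip entry
"""

_LINE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[(?P<event>[A-Z]+)\] (?P<fields>.*)$")


def parse_line(line: str):
    """One log line -> dict with timestamp, event and lower-cased key=value fields; None if malformed."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    entry = {"timestamp": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), "event": m["event"]}
    for token in m["fields"].split():
        key, sep, value = token.partition("=")
        if sep:
            entry[key.lower()] = value
    return entry


def summarize(log_text: str) -> dict:
    """Counts per country and per outcome, plus top senders per country (as mb-geoip-stats shows)."""
    by_country, by_outcome = Counter(), Counter()
    senders = defaultdict(Counter)
    malformed = 0
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            malformed += 1
            continue
        country = entry.get("country", "??")
        by_country[country] += 1
        # BLOCK lines carry Action=...; EXEMPT lines do not, so count the event itself.
        by_outcome[entry.get("action", entry["event"])] += 1
        senders[country][entry.get("from", "?")] += 1
    return {"by_country": by_country, "by_outcome": by_outcome,
            "top_senders": senders, "malformed": malformed}


def blocks_for_recipient(log_text: str, recipient: str) -> list:
    """BLOCK entries addressed to one recipient: the first step when a user
    reports legitimate mail missing (what the grep under Troubleshooting does)."""
    return [e for e in map(parse_line, log_text.splitlines())
            if e and e["event"] == "BLOCK" and e.get("to", "").lower() == recipient.lower()]


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    print("by country:", dict(stats["by_country"]), "by outcome:", dict(stats["by_outcome"]))
    for hit in blocks_for_recipient(SAMPLE_LOG, "user@example.com"):
        print("blocked for user:", hit["ip"], hit["country"], hit["from"], hit["action"])
```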

Filter by country:

sudo grep "Country=CN" /var/log/mailborder/geoip.log | tail -n 50

Daily Reports

Configure daily GeoIP report:

sudo mb-config set geoip.daily_report true
sudo mb-config set geoip.report_email admin@example.com

Manual report:

sudo mb-geoip-report --daily --email admin@example.com

Advanced Configuration

Connection Time Penalties

Slow down connections from blocked countries (teergrubing):

sudo mb-config set geoip.teergrubing true
sudo mb-config set geoip.teergrubing_delay 30  # seconds

This delays SMTP responses, making spam campaigns from those countries less profitable.

Greylisting by Country

Enable greylisting for specific countries:

sudo mb-geoip-greylist add CN,RU,NG

First email from these countries is temporarily rejected; legitimate servers retry.

Two-Tier Filtering

Quarantine from suspicious countries, reject from high-risk:

# Tier 1: Suspicious (quarantine)
sudo mb-geoip-block add CN,RU,IN,VN --action quarantine

# Tier 2: High-risk (reject)
sudo mb-geoip-block add KP,IR,SY --action reject

Time-Based Rules

Block certain countries only during off-hours:

sudo mb-geoip-schedule add CN,RU \
  --block-times "18:00-08:00" \
  --timezone "America/New_York"

Integration with Other Security Layers

GeoIP + SPF/DKIM/DMARC

Require authentication from foreign countries:

sudo mb-policy create geoip-auth

sudo mb-policy rule add geoip-auth \
  --condition "geoip not in US,CA,GB,AU" \
  --action "require spf pass" \
  --action "require dkim pass"

GeoIP + Spam Scoring

Lower spam threshold for blocked countries:

sudo mb-policy create geoip-spam

sudo mb-policy rule add geoip-spam \
  --condition "geoip in CN,RU,NG" \
  --action "set spam threshold 3.0"

GeoIP + Content Filtering

Stricter content filtering for high-risk regions:

sudo mb-policy create geoip-content

sudo mb-policy rule add geoip-content \
  --condition "geoip in CN,RU,KP,IR" \
  --action "reject has-executable" \
  --action "reject has-script" \
  --action "quarantine score > 2.0"

Troubleshooting

GeoIP Lookups Failing

Check database exists:

ls -lh /usr/lib/mailborder/geoip/GeoLite2-Country.mmdb

Test database:

sudo mb-geoip-test 8.8.8.8

Reinstall database:

sudo mb-geoip-update --force

Legitimate Email Blocked

Identify sender IP:

# geoip.log records blocks as "[BLOCK] ... To=<recipient> Action=..."
sudo grep "\[BLOCK\].*To=user@example.com" /var/log/mailborder/geoip.log

Exempt sender:

sudo mb-geoip-exempt add sender@foreign-company.com

Or exempt IP:

sudo mb-geoip-exempt add-ip 203.0.113.50

Can't Determine Country

Some IPs are unassigned or private:

sudo mb-geoip-test 10.0.0.1
# Result: Private IP - no country assignment

Configure handling:

# Options: allow, quarantine, reject
sudo mb-config set geoip.unknown_action allow

Database Out of Date

Check update status:

sudo mb-geoip-info

Force update:

sudo mb-geoip-update --force

Check automatic updates:

sudo systemctl status mb-cron
sudo grep geoip /var/log/mailborder/mb-cron.log

Best Practices

Initial Setup

  1. Start with scoring mode - Monitor before blocking

    sudo mb-config set geoip.scoring_mode true

  2. Review statistics for one week - Identify patterns

    sudo mb-geoip-stats

  3. Implement blocks gradually - Start with obvious spam sources

    sudo mb-geoip-block add KP,IR,SY  # High-risk, low legitimate traffic

  4. Set up exemptions - For known foreign partners

    sudo mb-geoip-exempt add @international-partner.com

Ongoing Maintenance

  1. Review blocks monthly - Check for false positives
  2. Update exemption list - As partnerships change
  3. Monitor statistics - Identify new spam sources
  4. Keep database updated - Weekly automatic updates
  5. Adjust scoring - Based on effectiveness

Balancing Security and Usability

Conservative (fewer false positives):

  • Block only extreme-risk countries (KP, IR, SY)
  • Use scoring mode for others
  • Quarantine instead of reject

Moderate (balanced):

  • Block high-spam countries (CN, RU, NG)
  • Require SPF/DKIM from others
  • Combine with greylisting

Aggressive (maximum protection):

  • Whitelist mode (allow only trusted countries)
  • Reject all others
  • Strict exemption list

Geographic Considerations

International organization:

# Use scoring instead of blocking
sudo mb-config set geoip.scoring_mode true

Domestic-only organization:

# Whitelist mode with home country only
sudo mb-config set geoip.whitelist_mode true
sudo mb-geoip-allow add US

Regional organization:

# Block outside region
sudo mb-geoip-allow add US,CA,MX  # North America
# Or: GB,DE,FR,IT,ES  # Western Europe

Data Retention

GeoIP logs contain:

  • Sender IP addresses
  • Geographic locations
  • Email metadata

Configure retention:

sudo mb-config set geoip.log_retention 90  # days

GDPR Compliance

GeoIP filtering processes personal data (IP addresses). Ensure:

  1. Document in privacy policy - Disclose GeoIP filtering
  2. Legitimate interest - Security is a valid legal basis
  3. Proportional measures - Don't over-block
  4. Regular review - Ensure necessity

False Positive Handling

Provide alternative contact:

sudo mb-config set geoip.reject_message \
  "Email from your country is filtered. Contact security@example.com for assistance."

Country Code Reference

Common country codes (ISO 3166-1 alpha-2):

Code  Country         Notes
US    United States
CA    Canada
GB    United Kingdom
DE    Germany
FR    France
CN    China           High spam volume
RU    Russia          High spam/malware
IN    India           Moderate spam
NG    Nigeria         High phishing
BR    Brazil          Moderate spam
VN    Vietnam         High spam
KP    North Korea     Extreme risk
IR    Iran            Sanctions, high risk
SY    Syria           Conflict zone

Full list: https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2

See Also