When it comes to controlling traffic from our internal network to external servers that offer webmail, such as Gmail or Hotmail, it is not enough to run a couple of DNS queries and block the records returned; we need a complete list of servers.

We will use SPF (Sender Policy Framework), an open standard meant to limit spammers' activity. With SPF, domain admins list which email servers are allowed to send email on behalf of their domain. Servers that receive the emails can then verify whether they come from authorized servers.

This turns out to be very handy for us when implementing filtering rules. Let's say we want to control (block, monitor, or permit) access to Hotmail servers.

First, we get the list of servers we need, which is easily done with nslookup or dig.

Then we create an object-group to simplify working with our ACL:

object-group network hotmail.com
 network-object 209.240.192.0 255.255.224.0
 network-object 65.52.0.0 255.252.0.0
 network-object 131.107.0.0 255.255.0.0
 network-object 157.54.0.0 255.254.0.0
 network-object 157.56.0.0 255.252.0.0
 network-object 157.60.0.0 255.255.0.0
 network-object 167.220.0.0 255.255.0.0
 network-object 204.79.135.0 255.255.255.0
 network-object 204.79.188.0 255.255.255.0
 network-object 204.79.252.0 255.255.255.0
 network-object 207.46.0.0 255.255.0.0
 network-object 199.2.137.0 255.255.255.0
 network-object 199.103.90.0 255.255.254.0
 network-object 204.182.144.0 255.255.255.0
 network-object 204.255.244.0 255.255.254.0
 network-object 206.138.168.0 255.255.248.0
 network-object 64.4.0.0 255.255.192.0
 network-object 65.54.128.0 255.255.128.0
 network-object 207.68.128.0 255.255.192.0
 network-object 207.68.192.0 255.255.240.0
 network-object 207.82.250.0 255.255.254.0
 network-object 207.82.252.0 255.255.254.0
 network-object 209.1.112.0 255.255.254.0
 network-object 209.185.128.0 255.255.254.0
 network-object 209.185.130.0 255.255.254.0
 network-object 209.185.240.0 255.255.252.0
 network-object 216.32.180.0 255.255.252.0
 network-object 216.32.240.0 255.255.252.0
 network-object 216.33.148.0 255.255.252.0
 network-object 216.33.151.0 255.255.255.0
 network-object 216.33.236.0 255.255.252.0
 network-object 216.33.240.0 255.255.252.0
 network-object 216.200.206.0 255.255.255.0
 network-object 204.95.96.0 255.255.240.0
 network-object 65.59.232.0 255.255.254.0
 network-object 65.59.234.0 255.255.255.0
 network-object 209.1.15.0 255.255.255.0
 network-object 64.41.193.0 255.255.255.0
 network-object 216.34.51.0 255.255.255.0
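
The two steps above (read the SPF records, then build the object-group) can be scripted. The following is an added example, not part of the original post: it goes a little further than the text by following include: and redirect= references and merging overlapping ranges. The TXT records are constructed stand-ins for dig output using documentation domains and ranges, and the function names are hypothetical.

```python
import ipaddress

# Constructed TXT records standing in for `dig +short TXT <domain>` output.
# Names and ranges are documentation placeholders, not real provider data.
SAMPLE_TXT = {
    "webmail.example": "v=spf1 include:spf-a.webmail.example include:spf-b.webmail.example ~all",
    "spf-a.webmail.example": "v=spf1 ip4:198.51.100.0/25 ip4:198.51.100.128/25 ip4:192.0.2.10 -all",
    "spf-b.webmail.example": "v=spf1 ip4:203.0.113.0/24 ip4:203.0.113.64/26 include:webmail.example ?all",
}

def collect_ip4(domain, txt, seen=None):
    """Return every ip4 network reachable from the domain's SPF record."""
    seen = set() if seen is None else seen
    if domain in seen:                      # include loops must not recurse forever
        return []
    seen.add(domain)
    record = txt.get(domain, "")
    if not record.lower().startswith("v=spf1"):
        return []
    nets = []
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")          # the qualifier does not matter for enumeration
        name, _, value = term.partition(":")
        if name.lower() == "ip4" and value:
            # A bare address means /32; strict=False tolerates stray host bits.
            nets.append(ipaddress.ip_network(value, strict=False))
        elif name.lower() == "include" and value:
            nets.extend(collect_ip4(value.lower(), txt, seen))
        elif term.lower().startswith("redirect="):
            nets.extend(collect_ip4(term[9:].lower(), txt, seen))
    return nets

def object_group(name, domain, txt):
    """Render the merged ranges as object-group lines in the format shown above."""
    lines = ["object-group network " + name]
    for net in ipaddress.collapse_addresses(collect_ip4(domain, txt)):
        if net.prefixlen == 32:
            lines.append(" network-object host %s" % net.network_address)
        else:
            lines.append(" network-object %s %s" % (net.network_address, net.netmask))
    return "\n".join(lines)

if __name__ == "__main__":
    print(object_group("webmail.example", "webmail.example", SAMPLE_TXT))
```

To use it against live data, replace SAMPLE_TXT with the TXT answers collected by nslookup or dig for the domain and for each domain it includes.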