This PowerShell script will help an Office 365 administrator or Exchange Online administrator block incoming email messages originating from specific countries using data from IPdeny.
About IPdeny country block downloads
IPdeny compiles raw data from regional internet registries and offers free of charge country IP address block downloads. Their country IP zone files can be used to minimize on-line fraud, SPAM, floods, or brute force attacks. This is the source of information my script will use.
About Mail flow rules (transport rules) in Exchange Online
Mail flow rules (also known as transport rules) identify and take action on messages that flow through your Office 365 organization. Mail flow rules take action on messages while they’re in transit before the message is delivered to a mailbox. This is the target that my script will use to create rules using IPdeny data.
About my PowerShell script
This PowerShell script will do the following:
* Log you into your Office 365 Exchange environment
* Download two .tar.gz files from IPdeny.com (IPv4 and IPv6)
* Download a PowerShell function to decompress the .tar.gz files into temporary folders
* Loop through each country file and create a new Transport Rule (New-TransportRule) with country-specific IP ranges

You will end up with about 230 IPv4 and 230 IPv6 new mail flow rules. All rules will be disabled and sorted last in priority. My intention is that you use this script to create the rules, then log on to Office 365 > Exchange admin center > Mail Flow > Rules to enable and change the priority of the newly created rules that interest you. Optionally, my script should be easy enough to modify to automate those tasks as well.
```powershell
# Use IPdeny country blocks to create Office 365 transport rules

# Connect to Office 365 Exchange
# Note: Microsoft has since retired Basic authentication for Exchange Online remote PowerShell;
# on current tenants, connect with Connect-ExchangeOnline (ExchangeOnlineManagement module) instead.
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session

# Create a few Temporary Folders (-Force so a re-run does not fail on existing folders)
$FolderRoot = "c:\temp\ipdeny"
$FolderDownloaded = "$FolderRoot\downloaded"
New-Item -Path $FolderRoot -ItemType directory -Force
New-Item -Path $FolderDownloaded -ItemType directory -Force

# Download IPdeny IPv4 file
$IPv4URL = "https://www.ipdeny.com/ipblocks/data/countries/all-zones.tar.gz"
$IPv4Local = "$FolderDownloaded\ipv4-all-zones.tar.gz"
Invoke-WebRequest $IPv4URL -OutFile $IPv4Local

# Download IPdeny IPv6 file
$IPv6URL = "https://www.ipdeny.com/ipv6/ipaddresses/blocks/ipv6-all-zones.tar.gz"
$IPv6Local = "$FolderDownloaded\ipv6-all-zones.tar.gz"
Invoke-WebRequest $IPv6URL -OutFile $IPv6Local

# Load a function to enable .tar and .gz decompression
# Attribution https://stackoverflow.com/questions/38776137/native-tar-extraction-in-powershell
# Attribution https://www.powershellgallery.com/packages/7Zip4PowerShell/1.8.0
function Expand-Tar($tarFile, $dest) {
    # Install the 7Zip4PowerShell module on first use
    if (-not (Get-Command Expand-7Zip -ErrorAction Ignore)) {
        Install-Package -Scope CurrentUser -Force 7Zip4PowerShell > $null
    }
    Expand-7Zip $tarFile $dest
}

# Decompress .gz files (through Expand-Tar, so the module is installed if it is missing)
Expand-Tar $IPv4Local $FolderDownloaded
Expand-Tar $IPv6Local $FolderDownloaded

# Decompress .tar files
Expand-Tar "$FolderDownloaded\ipv4-all-zones.tar" "$FolderDownloaded\ipv4"
Expand-Tar "$FolderDownloaded\ipv6-all-zones.tar" "$FolderDownloaded\ipv6"

# Delete .tar files
Remove-Item "$FolderDownloaded\ipv4-all-zones.tar"
Remove-Item "$FolderDownloaded\ipv6-all-zones.tar"

# Note new IPv4 and IPv6 folders
$IPv4Folder = "$FolderDownloaded\ipv4"
$IPv6Folder = "$FolderDownloaded\ipv6"

# Note new IPv4 and IPv6 files
$IPv4Files = Get-ChildItem $IPv4Folder
$IPv6Files = Get-ChildItem $IPv6Folder

# Uncomment if you want to test a smaller sample size
# $IPv4Files = Get-ChildItem $IPv4Folder | Select -First 5
# $IPv6Files = Get-ChildItem $IPv6Folder | Select -First 5

# Loop: Create an Office 365 Transport Rule to block IPv4 addresses for each country .zone file
foreach ($IPv4File in $IPv4Files) {

    # Null all previous variables
    $Comments = $null
    $CountIPs = $null
    $CountryName = $null
    $Date = $null
    $Enabled = $null
    $Mode = $null
    $Name = $null
    $Quarantine = $null
    $RuleErrorAction = $null
    $SenderAddressLocation = $null
    $SenderIpRanges = $null
    $StopRuleProcessing = $null

    # Set fixed variables
    $Enabled = $False
    $Mode = "Enforce"
    $Quarantine = $True
    $RuleErrorAction = "Ignore"
    $SenderAddressLocation = "Header"
    $StopRuleProcessing = $True

    # Set dynamic variables (FullName avoids depending on how a FileInfo converts to a string)
    $Date = Get-Date
    $SenderIpRanges = Get-Content $IPv4File.FullName
    $CountIPs = ($SenderIpRanges | Measure-Object).Count
    $Comments = "$CountIPs IPv4 country addresses imported from ipdeny.com ($Date)"
    $CountryName = $IPv4File.Name.Trim().ToUpper().Replace(".ZONE","")
    $Name = "Block-IPdeny-IPv4-$CountryName"

    # Report on screen
    Write-Host "----------------------------------------"
    Write-Host "       File:" $IPv4File.Name
    Write-Host "   Comments:" $Comments
    Write-Host "CountryName:" $CountryName
    Write-Host "       Name:" $Name
    Write-Host "NumberOfIPs:" $CountIPs
    Write-Host "IPv4 Ranges:" $SenderIpRanges

    # Remove existing rule (error will display if the rule does not exist, which is okay)
    Remove-TransportRule $Name -Confirm:$False

    # Create New Rule
    New-TransportRule -Comments $Comments -Enabled $Enabled -Mode $Mode -Name $Name -Quarantine $Quarantine -RuleErrorAction $RuleErrorAction -SenderAddressLocation $SenderAddressLocation -SenderIpRanges $SenderIpRanges -StopRuleProcessing $StopRuleProcessing
}

# Loop: Create an Office 365 Transport Rule to block IPv6 addresses for each country .zone file
foreach ($IPv6File in $IPv6Files) {

    # Null all previous variables
    $Comments = $null
    $CountIPs = $null
    $CountryName = $null
    $Date = $null
    $Enabled = $null
    $Mode = $null
    $Name = $null
    $Quarantine = $null
    $RuleErrorAction = $null
    $SenderAddressLocation = $null
    $SenderIpRanges = $null
    $StopRuleProcessing = $null

    # Set fixed variables
    $Enabled = $False
    $Mode = "Enforce"
    $Quarantine = $True
    $RuleErrorAction = "Ignore"
    $SenderAddressLocation = "Header"
    $StopRuleProcessing = $True

    # Set dynamic variables (FullName avoids depending on how a FileInfo converts to a string)
    $Date = Get-Date
    $SenderIpRanges = Get-Content $IPv6File.FullName
    $CountIPs = ($SenderIpRanges | Measure-Object).Count
    $Comments = "$CountIPs IPv6 country addresses imported from ipdeny.com ($Date)"
    $CountryName = $IPv6File.Name.Trim().ToUpper().Replace(".ZONE","")
    $Name = "Block-IPdeny-IPv6-$CountryName"

    # Report on screen
    Write-Host "----------------------------------------"
    Write-Host "       File:" $IPv6File.Name
    Write-Host "   Comments:" $Comments
    Write-Host "CountryName:" $CountryName
    Write-Host "       Name:" $Name
    Write-Host "NumberOfIPs:" $CountIPs
    Write-Host "IPv6 Ranges:" $SenderIpRanges

    # Remove existing rule (error will display if the rule does not exist, which is okay)
    Remove-TransportRule $Name -Confirm:$False

    # Create New Rule
    New-TransportRule -Comments $Comments -Enabled $Enabled -Mode $Mode -Name $Name -Quarantine $Quarantine -RuleErrorAction $RuleErrorAction -SenderAddressLocation $SenderAddressLocation -SenderIpRanges $SenderIpRanges -StopRuleProcessing $StopRuleProcessing
}
```
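The script passes each downloaded zone file straight to New-TransportRule, so a gate like the following can check a file's contents first. This is an added example, not part of the original script: the function name Test-IPdenyZoneFile, its parameters and the two prefix floors are assumptions, and the sample file is constructed for the demonstration.

```powershell
# Added example: validate a country .zone file before its lines become -SenderIpRanges.
# Test-IPdenyZoneFile and its parameters are hypothetical names, not part of the script above.
function Test-IPdenyZoneFile {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed sanity floors: a range broader than these is treated as suspect
        [int] $MinPrefixV4 = 8,
        [int] $MinPrefixV6 = 16
    )
    $Lines = @(Get-Content -Path $Path | ForEach-Object { $_.Trim() } | Where-Object { $_ -ne "" })
    $Rejected = @()
    foreach ($Line in $Lines) {
        $Ok = $false
        $Parts = $Line -split "/"
        $Address = $null
        $Prefix = 0
        if ($Parts.Count -eq 2 -and
            [System.Net.IPAddress]::TryParse($Parts[0], [ref] $Address) -and
            [int]::TryParse($Parts[1], [ref] $Prefix)) {
            if ($Address.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork) {
                # TryParse accepts short forms such as "1.2"; insist on a dotted quad
                $Ok = ($Parts[0] -match '^\d{1,3}(\.\d{1,3}){3}$') -and $Prefix -ge $MinPrefixV4 -and $Prefix -le 32
            } else {
                $Ok = $Prefix -ge $MinPrefixV6 -and $Prefix -le 128
            }
        }
        if (-not $Ok) { $Rejected += $Line }
    }
    [pscustomobject]@{
        File     = $Path
        Total    = $Lines.Count
        Rejected = $Rejected
        # An empty file or any rejected line makes the whole file unusable
        Usable   = ($Lines.Count -gt 0 -and $Rejected.Count -eq 0)
    }
}

# Constructed sample input: two valid ranges, one over-broad range, one malformed line
$Sample = Join-Path ([System.IO.Path]::GetTempPath()) "xx-sample.zone"
Set-Content -Path $Sample -Value "192.0.2.0/24", "2001:db8::/32", "0.0.0.0/0", "198.51.100.0/33x"
Test-IPdenyZoneFile -Path $Sample | Format-List
Remove-Item $Sample
```

Inside either foreach loop, a file whose result has Usable set to $False can be skipped with continue before the existing rule is removed, so a bad download never replaces a working rule.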
Screenshot of Result
The result in Office 365 > Exchange admin center > Mail Flow > Rules will look like this. Note that I imported only a few IPv4 and IPv6 rules (an option in my script). By default, my script will create about 460 new rules; two for each country (IPv4 and IPv6).
Note that all an Exchange Online admin has to do at this point is to Prioritize and Enable the rules for the countries they wish to block. Each rule is named by the country’s two-character abbreviation and each Rule Comment tells you how many IP blocks were imported and when.
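The prioritize-and-enable step described above can also be scripted. The following is an added example, not the author's code: it assumes a connected Exchange Online session, rules named as the script names them, placeholder country codes, and a trial run in Audit mode before switching to Enforce.

```powershell
# Added example: enable and prioritize the IPdeny rules for selected countries.
# Variable names and values here are assumptions for illustration.
$CountryCodes  = @("XX", "YY")   # placeholder two-letter codes; replace with your own choices
$FirstPriority = 0               # assumption: these rules should be evaluated before all others
$Mode          = "Audit"         # log matches without acting; set to "Enforce" after review

$Priority = $FirstPriority
foreach ($Code in $CountryCodes) {
    foreach ($Family in "IPv4", "IPv6") {
        $RuleName = "Block-IPdeny-$Family-$($Code.ToUpper())"

        # Skip codes for which the import script created no rule
        $Rule = Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue
        if (-not $Rule) {
            Write-Warning "Rule '$RuleName' not found; run the import script first."
            continue
        }

        Set-TransportRule -Identity $RuleName -Priority $Priority -Mode $Mode
        Enable-TransportRule -Identity $RuleName
        $Priority++
    }
}

# Confirm the outcome
Get-TransportRule | Where-Object { $_.Name -like "Block-IPdeny-*" } |
    Sort-Object Priority | Format-Table Name, State, Mode, Priority
```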
You may re-run this script any time. It will delete existing Rules and create new ones with the updated data from IPdeny.
I hope someone finds this PowerShell script for Office 365 Exchange Online and IPdeny helpful.