Blocking Access and Emails from Certain Countries

MattDPenn
Contributor II

Greetings all,

We're starting to see an uptick in phishing attempts and we know the IP address of some of the attempts are coming directly from a certain country (coughrussiacough). Is blocking the IP ranges associated with that country pretty much all I can do, or is there a better way of trying to block emails? I know as far as user logins I can set up Context Aware and it looks like I should just be able to simply exclude said country, but I assume that only extends to logins and not so much email. I'm sure they can VPN around it if they really want to get sophisticated, but we figure implementing at least baseline blocks ought to be a no-brainer.

As far as I'm aware nothing we use pulls data from there. We do need to potentially have a talk with the district that handles the main level firewall and double check what exactly they're doing on that front. We're still learning the ins and outs of what we can do with our Education Plus licensing.


ddelboccio
Contributor III

You are correct, Context Aware Access restricts where your users can log in and access products.

I think IP address blocking might be your best bet, if you have solid addresses.

I'd even be willing to know them if you are willing to share.


I think they've changed a bit on what they offer for 'free' these days, but there are online databases for such things. (Re: IP location database)


Here's one I used to use https://lite.ip2location.com/?lang=en_US


https://www.ip2location.com/free/visitor-blocker

In the latest instance it appears to be

45.84.128.*

45.84.129.*

But even the message ID has the .ru domain in it which is probably another low hanging fruit to block. Email domain is allegedly my.com

I think I'm just surprised that, at least at a glance, email blocking doesn't have similar geo blocking tools as user access.

JimmyR
New Contributor III

We use Zix for other reasons, but I have been able to use their geoblocking capabilities, which has greatly cut down on issues. However, it definitely would be really nice if geoblocking was included in the admin console!! Prior to Zix we used to use compliance rules for various country domains, but there were holes in that process.

jwhitford
New Contributor

We use a Content Compliance Rule that quarantines any email that comes in from specific top level domains that are typically used for malicious activity. This can be but isn't limited to country top level domains. Create a rule, Inbound, If any of the following match the message, add a setting, advanced content match, location Full headers, matches regex, use the regex below as your template, save and then decide how you want to handle those messages. You can add as many regex expressions as you need.

[\w.+\-]{0,50}\.xyz(\W|$)

The .xyz is the top level domain you want to block. Just replace that with the domain you want to control.

Hope this helps give you another option.

So in place of ".xyz" you would enter ".my.com" (no quotes for either)?


I've only used it for things like .ws (for Samoa) and .ph (for the Philippines). If you use .my.com, you might catch .com. You can test it; the emails will just go into quarantine, and you can easily release them. Hope this helps.
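Before pointing a Content Compliance rule at live mail it is worth checking what the regex template above actually hits. The following script is an added example, not from this thread or from Google: it builds the template for a given suffix (escaping the dots so a two-label suffix such as my.com stays literal, which is the .my.com question above), then runs it over a constructed set of headers the way a "Full headers" match would. The constructs used (\w, \W, {0,50}, $) are assumed to behave the same in Python's re as in the RE2-style matcher of the Admin console; the hosts and addresses are made up.

```python
from __future__ import annotations
import re

# Template from the reply above: [\w.+\-]{0,50}\.xyz(\W|$)
# Split into the two halves that surround the TLD / domain suffix.
TEMPLATE_PREFIX = r"[\w.+\-]{0,50}\."
TEMPLATE_SUFFIX = r"(\W|$)"


def build_pattern(suffix: str) -> re.Pattern:
    """Build the rule regex for a TLD ('xyz', 'ru') or a longer suffix ('my.com').

    re.escape keeps every dot literal, so 'my.com' cannot match 'myXcom'
    and, unlike a bare 'com' rule, does not catch every .com sender.
    """
    suffix = suffix.lstrip(".")  # accept '.xyz' as well as 'xyz'
    return re.compile(TEMPLATE_PREFIX + re.escape(suffix) + TEMPLATE_SUFFIX)


def matching_headers(raw_headers: str, suffix: str) -> list[str]:
    """Return the header lines a 'Full headers' match would hit for this suffix."""
    pattern = build_pattern(suffix)
    return [line for line in raw_headers.splitlines() if pattern.search(line)]


# Constructed sample headers (hypothetical hosts/addresses, not a real message).
# Domain names are case-insensitive; the sample is kept lowercase.
# Note the Subject line: a bare mention of "report.ru" also matches, because
# the rule scans every header, so expect some false positives in quarantine.
SAMPLE_HEADERS = """\
Received: from mail.example.my.com (mail.example.my.com [203.0.113.7])
From: "Accounts" <billing@example.my.com>
Message-ID: <20240101.abc123@mx.example.ru>
Reply-To: helpdesk@example.com
Subject: Re: report.ru upload
"""

if __name__ == "__main__":
    for suffix in ("my.com", "ru", "xyz"):
        print(f"--- rule for .{suffix}: {build_pattern(suffix).pattern}")
        for line in matching_headers(SAMPLE_HEADERS, suffix):
            print("  would match:", line)
```

Running it shows that a .my.com rule hits only the two my.com headers and leaves the plain example.com Reply-To alone, while a .ru rule catches the Message-ID domain (as noted earlier in the thread) and also the harmless Subject mention.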

Kim_Nilsson
Admin Moderator

Just a quick clarification.

Context Aware Access (CAA) does NOT restrict where or when your users can log in.

CAA restricts access to services, not access to accounts. So users can log in, but they can't use Google's services, like Drive, Gmail and so forth. Also, to my knowledge CAA does not restrict access to third-party OAuth connected services, but it does restrict access to third-party SAML connected services.

You can read about that here.

--
https://wheretofind.me/@NoSubstitute

zacariaschueren
New Contributor

Have the email session to pay me.