One of my clients is a large computer security software
company. According to them, it's not just crypto export rules that are
the concern, but also the ITAR countries (N. Korea, Lybia, Cuba, ...). As
well they are concerned about liabilities in countries like France where
it is illegal to import crypto so they want to restrict people from
You're trying to solve the wrong problem. Since you have a legal
requirement that would be violated by sending stuff to a bad place, you
should only send it to a known good place.
Therefore, instead of trying to identify the bad places to block them, you
should be trying to identify the good places that should be allowed
access. If someone from a good place can't get in, then give them a web
page to register a complaint and check it out manually if you think it is
worth your while.