One of my clients is a large computer security software company. According to them, it's not just crypto export rules that are the concern, but also the ITAR countries (N. Korea, Lybia, Cuba, ...). As well they are concerned about liabilities in countries like France where it is illegal to import crypto so they want to restrict people from France too.
You're trying to solve the wrong problem. Since you have a legal requirement that would be violated by sending stuff to a bad place, you should only send it to a known good place. Therefore, instead of trying to identify the bad places to block them, you should be trying to identify the good places that should be allowed access. If someone from a good place can't get in, then give them a web page to register a complaint and check it out manually if you think it is worth your while. Michael Dillon