How to Stop Spam Condoning Countries
With Regular Expression Filters in cPanel.
  
Or
How To Leverage Foreign Email Servers To Encourage Their Government To Discourage Spam Condoning IPs.
 
Since there is no necessity to continually update the filters it might impart a sense of urgency on the abuse enabling country to clean up their internet providers.  

On going: Ticket ID: JKM-13297987  and  Ticket ID: KAI-13229733
New England Primer Home School Textbook.
Go to LIST.
 
Abstract:  April 2010
     Over 16 years of parasitic spam is easily logged and shown to be 20% unproductive and waisted time (2,000 hours in just the first 5 years of email).  But now comes cPanel with powerful Regular Expression Filters for blocking email spam.
      This page is to demonstrate comprehensive due diligence at accomplishing the goal of successful implementation of Regular Expression Filters; and also, to make a log of the efforts, i.e. a punch list for reaching the goal of maximum spam control.  It is hoped that by breaking the problem into smaller parts it will be easier to identify the failures and particularly any substantial time delays due to all parties and products involved.  Nearly all of the information on this page has been learned over a long time with research and tech support; but as, you can see it is such a complicated issue a better method than email documents is required hence this html page.
        This method works on shared web hosting accounts using CPanel.

   Edits to each major part of this page will be dated and magenta colored to journal the steps to success.
PART 1 of 4:  The constraints and the goals.  (Philosophy.)

Justification for Regular Expression Filters on Non English Speaking Top Level IPs.
[] hostgator.com [] (web host - opens in a new window.) which uses 
[] esmtp (Exim 4.69) [] email software and  
[] cPanel [] (web site control panel and email filtering software), 
The FL State Consumers Protection laws. (A recent spam seemed to have come from Miami, FL.)  File a complaint to the FL. Attorney General .  Of course any of the other US states Attorney Generals with jurisdiction could also be contacted.
The Federal Trade Commission [] FTC [] ( The gov agency responsible for spam control in the USA .)  
 The Federal Bureau of Investigation [] FBI []   ( The gov agency responsible for malicious DDoS (Distributed Denial of Service) crimes in the USA .)
Therefore, the goal is to identify the Top Level spamming IPs and its country of registration and then block all of their business enterprises which might generate a small amount of commercial concern to create an incentive to clean up the spammers.
   
Are There Any Consequences To Blocking The
Offending Domain & Country From My Email Server?

      The following quote is from the SPAM or UCE web page; specifically, the "complain to" paragraph with my comments & answers in Magenta.

Positive Aspects
  • You can be fairly assured that you won't receive e-mail from that site.  or country. Excellent!
  • The offending site will eventually get the idea that most people aren't interested in this sort of activity and cease it's actions.  Excellent!
  •  If USA IPs are involved simple abuse emails and/or follow-up inquiries have a good chance of success because continued abuse can be filed with the appropriate US gov agency(ies) i.e. FTC (http://ftc.gov/spam).  
  • Publication of Regular Expression Filters,which prevent abusive spam, even filters that are independent of any web site administration software, is a desirable, high quality marketing incentive for email servers and hosting companies to freely use, market and distribute.  Would not market saturation of Reg Ex Filters terminate spam?
Negative Aspects
  • If this is a Top Level IP site that hosts both private and business accounts, you will not be able to communicate with anyone on that site.  My Regular Expression Filters are specifically designed to filter foreign countries &/or non English language IPs  - Excellent!
  • The Spammer site administrator might take blocking mail as a sign of aggression and attempt one of many possible offensive actions against your e-mail or (y)our site.  Probably the worst case scenario would be DDoS (Distributed Denial of Service) crime(s).  But my site is so small and insignificant that it would be a waste of the spammer's time and effort and expose the Spammer-Criminal to detection and arrest.   If DDoS (Distributed Denial of Service) crimes were initiated the FBI or/and the FTC Agencies might want to initiate international investigation(s), arrests and convictions. Excellent!  
  • The DDoS (Distributed Denial of Service) prevention technology exists and has been around since 2001 to prevent the DoS attack see:
    • A decade on from the ILOVEYOU bug   ;  (A current news article.)
    • Ref:  Original DDoS Report  132k PDF file of the first DDoS attack. On May 4th, 2001, by Steve Gibson and The grc.com web site. http://www.grc.com/sn/sn-008.pdf   ;  (A journal of one of the first DDos attacks that led to prevention, investigation, and perhaps arrest and conviction.)
    • Ref:  DRDoS Attack Report  214k PDF file of the DRDoS attack web page. On January 11th, 2002, by Steve Gibson and The grc.com web site.  h.ttp://www.grc.com/files/drdos.pdf  ;  (Another attack on the same site!  And how Mr. Gibson responded.) [10/18/10 404 Error so check this grc menu:for reports. ]
 
       For the blog of tech support emails on Part 1 of 4 ,see:  IP-FiltersRegExBLOG.html#Blog1 .
 


PART 2 of 4:  Verify The IPs Geo Locations of Registration For Jurisdiction.

 Verify the Locations of the Foreign IPs.
     FireFox:   highlight an IP  below without the brackets and click this FF=Geo IP link to open a map showing the IP: city and country of registration.    
     Internet Explorer:  highlight an IP  below without the brackets and click this link: IE=Geo-IP

l
List of Good IPs List of Bad or Foreign IPs
     This is the list of IPs that are under USA regulation or are granted exception based on national language, authority or locality.      This list is a personal collection of IPs that have been collected from spam headers over an unknown period of time.
(34ea +/-)
[9.0.0.0]KS USA
[63.0.0.0] US [64.0.0.0] [65.0.0.0] [66.0.0.0] [67.0.0.0] [68.0.0.0] [69.0.0.0]
[70.0.0.0] US [71.0.0.0] [72.0.0.0] [73.0.0.0] [74.0.0.0] [75.0.0.0] US  [76.0.0.0]
[97.0.0.0] US [99.0.0.0] US
[110.0.0.0] AU [111.0.0.0] AU = TW
[130.0.0.0] [140.0.0.0]
[160.0.0.0] NY
[172.0.0.0] USA [173.0.0.0] Hi ? [174.0.0.0] CA
[192.0.0.0]TX USA
[204.0.0.0] US [205.0.0.0] US [206.0.0.0] US [207.0.0.0] US
[209.0.0.0] US
[214.0.0.0] US [215.0.0.0] US [216.0.0.0] US  34 ea.

      The reason for listing the "Good" IPs here is that a future Reg. Ex. Filter might be designed to Allow only eMail from the "Good" IPs and Trashing all others.  However the purpose of this page is to eliminate the "Bad" IPs and to get Reg Ex Filters working in cPanel..



6/14/11 Quick count of "Good"(34 ea.) vs "Bad" (96 ea.) suggests changing to an Allow filter instead of the Rejection filter.
1/24/11 Pending: move of  "[98.0.0.0] US" to "Bad" side b/c of email hijacking and spam from 98.139.91.82 (Yahoo). 		(96 ea +/-)
[1.0.0.0] vn
[41.0.0.0] [46.0.0.0] [58.0.0.0] [59.0.0.0]
[60.0.0.0]Korea [61.0.0.0]DE  [62.0.0.0] FOREIGN
[77.0.0.0] RU, LT, DE  [78.0.0.0] [79.0.0.0]
[80.0.0.0] [81.0.0.0] [82.0.0.0] [83.0.0.0] [84.0.0.0] [85.0.0.0] [86.0.0.0]UK [87.0.0.0] [88.0.0.0] [89.0.0.0] 89.0.0.0 Israel
[90.0.0.0] [91.0.0.0] [92.0.0.0] [93.0.0.0]  [94.0.0.0] [95.0.0.0]  [96.0.0.0]
[100.0.0.0]  [101.0.0.0] [102.0.0.0] [103.0.0.0] [104.0.0.0]  [105.0.0.0] [106.0.0.0] [107.0.0.0] [108.0.0.0] [109.0.0.0]
[110.0.0.0] [111.0.0.0] [112.0.0.0] [113.0.0.0] [114.0.0.0] [115.0.0.0] [116.0.0.0]  [117.0.0.0] [118.0.0.0]  [119.0.0.0]
[120.0.0.0] [121.0.0.0] [122.0.0.0] [123.0.0.0] [124.0.0.0] [125.0.0.0]
[150.0.0.0] [151.59.46.21]
[165.0.0.0] [168.0.0.0]
[171.0.0.0] [178.0.0.0]
[180.0.0.0] [182.0.0.0] [183.0.0.0] [184.0.0.0]=votervoice? amazon? [185.0.0.0]  [186.0.0.0] [187.0.0.0] [188.0.0.0] [189.0.0.0]
[190.0.0.0] [193.0.0.0] [194.0.0.0] [195.0.0.0] [196.0.0.0] [197.0.0.0]  [198.0.0.0]
[200.0.0.0] [201.0.0.0.] [202.0.0.0] [210.0.0.0] [211.0.0.0] [212.0.0.0] [213.0.0.0]
[217.0.0.0]DE  [218.0.0.0] [219.0.0.0]  
[220.0.0.0]JP [221.0.0.0]China FOREIGN [222.0.0.0] [223.0.0.0]  [224.0.0.0]  [225.0.0.0]  [226.0.0.0]  [227.0.0.0]  [228.0.0.0]  [229.0.0.0]
      Total "Bad" IPs = 96 ea.

6.17.10  Added  Class D+E   \\[23[0-9]  \\[24[0-9]  \\[25[0-5]  ; 2.05.11  Added [165.98.179.58] NI, 1.55.41.26 vn , 46.146.84.14 ru , 182.177.183.230  ; 7.2.11  Added  [175.193.21.81 cn , [133.154.197.201 jp, [188.143.232.20 ru,
7.4.11  Pending  [14.(IN) , [31.(NL) , [39.(ID) ,[42.(AU) , [49.(AU) , [153.(CN) , [81. (Sp) ,  [176. (DE) , [49.202.178.185 India , 176.65.164.111 DE , 

Reference:
 Class Address Ranges

Class A - 1.0.0.0 to 126.0.0.0
Class B - 128.0.0.0 to 191.255.0.0
Class C - 192.0.1.0 to 223.255.255.0

Class D* - 224.0.0.0 to 239.255.255.255
Class E* - 240.0.0.0 to 255.255.255.255

   Class A, Class B, and Class C are the three classes of addresses used on IP networks in common practice.

   Class D addresses are reserved for multi cast.
   Class E addresses are simply reserved, meaning they should not be used on IP networks (used on a limited basis by some research organizations for experimental purposes).
 
       For the blog of tech support emails on Part 2 of 4 ,see:  IP-FiltersRegExBLOG.html#Blog2

Resource for tracking US IPs:  The Top 15 IP represent 65% of All US Hosting Companies.  [] ...more?  Click Here. []
Largest US hosting companies.
 

PART 3 of 4:  The Filters.  (Regular Expressions)
 
 Here is an example and proof that the Regular Expression Filter design works as demonstrated on a 3rd party testing site.  See images and referral link below.

  Image # 1. Proves the following Regular Expression Filter WORKS on "BAD" IPs as tested on the regextester.com web site on 4.21.10.  (note the pipe "|" after each IP - means "or".)

 \[6[0-2]|\[7[7-9]|\[8[0-9]|\[9[0-6]|\[10[0-9]|\[11[2-9]|\[12[1-4]|\[15[0-1]|\[168|\[171|\[18[3-9]|\[19[3-8]|\[21[0-3]|\[21[7-9]|\[22[0-9]
        5.13.10 "cPanel" has a proprietary implementation of Regular Expression and needs 4 "escape backslashes"  for every 1 used in regextester.com ,  This is the revised filter:   \\\\[6[0-2]|\\\\[7[7-9]|\\\\[8[0-9]|\\\\[9[0-6]|\\\\[10[0-9]|\\\\[11[2-9]|\\\\[12[1-4]|\\\\[15[0-1]|\\\\[168|\\\\[171|\\\\[18[3-9]|\\\\[19[3-8]|\\\\[21[0-3]|\\\\[21[7-9]|\\\\[22[0-9]
        5.24.10  Added 10 more IPs to "Bad IP" filter.  This is the revised filter: 
\\\\[2\\\\.|\\\\[41|\\\\[58|\\\\[6[0-2]|\\\\[7[7-9]|\\\\[8[0-9]|\\\\[9[0-6]|\\\\[10[0-9]|\\\\[110|\\\\[11[2-9]|\\\\[12[0-5]|\\\\[15[0-1]|\\\\[168|\\\\[17[1,8]|\\\\[18[3-9]|\\\\[19[0,3-8]|\\\\[20[0,2]|\\\\[21[0-3]|\\\\[21[7-9]|\\\\[22[0-9]
06.14.10  Added 3 more IPs to "Bad IP" filter.
01.14.11 added:  to cover IP Classes D and E   |\\\\[23[0-9]|\\\\[24[0-9]|\\\\[25[0-5] to above line. 
02.05.11 Added [165.98.179.58] NI, 1.55.41.26 vn , 46.146.84.14 ru
07.02.11 Added [175 , [133 , ,  to filter line below.
This is the revised filter:
\\\\[1\\\\.|\\\\[2\\\\.|\\\\[4[1,6]|\\\\[5[8,9]|\\\\[6[0-2]|\\\\[7[7-9]|\\\\[8[0-9]|\\\\[9[0-6]|\\\\[10[0-9]|\\\\[11[0-9]|\\\\[12[0-5]|\\\\[13[3]|\\\\[15[0-1]|\\\\[16[5,8]|\\\\[17[1,5,8]|\\\\[18[0,2-9]|\\\\[19[0,3-8]|\\\\[20[0-2]|\\\\[21[0-3]|\\\\[21[7-9]|\\\\[22[0-9]|\\\\[23[0-9]|\\\\[24[0-9]|\\\\[25[0-5]


  Image # 2. Proves the following Regular Expression Filter WORKS on "GOOD" IPs as tested on the regextester.com web site on 4.21.10.  
\[9\.|\[6[]3-9]|\[7[0-6]|\[9[7-9]|\[110|\[111|\[130|\[140|\[160|\[17[2-4]|\[192|\[20[4-7]|\[209|\[21[4-6]
Here are the results of a Regular Expression Filter rule that selects only the BAD IPs. [Image # 1. Bad IPs]
       1.)  The red text indicates that the Reg Ex Filter made a match on all of the IPs listed in the "Test on Text" box.  Notice that the Text box input data included both the "Good" and "Bad" IPs but there were no matches on the "Good" IPs since the filter was designed to match only the "Bad" IPs.
       2.)  In the image note the "Dialect" line where Preg is checked.  This means that it is a "Perl regular Expression" compatible tester which is what the cPanel Reg Ex Filter application requires.
Regular Expression Test for Top Level Spam IPs.  

Image # 1. Bad IPs
Here are the results of a Regular Expression Filter rule that selects only the GOOD IPs.
       The red text indicates that the Reg Ex Filter made a match on all of the IPs listed in the "Test on Text" box.  Notice that the Text box data included the "Bad" IPs but there were no matches since the filter was designed to match "Good" IPs only.  (The reason for listing the "Good" IPs here is that it might be advantageous to design a reverse Reg. Ex. Filter to Allow only eMail from the "Good" IPs and thereby Trashing all others.)
RegExTester.com showing Good IPs

Image # 2. Good IPs
 
       For the blog of tech support emails on Part 3 of 4 ,see:  IP-FiltersRegExBLOG.html#Blog3 .

PART 4 of 4: The Application. (cPanel)cPanel

        5.13.10  This Part 4 will be up dated with the Filter that now works in cPanel see Part 3.   to try different "Actions" to get the optimum results.
      Here is an example of how the Regular Expression Filters are used in the cPanel application - A simplified example: ((\[[0-9]))
 
cPanel Reg Ex Filter setup.
 
       One of the more infuriating exercises with the cPanel application was that as soon as all of the above was accomplished and checked and implemented, then inexplicably it didn't work at all !!  The spam level was the same as before without filters.  Or else it Trashed i.e. Discarded ALL emails such that days might expire without receiving one email good or bad!


       For the blog of tech support emails on Part 4 of 4 ,see:  IP-FiltersRegExBLOG.html#Blog4 .
 

-  Page Publication Date: 03/25/10 -   -
PAGE PATH:
http://neprimer.com   /ePress   /articles  /2010  /IP-FiltersRegEx.html 
----‡----   ----‡----   ----‡----