How to Stop Spam Condoning Countries With Regular Expression Filters in cPanel.


How To Leverage Foreign Email Servers To Encourage Their Government To Discourage Spam Condoning IPs.

Since there is no necessity to continually update the email filters, it might impart a sense of urgency on the abuse-enabling country to clean up their internet providers.

On going: Ticket ID: JKM-13297987  and  Ticket ID: KAI-13229733
Abstract:  April 2010

     In my experience since 1997, i.e. over 16 years, parasitic spam is easily logged and shown to be 20% unproductive and wasted time (2,000 hours in just the first 5 years of email!).  But now web techs have cPanel with powerful Regular Expression Filters for blocking email spam.  For some background in IPv4 addressing and spam see  .
      This page is to demonstrate comprehensive due diligence at accomplishing the goal of successful implementation of Regular Expression Filters; and also, to make a log of the efforts, i.e. a punch list for reaching the goal of maximum spam control.  It is hoped that by breaking the problem into smaller parts it will be easier to identify the failures and particularly any substantial time delays due to all parties and products involved.  Nearly all of the information on this page has been learned over a long time with research and tech support; but, as you can see, it is such a complicated issue that a better method than email documents is required, hence this HTML page.
        This method works on shared web hosting accounts using cPanel, a web site control panel with email filtering software.

   Edits to each major part of this page will be dated and magenta colored to journal the steps to success.
PART 1 of 4:  The constraints and the goals.  (Philosophy.)

Justification for Regular Expression Filters For "Trashing" on Non English Speaking Top Level IPs.
The web host, which uses esmtp (Exim 4.69) email software and cPanel (web site control panel and email filtering software).
The FL State Consumers Protection laws. (A recent spam seemed to have come from Miami, FL.)  File a complaint to the FL. Attorney General .  Of course any of the other US states Attorney Generals with jurisdiction could also be contacted.
The Federal Trade Commission (FTC)  (The gov agency responsible for spam control in the USA.)
The Federal Bureau of Investigation (FBI)  (The gov agency responsible for malicious DDoS (Distributed Denial of Service) crimes in the USA.)
Therefore, the goal is to identify the Top Level spamming IPs and their country of registration, and then block all of their spam, including their honest business enterprises, so that it might generate a small amount of commercial concern and create an incentive for the Top Level IPs to clean up their own hosted spammers.
Are There Any Consequences To Blocking The
Offending Domain & Country From My Email Server?

      The following quote is from the SPAM or UCE web page; specifically, the "complain to" paragraph with my comments & answers in Magenta.

Positive Aspects
  • You can be fairly assured that you won't receive e-mail from that site.  or foreign country. Excellent!
  • The offending site will eventually get the idea that most people aren't interested in this sort of activity and cease its actions.  or clean up their own hosted spammers. Excellent!
  •  If USA IPs are involved simple abuse emails and/or follow-up inquiries have a good chance of success because continued abuse can be filed with the appropriate US gov agency(ies) i.e. FTC (  
  • The publication of Regular Expression Filters, which prevent abusive spam, even these filters that are independent of any web site administration software, is a desirable, high quality marketing incentive for email servers and hosting companies to freely use, and distribute and market.  Would not the market saturation of Reg Ex Filters terminate spam?
Negative Aspects
  • If this is a Top Level IP site that hosts both private and business accounts, you will not be able to communicate with anyone on that site.  My Regular Expression Filters are specifically designed to filter foreign countries &/or non English language IPs  - Excellent!
  • The Spammer site administrator might take blocking mail as a sign of aggression and attempt one of many possible offensive actions against your e-mail or (y)our site.  Probably the worst case scenario would be DDoS (Distributed Denial of Service) crime(s).  But my site is so small and insignificant that it would be a waste of the spammer's time and effort and expose the Spammer-Criminal to detection and arrest.  If DDoS (Distributed Denial of Service) crimes were committed the FBI or/and the FTC Agencies would be interested in a domestic i.e. USA  investigation(s), where prosecutions, arrests and convictions are probable.  Excellent!  
  • The DDoS (Distributed Denial of Service) prevention technology exists and has been around since 2001 to prevent the DoS attack see:
    • A decade on from the ILOVEYOU bug   ;  (A current news article.)
    • Ref:  Original DDoS Report  132k PDF file of the first DDoS attack. On May 4th, 2001, by Steve Gibson and The web site.  (A journal of one of the first DDoS attacks that led to prevention, investigation, and perhaps arrest and conviction.)
    • Ref:  DRDoS Attack Report  214k PDF file of the DRDoS attack web page. On January 11th, 2002, by Steve Gibson and The web site.  (Another attack on the same site!  And how Mr. Gibson responded.) [10/18/10 404 Error, so check this grc menu for these reports.]
       For the blog of tech support emails on Part 1 of 4, see:  IP-FiltersRegExBLOG.html#Blog1 .

PART 2 of 4:  Verify The IPs Geo Locations of Registration For Jurisdiction.

 Verify the Locations of the Foreign IPs.
     FireFox:   highlight an IP  below without the brackets and click this FF=Geo IP link to open a map showing the IP: city and country of registration.    
     Internet Explorer:  highlight an IP  below without the brackets and click this link: IE=Geo-IP

List of Good IPs:
     This is the list of IPs that are under USA regulation or are granted exception based on national language, authority or locality.
List of Bad or/and Foreign IPs:
     This list is a personal collection of IPs that have been collected from spam headers over an unknown period of time.
(34ea +/-)
Total  34 ea.

      The reason for listing the "Good" IPs here is that a future Reg. Ex. Filter might be designed to Allow only eMail from the "Good" IPs and Trash all others.  However, the purpose of this page is to eliminate the "Bad" IPs and to get Reg Ex Filters working in cPanel.

3/8/12  Complete list of USA's IP's here.
6/14/11 Quick count of "Good"(34 ea.) vs "Bad" (96 ea.) suggests changing to an Allow filter instead of the Rejection filter.
1/24/11 Pending: move of  "[] US" to "Bad" side b/c of email hijacking and spam from = Yahoo.

 8/4/16  Two encrypted email services   IP:
London   IP:
Switzerland secure email address    $33/yr.

(96 ea +/-)
      Total "Bad" TLD IPs = 118 ea.  approximately

6/2012+/-  cPanel has updated its Reg. Expressions to normal "single backslash escapes" instead of 4.
6.17.13  Added  [27 (cn), [181 (ar),  [159 Saudi Arabia, [177 Brazil,
7.13.13  Removed
[]   b/c it's a USA machine.
7.21.16  Added  [ (cn), Start another filter for 2nd level foreign DNS'
8.06.16  Added  [] IN+CN

See Also:   Top Spam Senders - McAfee Labs Threat Center Listed by: IP, Hostname, Location, Average Email Volume, Email Reputation

Acc Level filters added 3/31/16.
1.)  www\.google\.com\/url\?|\&yahoo\.com   [New]
2.)   \[1\.|\[2\.|\[5\.|\[14\.|\[2[4,7]\.|\[3 ...    [Existing]
cPanel "IP Deny Manager"     NEW:  Bots'  IPs Blocked from web traffic.
Added:  37.* (.ru), 180.* +5 others; settings are in cPanel "IP Deny Manager" but switched to editing htaccess "deny IP method" instead.
Added: -  country: INDIA  Xeex Communication ; [94. = Fr.

 Class Address Ranges

Class A - to
Class B - to
Class C - to

Class D* - to
Class E* - to

   Class A, Class B, and Class C are the three classes of addresses used on IP networks in common practice.
   Class D addresses are reserved for multicast.
   Class E addresses are simply reserved, meaning they should not be used on IP networks (used on a limited basis by some research organizations for experimental purposes).

Special IP Address Summary Table

Address Block       Present Use
                    "This" Network
                    Private-Use Networks
                    Public-Data Networks
                    Cable Television Networks
                    Reserved, subject to allocation
                    Loopback
                    Reserved, subject to allocation
                    Link Local
                    Private-Use Networks
                    Reserved, subject to allocation
                    Reserved but subject to allocation
                    Test-Net
                    6to4 Relay Anycast
                    Private-Use Networks
                    Network Interconnect Device Benchmark Testing
                    Reserved, subject to allocation
                    Multicast, commonly used in multiplayer simulations and gaming and for video distribution.
                    Reserved for Future Use

       For the blog of tech support emails on Part 2 of 4, see:  IP-FiltersRegExBLOG.html#Blog2

Resource for tracking US IPs:  The Top 15 IP represent 65% of All US Hosting Companies.  

Largest US hosting companies.

PART 3 of 4:  The Filters.  (Regular Expressions)
 Here is an example and proof that the Regular Expression Filter design works as demonstrated on a 3rd party testing site.  See images and referral link below.

  Image # 1. Proves the following Regular Expression Filter WORKS on "BAD" IPs as tested on the web site on 4.21.10.  (note the pipe "|" after each IP - means "or".)


06.14.10  Added 3 more IPs to "Bad IP" filter.
01.14.11 added:  to cover IP Classes D and E   |\\\\[23[0-9]|\\\\[24[0-9]|\\\\[25[0-5] to above line. 
02.05.11 Added [] NI, vn , ru
07.02.11 Added [175 , [133 ,.
06.29.12 Added [14.(IN), [20, [31.(NL), [37, [39.(ID), [41, [42.(AU), [48, [49.(AU IN), [81.(Sp), [128, [153.(CN), [199, [176.(DE)   to filter line below.
06.17.13 Added [27.(CN), [181 (ar) ,  [159 Saudi Arabia, [177 Brazil,  REMOVED: \(unknown \[|unknown
07.13.13 Removed 198. i.e."\[19[0,3-7,9]" b/c it's a Hostgator machine!
04.09.14 Added [ -] = Acceleratebiz Inc.  Fort Lauderdale  = \[98.158.22[4|5]
  1. The items (#2 + #3 + #4) below are the current, revised filters:  06.29.12 cPanel has updated its Reg. Expressions to the normal "single backslash escape".
  2. \[1\.|\[2\.|\[5\.|\[14\.|\[2[0,3,7]\.|\[3[1,7-9]|\[4[1,2,6-9]|\[5[8,9]|\[6[0-2]|\[7[7-9]|\[8[0-9]|\[9[0-6]|\[10[0-9]|\[11[0-9]|\[12[0-5,8]|\[13[3]|\[14[1]|\[15[0-1,3,9]|\[16[5,8]|
  3. \[17[1,5-8]|\[18[0-9]|\[19[0,3-7,9]|\[20[0-2]|\[21[0-3]|\[21[7-9]|\[22[0-9]|\[23[0-9]|\[24[0-9]|\[25[0-5]|\.ru
  4. Some RegEx's have:  [ \s]91\.  where " \s" means "[space]91\."    02.5.14  Adding this to another filter:   i.e. [\s]31\.|[\s]62.210\.|[\s]78\.|[\s]91\.|[\s]94\.|[\s]113\.|[\s]192\.99\.|[\s]192.252.[0-7][+\.]|[\s]213\.     Template: [\s]xxx\.|    
    Current NEP Acc Level = [\s]31\.|[\s]91\.|[\s]94\.|[\s]213\.

    1. 05.16.14  USA IP filters:  Adding to, rewriting and reorganizing 04.09.14  and  05.15.14  filters into 2 User Level filters; See #4. & 5 below. 
    2. 04.09.14  USA IP filter  \[[0-9]|\[66.199.2[2-5][0-9]|\[98.158.22[4-9]|\[98.158.23[0-9]|\[162.208.4[8,9]|\[162.208.5[0,1]|\[192.228.9[6-9][+\.]|\[192.228.1[0-9][0-9]\.| \[192.228.2[0-1][0-9]\.|\[192.228.22[0-8]\.|\[198.210.3[2-5][+\.]|.eu\)|.me\)|\)
    3. 05.15.14   Adding this to another USA IP's filter: \[67.212.6[4-9]\.|\[67.212.7[0-9]\.|\[67.212.8[0-9]\.\[67.212.9[0-5]\.|\[172.245\.|\[170.130\.|\[162.253.4[0-3]\.|\[173.44.129\.|\[173.232\.|\[173.236.[0-9]\. |\[173.236.[1-9][0-9]\.|\[173.236.1[0-1][0-9]\.|\[173.236.12[0-7]\.|\[179.43.12[8,9]\.|\[179.43.1[3-8][0-9]\.|\[179.43.19[0-1]\.|\[192.3.204\.|\[198.8.89\.|
    4. 05.16.14  USA IP filters:  Rewritten: (46ea.) \[[0-9]|\[66.85.14[0-9]\.|\[66.199.2[2-5][0-9]|\[67.212.6[4-9]\.|\[67.212.7[0-9]\.|\[67.212.8[0-9]\.\[67.212.9[0-5]\.|\[98.158.22[4-9]| \[98.158.23[0-9]|\[162.208.4[8,9]|\[162.208.5[0,1]|\[162.253.4[0-3]\.|\[172.245\.|\[170.130\.|\[173.44.129\.|\[173.232\.|\[173.236.[0-9]\.|\[173.236.[1-9][0-9] \.|\[173.236.1[0-1][0-9]\.|\[173.236.12[0-7]\.|\[179.43.12[8,9]\.|\[179.43.1[3-8][0-9]\.|\[179.43.19[0-1]\.
    5. 05.16.14  USA IP filters:  Rewritten:  (19ea.) \[192.3.204\.|\[192.208.186\.|\[192.228.9[6-9][+\.]|\[192.228.1[0-9][0-9]\.|\[192.228.2[0-1][0-9]\.|\[192.228.22[0-8]\.|\[198.8.89\.|\[198.210.3[2-5][+\.]| \[204.10.105\.\[204.45.182\.|.eu\)|.me\)|\)

  5. 04.17.14 Separating Upper Level filters above from User Account Level filters below.  b/c  Item 1 is foreign IP's and item 2 is mixed (foreign + USA) IP's but all beginning with a SPACE before the IP.
  6. 08.27.14 Deleted filters to observe spam count.   After 12 days I still received 17 foreign spam IPs.  Trimmed filter to:
    .. and Reinstalled:
  7.  2.6.15 Modified filters to correct oversight.
    \[1\.|\[2\.|\[5\.|\[14\.|\[2[0,3,7]\.|\[3[1,7-9]\.|\[4[1,2,6-9]\.|\[5[8,9]\.|\[6[0-2]\.|\[7[7-9]\.|\[8[0-9]\.|\[9[0-5]\.|\[10[0-9]\.|\[11[0-9]\.|\[12[0-5,8]\.|\[13[3]\.|\[14[1]\.|\[15[0-1,3,9]\.|\[16[5,8]\.| \[17[1,5-8]\.|\[18[0-9]\.|\[19[0,3-7,9]\.|\[20[0-2]\.|\[21[0-3]\.|\[21[7-9]\.|\[22[0-9]\.|\[23[0-9]\.|\[24[0-9]\.|\[25[0-5]\.|\.ru
  8. (5.24.16) 4.3.17 update allowed  Modified filters.   This is current Account level filter.
    \[1\.|\[2\.|\[5\.|\[14\.|\[2[7]\.|\[3[1,6-9]\.|\[4[1-3,6-9]\.|\[5[8,9]\.|\[6[0-2]\.|\[7[7-9]\.|\[8[0-9]\.|\[9[0-5]\.|\[10[1-3,5,6,9]\.|\[11[0-9]\.|\[12[0-5,8]\.|\[13[3,9]\.|\[14[1]\.| \[15[0-1,3,9]\.|\[16[5,7,8]\.|\[17[1,5-9]\.|\[18[0-3,6-9]\.|\[19[0,1,3-7]\.|\[20[0-2]\.|\[21[0-3,7-9]\.|\[22[0-9]\.|\[23[0-9]\.|\[24[0-9]\.|\[25[0-5]\.|\.ru
          04/03/17 unblocked 
         01/01/17 unblocked, and
  9. ......
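
To see which first octets the current account-level filter (item 8) actually trashes, and what its unanchored `\.ru` alternative catches, the filter can be run over every possible first octet and a few headers. This is an added example, not part of the original page: it uses Python's `re` as a stand-in for the PCRE engine behind cPanel (the constructs used here behave the same in both), and the sample headers are constructed.

```python
import re

# Current account-level filter (4.3.17 entry), copied from the page with the
# line-wrap space before "\[15" removed.
FILTER = (
    r"\[1\.|\[2\.|\[5\.|\[14\.|\[2[7]\.|\[3[1,6-9]\.|\[4[1-3,6-9]\.|\[5[8,9]\.|"
    r"\[6[0-2]\.|\[7[7-9]\.|\[8[0-9]\.|\[9[0-5]\.|\[10[1-3,5,6,9]\.|\[11[0-9]\.|"
    r"\[12[0-5,8]\.|\[13[3,9]\.|\[14[1]\.|\[15[0-1,3,9]\.|\[16[5,7,8]\.|"
    r"\[17[1,5-9]\.|\[18[0-3,6-9]\.|\[19[0,1,3-7]\.|\[20[0-2]\.|\[21[0-3,7-9]\.|"
    r"\[22[0-9]\.|\[23[0-9]\.|\[24[0-9]\.|\[25[0-5]\.|\.ru"
)

# Constructed Received headers; hostnames and addresses are made up.
SAMPLES = {
    "blocked": "Received: from mx.example.net (mx.example.net [91.0.0.1])",
    "allowed": "Received: from mail.example.org (mail.example.org [192.0.2.25])",
    "ru": "Received: from mx.example.ru (mx.example.ru [192.0.2.9])",
    "rural": "Received: from smtp.rural-coop.example (smtp.rural-coop.example [192.0.2.77])",
}


def blocked_first_octets(pattern=FILTER):
    """First octets N for which a bracketed address [N.x.x.x] hits the filter."""
    rx = re.compile(pattern)
    return [n for n in range(256) if rx.search(f"[{n}.0.0.1]")]


def verdict(header, pattern=FILTER):
    """Return the text that triggered the filter, or None if the header passes."""
    m = re.search(pattern, header)
    return m.group(0) if m else None


octets = blocked_first_octets()
print(f"{len(octets)} of 256 first octets are trashed")
print("198 trashed?", 198 in octets)      # removed on 07.13.13 per the log above
for label, header in SAMPLES.items():
    print(f"{label:8} -> {verdict(header)!r}")

# Commas inside classes such as [1,6-9] are literal characters, not separators,
# so the class also accepts ',' (harmless against real IP addresses).
print("comma literal:", verdict("[3,."))
```

The "rural" sample shows that `\.ru` is not anchored to the end of a hostname, so any host label that merely begins with "ru" is trashed as well.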

7/21/16 NEW 2nd level Foreign filters:   [ =  \[203\.192.|   Sample for "\." and OR "|" =  \[203\.192.|\[203.015\.
HOW to filter:
 PCRE - Perl Compatible Regular Expressions
TEST your filters:
     Note:  Image # 2. below Proves the following Regular Expression Filter WORKS on "GOOD" IPs as tested on the web site on 4.21.10.  
Here are the results of a Regular Expression Filter rule that selects only the BAD IPs. [Image # 1. Bad IPs]
       1.)  The red text indicates that the Reg Ex Filter made a match on all of the IPs listed in the "Test on Text" box.  Notice that the Text box input data included both the "Good" and "Bad" IPs but there were no matches on the "Good" IPs since the filter was designed to match only the "Bad" IPs.
       2.)  In the image note the "Dialect" line where Preg is checked.  This means that it is a "Perl regular Expression" compatible tester, which is what the cPanel Reg Ex Filter application requires.
Regular Expression Test for Top Level Spam IPs.  

Image # 1. Bad IPs

Here are the results of a Regular Expression Filter rule that selects only the GOOD IPs.
       The red text indicates that the Reg Ex Filter made a match on all of the IPs listed in the "Test on Text" box.  Notice that the Text box data included the "Bad" IPs but there were no matches since the filter was designed to match "Good" IPs only.  (The reason for listing the "Good" IPs here is that it might be advantageous to design a reverse Reg. Ex. Filter to Allow only eMail from the "Good" IPs and thereby Trashing all others.)

Image # 2. Good IPs
       For the blog of tech support emails on Part 3 of 4, see:  IP-FiltersRegExBLOG.html#Blog3 .

PART 4 of 4: The Application. (cPanel)

        5.13.10  This Part 4 will be updated with the Filter that now works in cPanel see Part 3.   to try different "Actions" to get the optimum results.
      Here is an example of how the Regular Expression Filters are used in the cPanel application - A simplified example: ((\[[0-9]))
cPanel Reg Ex Filter setup.
       One of the more infuriating exercises with the cPanel application was that as soon as all of the above was accomplished and checked and implemented, then inexplicably it didn't work at all !!  The spam level was the same as before without filters.  Or else it Trashed i.e. Discarded ALL emails such that days might expire without receiving one email good or bad!
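
Both symptoms described above (a filter that trashes everything, or one that catches nothing) can be checked for before a filter is installed by testing each `|`-separated alternative on its own. This is an added example, not part of the original page: it lints the ends of two "USA IP filters" entries from Part 3 exactly as published, uses Python's `re` as a stand-in for cPanel's PCRE engine, and the header to keep is constructed.

```python
import re

# Ends of two "USA IP filters" entries (#5 and #3), copied from the page as published.
ENTRY_5_TAIL = r"\[198.8.89\.|\[198.210.3[2-5][+\.]| \[204.10.105\.\[204.45.182\.|.eu\)|.me\)|\)"
ENTRY_3_TAIL = r"\[192.3.204\.|\[198.8.89\.|"

# Constructed header of a message that must be delivered (RFC 5737 address).
KEEP = "Received: from mail.example.org (mail.example.org [192.0.2.25]) by mx.example.com"


def split_alternatives(pattern):
    """Split on '|' that is neither escaped nor inside a [...] class.
    Assumes no (...) groups, which holds for the filters on this page."""
    parts, cur, in_class, i = [], "", False, 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "\\" and i + 1 < len(pattern):   # keep escapes such as \[ whole
            cur += pattern[i:i + 2]
            i += 2
            continue
        if ch == "[":
            in_class = True
        elif ch == "]":
            in_class = False
        if ch == "|" and not in_class:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    parts.append(cur)
    return parts


def lint(pattern, keep=KEEP):
    """Return (alternative, problem) pairs for one filter string."""
    findings = []
    for alt in split_alternatives(pattern):
        if alt == "":
            findings.append((alt, "empty alternative: matches every message"))
            continue
        if alt != alt.strip():
            findings.append((alt, "stray space: must appear literally in the header"))
        if alt.count(r"\[") > 1:
            findings.append((alt, "missing '|': two prefixes run together never match one IP"))
        if re.search(alt, keep):
            findings.append((alt, "matches a message that must be kept"))
    return findings


for name, flt in (("entry 5", ENTRY_5_TAIL), ("entry 3", ENTRY_3_TAIL)):
    for alt, problem in lint(flt):
        print(f"{name}: {alt!r}: {problem}")
```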

       For the blog of tech support emails on Part 4 of 4, see:  IP-FiltersRegExBLOG.html#Blog4 .

-  Page Publication Date: 03/25/10 -   -