
BLOCK IP ADDRESS RANGES USING REGULAR EXPRESSIONS WITH MAIL WASHER

Here's how to construct regular expressions to block IP address ranges (or IP address blocks, or IP blocks, or whatever it is you call them in your neck of the woods) for use in Mailwasher. Be aware this means that you will block all mail from a particular network.

I'm assuming that you know what an IP address is and how they are numbered, how to look at the email headers and work out the IP address of your spammer, and how to do a whois search (ARIN for the USA, APNIC for Asia, RIPE for Europe, LACNIC for South America) to find out the IP address block from which they come. If enough spam starts coming from an area where you have never received legitimate email and from which you are constantly being pummelled with spam, block the whole network. Some may call you isolationist but they don't have to clear your inbox every morning and night, do they?

If you're not up for the above there are thousands of sites that list networks that allow spammers to continue to pollute the world with their filth. Just google for them and you'll find all you need. I personally just chose to eliminate the networks that fail to respond to my repeated requests to stop the spammers. OK, still with me? Here goes.

Regular expressions are basically template formulae that look for a match. You will only need the most basic understanding of regular expressions and soon you'll be filtering spam with regular expressions in Mailwasher to your heart's content, tra la la and so on, easy. Here is an example of a regular expression to filter a block of IP addresses from the Chinanet node Guangdong, which regularly clogs my inbox with gay abandon:

NODE NAME: CHINANET Guangdong Province
IP RANGE:  218.13.0.0 - 218.18.255.255

IP#1    IP#2    Ranges
218     218     218 - 218
13      18      13 - 18
0       255     0 - 255
0       255     0 - 255

Let's break that IP address down into four separate ranges of numbers. Our regular expression will be looking for IP addresses that fit inside this range of numbers. We have:

1) 218 - 218     2) 13 - 18     3) 0 - 255     4) 0 - 255


1) The only possibility for the first number is 218 so our first part will be

218

 

2) The second set of numbers can be from 13 - 18 so:

1[345678]

Anything enclosed in square brackets is a set of options, and any one of those options can be used, so this represents either 13, 14, 15, 16, 17 or 18.


To illustrate another possibility, if we were to have a range of 13 - 25:

( 1[3456789] | 2[012345] )

The | (located under your backspace key) means OR, so this means we can have (1[3456789] OR 2[012345]). The round brackets just show where the set to be considered for the OR starts and finishes. So this means:

As the expressions get longer you will be thankful for ( ) !


In the interests of giving a wide enough range of examples for you to understand, let's say we have a range of 13 - 55:

( 1[3456789] | [234]\d | 5[012345] )

It's starting to look odd, and why is there a letter? Read it out:

So you can see the \d means any single digit from 0-9.


3) The last two sets of numbers, parts 3 and 4, are from 0 - 255 and require us to look for numbers from zero to the hundreds.

(\d | [123456789]\d | 1\d\d | 2[01234]\d | 25[012345] )

Now that doesn't look so daunting after what you already know. Again, reading through makes it quite clear what's happening:

 

So now we have 1) 218 - 218     2) 13-18    3)  0-255    4) 0-255

  1. 218
  2. 1[345678]
  3. (\d | [123456789]\d | 1\d\d | 2[01234]\d | 25[012345] )
  4. (\d | [123456789]\d | 1\d\d | 2[01234]\d | 25[012345] )

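If we add all these together and separate each with a full stop, just like a real IP address, we get the line below. The full stop is written \. because a bare . in a regular expression matches any character, not just a full stop, and the spaces shown in the pieces above are dropped because a space inside a regular expression is matched literally:

218\.1[345678]\.(\d|[123456789]\d|1\d\d|2[01234]\d|25[012345])\.(\d|[123456789]\d|1\d\d|2[01234]\d|25[012345])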

Pretty easy to dip your feet into Regular Expressions, isn't it? Now all you have to do is create a filter rule in Mailwasher, set it to mark for delete, set it to look in the Entire Header for Contains RegExpr and paste in the above line of gobbledygook, click OK and you're filtering entire blocks of IP addresses with Mailwasher Regular Expressions. Now maybe you'd like to try something different: try to make a regexp to find the word viagra in spam... :)
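The same construction done mechanically, as an added example that is not part of the original page: octet_range builds the alternation for any range within 0-255, going beyond the four ranges worked above, and the assembled pattern is run over constructed header lines. The Python re engine, all function names, the (?<!\d) and (?!\d) digit guards and the sample headers are assumptions of this example; the page does not say whether Mailwasher accepts lookarounds, so drop the guards if it rejects them.

```python
import re
from itertools import groupby

def digit_class(digits):
    """Collapse a run of consecutive digits into one regex token."""
    if len(digits) == 1:
        return str(digits[0])
    return r"\d" if len(digits) == 10 else f"[{digits[0]}-{digits[-1]}]"

def octet_range(lo, hi):
    """Regex fragment matching exactly the integers lo..hi (0-255), no leading zeros."""
    if not 0 <= lo <= hi <= 255:
        raise ValueError("need 0 <= lo <= hi <= 255")
    # Step 1: numbers sharing everything but their last digit become prefix + class.
    rows = [(prefix, digit_class([n % 10 for n in nums]))
            for prefix, nums in groupby(range(lo, hi + 1), key=lambda n: str(n)[:-1])]
    # Step 2: neighbouring prefixes with the same tail differ only in their last digit.
    alts = []
    for (_, head, tail), grp in groupby(rows, key=lambda r: (len(r[0]), r[0][:-1], r[1])):
        prefixes = [p for p, _ in grp]
        mid = digit_class([int(p[-1]) for p in prefixes]) if prefixes[0] else ""
        alts.append(head + mid + tail)
    return alts[0] if len(alts) == 1 else "(" + "|".join(alts) + ")"

def block_pattern(ranges):
    """Join four (lo, hi) octet ranges with escaped dots, guarded against longer numbers."""
    body = r"\.".join(octet_range(lo, hi) for lo, hi in ranges)
    return r"(?<!\d)" + body + r"(?!\d)"

def false_matches(lo, hi):
    """Exhaustive check: values 0-255 that the fragment accepts or rejects wrongly."""
    rx = re.compile(octet_range(lo, hi), re.ASCII)
    return [n for n in range(256) if bool(rx.fullmatch(str(n))) != (lo <= n <= hi)]

# The page's block, 218.13.0.0 - 218.18.255.255, and the same pattern with bare dots.
PAGE_BLOCK = block_pattern([(218, 218), (13, 18), (0, 255), (0, 255)])
BARE_DOTS = PAGE_BLOCK.replace(r"\.", ".")
# Constructed header lines, not taken from real mail.
SAMPLE_HEADERS = [
    "Received: from mail.example.test ([218.15.200.7]) by mx.example.test",
    "Received: from mail.example.test ([218.19.0.1]) by mx.example.test",
    "Message-ID: <2180130405@example.test>",
]

def flagged(pattern, lines=SAMPLE_HEADERS):
    """Return the lines a 'contains regex' rule with this pattern would hit."""
    rx = re.compile(pattern, re.ASCII)
    return [line for line in lines if rx.search(line)]

if __name__ == "__main__": print(PAGE_BLOCK)
```

With bare dots the Message-ID line is flagged as well, because each . happily matches a digit inside the long number; with \. only the address inside the block is hit.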

 

kind regards
Peter Riddell