Filtering by IP Address.

General discussion about PopMan.

Moderator: Christian

Cadillakin
Posts: 8
Joined: 09 Nov 2008, 17:41

Filtering by IP Address.

Post by Cadillakin »

Years ago when I used to chat on Yahoo Messenger, one of my nicknames was bandied about and saved into many address books. The long and short of it is.. that address gets a lot of spam.. porn, viagra, all of it. I still have legitimate uses for that nickname so deleting the address is not a good option.

For those of you who would like to filter by ip address, there is a sensible way to do this.. First, bookmark this site:
http://www.google.com/support/analytics ... swer=55572

Instead of trying to filter the spam in PopMan with just "bad word filters", I looked into the headers of the email and noticed that much of it was coming from Lacnic - (Latin American and Caribbean Internet Addresses Registry). YOUR SPAM will probably come from different servers so there is no point in copying any examples I give you here... unless you too get spam from Lacnic addresses. In any event, you can view the "source" of the email in Popman by highlighting it, then right clicking, choose source.

Next, you'll need to do a whois on the ip address in your headers. (Good whois tool: http://tools.whois.net/whoisbyip/ ). Basically, you are looking for patterns in your spam mail.. When the whois you are doing on your spam mail headers reveals that much of it is coming from the same servers, then you may want to act on that information.

In my case, 80% of my spam/porn was coming from the Lacnic address range. This is revealed by the whois. As an example, do a whois on 189.155.202.200. The porn mails I was getting had very similar addresses.. They all started with 189 or 190, and they all came from the Lacnic range. The KEY HERE is that I don't know anybody in Latin America or the Caribbean, so there is about a 99.99% chance anything coming from there is not email I'll need to concern myself with. Again, in all probability, your porn will come from different addresses.

Then, I found the google tool listed in the first paragraph.. It simply asks you to supply the "range of addresses". This range is revealed in your whois. It might say, NetRange: 190.0.0.0 - 190.255.255.255 or something like that. Feed those two parameters into the google regex tool and voila.. you have a regex filter that will work with Christian's Popman.. You don't want to filter a whole range unless you are sure of what you are doing.. but with a little thought and care, specific addresses can be filtered.

I won't go much further coz I know this is tedious.. but here is an example from my rules file: I created a Lacnic_IP_Regex and placed it within the bad words section of the rules file, below Christian's examples of Viagra_Regex and Cialis_Regex - which I left intact when I created my own rules. Then I used the google tool to get a proper regex expression. To assist with this, I downloaded the Regex Coach so I could tinker with reducing the size of the regex, or adding and subtracting from it...

Here is my Lacnic regex, placed right under Christian's examples..
define string Lacnic_IP_Regex =
regex:"(189|190)\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\."

So, now, as that filter is in place, I can use it to write antispam rules within PopMan that will delete anything that comes from Lacnic. I've done much more with IP filtering, but I will leave it at that.

Be careful before defining any rules using IP addresses. For me, in my Thunderbird Mail, I have about 8000 saved mails. I searched my mail entirely to see if any of them were using Lacnic addresses.. or if somehow I might be deleting some important mail. I found no matches.

I hope this posting puts some of you that might have the inclination to filter IP addresses on the right track.
Last edited by Cadillakin on 21 Feb 2009, 20:37, edited 1 time in total.
Christian
Site Admin
Posts: 387
Joined: 11 Jan 2004, 13:04
Location: Magdeburg, Germany

Post by Christian »

Thank you for outlining this interesting spam-filtering approach. :)
I think this can be quite effective for advanced users!
Christian Hübner
Cadillakin
Posts: 8
Joined: 09 Nov 2008, 17:41

Post by Cadillakin »

This is a better whois, with more complete info.
http://www.domaintools.com/
Cadillakin
Posts: 8
Joined: 09 Nov 2008, 17:41

Post by Cadillakin »

You can make one long continual filter within the PopMan rules file by just joining the differing IP filters created in Google's IP to Regex page.. Just add a | at the end of the first filter. Then you can add filter string after filter string. I have one very long string for the Junk_IP_Regex I created. So, when I get a mail that is nonsense/junk, I can just create the filter and add the regex string to the end.

It looks like this...

define string Junk_IP_Regex =
regex:"89\.29\.(2(2[4-9]|3[0-9]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|208\.85\.(48\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))|(49|5[0-5])\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5])))$|199\.115\.(1[6-9]|2[0-5])\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|146\.82\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|95\.162\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|82\.133\.84\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|69\.95\.226\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|92\.126\.([4-9]|1[0-5])\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|209\.86\.89\.([1-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$|96\.32\.(1(1[2-9]|2[0-7]))\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))$"


You should have only two quote marks in the expression - at the very beginning and at the end.

Also, eliminate this character, ^, from the beginning of any Google filters before adding them to the previous filter strings.
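The whole procedure from Cadillakin's first post (pull the relay address out of the Received: headers, take the NetRange bounds from the whois, turn them into a regex) and the joining of several filters with | described in this post can be reproduced with a small script. The following is an added example written for this thread; it is not PopMan's code and not Google's tool, and its output only imitates the style of the filters quoted above. Its (?:...) groups and \b boundaries are Python regex syntax; I assume rather than know that PopMan's rule engine accepts them, so for a rules file you may have to use plain (...) groups and the $ anchor the post uses. The two /8 bounds are the ones quoted in the first post, the message is constructed, and 189.155.202.200 is the post's own example address. One caveat the script makes visible: a sender can forge any Received: line below the one your own provider adds, so only the hops written by servers you trust are reliable evidence of where a mail came from.

```python
import ipaddress
import re


def _digit_range(lo: int, hi: int, width: int) -> list:
    """Alternatives matching each integer lo..hi, zero-padded to `width` digits."""
    if lo > hi:
        return []
    if width == 1:
        return [str(lo) if lo == hi else f"[{lo}-{hi}]"]
    base = 10 ** (width - 1)
    lo_head, lo_tail = divmod(lo, base)
    hi_head, hi_tail = divmod(hi, base)
    if lo_head == hi_head:  # same leading digit: only the tail varies
        return [str(lo_head) + a for a in _digit_range(lo_tail, hi_tail, width - 1)]
    alts = []
    if lo_tail != 0:  # partial block at the low end, e.g. 2[4-9] of 24..39
        alts += [str(lo_head) + a for a in _digit_range(lo_tail, base - 1, width - 1)]
        lo_head += 1
    last_full = hi_head if hi_tail == base - 1 else hi_head - 1
    if lo_head <= last_full:  # leading digits whose every tail value is in range
        head = str(lo_head) if lo_head == last_full else f"[{lo_head}-{last_full}]"
        alts.append(head + "[0-9]" * (width - 1))
    if hi_tail != base - 1:  # partial block at the high end
        alts += [str(hi_head) + a for a in _digit_range(0, hi_tail, width - 1)]
    return alts


def octet_regex(lo: int, hi: int) -> str:
    """Regex for one octet in lo..hi, split by digit count so no leading zeros."""
    alts = []
    for start, end, width in ((0, 9, 1), (10, 99, 2), (100, 255, 3)):
        s, e = max(lo, start), min(hi, end)
        if s <= e:
            alts += _digit_range(s, e, width)
    return alts[0] if len(alts) == 1 else "(?:" + "|".join(alts) + ")"


def range_regex(first: str, last: str) -> str:
    """Regex for every IPv4 address from `first` to `last` (a whois NetRange)."""
    alts = []
    for net in ipaddress.summarize_address_range(
            ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)):
        # Inside one CIDR block each octet spans an independent lo..hi range,
        # so the product of per-octet regexes covers exactly that block.
        pairs = zip(net.network_address.packed, net.broadcast_address.packed)
        alts.append(r"\.".join(octet_regex(a, b) for a, b in pairs))
    return "|".join(alts)


def combined_filter(ranges) -> "re.Pattern":
    """Join several range regexes with '|' in one group.  The \\b boundaries
    replace the '^'/'$' anchors so that 1189.1.1.1 cannot match a 189.x filter."""
    body = "|".join(range_regex(a, b) for a, b in ranges)
    return re.compile(r"\b(?:" + body + r")\b")


def in_ranges(ip: str, ranges) -> bool:
    """Arithmetic check of the same ranges, used to validate the regex."""
    addr = ipaddress.IPv4Address(ip)
    return any(ipaddress.IPv4Address(a) <= addr <= ipaddress.IPv4Address(b)
               for a, b in ranges)


def agree(ranges, ips) -> bool:
    """True when the regex and the arithmetic check give the same verdicts."""
    pat = combined_filter(ranges)
    return all(bool(pat.fullmatch(ip)) == in_ranges(ip, ranges) for ip in ips)


def received_ips(source: str) -> list:
    """Bracketed IPs from every Received: header, nearest hop first."""
    headers = source.split("\n\n", 1)[0]
    unfolded = re.sub(r"\n[ \t]+", " ", headers)  # rejoin folded header lines
    ips = []
    for line in unfolded.split("\n"):
        if line.lower().startswith("received:"):
            ips += re.findall(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", line)
    return ips


def is_junk(source: str, pattern: "re.Pattern") -> bool:
    """Flag a message if any relaying host falls inside a filtered range."""
    return any(pattern.fullmatch(ip) for ip in received_ips(source))


# Constructed sample: the two /8 bounds quoted in the first post, and a fake
# message whose second hop is the post's example address 189.155.202.200.
LACNIC = [("189.0.0.0", "189.255.255.255"), ("190.0.0.0", "190.255.255.255")]
SAMPLE_SOURCE = """\
Received: from mx.example.net (mx.example.net [192.0.2.10])
    by pop.example.net with ESMTP; Sat, 21 Feb 2009 20:37:00 +0100
Received: from unknown (HELO host) [189.155.202.200]
    by mx.example.net with SMTP; Sat, 21 Feb 2009 20:36:58 +0100
From: someone@example.org
Subject: hello

body text
"""

if __name__ == "__main__":
    pat = combined_filter(LACNIC)
    print("define string Lacnic_IP_Regex =")
    print(f'regex:"{pat.pattern}"')
    print("sample message flagged:", is_junk(SAMPLE_SOURCE, pat))
```

Running it prints a Lacnic_IP_Regex line in the shape of the one in the first post and flags the sample message. The agree() helper is the check worth keeping around: it compares the generated regex against the plain ipaddress arithmetic on a handful of addresses just inside and outside each boundary, which is the cheapest way to catch an off-by-one before a filter starts deleting mail.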