My previous anti-spam tool was NovaSoft's SpamKiller and in there was a screen in which country codes could be selected for filtering. After checking off all countries except the USA, I was impressed at how much spam was filtered out.

Not having a similar option choice in MailWasher, I created the following filter based on Gary Partain's model:

[enabled],"Foreign Routing","Foreign Routing",33023,OR,Delete,EntireHeader,containsRE,(?m)^Received:.+ (\.af|\.al|\.dz|\.as|\.ad|\.ao|\.ai|\.ag|\.ar|\.am|\.aw|\.au|\.at|\.az|\.bs| \.bh|\.bd|\.bb|\.by|\.be|\.bz|\.bj|\.bm|\.bt|\.bo|\.ba|\.bw|\.bv|\.br|\.io| \.bn|\.bg|\.bf|\.bi|\.kh|\.cm|\.ca|\.cv|\.ky|\.cf|\.td|\.cl|\.cn|\.cx|\.cc|\.co| \.km|\.cg|\.cd|\.ck\.cr|\.ci|\.hr|\.cu|\.cy|\.cz|\.dk|\.dj|\.dm|\.do|\.tp| \.ec|\.eg|\.sv|\.gq|\.er|\.ee|\.et|\.fk|\.fo|\.fj|\.fi|\.fr|\.fx|\.gf|\.pf|\.tf| \.ga|\.gm|\.ge|\.de|\.gh|\.gi|\.gr|\.gl|\.gd|\.gp|\.gu|\.gt|\.gg|\.gn|\.gw| \.gy|\.ht|\.hm|\.va|\.hn|\.hk|\.hu\.is|\.in|\.id|\.int|\.ir|\.iq|\.im|\.il|\.it| \.jm|\.jp|\.je|\.jo|\.kz|\.ke|\.ki|\.kp|\.kr|\.kw|\.kg|\.la|\.lv|\.lb|\.ls|\.lr| \.ly|\.li|\.lt|\.lu|\.mo|\.mk|\.mg|\.mw|\.my|\.mv|\.ml|\.mt|\.mh|\.mq| \.mr|\.mu|\.yt|\.mx|\.fm|\.md|\.mc|\.mn|\.ms|\.ma|\.mz|\.mm|\.na| \.nr|\.np|\.nl\.an|\.nc|\.nz|\.ni|\.ne|\.ng|\.nu|\.nf|\.mp|\.no|\.om|\.pk| \.pw|\.pa|\.pg|\.py|\.pe|\.ph|\.pn|\.pl|\.pt|\.pr|\.qa|\.re|\.ro|\.ru|\.rw| \.kn|\.lc|\.vc|\.ws|\.sm|\.st|\.sa|\.sn|\.sc|\.sl|\.sg|\.sk|\.si|\.sb|\.so|\.za| \.gs|\.es|\.lk|\.sh|\.pm|\.sd|\.sr|\.sj\.sz|\.se|\.ch|\.sy|\.tw|\.tj|\.tz|\.th| \.tg|\.tk|\.to|\.tt|\.tn|\.tr|\.tm|\.tc|\.tv|\.ug|\.ua|\.ae|\.gb|\.uk|\.uy|\.uz| \.vu|\.ve|\.vn|\.vg|\.wf|\.eh|\.ye|\yu|\.zm|\.zw)[^\.\w]

OCT 31: SPACES WERE ADDED TO ALLOW WORD WRAP WITHIN THIS FORUM. USE THE FILTER(S) BELOW AS MINE WAS CORRECTED AND OTHERS HAVE BEEN SUGGESTED AS ALTERNATIVES.

This one filters everything except the USA and the Antarctic. I'd hate to miss the first spam routed through the Antartic!

You can find a country list in http://www.w5hq.com/MailWasher/MailWasherFilters.txt
and remove any countries you need unfiltered.

This filter along with a few good DNS blacklist servers in MWP catch over 95% of the 150-200 spams I get every day.

Dallas,

I had just downloaded the country codes from Gary's filters and was fixin' to work with them when I happened to find your post. Talk about timing, you saved me a lot of work! Thanks!

Working with your filter I found where you seem to have left the "|" between hu\is, ck\cr, nl\an, and sj\sz.

Here's the correction I made (I hope they're corrections, I don't quite trust myself working with filters).

[enabled],"Foreign Routing","Foreign Routing",33023,OR,Delete,EntireHeader,containsRE,(?m)^Received:.+
(\.af|\.al|\.dz|\.as|\.ad|\.ao|\.ai|\.ag|\.ar|\.am|\.aw|\.au|\.at|\.az|\.bs|
\.bh|\.bd|\.bb|\.by|\.be|\.bz|\.bj|\.bm|\.bt|\.bo|\.ba|\.bw|\.bv|\.br|\.io|
\.bn|\.bg|\.bf|\.bi|\.kh|\.cm|\.ca|\.cv|\.ky|\.cf|\.td|\.cl|\.cn|\.cx|\.cc|\.co|
\.km|\.cg|\.cd|\.ck|\.cr|\.ci|\.hr|\.cu|\.cy|\.cz|\.dk|\.dj|\.dm|\.do|\.tp|
\.ec|\.eg|\.sv|\.gq|\.er|\.ee|\.et|\.fk|\.fo|\.fj|\.fi|\.fr|\.fx|\.gf|\.pf|\.tf|
\.ga|\.gm|\.ge|\.de|\.gh|\.gi|\.gr|\.gl|\.gd|\.gp|\.gu|\.gt|\.gg|\.gn|\.gw|
\.gy|\.ht|\.hm|\.va|\.hn|\.hk|\.hu|\.is|\.in|\.id|\.int|\.ir|\.iq|\.im|\.il|\.it|
\.jm|\.jp|\.je|\.jo|\.kz|\.ke|\.ki|\.kp|\.kr|\.kw|\.kg|\.la|\.lv|\.lb|\.ls|\.lr|
\.ly|\.li|\.lt|\.lu|\.mo|\.mk|\.mg|\.mw|\.my|\.mv|\.ml|\.mt|\.mh|\.mq|
\.mr|\.mu|\.yt|\.mx|\.fm|\.md|\.mc|\.mn|\.ms|\.ma|\.mz|\.mm|\.na|
\.nr|\.np|\.nl|\.an|\.nc|\.nz|\.ni|\.ne|\.ng|\.nu|\.nf|\.mp|\.no|\.om|\.pk|
\.pw|\.pa|\.pg|\.py|\.pe|\.ph|\.pn|\.pl|\.pt|\.pr|\.qa|\.re|\.ro|\.ru|\.rw|
\.kn|\.lc|\.vc|\.ws|\.sm|\.st|\.sa|\.sn|\.sc|\.sl|\.sg|\.sk|\.si|\.sb|\.so|\.za|
\.gs|\.es|\.lk|\.sh|\.pm|\.sd|\.sr|\.sj|\.sz|\.se|\.ch|\.sy|\.tw|\.tj|\.tz|\.th|
\.tg|\.tk|\.to|\.tt|\.tn|\.tr|\.tm|\.tc|\.tv|\.ug|\.ua|\.ae|\.gb|\.uk|\.uy|\.uz|
\.vu|\.ve|\.vn|\.vg|\.wf|\.eh|\.ye|\yu|\.zm|\.zw)[^\.\w]

Thanks again,
Jarron

Edited for forum formatting purposes. Remove CR's before pasting into filter list (text should be one line). Not responsible for false positives or other problems; if you lose out on $1,000,000.00 because you didn't get your letter from Nigeria it's not my fault.

It worked. I was wondering how I could get this filter error corrected and I thought, "Post it in the forum!"

Really, thanks for catching those. Looks like you got all of 'em. Must've happened those four times my eyeballs popped out when I was working on it.

I hope you find it as effective as I do.

Instead of a huge filter listing all the country codes you want to exclude, could you not instead add a blacklist entry like *@*.?? then write a filter to override the blacklist for the countries you'd like to receive email from (ie *@*.us or whatever)?

I was looking at your regex and I just wanted to make a couple suggestions.

The first iterator in the expression might be better as a non-greedy. Also, it might actually help to specify the "from" that is normally in the line.

Instead of:
^Received:.+(\.af|\.al|\.dz|\.as|\.ad|\.ao|\.ai|\.ag|\.ar|\.am....

change it to:

^Received: from.+?(\.af|\.al|\.dz|\.as|\.ad|\.ao|\.ai|\.ag|\.ar|\.am....


You might be able to speed it up, and shorten the expression if you remove the "\." from before each countrycode and place it before the Mega-OR statement.

Instead of:

^Received: from.+?(\.af|\.al|\.dz|\.as|\.ad|\.ao|\.ai|\.ag|\.ar|\.am....


change it to:

^Received: from.+?(af|al|dz|as|ad|ao|ai|ag|ar|am....

Once that is done, you might be able to shorten it some more by grouping all the first charactors together:

Change:

^Received: from.+?(a[defgilmnorstuwz]|b[abdefghijmnorstvwyz]|c[acdfghiklmnoruvxyz]|d[ejkmoz]|e[ceghrst]|f[ijkmorx]|g[abdefghilmqrstuwy]|h[kmnrtu]|i[dlmnoqrst]|j[emop]|k[eghimnprwyz]|l[abcikrstuvy]|m[acdghklmnopqrstuvwxyz]|n[acefgilopruz]|om|p[aefghklmnrtwy]|qa|r[eouw]|s[abcdeghijklmnortvyz]|t[cdfghjkmnoprtvwz]|u[agkyz]|v[acegnu]|ws|y[etu]|z[amw])[^\.\w]


Finally, at the end of the regex the terminator seems to be malformed.

[^\.\w] is telling the Regex interpreter that any charactor that follows the two letter country designator other than "\", . , or an alphanumeric charactor will make the result true.

It might be a good practice to get into now to skip the "\" before the dot when enclosed in the square brackets "[]"

Change it to read [^.\w]

Homeland Security indeed. The term "isolationist" comes to mind......

BTW Dallas, would it be possible to edit your posts and insert a space every once in a while in your rather longish lines? These forums need some sort of autowrap after 200 or so characters.......

Dallas, I just emailed you the solution to do exactly the same thing, but 1/10 the size.

You may not have received it though, I'm in Australia. Oh well.

I agree with the suggestion to use non-greedy wildcard.
Also I think the expression should be terminated with \s.
Otherwise, you'll get false positives on servers with dashes and numbers in them:

Received: from mx.af-lala.com

So just replace [^.\w] with \s.

BTW, I appreciate the sarcastic title of the post.
Even if it wasn't intended to be so.

TimeGhost,

I had considered that, but was concerned that somethimes there is no space between the end of the domain and a bracket.

This is usually indicative of a malformed line, but if you write the regex to insist on "\s" as a termintor you will miss those malformed Recieved lines.

Might as well use the filter to catch a few forgeries here and there. What do you think??

Noted. Thanks for the heads-up on that.