Spam

I Want an Email Client program that filters by a 'KEY' 'Received: from' IP address compared against user-specified, 'undesirable' IP-address ranges

(2008 Feb blog post)


My (spam) Battle

I get a lot of email spam (in the years around 2008). Some is from China and Korea, the Asia-Pacific area. Some is from other places like Chile and Romania --- and some is from the United States.

In 2008, I am/was receiving mostly ads for meds. In 2007, I was also getting lots of mortgage re-financing spam and Rolex watch spam --- and the usual offers to enlarge that certain male member.

My Internet Service Provider (ISP) --- cox.net --- filters out a lot of spam --- by anti-spam techniques unknown to me. But I still get about 20 spam emails per week (two to four per day). It's a real nuisance --- especially because I do not check my email sometimes for over a week, so I end up having to deal with about 20 spam messages.

I can usually tell from the gobbledy-gook 'Subject' text --- and from the unfamiliar 'From' name --- which emails are spam.

    (I have to wonder who would respond to emails with such meaningless subject lines --- and gobbledy-gook in the message body to throw off mail filters that try to learn what to filter according to the message content.)

Although most spam is recognizable from the 'Subject' text, it would be a real time-saver to have a means to automatically direct such mail to a 'suspected-spam' mail folder (or a 'Trash' folder).

Some of the mail is particularly annoying because it is sent over and over and over again --- day after day --- even several times a day. I don't even want to see it.

    A SIDE NOTE:

    Unfortunately, I chose an email address of the form first-name-initial and last-name ... like sjones for Steve Jones.

    It seems spammers send out huge amounts of spam by attaching a single letter to a last name, from a huge list of last names. Hence I often see a spam email addressed not just to my email address but to several with the same first initial.

    Example: sjohnson, sjohnston, sjones, sjorgenson

    Lesson to you: Do not pick an email address of that form.


What I'd Like     (filter by IP address range)

I would like to have an email client that filters out email by IP addresses --- in ranges --- such as all addresses in the range 200.61.0.0 through 200.62.128.255 (for example, all the addresses assigned to a particular mail server) --- INSTEAD OF by individual specific addresses like 200.61.23.42, or by individual mail sender addresses like sjones@att.net.

I have described how a 'Received: from' line in email 'header lines' can be used to determine a source IP address of an email. That description is in one of my external-web-LINKS pages --- on the subject of SPAM-FIGHTING-INFO.

Here is an example 'Received: from' header record:

    Received: from bb0ea012.schwab.com ([162.93.212.202])
      by fed1rmimpi03.cox.net with IMP
      id YJ2S1X02f4NaEDu0000000; Sun, 05 Aug 2007 14:02:27 -0400

Note that it is of the form 'Received: from ... by ... date-time'. The IP address after 'from' is a candidate for determining the email-sender's location.

    Note this quote from the Wikipedia email spam page:
    "Senders cannot completely spoof email delivery chains (the 'Received' header), since the receiving mailserver records the actual connection from the last mailserver's IP address. To counter this, some spammers forge additional delivery headers to make it appear as if the email had previously traversed many legitimate servers."
    This implies that there is at least one 'valid' received-from IP address among the 'Received' headers.

Unfortunately, there are not many email clients that can filter on email header info --- specifically the 'bottom-most' received-from IP-address in the headers of an email.

    The 'bottom-most' received-from IP-address is what may be a 'KEY' received-from address --- one that would help determine the sender of the email. (Unfortunately, the 'bottom-most' received-from line may not reveal that address --- but it is a good candidate.)

The Microsoft mail clients (Outlook Express and Outlook) allow for filtering on keywords in the 'Subject' and 'From' and 'Body' fields. But spammers have pretty much made that kind of basic filtering useless. Most spammers use misspelled words for 'Subject' --- and, often, graphics images instead of text in the 'Body' --- and faked email addresses in 'From'.

You could do a WEB SEARCH to see if there is a way to direct suspected spam to a 'trash' folder --- for your particular email receiving-and-reading program --- such as the Mozilla Thunderbird email 'client' program.

In particular, it would be nice to find an email 'client' program that can 'filter' incoming mail according to a 'KEY' received-from IP-address compared against ranges of IP-addresses.

Unfortunately, I have not found an email 'client' that 'filters out' incoming mail according to user-specified IP address ranges.


Thunderbird filtering :

The following two images indicate the panels within Thunderbird where one would specify the filtering on individual IP addresses (or on mail-server-inserted message headers).

    IF it turns out that Thunderbird will NOT do filtering on IP address ranges (and I don't think it does), I may have to look for another email-reader client --- or a helper application for an email-reader client.


Groundwork -- IP address ranges by country

To start determining some IP address ranges to filter out, I have started a large list of IP-address ranges (along with some specific addresses).

This text file, on this site, shows ranges of IP addresses assigned to countries --- along with notes on some specific addresses and ranges that seem to be sources of spam and other undesirable net behavior (personal/identity data gathering, spyware, viruses/trojan-horses/worms, adware, popups, etc.).

    For more such IP-address info, some 'block list' sites may be seen at this curlie.org spam blacklisting page.

My desire is to filter out emails (and, also, eventually, block packets trying to enter the network card of my computer) that apparently come from countries like China, Korea, Taiwan, Romania, Chile, etc. --- and certain IP-address ranges in the U.S.

About the only email I get is from friends using ISPs in the U.S. --- like cox, gmail, AOL, roadrunner, etc. --- OR, I get email from businesses in the U.S. --- like airlines, railroads, hotels, my web host provider, etc. (Actually, I may want to filter out the mail from specific companies --- if they do not honor a request to stop further infomercial emails.)

Some web pages indicate how difficult this IP-filtering approach is (namely, constantly finding new address ranges to filter out --- and then finding that some ranges may be too aggressive and need to be broken up).

These kinds of web pages are at sites where administrators of web sites are describing how they attempt to block 'trolls' from posting comments on web sites that they manage.

Those sites typically go dead after a few years, but you could try WEB SEARCHES on keywords --- such as:

If you do web searches like these, you will probably find some people that say filtering on IP addresses is not appropriate. Most of these people are system administrators who are filtering at routers or proxy servers or mail servers on a company network, and their company has a need to accept mail from many parts of the world.

For example, my ISP (Internet Service Provider), cox.net, cannot filter out mail from China and Korea, because many of their customers may need to be able to receive mail from there. HOWEVER, I, as an individual, have no need for mail from China and Korea. I have no relatives or friends there.

And even if I did have a relative or friend who was visiting foreign countries and sending emails to me --- I could simply check the 'From' column in my 'probable-spam' folder (where I would dump all spam-filtered email) to see if I got emails from friends.

If I expected to receive more mail from them, I could add their email address or hostname (or an IP address) to a 'white-list' of addresses from which to always accept mail.


Black-list or White-list

Ideally, I intend to add IP addresses/ranges to an IP list (like at the IP-address-ranges-list-link above) --- as I check spam (and legitimate) email that I receive --- in order to prepare for the possibility of using an email client, like Thunderbird, to filter email by IP address ranges.

Actually, it may be better to specify IP-address ranges from which to ACCEPT mail, rather than ranges from which to REJECT mail. If an email client would allow for that kind of filtering (via a "white-list" rather than a "black-list" --- i.e. via a list of addresses/ranges to ACCEPT rather than a list of addresses/ranges to REJECT), that would probably be the less maintenance-intensive way to go.

Then I could simply specify U.S. IP address ranges that would accommodate senders of emails from my usual sources --- ISPs of relatives and friends (cox, gmail, yahoo, rocketmail, AOL, etc.), travel-related sites, investment sites, web hosting sites, and the like.


Sources of IP Address Ranges

In any case, I need some sites that provide information on ranges of addresses for countries (and companies). Here are some such sites.

  • iana.org
    (IANA = the main internet IP-address-and-domain-name assignment organization. This site offers links to the several organizations that handle IP-addresses and domain-names for North America, Asia-Pacific, Europe, etc.)

  • nirsoft.net
    (offered downloadable lists of major ip address blocks by country, in 2018)

  • find-ip-address.org
    (offered lists of major ip address blocks by country, including in CIDR 'Classless Inter-Domain Routing' format, in 2018)

  • services.ce3c.be
    (offered lists of major ip address blocks by country, in 2018)

  • proxyserverprivacy.com
    (offered info on ranges of IP addresses, in 2008)

  • dnsstuff.org
    (a site that allowed for looking up info on specific IP addresses, in 2008)

  • samspade.org
    (offered some info like dnsstuff.org, in 2008)

Sites that give information on IP address ranges assigned within countries typically go dead after a few years, but you could try WEB SEARCHES on keywords --- such as:

In 2008, the web site 'ip2location.com' offered statistics on ranges of IP addresses associated with countries:

    "[In early 2008]... the United States tops the allocation list by holding 37.73% of the IP addresses worldwide. It is followed by United Kingdom (12.83%), Japan (7.64%), China (5.74%), Germany (3.81%), France (3.65%), Canada (2.81%), Korea (2.74%), Netherlands (2.00%) and Italy (1.67%). These Top 11 countries in the list occupied more than 80% of total allocated IP address ranges in the world in 2007. The other 227 countries are sharing less than 20% of allocated IP address spaces."

A more current list may be available at this Wikipedia page, 'List of countries by IPv4 address allocation'.


A First-Octet IP-to-Country list
(256 lines long)

For each value of the first octet of an IP address (0 to 255), here is an overview of the countries (by country code) that use IP addresses in that range of 256*256*256 = 16,777,216 addresses.

Unfortunately, there was no apparent attempt, by the agencies that administer IP addresses and hostnames, to allocate the addresses in large, contiguous chunks to each country. This should be a requirement for IP address assignments in the future. They could go by country-populations to assign large blocks by country --- holding blocks in reserve for future adjustments. This should be a requirement for the new IPv6 address structure.

    (NOTE:
    In 2008, I was in the process of indicating how the countries are scattered over these '1st-octet addresses'. I did the countries US, GB, JP, CN, DE, FR, CA, KR --- accounting for over 75% of the addresses. This information was assembled from the many 'slices' of IP addresses shown, by country/code, at an old website 'ipmaster.org' (at 67.227.226.240 in 2018) that is no longer trustworthy. In 2018, that link redirects to another site that tries to control your browser. Do not go there. Use other sites that give IP address ranges for each country. See the 'Sources of IP Address Ranges' section above for some sources.)
  • 000 -
  • 001 -
  • 002 - GB,
  • 003 - US,
  • 004 - US,
  • 005 -
  • 006 - US,
  • 007 - US,
  • 008 - US,
  • 009 - US,GB,
  • 010 - "PRIVATE"
    (10.0.0.0 to 10.255.255.255 is 'private'. See below)
  • 011 - US,
  • 012 - US,CA,
  • 013 - US,
  • 014 -
  • 015 - GB,DE,FR,
  • 016 - US,
  • 017 - US,
  • 018 - US,
  • 019 - US,FR,
  • 020 - US,
  • 021 - US,
  • 022 - US,
  • 023 - GB,
  • 024 - US,CA,
  • 025 - GB,
  • 026 - US,
  • 027 -
  • 028 - US,
  • 029 - US,
  • 030 - US,
  • 031 -
  • 032 - GB,DE,FR,
  • 033 - US,
  • 034 - US,
  • 035 - US,
  • 036 -
  • 037 -
  • 038 - US,
  • 039 -
  • 040 - US,
  • 041 - CA,
  • 042 -
  • 043 -
  • 044 - US,
  • 045 - US,
  • 046 -
  • 047 - CA,
  • 048 - US,
  • 049 -
  • 050 -
  • 051 - GB,
  • 052 - US,
  • 053 - DE,
  • 054 - US,
  • 055 - US,
  • 056 - US,
  • 057 - FR,
  • 058 - JP,CN,KR,
  • 059 - JP,CN,KR,
  • 060 - US,JP,CN,KR,
  • 061 - JP,CN,FR,KR,
  • 062 - US,GB,CN,DE,FR,CA,
  • 063 - US,CA,KR,
  • 064 - US,GB,JP,CA,
  • 065 - US,CA,
  • 066 - US,CA,
  • 067 - US,GB,CA,
  • 068 - US,CA,
  • 069 - US,CA,
  • 070 - US,CA,
  • 071 - US,CA,
  • 072 - US,CA,
  • 073 - US,
  • 074 - US,CA,
  • 075 - US,CA,
  • 076 - US,CA,
  • 077 - US,GB,DE,FR,
  • 078 - US,GB,DE,FR,
  • 079 - US,GB,DE,FR,
  • 080 - US,GB,CN,DE,FR,CA,KR,
  • 081 - US,GB,JP,DE,FR,
  • 082 - US,GB,JP,DE,FR,CA,
  • 083 - US,GB,DE,FR,
  • 084 - US,GB,DE,FR,CA,
  • 085 - US,GB,CN,DE,FR,
  • 086 - GB,DE,FR,
  • 087 - US,GB,JP,DE,FR,KR,
  • 088 - US,GB,DE,FR,
  • 089 - US,GB,DE,FR,
  • 090 - GB,DE,FR,
  • 091 - US,GB,JP,CN,DE,FR,KR,
  • 092 - GB,DE,FR,
  • 093 - FR,
  • 094 - FR,
  • 095 - DE,
  • 096 - US,CA,
  • 097 - US,
  • 098 - US,
  • 099 - US,CA,
  • 100 -
  • 101 -
  • 102 -
  • 103 -
  • 104 -
  • 105 -
  • 106 -
  • 107 -
  • 108 -
  • 109 -
  • 110 -
  • 111 -
  • 112 - FR,
  • 113 -
  • 114 -
  • 115 -
  • 116 - JP,CN,KR,
  • 117 - JP,CN,KR,
  • 118 - JP,CN,KR,
  • 119 - JP,CN,KR,
  • 120 -
  • 121 - JP,CN,DE,FR,KR,
  • 122 - JP,CN,KR,
  • 123 - JP,CN,KR,
  • 124 - JP,CN,FR,KR,
  • 125 - JP,CN,KR,
  • 126 - JP,
  • 127 -
  • 128 - US,GB,DE,FR,CA,KR,
  • 129 - US,GB,JP,DE,FR,CA,KR,
  • 130 - US,GB,JP,DE,FR,CA,
  • 131 - US,GB,JP,DE,FR,CA,
  • 132 - US,GB,JP,DE,FR,CA,
  • 133 - JP,
  • 134 - US,GB,JP,CN,DE,FR,CA,KR,
  • 135 - US,GB,DE,CA,
  • 136 - US,GB,JP,DE,CA,
  • 137 - US,GB,JP,DE,FR,CA,KR,
  • 138 - US,GB,JP,DE,FR,CA,
  • 139 - US,GB,JP,DE,FR,CA,
  • 140 - US,GB,JP,DE,FR,CA,
  • 141 - US,GB,JP,DE,FR,CA,KR,
  • 142 - US,CA,
  • 143 - US,GB,JP,DE,FR,KR,
  • 144 - US,GB,JP,DE,FR,CA,
  • 145 - US,GB,DE,FR,
  • 146 - US,GB,JP,DE,FR,CA,
  • 147 - US,GB,JP,CN,DE,FR,KR,
  • 148 - US,GB,JP,DE,FR,CA,
  • 149 - US,GB,DE,FR,CA,
  • 150 - US,GB,JP,DE,FR,KR,
  • 151 - US,GB,JP,DE,
  • 152 - US,GB,DE,FR,KR,
  • 153 - US,DE,
  • 154 - US,GB,JP,CA,KR,
  • 155 - US,GB,JP,DE,FR,CA,KR,
  • 156 - US,GB,DE,FR,CA,KR,
  • 157 - US,GB,JP,DE,FR,CA,KR,
  • 158 - US,GB,JP,DE,FR,CA,KR,
  • 159 - US,GB,JP,CN,DE,FR,CA,
  • 160 - US,GB,JP,DE,FR,CA,
  • 161 - US,GB,JP,CN,DE,FR,CA,KR,
  • 162 - US,GB,JP,CN,FR,CA,
  • 163 - US,GB,JP,DE,FR,CA,KR,
  • 164 - US,GB,JP,DE,FR,CA,KR,
  • 165 - US,JP,CA,KR,
  • 166 - US,GB,JP,CN,KR,
  • 167 - US,GB,JP,CN,CA,
  • 168 - US,JP,CN,CA,KR,
  • 169 - US,GB,KR,
  • 170 - US,CA,
  • 171 - US,GB,DE,FR,
  • 172 - US,
    (172.16.*.* - 172.31.*.* is 'private'. See below.)
  • 173 -
  • 174 -
  • 175 -
  • 176 -
  • 177 -
  • 178 -
  • 179 -
  • 180 -
  • 181 -
  • 182 -
  • 183 -
  • 184 -
  • 185 -
  • 186 -
  • 187 -
  • 188 - DE,
  • 189 -
  • 190 -
  • 191 -
  • 192 - US,GB,JP,CN,DE,FR,CA,KR,
    (192.168.*.* is 'private'. See below.)
  • 193 - US,GB,CN,DE,FR,CA,
  • 194 - US,GB,JP,CN,DE,FR,CA,KR,
  • 195 - US,GB,CN,DE,FR,CA,
  • 196 - US,DE,
  • 197 -
  • 198 - US,GB,JP,CN,DE,CA,
  • 199 - US,GB,JP,DE,FR,CA,
  • 200 - US,
  • 201 -
  • 202 - US,JP,CN,KR,
  • 203 - US,GB,JP,CN,KR,
  • 204 - US,GB,JP,DE,FR,CA,
  • 205 - US,GB,CA,
  • 206 - US,JP,CA,KR,
  • 207 - US,GB,CA,
  • 208 - US,GB,CA,
  • 209 - US,CA,
  • 210 - US,JP,CN,KR,
  • 211 - JP,CN,DE,KR,
  • 212 - US,GB,JP,CN,DE,FR,CA,KR,
  • 213 - US,GB,DE,FR,CA,
  • 214 - US,
  • 215 - US,
  • 216 - US,JP,CA,
  • 217 - US,GB,JP,CN,DE,FR,CA,
  • 218 - JP,CN,KR,
  • 219 - JP,CN,KR,
  • 220 - JP,CN,KR,
  • 221 - JP,CN,KR,
  • 222 - JP,CN,KR,
  • 223 -
  • 224 -
  • 225 -
  • 226 -
  • 227 -
  • 228 -
  • 229 -
  • 230 -
  • 231 -
  • 232 -
  • 233 -
  • 234 -
  • 235 -
  • 236 -
  • 237 -
  • 238 -
  • 239 -
  • 240 -
  • 241 -
  • 242 -
  • 243 -
  • 244 -
  • 245 -
  • 246 -
  • 247 -
  • 248 -
  • 249 -
  • 250 -
  • 251 -
  • 252 -
  • 253 -
  • 254 -
  • 255 -

White-list or Black-list ? (or both ? )

The list above is oriented toward specifying IP address ranges from which I expect to DENY mail. According to the 'ip-address-slices' data, I would have to 'refine' the denial-ranges into many thousands (tens of thousands?) of tiny slices, to avoid squelching mail from desired sites/countries. So ...

I ALSO want to collect ranges of addresses to accommodate various ISPs and companies from which I would expect to ALLOW mail (a 'white-list').

  • ??? to ??? - gmail
  • ??? to ??? - cox
  • ??? to ??? - road-runner
  • ??? to ??? - AOL
  • ??? to ??? - Schwab
  • ??? to ??? - Amtrak
  • ??? to ??? - American airlines
  • ??? to ??? - Hilton hotels
  • ??? to ??? - etc. etc.

No doubt I would have to 'widen' or 'add to' these allowance-ranges to avoid squelching mail from desired sites --- especially whenever they added an outgoing mail server whose IP address lay outside the ranges from which I was accepting mail.

It is beginning to look like the best way to go would be to consider mail 'guilty until proven innocent' --- that is, to send mail to a 'suspected-spam' folder, UNLESS the 'first' 'Received: from' IP address (usually the 'bottom-most' IP address in the list of mail header lines) is in a "white-list" of addresses/ranges. I.e. it may be better to use a "white-list" than a "black-list", for my purposes.

IN ANY CASE, I would NOT use filters based on the IP-addresses/ranges to IMMEDIATELY DELETE incoming emails. I would automatically route mail from certain ranges of IP addresses to a probable-spam folder, which I would scan occasionally to see if any desirable mail was directed there.


'PRIVATE' IP address ranges

'Reserved' IP address ranges

  • 10.0.0.0 - 10.255.255.255
  • 172.16.0.0 - 172.31.255.255
  • 192.168.0.0 - 192.168.255.255
are defined by RFC 1918. (An RFC is an Internet 'Request for Comments' document --- which often becomes a rule or protocol.)

As explained at this FAQ (at tech-faq.com), 'private' IP addresses are special, because they can be utilized over and over again on different networks. For example, two different companies can have 192.168.*.* networks at the same time.

All home networks, 'behind' a router, use IP addresses in this range --- 192.168-prefixed addresses. The home router is typically 192.168.0.1, with addresses of the form 192.168.0.* for the PC(s) in the home.

Private IP address ranges are considered non-routable. That is to say, private IP addresses cannot communicate on the Internet. Those addresses are used on company 'intranets' --- and Network Address Translation (NAT) is used to handle external connections, like routing of email.
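
The white-list routing described in the sections above, as an added Python example (not code from the original post or from any email client): it takes the bottom-most 'Received: from' address that lies outside the RFC 1918 private ranges, compares it against user-specified 'first - last' or CIDR ranges, and returns a folder name. The function names, the internal hop in SAMPLE and the ALLOW entries are assumptions made for the example.

```python
import email
import ipaddress
import re

# IPv4 literal in square brackets inside the parenthesised part of the
# "from" clause, as in the page's sample: from host ([162.93.212.202])
_BRACKETED_IP = re.compile(r"\([^()]*\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_ranges(specs):
    """Accept 'first - last' ranges or CIDR blocks; return ip_network objects."""
    nets = []
    for spec in specs:
        if "-" in spec:
            first, last = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-"))
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.ip_network(spec.strip()))
    return nets

# The three private ranges exactly as the page lists them (RFC 1918).
RFC1918 = parse_ranges(["10.0.0.0 - 10.255.255.255", "172.16.0.0 - 172.31.255.255",
                        "192.168.0.0 - 192.168.255.255"])

def key_received_ip(raw_message):
    """Bottom-most public 'Received: from' address, or None if there is none."""
    msg = email.message_from_string(raw_message)
    for value in reversed(msg.get_all("Received", [])):
        from_clause = re.split(r"\sby\s", value.strip(), maxsplit=1)[0]
        match = _BRACKETED_IP.search(from_clause)
        if not from_clause.lower().startswith("from") or not match:
            continue
        try:
            ip = ipaddress.IPv4Address(match.group(1))
        except ValueError:  # e.g. [300.1.1.1] in a malformed or forged line
            continue
        if any(ip in net for net in RFC1918):
            continue  # hop inside the sender's own network; look one line up
        return ip
    return None

def route(raw_message, allow_nets):
    """White-list decision: choose a folder, never delete."""
    ip = key_received_ip(raw_message)
    if ip is not None and any(ip in net for net in allow_nets):
        return "Inbox"
    return "suspected-spam"

# Constructed sample. The first Received line is the page's own example; the
# bottom-most one is an invented internal hop with a private address.
SAMPLE = """\
Received: from bb0ea012.schwab.com ([162.93.212.202])
      by fed1rmimpi03.cox.net with IMP
      id YJ2S1X02f4NaEDu0000000; Sun, 05 Aug 2007 14:02:27 -0400
Received: from app01.internal.example ([10.4.7.9])
      by bb0ea012.schwab.com; Sun, 05 Aug 2007 14:02:25 -0400
Subject: constructed test message

body
"""

# Assumed white-list entries for illustration, not published allocations.
ALLOW = parse_ranges(["162.93.212.0 - 162.93.212.255", "198.51.100.0/24"])
if __name__ == "__main__":
    print(key_received_ip(SAMPLE), "->", route(SAMPLE, ALLOW))
```

Everything below the line written by your own provider's mail server is supplied by the sender, as the Wikipedia quote above points out, so a white-list match on the bottom-most address is a sorting hint rather than proof of origin.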



Page was created 2008 Feb 24.

Page was changed 2009 Aug 07. (Text was added.)

Page was changed 2009 Aug 11. (Added page-breaks for better printing.)

Page was changed 2013 Apr 18. (Minor format changes.)

Page was changed 2018 Nov 14. (Added css and javascript to try to handle text-size for smartphones, esp. in portrait orientation.)