Now I see a lot of mails from .cn domains which were all coming from
china
(If I firewall off all chinese networks , spam would reduce by atleast
30% flat .. but I cant do that :-()

They typical patterns I see is

Usually the envelope from is ".ru" domain and the body contains a ".cn"
email id
Should I write a combination rule for these ?

https://ecm.netcore.co.in/tmp/spam1.txt