How to block emails by wildcard across a server

Exim Version 4.91-5 WHM version 78.0.23

There are many email domains that are receiving spams from the same source emails,

SpamAssassin is impractical as this blocks wildcard domains only on a per-account basis.

What I want to do:
-- Check a sending domain matches a set pattern or a wildcard pattern, and if so discard silently across any server account.

What I have read so far...
I have read various topics on this:

• - Exim Blacklist Domains Issue
• - https://forums.cpanel.net/threads/block-incoming-emails-from-domain.606795/
• - deano.me/2016/05/how-to-block-emails-by-domain-in-whm-exim/
• - unix.stackexchange.com/questions/213537/regex-usage-in-exim-filtering

And the documentation on applying Exim rules.

- How to Customize the Exim System Filter File - cPanel Knowledge Base - cPanel Documentation

However, The example on the WHM Documentation is simple and does not reference wildcarding. I have set up a file per the documentation and reading links above, thus:

Code:

if
  $h_from: contains "@example.com"
  or $h_from: contains "@example.net"
  or $h_from: matches ".*@.*\.example\.org$"
  or $h_from: matches ".*@.*\.icu$"
#then noerror seen finish
then
  deliver "SpamTest <admin@atmyserver.co.uk>"
  seen finish
endif

The Exim Documentation on PCRE ( Exim Specification - Regular expressions ) states that in "matches" that single backslashes are enough (rather than double) and that dollar signs do not need escaping.

And this seems to stop the "Contains" but I suspect this rule also seems to be failing for all emails. I received reports that at least one client has received no emails since this was put in place.

What I would like to achieve

I am trying to set a single cannonical location on the server to list PCRE email from accounts that should be silently blocked from all server accounts.

I need so far:

• - To block anything from @example.com (this works)
• - To block anything from @example.net (this works)
• - To block anything from any email shaped as <anything>@<anything>.example.org
• - To block anything from any email shaped as <anything>@<anything>.icu

From the stackexchange link above I also ran the "/usr/sbin/exim -bF <scriptfile> -f <sender>" but this returned nothing; so was ambiguous (I am a litte fishing in the dark, here) .

What is the best way of achieving this aim, Once I'm confident of the PCRE working I can add further domains to the list.

Thank you.