
Block spam email with both empty body and subject

Hi all,

My company has been receiving this kind of email recently, with an empty body and an empty subject. Obviously, I think this is spam email without any argument. However, my Sophos ES1100 only rated it a very low score and hence is not considering it spam.

X-SEA-Spam: Gauge=X, Probability=10%, Report='
BLANK_SUBJECT 0.1, EMPTY_BODY 0.1, HTML_90_100 0.1, HTML_NO_HTTP 0.1, MULTIPLE_RCPTS 0.1, BODYTEXTH_SIZE_10000_LESS 0, BODYTEXTP_SIZE_3000_LESS 0, BODYTEXTP_SIZE_400_LESS 0, BODY_SIZE_1000_LESS 0, BODY_SIZE_2000_LESS 0, BODY_SIZE_200_299 0, BODY_SIZE_5000_LESS 0, BODY_SIZE_7000_LESS 0, DKIM_ALIGNS 0, DKIM_SIGNATURE 0, DQ_S_H 0, NO_CTA_URI_FOUND 0, NO_URI_FOUND 0, NO_URI_HTTPS 0, SMALL_BODY 0, SPF_PASS 0, TO_UNDISCLOSED_RECIPIENTS 0, WEBMAIL_SOURCE 0, __CT 0, __CTYPE_HAS_BOUNDARY 0, __CTYPE_MULTIPART 0, __CTYPE_MULTIPART_ALT 0, __DATE_TZ_HK 0, __DKIM_ALIGNS_1 0, __DKIM_ALIGNS_2 0, __DQ_IP_SUSP_1 0, __DQ_IP_SUSP_2 0, __DQ_NEG_HEUR 0, __DQ_NEG_IP 0, __DQ_S_HIST_1 0, __DQ_S_IP_100K 0, __DQ_S_IP_10K 0, __DQ_S_IP_1K 0, __DQ_S_IP_FSO_100K 0, __DQ_S_IP_FSO_1K 0, __DQ_S_IP_HD_0 0, __DQ_S_IP_MC_1 0, __FRAUD_WEBMAIL 0, __FRAUD_WEBMAIL_FROM 0, __FROM_GMAIL 0, __FUR_RDNS_GMAIL 0, __HAS_FROM 0,
__HAS_HTML 0, __HAS_MSGID 0, __HELO_GMAIL 0, __HEX28_LC_BOUNDARY 0, __HTML_TAG_DIV 0, __MIME_HTML 0, __MIME_TEXT_H 0, __MIME_TEXT_H1 0, __MIME_TEXT_H2 0, __MIME_TEXT_P 0, __MIME_TEXT_P1 0, __MIME_TEXT_P2 0, __MIME_VERSION 0, __PHISH_SPEAR_STRUCTURE_1 0, __PHISH_SPEAR_STRUCTURE_2 0, __RDNS_WEBMAIL 0, __SANE_MSGID 0, __TO_MALFORMED_3 0, __X_GOOGLE_DKIM_SIGNATURE 0, __YOUTUBE_RCVD 0'

 

Anyway, I would like to build a rule to block this, but I find that I can't define a "blank" value in the "Attribute" input dialog. Does anybody know how to define such a rule?

Thanks and regards,

Joseph Liu



  • Hi Joseph,

    I would double check your spam settings via my KB here.. community.sophos.com/.../120802

    Make sure stuff like delay queue is on and the spam rules match. Stuff like this should be caught without having to make rules...

    But..

    If you're still bent on making this rule..

    you may want to try something like this...

    data control rule

    messages matching specific words or phrases

    enable advanced.

    next

    next

    message attributes

    header: Subject (with a capital)

    check off regular expression

    ^\s*$

    save 

    next

    include a user.. (set it to yourself for testing)

    action set to quarantine.

    when you're happy with it .. just remove yourself from the "include" tab..

  • just to be totally clear tho..

    this rule is NOT recommended...   so use it at your own risk..

  • Hi Red_Warrior,

    I checked my spam settings and they should be in default status. However, we didn't turn on delay queue.

    Anyway, I tried to create the rule you stated but it didn't work. I have the following "message attributes" added. Please advise if they are correct.

    I need both subject and body to be blank in order to block the message.

    Thanks and regards,

    Joseph

  • If delay queue was not enabled, I would wait and re-assess your email flow before making this rule.. as I mentioned, I would consider this rule hostile at best.

    if you really need to make this, do not use body.. you're asking for a whole world of hurt .. (see below)

    I would only use the subject regex..

    anyways here is some additional information about your body header

    https://www.ietf.org/rfc/rfc2822.txt

    section 3.6

    the "body" is not a required header per se but more of a required attribute that makes up an email .. It can consist of all of the fields listed under 3.6 .. it's not meant to be referred to as the "body" of a document or a required field .. if that makes sense..

    for example

    an email connection looks like this..

    telnet 1.2.3.4 25

    helo localhost
    mail from: santa@the_north_pole.com

    RCPT TO: mr_grinch@whooville.com

    DATA
    --insert message

    .

    RFC 822/2822 only requires 3 components..

    the helo string (is your smtp banner string used for reverse dns)

    mail from: is known as the mail envelope from (this is not the from that appears in your outlook)

    rcpt to: is the recipient of the message .. generally validation is done here..

    and the DATA command followed by a . at the end

    the body is anything between the DATA command and the . 

    it could contain Subject, To: From: reply-to: mime_encoded attachment, utf8 char, base 64 encoding .. or a number of other "key words"

    the rule you're making .. will only look for headers between the DATA command and the .

    If your rule requires a body: header.. that exact header may or may not exist within the "body" as defined as the space between the DATA command and the (period). Technically headers like: subject, to, from, reply-to etc.. are not actually required to send mail .. so if you make a rule that requires / looks for a header that is not required.. then you risk a false positive.

    searching for a subject is generally fine because 99% of all emails have one.. if you want to quarantine for that.. no problem .. same could be true with a To .. or a From header .. as generally they are "expected" .... they are not however required ..

    if you're bent on searching for those sorts of thing..

    you're better off to use a header rule..

    for example:

    header  body

    check off Does not exist

    then under actions maybe tag subject and continue...  

    NO Body field exists   %%subject%%

    or whatever header you wish to search for.

    In the above example, your rule is not working as expected because it's looking for both rules to exist..

    IE: 

    header matches ...   AND header matches ...

    you need to check off the box at the bottom (one of these must exist)

    then your rule will look like

    header matches ... OR header matches ...

    then your rule will match if one or the other hits instead of only if both hit.

    hope that helps a bit.
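As an added illustration (not code from the thread, from Sophos, or from the ES1100), a small Python check over constructed sample messages that separates a Subject header that is absent from one that is present but blank (the `^\s*$` regex suggested above), treats an HTML body with no text as empty, and combines the two conditions either as AND (both must hit, Joseph's intent) or as OR (either one hits, the "one of these must exist" behaviour):

```python
import re
from email import message_from_string
from email.message import Message

# Constructed sample messages (not taken from the thread).
SPAM_BLANK = (                                   # blank Subject, tag-only HTML body
    "From: someone@example.com\r\nTo: undisclosed-recipients:;\r\n"
    "Subject: \r\nMIME-Version: 1.0\r\n"
    "Content-Type: text/html; charset=utf-8\r\n\r\n<div></div>\r\n"
)
NO_SUBJECT_LEGIT = (                             # Subject header absent, real body
    "From: alice@example.com\r\nTo: bob@example.com\r\n\r\n"
    "Quick note: the meeting moved to 3pm.\r\n"
)
NORMAL = (
    "From: alice@example.com\r\nTo: bob@example.com\r\n"
    "Subject: Invoice 42\r\n\r\nPlease see attached.\r\n"
)

BLANK = re.compile(r"^\s*$")   # the "blank subject" regex from the thread
TAG = re.compile(r"<[^>]+>")   # crude tag stripper so <div></div> counts as no text


def body_text(msg: Message) -> str:
    """Concatenate the text of every text/* part, with HTML tags removed."""
    chunks = []
    for part in msg.walk():                      # yields the message itself, then subparts
        if part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        text = payload.decode(part.get_content_charset() or "utf-8", "replace")
        if part.get_content_subtype() == "html":
            text = TAG.sub("", text)
        chunks.append(text)
    return "".join(chunks)


def classify(raw: str) -> dict:
    """Distinguish 'Subject does not exist' from 'Subject exists but is blank'."""
    msg = message_from_string(raw)
    subject = msg.get("Subject")                 # None when the header is absent
    return {
        "subject_missing": subject is None,
        "subject_blank": subject is not None and BLANK.match(subject) is not None,
        "body_empty": BLANK.match(body_text(msg)) is not None,
    }


def should_quarantine(flags: dict, require_both: bool = True) -> bool:
    """AND (both conditions) by default; OR (either condition) when require_both=False."""
    hits = (flags["subject_blank"], flags["body_empty"])
    return all(hits) if require_both else any(hits)
```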