02-02-2016 02:11 PM
We've been getting an influx of email from random gmail accounts with no subject and rarely anything in the body. The body may contain a few commas or a single word like "HI". It's annoying and obviously spam.
Just curious since there are very limited things you can do to prevent this, but perhaps do you block blank subjects? How many valid emails do you think are accidentally sent without a subject? Is this something that anyone has ever explored and did it cut back on any of this junk?
I do have one example however where both the subject and the body were just the word Hi. I think this bait is trying to get people to reply back and catch valid email accounts. I think these are bots or hijacked gmail accounts.
02-02-2016 08:53 PM
I just use the reputation filtering built into the Ironport. Perhaps you need to adjust the sensitivity level.
02-09-2016 09:31 AM
Perhaps being lazy, but I wanted to know how to block blank subjects (for the same reason) and am unable to see that in content filters.
I agree, the default reputation sensitivity is not the best, I torqued mine down quite a bit.
02-09-2016 04:36 PM
Hey Greg,
You can block blank subjects through the use of content filters or message filters.
You will need to select condition -> Subject -> "contains" -> ^$
You can also add the additional condition as well -> Other Header -> Subject -> ^$
Action -> Drop, or quarantine.
Regards,
Matthew
02-10-2016 06:27 AM
Does this mean subject header?
Not sure what version of AsyncOS you have, but ours does not say subject. It says subject header.
02-10-2016 12:48 PM
Hello Keith,
My apologies, that's the one. It's subject header, which is indeed the subject line.
Regards
Matthew
02-01-2017 02:51 AM
Hi, I'd like to use an "AND" condition for filtering
blank subject AND blank bodies, but this condition will not work.
02-15-2018 04:09 AM
10-16-2018 01:21 PM - edited 10-16-2018 01:22 PM
It appears that it is mostly Gmail that is abused for those unworthy "HI" or empty-body emails. So we could probably filter this way only if the sender is from Gmail.
Would anyone know what the intent behind these emails is, and why Gmail does not do anything about this abuse?
My wild guess is that these emails are only used to validate if their email list is right for their next targeted attack, to eliminate any potential bounce.
10-16-2018 04:43 PM
Hey Duke,
This is purely speculation on my side but I do have to agree with that.
It is likely a compromised / fake account used to try to harvest valid email ID information for the next wave of attack or to begin a targeted attack.
Unfortunately due to Gmail servers being of high reputation it is generally not advisable to run this type of filter for all Gmail as it will in turn cause a LOT of false positive matching, even with boundary matching.
Regards,
Mathew
09-05-2019 11:47 PM
Any final thoughts on this please? Is Cisco working on a native detection of such use cases?
Blank subject and/or blank body only are pretty much straight requirements? What would cause FPs? Please enlighten.
02-10-2016 02:06 PM
In the case you describe, is the total message size sufficiently small to preclude the possibility of legitimate mail?
I'm presuming that all of this Gmail is the genuine article and not simply forged Gmail envelopes?
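An added illustration, not part of the thread and not AsyncOS filter syntax: the Python sketch below applies the combination discussed above (blank subject AND blank or "Hi"-only body) to constructed sample messages. The `TRIVIAL` pattern, the `classify` name and the choice to always deliver mail that carries an attachment are assumptions made for this example.

```python
import re
from email import message_from_string

# Superset of the thread's ^$ test: empty, whitespace, a few commas, or just "Hi".
TRIVIAL = re.compile(r"^[\s,]*(hi)?[\s,.!]*$", re.I)

def classify(raw):
    """Return 'quarantine' when subject AND body are both blank/bait, else 'deliver'."""
    msg = message_from_string(raw)
    subject = msg.get("Subject")              # None when the header is missing entirely
    subject_bait = subject is None or bool(TRIVIAL.match(subject))
    text, has_attachment = [], False
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_filename() or part.get_content_maintype() != "text":
            has_attachment = True             # assumed legitimate, e.g. scan-to-email
        else:
            data = part.get_payload(decode=True) or b""
            text.append(data.decode("utf-8", "replace"))
    body_bait = bool(TRIVIAL.match("".join(text)))
    if has_attachment:
        return "deliver"                      # blank subject/body alone is not enough
    return "quarantine" if subject_bait and body_bait else "deliver"

# Constructed sample messages (addresses and content are made up for this example).
HDR = "From: sender@gmail.com\nTo: user@example.org\n"
SAMPLES = {
    "blank_both": HDR + "Subject:\n\n\n",
    "hi_hi": HDR + "Subject: Hi\n\nHI\n",
    "commas_no_header": HDR + "\n,,,\n",      # no Subject header at all
    "real_no_subject": HDR + "Subject:\n\nHi, can you call me back today?\n",
    "attachment_only": HDR + "Subject:\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n--b1\n'
        "Content-Type: text/plain\n\n\n--b1\n"
        "Content-Type: application/pdf\n"
        'Content-Disposition: attachment; filename="scan.pdf"\n'
        "Content-Transfer-Encoding: base64\n\nJVBERi0xLjQK\n--b1--\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:18} {classify(raw)}")
```

The last two samples show where a subject-only `^$` rule would misfire: a real message sent without a subject, and an attachment-only message with nothing typed in the body.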