do you ever block emails with no subject?

keithsauer507
Level 5

We've been getting an influx of email from random Gmail accounts with no subject and rarely anything in the body.  The body may contain a few commas or a single word like "HI".  It's annoying and obviously spam.

Just curious, since there are very limited things you can do to prevent this, but perhaps do you block blank subjects?  How many valid emails do you think are accidentally sent without a subject?  Is this something that anyone has ever explored, and did it cut back on any of this junk?

I do have one example, however, where both the subject and the body were just the word "Hi".  I think this bait is trying to get people to reply back and catch valid email accounts.  I think these are bots or hijacked Gmail accounts.

11 Replies

Philip D'Ath
VIP Alumni

I just use the reputation filtering built into the IronPort.  Perhaps you need to adjust the sensitivity level.

Greg Hopp
Level 1

Perhaps I am being lazy, but I wanted to know how to block blank subjects (for the same reason) and am unable to see that in content filters.

I agree, the default reputation sensitivity is not the best, I torqued mine down quite a bit.

Hey Greg,

You can block blank subjects using either content filters or message filters.

You will need to select Condition -> Subject -> "contains" -> ^$

You can also add the additional condition as well: Other Header -> Subject -> ^$

Action -> Drop, or Quarantine.

Regards,

Matthew

Does this mean subject header?

Not sure what version of AsyncOS you have, but ours does not say "Subject".  It says "Subject Header".

Hello Keith,

My apologies, that's the one.  It's "Subject Header", which is indeed the subject line.

Regards,

Matthew

Hi, I'd like to use an "AND" condition for filtering:

blank subject AND blank body, but this condition will not work.

Hello s.licciardola,

I am not sure if this query is still pending, but in the event anyone else viewing would like to do this as well:

You would need to create a message filter, as content filters won't be able to meet this rule.

A tested scenario with a filter I used was:

    empty_body_and_subject:
    if (NOT only-body-contains(".", 1)) AND (Subject == "^$")
    {
        drop();
    }
    .

(The trailing "." on its own line is the terminator the CLI expects when entering a message filter.)

I strongly recommend, with such an aggressive filter as this, always deploying it in a fixed environment first so you can test whether it meets your expectations.

Thank you,
Matthew

It appears that it is mostly Gmail that is abused for those worthless "HI" or empty-body emails.  So we could filter this way only if the sender is from Gmail, probably.

 

Would anyone know what the intent behind these emails is, and why Gmail does not do anything about this abuse?

My wild guess is that these emails are only used to validate whether their email list is right for their next targeted attack, to eliminate any potential bounces.

Hey Duke,

 

This is purely speculation on my side, but I do have to agree with that.

It is likely a compromised / fake account used to try to harvest valid email ID information for the next wave of attack, or to begin a targeted attack.

 

Unfortunately, due to Gmail servers being of high reputation, it is generally not advisable to run this type of filter for all Gmail, as it will in turn cause a LOT of false-positive matching, even with boundary matching.

 

Regards,

Mathew

Any final thoughts on this, please?  Is Cisco working on a native detection of such use cases?

Blank subject and/or blank body only are pretty much straightforward requirements?  What would cause FPs?  Please enlighten me.

exMSW4319
Level 3

In the case you describe, is the total message size sufficiently small to preclude the possibility of legitimate mail?

I'm presuming that all of this Gmail is the genuine article and not simply forged Gmail envelopes?
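As an added illustration (not code from this thread or from Cisco), the Python script below models the blank-subject AND blank-body message filter Matthew posted, the subject-only content filter that was asked about first, and the message-size question raised in the last reply, and runs them against constructed sample messages so the matches and the false-positive cases can be checked offline before anything is deployed on an appliance. It assumes that "blank subject" means the Subject header is missing or whitespace-only (the ^$ condition), that only-body-contains(".", 1) can be modelled as "some text part contains a non-whitespace character", and that SIZE_LIMIT is a hypothetical byte cap chosen for the example; the sender domain is read from the header From, not the SMTP envelope, which is exactly the distinction the forged-envelope question points at.

```python
"""Added example (not from the thread or from Cisco): offline model of the
blank-subject / blank-body AsyncOS message filter discussed in the thread,
run against constructed sample messages."""

import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

SIZE_LIMIT = 2048  # hypothetical cap in bytes, not a value from the thread


def blank_subject(msg: EmailMessage) -> bool:
    """Subject header absent, empty, or whitespace only (the ^$ condition)."""
    subject = msg.get("Subject")
    return subject is None or re.fullmatch(r"\s*", subject) is not None


def blank_body(msg: EmailMessage) -> bool:
    """Model of NOT only-body-contains(".", 1): no text part has a
    non-whitespace character.  HTML tags are stripped first so an HTML-only
    body that renders as nothing still counts as blank.  Assumed semantics."""
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html"):
            continue  # attachments are not part of the body test
        text = part.get_content()
        if ctype == "text/html":
            text = re.sub(r"<[^>]+>", " ", text)  # crude tag strip
        if re.search(r"\S", text):
            return False
    return True


def from_domain(msg: EmailMessage) -> str:
    """Domain of the header From address (not the SMTP envelope sender)."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def evaluate(raw: str, size_limit: int = SIZE_LIMIT) -> dict:
    """Apply each condition from the thread to one raw message.

    'drop' is the AND rule from the message filter; 'subject_only' is what a
    content filter carrying just the Subject ^$ condition would match."""
    msg = email.message_from_string(raw, policy=policy.default)
    res = {
        "blank_subject": blank_subject(msg),
        "blank_body": blank_body(msg),
        "small": len(raw.encode("utf-8")) <= size_limit,
        "from_domain": from_domain(msg),
    }
    res["subject_only"] = res["blank_subject"]
    res["drop"] = res["blank_subject"] and res["blank_body"]
    return res


# Constructed sample messages (not real traffic).
SAMPLES = {
    # The pattern described in the thread: random Gmail sender, nothing else.
    "probe_empty": (
        "From: qwerty81726354@gmail.com\n"
        "To: you@example.com\n"
        "Subject:\n"
        "Content-Type: text/plain; charset=utf-8\n"
        "\n"
        "\n"
    ),
    # Same sender pattern, but a body of a few commas: survives the AND rule.
    "probe_commas": (
        "From: asdfgh9182736@gmail.com\n"
        "To: you@example.com\n"
        "Subject:\n"
        "\n"
        ",,\n"
    ),
    # HTML-only body that renders as nothing: still caught.
    "probe_html_empty": (
        "From: zxcvbn1029384@gmail.com\n"
        "To: you@example.com\n"
        "Subject: \n"
        "Content-Type: multipart/alternative; boundary=\"b1\"\n"
        "\n"
        "--b1\n"
        "Content-Type: text/plain; charset=utf-8\n"
        "\n"
        "--b1\n"
        "Content-Type: text/html; charset=utf-8\n"
        "\n"
        "<html><body><br></body></html>\n"
        "--b1--\n"
    ),
    # Legitimate mail sent without a subject: a false positive for the
    # subject-only rule, but not for the AND rule.
    "legit_no_subject": (
        "From: colleague@partner.example\n"
        "To: you@example.com\n"
        "\n"
        "Signed contract attached, see you Friday.\n"
    ),
}


def run_all() -> dict:
    """Return {sample name: verdict dict} for every constructed sample."""
    return {name: evaluate(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, res in run_all().items():
        print(f"{name:18} drop={res['drop']!s:5} subject_only="
              f"{res['subject_only']!s:5} small={res['small']} "
              f"from={res['from_domain']}")
```

Two things the run makes visible: the comma-only probe from the first post is not dropped by the AND rule, because a comma is a character and satisfies only-body-contains(".", 1), and the legitimate subject-less message is the false positive a subject-only content filter would produce. The size and From-domain fields are reported rather than acted on, since the thread leaves both as open questions.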
