1778 Views | 15 Helpful | 11 Replies
Enthusiast

do you ever block emails with no subject?

We've been getting an influx of email from random Gmail accounts with no subject and rarely anything in the body.  The body may contain a few commas or a single word like "HI".  It's annoying and obviously spam.

Just curious, since there are very few things you can do to prevent this, but perhaps do you block blank subjects?  How many valid emails do you think are accidentally sent without a subject?  Is this something that anyone has ever explored, and did it cut back on any of this junk?

I do have one example, however, where both the subject and the body were just the word "Hi".  I think this bait is trying to get people to reply back and catch valid email accounts.  I think these are bots or hijacked Gmail accounts.

11 REPLIES
VIP Advisor

I just use the reputation filtering built into the IronPort.  Perhaps you need to adjust the sensitivity level.

Beginner

Perhaps being lazy, but I wanted to know how to block blank subjects (for the same reason) and am unable to see that in content filters.

I agree, the default reputation sensitivity is not the best, I torqued mine down quite a bit.

Cisco Employee

Hey Greg,

You can block blank subjects by using content filters or message filters.

You will need to select Condition -> Subject -> "contains" -> ^$

You can also add the additional condition as well -> Other Header -> Subject -> ^$

Action -> Drop, or quarantine.

Regards,

Matthew

Enthusiast

Does this mean subject header?

Not sure what version of AsyncOS you have, but ours does not say "Subject".  It says "Subject Header".

Cisco Employee

Hello Keith,

My apologies, that's the one.  It's "Subject Header", which is indeed the subject line.

Regards,

Matthew

Beginner

Hi, I'd like to use an "AND" condition for filtering: blank subject AND blank body, but this condition will not work.

Cisco Employee

Re: hi, i'd like to use an "AND"

Hello s.licciardola,

I am not sure if this query is still pending, but in case anyone else viewing would like to do this as well:

You would need to create a message filter, as content filters won't be able to meet this rule.

A tested scenario with a filter I used was:

    empty_body_and_subject:
    if (NOT only-body-contains(".", 1)) AND (Subject == "^$")
    {
        drop();
    }
    .

I strongly recommend that with an aggressive filter like this you always deploy it in a fixed environment first, so you can test whether it meets your expectations.

Thank you,
Matthew
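The filter above can be dry-run outside the appliance. The following is an added example and not code from the post or from Cisco: it models the two AsyncOS conditions (`only-body-contains(".", 1)` and `Subject == "^$"`) with Python's standard email parser and runs them over constructed messages, so you can see which of the mails described in this thread the rule actually catches. The mapping of the AsyncOS rules to these functions, the `body_pattern` knob, the `sender_domain_only` restriction and the treatment of a message with no Subject header at all are assumptions made for illustration; the thread does not specify them, so confirm each on the appliance in a test policy.

```python
"""Python model of the AsyncOS 'empty_body_and_subject' message filter.

Added example, not code from the post or from Cisco. The mapping from the
AsyncOS rules to these functions is an assumption for illustration only.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr
from typing import Dict, Optional


def parse(raw: bytes) -> EmailMessage:
    """Parse a raw RFC 5322 message with the modern (non-compat32) policy."""
    return message_from_bytes(raw, policy=policy.default)


def subject_matches(msg: EmailMessage, pattern: str, missing_is_blank: bool) -> bool:
    """Model of   Subject == "<pattern>"   : a regex search on the header value.

    The thread does not say how the appliance treats a message with no Subject
    header at all, so that case is a parameter here rather than a guess.
    """
    subject = msg.get("Subject")
    if subject is None:
        return missing_is_blank
    return re.search(pattern, str(subject)) is not None


def body_contains(msg: EmailMessage, pattern: str, min_count: int = 1) -> bool:
    """Model of   only-body-contains(<pattern>, <min count>).

    Assumption: the rule inspects text/* parts that are not attachments and is
    true when they hold at least min_count regex matches in total.
    """
    matches = 0
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.is_attachment():
            continue
        matches += len(re.findall(pattern, part.get_content()))
    return matches >= min_count


def sender_domain(msg: EmailMessage) -> str:
    """Domain of the header From address. This header is trivially forged; on
    the appliance, key any sender condition off the envelope and SPF/DKIM."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def empty_body_and_subject(msg: EmailMessage, body_pattern: str = ".",
                           subject_pattern: str = r"^$",
                           sender_domain_only: Optional[str] = None,
                           missing_is_blank: bool = False) -> bool:
    """Decision of the posted filter; True means the message would be dropped:

        if (NOT only-body-contains(".", 1)) AND (Subject == "^$") { drop(); }

    body_pattern and sender_domain_only go beyond the post: the first lets a
    stricter body test be tried, the second restricts the drop to one sending
    domain (hypothetical knob, not something the post configures).
    """
    if sender_domain_only and sender_domain(msg) != sender_domain_only.lower():
        return False
    return (not body_contains(msg, body_pattern, 1)
            and subject_matches(msg, subject_pattern, missing_is_blank))


# Constructed sample messages for the dry run (not taken from the thread).
SAMPLES = {
    "blank_both": b"From: a@gmail.com\r\nTo: me@example.com\r\nSubject: \r\n\r\n",
    "no_subject_header": b"From: a@gmail.com\r\nTo: me@example.com\r\n\r\n",
    "commas_only": b"From: a@gmail.com\r\nTo: me@example.com\r\nSubject: \r\n\r\n,,,\r\n",
    "hi_hi": b"From: a@gmail.com\r\nTo: me@example.com\r\nSubject: Hi\r\n\r\nHi\r\n",
    "no_subject_real_body": (b"From: b@example.org\r\nTo: me@example.com\r\nSubject: \r\n\r\n"
                             b"Forgot the subject, see the attached agenda.\r\n"),
    "multipart_blank": (b"From: a@gmail.com\r\nTo: me@example.com\r\nSubject: \r\n"
                        b"MIME-Version: 1.0\r\n"
                        b'Content-Type: multipart/alternative; boundary="b1"\r\n\r\n'
                        b"--b1\r\nContent-Type: text/plain\r\n\r\n"
                        b"--b1\r\nContent-Type: text/html\r\n\r\n\r\n"
                        b"--b1--\r\n"),
}


def evaluate(samples=SAMPLES, **options) -> Dict[str, bool]:
    """Run the filter over every sample; a True value means it would be dropped."""
    return {name: empty_body_and_subject(parse(raw), **options)
            for name, raw in samples.items()}


if __name__ == "__main__":
    for name, dropped in evaluate().items():
        print(f"{name:22s} drop={dropped}")
```

Two things the dry run makes visible. With the posted body pattern `"."`, any character counts as body content, so the comma-only and single-word "Hi" bodies from the original post pass the filter; only truly empty bodies are dropped, and a mail that merely forgot its subject but carries real text is left alone, which is what makes the AND condition safe. Trying `body_pattern=r"\w"` instead drops the comma-only body as well, at the cost of also hitting legitimate punctuation-only replies. The `sender_domain_only` restriction keys off the From header here only because that is all a standalone parser has; on the appliance the From header is forgeable and a sender condition should use envelope and authentication results.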
Beginner

Re: hi, i'd like to use an "AND"

It appears that it is mostly Gmail that is abused for those unworthy "HI" or empty-body emails. So we could filter this way only if the sender is from Gmail, probably.

Would anyone know what the intent behind these emails is, and why Gmail does not do anything about this abuse?

My wild guess is that these emails are only used to validate that their email list is right for their next targeted attack, to eliminate any potential bounces.
Cisco Employee

Re: hi, i'd like to use an "AND"

Hey Duke,

This is purely speculation on my side, but I do have to agree with that.

It is likely a compromised / fake account used to try to harvest valid email ID information for the next wave of attack, or to begin a targeted attack.

Unfortunately, due to Gmail servers being of high reputation, it is generally not advisable to run this type of filter for all Gmail, as it will in turn cause a LOT of false-positive matching, even with boundary matching.

Regards,

Mathew

Beginner

Re: hi, i'd like to use an "AND"

Any final thoughts on this, please? Is Cisco working on native detection of such use cases?

Blank subject and/or blank body only are pretty much straightforward requirements? What would cause FPs? Please enlighten.

Participant

In the case you describe, is the total message size sufficiently small to preclude the possibility of legitimate mail?

I'm presuming that all of this Gmail is the genuine article and not simply forged Gmail envelopes?