I must implement the following rule with these content filtering criteria:
* subject: empty
* body: empty
I've already done some tests.
Subject --> equals (or contains)= ^$
Body --> contains= ^$
If I set the condition on "if one or more is matched" it works; if I set the condition on "only if all conditions match", and I need the second one, the combination of both.
Can someone help me?
Our content search filter conditions (i.e. body-contains, attachment-contains, etc.) all search line by line, like grep. We can search for empty lines (^$)... However, most emails have at least one empty line in the body section, so there would be many, many FPs.
I suggest reviewing examples of these 'no body' emails. There may be something else that these emails have in common that can be detected in filters.
Also, just because it looks 'empty' to the human eye doesn't mean it is truly empty. There may be whitespace, HTML code, or unprintable characters. So make sure to look deep (i.e. packet capture, archive via Message Filter, or injection debug logs).
The content filter conditions would work as expected with the AND OR conditions.
How it works would depend on the email sample you are testing with. I would recommend saving the original email as .eml and then opening it in a text editor to review the actual contents of the email.
- Libin V
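
The manual check recommended in the replies (save the message as .eml and look at what is really in it), as an added Python example that is not part of the original thread: it reports whether the subject and body are empty once HTML markup, whitespace and invisible characters are stripped, and whether a grep-style `^$` line match would fire. The function names and the three sample messages are constructed for illustration.

```python
import unicodedata
from email import message_from_bytes, policy
from html.parser import HTMLParser

class TextOnly(HTMLParser):
    """Collect character data only, skipping tags and <style>/<script> content."""
    def __init__(self):
        super().__init__()
        self.chunks, self.skip = [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("style", "script"):
            self.skip += 1
    def handle_endtag(self, tag):
        if tag in ("style", "script") and self.skip:
            self.skip -= 1
    def handle_data(self, data):
        if not self.skip:
            self.chunks.append(data)

def visible(text, is_html=False):
    """Strip markup, whitespace, control and zero-width characters."""
    if is_html:
        parser = TextOnly()
        parser.feed(text)
        parser.close()
        text = "".join(parser.chunks)
    # Unicode categories Z* (space, NBSP) and C* (\n, \t, zero-width space) are invisible
    return "".join(c for c in text if unicodedata.category(c)[0] not in "ZC")

def analyze(raw_eml):
    """Report how 'empty' a raw .eml (bytes) really is, and what ^$ per line would see."""
    msg = message_from_bytes(raw_eml, policy=policy.default)
    raw_body = shown = ""
    for part in msg.walk():
        if part.get_content_maintype() == "text" and not part.is_attachment():
            content = part.get_content()
            raw_body += content
            shown += visible(content, part.get_content_subtype() == "html")
    return {
        "subject_empty": visible(str(msg["subject"] or "")) == "",
        "body_zero_length": raw_body == "",
        "body_looks_empty": shown == "",
        "blank_line_match": "" in raw_body.splitlines(),
    }

# Constructed sample messages (not taken from the thread)
NORMAL = b"Subject: Report\nContent-Type: text/plain\n\nHello,\n\nSee attachment.\n"
HTML_BLANK = (b"Subject: \nContent-Type: text/html; charset=utf-8\n\n"
              b"<html><body><br>&nbsp;&#8203;\n</body></html>\n")
ZERO = b"Subject:\nContent-Type: text/plain\n\n"
```

On the samples, the ordinary message is the only one with a blank body line, while the HTML message renders as empty without containing one, which is the mismatch the replies point out.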