05-05-2006 01:47 PM
I've been noticing a large number of messages with no message content. The full headers are intact, but there's nothing beyond them.
This seems like an inefficient way of directory harvesting, if that's what's going on. Whatever the cause, it's rather annoying. Brightmail doesn't catch the messages (presumably because it doesn't have anything to work with) and the source IP addresses don't have a low enough SenderBase score to trigger anything here.
What I'm wondering is: does anyone know of a way (message filters, etc.) of dropping messages that have no content other than headers? I can't figure out a way of determining how many non-header lines are in a message, and can't find any other adjustments in our C10 which would prevent blank messages from coming in.
Thanks.
05-05-2006 02:13 PM
These emails have to be really small. Find out the total message size (look in the smtp logs) and then have a message filter.
if (recv-listener == 'InboundMail') and (body-size < ##b)
{
quarantine ('YOURHOLDPOLICY');
}
##b = number of bytes
##k = number of kilobytes
YOURHOLDPOLICY = name of the quarantine you want these caught emails to go to for review.
InboundMail = assumes the default inbound listener.
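The check the original poster asked for, written out as an added example (not code from either post): split a raw message at the first blank line, measure what follows, and compare "nothing but headers" with the plain size threshold the filter above uses. The sample messages and the 20-byte threshold are constructed for the example; in practice you would pick the threshold from your own SMTP logs as the reply suggests.

```python
"""Classify raw RFC 5322 messages as header-only versus small-but-real bodies.

Added example, not from the forum thread. Sample messages are constructed;
MIN_BODY_BYTES is an assumed threshold, not a recommended value.
"""

MIN_BODY_BYTES = 20  # assumed; derive the real number from your SMTP logs


def split_message(raw: bytes) -> tuple[bytes, bytes]:
    """Split at the first empty line (CRLF CRLF or LF LF, whichever comes first).

    Returns (headers, body). A message with no blank line at all is treated
    as headers only, which is what a truncated or header-only submission is.
    """
    hits = [(raw.find(sep), sep) for sep in (b"\r\n\r\n", b"\n\n")]
    hits = [(i, s) for i, s in hits if i != -1]
    if not hits:
        return raw, b""
    idx, sep = min(hits)
    return raw[:idx], raw[idx + len(sep):]


def body_size(raw: bytes) -> int:
    """Bytes after the header block, the quantity a size-threshold filter sees."""
    return len(split_message(raw)[1])


def is_header_only(raw: bytes) -> bool:
    """True when nothing but whitespace follows the header block."""
    return split_message(raw)[1].strip() == b""


def classify(raw: bytes, min_body_bytes: int = MIN_BODY_BYTES) -> str:
    """'header-only' (empty body), 'tiny-body' (under threshold), or 'ok'."""
    if is_header_only(raw):
        return "header-only"
    if body_size(raw) < min_body_bytes:
        return "tiny-body"
    return "ok"


# Constructed samples (RFC 5737 test address, reserved example domains).
SAMPLE_HEADER_ONLY = (
    b"Received: from mx.example.net ([192.0.2.10]) by mail.example.com; "
    b"Fri, 05 May 2006 13:40:00 -0400\r\n"
    b"From: sender@example.net\r\n"
    b"To: user@example.com\r\n"
    b"Subject: test\r\n"
    b"Message-ID: <1@example.net>\r\n"
    b"\r\n"
)
SAMPLE_WHITESPACE_BODY = SAMPLE_HEADER_ONLY + b"   \r\n\r\n"
SAMPLE_TINY_BODY = SAMPLE_HEADER_ONLY + b"ok\r\n"  # legitimate one-word reply
SAMPLE_NORMAL = (
    SAMPLE_HEADER_ONLY + b"Hi,\r\n\r\nPlease find the quarterly numbers attached.\r\n"
)
SAMPLE_NO_SEPARATOR = b"From: sender@example.net\r\nTo: user@example.com\r\n"

if __name__ == "__main__":
    for name, raw in [
        ("header-only", SAMPLE_HEADER_ONLY),
        ("whitespace-body", SAMPLE_WHITESPACE_BODY),
        ("tiny-body", SAMPLE_TINY_BODY),
        ("normal", SAMPLE_NORMAL),
        ("no-separator", SAMPLE_NO_SEPARATOR),
    ]:
        print(f"{name:16} body={body_size(raw):3d}B -> {classify(raw)}")
```

The distinction matters for false positives: a pure size threshold, which is all the `body-size` condition offers, also sweeps up a genuine "ok" reply (4 bytes of body here), whereas the empty-body test only flags messages with nothing after the headers. Quarantining rather than dropping, as the reply suggests, is the sensible default while you tune the number.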
05-27-2006 01:28 AM
We run all the "clean" mail from our IronPort through Spamassassin (and ClamAV) and it catches those as well as the GIF STOX SPAM and Phishing emails that blow right by BrightMail. I would say that a full 1/4th of the email that makes it past BrightMail is correctly identified as spam by SA; very little spam makes it to our end users.
We've cut down considerably on false positives too, by automating the harvesting of addresses in our users' address books and adding them to our SA whitelists. This allows us to crank the threshold down tighter and still get legit mail through.
In this day and age, I don't think a single-source solution is going to be effective against the spam onslaught. I believe in a staged attack and it's been working for us.
I'll say one thing about IronPort: SenderBase is a godsend! We'd need to quadruple the horsepower of our scanners to handle the load if all that crap came through!
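An added illustration of the address-book harvesting described in the post above (this is not the poster's script): take an address-book export, normalise and de-duplicate the addresses, drop anything in your own domain, and emit SpamAssassin `whitelist_from` lines. The CSV layout, the `example.com` local domain and the sample rows are assumptions constructed for the example.

```python
"""Turn harvested address-book entries into SpamAssassin whitelist lines.

Added example, not code from the forum thread. The CSV column names, the
LOCAL_DOMAIN value and the sample rows are assumptions.
"""
import csv
import io
import re

LOCAL_DOMAIN = "example.com"  # assumed: your own domain

# Constructed address-book export with duplicates, mixed case and junk rows.
ADDRESS_BOOK_CSV = """\
Name,Email
Alice Vendor,Alice.Vendor@supplier.example.net
Bob Partner,bob@partner.example.org
Alice Vendor (again),alice.vendor@supplier.example.net
Internal Colleague,colleague@example.com
Broken Row,not-an-address
,
"""

# Deliberately strict: one local part, one domain with a dot, no whitespace.
ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def harvest_addresses(csv_text: str, local_domain: str = LOCAL_DOMAIN) -> list[str]:
    """Return unique, lower-cased external addresses in first-seen order."""
    seen: set[str] = set()
    result: list[str] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        addr = (row.get("Email") or "").strip().lower()
        if not ADDR_RE.match(addr):
            continue
        # Never whitelist your own domain: a forged internal From: header
        # would otherwise walk straight past the score threshold.
        if addr.rsplit("@", 1)[1] == local_domain:
            continue
        if addr not in seen:
            seen.add(addr)
            result.append(addr)
    return result


def to_whitelist_cf(addresses: list[str], directive: str = "whitelist_from") -> str:
    """Render one SpamAssassin directive per address, ready for a local .cf file."""
    return "".join(f"{directive} {addr}\n" for addr in addresses)


if __name__ == "__main__":
    print(to_whitelist_cf(harvest_addresses(ADDRESS_BOOK_CSV)), end="")
```

`whitelist_from` matches only on the From: header, which spammers forge freely, so a harvested list of hundreds of external addresses widens the target for spoofed mail; where the sending relays are stable, `whitelist_from_rcvd`, which also requires the relay's reverse DNS to match, is the safer directive to generate.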