
New Spam (again)

We have noticed that this kind of spam has increased (see below).
Typically it has no "To:" header, no "Subject:" header and nothing in the message body.

Does IPAS already know this?

Any suggestions for writing a filter that catches messages with no To or Subject field in the header?

---------------------------------------------
Received: from unknown (HELO korisnik-oashe5) ([194.54.182.140])
by ironport.xxx.com with SMTP; 19 Jun 2006 15:02:36 +0700
X-SBRS-Score: -0.3
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AaMwAKjylURuh2mBExULLVE
X-IronPort-AV: i="4.06,149,1149440400";
d="scan'"; a="161511224:sNHT34510798"
Message-ID: <000d01c69376$baca1e30$8cb636c2@korisnikoashe5>
From: buicgeauavc@vela.com
Date: Mon, 19 Jun 2006 15:02:38 +0700
---------------------------------------------

TIA


shannon.hagan
Level 1

Since rcpt-to acts on the 2821 header, you can't really check for it being blank. I believe you can do and (header("To") == "^$") to check for a blank To in the header; however, I haven't tested this, though I will when I get into the office, since we are getting these too and for the most part Brightmail isn't catching them.

catch_new_spam: if (subject == "^$") and (header("To") == "^$") and (body-size <= 3072)
{
    quarantine();
}
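An added example, not part of either reply and not IronPort filter syntax: an offline Python check for the same three conditions, useful for testing captured samples before deploying a filter. It reports a header that is absent separately from one that is present but blank, since the spam described has no "To:" or "Subject:" line at all and a filter should be tested against both cases. The function names and sample messages are constructed for illustration.

```python
from email import message_from_bytes

MAX_BODY = 3072  # same size threshold as the filter posted above

def header_state(msg, name):
    """Return 'missing' (no such header), 'empty' (blank value) or 'present'."""
    value = msg.get(name)
    if value is None:
        return "missing"
    return "present" if str(value).strip() else "empty"

def body_size(msg):
    """Bytes of decoded, whitespace-stripped payload across all leaf MIME parts."""
    total = 0
    for part in msg.walk():
        if not part.is_multipart():
            total += len((part.get_payload(decode=True) or b"").strip())
    return total

def classify(raw):
    """Flag a message when To and Subject are both missing/empty and the body is tiny."""
    msg = message_from_bytes(raw)
    to, subject = header_state(msg, "To"), header_state(msg, "Subject")
    size = body_size(msg)
    return {"to": to, "subject": subject, "body_bytes": size,
            "suspicious": to != "present" and subject != "present" and size <= MAX_BODY}

# Constructed sample messages (not taken from the thread).
COMMON = b"Message-ID: <1@example.invalid>\r\nFrom: sender@example.invalid\r\n"
SAMPLE_MISSING = COMMON + b"\r\n"
SAMPLE_EMPTY = COMMON + b"To:\r\nSubject: \r\n\r\n"
SAMPLE_NORMAL = COMMON + b"To: user@example.invalid\r\nSubject: Hello\r\n\r\nHi there\r\n"

if __name__ == "__main__":
    for label, raw in (("missing", SAMPLE_MISSING), ("empty", SAMPLE_EMPTY),
                       ("normal", SAMPLE_NORMAL)):
        print(label, classify(raw))
```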

Corey_ironport
Level 1

We're seeing them as well.