Cisco Support Community
Community Member

Messages with no content?

I've been noticing a large number of messages with no message content. The full headers are intact, but there's nothing beyond them.

This seems like an inefficient way of directory harvesting, if that's what's going on. Whatever the cause, it's rather annoying. Brightmail doesn't catch the messages (presumably because it doesn't have anything to work with) and the source IP addresses don't have a low enough SenderBase score to trigger anything here.

What I'm wondering is: does anyone know of a way (message filters, etc.) of dropping messages that have no content other than headers? I can't figure out a way of determining how many non-header lines are in a message, and can't find any other adjustments in our C10 which would prevent blank messages from coming in.


Community Member

Re: Messages with no content?

These emails have to be really small. Find out the total message size (look in the smtp logs) and then have a message filter.

if (recv-listener == 'InboundMail') and (body-size < ##b)
quarantine ('YOURHOLDPOLICY');


##b = number of bytes
##k = number of kilobytes

YOURHOLDPOLICY = name of the quarantine you want these caught emails to go to for review.
InboundMail = assumes the default inbound listener.
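
Added example, not part of the posts above and not IronPort code: a Python sketch for checking messages exported from a quarantine or log, which counts real content after the headers instead of relying on a size threshold. The sample messages, addresses and function names are constructed for illustration; `raw_body_size` is only an assumed rough analog of what a size-based filter sees.

```python
from email import message_from_bytes, policy

def raw_body_size(raw: bytes) -> int:
    """Bytes after the first blank line (roughly what a size threshold measures)."""
    _head, _sep, body = raw.replace(b"\r\n", b"\n").partition(b"\n\n")
    return len(body)

def body_content_bytes(raw: bytes) -> int:
    """Non-whitespace bytes of decoded content, summed over every MIME leaf part."""
    msg = message_from_bytes(raw, policy=policy.default)
    total = 0
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers hold only boundaries, no content of their own
        payload = part.get_payload(decode=True) or b""
        total += len(b"".join(payload.split()))  # drop spaces, tabs, CR, LF
    return total

def is_blank(raw: bytes) -> bool:
    """True when the message carries headers but no actual content."""
    return body_content_bytes(raw) == 0

# Constructed sample messages (not taken from the thread).
HDR = b"From: a@example.com\r\nTo: b@example.net\r\nSubject: hi\r\n"
HEADERS_ONLY = HDR + b"\r\n"
WHITESPACE_ONLY = HDR + b"\r\n \r\n\r\n\t\r\n"
NORMAL = HDR + b"\r\nQuarterly report attached.\r\n"
EMPTY_MULTIPART = (
    HDR + b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\nContent-Type: text/plain\r\n\r\n\r\n--b1--\r\n"
)

if __name__ == "__main__":
    samples = {"headers_only": HEADERS_ONLY, "whitespace_only": WHITESPACE_ONLY,
               "normal": NORMAL, "empty_multipart": EMPTY_MULTIPART}
    for name, raw in samples.items():
        print(f"{name:16} raw_body={raw_body_size(raw):3}  "
              f"content={body_content_bytes(raw):3}  blank={is_blank(raw)}")
```

The empty multipart sample shows the limit of a pure size cutoff: its raw body is non-zero because of the MIME boundaries, yet it carries no content.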

Community Member

Spamassassin Catches Them

We run all the "clean" mail from our IronPort through Spamassassin (and ClamAV) and it catches those as well as the GIF STOX SPAM and Phishing emails that blow right by BrightMail. I would say that a full 1/4th of the email that makes it past BrightMail is correctly identified as spam by SA; very little spam makes it to our end users.

We've cut down considerably on false positives too, by automating the harvesting of addresses in our users' address books and adding them to our SA whitelists. This allows us to crank the threshold down tighter and still get legit mail through.

In this day and age, I don't think a single-source solution is going to be effective against the spam onslaught. I believe in a staged attack and it's been working for us.

I'll say one thing about IronPort: SenderBase is a godsend! We'd need to quadruple the horsepower of our scanners to handle the load if all that crap came through!
