
New Member

New Spam (again)

We have noticed that this kind of spam has increased (see below).
Typically it has no "To:" header, no "Subject:" header and nothing in the message body.

Does IPAS already know this?

Any suggestions for writing a filter that catches messages with no To or Subject field in the header?

---------------------------------------------
Received: from unknown (HELO korisnik-oashe5) ([194.54.182.140])
  by ironport.xxx.com with SMTP; 19 Jun 2006 15:02:36 +0700
X-SBRS-Score: -0.3
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AaMwAKjylURuh2mBExULLVE
X-IronPort-AV: i="4.06,149,1149440400";
  d="scan'"; a="161511224:sNHT34510798"
Message-ID: <000d01c69376$baca1e30$8cb636c2@korisnikoashe5>
From: buicgeauavc@vela.com
Date: Mon, 19 Jun 2006 15:02:38 +0700
---------------------------------------------

TIA

2 REPLIES
New Member

Filter

Since rcpt-to acts on the 2821 header, you can't really check for it being blank. I believe you can do and (header("To") == "^$") to check for a blank To in the header; however, I haven't tested this, though I will when I get into the office, since we are getting these too and, for the most part, Brightmail isn't catching them.

catch_new_spam:
if (subject == "^$") and (header("To") == "^$") and (body-size <= 3072)
{
    quarantine();
}
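
An added example, not part of the original posts and not AsyncOS filter code: a Python sketch of the same check (no usable To, no usable Subject, body of at most 3072 bytes) that reports whether each header is absent or present but empty, since the question describes absent headers while the pattern `^$` describes an empty value. The function names and sample messages are constructed for illustration.

```python
from email import message_from_bytes

BODY_LIMIT = 3072  # bytes, same threshold as the filter in the reply above

def header_state(msg, name):
    """Return 'missing', 'empty' or 'present' for one header."""
    value = msg.get(name)
    if value is None:
        return "missing"              # header line not in the message at all
    return "empty" if value.strip() == "" else "present"

def body_size(msg):
    """Decoded body size in bytes, summed over all non-multipart parts."""
    return sum(len(part.get_payload(decode=True) or b"")
               for part in msg.walk() if not part.is_multipart())

def classify(raw):
    """Flag mail with no usable To, no usable Subject and a tiny body."""
    msg = message_from_bytes(raw)
    to_state = header_state(msg, "To")
    subject_state = header_state(msg, "Subject")
    size = body_size(msg)
    suspicious = (to_state != "present" and subject_state != "present"
                  and size <= BODY_LIMIT)
    return {"to": to_state, "subject": subject_state,
            "body_size": size, "suspicious": suspicious}

# Constructed sample messages (not captured traffic).
HEADERS_ABSENT = (b"Message-ID: <1@mail.example.com>\r\n"
                  b"From: sender@example.com\r\n"
                  b"Date: Mon, 19 Jun 2006 15:02:38 +0700\r\n\r\n")
HEADERS_EMPTY = (b"From: sender@example.com\r\n"
                 b"To:\r\nSubject:\r\n\r\n")
BCC_ONLY = (b"From: sender@example.com\r\n"
            b"Subject: Minutes\r\n\r\nSee attachment.\r\n")
NORMAL = (b"From: sender@example.com\r\nTo: rcpt@example.org\r\n"
          b"Subject: Agenda\r\n\r\nAgenda for Monday.\r\n")

if __name__ == "__main__":
    for label, raw in [("absent", HEADERS_ABSENT), ("empty", HEADERS_EMPTY),
                       ("bcc-only", BCC_ONLY), ("normal", NORMAL)]:
        print(label, classify(raw))
```

The Bcc-only sample shows why the check requires both headers to be unusable: legitimate mail can arrive without a To header.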

New Member

Re: New Spam (again)

We're seeing them as well.
