Want help to create a rule for filtering mails with empty message body and attachments


Swati Rananaware
I want to create a rule to flag a mail with an empty message body and an attachment. I have read about the PDFInfo plugin, but I am not allowed to enable any kind of plugin on the server, so creating a rule is a must for me. I have created some rules previously, but the problem is that I am not able to understand how to check for an empty message body, because even if we have sent an empty mail, the mail contains

--f46d04479717af73f704bb6c327d
Content-Type: text/plain; charset=UTF-8



--f46d04479717af73f704bb6c327d
In that case, I am not able to find a way to filter a message with empty body.
Please suggest something to sort out this problem.

Thanks in advance.



Re: Want help to create a rule for filtering mails with empty message body and attachments

Swati Rananaware
Sorry for bothering you guys.
Found answer to my question:

body BODY_RULE_1 /[::blank::]/
describe BODY_RULE_1 blank mail body
score BODY_RULE_1 1.0

mimeheader MIMEHEADER_RULE_01 Content-Type =~ /multipart\/mixed/i
describe MIMEHEADER_RULE_01 Attachments
score MIMEHEADER_RULE_01 0.5

meta META_RULE_1  BODY_RULE_1 && MIMEHEADER_RULE_01
describe META_RULE_1 Empty mail body with attachment
score META_RULE_1 1.5


Thanks,
-Swati



Re: Want help to create a rule for filtering mails with empty message body and attachments

Michael Scheidell-3
> Sorry for bothering you guys.
> Found answer to my question:
>
Cool.. this should be part of the stock SA rules.


--
Michael Scheidell, CTO

Re: Want help to create a rule for filtering mails with empty message body and attachments

RW-15
In reply to this post by Swati Rananaware
On Sat, 24 Mar 2012 16:39:51 +0530
Swati Rananaware wrote:

> Sorry for bothering you guys.
> Found answer to my question:
>
> body BODY_RULE_1 /[::blank::]/

That will hit any body with a space or tab in it.

Re: Want help to create a rule for filtering mails with empty message body and attachments

John Hardin
On Sat, 24 Mar 2012, RW wrote:

> On Sat, 24 Mar 2012 16:39:51 +0530
> Swati Rananaware wrote:
>
>> Sorry for bothering you guys.
>> Found answer to my question:
>>
>> body BODY_RULE_1 /[::blank::]/
>
> That will hit any body with a space or tab in it.

It's going to be rather hard to check for a blank body, as the Subject
header is treated as part of the body.

Perhaps (totally untested):

body   __NONSUBJ_BODY   /^(?!Subject:\s)/
meta   EMPTY_BODY   !__NONSUBJ_BODY

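The condition the thread is trying to express (blank text body AND an attachment present, i.e. META_RULE_1), implemented as an added standalone MIME check in Python rather than as SpamAssassin rules; this is example code, not from the list or the SpamAssassin project. It decodes each inline text/* part and treats whitespace-only content as blank, which avoids the single-space-or-tab false hit RW points out; unlike an SA body rule it does not see the Subject header as part of the body, so John's caveat does not apply here. The sample messages, boundary string and addresses are constructed.

```python
from email import message_from_string
from email.message import Message

# Constructed sample messages (not taken from the thread): a multipart/mixed
# mail whose text/plain part is blank plus an attachment, the same mail with a
# real sentence in the body, and the blank one with the file marked inline.
BLANK_BODY_MAIL = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: quarterly report
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b0undary42"

--b0undary42
Content-Type: text/plain; charset=UTF-8


--b0undary42
Content-Type: application/octet-stream; name="report.bin"
Content-Disposition: attachment; filename="report.bin"
Content-Transfer-Encoding: base64

AAECAw==
--b0undary42--
"""
TEXT_BODY_MAIL = BLANK_BODY_MAIL.replace(
    "charset=UTF-8\n\n\n", "charset=UTF-8\n\nPlease see the attached report.\n\n")
NO_ATTACHMENT_MAIL = BLANK_BODY_MAIL.replace(
    "Content-Disposition: attachment;", "Content-Disposition: inline;")

def body_is_blank(msg: Message) -> bool:
    """True when every inline text/* part decodes to whitespace only."""
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue                      # multipart containers, binary parts
        if part.get_content_disposition() == "attachment":
            continue                      # an attached .txt file is not the body
        payload = part.get_payload(decode=True) or b""
        charset = part.get_content_charset() or "utf-8"
        if payload.decode(charset, errors="replace").strip():
            return False                  # found real text, not blank
    return True

def has_attachment(msg: Message) -> bool:
    """True when any MIME part carries Content-Disposition: attachment."""
    return any(p.get_content_disposition() == "attachment" for p in msg.walk())

def empty_body_with_attachment(raw: str) -> bool:
    """The META_RULE_1 condition: blank body AND at least one attachment."""
    msg = message_from_string(raw)
    return body_is_blank(msg) and has_attachment(msg)
```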