Hello David,

Do you have a firewall, with virus filtering enabled?
If the mail contains only one attachment (as INLINE attachment) and no body, 
and the firewall removes the attachment, but keeps the rest alright and sends 
this to the receiver?
So a mail without a body could be the rest of a virus mail.

Also it could just be a "test runner". Testing the Botnet or something like 
this.

Some people use their email system like a "sms" system, just sending a 
"subject".
May this lead to a "no-body" mail?
In your example the subject is missing.

But I didn't see it a lot (or did not remember).

Greetings
Bernd

-----Original Message-----
From: David Legg [mailto:david.l...@searchevent.co.uk] 
Sent: Sunday, 22 March 2015 14:29
To: James Users List
Subject: Fighting 'no body' spam

Hi,

It has been a few years since I last wrote to the list.  Our James 2.3 
installation has been happily running all that time with no problems.

Recently however we are being plagued by a particular variety of spam that the 
Bayesian filter just can't handle; 'no-body' spam.  This variety has seemingly 
random 'from' addresses (but usually with valid domains).  They all seem to 
come from different IP addresses which suggests a bot-net and therefore can't 
be blocked by the firewall.  But the other distinguishing feature is their 
complete lack of any subject or body.  This is what makes it so difficult for 
the filter to latch onto.

A typical email looks as follows: -

  Message-ID: <A[20
  MIME-Version: 1.0
  Content-Type: text/plain; charset=us-ascii
  Content-Transfer-Encoding: 7bit
  X-MessageIsSpamProbability: 0.018074688897863164
  Received: from 38.124.60.215 ([38.124.60.215])
          by somewhere.co.uk (JAMES SMTP Server 2.3.1) with SMTP ID 965
          for <off...@somewhere.co.uk>;
          Sun, 22 Mar 2015 12:11:17 +0000 (GMT)
  Date: Sun, 22 Mar 2015 12:11:17 +0000 (GMT)
  From: ieqeq...@baboonabeach.com
  Received: from 248.32.157.238 by 46.4.123.50; Sun, 22 Mar 2015
          18:23:42 +0500


I was hoping that there was a matcher that I could use to reject all email with 
no or very small (< 4 bytes) content.  However, all I could find was the 
'SizeGreaterThan' matcher which matches the entire size of the email.

As well as knowing if there is a solution for this I was also wondering if 
anyone knows just what is the point of all this?  I've heard one theory that it 
poisons the filter but it just seems like a mindless act to me.

Regards,
David Legg
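
The check asked for above (body content under 4 bytes) sketched outside James as an added example; it is not code from either poster or from the James project. The three-way verdict is a hypothetical policy and all sample messages are constructed. It measures decoded MIME content instead of total message size, and separates the subject-only "sms" style mail mentioned in the reply from mail with neither subject nor body.

```python
from email import message_from_bytes

MIN_BODY_BYTES = 4  # threshold taken from the post ("< 4 bytes")

def body_bytes(msg):
    """Decoded size of all leaf MIME parts, ignoring surrounding whitespace."""
    total = 0
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        payload = part.get_payload(decode=True) or b""
        total += len(payload.strip())
    return total

def verdict(raw, min_bytes=MIN_BODY_BYTES):
    """Hypothetical policy: 'reject' only when body AND subject are both absent."""
    msg = message_from_bytes(raw)
    if body_bytes(msg) >= min_bytes:
        return "accept"
    subject = (msg.get("Subject") or "").strip()
    return "review" if subject else "reject"

# Constructed samples (addresses and content are made up).
HEADERS = (b"MIME-Version: 1.0\n"
           b"Date: Sun, 22 Mar 2015 12:11:17 +0000 (GMT)\n"
           b"From: sender@example.invalid\n")
# Shaped like the sample in the post: headers only, no subject, empty body.
NO_BODY = HEADERS + b"Content-Type: text/plain; charset=us-ascii\n\n\n"
# "sms"-style mail: a subject but nothing else.
SUBJECT_ONLY = HEADERS + b"Subject: running 10 min late\n\n"
NORMAL = HEADERS + b"Subject: minutes\n\nMinutes of Friday's meeting follow.\n"
# Multipart shell whose only remaining part is empty (attachment stripped upstream).
STRIPPED = (HEADERS + b'Content-Type: multipart/mixed; boundary="b1"\n\n'
            b"--b1\nContent-Type: text/plain\n\n\n--b1--\n")

if __name__ == "__main__":
    for name, raw in [("no body", NO_BODY), ("subject only", SUBJECT_ONLY),
                      ("normal", NORMAL), ("stripped attachment", STRIPPED)]:
        print(f"{name:20} -> {verdict(raw)}")
```

The stripped-attachment sample gets the same verdict as the spam sample, so a size check alone cannot tell the two apart.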
