Hi Bernd,

I do have a firewall but the spam messages are not being modified.  What
I showed in my email below is what the server actually receives.

The missing subject is also a key feature of these spams together with
the lack of body copy.

I guess I could write a matcher which returns the size of the subject
and/or the body but as I mentioned it has been a while since I installed
James and I'm not into Java development as much as I used to be.

Regards,
David.



On 22/03/15 16:00, Bernd Waibel wrote:
> Hello David,
> 
> Do you have a firewall with virus filtering enabled?
> If the mail contains only one attachment (as INLINE attachment) and no body, 
> and the firewall removes the attachment, but keeps the rest alright and sends 
> this to the receiver?
> So a mail without a body could be the rest of a virus mail.
> 
> Also it could just be a "test runner". Testing the Botnet or something like 
> this.
> 
> Some people use their email system like a "sms" system, just sending a 
> "subject".
> May this lead to a "no-body" mail?
> In your example the subject is missing.
> 
> But I didn't see it a lot (or did not remember).
> 
> Greetings
> Bernd
> 
> -----Original Message-----
> From: David Legg [mailto:david.l...@searchevent.co.uk] 
> Sent: Sunday, 22 March 2015 14:29
> To: James Users List
> Subject: Fighting 'no body' spam
> 
> Hi,
> 
> It has been a few years since I last wrote to the list.  Our James 2.3 
> installation has been happily running all that time with no problems.
> 
> Recently however we are being plagued by a particular variety of spam that 
> the Bayesian filter just can't handle; 'no-body' spam.  This variety has 
> seemingly random 'from' addresses (but usually with valid domains).  They all 
> seem to come from different IP addresses which suggests a bot-net and 
> therefore can't be blocked by the firewall.  But the other distinguishing 
> feature is their complete lack of any subject or body.  This is what makes it 
> so difficult for the filter to latch onto.
> 
> A typical email looks as follows: -
> 
>   Message-ID: <A[20
>   MIME-Version: 1.0
>   Content-Type: text/plain; charset=us-ascii
>   Content-Transfer-Encoding: 7bit
>   X-MessageIsSpamProbability: 0.018074688897863164
>   Received: from 38.124.60.215 ([38.124.60.215])
>           by somewhere.co.uk (JAMES SMTP Server 2.3.1) with SMTP ID 965
>           for <off...@somewhere.co.uk>;
>           Sun, 22 Mar 2015 12:11:17 +0000 (GMT)
>   Date: Sun, 22 Mar 2015 12:11:17 +0000 (GMT)
>   From: ieqeq...@baboonabeach.com
>   Received: from 248.32.157.238 by 46.4.123.50; Sun, 22 Mar 2015 18:23:42 +0500
> 
> 
> I was hoping that there was a matcher that I could use to reject all email 
> with no or very small (< 4 bytes) content.  However, all I could find was the 
> 'SizeGreaterThan' matcher which matches the entire size of the email.
> 
> As well as knowing if there is a solution for this I was also wondering if 
> anyone knows just what is the point of all this?  I've heard one theory that 
> it poisons the filter but it just seems like a mindless act to me.
> 
> Regards,
> David Legg
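
One way to write the matcher discussed in this thread, as an added example that is not code from the thread or from the James project. It assumes the James 2.3 Mailet API (org.apache.mailet.GenericMatcher); the class name NoSubjectNoBody, the package example.james, and the choice to require both a missing subject and a near-empty body are assumptions made here.

```java
package example.james; // hypothetical package name

import java.io.IOException;
import java.io.InputStream;
import java.util.Collection;
import javax.mail.MessagingException;
import javax.mail.internet.MimeMessage;
import org.apache.mailet.GenericMatcher;
import org.apache.mailet.Mail;
/** Matches all recipients when a mail has no Subject and a near-empty body. */
public class NoSubjectNoBody extends GenericMatcher {
    private int minBodyBytes = 4; // default taken from the "< 4 bytes" idea in the thread

    public void init() throws MessagingException {
        String cond = getCondition(); // text after '=' in the match attribute
        if (cond != null && cond.trim().length() > 0) {
            try {
                minBodyBytes = Integer.parseInt(cond.trim());
            } catch (NumberFormatException e) {
                throw new MessagingException("Bad byte threshold: " + cond);
            }
        }
    }

    public Collection match(Mail mail) throws MessagingException {
        MimeMessage msg = mail.getMessage();
        String subject = msg.getSubject(); // null when the header is absent
        boolean noSubject = subject == null || subject.trim().length() == 0;
        if (noSubject && countBodyBytes(msg) < minBodyBytes) {
            return mail.getRecipients(); // match: applies to every recipient
        }
        return null; // no match
    }

    // Counts non-whitespace body bytes, stopping once the threshold is reached.
    private int countBodyBytes(MimeMessage msg) throws MessagingException {
        InputStream in = null;
        try {
            in = msg.getInputStream(); // decoded content, headers excluded
            int count = 0, b;
            while (count < minBodyBytes && (b = in.read()) != -1) {
                if (b > ' ') count++; // skip whitespace and control bytes
            }
            return count;
        } catch (IOException e) {
            throw new MessagingException("Cannot read body", e);
        } finally {
            if (in != null) try { in.close(); } catch (IOException ignored) { }
        }
    }
}
```

The byte threshold is passed as the matcher condition, for example match="NoSubjectNoBody=4" on a mailet entry in config.xml, and the matcher's package has to be listed under matcherpackages there.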

