How to block mail that has a size of 0B?
Question asked by Robert Pinkerton - September 9, 2014 at 10:10 AM
Unanswered
I have recently been inundated with Spam that has a message size of 0B when received in Outlook. Strangely, SmarterMail skips content checking with the following message:
 
Message exceeds maximum scanning size, skipping content based checks.
 
I have tried a content rule to handle any email smaller than 1byte but this does not seem to have any effect. This appears to be an exploit in SmarterMail - 0 bytes is too large?
 
Anyone else seeing this or have thoughts on a fix?

17 Replies

Reply to Thread
0
John Marx Replied
In Content Filtering you can specify "under size". You could put 1 as the number and anything under 1 would apply to the filtering.
0
Thanks, John. That is exactly what I did but, for some reason, SmarterMail is seeing 0 Bytes as *bigger* than the maximum size and the content filter does nothing.
0
John Marx Replied
It is possible it is taking into account the header and everything else. :(
0
Joe Wolf Replied
I've never seen a message with zero bytes. I suspect you're having the no subject, no body problem. Check to make sure any virus scanners aren't removing the messages on the server.
Thanks,
-Joe
0
Thanks, Joe Wolf. I'm not familiar with the "no subject, no body" problem. You can see the inbox view from here and the message details screen grab is here. There is a subject and there is a body. It looks to me that the email can't possibly be 0bytes and the spammer is somehow spoofing the size? A mystery to me but this has spiked in the last two weeks.
0
Steve Reid Replied
How do these messages report in webmail?
0
Thanks for the pointer, Steve. Indeed, there are no 0 byte messages in webmail. One of the examples that reported as 0 bytes in Outlook is 608K in reality so that would explain why the rule doesn't catch it. Have to re-think my anti-spam measures, apparently.
0
Steve Reid Replied
Please use Bruce Barnes anti spam document to ensure your server is setup well:
 
0
Thanks, Steve. That's how I setup the server in the first place. Excellent document. Still letting a lot of spam through.
0
Steve Reid Replied
So you are saying these spam emails do not fail any tests at all?
0
Yep. Sadly, every one of these emails is getting past all of the Spam Checks described in Bruce's document.
0
Sounds like IS addresses, e-mail addresses or domains are whitelisted or the users or domains can override and set their own spam settings (we never allow that) or there are other issues.
 
With the latest version of SmarterMail 12.4, the internal spam checking is better than ever.
 
We use no external tests, allow no whitelisting, enforce greylisting (for 1 minute now) and take total control of the MX server - almost completely eliminating spam.
 
I'm in the process of updating now - using the tighter settings we've tested on both my SmarterMail server, a SmarterMail server in Pennsylvania - that services several hundred accounts, and on an ISP in New Orleans, with close to 3,000 accounts, and have no spam problems whatsoever.

I should have the latest version online by tonight.  Here's the link to what will always contain the most recent version: https://portal.chicagonettech.com/kb/a171/smartermail-antispam-settings-document.aspx
 
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phonr: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Thanks, Bruce. Truly appreciate you sharing your wisdom. I'll check the other settings you suggest and look for the updated document.
0
Just pushed the update. Finding out that FIREFOX runs cached pages for a long time, so anyone using Firefox should flush their browser cache to see the updated doc. Has today's date in title.
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phonr: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
Thanks, Bruce. I updated all of my setting per your document. I am still seeing a volume of spam that passes all those checks and attains a total weight of 10 or isn't scored at all. Many of the spam emails originate at .eu, .us, .biz, .br, tlds. I've created content filters to address those but if I get one more email about the Genie Zip Bra I'm going to go nuts. :-)

I did go through the specific domain settings and neither the domain nor the user can override greylisting and both use the default spam settings. There are a handful of whitelisted addresses but nothing strange.

At this point I'm a bit confused and not sure what steps to take next.

Thanks for any insights

Bob
2
Been investigating these guys for a while and just added them based on the e-mail address of "Genie Bra" being blocked - along with some other reputation information about them.  Here's a link to their website: http://www.gbudb.com/index.jsp
 
It's added as an RBL, and both the ENABLE FOR FILTERING and ENABLE FOR SMTP BLOCKING columns should be checked.
 
Don't forget to SAVE it all when you get done:
 
GBUbd RBL Setup Information
 
UPDATED: Antispam document updated with this and two other new RBLs and the background information.
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phonr: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
0
ADDENDUM

GBUdb is blocking bad sources very effectively:

[2014.09.17] 13:04:36 [188.138.93.166][418483] connected at 9/17/2014 1:04:36 PM
[2014.09.17] 13:04:36 [188.138.93.166][418483] cmd: EHLO 010b00cb.slypt.eu
[2014.09.17] 13:04:36 [188.138.93.166][418483] rsp: 250-securemail.chicagonettech.com Hello [188.138.93.166]250-SIZE 52428800250-AUTH CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2014.09.17] 13:04:36 [188.138.93.166][418483] cmd: MAIL FROM:<CableService@slypt.eu> SIZE=12916
[2014.09.17] 13:04:49 [188.138.93.166][418483] rsp: 554 Sending address not accepted due to spam filter
[2014.09.17] 13:04:49 [188.138.93.166][418483] Mail rejected due to SMTP Spam Blocking: GBUdb, SpamCannibal
[2014.09.17] 13:04:49 [188.138.93.166][418483] cmd: QUIT
[2014.09.17] 13:04:49 [188.138.93.166][418483] rsp: 221 Service closing transmission channel
[2014.09.17] 13:04:49 [188.138.93.166][418483] disconnected at 9/17/2014 1:04:49 PM
[2014.09.17] 13:07:15 [95.211.128.44][6482301] rsp: 220 securemail.chicagonettech.com Wed, 17 Sep 2014 18:07:15 +0000 UTC | SmarterMail Enterprise 12.4.5364.28866
[2014.09.17] 13:07:15 [95.211.128.44][6482301] connected at 9/17/2014 1:07:15 PM
[2014.09.17] 13:07:15 [95.211.128.44][6482301] cmd: EHLO bela2.belacompra.info
[2014.09.17] 13:07:15 [95.211.128.44][6482301] rsp: 250-securemail.chicagonettech.com Hello [95.211.128.44]250-SIZE 52428800250-AUTH CRAM-MD5250-STARTTLS250-8BITMIME250 OK
[2014.09.17] 13:07:15 [95.211.128.44][6482301] cmd: MAIL FROM:<flavioescobar@belacompra.info> BODY=8BITMIME
[2014.09.17] 13:07:27 [95.211.128.44][6482301] rsp: 554 Sending address not accepted due to spam filter
[2014.09.17] 13:07:27 [95.211.128.44][6482301] Mail rejected due to SMTP Spam Blocking: GBUdb
[2014.09.17] 13:07:27 [95.211.128.44][6482301] cmd: QUIT
[2014.09.17] 13:07:27 [95.211.128.44][6482301] rsp: 221 Service closing transmission channel
[2014.09.17] 13:07:27 [95.211.128.44][6482301] disconnected at 9/17/2014 1:07:27 PM
Bruce Barnes
ChicagoNetTech Inc
brucecnt@comcast.net

Phonr: (773) 491-9019
Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting

Reply to Thread