Blocking emails from hacked Gmail accounts

Some Gmail accounts - either legitimate accounts that have been hacked, or spam accounts created for malicious purposes - will send emails with little or no content. For example, an email with a subject line of "hi" and no body text. Since these emails have very little content to analyse, it can be difficult to immediately determine if the email is legitimate or not.

EMS can detect these types of emails, and automatically block or quarantine them. Here's how to set it up.

  1. Visit your USS Dashboard and click ProductsE-mail SecurityCustom Rule Data.
  2. Click to create new Rule Data. Give it a sensible name such as "Gmail domains".
  3. In the Value field, enter
  1. Click to create a new RegEx. Call it "Gmail spam".
  2. In the value field, enter
You may need to update this RegEx with additional values, if you're regularly receiving spam emails with different subject lines. You can test out your new RegEx value at
  1. Click Message Rules, then click to add a new Rule. Call it "Quarantine Gmail spam".
Make sure that the Active checkbox is enabled, so that the new Rule will start working right away.
  1. Add a Direction Condition. Set the logic to Matches: Inbound.
  2. Add an Email size Condition. Set the logic to Less Than: 4kb.
  3. Add a Sender Condition. Set the logic to Matches: Gmail domains (or whatever name you gave the Rule Data in Step 2).
  4. Add a Subject Condition. Set the logic to Matches: Gmail spam (or whatever name you gave the RegEx in Step 4).
  5. Add a Quarantine Final Action. Set the value to Spam.
  6. Click and drag the new Rule to a sensible position in your Message Rules list. If your Service Provider has created a set of sensible default Rules, positioning this new Rule above the Confirmed Spam Rule is a good choice.
Quarantining the message (rather than deleting or blocking it) allows the intended recipient to receive a digest of this message instead. If all detected emails are indeed spam, you can change this Rule to use a Quarantine - Company Final Action instead.

The full Rule should look like this:

How did we do?