Empty Body Detection

Updated 1 week ago by admin

The Empty Body detection feature has been designed to detect empty body (blank) emails.  This includes emails such as:

  • Empty bodies (including white space) with or without attachments to the email
  • Empty bodies (including white space) with only emojis with or without attachments

If the email body only contains images, this will not trigger, as many legitimate marketing emails are sent in this form.

By default, the rule will only trigger on specific email domains, such as Gmail, Microsoft and Yahoo free consumer domains. However, this can be extended by following the instructions below.

Addresses and domains entered in the Safe List are excluded from being quarantined.

  1. Visit your USS Dashboard and click Products -> E-mail Security -> Custom Rule Data
  2. Click on New and select Rule Data
  3. Give your new Rule Data a sensible name, like Empty Body Domains.
  4. Enter in the value the list of domains that you want to detect. For example, gmx.de (see the pre-defined list of known consumer domains)
     You can enter multiple domains, one per line, if required.
  5. Click on Save.
  6. Repeat Steps 1 & 2 and then click New -> Rule RegEx
  7. Give your new Rule Regex a sensible name, such as "Empty Subject Line"
  8. Add this Regex ^Accept.[d|\s]\:\s|^Hendelse\sakseptert\:\s|^Accepterad\:\s and click Save.
  9. Now navigate to Products -> E-mail Security -> Message Rules.
  10. Click the + icon to create a new rule and provide a sensible name such as "Empty Body Detection"
  11. Add a Direction Condition, with the direction set to Match Inbound.
  12. Add a Body Condition, with the logic set to Match Empty Body Detection. (This is a system level Rule Data that is only visible in the rule.)
  13. Add a Sender Condition, with the logic set to Matches: Empty body domains (the Custom Rule Data created in step 3 & 4)
  14. Add a Subject Condition, with the logic set to Does Not Match: Empty Subject Line (the regex created in step 6 & 7)
     This automatically excludes accepted meeting requests; without this condition they would be detected, causing a false positive.
  15. Add an Add to Spam score action and set the value to 147.
  16. Do not add a Final Action.
     Remember to check that your new Rule is active, by enabling the Active checkbox.
  17. Click Apply Changes
  18. Move or drag the rule up in the policy to a location above the Confirmed Spam rule.
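
The way the rule's conditions combine can be checked offline against sample messages before the rule is enabled. The Python below is an added example, not USS or vendor code: the regex and the score of 147 come from the steps above, while the whitespace/emoji test, the use of the From header for the sender, and the gmail.com list entry are assumptions.

```python
import re
from email import message_from_bytes, policy
from email.utils import parseaddr
from unicodedata import category

# Regex copied verbatim from the Rule RegEx step. Note that inside [...] the
# "|" is a literal, so [d|\s] matches "d", "|" or whitespace.
ACCEPTED = re.compile(r"^Accept.[d|\s]\:\s|^Hendelse\sakseptert\:\s|^Accepterad\:\s")
# Constructed stand-in for the "Empty Body Domains" Custom Rule Data.
DOMAINS = {"gmail.com", "gmx.de"}
SCORE = 147  # value of the "Add to Spam score" action

def is_filler(ch):
    # Assumption: whitespace, emoji (category So), joiners, skin-tone modifiers.
    return (ch.isspace() or category(ch) == "So" or ch in "\u200d\ufe0f"
            or 0x1F3FB <= ord(ch) <= 0x1F3FF)

def body_is_empty(msg):
    # Assumed approximation of the system-level "Empty Body Detection" data.
    for part in msg.walk():
        if part.is_multipart() or part.is_attachment():
            continue  # attachments do not change the result
        if part.get_content_maintype() == "image":
            return False  # image-only bodies must not trigger
        if part.get_content_maintype() == "text":
            text = part.get_content()
            if part.get_content_subtype() == "html":
                if re.search(r"<img\b", text, re.I):
                    return False
                text = re.sub(r"<[^>]*>", "", text)  # drop remaining tags
            if not all(is_filler(c) for c in text):
                return False
    return True

def spam_score(raw, direction="inbound"):
    """Score the rule would add; every condition must hold (logical AND)."""
    msg = message_from_bytes(raw, policy=policy.default)
    domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    subject = msg["Subject"] or ""
    hit = (direction == "inbound" and body_is_empty(msg)
           and domain in DOMAINS and not ACCEPTED.search(subject))
    return SCORE if hit else 0

def make(sender, subject, body):
    # Builds a constructed sample message (not real mail).
    head = (f"From: {sender}\r\nSubject: {subject}\r\n"
            "Content-Type: text/plain; charset=utf-8\r\n"
            "Content-Transfer-Encoding: 8bit\r\n\r\n")
    return (head + body).encode("utf-8")
```

Calling `spam_score(make("a@gmail.com", "Accepted: Weekly sync", ""))` returns 0, which shows the Subject condition suppressing the false positive on accepted meeting requests.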

References:

Top Consumer domains.txt

 

