Bug 3416 - Spam with empty body
Summary: Spam with empty body
Status: RESOLVED WORKSFORME
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: Rules (show other bugs)
Version: SVN Trunk (Latest Devel Version)
Hardware: Other other
: P5 normal
Target Milestone: Future
Assignee: SpamAssassin Developer Mailing List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-05-21 05:11 UTC by Christian Becker
Modified: 2006-12-30 19:59 UTC (History)
0 users


Attachment Type Modified Status Actions Submitter/CLA Status
Some samples text/plain None Christian Becker [NoCLA]
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Christian Becker 2004-05-21 05:11:44 UTC 
In the last month, I've received 9 spam with empty bodies, which would make 
them 1.5% of my spam that month. Some others came in january. Two of these got 
through, the problem of course being that the ruleset had not much information 
to catch, not to mention bayes (hits about 65%, after all).
So I suggest a MISSING_BODY rule to complement MISSING_SUBJECT et al - any 
objections? Would we run into issues with listservers etc.?
Don't know whether this is caused by a bad setup at the spammer's side, or if 
they just want to be annoying. This might be exploited to send spam just in 
the subject - say "Important Notification - see [url]" (where URIDNSBL could 
kick in of course).
Comment 1 Christian Becker 2004-05-21 05:18:46 UTC 
Created attachment 1965 [details]
Some samples

Looks like it's all from the same sender [or software?] - garbage sender
addresses, missing To: line; missing subject, weird MessageID/Info.

There's a thread on SpamCop - they suggest spammers are "testing the waters":
http://news.spamcop.net/pipermail/spamcop-list/2004-February/073757.html
Comment 2 Justin Mason 2004-05-21 06:29:14 UTC 
Subject: Re:  New: Spam with empty body 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


I used to get a lot of these.  For a while I thought it was "testing
the waters" -- but now I'm pretty sure it's broken spamware apps.

- --j.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Exmh CVS

iD8DBQFArgQNQTcbUG5Y7woRAqsAAKDqa4J7c25VUUvUhNSlPy+O78XAKACgn+5U
t9pD5RhKQJq109ZU5XyES8o=
=GbdK
-----END PGP SIGNATURE-----
Comment 3 Bob Menschel 2004-05-22 11:13:33 UTC 
I've been testing the following within SARE: 
body      __SARE_HTML_HAS_MSG   /./
meta      SARE_HTML_NO_BODY     ( !__SARE_HTML_HAS_MSG ) 
describe  SARE_HTML_NO_BODY     Message is empty
score     SARE_HTML_NO_BODY     1.136
#counts   SARE_HTML_NO_BODY     314s/2h of 98542 corpus (76935s/21607h RM)
#counts   SARE_HTML_NO_BODY     0s/8h of 6944 corpus (3188s/3756h CT) 
Can be a useful rule for some systems, but looks like it doesn't meet the hit 
criteria for official distribution.
Comment 4 Daniel Quinlan 2005-03-30 01:09:08 UTC 
move bug to Future milestone (previously set to Future -- I hope)
Comment 5 Theo Van Dinter 2006-12-30 19:59:06 UTC 
no movement, closing.