How do I block messages where the header From: field is missing, blank, or invalid?


This article applies to:

  • Trustwave MailMarshal (SEG)

Question:

How do I block messages where the header From: field is missing, blank, or invalid?

Background:

Spam messages may be sent with a missing or blank From: field in the header, or a From: address that is badly formatted. Since most legitimate email includes a correctly formatted From: field, you may want to block messages with a missing or blank From: address.

These messages are generally blocked by one or more of the anti-spam technologies enabled by default in MailMarshal. You can also create a rule to block them specifically.

The rule described will block messages if any of the following is true:
  • From: field is completely missing from Header.
  • From: field exists in Header but is blank.  
  • From: field exists in Header but is a malformed address.

Note: This rule may cause false positives/over-triggering. Use it with caution. This rule is no longer part of the default policy for new installations.

  • In particular, the rule may trigger on attached messages or S/MIME signed messages where the attachment has an incomplete header part. You may need to exclude messages with mail or signed attachments from evaluation by this rule.
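
The three conditions listed above and the attached-message caveat can be checked against sample mail before enabling the rule. The following Python is an added example, not MailMarshal's own logic or part of the original article; the address syntax check (`ADDR_RE`) and all sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: simplified address syntax (local@domain.tld); not MailMarshal's definition.
ADDR_RE = re.compile(r"^[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+$")

def classify_from(msg):
    """Classify one header block as 'missing', 'blank', 'malformed' or 'ok'."""
    values = msg.get_all("From")
    if values is None:
        return "missing"                      # no From: line at all
    value = values[0].strip()
    if not value:
        return "blank"                        # From: present but empty
    _name, addr = parseaddr(value)
    return "ok" if ADDR_RE.match(addr) else "malformed"

def scan(raw):
    """Return (top-level status, [status of each attached message's header])."""
    msg = message_from_string(raw)
    attached = [classify_from(part.get_payload(0))
                for part in msg.walk()
                if part.get_content_type() == "message/rfc822"]
    return classify_from(msg), attached

# Constructed sample messages (not taken from real traffic).
REST = "To: bob@example.net\nSubject: hi\n\nbody\n"
SAMPLES = {
    "ok": "From: Alice <alice@example.com>\n" + REST,
    "missing": REST,
    "blank": "From:\n" + REST,
    "malformed": "From: alice-at-example\n" + REST,
}
# Constructed forward: valid outer From:, attached message with an incomplete header.
FORWARD = (
    "From: Alice <alice@example.com>\nTo: bob@example.net\nMIME-Version: 1.0\n"
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nsee attached\n"
    "--b1\nContent-Type: message/rfc822\n\nSubject: original\n\noriginal body\n"
    "--b1--\n"
)

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, scan(raw))
    print("forward", scan(FORWARD))
```

For the forwarded sample the outer header is valid while the attached header has no From: field, which is the situation in which a check that also evaluates attachment headers would over-trigger.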

Procedure:

Depending on the version of MailMarshal SMTP that was originally installed, you may find a pre-defined rule to accomplish this purpose.
  • If your initial MailMarshal SMTP installation was version 6.1.3 through 6.5, the default configuration includes a rule Spam & Junk Mail | Block if 'From:' field is invalid.
  • If you originally installed a later version of MailMarshal SMTP, or this rule is not present, you can create the rule as below.
  • If you originally installed an earlier version of MailMarshal SMTP, you will need to download the XML category file and then create the rule.

To get the category file if required:

  1. Download the zip file InvalidFrom.zip from the Article Attachments section below.
  2. Unpack the BlankFrom.xml file into the {Install}\Config folder.

To create the rule:

  1. Create the following rule in the MailMarshal Configurator or Management Interface:

    When a message arrives
    Where the message is incoming
    Where the message is categorized as 'InvalidFrom'
    Move the message to 'Junk'

  2. Commit configuration changes.

 

Notes:

For information on rejecting email where the SMTP Mail From: address is blank, see the following Knowledge Base article:

  • Q10228 - "How do I block email where the SMTP "Mail From:" address is blank?"

For information on rejecting email where the subject field is missing or blank, see the following Knowledge Base article:

  • Q10234 - "How do I block messages where the subject field is missing or blank?"

 

This article was previously published as: NETIQKB45546

Last Modified 4/21/2021.
https://support.trustwave.com/kb/KnowledgebaseArticle10233.aspx