flagging blank email messages

Since spammers and phishers validate target email addresses by spraying blank messages I'd like to create a content compliance rule to be able to identify and redirect these messages. Google support said this is not possible and to submit a future feature request. Has anyone found a work-around?



Can I get a sample of this, a sample screenshot or a detailed explanation of how it would look, if possible?

Do you mean a sample of what a blank email message would look like, or a sample of how it would be identified? I've pasted a blank message example below (with email addresses redacted).

Here are the content compliance rules that don't work:

Expressions

Location: Body
Is empty

Location: Body
Matches regex: (^$|^.*@.*\..*$)

Delivered-To: redacted

Received: by 2002:a59:b36f:0:b0:382:ebd0:cc6d with SMTP id y15csp471985vqs;

        Fri, 13 Jan 2023 08:54:59 -0800 (PST)

X-Received: by 2002:a0d:dc46:0:b0:4e1:4a86:8cb8 with SMTP id f67-20020a0ddc46000000b004e14a868cb8mr78412ywe.36.1673628899767;

        Fri, 13 Jan 2023 08:54:59 -0800 (PST)

ARC-Seal: i=3; a=rsa-sha256; t=1673628899; cv=pass;

        d=google.com; s=arc-20160816;

        b=uH5YiwmPJfTg0DaPkKU/ANKdDveF3mSGnQBGAuASHYx+XZhxs/7j9wj/bTNgXwxjuU

         K+X9a++pQNtuy+Wt8uAcVSpWEosh0iacjNd0tR4iZohrdlq2vRTudXIlgo4r2UeWihTV

         QT7rVkqxJJ7XKl05qYtTgE40NXCzMRlbFpVewMK0T9RywymKJFOI21EeIJ8knq+fehYb

         a5popdhKpI7vbiyvATUubmct1suEJNUzTxeD6o2NF/5hJt0+Xq55NscUw42YCVJ2JedX

         lGHHsAmnurvGUpwIetin5xIGcUBhhdzPn3fymIxphN3KYWyXrf4WqpMGe58XDTGWxMxV

         sdQg==

ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;

        h=to:subject:message-id:date:from:mime-version:dkim-signature;

        bh=a66VV+YuO2pMkRWnJ9M60TWOYFEetR+6cVUWSfOFPWg=;

        b=s8V919WbzbTdLSSiTFjUeF4SJfntkiFPIayJbb31Tf0Tn8OEpE5M+3y6JF2hMSvxOb

         zgRBp7BkVVd8fRKLzVx23QqpjIFBYfWjzNA6PEZs5g6uciS3Vah0OKhy1rr4wCkO6+oA

         Amm9XaL5RtMG5u0GjRc59lOU7ahUFBFSMHmd4TMdp4ZgHerVw2tYV6b3atdi9B6dpk6C

         CyjBjnqGr+gpB3KNZN2KQC7oupZ/ICDhN/WFL+2N6UALAz5HgNMir/eG2o2v0VIMPTzy

         PLBoE59oMWiw0w1dz3DZmnTrv92pz1U4ds5xqhiOdnlASGhwxEfCUO2MbxNqvYqtg05r

         BbZw==

ARC-Authentication-Results: i=3; mx.google.com;

       dkim=fail header.i=@gmail.com header.s=20210112 header.b=Y2bizebV;

       arc=pass (i=2 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com);

       spf=pass (google.com: domain of redacted @gmail.com designates 209.85.220.69 as permitted sender) smtp.mailfrom= redacted @gmail.com;

       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com

Return-Path: <redacted @gmail.com>

Received: from mail-sor-f69.google.com (mail-sor-f69.google.com. [209.85.220.69])

        by mx.google.com with SMTPS id 206-20020a8101d7000000b003e927b92f06sor10242546ywb.150.2023.01.13.08.54.59

        for <redacted>

        (Google Transport Security);

        Fri, 13 Jan 2023 08:54:59 -0800 (PST)

Received-SPF: pass (google.com: domain of redacted @gmail.com designates 209.85.220.69 as permitted sender) client-ip=209.85.220.69;

Authentication-Results: mx.google.com;

       dkim=fail header.i=@gmail.com header.s=20210112 header.b=Y2bizebV;

       arc=pass (i=2 spf=pass spfdomain=gmail.com dkim=pass dkdomain=gmail.com dmarc=pass fromdomain=gmail.com);

       spf=pass (google.com: domain of redacted @gmail.com designates 209.85.220.69 as permitted sender) smtp.mailfrom= redacted @gmail.com;

       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com

ARC-Seal: i=2; a=rsa-sha256; t=1673628899; cv=pass;

        d=google.com; s=arc-20160816;

        b=iW9onMSjCXIFXDBwVOU1PHY3hfJpL4VHuaS2VsgSm/Zbnc+J68SiBwVyCEDIFF4MU5

         2o1OcpVLlPRM/EB160nTYy8w4cPeV83AJa4OiyhCzhNE9CJ/o9R7O9mUSGqPfDJhmaiT

         FQr20jmiU01RBMDlAbUwY05RiCrnJFXGTSQxWsugMU1t3WxMHCYdcs+DdM5EQZGiOauV

         08IkSKkbUuzMUmc4OXX/qT/xFhncANDK57Acu+n40jk+NU42UauLElMSRYdt1qKq3OYB

         EqWgjdSLz+wae3HINXhVq6b+V7LKqbf8QI1RZvpkp+uAzoYrVOLiGGss2uzd5DEwjHn0

         M30g==

ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;

        h=to:subject:message-id:date:from:mime-version:dkim-signature;

        bh=a66VV+YuO2pMkRWnJ9M60TWOYFEetR+6cVUWSfOFPWg=;

        b=dfEVMK59TOValSNiB2pF6AWXv08lSbQ0DBxgzM5JatdCLMtXPXG0lwTExWaPwXspLR

         XotgNC8zLi6eytltOcOj3SPdIcGLcL3yZUL3o57F5Mzm02hrAmBNIJiA9dp1X+GW+IQ+

         JqodcvCGpmN0DWStS1UjNjpDrxfNXcFKmiiaslVJ8Ut5K08lR/TWe806LbwLOgWfMcxx

         0X4LtXqjTiMVI3IRJurmIvJxLeVPFpJAZmOurfwNmewGJi0uq15r3GT25eBQ666fy6g3

         0MSsgVZcRRW3ZtV6SOBonjIO4MBOTJkHFyOOqv3wvt4+UWMj+KAjwoOzrqfAQKMegzui

         4BXQ==

ARC-Authentication-Results: i=2; mx.google.com;

       dkim=pass header.i=@gmail.com header.s=20210112 header.b=Y2bizebV;

       spf=pass (google.com: domain of redacted @gmail.com designates 209.85.220.41 as permitted sender) smtp.mailfrom= redacted @gmail.com;

       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com

X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

        d=1e100.net; s=20210112;

        h=to:subject:message-id:date:from:mime-version:dkim-signature

         :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;

        bh=a66VV+YuO2pMkRWnJ9M60TWOYFEetR+6cVUWSfOFPWg=;

        b=n3aF+9r/ZvusAwWKjx5SNpO1eE+8mYCsJvdHnCS8cJkH84oEurHid/chq4OUdyaLJm

         3QIDOiyJPYUKML43Ni4YMnn/D0uBhmrY6uYkyPFdkAZDcyUZxx8t2jOK18H5KZF+w8l8

         9OMbbqHspoPilTrDD3HRjah40WEtal6OHX5M0d6xODHaCRWEE8Rs2OUxB8+6XShC+BqV

         XwHlIY0qcHHoZKRR/sb7vTraQHNph16RB9VYrHH6rd3zJLK/iFGe3C1XwQKPBt+JO5Lj

         eT0eAWDz+CiPemRBLBnD7pBU9BDR0bMtrgGPaVvyakPOkmRDOyy5W9tSAtzq1K2VyaVt

         GnBw==

X-Gm-Message-State: AFqh2koYn+lJ+/5cs5Thrkbvgwq8qxR40mDtXSht7CbXvC5+36bf3ozt 3yRuz/qDZ3dSVQGKafiYBJAGtg9FwFMlBS4Pb116kvVhZvmMmoW6YRJVrDiO6qB45tLqCt3kYJQ PCMZmHyzL29u9d0rWZLZL2VNmNlkbco5mVyo=

X-Received: by 2002:a81:6a43:0:b0:476:6693:fd57 with SMTP id f64-20020a816a43000000b004766693fd57mr16297627ywc.2.1673628899503;

        Fri, 13 Jan 2023 08:54:59 -0800 (PST)

X-Received: by 2002:a81:6a43:0:b0:476:6693:fd57 with SMTP id f64-20020a816a43000000b004766693fd57mr16297591ywc.2.1673628898419;

        Fri, 13 Jan 2023 08:54:58 -0800 (PST)

ARC-Seal: i=1; a=rsa-sha256; t=1673628898; cv=none;

        d=google.com; s=arc-20160816;

        b=VNXcd2k4rwfDRGny/ljWXrtPbgPbRC0etN+HZFIeTtW7ftiVqng3bMzgEg0y3DzQjV

         hNAguMkUyCQ2Y0GcoK1ushphXjkfqyRwan/s/dz/ryvYIO5+QLBSX5o2D8M2oBEamJ0k

         lq521PFTi2c+WBn32L4mOat8vcVnomFRPRnyqQEEfabZcM64bbEmMiRG+UrbdzVYJ82C

         kgwRD5D1AegN5t74351BKAuy+itXTrT1ze7lEWQ19kB+mslXvRSbNEd6e8OPQKt5kD/Q

         uWj9yDpTuguaFzf/iNyug5PfugTuNRIfZMdUMsQSgI/05Qds8PvKuHjUQEA7AQGEcFRF

         6sHg==

ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;

        h=to:subject:message-id:date:from:mime-version:dkim-signature;

        bh=a66VV+YuO2pMkRWnJ9M60TWOYFEetR+6cVUWSfOFPWg=;

        b=VkGI7YFXsZSFqaG+9cyy085TvqtA7pCoehNrcbyvSxtlCUNryxNKAC0z7pMlkdNWMR

         5mVtrlxK46ijkKqsT0n2e9k1Yl6H9ALK3YQeT7hf05YbKA7Dd2lqW4xsepzL3MeEozne

         EMPmfnW3isJB6DBm2A5RKFt47a+J1UBS32ErUbRUAc0eKEdqGF13o6p/LINWgzqt9oY3

         94Z3lwpgQx+d9cQYpe73W3V3njtbrmjKj8ZR/u+6wJ68yJjaMc8ClRnUZIkjfdlKAT/z

         djtB/LBrpMgtNAv+3ZmycGjKcS7RLislDD75fQFqw6xAdcjHLwFmb09l3KqOe6IAH4AC

         9yXw==

ARC-Authentication-Results: i=1; mx.google.com;

       dkim=pass header.i=@gmail.com header.s=20210112 header.b=Y2bizebV;

       spf=pass (google.com: domain of redacted @gmail.com designates 209.85.220.41 as permitted sender) smtp.mailfrom= redacted @gmail.com;

       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com

Return-Path: <redacted @gmail.com>

Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.220.41])

        by mx.google.com with SMTPS id t125-20020a817883000000b0047dda0ae7a2sor10522931ywc.120.2023.01.13.08.54.58

        for <redacted>

        (Google Transport Security);

        Fri, 13 Jan 2023 08:54:58 -0800 (PST)

Received-SPF: pass (google.com: domain of redacted @gmail.com designates 209.85.220.41 as permitted sender) client-ip=209.85.220.41;

DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;

        d=gmail.com; s=20210112;

        h=to:subject:message-id:date:from:mime-version:from:to:cc:subject

         :date:message-id:reply-to;

        bh=a66VV+YuO2pMkRWnJ9M60TWOYFEetR+6cVUWSfOFPWg=;

        b=Y2bizebVmASWK2LTUwEM/6ZOXs6EbloJswLL1Clcg4xtjE631omaU9tjOfWu6sS/JV

         URVgl1QWIWC6IweNMwlvjUrRhvFUdjsYGB+gg855/VnPW46DmAdEOAtYwZGvuApfifnB

         r5vnp/Fv3CCr6UndxRvGYVt873VVBWDfjaunZX4PBKxP0VhL10A415+3MUBjyou1qMJX

         xsV5zL7BeYUggJL55EnrV1bq2toYyomWSKqWcdmZwVL6KSZdzLcVuDOWJX+e1ztA7KU9

         c2E1dbN1Pdp+bReCHP2peeBjEjJFHmsJKHvV+OsLFTcVkDLjFLqOGk/1v1ZeB4vyyaw9

         1rqA==

X-Google-Smtp-Source: AMrXdXuFAgW+XOWMnBnsaXiN3NRSG8mBYMD8jrWsZXNxj4I3vLtFTtVLh+qYEcyTldK8ghlVTkGiI00rs8N52X/dCZs=

X-Received: by 2002:a05:690c:b85:b0:477:771b:25f7 with SMTP id ck5-20020a05690c0b8500b00477771b25f7mr2019440ywb.41.1673628898016; Fri, 13 Jan 2023 08:54:58 -0800 (PST)

MIME-Version: 1.0

From: redacted account <redacted @gmail.com>

Date: Fri, 13 Jan 2023 11:54:47 -0500

Message-ID: <CABQ6FrhDGWerx-6pWD6UYvnvZiz_vx=iG6LSvGhZydQ5fVeDDg@mail.gmail.com>

Subject: [blank]

To: "redacted" <redacted>

Content-Type: multipart/alternative; boundary="000000000000f3c5b005f22817b9"

 

--000000000000f3c5b005f22817b9

Content-Type: text/plain; charset="UTF-8"

 

 

 

--000000000000f3c5b005f22817b9

Content-Type: text/html; charset="UTF-8"

 

<div dir="ltr"><br></div>

 

--000000000000f3c5b005f22817b9--

Technically, no email is ever empty, even if your email client doesn't display any content. The way spammers "spray" their victims is by implementing an invisible picture (just one white or transparent pixel) linked to a URL, which they then monitor. 

It will be very hard to filter that, even with full-blown third-party email security solutions, as these emails never really look the same, the filename of the hidden image is always different, and most email security solutions can't see what is on the image (although with the advent of AI, this might change soon enough).

Long story short, the Google support guy was basically right with what he told you. That being said, there are thousands of other "markers" by which spam can be detected, and Gmail's spam filter is one of the best on the planet (if not the best), so most of these emails should already be filtered out. 

You should be much more concerned about BEC and phishing attacks and divert your energy into blocking those (again, Google is already doing a fantastic job here, much better than Microsoft, for example). If you want an extra layer of security on top of that, look at email security gateways (ESG) from vendors that tap right into Gmail's APIs to scan for malicious content. Notable vendors I can recommend are IronScales and Avanan. 

Thank you for this response and I agree with your analysis of where energy is best spent.

That being said, I am confident that some truly blank messages do get sent (to see whether they bounce back to the sender or not). And so I'm surprised there is not a solution to filter a truly blank message. In our testing, we found that the rule would catch blank messages but would also catch messages with content in them. Here is the content compliance rule that was attempted, and which resulted in false positives:

Expressions:
Location: Body
Is empty
Location: Body
Matches regex: (^$|^.*@.*\..*$)
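What the two posts above describe, as an added example that is not part of the thread: parse a message shaped like the one pasted earlier, reduce it to what a reader would actually see (the MIME wrapper a "Body is empty" rule sees is never empty), count embedded images, and show why the thread's regex fired on normal mail. The message, boundary and addresses are constructed placeholders.

```python
import email, re
from email import policy
from html.parser import HTMLParser

# Constructed sample mirroring the message pasted in the thread: multipart/alternative,
# an empty text/plain part, and an html part that renders to nothing on screen.
BLANK_MSG = b"""\
Subject: [blank]
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="UTF-8"


--b1
Content-Type: text/html; charset="UTF-8"

<div dir="ltr"><br></div>
--b1--
"""

# The regex tried in the thread. Its second alternative matches any line holding an "@"
# followed later by a ".", i.e. almost any body that quotes an address: the false positives.
THREAD_REGEX = re.compile(r"(^$|^.*@.*\..*$)")

class _Visible(HTMLParser):
    """Collect rendered text and count <img> tags (a 1x1 image is the usual probe)."""
    def __init__(self):
        super().__init__()
        self.chunks, self.images = [], 0
    def handle_data(self, data):
        self.chunks.append(data)
    def handle_starttag(self, tag, attrs):
        self.images += int(tag == "img")

def rendered_body(raw: bytes):
    """Return (visible text, image count): what a reader sees, not the MIME wrapper a
    'Body is empty' rule is evaluated against. Empty text means a truly blank message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text, images = [], 0
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text.append(part.get_content())
        elif part.get_content_type() == "text/html":
            p = _Visible()
            p.feed(part.get_content())
            text.append("".join(p.chunks))
            images += p.images
    return "".join(text).strip(), images
```

A message whose rendered text is empty but carries an image is the probe pattern described in the reply above; the same check passes a message with any visible text.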

 

@demetri I don't know the logic, but as per my testing I think @cryptochrome is right in one way.

The body always contains something, which makes it impossible to filter (at least as per my testing).

But I was able to filter on a blank subject easily. I suppose your blank-body mails don't contain a subject either, so why don't you try catching the emails without a subject?

Let me know if you need any help trying that way.

Thank you both, I really appreciate your responses. The messages in question typically do have content in the subject line, so unfortunately that would not work. Here's an example of the end of a blank test message.


I wonder if I could filter to match the string including the trailing hyphens.

Content-Type: text/plain; charset="UTF-8"

--

I realize I'm down a rabbit hole at this point and wasting some time, but hey...

thanks

It's not so much the rabbit hole (we've all been there), but rather that you are chasing something that dynamically and constantly changes. If you want to stay in the rabbit hole, you will do nothing else but write RegExes all day long, day in, day out 🙂

You'd probably also have to look at the mime attachments, btw.

If these subjects have a pattern, you can match that pattern.

For example, here it is [blank]; maybe we could match if the subject contains the exact word [blank].

 

Content-Type: text/plain; charset="UTF-8"

--

You can't match this because it is present in every normal email.

Will let you know if I ever come across anything useful.