
Domain Verification

Hello,

I am evaluating the Sophos Email Appliance and I noticed some behavior that is really annoying.

I received a complaint that a spam message was received, and when I checked the sender's domain I discovered that there is no MX record whatsoever for that domain.

In another case, the IP is completely different from the published MX record.

I opened a ticket with support, but unfortunately they failed to understand what RDNS is and failed to understand the basics of domain-to-IP verification.

I used to work with UTM, and RDNS was applied strictly; it would never allow a "wrong" IP to pass.

Any suggestions? Don't you think IP-to-domain verification is essential?

Am I missing something?
  • Hi Hashim

    There are a couple of considerations.

    Please see my spam configuration KB: https://community.sophos.com/kb/en-us/120802

    Note: the delay queue feature is a highly effective tool when combating spam. It requires 10.5 days before it will start enforcing (so you may not be at 100% as of yet).

    In regards to things to try:

    #1 Configuration / Policy / SMTP Options / Perimeter Protection: both of these check boxes should be checked. This will tell Postfix to drop mail from any non-existent envelope sender/MTA.

    #2 Check whether the configured DNS is slow (do not use external DNS like 8.8.8.8).

    #3 Ensure the connecting IP is not listed as an internal mail host.

    #4 If you are using an upstream proxy or load balancer, ensure it is allowing the actual MTA to connect and is not stripping/replacing IPs.

    #5 As per the spam configuration KB, ensure your filtering rules are configured as described there.

    #6 The delay queue is a powerful anti-spam tool; however, it takes 10.6 days to start enforcing. Before then, this feature is not active.

    In regards to the message itself, it's important to ensure you're looking at the envelope sender and not the DATA From.

    In the message headers you will see lines like:

    (snip)

    Received by:
    Received by:
    Received by:
    From: Heart Attack Defense <heart.attack.defense@fatbrainfeeds.com>
    To: "jimmy, bob" <mydomain@domain.com>
    Subject: An Early Warning Sign Of YOUR Heart Attack?

    (snip)

    The very last "Received by" is the actual connecting MTA; anything past that is the DATA From.

    If everything still seems correct, and/or there is a question about IPs, load balancers or upstream proxies, you should submit samples to is-spam@labs.sophos.com (create a new message, then drag/drop all of the spam as .eml attachments).

    There could be an actual spam rule or other issue that could be identified by escalating the samples to the Labs team.


    I would also recommend configuring a syslog server and exporting the message.log file and the mail.log file. This will give you all of the logs associated with the email, including the triggered rules and Postfix logs.



    Unfortunately the logs are a must, and posting your logs on a public forum is not recommended; however, you can definitely refer to these comments within your ticket.

    Cheers
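    Added example (not from the thread, Red_Warrior or Sophos): a short Python script that applies the checks discussed above to a constructed message. It takes the connecting IP from the Received header written by our own MTA (assumed hostname mx.example.net) rather than trusting anything in the From: header, compares the envelope sender domain with the header From domain, and checks MX presence and forward-confirmed reverse DNS against a constructed DNS table; the addresses, domains and IP are made up.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (not from the thread). The topmost Received header is
# the one our own MTA (assumed hostname mx.example.net) wrote; everything below it,
# the From: header included, arrived inside SMTP DATA and can say anything.
RAW_MESSAGE = """\
Return-Path: <bounce@bulk-sender.example>
Received: from mail.fatbrainfeeds.com (unknown [203.0.113.45])
\tby mx.example.net with ESMTP id 4ZK9v for <mydomain@domain.com>
Received: from localhost (localhost [127.0.0.1])
\tby mail.fatbrainfeeds.com with ESMTP id 1 for <mydomain@domain.com>
From: Heart Attack Defense <heart.attack.defense@fatbrainfeeds.com>
To: "jimmy, bob" <mydomain@domain.com>
Subject: An Early Warning Sign Of YOUR Heart Attack?

body
"""

# Constructed DNS view so the example runs offline; the appliance resolves live.
FAKE_PTR = {"203.0.113.45": "mail.fatbrainfeeds.com"}
FAKE_A = {"mail.fatbrainfeeds.com": ["203.0.113.45"]}
FAKE_MX = {}  # envelope sender domain publishes no MX at all, as in the post
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def connecting_ip(msg, our_host):
    """Client IP recorded in the Received header that our own MTA (our_host) added."""
    for received in msg.get_all("Received", []):
        if re.search(r"\bby\s+" + re.escape(our_host) + r"\b", received):
            m = IP_RE.search(received)
            return m.group(1) if m else None
    return None

def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def verify(raw, our_host, ptr_lookup=FAKE_PTR.get,
           a_lookup=lambda h: FAKE_A.get(h, []), mx_lookup=lambda d: FAKE_MX.get(d, [])):
    """Envelope-vs-header domain, MX presence and forward-confirmed rDNS checks."""
    msg = message_from_string(raw)
    ip = connecting_ip(msg, our_host)
    env_dom, hdr_dom = domain_of(msg.get("Return-Path", "")), domain_of(msg.get("From", ""))
    ptr = ptr_lookup(ip) if ip else None
    return {"connecting_ip": ip, "envelope_domain": env_dom, "header_from_domain": hdr_dom,
            "domains_match": env_dom == hdr_dom,
            "envelope_domain_has_mx": bool(mx_lookup(env_dom)),
            "fcrdns_ok": bool(ptr) and ip in a_lookup(ptr)}

print(verify(RAW_MESSAGE, "mx.example.net"))
```

    Replace the three lookup callables with real resolver calls to run the same checks against live DNS.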
     
  • Thanks Red_Warrior, and sorry for my late response.

    I have applied all of the suggested configuration and the device has been in production for more than 2 months.
