
Report as Spam

We are relatively new to using the SEA and our end-users complain about continuing to get emails from senders they have marked as "Report as Spam" (RAS). From my understanding, marking an email RAS doesn't mean for certain that going forward the email will be blocked because it is reviewed by Sophos before being added to their spam list. The thing is my users don't want to see the email again period. They are not interested in whether Sophos thinks it is spam or not. The only thing that matters is the end-user has made their decision and that is it. 

In our old system, a link was added to each email. If we wanted to no longer receive emails from the person or domain, we just clicked it and done. This was a great feature! My end-users are not wanting any email of virtually any type that is not coming directly from another person. We currently discard all high and medium spams. What I do now is have a copy of a RAS email sent to me and manually add the address to our list. It could easily take me an hour a day for something that used to be automated. The problem with how I am doing it now is that it is not at the user level of blocking; I am doing it for our whole domain, and I block the sender's whole domain.

Our end-users are not interested in blocking them via web portal level. It is too difficult to use and hard to block messages in quarantine too. I asked about Sophos taking the emails we are sending to RAS and blocking them for our individual users in our domain. They said no or more gently that is not how it works. So, how are you blocking emails that the end users want blocked? Are you going around the product and just blocking at the mail server level...mark as junk? We are using Exchange.

We really like the other features of the SEA, but what would I give to have our old spam filter back. 


Thanks,

John



  • Hi John

    If you are deleting medium and high spam then what you are probably having issues with is bulk mail. I would create a policy for bulk and set the action to tag subject or, if you really wish, delete.

    Please note that setting medium and bulk mail to delete is not recommended.

    In the case of the appliance, the only thing in your quarantine would be virus or if you have rules that quarantine mail.

    If you wish, install the Outlook plugin, which will give you one-touch spam submission and remove the message. Again though, if you're deleting spam then chances are what is arriving is either not spam, bulk mail or unknown spam.

    If you are getting spam in the inbox with it set to delete you may wish to ensure your settings match my KB on recommended spam settings. Other things that can cause FP or unidentified spam scores are PIX mailguard, upstream load balancers and other IPS products that block MTAs from connecting to the appliance.

  • Hi RW!

    I always appreciate your help! I think I am miscommunicating about our users' experience. To us, spam is basically any email that we do not want. It is unsolicited, and therefore we do not want it. So what we call spam might not technically be spam or bulk as defined by the SEA.

    Our old provider had the following categories they checked. If it was any of these, it quarantined or discarded them. Please don't take this wrong, but we went from having maybe one or two emails per user per week come through that should have been stopped to now twenty or thirty a day per user.

    Types:

    VR: Virus
    BC: Blocked by Customer
    DM: Direct Marketing
    FD: Fraud
    FG: From a Foreign Domain
    LS: List-Server
    NL: Newsletter
    SP: Spam
    VA: Virus Alert
    YG: Yahoo Groups
    CL: Chain Letter

    Then the second issue is even if we mark it as spam and don't want to see it again, that is not happening automatically. I am having to go into a rule and add each host name, and I am doing that for our entire domain. So if someone wants some direct marketing material from some store but someone else has said it is spam, then the one wanting it will not get it. There is no easy automatic way to ban email at the user level. The web portal is too cumbersome on a good day.

    Example of a rule that I have built for emails that we identify as spam. This is a manual process and impacts the entire domain. I suspect it will really hurt performance as it grows.

    So that is my problem. We define spam differently and there is no easy automated way to block email. Yes, the RAS button removes the email, but it isn't communicated back to our appliance to block it regardless of whether Sophos thinks it is spam or not. All too often, our users click the RAS and the emails keep pouring in. The web portal way to block is inefficient. Our old provider put a link at the bottom of the email if we wanted to block it. Click on it and it was blocked.

    We like so many other features of the SEA but blocking unwanted emails has become an issue for us. I figure there is much that can be done now, but I just wanted to make sure I wasn't missing some feature that would be more like our old experience.

    Thank you,

    John

  • Interesting problem and a very unique use case. You may need to think outside the box a bit.

    A couple of notes on your categories.

    VR: Virus - done via antivirus rules under threat protection. The appliance at best will automatically quarantine a virus; as such, only an administrator can release it, or the sample is destroyed. There is no scenario where a non-administrator can allow a virus, nor can you disable AV scanning.
    BC: Blocked by Customer - done via the portal; a user would need to specifically say block x domain. Per-user block lists are run against any message addressed to a user that has a list. There is no way to automate this via a one-touch solution (I would recommend a feature request); otherwise policy would have to be created in the admin UI.
    DM: Direct Marketing - this is covered via a bulk mail rule. Simply create a rule under additional policy for bulk mail and delete it.
    FD: Fraud - fraud messages are covered under anti-spam rules and will automatically trigger a high spam rule to ensure it is deleted.
    FG: From a Foreign Domain - not specifically covered, but if you wanted to make a rule to drop all mail from Russia, see my KB here and add as many countries as you wish: community.sophos.com/.../370052
    LS: List-Server - you could create a list of servers / MTAs or domains with regular expressions. See below for links and samples.
    NL: Newsletter - covered under bulk mail.
    SP: Spam - AS rules.
    VA: Virus Alert - we do not alert, we automatically quarantine / destroy viruses on sight.
    YG: Yahoo Groups - you may need an allow rule for this specific domain.
    CL: Chain Letter - covered under AS rules.

    The report as spam does not append rules to the appliance; it sends the email to labs where it is automatically added to data updates. Those updates are pushed out and mail is dropped as spam.

    Some things you could try... (I do NOT recommend ANY of these options)

    Create a rule to drop ALL mail and create a rule to exclude white-listed domains, i.e. **@**.com or **@**.net etc.

    You could also create outbound rules to append X-headers on sent mail, then create a rule to look for that header.

    Your exclusions would go above your delete all mail.

    Keep in mind, there is NO recycle bin. Destroyed mail is gone forever.

    As you pointed out, the more policy you have, the slower mail is processed, as each message that is accepted is compared line by line; this drop-all policy aims to reduce policy by only searching for the white-listed domains.

    If there are other more specific issues or rules you need to make, you can do so, but there is no way for the appliance to magically figure out who wants what mail, and it can only identify items as bulk mail and spam based on the universally accepted criteria of such, i.e. blacklists, known bulk mailers and similar.

    In regards to regular expressions, have a look here under the PMX documentation for accepted regex:

    https://docs.sophos.com/msg/pmx/help/en-us/msg/pmx/concepts/AdmDevRegex.html

    Some notes:

    **@**.com would drop all mail from any domain.com

    or **@subdomain.mydomain.com$  would mean it must end in this exact domain.

    * means one word; ** means any number of words.

    do NOT use sub-string matches with wild cards.
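
A constructed model of the rule ordering and wildcard notes in the post above (exclusions placed above a drop-all rule, `$` as an end anchor), added here as an example and not code from the post or from Sophos; the exact word semantics of `*` and `**` are my assumptions, labelled as such in the comments.

```python
import re
from typing import List, Tuple

# Constructed model of the sender-pattern notation described in the post.
# Assumed semantics (illustration only, not the appliance's documented grammar):
#   '*'  = one "word": a run of characters containing no '.' or '@'
#   '**' = any number of words: one or more characters, dots included
#   '$'  = pattern must end exactly here; without it the pattern only has to
#          match at the start of the address (the substring pitfall noted above)

def pattern_to_regex(pattern: str) -> re.Pattern:
    """Translate an appliance-style sender pattern into a compiled regex."""
    anchored_end = pattern.endswith("$")
    if anchored_end:
        pattern = pattern[:-1]
    parts = []
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            parts.append(".+")          # any number of words
            i += 2
        elif pattern[i] == "*":
            parts.append("[^.@]+")      # exactly one word
            i += 1
        else:
            parts.append(re.escape(pattern[i]))  # literal character such as '.' or '@'
            i += 1
    return re.compile("^" + "".join(parts) + ("$" if anchored_end else ""), re.IGNORECASE)

Rule = Tuple[str, str]  # (sender pattern, action)

def evaluate(policy: List[Rule], sender: str) -> str:
    """First matching rule wins; a sender matching no rule is delivered."""
    for pattern, action in policy:
        if pattern_to_regex(pattern).search(sender):
            return action
    return "deliver"

# Constructed policy in the shape the post sketches: exclusions for trusted
# domains sit ABOVE a catch-all rule, so the catch-all only sees the remainder.
POLICY: List[Rule] = [
    ("**@partner.example$", "deliver"),        # exactly this domain (end anchored)
    ("**@**.trusted.example$", "deliver"),     # any sub-domain of trusted.example
    ("**", "delete"),                          # everything else is dropped
]

if __name__ == "__main__":
    for addr in ["alice@partner.example", "bob@mail.trusted.example",
                 "news@partner.example.attacker.test", "carol@other.example"]:
        print(f"{addr:40} -> {evaluate(POLICY, addr)}")
```

Running it shows why the `$` matters: the same `**@partner.example` pattern without the anchor would also match `news@partner.example.attacker.test`, which the anchored version correctly sends to the catch-all.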

  • Thank ya again RW. I will take a deeper look at your response.

    Quick question, would there be any benefit of us installing PureMessage on our Exchange server? More specifically, can a user block an email in PureMessage? Click a button or whatever. So while something might get past the SEA, PM would see the block and stop it.

  • There are two reasons to run PureMessage for Exchange with an email appliance.

    #1 It offers anti-virus mailbox scanning after the message has arrived in the mailbox. (i.e. if a virus is 0-day at the SEA and a detection comes out 3 hrs later, store scanning would quarantine those messages after the fact.)

    Just make sure you install the AV-only version; it's best NOT to install the full version with anti-spam, because this will give you two quarantines to manage (major PITA).

    #2 PureMessage can scan mail destined to other internal email boxes. So if you wanted to spam scan between mailboxes, or have keyword filters, you could do that with all mail being delivered internally.

    I highly recommend an AV-only install on the mailbox servers as this will give you some extra protection in the event a virus is 0-day at the SMTP gateway and later detected. If the mailbox server tries to serve an email with a virus, it would be blocked. In the AV/AS game, every second counts.
