This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to filter spoofing emails without delay queue?

Hi guys,

in the past few months we kinda get flooded with spoofing SPAM mails. 

The big issue is that these spoofing emails are getting better day by day and it gets way harder to find out if its a real email or spam mails.
As long as we had the delay queue in place we didn't have many issues with it.

Unfortunately we had to shorten the delay queue time to 5 minutes because so many colleagues complaint at the CEOs.

I checked the email log of one of these spoofing emails to see why the email appliance didn't filter it out.
The reason for forwarding the email was, that the email sender pretended to be from our domain which is managed by the email appliance.
So it says the domain is whitelisted and forwards it to the receiver.

Do you have any idea, how we can fight back against these spoofing emails?
Is there any config we could activate to keep them out?

Thanks!



This thread was automatically locked due to age.
  • Hi Matt,

    Couple of things..  

    #1

    Have a look at my kb for anti-spam configuration here: https://community.sophos.com/kb/en-us/120802

    #2

    Dealing with antispoof is actually really easy... drop your top level domain in the block list.. (make sure your filtering options are set up like the kb above)  here is a reference: 

    https://community.sophos.com/kb/en-us/118845

    #3

    By messing with the delay queue times .. (especially dropping it to 5 mins) you have actually crippled the service .. delay queue is designed as secondary scanning.. so it wont do anything for spoofed emails and such.. its more designed to add the Yes/No or Maybe ... factor in scanning messages..   the recommended settings are in the kb above.. you should probably ensure they match.   Although the how delay queue cant be described on a public forum .. what I can tell that is crippled is the time..

     

    that threshold 10-60 mins for example breaks down into 5 "buckets" the majority of mail that triggers delay queue hits on the first bucket..  so for example.. the default 10-60 mins .. bucket 1 is 17 mins .. 27, 38, 49 and 60 mins..

    delay queue targets unsolicited snow-show spam in particular.   (in real short forum friendly notes) snowshoe spam is essentially when a spammer specifically targets an ip/mx record and trys to deliver a LOT of mail directly to you. this often results in poor catch rate because the path the message takes longer to propagate  out and hit one of the many spam traps (aka real time blacklists) 

    as a general rule it takes about 10-12 mins for the entire process of getting blacklisted..

    for example.

    you spam an ip.. you hammer on it with a script.. by the time your emails travel the internet, hit a spam trap, that trap updates (for example maybe its sorbs) they update the list with your ip.. then sorbs pushes that list out to its subscribers (pretty much every spam company out there including us) .. the list is consumed.. then repackaged into a SEA data update.. then pushed out to your appliance.. then you consume that data..

     

    this entire process takes several mins.. could be your appliance just checked and doesnt update for another 2 mins.. or perhaps its busy and it takes a few mins to update the data..  

    anyways.. the default level 1 bucket is delaying mail just long enough to get and apply that latest update.. when you change the min max time.. those 5 bucket times also scale the change. .so if you 5-10 mins.. you would have to hit bucket 4 to actually allow enough time for the appliance to update and catch the spam.

     

    delay queue also tracks good and bad mail and who sent it.. the chance of FP is very low as its specifically for snowshoe spam.. I would ensure its enabled as its a very very useful feature..  

     

    If you configure your SA rules as above, drop your domains in the blacklists and have delay queue working.. and still have issues..

     

    I would...

     

    from the inbox of the user that received the spam.. create a new message .. drag and drop all of the spam as .eml attachments .. send it to is-spam@labs.sophos.com and then open a support case ... The engineer will be able to look at how it is grading, what rules its hitting (or not hitting) and if necessary escalate that spam directly to the labs team.

  • Hi Red_Warrior,

    thank you so much for your detailed answer and the links.

    Honestly, it's so easy to get rid of the spoofing mails :). Just didn't get it things together :).


    I deployed all the recommended settings on our SEA and also configured the block rules.

    I'm pretty sure this solves all our issues.

    And thanks a lot for explaining the delay queue. I restored the default settings that this amazing feature works as designed.

    Thanks!

    Cheers,

    Matt