We've been getting a lot of spam from a particular sender lately. Typically I'll go in the Sophos Mail filter, find the log of the message, block the sender and the host. This time I wasn't able to find a log of the message at all. I've widened my search time, searched by email address, subject, recipient and still can't find a log of this message. If I can't find the log, I can't block by host. I was able to block them by email address yesterday but of my users are still getting spam email from them. The user alerted me to the message by using the Outlook "Report Message" button. I know that deletes the message and sends me a copy, but there should still be a log of the message.
Another odd thing is when I get the copy of this particular email in my inbox it's not a .eml file. Below is a screenshot.
Would you please check the Email header and see if you can find "X-SEA-Spam" in it? If the email is scanned or processed by Sophos Email Appliance, it should have that header in it.
There's no listing of the email in any of the Sophos mail logs. I'll have to see if I can find anything in Exchange.
You need to check the spam email's headers from the user's inbox and look for the header I mentioned.
When the user clicks the "Report Message" button the email is removed from their inbox. As I said above, the copy sent to me by Sophos is not a .eml file so I can't view the header of it. I even included a screenshot to show what I end up getting sent to me.
Alright, I'd suggest you verify your configuration as suggested in this KBA: Sophos Email Appliance: Recommended Anti-Spam configuration and if you're still receiving emails, you should create a case with Sophos Support.
Verified my configuration is correct. I'll be opening a ticket with Sophos now. Thanks for your help.
Great. Please DM me the case number once the case is registered.