Sophos Email Appliance - Spam still getting through

We're having the same issues, and not getting anywhere with sophos support on it. I'm submitting most of the ones that get through to is-spam@labs.sophos.com but it doesn't seem to do any good. Gotten to the point where I'm going to look for a different product once our contract is up.

I am getting alot of this as well getting through what has happened has something changed on Sophos filters?

coming from multiple addresses although content is the same

Same issue here, product is configured correctly and Report as Spam feature doesn't seem to do any bit of good.  What's makes this irritating is that SpamHaus has almost all of these already marked as blacklisted. 

Working with support even at tier 2 doesn't do any bit of difference.  Word on the street is that they won't be able to do anything for at least several months, so time to get used to this.  Spammers are using sophisticated approaches.  And that will take Sophos several months to catch up to them.

Add me to the list. I can't even manually block it. The last few days the domain extension has been like @xxx.click. The xxx part always changes but the .click is always there. I don't see a way to block all email that comes in with .click in the domain. I tried to go into Additional Policy and add a rule to block all emails that contain .click in the header by adding a rule to quarantine all emails that contain (substring match) and set the value as .click but it doesn't seem to work. 

Sophos would be able to block a lot of these by simply greylisting all domains that aren't .com, .gov, .net, .biz,or .org.  In other words all domains that have more than 4 characters in the domain (jsmith@whatever.XXXX).  I was reading an article by a spam specialist that was indicating that these snowshoe campaigns are usually hit and run.  So if you greylist them, you temporarily give them a soft fail.  If the MTA is legitimate, it will try to resend, otherwise, no harm done, other than delaying the message for a few minutes.  Again this would only be for domain extensions past three characters.

Seems to me like that's the way to go for now.

If spammers change their ways again, then simply re-write the algorithm to slow down anybody that is not sending from a popular domain extension.

Were in the same boat here, with a significant amount making it through to our end users.  The content of the messages is always visably SPAM (eg gift cards, loose weight, etc).  We are also unable to use the Outlook addon to report SPAM, as there is a bug with it and Outlook 2013 that causes their systems to be unable to read it (long running support ticket open for this, with the answer of "were looking into it").  Were also seeing all of it from non standard domains such as .link and .rocks, but have not been able to sucessfully create a rule with regex to block all of those TLD's (we have a support ticket open to question about blocking TLD's, but have not heard back).

Our support contracts expire this year, we are also pursuing other options as an organization, and may replace all of our SOPHOS products because of this.

We have been able to block TLDs with a rule that can be created as below:

Additional Policy -> Add  (for Inbound)

Select Rule Type: use only message attributes (Next)

Message Attributes  -> Add

Change dropdown box to : Header
Name : From
Change bubble to :  matches regular expression
Value we use is      .*@.*\.(xxx|link|rocks|nl|ru|sk|fr|it|pl|jp|hk|glb|info|club|invalid|click)

Rest of the config is up to you really.

****Note the regex above will catch anything in the sender domain area with the TLD names you configure

for example:  since I have the "sk" TLD listed (to catch spam from any @xxxxxxxxx.sk domain), an address like @skymailer.skyauction.com (since it contains a ".sk" entry) would also be filtered.  You can use logs and sender exceptions to excempt known good domains from the policy.  Might be a more elegant regex to use here but this one is working and meets my needs for now.

HTH Good luck!

Awesome tip.  Will try it out.

Thanks!

We are still reciving an exorband amount of SPAM in our end users inboxes, most of which is obvious SPAM.  We did get an update on our support request for blocking TLD's.  The instructions provided have worked, and are as follows

Create new policy under "Additional Policy"

Under "Select Users" option, choose "Include Sender" tab

Under "Custom Groups" add **@**.domain_you_wish_to_block (*Note you can add multiple entries)

This has largely done the job for us, but we are still watching inbound mail and blocking the spammy TLD's.  We do use some judgement on blocking, but it is simpler at this point to shoot first and ask questions later due to the sheer volume of unwanted content coming in.

It would be nice if Sophos would code in the ablity to use custom DNSBL or SURBL resources, as it would allow the customer to be as agressive as they would like.  Most of the public SURBL's are already updated, and are able to block the content that is coming in, but choosing the list is not a one size fits all solution.

Does anyone know if there is any movement on Sophos' part to address this?  Snowshoe is continually getting worse for us, with at least five pairs of messages getting through each day.  The real frustration is that as soon as one of these gets through, I look up the sending IP on an mx site and it is usually listed with at least three blacklists.  It is starting to reflect poorly on our IT department.  We had recently renewed for five more years on Sophos (wasn't my decision), but I'm ready to cut my losses and look at another option.