This is the message I received from Sophos this afternoon:
A new update (3.8.1.0) has been launched that specifically addresses snowshoe spam. A new feature called "Delayed Queue Readiness" will address snowshoe spam emails by delaying suspect emails for a specified period of time. By delaying delivery, the appliance creates a timed window to receive new anti-spam definitions created by Sophos Labs and re-scan the messages. Please note the update is available under Configurations -> System -> Updates and will require a reboot of the appliance.
Please also note the following:
1. Once the new version is loaded on the appliance – you MUST contact Support to have the delay queue function enabled. It is NOT automatically enabled and it CANNOT be enabled by the customer.
2. Once enabled, the appliance will begin an eleven (11) day learning period PRIOR to any emails being inspected/delayed via this new function – in short, do not expect catch rates to be impacted until the 12th day after the function has been enabled by Support.
I've noticed that these emails all come in from the same /24 netblock each day; the spammer just picks 5 IPs at a time from the range, blasts out the spam using these 5 IPs for about 20 minutes, and then stops and moves on to another 5 IP addresses from the same netblock for the next message.
I've resorted to blocking the whole /24 each time I see a new spam message come in, by using Configuration\Policy\Allow/Block lists. I dump the /24 of the first message I see to a txt file and upload the file to the Hosts tab. This works to keep the bulk of the messages out. My only hope is that there isn't a maximum number of IPs you can block on the appliance. I also check the /24 in Angry IP Scanner to verify it isn't a legitimate site based on the DNS query response.
I've been on hold now for 1.5 hrs with Technical Support trying to get the "Delayed Queue Readiness" option turned on.
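An added example (not code from the thread or from Sophos) that automates the /24 pattern the post above describes: it groups sender IPs by /24 and flags any netblock from which five or more distinct senders appear within a 20-minute window, then emits one CIDR per line in the shape of the text file uploaded to the Hosts tab. The log format and sample lines are constructed for the example; it does not do the reverse-DNS sanity check the poster performs separately.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <sender IP>" per line.
# Not real appliance log output; 203.0.113.0/24 shows the burst pattern.
SAMPLE_LOG = """\
2015-03-02T09:00:01 203.0.113.10
2015-03-02T09:03:12 203.0.113.57
2015-03-02T09:05:44 203.0.113.102
2015-03-02T09:11:09 203.0.113.200
2015-03-02T09:18:30 203.0.113.33
2015-03-02T09:40:00 203.0.113.61
2015-03-02T09:02:00 198.51.100.7
2015-03-02T09:30:00 198.51.100.7
2015-03-02T09:45:00 192.0.2.14
"""

def parse_log(text):
    """Return (datetime, IPv4Address) tuples; malformed or non-IPv4 lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        try:
            ts, ip = datetime.fromisoformat(parts[0]), ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        if ip.version == 4:
            events.append((ts, ip))
    return events

def snowshoe_blocks(events, min_distinct=5, window=timedelta(minutes=20)):
    """Return /24 networks (as strings) that sent from at least `min_distinct`
    different IPs inside any span of length `window`."""
    by_net = defaultdict(list)
    for ts, ip in events:
        by_net[ipaddress.ip_network(f"{ip}/24", strict=False)].append((ts, ip))
    flagged = []
    for net, items in by_net.items():
        items.sort()  # chronological; each item opens a candidate window
        for i, (start, _) in enumerate(items):
            distinct = {ip for ts, ip in items[i:] if ts - start <= window}
            if len(distinct) >= min_distinct:
                flagged.append(str(net))
                break
    return sorted(flagged)

def blocklist_text(events):
    """One CIDR per line, the layout of the file uploaded to the Hosts tab."""
    return "".join(f"{net}\n" for net in snowshoe_blocks(events))
```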
We also have been hit hard by spam, so much so that I was told to find a new option. I called support and was told I had it all configured correctly. After downloading another vendor's trial spam filter appliance, our snowshoe spam was blocked completely. The 2 features I feel made the difference were a delay feature when too many emails come in from the same address in a set amount of time and the ability to use RBLs. I added zen.spamhaus and a couple of others, and according to their logs about 30%-50% of spam is blocked because of those lists. Unfortunately their encryption options are poor, so I'll be continuing my search. I may, however, update my Sophos email appliance to see if that makes a difference. It's so surprising that they have so many options to customize encryption but all anti-spam has is just "high" or "medium" and that's about it. Getting in to block a /24 every morning isn't really going to be the best option.
Am I missing something? There is nothing in the release notes about this Delayed Queue Readiness feature. Makes me think they aren't ready to release it to the masses if it's not published and you have to call support to turn it on. I'm about to attempt to wade through support to get it turned on, hopefully it makes some difference in 12 days. If you've got it turned on and are waiting for it to take effect, please post whether it helps or not once you're at that point. Just a mystery to me why this thread is basically the only mention of it.
Guess I got lucky, I was only on hold for 45 minutes before someone picked up. Anyway, what I was told is that this feature is going to be added to the GUI in a future release; they couldn't tell me when. So maybe you can say it's in a pilot release. Whatever it is, hopefully it does something useful for this problem. I don't need any more Kohl's gift cards or woodworking plans.
I believe we cross the 11 day threshold this weekend, so we will see what happens starting Monday. The lack of communication from Sophos on this entire process has been very disappointing. I get the sense that there is an extremely small team that supports the email appliance.