
Sophos Email Appliance - Spam still getting through

We are using Sophos Email Appliance (latest patch) and according to Sophos we have everything configured the best way to block spam. Still continuing to receive spam to users' inboxes. Really blatant stuff like free gift cards and things like that. Anyone have any ideas on how to stop it? It seems like since about February 2014 a lot more spam is getting through and being marked in the logs as legitimate. I have checked the allow lists and I don't have anything listed that it could be bypassing the policies.

Any help would be greatly appreciated because it seems to be from Sophos's last correspondence that they are basically unwilling to help any further.

James


  • I'm considering this option as well. How have things worked out with it so far with the "Delayed Queue Readiness" enabled?

    -Richard

  • The queue didn't help for us.  In fact, it seems like more messages that aren't snowshoe started coming in also.  We have taken such a black eye on this, that I have started a trial with one of the hosted spam filters for the past 24 hours.  It has probably caught about 2/3 of the snowshoe, that is, if 4 messages are sent, it usually catches 2 or 3 of them, so marginally better.  I will switch over to another hosted filter (it has many positive reviews) today and see how it goes.  

    Again, this has been most disappointing.  I know every security product provider struggles with challenges- but this one has been ongoing with almost zero communication from Sophos.  

  • I noticed that all of our snowshoe spam was coming from 2 different Class B addresses every day.  I blocked those two whole subnets and haven't had problems with that anymore (until they move to other addresses, at which point I'll have to blacklist those).  That can't be my end solution to this.  I tried a Barracuda filter and it seemed better, but the encryption options are horrible and in the end I still had to blacklist those addresses.  

    I also have the delay options enabled but I'm not sure it'll do anything for us either.  When I looked at the spam getting through I'd check throughout the day against other RBLs (including Sophos) and many times it would take up to several hours before an IP address got blocked, so delaying a message for 10 minutes (which is how long they'll be delayed) probably won't do anything.  I wonder if they even test this stuff out first or if we're the betas...

  • Anybody know if you can actually see from the logs that this delay feature is in fact doing something?  Like an entry that shows a message was delayed and then rescanned?  We aren't past 11 days yet but once we are it would be good to know what's going on beyond just whether or not SPAM gets through.

  • Yes, you can see them in the logs but you cannot search for them.  As I've gone through the logs and clicked on a newer email it may say:

    Policy Rule: Suspect spam

    It'll then say something about delaying the email.

  • It's been a few weeks since they enabled the DQR on my device, and the Snowshoe spam is much more manageable now.  Are any of you seeing the same results?

  • I had DQR enabled on May 28th. I wasn't expecting any difference until after 11 days but already the last few days it has been much better. (not sure if related or just a coincidence)

  • It's been pretty much stopped for us, but that happened shortly after it was turned on for me too.  Which shouldn't have happened if it's really in a learning stage for 11 days, unless enabling it also makes some other scanning change that has made a difference without the delay feature.  Since you can't really search for delayed messages and see what it's doing, it's pretty hard to say. 

  • In a nutshell, the delay queue has a learning process.. When that is complete it will activate. This will alter the mail flow slightly.

    Once new mail arrives, it will undergo a new set of tests that will determine if the mail should be delayed.. During this test the process is exactly the same as it was before the feature.

    When mail is re-queued it is rescanned for AV and SPAM.. Assuming it passes the mail is delivered.

    In regards to visibility.. I'm very sure you will see improvements to the UI soon.

    In terms of .. Is it responsible for the reduction in snowshoe spam? .. You bet!!..

    In regards to searching for them.. Currently you would need to export the maillog to, say, a Splunk server and you could generate some sort of reports by searching for "delayed".

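The last reply suggests exporting the maillog and searching it for "delayed" to see what the delay queue is doing; an earlier reply noted that the snowshoe sources clustered into two Class B (/16) ranges. The following is an added example, not code from the thread or from Sophos, showing how such an exported log could be summarised offline. The log lines below are constructed with a hypothetical key=value format (the real appliance maillog format is not shown on this page), so the regular expression would need adjusting to match actual exported lines.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample export in a hypothetical key=value layout.
# Each delayed message appears once with verdict=delayed and, after the
# hold period, once more with verdict=requeued and the rescan result.
SAMPLE_LOG = """\
2014-06-02T08:01:12 sea mta: msgid=a1 from=<promo@example-offer.test> ip=192.0.2.14 verdict=delayed reason="Suspect spam"
2014-06-02T08:11:30 sea mta: msgid=a1 from=<promo@example-offer.test> ip=192.0.2.14 verdict=requeued rescan=av,spam result=spam action=quarantine
2014-06-02T08:02:05 sea mta: msgid=b7 from=<alice@partner.test> ip=198.51.100.9 verdict=delivered
2014-06-02T08:03:44 sea mta: msgid=c3 from=<gift@example-offer.test> ip=192.0.2.77 verdict=delayed reason="Suspect spam"
2014-06-02T08:13:50 sea mta: msgid=c3 from=<gift@example-offer.test> ip=192.0.2.77 verdict=requeued rescan=av,spam result=clean action=deliver
2014-06-02T08:05:10 sea mta: msgid=d9 from=<news@bulk-sender.test> ip=203.0.113.5 verdict=delayed reason="Suspect spam"
"""

# Hypothetical field layout; adjust to the real exported maillog format.
LINE_RE = re.compile(
    r'msgid=(?P<msgid>\S+) .*?ip=(?P<ip>\S+) verdict=(?P<verdict>\S+)'
    r'(?: .*?result=(?P<result>\S+))?'
)


def parse_log(text):
    """Turn each parseable log line into a dict of msgid/ip/verdict/result."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def delayed_messages(events):
    """Map every delayed msgid to its source IP and the rescan result.

    result is 'spam', 'clean', or None when the message is still in the queue
    (delayed but not yet requeued), which is the case the thread asked about:
    was the message actually held and rescanned?
    """
    delayed = {}
    for e in events:
        if e['verdict'] == 'delayed':
            delayed.setdefault(e['msgid'], {'ip': e['ip'], 'result': None})
    for e in events:
        if e['verdict'] == 'requeued' and e['msgid'] in delayed:
            delayed[e['msgid']]['result'] = e['result']
    return delayed


def delayed_by_slash16(delayed):
    """Count delayed messages per /16, the 'Class B' grouping from the thread."""
    counts = Counter()
    for info in delayed.values():
        net = ipaddress.ip_network(f"{info['ip']}/16", strict=False)
        counts[str(net)] += 1
    return counts


def summary(text):
    """One-shot report: how many were held, what the rescan decided, top /16s."""
    delayed = delayed_messages(parse_log(text))
    verdicts = Counter(info['result'] for info in delayed.values())
    return {
        'delayed_total': len(delayed),
        'rescan_verdicts': dict(verdicts),
        'by_slash16': delayed_by_slash16(delayed).most_common(),
    }


if __name__ == '__main__':
    print(summary(SAMPLE_LOG))
```

Counting how many held messages the rescan later classified as spam versus clean is the quickest way to tell whether the delay is earning its 10-minute cost; the per-/16 tally shows whether a handful of ranges still dominate, which is the evidence behind the subnet block mentioned earlier in the thread.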