Stopping Ads SPAM - How do you deal with?

Hi Luk,

Bulk mail and spam are treated very differently, In order to get the best results you should ensure you have the following rules.

High spam, Medium spam, BATV and Bulkmail rules. 

the defaults can be found here

https://community.sophos.com/kb/en-us/120802

You could configure the end user portal to allow users to black/white list both spam and bulk mail as well.  This ensure that users that wish to receive them can override the spam score and have it delivered to them via their own personal list. 

In regards to a "spam" score, there is no spam score for bulk mail, it is not treated as spam, It's a separate entity on its own.

Red_Warrior,

thanks for your reply but mine is more a discussion that a question.Sophos and other Anti-spam in general in the last few months are having issue with many ads email and so a new feature, mechanism should be discovered/added in order to prevent unsolicited mail.

Having a SPAM score on email can help Adminstrators to analyze what they receive and adjust their anti-spam settings. Pure Message in this is a step ahead.

Every country, every Organizations is victim of different spam and not having granularity on anti-spam settings is not helping Admins to control their environment.

Controlling Allow/block lists is not an ideal approach when you have thousands of mailboxes.

Thanks

if you wish to see spam scores / hits.. there are several ways to accomplish this.

the easiest way would be to add a banner (or mark a log) 

modify your high and medium spam rules.

within the rule is the : Additional actions tab

select add banner, append to the bottom.

for your banner text use 

%%HITS%% or %%SPAM_REPORT%% (for a complete list see : http://esa.sophos.com/docs/esa/webhelp/index.html#sea/concepts/PolAboutActionsTempVars.html )

• %%HITS%%: A listing of all the rules that were found by the spam engine.
• %%SPAM_REPORT%%: A verbose listing of the antispam rules triggered by the message
   

If for example you added both, you would have something like this appended to each email.. (you could tailor the rule or make it user specific if you don't want your users to get this information)

In regards to controlling black/white lists, each user can maintain their own lists when enabled.  You should only add a domain you wish to white list globally through the UI. 

sample of HITS / SPAM_REPORT

MIME-Version: 1.0
Content-Type: multipart/mixed; 
	boundary="----=_Part_2958930_401560851.1500410258147"
X-SpOps: id=1500410260.58985 feed=is-spam-raw prty=1
X-SpamView-Hits: 
 FREEWEB_J_MP 8, IMGSPAM_BODY 0.5, HTML_70_90 0.1, FROM_SAME_AS_TO 0.05, KNOWN_FREEWEB_URI 0.05, SUBJ_FREE_CAP 0.001, BODYTEXTH_SIZE_10000_LESS 0, BODYTEXTP_SIZE_3000_LESS 0, BODYTEXTP_SIZE_400_LESS 0, BODY_SIZE_3000_3999 0, BODY_SIZE_5000_LESS 0, BODY_SIZE_7000_LESS 0, BOUNCE_FROM_E_NULL 0, BOUNCE_RFC822_ATTACH_COMBINED 0, BOUNCE_RFC822_ATTACH_E 0, ECARD_WORD 0, FROM_SAME_AS_TO_DOMAIN 0, IMGSPAM_BODY_2_3 0, NO_REAL_NAME 0, NO_URI_HTTPS 0, SV_ATTACHMENT_NOT_IMG 0, SV_B_HTML_SIMP_EXISTS 0, SV_CS_DQ_FNS_RCVD 0, SV_CS_MIME_VERSION 0, SV_DATE_TIMESTAMP_IN_HDR_X3 0, SV_FROM_DOMAIN_IN_RCVD 0, SV_FROM_SAMEAS_TO 0, SV_HAS_ATTACHMENT 0, SV_HAS_ATTACHMENT_NORFC 0, SV_HAS_HTTP_URI 0, SV_HELO_INTERNAL_IP 0, SV_HREF_LABEL_IMG 0, SV_HREF_LABEL_TEXT 0, SV_HTML_HEADER 0, SV_HTML_NO_HTML 0, SV_HTML_SINGLE_URI 0, SV_HTML_TAG_CENTER 0, SV_HTML_WITHOUT_HTML 0, SV_INTERNAL_IP_RCVD 0, SV_MESSAGE_ATTACHED 0,
 SV_MPART_1_2 0, SV_MPMIXED_MIME1_1_SB 0, SV_MULTI_HREF_SAME_DOMAIN 0, SV_MULTI_URI_SAME_DOMAIN 0, SV_RAND_URI 0, SV_RAWEOB_NO_MAILTO 0, SV_RCVD_DATE_EQ_DATE 0, SV_SNOWSHOE_DELAY 0, SV_SUBJECT_LONG 0, SV_TEXT_AT_BEGINNING_ONLY 0, SV_URI_IMG_SRC 0, SV_URI_MULTILABEL 0, SV_URI_MULTI_SAME_DOMAIN 0, URI_WITH_PATH_ONLY 0, __ANY_URI 0, __ATTACHMENT_SIZE_0_10K 0, __BOUNCE_NDR_SUBJ_EXEMPT 0, __CT 0, __CTYPE_HAS_BOUNDARY 0, __CTYPE_MULTIPART 0, __CTYPE_MULTIPART_MIXED 0, __HAS_ATTACHMENT 0, __HAS_ATTACHMENT1 0, __HAS_ATTACHMENT2 0, __HAS_FROM 0, __HAS_HTML 0, __HAS_MSGID 0, __HTML_AHREF_TAG 0, __HTML_TAG_CENTER 0, __HTML_TAG_IMG_X2 0, __HTTP_IMAGE_TAG 0, __IMGSPAM_BODY 0, __IMGSPAM_BODY_2_3 0, __KNOWN_FREEWEB_URI2 0, __MAL_TELEKOM_URI 0, __MIME_TEXT_H 0, __MIME_TEXT_H1 0, __MIME_TEXT_H2 0, __MIME_TEXT_P 0, __MIME_TEXT_P1 0, __MIME_TEXT_P2 0, __MIME_VERSION 0, __MULTIPLE_URI_HTML 0,
 __MULTIPLE_URI_TEXT 0, __RFC822_ATTACH 0, __SANE_MSGID 0, __SUBJ_ALPHA_END 0, __SUBJ_ALPHA_NEGATE 0, __SV_COMMON_TLD 0, __SV_MULTIPLE_URI_NOSIG 0, __SV_PHISH_SUBJ1 0, __TAG_EXISTS_BODY 0, __TO_MALFORMED_2 0, __TO_NO_NAME 0, __URI_IN_BODY 0, __URI_NOT_IMG 0, __URI_NO_MAILTO 0, __URI_NO_WWW 0, __URI_WITH_PATH 0


X-SpamView-Probability: 86%
X-SpamView-Scanner: 6.3.3.2656215, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2017.7.18.203016
X-SpamView-QueueID: v6IKcM65020344
X-SpamView-Report: The following antispam rules were triggered by this message:
	Rule                           Score Description
	FREEWEB_J_MP                   8.000 Known spammy web site on j.mp: j.mp: 2uzzw1p
	IMGSPAM_BODY                   0.500 image spam as a few images outside of <td> wrapped
					     in <a>
	HTML_70_90                     0.100 Message is 70-90% HTML
	FROM_SAME_AS_TO                0.050 To Address is Same as From_Header Address
	KNOWN_FREEWEB_URI              0.050 uri  is known to be related to a free hosting
					     provider or free redirector
	SUBJ_FREE_CAP                  0.001 Subject contains 'FREE' in CAPS
	BODYTEXTH_SIZE_10000_LESS      0.000 Body size of the text/html part is less than 10k
	BODYTEXTP_SIZE_3000_LESS       0.000 Body size of the text/plain part is less than 3k
	BODYTEXTP_SIZE_400_LESS        0.000 Body size of the text/plain part is less than 400
	BODY_SIZE_3000_3999            0.000 Message body size is 3000 to 3999 bytes
	BODY_SIZE_5000_LESS            0.000 Message body size is less than 5000 bytes.
	BODY_SIZE_7000_LESS            0.000 Message body size is less than 7000 bytes.
	BOUNCE_FROM_E_NULL             0.000 Envelope From header contains NULL address
	BOUNCE_RFC822_ATTACH_COMBINED  0.000 Contains a NULL sender from or envelope from and an
					     rfc822 attachment
	BOUNCE_RFC822_ATTACH_E         0.000 Contains a NULL sender envelope from and an rfc822
					     attachment
	ECARD_WORD                     0.000 Message contains a word mentioning a card of some
					     sort
	FROM_SAME_AS_TO_DOMAIN         0.000 The domain in the From header is the same as that
					     in the To header
	IMGSPAM_BODY_2_3               0.000 image spam as a few images outside of <td> wrapped
					     in <a>
	NO_REAL_NAME                   0.000 From: does not include a real name
	NO_URI_HTTPS                   0.000 No URI has httpS in URI Part
	SV_ATTACHMENT_NOT_IMG          0.000 Message has any attachment, as long as it is not an
					     image (as found via the content-type "image/")
	SV_B_HTML_SIMP_EXISTS          0.000 b_html_simplified part exists
	SV_CS_DQ_FNS_RCVD              0.000 many Delay Queue FNs messages trigger these rcvd
					     hdr rules (Incident 14382) refer to AS-926
	SV_CS_MIME_VERSION             0.000 Tracking a mime version upper/lower case pattern
					     found in CS text/html UTF-8 mgs incids #15365,
					     #15654
	SV_DATE_TIMESTAMP_IN_HDR_X3    0.000 The minutes and seconds from the timestamp of the
					     Date header can be found in the headers 3 times (at
					     least). 3 because if I assume the last one matches
					     on the Date header again, then I want to make sure
					     we see 2 more before that.
	SV_FROM_DOMAIN_IN_RCVD         0.000 The From domain can be found in the Received, and
					     not as a potential envelope-from address or "self-
					     match"
	SV_FROM_SAMEAS_TO              0.000 Tracking for P4 Change #2687441, AS-1301
	SV_HAS_ATTACHMENT              0.000 Message has any attachment. As determined by the
					     attach header and mimetree
	SV_HAS_ATTACHMENT_NORFC        0.000 Has almost any attachment
	SV_HAS_HTTP_URI                0.000 message has an http based uri
	SV_HELO_INTERNAL_IP            0.000 Internal IP address found in the Received header as
					     "helo"
	SV_HREF_LABEL_IMG              0.000 Href tag uses image as the label
	SV_HREF_LABEL_TEXT             0.000 Href tag uses text as the label
	SV_HTML_HEADER                 0.000 contains an HTML header ex. <H1> in body
	SV_HTML_NO_HTML                0.000 HTML part does not contain <html> tag
	SV_HTML_SINGLE_URI             0.000 Html content has just a single uri. 6742
	SV_HTML_TAG_CENTER             0.000 Trying to find all centered HTML content
	SV_HTML_WITHOUT_HTML           0.000 Html part does not start with <html
	SV_INTERNAL_IP_RCVD            0.000 Internal IP address found in the Received header
	SV_MESSAGE_ATTACHED            0.000 Message contains an attached msg
	SV_MPART_1_2                   0.000 Mime part 1.2 exists
	SV_MPMIXED_MIME1_1_SB          0.000 Multipart/mixed content type, mimepart 1.1 has
					     small body size < 2k for mp/alt; < 1k for
					     text/plain and text/html
	SV_MULTI_HREF_SAME_DOMAIN      0.000 Message has at least 3 "href=" tags pointing to the
					     same domain with subdir
	SV_MULTI_URI_SAME_DOMAIN       0.000 Message has at least 3 http URIs pointing to the
					     same domain with subdir
	SV_RAND_URI                    0.000 uri contains 4 or more consonant in row which is
					     weird
	SV_RAWEOB_NO_MAILTO            0.000 The raw body content does not have "mailto:"
	SV_RCVD_DATE_EQ_DATE           0.000 time stamp from the received header is identical to
					     the Date: time stamp
	SV_SNOWSHOE_DELAY              0.000 Message with snowshoe characteristics
	SV_SUBJECT_LONG                0.000 match all Enlish words, special characters, High
					     bits, as long as the length is at least 50
	SV_TEXT_AT_BEGINNING_ONLY      0.000 There is text only near the beginning of the body
	SV_URI_IMG_SRC                 0.000 A URI in the body references to an image
	SV_URI_MULTILABEL              0.000 The very same URI appears in the message with
					     different labels
	SV_URI_MULTI_SAME_DOMAIN       0.000 Message has at least 3 CTA links pointing to the
					     same domain with subdir
	URI_WITH_PATH_ONLY             0.000 The message does not contain a pathless URI

Thanks Red_Warrior this is a nice tip, however....no way to use custom anti-spam score settings like Pure Message.

Think about to import anti-spam score toggle levels from Pure Message.

You can keep standard settings for Standard Users (High, Medium and Low) and advanced settings for Advanced users.

This can improve anti-spam cathing level per Organization and make Sophos Customers happy.

Different kind of Organizations > different SPAM >different settings.

Thanks

The Spam score should appear inside the SEA logs and not to every users.Only Admins need this sort of information.

This is not acceptable.

Thanks

lferrara said:

The Spam score should appear inside the SEA logs and not to every users.Only Admins need this sort of information.

This is not acceptable.

Thanks

If you have a syslog server you can export all of this information,  under alerts and monitoring, select syslog check off all of the boxes and it will export the mail logs and the message logs.. 

the mail log is the Post fix log for each message.. the messages log is the milter logs for each message.  

example of the message log.

2017-06-09T11:19:05 q=593AE689_26406_1_1 f=<cut> t=<cut> pmx_reason=Spam at=1,9518,text/plain b=ok h=SXL_URI h=BID_TLD h=FROM_BID_TLD h=DATE_IN_PAST_96_XX h=HTML_00_01 h=HTML_00_10 h=SUPERLONG_LINE h=CS_SUSP_TLD_BODY h=CS_SUSP_TLD_FROM h=DATE_TZ_NA h=DQ_SUSP_4 h=FONT_STYLE_1PT h=NO_URI_HTTPS h=URI_ENDS_IN_HTML h=__ANY_URI h=__C230066_P5 h=__CP_MEDIA_BODY h=__CP_URI_IN_BODY h=__CS_PROD_FROM h=__DQ_HEUR_4 h=__HAS_FROM h=__HAS_MSGID h=__HIGHBITS h=__HTML_AHREF_TAG h=__HTML_FONT_GREEN h=__MIME_TEXT_ONLY h=__MIME_TEXT_P h=__MIME_TEXT_P1 h=__MULTIPLE_URI_TEXT h=__SANE_MSGID h=__STOCK_PHRASE_24 h=__TO_MALFORMED_2 h=__TO_NO_NAME h=__URI_IN_BODY h=__URI_NOT_IMG h=__URI_NS h=__URI_NS_NXDOMAIN h=__URI_WITHOUT_PATH h=__URI_WITH_PATH s=?q?Over_7000_landscaping_ideas_inside..._(open_now) pmx_action=keep,Spam,-,cut@nowhere.com vs p=0.814 fur=none Size=9948 r=200.18.2.1 tm=16.45 a=a/eom

the f and t , to and from, s= subject p=spam score fur=first untrusted relay. 

Red,

this is not possible. I appreciate your help but you need to add some extra features on SEA. Yours are workaround.

I have spent years on Pure message by protecting 4000+ users and the result was great. Every week I analyzed the SPAM score report from Pure Message logs and adjusted the Spam and Suspicious spam toggle level in order to catch even few SPAM previuos seen as Suspecious SPAM only by using SPAM Score.

On SEA this is a big limitation, because you control the SPAM level.

Yes, that's true you can not simply open your policy.siv and add some staged spam score..  the email appliance counts 50% and lower as good mail, 51%>89% is medium and 90+ is high spam.. the only option to change this is via a feature request.

In regards to what can help you right this very second?

You may wish to get in on the dogfood release of PMX 6.4.  PM me with your company information and contact info and I will create a case for you and send you the repo information.  If your not able/into running a beta you can look forward to the initial release of 6.4. This version includes the delay queue feature of the SEA.

Yes, that's true you can not simply open your policy.siv and add some staged spam score..  the email appliance counts 50% and lower as good mail, 51%>89% is medium and 90+ is high spam.. the only option to change this is via a feature request.

In regards to what can help you right this very second?

You may wish to get in on the dogfood release of PMX 6.4.  PM me with your company information and contact info and I will create a case for you and send you the repo information.  If your not able/into running a beta you can look forward to the initial release of 6.4. This version includes the delay queue feature of the SEA.

Thanks RED. I am still using Pure Message wherever possible. My advices are to improve SEA.

If you want to open a feature request on behalf of me, let me know via a PM and I will provide you the info requested.

Regards

Hi Luk,

Unfortunately I am not allowed to open feature requests on your behalf.   (we used to be able to) I had a look at the usual place  https://ideas.sophos.com  and it seems that the section for pmx,sea,pmex is currently .. not there..  I checked with the community manager and they are manually adding them as they come up until its fixed.

I would create the feature request as a new thread entitled as such, and then CC your account manager, that will be your best bet.   In the meantime I will find someone to fix the feature request forums. 

cheers