
Stopping Ads SPAM - How do you deal with?

In the last 3 years, spammers have found many different ways to bypass the spam filters of any vendor. Users receive email from ad websites (newsletters) they never subscribed to. I can confirm it. I have a mailbox on a customer site and I used it to subscribe to Techtarget, the HP newsletter and a few other IT newsletters, and now... on that mailbox I receive a lot of newsletters from other websites: real estate, holiday promotions, ticket promotions, etc.

So I know that websites share information among themselves and that cookies play another important part in the spam, but how are you guys preventing this sort of SPAM?

The advice is to use the work email for business usage only, and this is regulated by an "Acceptable Use Policy" and by blocking certain web categories, but this is not enough as users can access email from home and subscribe from home (they signed the AUP so they should not use it).

I would also like to know how Sophos Labs classify those emails (the spam score). On Pure Message there was the spam score level and you could adjust spam and suspicious spam based on the score level, but this is not possible on SEA. This is a missing feature I would like to see.

Guys, what is your point of view? Do you have the same issue?

Thanks



This thread was automatically locked due to age.
  • Hi Luk,

    Bulk mail and spam are treated very differently. In order to get the best results you should ensure you have the following rules:

    High spam, Medium spam, BATV and Bulkmail rules. 

     

    The defaults can be found here:

    https://community.sophos.com/kb/en-us/120802

     

    You could configure the end user portal to allow users to black/white list both spam and bulk mail as well. This ensures that users who wish to receive them can override the spam score and have them delivered via their own personal list.

     

    In regards to a "spam" score, there is no spam score for bulk mail. It is not treated as spam; it's a separate entity on its own.

  • Red_Warrior,

    thanks for your reply, but mine is more a discussion than a question. Sophos and other anti-spam products in general have, in the last few months, been having issues with many ads emails, so a new feature or mechanism should be discovered/added in order to prevent unsolicited mail.

    Having a SPAM score on email can help Administrators to analyze what they receive and adjust their anti-spam settings. Pure Message is a step ahead in this.

    Every country and every organization is a victim of different spam, and not having granularity in the anti-spam settings does not help Admins to control their environment.

    Controlling Allow/block lists is not an ideal approach when you have thousands of mailboxes.

    Thanks

  • If you wish to see spam scores / hits, there are several ways to accomplish this.

    The easiest way would be to add a banner (or mark a log).

     

    Modify your high and medium spam rules.

    Within the rule is the Additional actions tab.

    Select add banner, append to the bottom.

    For your banner text use

    %%HITS%% or %%SPAM_REPORT%% (for a complete list see : http://esa.sophos.com/docs/esa/webhelp/index.html#sea/concepts/PolAboutActionsTempVars.html )

     

    • %%HITS%%: A listing of all the rules that were found by the spam engine.
    • %%SPAM_REPORT%%: A verbose listing of the antispam rules triggered by the message
       

     

    If, for example, you added both, you would have something like this appended to each email (you could tailor the rule or make it user specific if you don't want your users to get this information).

     

    In regards to controlling black/white lists, each user can maintain their own lists when enabled.  You should only add a domain you wish to white list globally through the UI. 

     

    Sample of HITS / SPAM_REPORT:

     

    MIME-Version: 1.0
    Content-Type: multipart/mixed; 
    	boundary="----=_Part_2958930_401560851.1500410258147"
    X-SpOps: id=1500410260.58985 feed=is-spam-raw prty=1
    X-SpamView-Hits: 
     FREEWEB_J_MP 8, IMGSPAM_BODY 0.5, HTML_70_90 0.1, FROM_SAME_AS_TO 0.05, KNOWN_FREEWEB_URI 0.05, SUBJ_FREE_CAP 0.001, BODYTEXTH_SIZE_10000_LESS 0, BODYTEXTP_SIZE_3000_LESS 0, BODYTEXTP_SIZE_400_LESS 0, BODY_SIZE_3000_3999 0, BODY_SIZE_5000_LESS 0, BODY_SIZE_7000_LESS 0, BOUNCE_FROM_E_NULL 0, BOUNCE_RFC822_ATTACH_COMBINED 0, BOUNCE_RFC822_ATTACH_E 0, ECARD_WORD 0, FROM_SAME_AS_TO_DOMAIN 0, IMGSPAM_BODY_2_3 0, NO_REAL_NAME 0, NO_URI_HTTPS 0, SV_ATTACHMENT_NOT_IMG 0, SV_B_HTML_SIMP_EXISTS 0, SV_CS_DQ_FNS_RCVD 0, SV_CS_MIME_VERSION 0, SV_DATE_TIMESTAMP_IN_HDR_X3 0, SV_FROM_DOMAIN_IN_RCVD 0, SV_FROM_SAMEAS_TO 0, SV_HAS_ATTACHMENT 0, SV_HAS_ATTACHMENT_NORFC 0, SV_HAS_HTTP_URI 0, SV_HELO_INTERNAL_IP 0, SV_HREF_LABEL_IMG 0, SV_HREF_LABEL_TEXT 0, SV_HTML_HEADER 0, SV_HTML_NO_HTML 0, SV_HTML_SINGLE_URI 0, SV_HTML_TAG_CENTER 0, SV_HTML_WITHOUT_HTML 0, SV_INTERNAL_IP_RCVD 0, SV_MESSAGE_ATTACHED 0,
     SV_MPART_1_2 0, SV_MPMIXED_MIME1_1_SB 0, SV_MULTI_HREF_SAME_DOMAIN 0, SV_MULTI_URI_SAME_DOMAIN 0, SV_RAND_URI 0, SV_RAWEOB_NO_MAILTO 0, SV_RCVD_DATE_EQ_DATE 0, SV_SNOWSHOE_DELAY 0, SV_SUBJECT_LONG 0, SV_TEXT_AT_BEGINNING_ONLY 0, SV_URI_IMG_SRC 0, SV_URI_MULTILABEL 0, SV_URI_MULTI_SAME_DOMAIN 0, URI_WITH_PATH_ONLY 0, __ANY_URI 0, __ATTACHMENT_SIZE_0_10K 0, __BOUNCE_NDR_SUBJ_EXEMPT 0, __CT 0, __CTYPE_HAS_BOUNDARY 0, __CTYPE_MULTIPART 0, __CTYPE_MULTIPART_MIXED 0, __HAS_ATTACHMENT 0, __HAS_ATTACHMENT1 0, __HAS_ATTACHMENT2 0, __HAS_FROM 0, __HAS_HTML 0, __HAS_MSGID 0, __HTML_AHREF_TAG 0, __HTML_TAG_CENTER 0, __HTML_TAG_IMG_X2 0, __HTTP_IMAGE_TAG 0, __IMGSPAM_BODY 0, __IMGSPAM_BODY_2_3 0, __KNOWN_FREEWEB_URI2 0, __MAL_TELEKOM_URI 0, __MIME_TEXT_H 0, __MIME_TEXT_H1 0, __MIME_TEXT_H2 0, __MIME_TEXT_P 0, __MIME_TEXT_P1 0, __MIME_TEXT_P2 0, __MIME_VERSION 0, __MULTIPLE_URI_HTML 0,
     __MULTIPLE_URI_TEXT 0, __RFC822_ATTACH 0, __SANE_MSGID 0, __SUBJ_ALPHA_END 0, __SUBJ_ALPHA_NEGATE 0, __SV_COMMON_TLD 0, __SV_MULTIPLE_URI_NOSIG 0, __SV_PHISH_SUBJ1 0, __TAG_EXISTS_BODY 0, __TO_MALFORMED_2 0, __TO_NO_NAME 0, __URI_IN_BODY 0, __URI_NOT_IMG 0, __URI_NO_MAILTO 0, __URI_NO_WWW 0, __URI_WITH_PATH 0
    

    X-SpamView-Probability: 86%
    X-SpamView-Scanner: 6.3.3.2656215, Antispam-Engine: 2.7.2.2107409, Antispam-Data: 2017.7.18.203016
    X-SpamView-QueueID: v6IKcM65020344
    X-SpamView-Report: The following antispam rules were triggered by this message:
     Rule Score Description
     FREEWEB_J_MP 8.000 Known spammy web site on j.mp: j.mp: 2uzzw1p
     IMGSPAM_BODY 0.500 image spam as a few images outside of <td> wrapped in <a>
     HTML_70_90 0.100 Message is 70-90% HTML
     FROM_SAME_AS_TO 0.050 To Address is Same as From_Header Address
     KNOWN_FREEWEB_URI 0.050 uri is known to be related to a free hosting provider or free redirector
     SUBJ_FREE_CAP 0.001 Subject contains 'FREE' in CAPS
     BODYTEXTH_SIZE_10000_LESS 0.000 Body size of the text/html part is less than 10k
     BODYTEXTP_SIZE_3000_LESS 0.000 Body size of the text/plain part is less than 3k
     BODYTEXTP_SIZE_400_LESS 0.000 Body size of the text/plain part is less than 400
     BODY_SIZE_3000_3999 0.000 Message body size is 3000 to 3999 bytes
     BODY_SIZE_5000_LESS 0.000 Message body size is less than 5000 bytes.
     BODY_SIZE_7000_LESS 0.000 Message body size is less than 7000 bytes.
     BOUNCE_FROM_E_NULL 0.000 Envelope From header contains NULL address
     BOUNCE_RFC822_ATTACH_COMBINED 0.000 Contains a NULL sender from or envelope from and an rfc822 attachment
     BOUNCE_RFC822_ATTACH_E 0.000 Contains a NULL sender envelope from and an rfc822 attachment
     ECARD_WORD 0.000 Message contains a word mentioning a card of some sort
     FROM_SAME_AS_TO_DOMAIN 0.000 The domain in the From header is the same as that in the To header
     IMGSPAM_BODY_2_3 0.000 image spam as a few images outside of <td> wrapped in <a>
     NO_REAL_NAME 0.000 From: does not include a real name
     NO_URI_HTTPS 0.000 No URI has httpS in URI Part
     SV_ATTACHMENT_NOT_IMG 0.000 Message has any attachment, as long as it is not an image (as found via the content-type "image/")
     SV_B_HTML_SIMP_EXISTS 0.000 b_html_simplified part exists
     SV_CS_DQ_FNS_RCVD 0.000 many Delay Queue FNs messages trigger these rcvd hdr rules (Incident 14382) refer to AS-926
     SV_CS_MIME_VERSION 0.000 Tracking a mime version upper/lower case pattern found in CS text/html UTF-8 mgs incids #15365, #15654
     SV_DATE_TIMESTAMP_IN_HDR_X3 0.000 The minutes and seconds from the timestamp of the Date header can be found in the headers 3 times (at least). 3 because if I assume the last one matches on the Date header again, then I want to make sure we see 2 more before that.
     SV_FROM_DOMAIN_IN_RCVD 0.000 The From domain can be found in the Received, and not as a potential envelope-from address or "self- match"
     SV_FROM_SAMEAS_TO 0.000 Tracking for P4 Change #2687441, AS-1301
     SV_HAS_ATTACHMENT 0.000 Message has any attachment. As determined by the attach header and mimetree
     SV_HAS_ATTACHMENT_NORFC 0.000 Has almost any attachment
     SV_HAS_HTTP_URI 0.000 message has an http based uri
     SV_HELO_INTERNAL_IP 0.000 Internal IP address found in the Received header as "helo"
     SV_HREF_LABEL_IMG 0.000 Href tag uses image as the label
     SV_HREF_LABEL_TEXT 0.000 Href tag uses text as the label
     SV_HTML_HEADER 0.000 contains an HTML header ex. <H1> in body
     SV_HTML_NO_HTML 0.000 HTML part does not contain <html> tag
     SV_HTML_SINGLE_URI 0.000 Html content has just a single uri. 6742
     SV_HTML_TAG_CENTER 0.000 Trying to find all centered HTML content
     SV_HTML_WITHOUT_HTML 0.000 Html part does not start with <html
     SV_INTERNAL_IP_RCVD 0.000 Internal IP address found in the Received header
     SV_MESSAGE_ATTACHED 0.000 Message contains an attached msg
     SV_MPART_1_2 0.000 Mime part 1.2 exists
     SV_MPMIXED_MIME1_1_SB 0.000 Multipart/mixed content type, mimepart 1.1 has small body size < 2k for mp/alt; < 1k for text/plain and text/html
     SV_MULTI_HREF_SAME_DOMAIN 0.000 Message has at least 3 "href=" tags pointing to the same domain with subdir
     SV_MULTI_URI_SAME_DOMAIN 0.000 Message has at least 3 http URIs pointing to the same domain with subdir
     SV_RAND_URI 0.000 uri contains 4 or more consonant in row which is weird
     SV_RAWEOB_NO_MAILTO 0.000 The raw body content does not have "mailto:"
     SV_RCVD_DATE_EQ_DATE 0.000 time stamp from the received header is identical to the Date: time stamp
     SV_SNOWSHOE_DELAY 0.000 Message with snowshoe characteristics
     SV_SUBJECT_LONG 0.000 match all Enlish words, special characters, High bits, as long as the length is at least 50
     SV_TEXT_AT_BEGINNING_ONLY 0.000 There is text only near the beginning of the body
     SV_URI_IMG_SRC 0.000 A URI in the body references to an image
     SV_URI_MULTILABEL 0.000 The very same URI appears in the message with different labels
     SV_URI_MULTI_SAME_DOMAIN 0.000 Message has at least 3 CTA links pointing to the same domain with subdir
     URI_WITH_PATH_ONLY 0.000 The message does not contain a pathless URI
  • Thanks Red_Warrior, this is a nice tip, however... there is no way to use custom anti-spam score settings like in Pure Message.

    Think about importing the anti-spam score toggle levels from Pure Message.

    You can keep standard settings for Standard Users (High, Medium and Low) and advanced settings for Advanced users.

    This can improve the anti-spam catching level per Organization and make Sophos Customers happy.

    Different kind of Organizations > different SPAM >different settings.

    Thanks

  • The Spam score should appear inside the SEA logs and not go to every user. Only Admins need this sort of information.

    This is not acceptable.

    Thanks

  • lferrara said:

    The Spam score should appear inside the SEA logs and not go to every user. Only Admins need this sort of information.

    This is not acceptable.

    Thanks

     

    If you have a syslog server you can export all of this information: under Alerts and Monitoring, select syslog, check off all of the boxes and it will export the mail logs and the message logs.

    The mail log is the Postfix log for each message; the message log is the milter log for each message.

    Example of the message log:

    2017-06-09T11:19:05 q=593AE689_26406_1_1 f=<cut> t=<cut> pmx_reason=Spam at=1,9518,text/plain b=ok h=SXL_URI h=BID_TLD h=FROM_BID_TLD h=DATE_IN_PAST_96_XX h=HTML_00_01 h=HTML_00_10 h=SUPERLONG_LINE h=CS_SUSP_TLD_BODY h=CS_SUSP_TLD_FROM h=DATE_TZ_NA h=DQ_SUSP_4 h=FONT_STYLE_1PT h=NO_URI_HTTPS h=URI_ENDS_IN_HTML h=__ANY_URI h=__C230066_P5 h=__CP_MEDIA_BODY h=__CP_URI_IN_BODY h=__CS_PROD_FROM h=__DQ_HEUR_4 h=__HAS_FROM h=__HAS_MSGID h=__HIGHBITS h=__HTML_AHREF_TAG h=__HTML_FONT_GREEN h=__MIME_TEXT_ONLY h=__MIME_TEXT_P h=__MIME_TEXT_P1 h=__MULTIPLE_URI_TEXT h=__SANE_MSGID h=__STOCK_PHRASE_24 h=__TO_MALFORMED_2 h=__TO_NO_NAME h=__URI_IN_BODY h=__URI_NOT_IMG h=__URI_NS h=__URI_NS_NXDOMAIN h=__URI_WITHOUT_PATH h=__URI_WITH_PATH s=?q?Over_7000_landscaping_ideas_inside..._(open_now) pmx_action=keep,Spam,-,cut@nowhere.com vs p=0.814 fur=none Size=9948 r=200.18.2.1 tm=16.45 a=a/eom

     

    f= and t= are the from and to addresses, s= the subject, p= the spam score, fur= the first untrusted relay.

     

     

  • Red,

    this is not possible. I appreciate your help, but you need to add some extra features to SEA. Yours are workarounds.

    I have spent years on Pure Message protecting 4000+ users and the result was great. Every week I analyzed the SPAM score report from the Pure Message logs and adjusted the Spam and Suspicious spam toggle levels in order to catch even the few SPAM messages previously seen as Suspicious SPAM only, by using the SPAM score.

    On SEA this is a big limitation, because you control the SPAM level.

  • Yes, that's true, you cannot simply open your policy.siv and add some staged spam scores. The email appliance counts 50% and lower as good mail, 51% to 89% as medium and 90%+ as high spam. The only option to change this is via a feature request.

    In regards to what can help you right this very second?

    You may wish to get in on the dogfood release of PMX 6.4. PM me with your company information and contact info and I will create a case for you and send you the repo information. If you're not able/into running a beta you can look forward to the initial release of 6.4. This version includes the delay queue feature of the SEA.
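Added example (editor's code, not from Red_Warrior, lferrara or Sophos): the weekly review lferrara describes, done offline against the syslog-exported message log. It parses lines in the shape of the message-log sample posted above, applies the 50% / 90% bands Red_Warrior states, counts which scored rules fire in each band, and shows which medium-band messages a lower "high" cutoff would have caught, which is the PureMessage-style toggle analysis SEA does not expose. The log lines in the block are constructed to match that shape; the reading of q= as queue ID and h= as one triggered rule per token is taken from the sample, and the pmx_reason=Ok / pmx_action=deliver values on the clean-mail line are assumed, not taken from Sophos documentation.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# CONSTRUCTED sample of SEA message-log (milter) lines as exported via syslog, in the
# shape of the line posted above. Addresses, subjects, IPs and queue IDs are made up,
# and the clean-mail line's pmx_reason=Ok / pmx_action=deliver values are assumed.
SAMPLE_MESSAGE_LOG = """\
2017-06-09T11:19:05 q=593AE689_26406_1_1 f=<promo@example.net> t=<alice@example.com> pmx_reason=Spam at=1,9518,text/plain b=ok h=SXL_URI h=BID_TLD h=FONT_STYLE_1PT h=__ANY_URI s=?q?Over_7000_landscaping_ideas_inside..._(open_now) pmx_action=keep,Spam,-,alice@example.com vs p=0.814 fur=none Size=9948 r=203.0.113.5 tm=16.45 a=a/eom
2017-06-09T11:20:41 q=593AE6E9_26406_2_1 f=<deals@example.org> t=<bob@example.com> pmx_reason=Spam at=1,4210,text/html b=ok h=FREEWEB_J_MP h=IMGSPAM_BODY h=SUBJ_FREE_CAP h=__ANY_URI s=?q?FREE_tickets_this_weekend pmx_action=quarantine,Spam,-,bob@example.com vs p=0.952 fur=198.51.100.7 Size=4310 r=198.51.100.7 tm=3.10 a=a/eom
2017-06-09T11:22:03 q=593AE73B_26406_3_1 f=<news@example.co> t=<alice@example.com> pmx_reason=Spam at=1,7730,text/html b=ok h=HTML_70_90 h=NO_REAL_NAME h=SXL_URI s=?q?Holiday_promotions_just_for_you pmx_action=keep,Spam,-,alice@example.com vs p=0.612 fur=none Size=7802 r=192.0.2.9 tm=5.20 a=a/eom
2017-06-09T11:25:17 q=593AE7FD_26406_4_1 f=<hr@example.com> t=<carol@example.com> pmx_reason=Ok at=1,1200,text/plain b=ok h=__HAS_FROM h=__HAS_MSGID s=?q?Timesheet_reminder pmx_action=deliver,Ok,-,carol@example.com vs p=0.120 fur=none Size=1300 r=192.0.2.10 tm=0.80 a=a/eom
"""

# Bands as stated in the thread: 50% and lower good, 51-89% medium, 90%+ high.
GOOD_MAX = 0.50
HIGH_MIN = 0.90

# After the timestamp every field is key=value with no whitespace inside the value
# (the subject is underscore-encoded); bare tokens such as "vs" carry no "=" and are skipped.
TOKEN_RE = re.compile(r"(\w+)=(\S*)")


@dataclass
class MessageLogEntry:
    timestamp: str
    queue_id: str
    sender: str
    recipient: str
    subject: str
    probability: float
    hits: List[str]
    first_untrusted_relay: str
    fields: Dict[str, str]


def parse_message_log_line(line: str) -> Optional[MessageLogEntry]:
    """Parse one message-log line; returns None for lines that carry no p= score."""
    parts = line.strip().split(None, 1)
    if len(parts) != 2:
        return None
    timestamp, rest = parts
    fields: Dict[str, str] = {}
    hits: List[str] = []
    for key, value in TOKEN_RE.findall(rest):
        if key == "h":  # h= repeats once per triggered rule
            hits.append(value)
        else:
            fields[key] = value
    if "p" not in fields:
        return None
    return MessageLogEntry(
        timestamp=timestamp, queue_id=fields.get("q", ""), sender=fields.get("f", ""),
        recipient=fields.get("t", ""), subject=fields.get("s", ""),
        probability=float(fields["p"]), hits=hits,
        first_untrusted_relay=fields.get("fur", ""), fields=fields,
    )


def classify(probability: float, high_min: float = HIGH_MIN, good_max: float = GOOD_MAX) -> str:
    """Map a p= score onto the appliance's fixed bands, or onto a what-if high cutoff."""
    if probability >= high_min:
        return "high"
    if probability > good_max:
        return "medium"
    return "good"


def band_report(lines: List[str], high_min: float = HIGH_MIN) -> Tuple[Counter, Dict[str, Counter]]:
    """Messages per band plus the rules that fired in each band.
    Rules prefixed "__" are dropped: every such rule in the SPAM_REPORT sample above scores 0.000."""
    bands: Counter = Counter()
    rules: Dict[str, Counter] = {"good": Counter(), "medium": Counter(), "high": Counter()}
    for line in lines:
        entry = parse_message_log_line(line)
        if entry is None:
            continue
        band = classify(entry.probability, high_min=high_min)
        bands[band] += 1
        rules[band].update(h for h in entry.hits if not h.startswith("__"))
    return bands, rules


def would_move_to_high(lines: List[str], new_high_min: float) -> List[MessageLogEntry]:
    """Medium-band messages that a lower 'high' cutoff would have treated as high spam."""
    moved = []
    for line in lines:
        entry = parse_message_log_line(line)
        if entry is None or classify(entry.probability) != "medium":
            continue
        if classify(entry.probability, high_min=new_high_min) == "high":
            moved.append(entry)
    return moved


if __name__ == "__main__":
    lines = SAMPLE_MESSAGE_LOG.splitlines()
    bands, rules = band_report(lines)
    print("messages per band:", dict(bands))
    print("rules seen in medium band:", rules["medium"].most_common(5))
    for entry in would_move_to_high(lines, 0.80):
        print(f"would be high at 0.80: {entry.queue_id} p={entry.probability} s={entry.subject}")
```

Feed it the message-log lines your syslog server collected for the week; the medium-band rule counts show what the appliance is seeing in the ads mail but filing below "high", and `would_move_to_high` quantifies what a different cutoff would have caught, which is the evidence to attach to the feature request rather than a change the appliance lets you make.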

  • Thanks RED. I am still using Pure Message wherever possible. My advice is to improve SEA.

    If you want to open a feature request on behalf of me, let me know via a PM and I will provide you the info requested.

    Regards