When using a Microsoft ISA firewall to publish the email appliance for SMTP traffic, you may experience a higher number of spam messages than expected. Also, you may notice false-positive detections by the Sender Genotype (IP reputation) service.
NOTE: This issue may affect other firewalls, depending on their configuration. Please contact your firewall vendor for details.
Known to apply to the following Sophos product(s) and version(s)
Sophos Email Appliance
The ISA SMTP publishing rule can modify both the TCP connection and the information in the Received headers. This prevents the Sender Genotype service from evaluating the sender's IP address correctly.
This happens when the SMTP publishing rule has the following setting enabled:
'Requests appear to come from the ISA server computer'
This issue occurs because the Sender Genotype service tries to ascertain the 'First Unknown Relay' IP address in order to determine its reputation. The First Unknown Relay IP address should always be the IP address of the sending mail server.
Sender Genotype Connection Level Blocking
Normally, when an SMTP connection is initiated, the connecting relay is the sender's IP address. However, the ISA server can be configured to modify the connection so that it appears to originate from the ISA server itself.
In this scenario, connection level blocking is not possible.
Sender Genotype Policy Level Blocking
If policy level blocking is enabled, or if connection level blocking fails, we will receive the message and then analyze the headers to determine the 'First Unknown Relay'.
Consider this correct Received Header:
Received: from test (mailserver.sender.tld [220.127.116.11]) by ESA.domain.tld (Sophos Email Appliance) with ESMTP id 2A7DC1F2488F_CF3CC27F for <email@example.com>; Mon, 29 Nov 2010 15:51:57 +0000 (GMT)
When the appliance receives the message, we will scan the IP address 18.104.22.168 as the 'First Unknown Relay' address. This is correct, because in this example 22.214.171.124 was the sender of the message.
Now, consider the same Received header when the message has passed through an ISA:
Received: from test (unknown [192.168.1.254]) by ESA.domain.tld (Sophos Email Appliance) with SMTP id F31151F248BA_CF3CB8EF for <firstname.lastname@example.org>; Mon, 29 Nov 2010 15:49:18 +0000 (GMT)
In this example, the ISA server has replaced the IP address of the sending mail server with its own IP address, 192.168.1.254.
As the ISA server in this scenario is using a private IP address, we will continue looking through the Received chain for the First Unknown Relay. This can cause the appliance to reject legitimate mail. For example, we could choose a dynamically assigned IP address further down the chain as the First Unknown Relay and therefore reject the message as coming from a suspicious sender.
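To make the two behaviours above concrete, here is a small Python model of the header walk, added as an illustration for this article; it is not the appliance's own code. The sample Received headers are constructed (documentation IP ranges, a placeholder message id), modelled on the two headers shown above, and the "trusted relay" set and the RFC 1918 internal-address list are assumptions about how such a walk would be configured. The first case shows the sending mail server being chosen as the First Unknown Relay; the second shows the ISA server's private address being skipped so that the walk continues to the dynamically assigned address of the original workstation.

```python
import ipaddress
import re
from typing import Iterable, List, Optional

# Ranges that can never be a sending mail server's public address.
# An explicit RFC 1918 / loopback / link-local list is used instead of
# ipaddress.is_private, because is_private also flags the documentation
# ranges (203.0.113.0/24, 198.51.100.0/24) used in the constructed sample.
_INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]

# The bracketed literal in a Received header's "from host (name [ip])" clause.
_BRACKET_IP = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def received_hops(headers: Iterable[str]) -> List[ipaddress._BaseAddress]:
    """Return the connecting IP of each Received header, most recent hop first.

    Headers are given in message order, so the hop added by the receiving
    appliance is the first element and the oldest hop is the last."""
    hops = []
    for line in headers:
        if not line.lower().startswith("received:"):
            continue
        match = _BRACKET_IP.search(line)
        if not match:
            continue
        try:
            hops.append(ipaddress.ip_address(match.group(1)))
        except ValueError:  # bracketed text that is not an address literal
            continue
    return hops


def is_internal(ip, trusted=frozenset()) -> bool:
    """True for private/loopback addresses and for configured trusted relays."""
    return ip in trusted or any(ip in net for net in _INTERNAL_NETS)


def first_unknown_relay(headers: Iterable[str], trusted=frozenset()) -> Optional[ipaddress._BaseAddress]:
    """Walk the Received chain outward from the appliance and return the first
    hop that is neither internal nor a trusted relay; None if every hop is."""
    for ip in received_hops(headers):
        if not is_internal(ip, trusted):
            return ip
    return None


def connection_level_blocking_possible(connecting_ip: str, trusted=frozenset()) -> bool:
    """Connection-level blocking needs the TCP peer to be the real sender.
    A private peer (for example a NATing ISA server) rules it out."""
    return not is_internal(ipaddress.ip_address(connecting_ip), trusted)


# Constructed sample (not real traffic): the message originated on a
# dynamically assigned ISP address and was relayed by the sender's MTA.
_SENDER_MTA_HOP = ("Received: from workstation (dsl-pool-77.isp.example [198.51.100.77]) "
                   "by mailserver.sender.tld with ESMTP; Mon, 29 Nov 2010 15:40:00 +0000")

# Case 1: the appliance receives the connection directly from the sending MTA.
DIRECT_HEADERS = [
    "Received: from test (mailserver.sender.tld [203.0.113.10]) by ESA.domain.tld "
    "(Sophos Email Appliance) with ESMTP id PLACEHOLDER-ID for <user@example.com>; "
    "Mon, 29 Nov 2010 15:51:57 +0000 (GMT)",
    _SENDER_MTA_HOP,
]

# Case 2: the same message published through an ISA server with
# "Requests appear to come from the ISA server computer" enabled.
VIA_ISA_HEADERS = [
    "Received: from test (unknown [192.168.1.254]) by ESA.domain.tld "
    "(Sophos Email Appliance) with SMTP id PLACEHOLDER-ID for <user@example.com>; "
    "Mon, 29 Nov 2010 15:49:18 +0000 (GMT)",
    _SENDER_MTA_HOP,
]

if __name__ == "__main__":
    for label, hdrs in (("direct", DIRECT_HEADERS), ("via ISA", VIA_ISA_HEADERS)):
        peer = received_hops(hdrs)[0]
        print(f"{label}: TCP peer {peer}; connection-level blocking usable: "
              f"{connection_level_blocking_possible(str(peer))}; "
              f"First Unknown Relay = {first_unknown_relay(hdrs)}")
```

In the direct case the walk stops at 203.0.113.10, the sending mail server, which is the address whose reputation should be checked. In the ISA case the peer 192.168.1.254 is private, so connection-level blocking is unusable and the header walk skips past it to 198.51.100.77, a dial-up style pool address that a reputation service would reasonably treat as suspicious. Adding the ISA address to the trusted set does not help, because the real sender's address has already been overwritten by the time the appliance sees the connection; only the ISA rule change described below restores the correct First Unknown Relay.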
The Sender Genotype service does not work correctly (in either mode) when the ISA SMTP publishing rule has the following setting enabled:
'Requests appear to come from the ISA server computer'
Configure the ISA SMTP publishing rule so that requests appear to come from the original client:
Please contact Microsoft for assistance with configuring your ISA server.
For help with configuring the Sender Genotype Service, please see this article: KBA 112944 - Configuring the Sender Genotype Service
You can check the reputation of an IP address, and request that the IP be re-classified, by using our online tool here: http://www.sophos.com/security/ip-lookup