This knowledge base article contains the recommended baseline configuration for detecting spam on an email appliance. The headings below describe the default configuration and the settings you should configure at a minimum.
Applies to the following Sophos products and versions: Sophos Email Appliance, Sophos Email Appliance Virtual
The Sophos Email Appliance (SEA) has two default inbound Anti-Spam policy rules. They are High Spam and Medium Spam which have different actions. Messages that are classified as High are discarded and Medium ones are quarantined as shown below.
It is recommended to leave these settings as default.
Along with the inbound policy, there are equivalent outbound policy rules that check for High Spam and Medium Spam. On the outbound rules, however, the action for both is to quarantine the message rather than discard (High) and quarantine (Medium). It is also recommended to leave these at their default settings.
Both the inbound and outbound policy rules have the ability to select what senders or recipients are exempt or not exempt from being tested. By default all recipients are tested inbound, and all senders are tested outbound.
If you experience unexpected results, leave the entries at their defaults.
Note: Include applies only to the added recipients and/or senders, and Exclude applies only to the added recipients and/or senders.
The Sophos Email Appliance has a feature that allows for messages to be blocked based on Sender Genotype. It is recommended to select the default settings as shown below.
Note: If your appliance does not receive SMTP connections directly from the internet or is behind another relay, you will need to change the service from "connection-level" blocking to "policy-level" blocking.
Bulk messages are messages sent from email service providers that deliver solicited and unsolicited content. The bulk message rule targets all messages that are bulk in nature. These are messages which users have opted to receive, not spam. It is recommended to take action on bulk messages and have individual users whitelist only those bulk messages they want delivered.
The bulk policy rule is found under Additional Policy as an inbound rule type only. It is recommended that the rule be created with an action of "tag and continue". This way users still receive bulk mail, and those who did not want it can see from the tag that these are bulk messages rather than spam.
The opposite method would be to quarantine the message as bulk and have each user maintain a personal list of approved bulk senders through the end-user quarantine interface.
Administrators have the ability to globally allow and restrict senders and hosts. Allowed hosts/senders have a default action of deliver.
The Allow List identifies specific hosts and senders that are white-listed through the mail filter and therefore bypass the Anti-Spam tests.
Entries in the lists must use the following syntax:
Hosts: IP address, host, domain, or CIDR range
e.g. 184.108.40.206, 220.127.116.11/10, host.example.com
Senders: domain or email address
e.g. @example.com or email@example.com
Anti-Spoof: Please see the Anti-Spoof Protection KB article.
Additional Notes: Do not put domains into the hosts table for allow lists! This could potentially allow unwanted messages through.
If you receive unwanted messages that appear to be spam, review your allow lists to make sure the host or sender was not exempt from testing.
Administrators have the ability to allow users to edit their Allow/Block senders list from within the end-user quarantine interface. These entries are not manageable by the admin in the administration interface. If a spam message is received, verify that the individual user did not allow it by entering a domain or sender address in their personal list.
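The entry syntax and the "no domains in the hosts table" note above can be checked before entries are added. The following is an added example, not appliance code: it classifies hosts-table and senders-list entries using the syntax described here and flags entries an administrator should review. The two-label heuristic for spotting a bare domain (example.com versus host.example.com) is an assumption of this example, not something the appliance does.

```python
import ipaddress
import re

# Hypothetical helper (not part of the appliance): validates Allow List entries.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I)
SENDER_RE = re.compile(r"^(@|[^@\s]+@)(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def classify_host_entry(entry: str) -> str:
    """Return 'ip', 'cidr', 'hostname', 'domain' (review!) or 'invalid'."""
    e = entry.strip()
    try:
        ipaddress.ip_address(e)
        return "ip"
    except ValueError:
        pass
    try:
        ipaddress.ip_network(e, strict=False)  # accepts 220.127.116.11/10
        return "cidr"
    except ValueError:
        pass
    if HOSTNAME_RE.match(e):
        # Heuristic assumed by this example: only two labels (example.com) means a
        # bare domain, which the KB says must not go into the hosts table.
        return "hostname" if e.count(".") >= 2 else "domain"
    return "invalid"


def classify_sender_entry(entry: str) -> str:
    """Return 'domain' (@example.com), 'address' (user@example.com) or 'invalid'."""
    e = entry.strip()
    if not SENDER_RE.match(e):
        return "invalid"
    return "domain" if e.startswith("@") else "address"


def audit_allow_lists(hosts, senders):
    """Return (entry, problem) tuples for entries an administrator should review."""
    findings = []
    for h in hosts:
        kind = classify_host_entry(h)
        if kind == "invalid":
            findings.append((h, "hosts table: not an IP, CIDR range or hostname"))
        elif kind == "domain":
            findings.append((h, "hosts table: bare domain; use a host or the senders list"))
    for s in senders:
        if classify_sender_entry(s) == "invalid":
            findings.append((s, "senders list: must be @domain or user@domain"))
    return findings


# Constructed sample lists for demonstration.
SAMPLE_HOSTS = ["184.108.40.206", "220.127.116.11/10", "host.example.com", "example.com", "not a host"]
SAMPLE_SENDERS = ["@example.com", "email@example.com", "example.com"]
```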
The SMTP Options page contains a tab called Perimeter Protection; the default settings are "Block mail from non-existent domains" and "Denial of service & directory harvest protection". It is recommended to leave the settings as shown below.
Also on the SMTP Options page is a tab called Delay Queue. When turned on, the appliance delays suspected spam that was not caught on the first round of scanning for 10 - 60 minutes and rescans it afterwards. This helps prevent snowshoe spam campaigns from being delivered on initial arrival. By default, the Delay Queue status is set to "Collect", which gathers information about suspect spam but does not actively delay mail. It is recommended to turn the feature on but leave the rest of the settings at their defaults as shown below.
Trusted relays are hosts that connect the appliance to the internet. These hosts are either gateways or forwarders or perhaps another email server passing messages to the appliance.
Adding a trusted relay value excludes that address from being queried as part of the spam score. Only add trusted relays if mail is forwarded from a legitimate host/gateway in your network.
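The effect of a trusted relay, and of the note above about an appliance sitting behind another relay, can be illustrated by walking a message's Received headers. This is an added example and not appliance code: it skips hops that fall inside assumed trusted-relay ranges and returns the first untrusted connecting IP, the address whose reputation a spam scan should actually consider. The relay ranges and the message headers are constructed for the example.

```python
import email
import ipaddress
import re

# Constructed trusted-relay ranges for this example (an internal gateway network).
TRUSTED_RELAYS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.50.0/24")]

# Connecting IP in the bracketed part of a Received header: "from host (name [1.2.3.4])".
RECEIVED_IP_RE = re.compile(r"from\s+\S+.*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)


def received_ips(raw_message: bytes) -> list:
    """Connecting IPs from each Received header, newest hop (our side) first."""
    msg = email.message_from_bytes(raw_message)
    ips = []
    for hdr in msg.get_all("Received", []):
        m = RECEIVED_IP_RE.search(hdr)
        if m:
            ips.append(ipaddress.ip_address(m.group(1)))
    return ips


def is_trusted(ip, relays=TRUSTED_RELAYS) -> bool:
    return any(ip in net for net in relays)


def originating_ip(raw_message: bytes, relays=TRUSTED_RELAYS):
    """First hop that is not a trusted relay, or None if every hop is trusted.

    With no relays configured the internal gateway itself is returned, which is
    why reputation checks would be skewed without a trusted-relay entry."""
    for ip in received_ips(raw_message):
        if not is_trusted(ip, relays):
            return str(ip)
    return None


# Constructed sample: the appliance accepted the message from an internal gateway
# (192.168.50.10), which had accepted it from an internet host (203.0.113.7).
SAMPLE = b"""Received: from gw.example.internal (gw.example.internal [192.168.50.10])
    by appliance.example.internal with ESMTP id abc123;
    Mon, 1 Jan 2024 10:00:00 +0000
Received: from mail.sender.example (mail.sender.example [203.0.113.7])
    by gw.example.internal with ESMTP; Mon, 1 Jan 2024 09:59:58 +0000
From: someone@sender.example
To: user@example.com
Subject: constructed test message

body
"""
```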