Sophos is investigating reports from Sophos XG, UTM, Cyberoam and Central customers that legitimate email is being quarantined.
Note: This issue seems to be mostly affecting customers with British domains (co.uk, ltd.uk, .uk).
Applies to the following Sophos product(s) and version(s): Sophos XG, UTM, Cyberoam and Central Email
Some Sophos customers may experience legitimate emails being blocked or quarantined. Inbound and outbound emails are affected.
Some appliances are still reporting false positive SPAM detections due to cached lookups. Sophos has released a hotfix via a pattern update to clear the cache automatically on SG/XG appliances. This has now been released for all versions of the UTM and XG.
Note: If you are still experiencing false positive detections, the steps below will clear the cache manually for each affected product.
We also recommend reviewing the content of your quarantine to ensure that any erroneously quarantined emails are released. This can be done by either the administrator or by the end user if the respective product end user portal is enabled.
Sophos UTM:
To clear the cache manually, run the following commands as root:
    /var/mdw/scripts/ctasd_inbound stop
    /var/mdw/scripts/ctasd_outbound stop
    mv /var/cache/ctasd /var/cache/ctasd.old
    /var/mdw/scripts/ctasd_inbound start
    /var/mdw/scripts/ctasd_outbound start
Note: If /var/cache/ctasd.old already exists from an earlier run, remove or rename it first; otherwise mv moves the live cache directory inside it instead of replacing it, and the old cache directory name is not freed.
In order to review the quarantine and release any affected mail, please refer to the Mail Manager section (page 336) of the UTM Administrator Guide. Mail Manager can be located under Email Protection > Mail Manager in the UTM user interface.
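The following is an added example, not a Sophos script: the UTM procedure above wrapped in a shell function that checks the exit status of each step, refuses to touch the cache while a scanner failed to stop, and rotates the cache to a backup name that cannot collide with a previous run. The default paths are the ones the article gives; the two optional arguments (script directory, cache directory) are an assumption added so the function can be exercised against a stub directory tree, and the example assumes the ctasd_inbound/ctasd_outbound scripts return a non-zero exit status when they fail.

```shell
#!/bin/sh
# Added example, not Sophos's own script. Wraps the article's UTM
# cache-clearing steps with exit-status checks and a unique backup name.
# Defaults are the paths from the article; the arguments are an assumption
# so the function can run against stub directories instead of a live box.

clear_ctasd_cache() {
    script_dir="${1:-/var/mdw/scripts}"
    cache_dir="${2:-/var/cache/ctasd}"

    # Stop both scanners before touching the cache. Abort on the first
    # failure rather than renaming a directory a running daemon still uses.
    "$script_dir/ctasd_inbound" stop || { echo "ctasd_inbound stop failed" >&2; return 1; }
    "$script_dir/ctasd_outbound" stop || { echo "ctasd_outbound stop failed" >&2; return 1; }

    # A plain 'mv /var/cache/ctasd /var/cache/ctasd.old' moves the live cache
    # *inside* ctasd.old when that directory already exists from an earlier
    # run. Build a timestamped name and bump a counter until it is unused.
    base="${cache_dir}.old.$(date +%Y%m%d%H%M%S)"
    backup="$base"
    n=0
    while [ -e "$backup" ]; do
        n=$((n + 1))
        backup="$base.$n"
    done

    if [ -d "$cache_dir" ]; then
        mv "$cache_dir" "$backup" || { echo "could not move $cache_dir" >&2; return 1; }
    else
        backup=""   # nothing cached; still restart the scanners below
    fi

    # Restart in the same order the article gives. The old cache stays
    # under $backup for inspection whether or not the restart succeeds.
    "$script_dir/ctasd_inbound" start || { echo "ctasd_inbound start failed" >&2; return 1; }
    "$script_dir/ctasd_outbound" start || { echo "ctasd_outbound start failed" >&2; return 1; }

    # Print the backup path so the caller can delete it once the false
    # positives have stopped.
    echo "$backup"
}

# Run the live procedure only when invoked with --run (as root on the UTM);
# sourcing or running the file without it just defines the function.
if [ "${1:-}" = "--run" ]; then
    clear_ctasd_cache
fi
```

Run it as `sh clear_ctasd_cache.sh --run` on the appliance; the printed path is the copy of the old cache, which can be deleted once legitimate mail is no longer being quarantined.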
Sophos XG Firewall:
To clear the cache manually, log in as admin and run the following commands:
    service antispam:stop -ds nosync
    rm -rf /sdisk/as/*
    rm -rf /sdisk/os/*
    service antispam:start -ds nosync
Note: Unlike the UTM procedure, these commands delete the cached data rather than keeping a copy; stop the antispam service first, as shown, so the cache is not removed while the service is still using it.
In order to review the quarantine and release any affected mail please refer to the Sophos XG Firewall online help section. SMTP Quarantine can be located under Email > SMTP Quarantine in the XG Firewall user interface
Cyberoam:
Affected customers should contact Sophos Support. In order to review the quarantine and release any affected mail, please refer to page 41 of the Cyberoam OS Administration Guide.
Sophos Central Email:
No action is required to clear the cache. Services were restarted at noon on 8th May and no new mail should be affected by this issue after this time. In order to review the quarantine for Sophos Email and release any affected mail, please refer to the Sophos Email online help.
The issue with the live lookup data has been resolved; however, some cached data may still be causing problems. Any customers still experiencing false positive detections should carry out the steps above for their impacted product.
If symptoms are still being experienced after carrying out these steps, please contact Sophos Support with a sample of the released email if possible.
Moving forward, customers should subscribe to the Sophos SMS Mobile Notification service to be notified of product issues such as this.