This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Phisthreat emails slow to go out, or don't go out at all

We have been unable to get the "test" to work when creating a campaign. Nothing happens, no error, no warning, no email arrives.

When testing campaigns we thought the emails were not going out, we discovered that they did go out, but may not leave the sophos servers for hours, or even days. We checked the global and campaign settings and the intervals are all blank, which mean that all emails go out at once. I tested myself with only a single account enrolled in the campaign. It has been several hours and the email has not arrived yet.

It is very very hard to test against our anti-spam system when I have to wait days to see if the whitelisting for phishthreat emails is correct. Can these deliveries be done in a timely manner?

 

DAve

 

 



This thread was automatically locked due to age.
Parents
  • Hi Dave,

    If you review the Campaign Overview, what is the status of these emails,? Are they shown as 'Pending', 'Sent' or anything else? 

    If they show as 'Pending' then chances are the start date for the campaign is in the future.

    If they show as 'Sent' then this tells us the email is successfully out of the Phish Threat system, and trying to reach the recipient's address.

    Phish Threat does offer the ability to send out a test email straight away whilst setting up the campaign:

    This test email can be used to check you've correctly white listed our IPs and/ or domains. 

    Regards,

    Byron 

  • Yes, we know about the test. We also read what little there is about running a campaign and watched the videos.

    The problem is that the messages take days to leave the Sophos servers. Days.

    Received: from mail.greenfieldin.org ([127.0.0.1])
    	by localhost (XXXXX.greenfieldin.org [127.0.0.1]) (amavisd-new, port 10024)
    	with ESMTP id EKM6gS_Pa2vv for <dgoodrich@greenfieldin.org>;
    	Sun,  6 Aug 2017 18:30:28 -0400 (EDT)
    Received: from mail.greenfieldin.org (XXXXX.greenfieldin.org [10.16.2.92])
    	by XXXXX.greenfieldin.org (Postfix) with SMTP id 5383F6638004
    	for <XXXXX@greenfieldin.org>; Sun,  6 Aug 2017 18:30:28 -0400 (EDT)
    Received: from jive.phishthreat.com (jive.phishthreat.com [107.170.253.6])
    	by XXXXX.greenfieldin.org (Postfix) with ESMTPS id 2274C6638003
    	for <XXXXX@greenfieldin.org>; Sun,  6 Aug 2017 18:30:28 -0400 (EDT)
    Received: from PhishThreatVM (unknown [13.89.43.225])
    	by jive.phishthreat.com (Postfix) with ESMTP id 51F5A18020B
    	for <XXXXX@greenfieldin.org>; Thu,  3 Aug 2017 12:29:55 -0600 (MDT)

    Dave
  • Hello Dave,

    Please could you send me your Sophos license number directly and I'll raise a support request on your behalf. It seems further investigation is required here. 

    For others reading this post I'll be sure to update it once we've taken a look into this. 

    Regards,

    Byron 

  • Thank you Byron,

    Yesterday morning seemed much better. I was able to get the emails, both test and campaign, delivered promptly. Again this morning the emails are delivering in minutes instead of days as well. We finished our setup and successfully passed all emails through both Pure Message and our MTA AV system.

    At this point everything seems much faster than last week. We will send our first campaign out this afternoon.

    DAve

  • We started our first full campaign yesterday morning, 199 recipients. I have not received my email yet. Looking at the dashboard gives no useful information. It claims all 199 emails are pending, yet also shows 15 have been opened.

    Do we know where the emails are? I do not see them in any of my MTA queues and the dashboard gives me precious little information.

    DAve

  • No change this morning. I still have not gotten my campaign email and the dashboard, or campaign overview, are not updating.

    Do we know where my emails are? Do we know where my email are? Do we know when reporting will catch up? It has been nearly 48 hours.

    DAve

  • Hi Dave,

    Please could you send me your Sophos license number directly and I'll raise a support request on your behalf. It seems further investigation is required here.

    Thanks,

    Byron

  • PM sent to Byron this morning as the dashboard has not changed, still nothing reported and the phishing emails are still straggling in.

    DAve

  • Still no change, and I still have not gotten my phish email. The system still says none have gone out, yet 49 people have opened the emails. I can confirm that some have been delivered.

    DAve

  • No change this morning in the sent line, I do have one user who completed training and that showed up oddly enough. One test email has come through the IT department, my co-worker got it yesterday. Still nothing for me.

     

    The value of this tool is the timely and accurate reporting of what our users do, we are just not seeing that here.

    DAve

Reply
  • No change this morning in the sent line, I do have one user who completed training and that showed up oddly enough. One test email has come through the IT department, my co-worker got it yesterday. Still nothing for me.

     

    The value of this tool is the timely and accurate reporting of what our users do, we are just not seeing that here.

    DAve

Children
  • We have a change in behavior now, we have multiple people reporting they received the same message again. The reporting is still incorrect/behind/wrong.

    Byron,

    Did you get what you needed from the mail logs? I need to end this campaign as having multiple emails being delivered to employees is not creating a training environment, it is creating confusion.

    DAve

  • We have ended the campaign at this point as Byron's team researches the issue. We are debating whether we should try another campaign at this point.

    DAve

  • Hi Dave,

    I'm the product manager for Sophos Phish Threat. First off, thanks for raising this and apologies for the frustration I'm sure it's caused. I can assure you we're actively investigating the issue and hope to find a resolution as soon as possible.

    Additionally, I want to clarify one thing: the only type of campaigns affected are Attachment campaigns. Should you choose to start a new campaign, know that Phishing, Credential Harvesting, and Training campaigns are all functioning as expected.

    Thanks,
    Scott

  • Thanks Scott. Please keep this thread open and let us know when the problem is resolved. We may run a training campaign next week and then another test campaign the week after. We do not want to barrage the users all at once with PT, rather it should be a once per month at some random date/time for as long as we maintain the license.

     

    DAve

  • I cancelled the campaign Friday morning and emails are still arriving to my employees. If I had to hazard a guess, I would say the problem lies in the Phish Threat mail queue. Can anyone tell how many emails destined for my domain (greenfieldin.org) are still in there? While you are there, can you stop them? Please.

    DAve

  • My vote goes for a stuffed mail queue on jive.phishthreat.com.

    After Byron's message about the attachment PT campaigns having issues I tried a training campaign, but only to the IT staff which is just four people. Everyone got their training email, and their reminders, all at the same time. The emails were three days late and came in one flood.

    We have stopped the planned use of Phish Threat and moved on to other projects until the system is working in a timely manner.

    DAve

     

  • Hi Dave,

    I've been informed by our Development team that the problem has now been resolved. Please update this post if there are any problems on your side. 

    Regards,

    Byron

     

  • Thanks Byron,

    We have work piling up this week. I will try to get to it Monday and send another test campaign out then.

     

    DAve

  • Byron,

    The system seems to be working as intended now, thank you! We did a short test campaign this morning and when everything worked, we created a new campaign for the whole City and ran it with success.

    We had one issue so far, but that was with Endpoint not catching the malware attachment on the PhishThreat email on every machine, just some of them. I have opened a thread on the Endpoint forum about that.

    DAve