SEA High spam rating problems.

Hi,

Our SEA is set pretty much with default recommended values. Its set to discard "High" rated spam and quarantine "Medium" spam.

This appears to work but 

- In the last 24 hours I have 3 different occurrences of an end user sending an email from a personal gmail account (and an aol.com account) with a subject line filled in but no text in the body of the email - WITH a jpg photo attached.

The email is rated as "High spam to all" and discarded. I really do not wish to whitelist any emails addresses. Is there something I am missing in the settings? I have also disabled the sender genotype filtering as this puts many genuine emails into quarantine.

Its not practical to set spam high to quarantine - there are very few features left to turn off - I will be left having to manually filter all our mail!

The Only fix for the above is to as the end users to add a blocked keyword into the email. this forces the message to get blocked in quarantine, then I can forward the message to myself and pass to the end user. 

Does anyone else have the same problems? Is there a better solution? 

Thanks,

Tony

  • The fact you have disabled "sender genotype filtering" is troubling - this is standard IP reputation blocking and if you are having trouble with this I would say that you have not setup the networking correctly - The Email Appliance must be exposed directly to they internet (DNAT etc - no proxying) and the first hop (MX gateway) in the chain. If its the second in the chain then you must set the upstream server/s as a trusted relay so that it will not do network reputation tests on these relays.

    This can effect not only the IP reputation but also many other rules in SEA so should be set regardless if there is an upstream MX server.

     

     

    You really need to look at the logs to get a good idea on what is going on and unfortunately SEA is terrible with its log output in the GUI - you really need to use the syslog output so you can see the full MTA and SEA logs on each message to get a good idea on what is going on. BUT based on your description I think you have an issue with an upstream relay that is untrusted and needs to be trusted to work properly.

  • In reply to AlexBruce:

    Hi Alex,

    Many thanks for this information. I need to double check my networking. Our mx record external IP enters our network into a Sophos UTM then a DNAT rule passes the traffic to the LAN address of the SEA virtual appliance. Do I need to enter our external IP address as an upstream relay?

    Thanks & Regards,

    Tony

  • In reply to Tony Smith2:

    Are you using the UTM Email Protection? Do you have some form of upstream in-the-cloud filtering like SMX?

     

    If its a direct DNAT rule and the MX record is pointing to the external IP of the UTM then that should be fine and no need for using upstream trust. As to why genotype is not working for you is very strange then as this is clearly blacklisted IPs that really should be blocked. Similar but generally better than using standard xen list on Spamhaus etc. The only other thing being are you using the "proactive IP connection control for blocking suspicious hosts" option and your are dealing with mailservers that are coming from dynamic IP ranges (ISP dynamic IPs) then this will block them. Disabling this might help but generally you shouldn't be accepting email from dynamic IP ranges as they wont be legitimate mail servers.