
Retrieve emails that have been incorrectly discarded?

Hi,

Using the SEA virtual appliance - I have some emails that have been rated as High Spam & Discarded.

They are from a Gmail account with some pictures attached - very little text. I do not know why they have been rated so highly.

Is there any way they can be retrieved? I am unable to submit a false positive to Sophos not-spam.

The end user would also very much like the emails.


Regards,

Tony

Hi Tony,

No messages/copies are stored on the appliance with an action of discard. In this case it would not be possible to retrieve the original message. There are some things you can do.

If you export the mail/message logs to a syslog server you can see the milter policy action in the messages log. This would provide you with the rule and the reason why it was triggered (unlike the UI, which would show "high spam rule" etc.).

If you can have the original sender recreate the false positive, have them create a new message, grab/drop the FP in as a .eml attachment and send it to not-spam@labs.sophos.com, then open a support case. The engineer may be able to see what caused the hit (i.e. the message has a received-by header from a blacklisted IP). As well, if there is some sort of error with the domain/sender, the engineer can raise a labs request.

Another option would be to add the sender to the white-listed senders (not the spam rule); however, this will disable spam checking for any domain listed there.

You could also temporarily change the high spam option to quarantine instead of discard. Once you have the message in the quarantine, locate the message in the UI and release it to yourself. Then create an exception on your outbound spam rules and send it to not-spam as above.

Also have a look at the messages log: click on the More Info link at the bottom, then under Message Details look for any lines that say "received by: xxx". Enter those IPs into mxtoolbox.com's blacklist checker.

The last thing to check is to make sure that your DNS is good. Some messages require what's called an SXL lookup, so if those lookups are being blocked by an upstream firewall or slowed by DNS they could cause false positives (DNS should be less than 1000 ms, or 1 second; normally around 50 ms is good).

Due to the way spam is scored (a logarithmic scale), it's very, very difficult to hit that 90% score on the message body only. If there are attachments (including small pictures and such) or other relay IP addresses, your best bet is to look at those first, e.g. a PNG renamed to a JPG in a signature file would trigger suspect rules.
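As an added example (not part of this thread and not Sophos tooling), the two header and attachment checks the reply suggests, run offline against a constructed .eml: pull the relay IP literals out of the Received headers (the values you would paste into a blocklist checker, here also built into the reverse-octet DNSBL query name with a placeholder zone), and flag attachments whose file signature disagrees with their filename, such as a PNG named .jpg in a signature block.

```python
import email
import re
from email import policy

# Constructed sample (not a real message): two relay hops, and a "photo" whose
# filename says .jpg but whose bytes carry a PNG signature. IPs are documentation ranges.
SAMPLE_EML = b"""Received: from mail.gmail.example (mail.gmail.example [198.51.100.41])
\tby mx.example.test with ESMTPS id abc123; Mon, 1 Jan 2024 10:00:00 +0000
Received: from [192.0.2.10] by smtp.gmail.example with ESMTPSA id xyz789
From: sender@gmail.example
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: image/jpeg; name="sig.jpg"
Content-Disposition: attachment; filename="sig.jpg"
Content-Transfer-Encoding: base64

iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYAAAAAYAAjCB0C8AAAAASUVORK5CYII=
--b1--
"""

# File signatures for the image types a mail signature graphic usually carries.
MAGIC = {b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg", b"GIF87a": "gif", b"GIF89a": "gif"}
EXT_ALIAS = {"jpeg": "jpg"}

def relay_ips(msg):
    """IPv4 literals named in the Received headers, most recent hop first."""
    return re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", " ".join(msg.get_all("Received", [])))

def dnsbl_query_name(ip, zone="dnsbl.example"):
    """Reverse-octet name a DNSBL client resolves for ip; the zone here is a placeholder."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def mismatched_attachments(msg):
    """(filename, declared extension, type from magic bytes) for attachments that disagree."""
    out = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        data = part.get_payload(decode=True) or b""
        actual = next((t for sig, t in MAGIC.items() if data.startswith(sig)), None)
        if actual and actual != EXT_ALIAS.get(ext, ext):
            out.append((name, ext, actual))
    return out

def triage(raw):
    # Parse with the modern policy so iter_attachments() and header unfolding are available.
    msg = email.message_from_bytes(raw, policy=policy.default)
    return {"relays": relay_ips(msg), "mismatches": mismatched_attachments(msg)}
```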