This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Mail gmail placed in quarantine

All mail coming from gmail are considered like spam and placed in quarantine

 

 

 

2017-07-20T14:59:27 q=5970B73F_63125_1931_1 f=<anis.android@gmail.com> t=<assistanceadsl@orangetunisie.tn> pmx_reason=?q?External_Spam_over_50 at=1,220,multipart/alternative at=1,27,text/html at=1,2,text/plain b=ok h=SXL_IP_SPAM h=EMPTY_BODY h=FORGED_FROM_GMAIL h=HTML_90_100 h=HTML_NO_HTTP h=BODYTEXTH_SIZE_10000_LESS h=BODYTEXTP_SIZE_3000_LESS h=BODYTEXTP_SIZE_400_LESS h=BODY_SIZE_1000_LESS h=BODY_SIZE_2000_LESS h=BODY_SIZE_200_299 h=BODY_SIZE_5000_LESS h=BODY_SIZE_7000_LESS h=DKIM_SIGNATURE h=HEX28_LC_NOT_GOOGLE h=NO_CTA_URI_FOUND h=NO_URI_FOUND h=NO_URI_HTTPS h=SMALL_BODY h=WEBMAIL_SOURCE h=__CT h=__CTYPE_HAS_BOUNDARY h=__CTYPE_MULTIPART h=__CTYPE_MULTIPART_ALT h=__FRAUD_WEBMAIL h=__FRAUD_WEBMAIL_FROM h=__FROM_GMAIL h=__HAS_FROM h=__HAS_HTML h=__HAS_MSGID h=__HEX28_LC_BOUNDARY h=__HTML_TAG_DIV h=__MIME_HTML h=__MIME_TEXT_H h=__MIME_TEXT_H1 h=__MIME_TEXT_H2 h=__MIME_TEXT_P h=__MIME_TEXT_P1 h=__MIME_TEXT_P2 h=__MIME_VERSION h=__PHISH_SPEAR_HTTP_RECEIVED h=__PHISH_SPEAR_STRUCTURE_1 h=__RUS_MIME_NO_TEXT h=__SANE_MSGID h=__SUBJ_ALPHA_START h=__TO_MALFORMED_2 h=__TO_NO_NAME h=__YOUTUBE_RCVD s=?q?reception_orangetunisietn pmx_action=?q?quarantine,External_Spam_over_50,-,assistanceadsl@orangetunisie.tn,assistanceadsl@orangetunisie.tn vs p=0.846 Inbound fur=1.1.1.1 Size=3085 External_Spam_Over_50 r=1.1.1.12 tm=0.30 a=d/eom



This thread was automatically locked due to age.
Parents
  • HelloOTNSECOTN

    Based on this log log of characteristics indicate that it could be a spam.

    For me this message is tagged because is member of our XSL database.

    Please note , that fur (first Untrusted Relay) is special, same for r (relay)

    Log :

    2017-07-20T14:59:27 q=5970B73F_63125_1931_1 f=<anis.android@gmail.com> t=<assistanceadsl@orangetunisie.tn> pmx_reason=?q?External_Spam_over_50 at=1,220,multipart/alternative at=1,27,text/html at=1,2,text/plain b=ok h=SXL_IP_SPAM h=EMPTY_BODY h=FORGED_FROM_GMAIL h=HTML_90_100 h=HTML_NO_HTTP h=BODYTEXTH_SIZE_10000_LESS h=BODYTEXTP_SIZE_3000_LESS h=BODYTEXTP_SIZE_400_LESS h=BODY_SIZE_1000_LESS h=BODY_SIZE_2000_LESS h=BODY_SIZE_200_299 h=BODY_SIZE_5000_LESS h=BODY_SIZE_7000_LESS h=DKIM_SIGNATURE h=HEX28_LC_NOT_GOOGLE h=NO_CTA_URI_FOUND h=NO_URI_FOUND h=NO_URI_HTTPS h=SMALL_BODY h=WEBMAIL_SOURCE h=__CT h=__CTYPE_HAS_BOUNDARY h=__CTYPE_MULTIPART h=__CTYPE_MULTIPART_ALT h=__FRAUD_WEBMAIL h=__FRAUD_WEBMAIL_FROM h=__FROM_GMAIL h=__HAS_FROM h=__HAS_HTML h=__HAS_MSGID h=__HEX28_LC_BOUNDARY h=__HTML_TAG_DIV h=__MIME_HTML h=__MIME_TEXT_H h=__MIME_TEXT_H1 h=__MIME_TEXT_H2 h=__MIME_TEXT_P h=__MIME_TEXT_P1 h=__MIME_TEXT_P2 h=__MIME_VERSION h=__PHISH_SPEAR_HTTP_RECEIVED h=__PHISH_SPEAR_STRUCTURE_1 h=__RUS_MIME_NO_TEXT h=__SANE_MSGID h=__SUBJ_ALPHA_START h=__TO_MALFORMED_2 h=__TO_NO_NAME h=__YOUTUBE_RCVD s=?q?reception_orangetunisietn pmx_action=?q?quarantine,External_Spam_over_50,-,assistanceadsl@orangetunisie.tn,assistanceadsl@orangetunisie.tn vs p=0.846 Inbound fur=1.1.1.1 Size=3085 External_Spam_Over_50 r=1.1.1.12 tm=0.30 a=d/eom

    Action: 

    • Retrieve the message on edge server
    • perform the following command : pmx-spam scan MSG (copy/past output of this command)

    --

    Best regards,
    Florian (aka LEFBE)
    Sophos Technical Account Manager

  • Hi LIFBE

    Sorry but how i can retrieve the message on edge server, which command i must use

     

Reply Children
  • Hi OTNSECOTN,

    I hope your weekend was nice

    The best action is describe below:

    • Find the impacted message in Quarantine [Quarantine > Manage Quarantine]
    • Click on blue enveloppe
    • Go to quarantine info tab
    • Milter host give you the name of the edge server you manage this email
    • Global-id provide the file name stored on milter host (like 1835-1) | 1835 is the mail in quarantine, 1 is the location ID (mainly edge server)
    • On edge server, perform the following command : find /opt/pmx6/var/qdir/ -name "1835" (please adapt the number)
    • you will get the stored path of you email.
    • perform the commands provided above

    --

    Best regards,
    Florian (aka LEFBE)
    Sophos Technical Account Manager

  • Hi LEFBE
    Thank you for your response, and i have great pleasure to discuss with you
    you can find the result of two message scan below

     

    $ pmx-spam scan /opt/pmx6/var/qdir/cur/5/19/19599
    Subroutine Logger::log redefined at /opt/pmx6/bin/pmx-spam line 256.
    Scanning /opt/pmx6/var/qdir/cur/5/19/19599#1
    Use of uninitialized value in subroutine entry at /opt/pmx6/lib/site_perl/5.8.7/i686-linux-thread-multi/ActiveState/PCRE.pm line 94.
    Use of uninitialized value in subroutine entry at /opt/pmx6/lib/site_perl/5.8.7/i686-linux-thread-multi/ActiveState/PCRE.pm line 94.
    Use of uninitialized value in subroutine entry at /opt/pmx6/lib/site_perl/5.8.7/i686-linux-thread-multi/ActiveState/SpamEngine/Plugin/uri.pm line 107.
        BODYTEXTH_SIZE_10000_LESS: w+=00.000 pd+=00.000 t=+00.000 [ text/html, 860]
         BODYTEXTP_SIZE_3000_LESS: w+=00.000 pd+=00.000 t=+00.000 [ text/plain, 207]
          BODYTEXTP_SIZE_400_LESS: w+=00.000 pd+=00.000 t=+00.000 [text/plain, 207]
              BODY_SIZE_3000_3999: w+=00.000 pd+=00.000 t=+00.000 [1 multipart/alter                                                                             native, 3470]
              BODY_SIZE_5000_LESS: w+=00.000 pd+=00.000 t=+00.000
              BODY_SIZE_7000_LESS: w+=00.000 pd+=00.000 t=+00.000
                   DKIM_SIGNATURE: w+=00.000 pd+=00.000 t=+00.000 [v]
                FORGED_FROM_GMAIL: w+=00.100 pd+=00.000 t=+00.100
                FRAUD_LITTLE_BODY: w+=02.000 pd+=00.000 t=+02.100
              HEX28_LC_NOT_GOOGLE: w+=00.000 pd+=00.000 t=+02.100
                       HTML_70_90: w+=00.100 pd+=00.000 t=+02.200 [0.776485788113695                                                                             ]
                     HTML_NO_HTTP: w+=00.100 pd+=00.000 t=+02.300
                        IN_REP_TO: w+=00.000 pd+=00.000 t=+02.300
                 LEGITIMATE_SIGNS: w+=00.000 pd+=00.000 t=+02.300
                 LEO_OBFU_SUBJ_RE: w+=00.100 pd+=00.000 t=+02.400 [Re: Test sophos]
                       MSG_THREAD: w+=00.000 pd+=00.000 t=+02.400
                     NO_URI_HTTPS: w+=00.000 pd+=00.000 t=+02.400
                       REFERENCES: w+=00.000 pd+=00.000 t=+02.400
                      SXL_IP_SPAM: w+=08.000 pd+=00.000 t=+10.400 [6.232.203.196.fur                                                                             ]
                   WEBMAIL_SOURCE: w+=00.000 pd+=00.000 t=+10.400
      Summary: total=10.400 pdelta=0.000 p=94%
     
     
      
     
     
     
     
      $ pmx-spam scan /opt/pmx6/var/qdir/cur/5/19/19553
    Subroutine Logger::log redefined at /opt/pmx6/bin/pmx-spam line 256.
    Scanning /opt/pmx6/var/qdir/cur/5/19/19553#1
    Use of uninitialized value in subroutine entry at /opt/pmx6/lib/site_perl/5.8.7/i686-linux-thread-multi/ActiveState/PCRE.pm line 94.
    Use of uninitialized value in subroutine entry at /opt/pmx6/lib/site_perl/5.8.7/i686-linux-thread-multi/ActiveState/PCRE.pm line 94.
    Use of uninitialized value in subroutine entry at /opt/pmx6/lib/site_perl/5.8.7/i686-linux-thread-multi/ActiveState/SpamEngine/Plugin/uri.pm line 107.
    Use of uninitialized value in subroutine entry at /opt/pmx6/lib/site_perl/5.8.7/i686-linux-thread-multi/ActiveState/SpamEngine/Plugin/uri.pm line 107.
    Use of uninitialized value in subroutine entry at /opt/pmx6/lib/site_perl/5.8.7/i686-linux-thread-multi/ActiveState/SpamEngine/Plugin/uri.pm line 107.
        BODYTEXTH_SIZE_10000_LESS: w+=00.000 pd+=00.000 t=+00.000 [ text/html, 490]
         BODYTEXTP_SIZE_3000_LESS: w+=00.000 pd+=00.000 t=+00.000 [ text/plain, 193]
          BODYTEXTP_SIZE_400_LESS: w+=00.000 pd+=00.000 t=+00.000 [text/plain, 193]
              BODY_SIZE_2000_2999: w+=00.000 pd+=00.000 t=+00.000 [1 multipart/alternative, 2982]
              BODY_SIZE_5000_LESS: w+=00.000 pd+=00.000 t=+00.000
              BODY_SIZE_7000_LESS: w+=00.000 pd+=00.000 t=+00.000
                   DKIM_SIGNATURE: w+=00.000 pd+=00.000 t=+00.000 [v]
                FORGED_FROM_GMAIL: w+=00.100 pd+=00.000 t=+00.100
                FRAUD_LITTLE_BODY: w+=02.000 pd+=00.000 t=+02.100
              HEX28_LC_NOT_GOOGLE: w+=00.000 pd+=00.000 t=+02.100
                       HTML_50_70: w+=00.100 pd+=00.000 t=+02.200 [0.574235807860262]
                     HTML_NO_HTTP: w+=00.100 pd+=00.000 t=+02.300
                        IN_REP_TO: w+=00.000 pd+=00.000 t=+02.300
                 LEGITIMATE_SIGNS: w+=00.000 pd+=00.000 t=+02.300
                       MSG_THREAD: w+=00.000 pd+=00.000 t=+02.300
                     NO_URI_HTTPS: w+=00.000 pd+=00.000 t=+02.300
                       REFERENCES: w+=00.000 pd+=00.000 t=+02.300
                      SXL_IP_SPAM: w+=08.000 pd+=00.000 t=+10.300 [133.232.203.196.fur]
                   WEBMAIL_SOURCE: w+=00.000 pd+=00.000 t=+10.300
      Summary: total=10.300 pdelta=0.000 p=93%

     

     

     

    Best regards

    Mohamed NASRI

  • Hello Mohamed,

    My first diagnostic was good :) 

    The output you provide me indicate that the both line below generate a score near 80% (w+=08.000)

    • SXL_IP_SPAM: w+=08.000 pd+=00.000 t=+10.400 [6.232.203.196.fur]
    • SXL_IP_SPAM: w+=08.000 pd+=00.000 t=+10.300 [133.232.203.196.fur]

    To verify, go to the following link : https://www.sophos.com/en-us/threat-center/threat-analyses.aspx#

    On the right, add the IP into the box and validate.

    Please note that you need to revert the IP as follow: 

    • 6.232.203.196 is 196.203.232.6
    • 133.232.203.196 is 196.203.232.133

    I've just checked on my side and both are detected as spam.

    Solution:

    If you want to remove these IP form our anti spam, click on Submit an Appeal, the SophosLabs will check remove them.

    Please note: if these IPs continue to have a spam activities, she go back into our Anti-Spam

    Additional information, Spamhaus ZEN detected them as spam too.

    Here one example: https://www.spamhaus.org/query/ip/196.203.232.133

     

    I hope my information will help you.

    Have a nice day, 

    --

    Best regards,
    Florian (aka LEFBE)
    Sophos Technical Account Manager

  • Thanks a lot for your response

    I Submit an Appeal for this three IP 196.203.232.5, 196.203.232.6 and 196.203.232.133 and i hop that resolve my problem

     

    Best regards

    Mohamed NASRI 

  • Hello Mohamed, 

    This morning the 3 IPs are not listed anymore.

    To be sure, re run to pmt-spam scan command on the same file.

    have a nice day, 

    --

    Best regards,
    Florian (aka LEFBE)
    Sophos Technical Account Manager