SPAM (confirmed) - Problems with Cyren Database or bad pattern?

Question

Are there any problems with the cyren spam database at the moment or any bad pattern? 
 UTM 9.506 - Pattern 138738 
 
 I've got a customer and regular mails from @siemens.com, @samsung.com, @dyson.com are rejected as Spam (confirmed) !? Also the customer self is not able to send mails to me -> customer domain is also classified as Spam (confirmed) at our UTM. 
 I checked blacklists and cyren but no entry! A lot of false positives?!? 
 I had a similar problems last week with an other customer. A lot of trouble at the moment... 
 
 Anybody else can confirm? 
 
 regards

sachingurung · Answer

Hi, 
 Did you verify the detection through online 3rd party tools like MXtoolbox to confirm if their IP's are blacklisted? Show us few log lines from the smtp.log that reflects the block as SPAM. Meanwhile, you can configure an exception policy to bypass Spam checks through the UTM. 
 Thanks

BrucekConvergent · Answer

Guys, if this is being blocked as "spam" (the exact reason will be in the logs as Sachin mentioned) then there is an issue with the Cyren anti-spam system. Most are not familiar with how this works; there is no pattern db, etc. referenced on the UTM when doing the spam check; instead an algorithm is run against the email, and a "signature" is generated. This is compared with a real-time lookup on Cyren's (maybe Sophos hosts some mirrors, but I can't recall, been a while) spam database. Cyren uses a number of methods to update their spam DB constantly... I have at times noted issues with their system (as happens with any anti-spam system), and pointing it out to Sophos (or in some cases, I've taken it direct to Cyren... back when they were known as Commtouch). They will need to work with Cyren to resolve the issue. 
 
 The most likely reason for this is I am now seeing spammers leveraging Office 365 and other cloud mail services to spam folks (most likely via hijacked accounts) and so that's probably why this is happening. I would open a case with Sophos Support instead of posting on this forum to get this issue moving.

Rolf-Arne Schulze · Answer

I have been on the phone with Sagar Dave at Sophos support for a couple of hours today. He remoted in to my screen and after a LOT of explenation I was able to make him understand what the problem was. He spoke with his Senior technician and after a while I got this promising answer: 
 
 I consulted my senior team and have passed the details regarding faulty signature causing issues with legit inbound emails. It might take some time to remove the signatures as we don't have sample emails available currently. Also if we could change the ACTON of confirmed quarantine from DROP to QUARANTINE maybe we can get those samples. I also verified the logs and it's been confirmed that Anti-Spam engine is marking them as spam. For now you can create exceptions in order to avoid the issue. 
 
 If any of you contact support about this it will not hurt if you tell them to look at my ticket with id #8097489 
 
 I hope this gets fixed quite soon. This is so big in scale that my paranoia triggers. What if this is a targeted attack/manipulation of filters to make organizations switch off antispam on their firewalls.

BAlfson · Answer

I received an email 3.5 hours ago from Sophos Support (the people that interface for the developers and Sophos Labs): 
 I have received an update on my submission. Labs has confirmed that they have found the cause for the misclassification and have corrected our data accordingly. Please let me know if you have any more of these false positives. 
 Please post here if you don't perceive that the problem has been fixed. 
 Thanks to SWeissflog for opening this thread! 
 Cheers - Bob