
SPAM (confirmed) - Problems with Cyren Database or bad pattern?

Are there any problems with the cyren spam database at the moment or any bad pattern?

UTM 9.506 - Pattern 138738


I've got a customer whose regular mails from @siemens.com, @samsung.com, @dyson.com are rejected as Spam (confirmed)!? The customer itself is also not able to send mails to me -> the customer domain is also classified as Spam (confirmed) at our UTM.

I checked blacklists and Cyren, but there is no entry! A lot of false positives?!?

I had similar problems last week with another customer. A lot of trouble at the moment...


Anybody else can confirm?


regards



  • This has started again on May. 6th.

    On three UTM 9.509-3 appliances in Norway. A large amount of emails from senders on Office 365 are rejected with "SPAM Confirmed"; these are obviously false positives. And it is causing huge problems. Businesses are stopping because of emails not being received. It has already had a cost of delayed shipments and lost orders.

    I had to add an exception where the SPAM check was bypassed on all emails coming from Office 365 Outbound Security. This is a horrible solution but was necessary. Now I have to manually scavenge the logs all day long for emails that should not have passed and manually delete these.

    What is going on?


    Stig

  • We are having the exact same problem at several firewalls. Legitimate emails are being stopped with "Spam confirmed" as the reason. No other explanation. It started Monday morning, May 7th.

    I reported this to Sophos support and received the following answer:


    "I have spoken to our global escalation team in regards to the pattern update and they have confirmed that there is no issues within the pattern.
    They also mentioned that Cyren do not block domains or RBL but the IP's that are associated to the domains. In addition to this they have said that getting samples to us is the best way to get this resolved for you."

    But how am I supposed to retrieve samples of emails that are never saved anywhere? And this is of such massive magnitude that I refuse to believe it is related to single senders and sender domains. I really hope Sophos will look further into this with Cyren.

  • One of my addresses is subscribed to a listelixr.net mailing list.  The first one I see incorrectly blocked was on 4/30.  It's accelerated now.

    We also occasionally buy/sell something on eBay.  Here's the result of grepping the SMTP logs since last year:

    zgrep 'mailx1.ebay.com' /var/log/smtp/2017/*/*|grep -oP '".*?"'|sort -n|uniq -c|sort -n
          2 "email rejected"
          5 "email quarantined"
        115 "email passed"
    zgrep 'mailx1.ebay.com' /var/log/smtp/2018/01/*|grep -oP '".*?"'|sort -n|uniq -c|sort -n
          4 "email passed"
    zgrep 'mailx1.ebay.com' /var/log/smtp/2018/02/*|grep -oP '".*?"'|sort -n|uniq -c|sort -n
          8 "email passed"
    zgrep 'mailx1.ebay.com' /var/log/smtp/2018/03/*|grep -oP '".*?"'|sort -n|uniq -c|sort -n
         18 "email passed"
    zgrep 'mailx1.ebay.com' /var/log/smtp/2018/04/*|grep -oP '".*?"'|sort -n|uniq -c|sort -n
          4 "email rejected"
          7 "email passed"

    Enough were rejected last month that none were sent this month.

    This is a definite problem that needs to get escalated immediately.  I will enter a case with Support and ring bells at Sophos...

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I have been on the phone with Sagar Dave at Sophos support for a couple of hours today. He remoted in to my screen and after a LOT of explanation I was able to make him understand what the problem was. He spoke with his senior technician and after a while I got this promising answer:


    I consulted my senior team and have passed the details regarding faulty signature causing issues with legit inbound emails.
    It might take some time to remove the signatures as we don't have sample emails available currently.
    Also if we could change the ACTION of confirmed quarantine from DROP to QUARANTINE maybe we can get those samples.
    I also verified the logs and it's been confirmed that Anti-Spam engine is marking them as spam. For now you can create exceptions in order to avoid the issue.


    If any of you contact support about this it will not hurt if you tell them to look at my ticket with id #8097489


    I hope this gets fixed quite soon. This is so big in scale that my paranoia triggers. What if this is a targeted attack/manipulation of filters to make organizations switch off antispam on their firewalls?

  • Hei Stig, Hallo Rolf-Arn and welcome both to the UTM Community!

    I have set 'Reject at SMTP time: Off' and 'Confirmed spam action: Quarantine' so that I can try to capture one of the emails that have been rejected.  If anyone else can do that and capture an example or two, PM me to get my email address and I'll forward your capture to the Escalation Engineer that's working with Cyren right now.

    Cheers - Bob

  • Hi Community,

    If you are affected by this issue, please follow the directions as advised above by  to set your spam action to Quarantine to properly capture these emails. We will need these samples to further the investigation.

    Best,


    Florentino
    Director, Global Community & Digital Support

  • Do you wonder if this is a problem for you?

    Here's a quick way to get a list of all email senders to you (user@domain.com) that were blocked as confirmed spam this year:

    zgrep 'reason="as" extra="confirmed"' /var/log/smtp/2018/*/*|grep 'to="user@domain.com"'|grep -oP 'from=".*?"'|sort -n|uniq -c|sort -n

    Or, just the ones this month:

    zgrep 'reason="as" extra="confirmed"' /var/log/smtp/2018/05/*|grep 'to="user@domain.com"'|grep -oP 'from=".*?"'|sort -n|uniq -c|sort -n

    Cheers - Bob

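    The same check as the zgrep pipelines above, as an added example (not Bob's commands and not Sophos UTM code): it parses key="value" log fields, counts per-sender confirmed-spam rejections for one recipient, and tallies verdicts per sending host the way the mailx1.ebay.com grep did. The log lines are constructed for illustration in the field style the thread greps for, with example.* hostnames.

```python
import re
from collections import Counter

# Constructed sample SMTP log lines (not from a real UTM). reason="as" extra="confirmed"
# is the Anti-Spam "confirmed" verdict the thread's pipelines match on.
SAMPLE_LOG = """\
2018:05:07-08:01:10 utm exim-in[1001]: name="email rejected" srcip="203.0.113.10" from="news@listelixr.example" to="user@domain.com" reason="as" extra="confirmed"
2018:05:07-08:05:42 utm exim-in[1002]: name="email passed" srcip="198.51.100.5" from="ebay@mailx1.ebay.example" to="user@domain.com"
2018:05:07-09:12:03 utm exim-in[1003]: name="email rejected" srcip="203.0.113.10" from="news@listelixr.example" to="user@domain.com" reason="as" extra="confirmed"
2018:05:07-09:30:00 utm exim-in[1004]: name="email rejected" srcip="192.0.2.77" from="sales@partner.example" to="user@domain.com" reason="as" extra="confirmed"
2018:05:07-10:00:00 utm exim-in[1005]: name="email rejected" srcip="192.0.2.77" from="sales@partner.example" to="other@domain.com" reason="as" extra="confirmed"
2018:05:07-10:20:00 utm exim-in[1006]: name="email rejected" srcip="198.51.100.9" from="bad@spam.example" to="user@domain.com" reason="rbl"
"""

# Non-greedy match of every key="value" pair on a line.
KV = re.compile(r'(\w+)="(.*?)"')


def parse_fields(line):
    """Return the key="value" pairs of one log line as a dict."""
    return dict(KV.findall(line))


def confirmed_spam_senders(log_text, recipient):
    """Count, per sender address, the messages to `recipient` that the
    Anti-Spam engine rejected as confirmed spam (the list Bob's grep produces)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_fields(line)
        if (f.get("reason") == "as" and f.get("extra") == "confirmed"
                and f.get("to") == recipient):
            counts[f["from"]] += 1
    return counts


def verdicts_for_host(log_text, sender_host):
    """Count passed/rejected/quarantined verdicts (the name= field) for mail
    whose sender is at `sender_host`, to spot a trusted host suddenly being blocked."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_fields(line)
        if f.get("from", "").endswith("@" + sender_host):
            counts[f["name"]] += 1
    return counts


if __name__ == "__main__":
    for sender, n in confirmed_spam_senders(SAMPLE_LOG, "user@domain.com").most_common():
        print(f"{n:>7} {sender}")
    print(dict(verdicts_for_host(SAMPLE_LOG, "mailx1.ebay.example")))
```

    On a UTM the same functions can be fed the output of zcat over /var/log/smtp/2018/05/*; an unexpectedly long list of legitimate senders is the signal to move the confirmed-spam action to Quarantine so samples survive for escalation.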
  • I can also confirm strange issues with spam confirmed at customer sites in the last days.

    Glad to hear that Sophos now really tries to fix/analyse this issue instead of just telling "false positives"! Of course there can be "false positives" but not in this way...


    regards

  • I've captured four so far. Still need others to open a ticket and submit or to submit via me.

    Cheers - Bob

  • I quarantine everything that is marked as Spam. Today, I flagged several using "release and report as false positive". Is that sufficient?

  • I received an email 3.5 hours ago from Sophos Support (the people who interface with the developers and SophosLabs):

    I have received an update on my submission. Labs has confirmed that they have found the cause for the misclassification and have corrected our data accordingly.
    Please let me know if you have any more of these false positives.

    Please post here if you don't perceive that the problem has been fixed.

    Thanks to SWeissflog for opening this thread!

    Cheers - Bob
