List of expressions automatically marked as SPAM by Sophos UTM



some internal users were receiving valid emails from an external domain but with the same "Subject".

I assume that, after a few emails, the Sophos started to mark emails containing that same subject, as SPAM.


I disable the "Antispam checking" (and also "Expression blocking) for the sender's email address, so those emails will not be marked as spam. 


My question is: Where can I find the list of expressions (or strings) that the Sophos checks and that it uses to mark emails as SPAM?



  • You did not say what reason was shown in Mail Manager.   I am inferring that the messages were classified as "Confirmed Spam", but it is an important part of the diagnostic process.

    My understanding is that UTM throws the message over to the Antivirus product, and gets only a result indicator ("OK", "Probable Spam", "Confirmed SPAM").

    I would be surprised if the AntiVirus is blocking simply on a regex expression in the subject line.   My experience with the AntiVirus has been very good.

    Have you, or the sender, checked to see if they were placed on a reputation black list when the problem occurred?   This seems like the most likely reason for your problem.   Mxtoolbox . com is a tool for a domain owner to monitor his reputation on more than 60 RBLs.

  • In reply to DouglasFoster:

    Hi Douglas,


    Mail manager lists all emails with the affected subject, without adding SPAM to it... so there's no difference.

    The profile for our domain is configured to: Spam action: Warn


    So I don't think an Antivirus is involved here...


    About blacklist, is not in any, and also when I configured an exception (no antispam checking nor expression blocking for the emails' sender address), all works fine (no SPAM added to the emails).


    Btw, I thought they would show up on the Mail Manager as SPAM, and so I could choose "release and report as false positive", but they went through... meaning they are all listed as "delivered"... (well, that's in fact the normal behavior...)



  • In reply to The Bee:

    "Warn" means that UTM adds the "Spam Marker" text to the beginning of the subject line, and then delivers the message anyway.

    "Quarantine' means that UTM holds the message so that someone can decide whether to deliver or delete the message.

    If you are finding UTM difficult to learn, I strongly suggest you hire a Sophos Partner to help with both the security strategy and the implementation.   Your network is too important to leave with insufficient protection while you learn the both the theory and application of mail filtering and web filtering defenses. 

  • In reply to DouglasFoster:

    Hi Douglas, 


    I do understand how "warn" and "quarantine" works (that's why I wrote that is the "normal behavior").


    But what I'm looking is for the list of expressions the Sophos creates automatically. Are they in a file or in a DB? can we print them in the console?


  • In reply to The Bee:

    I don't think UTM has any regular-expression processing of the type that you assume occurred.  But you have confused me about what symptoms actually occurred.  Whatever occurred, it should be straightforward to use Mail Manager to see what UTM decided about the message.   Once that is clear, one can discuss options for causing something different to happen next time.

  • In reply to DouglasFoster:

    This is what I think it happened: some users were testing an app that will send emails from an external domain to one of our domains. The subject was the same, so at first all emails went through, but after a while they were labeled ( profile was set to "warn" ) as SPAM, then some went through and then again they were blocked as SPAM.


    What I did was just create an exception.


    So I assume what the Sophos did was to look at the subject and/or body (or headers...) for text and tagged those emails based on that. That's why I was thinking maybe there was a DB with expressions?

  • In reply to The Bee:

    Looking at Doug's comment, I think he was thinking anti-spam but wrote antivirus.  To be able to give you a specific answer, you would need to post the section of the SMTP log containing the lines related to one email that was classified as spam but was not.

    Cheers - Bob