One of our client's users, upon sending a mail with a PDF attachment (German order confirmation document), sometimes receives the message below:
"Your message to the following recipients was quarantined:
<email@example.com>, quarantine reason: Spam ()
Please contact your IT administrator for further assistance."
What could be the reason for this?
Where can I find further information in the UTM Control Center on why a particular mail has been rejected as SPAM?
I would look in Mail Manager, although this may not give you the exact answer you are looking for. If you have the SMTP Proxy enabled, then the logs would be in the SMTP Proxy logs. As for spam, this is typically related to your spam score; this can get more in-depth as you go down the secure email rabbit hole as well. Not to mention other settings that are just cut and dried, like blocking any email with no subject.
Personally I like to use https://www.unlocktheinbox.com/spamscore/ and I am not trying to sell anything here, just making a recommendation. I think it is 5 or 10 dollars and they will give you a complete report on your email.
UTM uses a third party to score a message, and all that is logged is confirmed spam, probable spam or OK.
Questions to investigate:
In reply to DouglasFoster:
Thank you for the valuable input on this issue.
In Mail Manager I found the mail which was marked as SPAM, and it got deleted a day later by one of the admins. Now I need to wait for the next incident to happen to analyze the mail further. When just taking the text of the mail and pasting it into the analysis of Unlocktheinbox it doesn't make much sense, I think, since it's just the text of the mail itself without the additional header and attachment information, etc. When the next mail gets trapped in UTM I would like to have a closer look at what it looks like and see the SPAM score.
Is there any further analysis that I can do in mail manager or with the mail score itself?
Is there a breakdown of the factors that contribute to the mail score and what actually causes the mail to bounce back?
So far I was only able to analyze the mail that the user gave me from his Outlook Sent Items folder, but not the actual one that was quarantined in UTM, to which additional content was perhaps added or from which content was removed after sending it from Outlook.
Regarding your questions:
Additional general information:
This issue is tied to only one user out of a department of four people that sends the same kind of mails and of which no-one else experiences this issue.
The Exchange settings are the same for all four users.
I told the user that we would like to do a test and send the next mail that bounces back for him from another user's Outlook and see what happens. But I expect it not to bounce from the other user's Exchange account.
Thank you for your help with this!
In reply to Julius Mensing:
Just a couple quick thoughts on all the above,
Does this user have a unique signature being auto filled in by outlook? Something with LinkedIn or Facebook or some other link in it?
Is there any foreign language in it? (This is considered)
Ok now to mail manager-
If using Outlook, go to the user's computer, look in their Sent folder, find the email, double-click to open it in a new window, select Actions, Resend.
Also drag the email from the sent folder into a new email so it is added as an attachment and send that to yourself so you have a real copy of the email with attachments, headers and body.
Once you have an exact copy of the email try running tests from your account and another co-workers, eliminate certain parts of the email until it goes through to determine what is flagging the higher score.
Although this could also be a situation where many different aspects are simply adding up to create a higher score. I would also check your basics to see if your email domain is properly configured as well. This would require access to your domain's DNS records; if you do not have it, you can still check and point out that it is not helping anyone to not have the security aspects set up.
In regards to SPAM scores and overall general email security there are more things to consider than just the subject, body and attachments. Please note that this is more a general description, each part will contribute to overall security and specific parts will lower your spam score. There is SPF, DMARC & DKIM to consider and more, I would suggest purchasing an unlock the inbox report, this would give you a great starter report to go off of, however if you do not want to go that route you can learn much of this manually through various sites for free.
In reply to badrobot:
Thank you for the further input.
Regarding the questions:
On Mail Manager I am wondering if it actually is enough to just look at the Outlook mail in the Sent folder and analyze that further, send it to the guys from UnlockTheInbox, etc., or whether it's not better to take the mail that arrived in UTM and is quarantined there. I guess that some changes can also happen in between Outlook and UTM, can't they?
So at the moment I guess I have to wait for a new mail to be quarantined for this user and then make a further analysis on it.
Just resend from their sent folder, the utm should catch it again, then take the one from the sent folder and compare them!
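The comparison badrobot suggests (the user's Sent Items copy against the copy that reached the gateway), as an added example that is not part of this thread or of the UTM product. Both messages are constructed samples; the hypothetical transport-path headers and subject rewrite stand in for whatever Exchange or the mail path really adds.

```python
from email import message_from_string
from email.policy import default

# Constructed sample (assumption): the user's copy, saved from Outlook Sent Items.
SENT_COPY = """\
From: user@example.org
To: customer@example.com
Subject: Auftragsbestaetigung 4711
Message-ID: <constructed-1@example.org>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Anbei die Auftragsbestaetigung.
--b1
Content-Type: application/pdf; name="AB-4711.pdf"
Content-Disposition: attachment; filename="AB-4711.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed sample (assumption): the same mail as it arrived at the gateway, with
# headers prepended on the way and the subject rewritten by a hypothetical transport rule.
GATEWAY_COPY = ("Received: from mail.example.org by utm.example.org; Fri, 17 Jan 2020 09:00:00 +0100\n"
                "X-Mailer: Microsoft Outlook 16.0\n"
                + SENT_COPY.replace("Subject: Auftragsbestaetigung 4711",
                                    "Subject: Auftragsbestaetigung 4711 - Musterfirma GmbH"))

def attachments(msg):
    """(filename, content type, decoded size) for every attachment part."""
    return sorted((p.get_filename(), p.get_content_type(), len(p.get_payload(decode=True)))
                  for p in msg.walk() if p.get_content_disposition() == "attachment")

def compare_copies(sent_raw, gateway_raw):
    """Report which headers were added, removed or changed between the two copies
    and whether the set of attachments is still identical."""
    sent = message_from_string(sent_raw, policy=default)
    gw = message_from_string(gateway_raw, policy=default)
    sent_hdrs, gw_hdrs = {k.lower() for k in sent.keys()}, {k.lower() for k in gw.keys()}
    return {
        "added_headers": sorted(gw_hdrs - sent_hdrs),
        "removed_headers": sorted(sent_hdrs - gw_hdrs),
        "changed_headers": sorted(h for h in sent_hdrs & gw_hdrs if str(sent[h]) != str(gw[h])),
        "attachments_equal": attachments(sent) == attachments(gw),
    }

if __name__ == "__main__":
    print(compare_copies(SENT_COPY, GATEWAY_COPY))
```

Feed it the two real .eml files (the one forwarded as an attachment and the one released from Mail Manager) and the "changed" and "added" lists show exactly what the path between Outlook and UTM altered.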
I just did a resend of the mail that got quarantined on the 17th of January and this time it went through without any issues.
Next time the user has the issue I will have to do the comparison then.
Hallo Julius - welcome to the UTM Community!
As others said above, UTM uses a third-party product. CommTouch was acquired by McAfee and the tool in the UTM is still ctasd (CommTouch anti spam daemon) which calculates a signature for each email accepted by the SMTP Proxy and then queries the McAfee cloud service to determine if the signature is close/identical to others that are confirmed spam, bulk/spam or not spam. Their algorithms keep changing based on feedback provided by customers.
Instead of simply deleting the emails from the Quarantine, the admin should have selected 'Release and report as false positive'. In that way, you can "train" their tool to handle your mail correctly.
Cheers - Bob
In reply to BAlfson:
Hi Bob and Others,
Over three months have passed now with "training" Sophos to release the mails from this particular user and tell it that it is not spam.
However, his mails still constantly get marked as spam, and it's quite frustrating for him and for us admins, since we always need to go to the Mail Manager and release the mail.
Is there any way to find out why especially his mails are always marked as spam?
For example today we already had three mails that were marked falsely as spam.
Whereas all the mails of his colleagues in the same department with similar content and attachments don´t get marked as spam.
Thank you for your further thoughts!!!
You could create an Exception for Antispam for just that individual's email address. I'd want to be certain that the domain had an SPF record in its authoritative name server though.
Thank you for the further thoughts.
When checking on various websites for an SPF record for our domain I can't find any record.
What would be the implications if I had the exception without an SPF record?
I have now set up an SMTP exception with the employee's address (as Sender Address Patterns) skipping "Antispam checking" and will see how it works.
I wasn't sure if this was inbound or outbound. Since it's outbound, your solution looks good to me.
You could create an SPF record for your organization in your authoritative name server.
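What a receiving server does with such a record, as an added example that is not part of this thread or of the UTM product: a simplified SPF evaluator (RFC 7208; ip4/ip6/include/all mechanisms only, no a/mx or macros) run against a constructed DNS table. The domains and addresses are assumptions; the point is that a domain with no record yields "none", so the receiver has nothing to verify the sender against.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (assumption: not real domains or records).
DNS_TXT = {
    "example.org": ["v=spf1 ip4:203.0.113.0/24 include:mailhost.example.net -all"],
    "mailhost.example.net": ["v=spf1 ip4:198.51.100.10 ~all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def get_spf(domain):
    """Return the domain's single v=spf1 TXT record, or None if it has none (or several)."""
    recs = [r for r in DNS_TXT.get(domain, []) if r.lower().startswith("v=spf1")]
    return recs[0] if len(recs) == 1 else None

def check_spf(ip, domain, lookups=None):
    """Evaluate the sending IP against the domain's SPF record, left to right."""
    lookups = lookups if lookups is not None else [0]   # shared DNS-lookup counter
    record = get_spf(domain)
    if record is None:
        return "none"           # no record: the receiver cannot verify the sender
    addr = ipaddress.ip_address(ip)
    for term in record.split()[1:]:
        if "=" in term:
            continue            # modifiers (redirect=, exp=) are not handled here
        qual = "+"
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            return QUALIFIERS[qual]
        if mech in ("ip4", "ip6"):
            # a bare address is treated as /32 or /128; version mismatch never matches
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qual]
        elif mech == "include":
            lookups[0] += 1
            if lookups[0] > 10:
                return "permerror"   # RFC 7208 section 4.6.4: at most 10 DNS-querying terms
            sub = check_spf(ip, arg, lookups)
            if sub == "permerror":
                return "permerror"
            if sub == "pass":
                return QUALIFIERS[qual]
        else:
            return "permerror"       # a, mx, ptr, exists: not implemented in this example
    return "neutral"                 # record exhausted without a match
```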
Thank you Bob