
email quarantined (considered as spam), but unclear why

Hi all,

A lot of outgoing messages originating from the internal mail server are marked as spam, mostly autoreplies from mailboxes. It is unclear why this problem started recently.

2019:08:05-17:02:36 utm-01-1 smtpd[12458]: SCANNER[12458]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="10.143.x.x" from="" to="replaced@gmail.com" subject="Automatisch antwoord: Ziek..." queueid="1hueVQ-0003Ew-CU" size="63346" reason="as" extra=""
2019:08:05-17:02:36 utm-01-1 smtpd[12458]: SCANNER[12458]: 1hueVO-0004bI-2A => work R=SCANNER T=SCANNERq
2019:08:05-17:02:36 utm-01-1 smtpd[12458]: SCANNER[12458]: 1hueVO-0004bI-2A Completed

This is an extract from the smtp.log; filtering on queueid, pid, ... does not reveal more useful information. Any idea how to identify the exact reason why these types of emails get quarantined? Are there other log files available? I tried working my way through the exim config file as well in order to understand how emails are processed, more specifically by the AVs (Sophos + Avira), but this does not provide any insights either.

Thx for your feedback on this.

Kr,

steven



  • Hi Steven,

    You may refer to this post by Douglas here:How to analyze the SMTP log file or check this KBA Sophos UTM: Most common issues for SMTP

    Specific to your concern, it looks to be detected by the Spam engine. I would recommend submitting any of the sample emails to our labs or creating a case with Sophos Support.

    Regards

    Jaydeep

  • Thx Jaydeep for the useful feedback.

     

    In the meantime I found it is the CTAS daemon considering the email as bulk and therefore being quarantined by smtpd.

    2019:08:05-17:02:34 utm-01-1 exim-in[17688]: 2019-08-05 17:02:34 1hueVO-0004bI-2A ctasd reports 'Bulk' RefID:str=0001.0A0B0211.5D4809AA.0060,ss=3,sh,re=0.000,recu=0.000,reip=0.000,cl=3,cld=1,fgs=0
    2019:08:05-17:02:34 utm-01-1 exim-in[17688]: 2019-08-05 17:02:34 1hueVO-0004bI-2A <= <> H=mail-01.domain.be [10.143.20.5]:55549 P=esmtps X=TLSv1.2:AES256-SHA:256 S=65224 id=fd2ba532ae6847269a70ee64840e23f5@MAIL-01.domein.be
    2019:08:05-17:02:35 utm-01-1 smtpd[12347]: QMGR[12347]: 1hueVO-0004bI-2A moved to work queue
    2019:08:05-17:02:36 utm-01-1 smtpd[12458]: SCANNER[12458]: 1hueVQ-0003Ew-CU <=  R=1hueVO-0004bI-2A P=INPUT S=63346
    2019:08:05-17:02:36 utm-01-1 smtpd[12458]: SCANNER[12458]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="10.143.x.x" from="" to="destination@gmail.com" subject="Automatisch antwoord: Ziekte..." queueid="1hueVQ-0003Ew-CU" size="63346" reason="as" extra=""

    I logged a case with Sophos for this, but I was also wondering if there is any tool to get more insights in why this daemon considers this email as 'Bulk'?

    I've found a ctasd.bin command-line binary which spawns some services, as well as a cloud-based analyzer URL: resolver%d.ast.ctmail.com. So can we use one of these tools and feed it the specific email to get a more detailed output of the analysis?

    Thx,

    steven

     

     
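The correlation Steven did by hand in the post above (scanner queue id, via the `R=` reference, back to the inbound Exim id that carries the `ctasd reports` verdict) can be scripted. The following is an added example, not code from the thread or from Sophos: it assumes only the log line shapes quoted in this thread, and the sample log is constructed (the first message reproduces the quoted lines, the second message, its `Unknown` verdict and its queue ids are made up to show a message that was rated but not quarantined). It also handles the case where a quarantine event has no matching handoff line in the extract (e.g. after log rotation) by reporting the verdict as unknown rather than guessing.

```python
import re

# Constructed sample log, modelled on the smtp.log extract quoted in this thread.
# The 1hueVO/1hueVQ lines are the thread's own; the 1hueXy/1hueXz message is made up
# to show a message that ctasd rated but that was not quarantined.
SAMPLE_LOG = """\
2019:08:05-17:02:34 utm-01-1 exim-in[17688]: 2019-08-05 17:02:34 1hueVO-0004bI-2A ctasd reports 'Bulk' RefID:str=0001.0A0B0211.5D4809AA.0060,ss=3,sh,re=0.000,recu=0.000,reip=0.000,cl=3,cld=1,fgs=0
2019:08:05-17:02:34 utm-01-1 exim-in[17688]: 2019-08-05 17:02:34 1hueVO-0004bI-2A <= <> H=mail-01.domain.be [10.143.20.5]:55549 P=esmtps X=TLSv1.2:AES256-SHA:256 S=65224 id=fd2ba532ae6847269a70ee64840e23f5@MAIL-01.domein.be
2019:08:05-17:02:35 utm-01-1 smtpd[12347]: QMGR[12347]: 1hueVO-0004bI-2A moved to work queue
2019:08:05-17:02:36 utm-01-1 smtpd[12458]: SCANNER[12458]: 1hueVQ-0003Ew-CU <=  R=1hueVO-0004bI-2A P=INPUT S=63346
2019:08:05-17:02:36 utm-01-1 smtpd[12458]: SCANNER[12458]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="10.143.x.x" from="" to="destination@gmail.com" subject="Automatisch antwoord: Ziekte..." queueid="1hueVQ-0003Ew-CU" size="63346" reason="as" extra=""
2019:08:05-17:02:36 utm-01-1 smtpd[12458]: SCANNER[12458]: 1hueVQ-0003Ew-CU => work R=SCANNER T=SCANNERq
2019:08:05-17:02:36 utm-01-1 smtpd[12458]: SCANNER[12458]: 1hueVO-0004bI-2A Completed
2019:08:05-17:05:01 utm-01-1 exim-in[17702]: 2019-08-05 17:05:01 1hueXy-0004cQ-1B ctasd reports 'Unknown' RefID:str=0001.0A0B0211.5D480A3D.0021,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
2019:08:05-17:05:01 utm-01-1 exim-in[17702]: 2019-08-05 17:05:01 1hueXy-0004cQ-1B <= alice@domain.be H=mail-01.domain.be [10.143.20.5]:55612 P=esmtps S=2048 id=c0ffee@MAIL-01.domain.be
2019:08:05-17:05:02 utm-01-1 smtpd[12460]: SCANNER[12460]: 1hueXz-0003Fa-9Q <=  R=1hueXy-0004cQ-1B P=INPUT S=2048
"""

# Exim message id shape, e.g. 1hueVO-0004bI-2A
QID = r"[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}"

# exim-in: ctasd verdict for the inbound message
RE_CTASD = re.compile(
    rf"exim-in\[\d+\]: \S+ \S+ (?P<qid>{QID}) ctasd reports '(?P<verdict>[^']+)' RefID:(?P<refid>\S+)")
# exim-in: envelope sender and connecting host of the inbound message
RE_INBOUND = re.compile(
    rf"exim-in\[\d+\]: \S+ \S+ (?P<qid>{QID}) <= (?P<sender>\S+) H=(?P<host>\S+) \[(?P<ip>[^\]]+)\]")
# smtpd SCANNER: new scanner queue id created from (R=) the inbound queue id
RE_HANDOFF = re.compile(rf"SCANNER\[\d+\]: (?P<scan_qid>{QID}) <=\s+R=(?P<in_qid>{QID})")
# key="value" pairs of the structured 'email quarantined' event
RE_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_refid(refid: str) -> dict:
    """Split the ctasd RefID string into its comma-separated fields.
    'k=v' parts keep their value as a string; bare flags such as 'sh' become True.
    The meaning of the individual fields is not documented in the thread."""
    fields = {}
    for part in refid.split(","):
        key, sep, value = part.partition("=")
        fields[key] = value if sep else True
    return fields


def correlate(log_text: str) -> list:
    """Return one record per 'email quarantined' event, joined with the ctasd verdict
    and envelope data of the inbound message it was created from."""
    verdicts, inbound, handoff, events = {}, {}, {}, []
    for line in log_text.splitlines():
        if m := RE_CTASD.search(line):
            verdicts[m["qid"]] = (m["verdict"], parse_refid(m["refid"]))
        elif m := RE_INBOUND.search(line):
            inbound[m["qid"]] = {"sender": m["sender"], "host": m["host"], "ip": m["ip"]}
        elif m := RE_HANDOFF.search(line):
            handoff[m["scan_qid"]] = m["in_qid"]
        elif 'name="email quarantined"' in line:
            events.append(dict(RE_KV.findall(line)))

    records = []
    for ev in events:
        scan_qid = ev.get("queueid")
        in_qid = handoff.get(scan_qid)           # None if the handoff line is missing
        verdict, refid = verdicts.get(in_qid, (None, {}))
        records.append({
            "queueid": scan_qid,
            "inbound_id": in_qid,
            "reason": ev.get("reason"),          # "as" = anti-spam, as in the thread
            "to": ev.get("to"),
            "subject": ev.get("subject"),
            "verdict": verdict,
            "refid": refid,
            **inbound.get(in_qid, {}),
        })
    return records


def summarize(log_text: str) -> dict:
    """Count ctasd verdicts over all inbound messages and the number quarantined,
    so a sudden rise in 'Bulk' ratings shows up at a glance."""
    counts = {}
    for line in log_text.splitlines():
        if m := RE_CTASD.search(line):
            counts[m["verdict"]] = counts.get(m["verdict"], 0) + 1
    return {"verdicts": counts, "quarantined": len(correlate(log_text))}


if __name__ == "__main__":
    for rec in correlate(SAMPLE_LOG):
        print(f"{rec['queueid']} <- {rec['inbound_id']}: ctasd={rec['verdict']} reason={rec['reason']} "
              f"from={rec.get('sender')} via {rec.get('host')} to={rec['to']} subject={rec['subject']!r}")
    print(summarize(SAMPLE_LOG))
```

To use it on a real box, replace `SAMPLE_LOG` with the contents of the UTM's smtp.log (for example `correlate(open("/var/log/smtp.log").read())`). The script only surfaces what the log already records: the verdict word and the raw RefID fields. It does not explain why ctasd chose that verdict, which, as noted in the thread, only Sophos Support can answer.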

  • I'm not sure if you will be able to identify the reason behind emails being considered as spam, as it's a signature-based detection. CTASD is an anti-spam engine service, so maybe a Sophos Support engineer can tell you the reason. 

    Regards

    Jaydeep

  • Hoi Steven and welcome to the UTM Community!

    What version are you using?  This issue was fixed early in V9.0x, so if it's happening again, I would get a support ticket open with Sophos.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    the firewall has version 9.604-2 installed.

    There is already a ticket open in parallel with Sophos Support, but I still haven't received an answer.

     

    @all

    Thx for your input.

    Still, if anyone would be aware of a CLI tool to analyze email and get a detailed output, I'm happy to hear about this ;).

     

    Cheers,

    steven