
Mail rejected "Administrative prohibition"

Hello,
some of our partners can't send us emails!
They are not on any blacklist, have valid RDNS, have valid SPF.
I see absolutely no reason why they should be blocked.
What is going on? And how can I avoid this happening to any of our other partners?
We don't have the administrative resources to report every false positive to Sophos, so please don't just send me the link to report.
I read somewhere that I could disable "reject spam at SMTP time".
What is the impact of this setting? Does all spam go to quarantine then? What about the wasted disk space then?
The NDR says: "550 Administrative prohibition"

EDIT: Then again, some of the emails from the same partner domain get through without any problems.

2019:09:05-08:34:27 asg-1 exim-in[5658]: 2019-09-05 08:34:27 SMTP connection from [x.x.x.x]:37546 (TCP/IP connection count = 1)
2019:09:05-08:34:28 asg-1 exim-in[26476]: 2019-09-05 08:34:28 H=smtp.partnerdomain.xxx [x.x.x.x]:37546 Warning: ourdomain.xxx profile excludes SANDBOX scan
2019:09:05-08:34:28 asg-1 exim-in[26476]: 2019-09-05 08:34:28 [x.x.x.x] F=<someone@partnerdomain.xxx> R=<someone@ourdomain.xxx> Verifying recipient address in Active Directory
2019:09:05-08:34:28 asg-1 exim-in[26476]: 2019-09-05 08:34:28 1i5lLg-0006t2-2C ctasd reports 'Confirmed' RefID:str=0001.0A0C020D.5D70AC74.008D,ss=4,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=8
2019:09:05-08:34:28 asg-1 exim-in[26476]: 2019-09-05 08:34:28 1i5lLg-0006t2-2C id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="x.x.x.x" from="someone@partnerdomain.xxx" to="someone@ourdomain.xxx" subject="Fehler mit Mailadresse hweigl" queueid="1i5lLg-0006t2-2C" size="16708" reason="as" extra="confirmed

Thanks and Regards



  • Hi  

    Looking into the logs carefully, I see that the AntiSpam engine has reported this particular email as Confirmed Spam, which you can see from the following log line:

    Daniel Schatz said:
    2019:09:05-08:34:28 asg-1 exim-in[26476]: 2019-09-05 08:34:28 1i5lLg-0006t2-2C ctasd reports 'Confirmed' RefID:str=0001.0A0C020D.5D70AC74.008D,ss=4,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=8

    And the SMTP exim-in log says the same:

    Daniel Schatz said:
    2019:09:05-08:34:28 asg-1 exim-in[26476]: 2019-09-05 08:34:28 1i5lLg-0006t2-2C id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="x.x.x.x" from="someone@partnerdomain.xxx" to="someone@ourdomain.xxx" subject="Fehler mit Mailadresse hweigl" queueid="1i5lLg-0006t2-2C" size="16708" reason="as" extra="confirmed

    You may turn off the option Reject at SMTP time, which will definitely increase the size of the quarantine list, as mails will be put into quarantine instead of being rejected straight away. However, it should not be a concern, as you can set a limit after how many days quarantined emails will be deleted. You may configure that setting under Email Protection > Mail Manager > Configuration.

    Regards

    Jaydeep
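
    The two log lines Jaydeep points at can be correlated mechanically by queue ID: the ctasd verdict line and the "email rejected" notification both carry 1i5lLg-0006t2-2C. The Python script below is an added example, not code from the original post or from Sophos. It parses constructed sample lines in the layout of the exim-in log quoted above (the poster's two lines with the truncated extra="confirmed" value closed, plus a made-up second message with a non-spam ctasd verdict and no reject line for contrast) and lists every message rejected with reason="as" whose ctasd verdict was 'Confirmed', together with the per-message RefID:str that Jaydeep says is unique to each scan. That reason="as" denotes the anti-spam check is inferred from the log, not documented on this page.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the exim-in log quoted in the post (not a real export).
# Lines 1-2: the poster's lines, with the cut-off extra="confirmed" value closed.
# Line 3: a constructed second message with a non-spam ctasd verdict and no reject line.
SAMPLE_LOG = """\
2019:09:05-08:34:28 asg-1 exim-in[26476]: 2019-09-05 08:34:28 1i5lLg-0006t2-2C ctasd reports 'Confirmed' RefID:str=0001.0A0C020D.5D70AC74.008D,ss=4,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=8
2019:09:05-08:34:28 asg-1 exim-in[26476]: 2019-09-05 08:34:28 1i5lLg-0006t2-2C id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="x.x.x.x" from="someone@partnerdomain.xxx" to="someone@ourdomain.xxx" subject="Fehler mit Mailadresse hweigl" queueid="1i5lLg-0006t2-2C" size="16708" reason="as" extra="confirmed"
2019:09:05-08:41:02 asg-1 exim-in[26501]: 2019-09-05 08:41:02 1i5lSA-0006tQ-1B ctasd reports 'Unknown' RefID:str=0001.0A0C020D.5D70AE0E.0041,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
"""

# "<date> <time> <queue-id> ctasd reports '<verdict>' RefID:str=<refid>,..." after the exim-in[pid]: prefix
CTASD_RE = re.compile(
    r"exim-in\[\d+\]: \S+ \S+ (?P<qid>\S+) ctasd reports '(?P<verdict>[^']+)' "
    r"RefID:str=(?P<refid>[^,\s]+)"
)
# key="value" pairs of the SecureMail notification line
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_kv(line):
    """Return the key="value" pairs of a SecureMail notification line as a dict."""
    return dict(KV_RE.findall(line))


def parse_log(text):
    """Correlate ctasd verdicts and 'email rejected' notifications by queue ID."""
    events = defaultdict(lambda: {
        "verdict": None, "refid": None, "rejected": False,
        "reason": None, "extra": None, "from": None, "to": None,
    })
    for line in text.splitlines():
        m = CTASD_RE.search(line)
        if m:
            ev = events[m.group("qid")]
            ev["verdict"] = m.group("verdict")
            ev["refid"] = m.group("refid")
            continue
        if 'name="email rejected"' in line:
            kv = parse_kv(line)
            ev = events[kv["queueid"]]
            ev["rejected"] = True
            ev["reason"] = kv.get("reason")   # "as" in the poster's log; assumed to be the anti-spam check
            ev["extra"] = kv.get("extra")
            ev["from"] = kv.get("from")
            ev["to"] = kv.get("to")
    return dict(events)


def confirmed_spam_rejections(text):
    """(queue id, sender, RefID) for messages rejected as anti-spam with a 'Confirmed' ctasd verdict."""
    out = []
    for qid, ev in parse_log(text).items():
        if ev["rejected"] and ev["reason"] == "as" and ev["verdict"] == "Confirmed":
            out.append((qid, ev["from"], ev["refid"]))
    return out


if __name__ == "__main__":
    for qid, sender, refid in confirmed_spam_rejections(SAMPLE_LOG):
        print(f"{qid} from={sender} RefID={refid}")
```

    Run over a real exim-in log export, the output is the list of sender addresses and RefIDs to compare for similarities, as Jaydeep suggests, before deciding whether to turn off Reject at SMTP time. A message whose ctasd verdict is 'Confirmed' but that never produces an "email rejected" line would, on a unit with that option off, be the case that lands in quarantine instead.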

  • Hi Jaydeep and thanks for the answer.
    My question is still: why has this email been blocked in the first place?
    Did the "spam confirmed" tag come from Cyren?

    This never happened with valid partner email until recently.
    As already reported, some emails from the same domain get through without any trouble,
    sometimes even from the SAME sender.

  • Hi  

    Each email is scanned individually, which is why each contains a unique "RefID:str", and one cannot tell what was found in the email for it to be considered Confirmed Spam. The tag has come from Cyren. If the rate of false positives is too high, try to find any similarities in the emails, and if you're not sure, it might be worth creating a case.

    Regards

    Jaydeep

  • Jaydeep, this is the first time I've heard of the solution suggested by Thorsten. I know that as late as March of this year, this was unknown to Support. Over a period of six months, I reported over 100 false positives and finally told Support I wasn't doing it anymore - that they had a problem and they needed to identify it.

    Someone needs to do a KB article about this and to make sure it's documented in Support's problem-solving system. If Thorsten is indeed the first one to propose this, the KBA should acknowledge his contribution.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi  

    I've checked that article, and we will be checking these details soon with our GES team and try to come up with an article. And we'll surely acknowledge Thorsten's article and his contribution. It might take some time, as we will need to apply this in some real scenarios; a lab setup won't help much in this case.

    Thanks to both of you.

    Regards

    Jaydeep

  • Hi  and  

    I had it checked with our GES team, and they have referred this issue to the one we had reported earlier, with the workaround suggested as Thorsten has mentioned. Please refer to this KBA: Advisory: Sophos XG, UTM, Cyberoam and Central Email may be quarantining legitimate emails, which was published on 27th May 2019.

    Regards

    Jaydeep

  • So, here's the problem with this exposure, Jaydeep. You cannot select to reject Confirmed spam at SMTP time and you must select to have Confirmed spam quarantined. I just released a Confirmed spam for myself today.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Exactly. That's what I suggested in my first reply to this post.

    Regards

    Jaydeep