Hello,

Some of our partners can't send us emails! They are not on any blacklist, have valid RDNS, have valid SPF. I see absolutely no reason why they should be blocked. What is going on? And how can I avoid that this happens to any of our other partners?

We don't have the administrative resources to report every false positive to Sophos, so please don't just send me the link to report.

I read somewhere that I could disable "reject spam at SMTP time". What is the impact of this setting? Does every spam mail go to quarantine then? What about the wasted disk space then?

The NDR says: "550 Administrative prohibition"
EDIT: then again, some of the emails from the same partner domain get through without any problems.

2019:09:05-08:34:27 asg-1 exim-in: 2019-09-05 08:34:27 SMTP connection from [x.x.x.x]:37546 (TCP/IP connection count = 1)
2019:09:05-08:34:28 asg-1 exim-in: 2019-09-05 08:34:28 H=smtp.partnerdomain.xxx [x.x.x.x]:37546 Warning: ourdomain.xxx profile excludes SANDBOX scan
2019:09:05-08:34:28 asg-1 exim-in: 2019-09-05 08:34:28 [x.x.x.x] F=<email@example.com> R=<firstname.lastname@example.org> Verifying recipient address in Active Directory
2019:09:05-08:34:28 asg-1 exim-in: 2019-09-05 08:34:28 1i5lLg-0006t2-2C ctasd reports 'Confirmed' RefID:str=0001.0A0C020D.5D70AC74.008D,ss=4,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=8
2019:09:05-08:34:28 asg-1 exim-in: 2019-09-05 08:34:28 1i5lLg-0006t2-2C id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="x.x.x.x" from="email@example.com" to="firstname.lastname@example.org" subject="Fehler mit Mailadresse hweigl" queueid="1i5lLg-0006t2-2C" size="16708" reason="as" extra="confirmed
Thanks and Regards
Hi Daniel Schatz
Looking into the logs carefully, I see that the AntiSpam engine has reported this particular email as Confirmed Spam, which you can see from the following log line:
2019:09:05-08:34:28 asg-1 exim-in: 2019-09-05 08:34:28 1i5lLg-0006t2-2C ctasd reports 'Confirmed' RefID:str=0001.0A0C020D.5D70AC74.008D,ss=4,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=8
And the SMTP exim-in log says the same:
2019:09:05-08:34:28 asg-1 exim-in: 2019-09-05 08:34:28 1i5lLg-0006t2-2C id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="x.x.x.x" from="email@example.com" to="firstname.lastname@example.org" subject="Fehler mit Mailadresse hweigl" queueid="1i5lLg-0006t2-2C" size="16708" reason="as" extra="confirmed
You may turn off the option "Reject at SMTP time"; that will definitely increase the size of the quarantine list, as mails will be put into quarantine instead of being rejected straight away. However, it should not be a concern, as you can set a limit after how many days quarantined emails will be deleted. You may configure that setting under Email Protection > Mail Manager > Configuration.
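The two log lines Jaydeep points at carry everything needed to triage a rejection without opening a case per message: the ctasd line gives the engine verdict and the per-message RefID, and the "email rejected" line gives the queue ID, sender, recipient and the reason code. The script below is an added example (not code from the thread or from Sophos) that parses exim-in lines of exactly this shape, joins the two records on the queue ID, and reports which messages were rejected at SMTP time by the anti-spam check, grouped by sender domain so repeated hits against one partner stand out. The sample log is constructed from the lines quoted in this thread plus a second, made-up message from the same domain; the interpretation of reason="as" as "anti-spam" follows the thread and is an assumption, as is the second queue ID.

```python
import re
from collections import Counter

# Constructed sample: the lines quoted in the thread (x.x.x.x placeholders kept),
# plus a second made-up message (queue ID 1i5lMz-0006t9-7Q is an assumption)
# from the same sender domain. The last field of a rejection line is shown
# unterminated, as it was on the page, so the parser must tolerate that.
SAMPLE_LOG = """\
2019:09:05-08:34:27 asg-1 exim-in: 2019-09-05 08:34:27 SMTP connection from [x.x.x.x]:37546 (TCP/IP connection count = 1)
2019:09:05-08:34:28 asg-1 exim-in: 2019-09-05 08:34:28 H=smtp.partnerdomain.xxx [x.x.x.x]:37546 Warning: ourdomain.xxx profile excludes SANDBOX scan
2019:09:05-08:34:28 asg-1 exim-in: 2019-09-05 08:34:28 [x.x.x.x] F=<email@example.com> R=<firstname.lastname@example.org> Verifying recipient address in Active Directory
2019:09:05-08:34:28 asg-1 exim-in: 2019-09-05 08:34:28 1i5lLg-0006t2-2C ctasd reports 'Confirmed' RefID:str=0001.0A0C020D.5D70AC74.008D,ss=4,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=8
2019:09:05-08:34:28 asg-1 exim-in: 2019-09-05 08:34:28 1i5lLg-0006t2-2C id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="x.x.x.x" from="email@example.com" to="firstname.lastname@example.org" subject="Fehler mit Mailadresse hweigl" queueid="1i5lLg-0006t2-2C" size="16708" reason="as" extra="confirmed
2019:09:05-09:12:03 asg-1 exim-in: 2019-09-05 09:12:03 1i5lMz-0006t9-7Q ctasd reports 'Confirmed' RefID:str=0001.0A0C020D.5D70B5A3.0012,ss=4,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=8
2019:09:05-09:12:03 asg-1 exim-in: 2019-09-05 09:12:03 1i5lMz-0006t9-7Q id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="x.x.x.x" from="other@example.com" to="firstname.lastname@example.org" subject="Re: Angebot" queueid="1i5lMz-0006t9-7Q" size="9120" reason="as" extra="confirmed"
"""

# Common prefix: "<ts> <host> exim-in: <date> <time> <queue-id> <rest>"
_PREFIX = r"^\S+ \S+ exim-in: \S+ \S+ (?P<qid>\S+) "
CTASD_RE = re.compile(_PREFIX + r"ctasd reports '(?P<verdict>[^']+)' RefID:str=(?P<refid>[^,]+),(?P<scores>.*)$")
EVENT_RE = re.compile(_PREFIX + r"(?P<kv>\w+=\".*)$")
# key="value" pairs; the closing quote is optional so a truncated last field still parses
KV_RE = re.compile(r'(\w+)="([^"]*)"?')

# Assumption, taken from the thread: reason code "as" is the anti-spam check.
ANTISPAM_REASON = "as"


def parse_events(text):
    """Split the log into per-queue-ID engine verdicts and rejection records."""
    verdicts = {}     # queue id -> {"verdict", "refid", "scores"}
    rejections = []   # list of dicts from the key="value" fields
    for line in text.splitlines():
        m = CTASD_RE.match(line)
        if m:
            scores = dict(kv.split("=", 1) for kv in m.group("scores").split(",") if "=" in kv)
            verdicts[m.group("qid")] = {"verdict": m.group("verdict"),
                                        "refid": m.group("refid"),
                                        "scores": scores}
            continue
        m = EVENT_RE.match(line)
        if not m:
            continue
        fields = dict(KV_RE.findall(m.group("kv")))
        if fields.get("name") == "email rejected":
            fields.setdefault("queueid", m.group("qid"))
            rejections.append(fields)
    return verdicts, rejections


def smtp_time_spam_rejections(text):
    """Rejections caused by the anti-spam check, joined with the engine verdict and RefID."""
    verdicts, rejections = parse_events(text)
    out = []
    for r in rejections:
        if r.get("reason") != ANTISPAM_REASON:
            continue
        v = verdicts.get(r["queueid"], {})
        out.append({
            "queueid": r["queueid"],
            "srcip": r.get("srcip"),
            "from": r.get("from"),
            "to": r.get("to"),
            "subject": r.get("subject"),
            "verdict": v.get("verdict"),          # e.g. 'Confirmed'
            "refid": v.get("refid"),              # what you would hand over in a case
            "scores": v.get("scores", {}),
        })
    return out


def by_sender_domain(rejections):
    """Count anti-spam rejections per sender domain to spot a partner being hit repeatedly."""
    return Counter(r["from"].rsplit("@", 1)[-1].lower() for r in rejections if r.get("from"))


if __name__ == "__main__":
    hits = smtp_time_spam_rejections(SAMPLE_LOG)
    for h in hits:
        print(f"{h['queueid']}  {h['from']} -> {h['to']}  verdict={h['verdict']}  RefID={h['refid']}")
    print("per sender domain:", dict(by_sender_domain(hits)))
```

Run it against `/var/log/smtp.log` (or the exported exim-in lines) instead of the constructed sample to get the RefID list for a specific partner domain; a batch of RefIDs from one domain is what the vendor needs to trace a false-positive pattern, whereas the log alone cannot tell you which feature of the message triggered the verdict.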
In reply to Jaydeep:
Hi Jaydeep, and thanks for the answer. My question is still: why has this email been blocked in the first place? Did the "spam confirmed" tag come from Cyren?
This never happened with valid partner email until recently. As already reported, some emails from the same domain get through without any trouble, sometimes even from the SAME sender.
In reply to Daniel Schatz:
Hi Daniel Schatz
Each email is scanned individually, and that's why each contains a unique "RefID:str"; one cannot tell what was found in the email for it to be considered Confirmed Spam. The tag has come from Cyren. If the rate of false positives is too high, try to find any similarities in the emails, and if you're not sure, it might be worth creating a case.
Was solved via PM!
Jaydeep, this is the first time I've heard of the solution suggested by Thorsten. I know that as late as March of this year, this was unknown to Support. Over a period of six months, I reported over 100 false positives and finally told Support I wasn't doing it anymore - that they had a problem and they needed to identify it.
Someone needs to do a KB article about this and to make sure it's documented in Support's problem-solving system. If Thorsten is indeed the first one to propose this, the KBA should acknowledge his contribution.
Cheers - Bob
In reply to BAlfson:
I've checked that article, and we will be checking these details soon with our GES team and try to come up with an article. And we'll surely acknowledge ThorstenSult's article and his contribution. It might take some time, as we will need to apply this in some real scenarios; a lab setup won't help much in this case. Thanks to both of you.
Hi BAlfson and ThorstenSult
I had it checked with our GES team, and they have referred this issue to the one we had reported earlier, with a workaround suggested as Thorsten has mentioned. Please refer to this KBA advisory: "Sophos XG, UTM, Cyberoam and Central Email may be quarantining legitimate emails", which was published on 27th May 2019.
So, here's the problem with this exposure, Jaydeep. You cannot select to reject Confirmed spam at SMTP time; you must select to have Confirmed spam quarantined. I just released a Confirmed spam for myself today.
Exactly. That's what I suggested in my first reply to this post.