
Can I see why an email is tagged as spam?

Hi all, I'm using a Sophos UTM SG430 v.9.5. I'm trying to find in the SMTP proxy log why an email is tagged as *** SPAM *** (a spam level?), but I don't know where I must search. This is an example:

 

2017:11:13-14:15:12 c2 exim-in[31676]: 2017-11-13 14:15:12 [ipgreylisted] F=<emailfrom@taggedspam.it> R=<pippo@myemail.it> Verifying recipient address with callout
2017:11:13-14:15:12 c2 exim-in[31676]: 2017-11-13 14:15:12 1eEEa0-0008Eu-2i DKIM: d=segugio.it s=splio c=relaxed/relaxed a=rsa-sha256 i=emailfrom@taggedspam.it [verification succeeded]
2017:11:13-14:15:13 c2 exim-in[5458]: 2017-11-13 14:15:13 SMTP connection from [senderip]:49114 (TCP/IP connection count = 3)
2017:11:13-14:15:13 c2 exim-in[31676]: 2017-11-13 14:15:13 1eEEa0-0008Eu-2i ctasd reports 'Bulk' RefID:str=0001.0A0C0201.5A099AE1.0035,ss=3,re=0.000,recu=0.000,reip=0.000,cl=3,cld=1,fgs=0
2017:11:13-14:15:13 c2 exim-in[31676]: 2017-11-13 14:15:13 1eEEa0-0008Eu-2i Greylisting: Greylisted ipgreylisted
2017:11:13-14:15:13 c2 exim-in[31676]: [1\38] 2017-11-13 14:15:13 1eEEa0-0008Eu-2i H=******** [ipgreylisted]:50356 F=<emailfrom@taggedspam.it> temporarily rejected after DATA: Temporary local problem, please try again!
2017:11:13-14:15:13 c2 exim-in[31676]: [2\38] Envelope-from: <emailfrom@taggedspam.it>
2017:11:13-14:15:13 c2 exim-in[31676]: [3\38] Envelope-to: <pippo@myemail.it>
2017:11:13-14:15:13 c2 exim-in[31676]: [4\38] P Received: from ******** ([ipgreylisted]:50356)
2017:11:13-14:15:13 c2 exim-in[31676]: [5\38] by myserver with esmtp (Exim 4.82_1-5b7a7c0-XX)
2017:11:13-14:15:13 c2 exim-in[31676]: [6\38] (envelope-from <emailfrom@taggedspam.it>)
2017:11:13-14:15:13 c2 exim-in[31676]: [7\38] id 1eEEa0-0008Eu-2i
2017:11:13-14:15:13 c2 exim-in[31676]: [8\38] for pippo@myemail.it; Mon, 13 Nov 2017 14:15:12 +0100
2017:11:13-14:15:13 c2 exim-in[31676]: [9\38] X-CTCH-RefID: str=0001.0A0C0201.5A099AE1.0035,ss=3,re=0.000,recu=0.000,reip=0.000,cl=3,cld=1,fgs=0
2017:11:13-14:15:13 c2 exim-in[31676]: [10\38] DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=splio; d=segugio.it;
2017:11:13-14:15:13 c2 exim-in[31676]: [11\38] h=X-CSA-complaints:Message-ID:List-Unsubscribe:List-Unsubscribe-Post:List-ID:
2017:11:13-14:15:13 c2 exim-in[31676]: [12\38] Feedback-ID:MIME-Version:From:To:Subject:Reply-To:Content-Type:
2017:11:13-14:15:13 c2 exim-in[31676]: [13\38] Content-Transfer-Encoding:Date; i=emailfrom@taggedspam.it;
2017:11:13-14:15:13 c2 exim-in[31676]: [14\38] bh=o1mYAi5BRfgf1QpLDq60OrC5xQUL+O9a4Ffe037Be/A=;
2017:11:13-14:15:13 c2 exim-in[31676]: [15\38] b=wGw7pUGBvVGlV4GX0sMXXcGNpHnEAYnozRCEmolavW4jyQnrstk1eMDqA3GiMDFvb1xVePTrTgzY
2017:11:13-14:15:13 c2 exim-in[31676]: [16\38] R1clIhw8XKyZAhT6dz5KWMujIFep0sfwy/KsAE/7uaEmkScIJSJuVTWVLxAnbpdWcaGXhhB0gJLS
2017:11:13-14:15:13 c2 exim-in[31676]: [17\38] saIosxi6zDdfSK0Z8is=
2017:11:13-14:15:13 c2 exim-in[31676]: [18\38] P Received: by ******** id h16de02bhok1 for <pippo@myemail.it>; Mon, 13 Nov 2017 14:15:12 +0100 (envelope-from <emailfrom@taggedspam.it>)
2017:11:13-14:15:13 c2 exim-in[31676]: [19\38] X-Abuse-Reports-To: abuse@splio.com
2017:11:13-14:15:13 c2 exim-in[31676]: [20\38] X-CSA-complaints: whitelist-complaints@eco.de
2017:11:13-14:15:13 c2 exim-in[31676]: [21\38] I Message-ID: <6uwRAGklB-7215076@segugio.it>
2017:11:13-14:15:13 c2 exim-in[31676]: [22\38] X-Auto-Response-Suppress: OOF,AutoReply
2017:11:13-14:15:13 c2 exim-in[31676]: [23\38] X-CampaignID: 6uwRAGklB
2017:11:13-14:15:13 c2 exim-in[31676]: [24\38] List-Unsubscribe: <s3s.fr/.../g'loria.html>, <mailto:un-6uwRAGklB-centrolibri.it=email@***.it
2017:11:13-14:15:13 c2 exim-in[31676]: [25\38] List-Unsubscribe-Post: List-Unsubscribe=One-Click
2017:11:13-14:15:13 c2 exim-in[31676]: [26\38] List-ID: v3segugio
2017:11:13-14:15:13 c2 exim-in[31676]: [27\38] Feedback-ID: 6uwRAGklB:v3segugio:splio
2017:11:13-14:15:13 c2 exim-in[31676]: [28\38] X-SignalSpam-CID: 6uwRAGklB:v3segugio:splio
2017:11:13-14:15:13 c2 exim-in[31676]: [29\38] MIME-Version: 1.0
2017:11:13-14:15:13 c2 exim-in[31676]: [30\38] F From: "Segugio.it" <emailfrom@taggedspam.it>
2017:11:13-14:15:13 c2 exim-in[31676]: [31\38] T To: =?UTF-8?Q?=20?= <pippo@myemail.it>
2017:11:13-14:15:13 c2 exim-in[31676]: [32\38] Subject: =?UTF-8?Q?=E2=9C=94Assicurazioni_online:_cresce_la_fiducia_grazie?=
2017:11:13-14:15:13 c2 exim-in[31676]: [33\38] =?UTF-8?Q?_a_3_vantaggi?=
2017:11:13-14:15:13 c2 exim-in[31676]: [34\38] R Reply-To: <incopyemail@spammed.it>
2017:11:13-14:15:13 c2 exim-in[31676]: [35\38] Content-Type: text/html;
2017:11:13-14:15:13 c2 exim-in[31676]: [36\38] charset="utf-8"
2017:11:13-14:15:13 c2 exim-in[31676]: [37\38] Content-Transfer-Encoding: quoted-printable
2017:11:13-14:15:13 c2 exim-in[31676]: [38/38] Date: Mon, 13 Nov 2017 14:15:12 +0100
2017:11:13-14:15:13 c2 exim-in[31676]: 2017-11-13 14:15:13 SMTP connection from ******** [ipgreylisted]:50356 closed by QUIT

 

 

In this case emailfrom@taggedspam.it is tagged as spam (and that is true), but can I see how the UTM knows that this is spam?

Thanks all



  • Ciao Gabriele and welcome to the UTM Community!

    In this case, the email was "temporarily rejected after DATA" because you have greylisting activated.  You would need to look later in the SMTP log to find when the message was accepted.  I guess that this email was marked as spam by the sending MTA.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
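
Added example, not part of the thread and not Sophos tooling: a small Python parser that groups the posted SMTP proxy log lines by Exim message ID and pulls out the ctasd classification, the RefID fields (kept as opaque key/value pairs) and whether that delivery attempt was greylisted and temporarily rejected. The sample input is four lines copied from the log above; the regular expressions and the `summarize` function name are assumptions based only on those lines.

```python
import re
from collections import defaultdict

# Sample input: four lines copied from the log posted in the question.
SAMPLE_LOG = r"""2017:11:13-14:15:12 c2 exim-in[31676]: 2017-11-13 14:15:12 1eEEa0-0008Eu-2i DKIM: d=segugio.it s=splio c=relaxed/relaxed a=rsa-sha256 i=emailfrom@taggedspam.it [verification succeeded]
2017:11:13-14:15:13 c2 exim-in[31676]: 2017-11-13 14:15:13 1eEEa0-0008Eu-2i ctasd reports 'Bulk' RefID:str=0001.0A0C0201.5A099AE1.0035,ss=3,re=0.000,recu=0.000,reip=0.000,cl=3,cld=1,fgs=0
2017:11:13-14:15:13 c2 exim-in[31676]: 2017-11-13 14:15:13 1eEEa0-0008Eu-2i Greylisting: Greylisted ipgreylisted
2017:11:13-14:15:13 c2 exim-in[31676]: [1\38] 2017-11-13 14:15:13 1eEEa0-0008Eu-2i H=******** [ipgreylisted]:50356 F=<emailfrom@taggedspam.it> temporarily rejected after DATA: Temporary local problem, please try again!
"""

# Exim message IDs look like 1eEEa0-0008Eu-2i (6-6-2 alphanumerics).
MSG_ID = r"(?P<id>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2})"
# Patterns below are assumptions derived from the posted lines only.
CTASD = re.compile(MSG_ID + r" ctasd reports '(?P<verdict>[^']+)' RefID:(?P<ref>\S+)")
GREY = re.compile(MSG_ID + r" Greylisting: Greylisted ")
TEMPREJ = re.compile(MSG_ID + r" .*F=<(?P<sender>[^>]*)> temporarily rejected after DATA")


def summarize(log_text):
    """Return {message_id: record} with the anti-spam verdict and greylisting state."""
    msgs = defaultdict(lambda: {"verdict": None, "refid": {}, "sender": None,
                                "greylisted": False, "temp_rejected": False})
    for line in log_text.splitlines():
        if (m := CTASD.search(line)):
            rec = msgs[m["id"]]
            rec["verdict"] = m["verdict"]
            # RefID fields are kept as opaque strings; their meaning is not on the page.
            rec["refid"] = dict(kv.split("=", 1) for kv in m["ref"].split(","))
        elif (m := GREY.search(line)):
            msgs[m["id"]]["greylisted"] = True
        elif (m := TEMPREJ.search(line)):
            msgs[m["id"]]["temp_rejected"] = True
            msgs[m["id"]]["sender"] = m["sender"]
    return dict(msgs)


if __name__ == "__main__":
    for msg_id, rec in summarize(SAMPLE_LOG).items():
        print(msg_id, rec)
```

A greylisted attempt that is retried gets a new Exim message ID, so finding the later accepted copy means matching on sender and recipient rather than on the ID shown here.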