
questions about spoofs

We just set up Sophos Email Gateway on top of GSuite... everything works, followed the setup and turned on all warnings

Spam Filtering - turned on tag subject line

End-user message settings - turned on all smart banners

Sender Check - turned on tag subject line

then ran this test https://emailspooftest.com

E9 and E10 emails were not flagged by Sophos Gateway in any way (which is honestly a bit odd)

none of the test emails E1 to E10 showed smart banners of any kind though all other emails do

thoughts?

thank you

jiri



  • yes, it goes through sophos servers

    What is perhaps even more interesting is that notifications from the Sophos forum itself (literally the notification on this question) are not showing any banner either; here is the notification email I just received

    Delivered-To: jiri.novak@deep-labs.com
    Received: by 2002:a05:6a10:2a90:0:0:0:0 with SMTP id ja16csp2906708pxb;
            Mon, 18 Jan 2021 15:55:37 -0800 (PST)
    X-Google-Smtp-Source: ABdhPJygjEx11Ml3O1g7dsvJJS+Mv7Tq0wib7sONCAkBpPJjOmTjKqdti/0e6FEpN/IfNIGK8XvM
    X-Received: by 2002:a62:e516:0:b029:156:3b35:9423 with SMTP id n22-20020a62e5160000b02901563b359423mr1673529pff.19.1611014136906;
            Mon, 18 Jan 2021 15:55:36 -0800 (PST)
    ARC-Seal: i=1; a=rsa-sha256; t=1611014136; cv=none;
            d=google.com; s=arc-20160816;
            b=md3tMd7DN7H+i0dtS8MxYnTEQyve9K8VyAVInHTM5NRxHMlu5V5TCoomWhXgX4qDyl
             44SsPIUPQJNmAY5Xotm0pnT16nxst0nhz9QoY1fZJAP50p0Vej5UFxY9SLYPkS9BHL78
             ZJSrv6rS6HEdbAL+bxePksbEXjsv41uedXQJTKYZkz2A0x4LyQnXbvGwt7VyfGm65Fej
             K1O2TKOMEghqgotRhsq7lPhRan3IwjTF5o/QMnctTztA/xdYhGFHzqL9IqflikT1pdhk
             zd6T9YYAtg8BvCs2SQ598xHRKOfZxaFklssgiTt+7qdRIYV+5CZpZVQr5E3JlTlA88m3
             zo4w==
    ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
            h=content-transfer-encoding:subject:date:to:from:mime-version
             :references:in-reply-to:message-id;
            bh=7HEfJKj9Hy9kLaCSPRpZhZ6hOc9tKW+t1gBijeBhJMg=;
            b=repwjUVNhTvIH+lGcETZC+QCFv7dvAQaiSBj5/gnPYWhi/CeLRsv+YCr/HrecFT/D8
             w1VafoykQucdarhCcD9GVuF97wMnfd6ZfNL28LJPMD3kZIPdpN7SW+0mAKjatNG6sRsQ
             yFLhfONeV6EMug3ou5Vn/c7fqASlmxcndSnYKI0/GKqQwYRP8OPGlCf7jLY6KA+Q2YB5
             6R2wSPfxVUiW7LMyMZYETfVm1VokkQ4zwI0YSF7FQjBF4oeTt3SoCrMkYTeovvsd86JC
             yWB8VJvq5osiprcMpVrvehGIo8YxmE7Z34Fd9Pt0D4GQUXyWg+tbA4Amac8/E09zr4AW
             n7QA==
    ARC-Authentication-Results: i=1; mx.google.com;
           spf=pass (google.com: domain of noreply@mail.community.sophos.com designates 52.210.173.117 as permitted sender) smtp.mailfrom=noreply@mail.community.sophos.com
    Return-Path: <noreply@mail.community.sophos.com>
    Received: from outbound-52-41-236-76-us-west-2.prod.hydra.sophos.com (outbound-52-41-236-76-us-west-2.prod.hydra.sophos.com. [52.41.236.76])
            by mx.google.com with ESMTPS id w9si21884803pgc.217.2021.01.18.15.55.36
            for <jiri.novak@deep-labs.com>
            (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
            Mon, 18 Jan 2021 15:55:36 -0800 (PST)
    Received-SPF: pass (google.com: domain of noreply@mail.community.sophos.com designates 52.210.173.117 as permitted sender) client-ip=52.210.173.117;
    Authentication-Results: mx.google.com;
           spf=pass (google.com: domain of noreply@mail.community.sophos.com designates 52.210.173.117 as permitted sender) smtp.mailfrom=noreply@mail.community.sophos.com
    Received: from ip-172-17-101-185.us-west-2.compute.internal (ip-172-17-101-185.us-west-2.compute.internal [127.0.0.1]) by outbound-52-41-236-76-us-west-2.prod.hydra.sophos.com (Postfix) with ESMTP id 4DKTF446spz1xn1 for <jiri.novak@deep-labs.com>; Mon, 18 Jan 2021 23:55:36 +0000 (UTC)
    Authentication-Results: mx-01-us-west-2.prod.hydra.sophos.com; spf=pass smtp.mailfrom=noreply@mail.community.sophos.com; dkim=none; dmarc=pass (recordpolicy=none) header.from=mail.community.sophos.com
    Received-SPF: pass receiver=mx-01-us-west-2.prod.hydra.sophos.com; client-ip=52.210.173.117; envelope-from=<noreply@mail.community.sophos.com>; helo=euw1-prd1-job-001.telligent.com;
    X-Sophos-Email-ID: a75eefc65f8245ef87d46a13ad841842
    Received: from euw1-prd1-job-001.telligent.com (euw1-prd1-job-001.telligent.com [52.210.173.117]) by mx-01-us-west-2.prod.hydra.sophos.com (Postfix) with ESMTP id 4DKTDz4pZYz1xmv for <jiri.novak@deep-labs.com>; Mon, 18 Jan 2021 23:55:31 +0000 (UTC)
    Received: from EC2AMAZ-05TI699 ([127.0.0.1]) by euw1-prd1-job-001.telligent.com with Microsoft SMTPSVC(10.0.14393.2608);
      Mon, 18 Jan 2021 23:55:30 +0000
    X-Sender: Sophos Community <noreply@mail.community.sophos.com>
    X-Receiver: "Jiri Novak1" <jiri.novak@deep-labs.com>
    Message-ID: <eec30807-9ad8-49fa-ac80-0f20d84c5996@community.sophos.com>
    In-Reply-To: <eec30807-9ad8-49fa-ac80-0f20d84c5996@community.sophos.com>
    References: <eec30807-9ad8-49fa-ac80-0f20d84c5996@community.sophos.com>
    MIME-Version: 1.0
    From: Sophos Community <noreply@mail.community.sophos.com>
    To: Jiri Novak1 <jiri.novak@deep-labs.com>
    Date: 18 Jan 2021 23:55:30 +0000
    Subject: RE: questions about spoofs
    Content-Type: multipart/related; boundary="-=_ANM001_=-f643ad0ee6a04ac2a6c00f688017aa5a"; type="multipart/alternative,multipart/alternative"
    X-OriginalArrivalTime: 18 Jan 2021 23:55:30.0515 (UTC) FILETIME=[6704DA30:01D6EDF5]
    Content-Transfer-Encoding: 8bit
    X-Sophos-Email: [us-west-2] Antispam-Engine: 3.4.3, AntispamData: 2021.1.18.234219
    X-Sophos-SenderHistory: ip=52.210.173.117, fs=67879505, fso=67879505, da=104472739, mc=7907, sc=16, hc=7891, sp=0, re=0, sd=0, hd=22
    X-LASED-SpamProbabilty: 0.089074
    X-LASED-Hits: BODYTEXTH_SIZE_10000_LESS 0.000000, BODYTEXTH_SIZE_3000_MORE 0.000000, BODYTEXTP_SIZE_3000_LESS 0.000000, BODY_SIZE_10000_PLUS 0.000000, DQ_S_H 0.000000, HREF_LABEL_TEXT_NO_URI 0.000000, HTML_90_100 0.100000, INBOUND_SOPHOS 0.000000, INVOICE_ATTACHMENT 0.100000, IN_REP_TO 0.000000, JPG_COMMON_HEADER_ORDER 0.000000, JPG_SPAMMY_SEGMENT 0.000000, JPG_SPAMMY_Y_RESOLUTION 0.000000, REFERENCES 0.000000, STYLE_RATWARE_REF 0.000000, SUBJ_STARTS_IN_SPACE 0.100000, SUPERLONG_LINE 0.050000, TRANSACTIONAL 0.000000, __ANY_URI 0.000000, __AUTH_RES_DMARC_PASS 0.000000, __AUTH_RES_PASS 0.000000, __BODY_NO_MAILTO 0.000000, __BODY_TEXT_X4 0.000000, __BOUNCE_CHALLENGE_SUBJ 0.000000, __BOUNCE_NDR_SUBJ_EXEMPT 0.000000, __CP_MEDIA_BODY 0.000000, __CP_URI_IN_BODY 0.000000, __CT 0.000000, __CTYPE_HAS_BOUNDARY 0.000000, __CTYPE_MULTIPART 0.000000, __CTYPE_MULTIPART_ALT 0.000000, __DQ_IP_FSO_LARGE 0.000000, __DQ_S_HIST_1 0.000000, __DQ_S_IP_MC_100_P 0.000000, __DQ_S_IP_MC_10_P 0.000000, __DQ_S_IP_MC_1K_P 0.000000, __DQ_S_IP_MC_1_P 0.000000, __DQ_S_IP_MC_5_P 0.000000, __DQ_S_IP_RE_0 0.000000, __DQ_S_IP_RE_49_L 0.000000, __DQ_S_IP_RE_4_L 0.000000, __DQ_S_IP_RE_99_L 0.000000, __DQ_S_IP_RE_9_L 0.000000, __DQ_S_IP_SC_10_P 0.000000, __DQ_S_IP_SC_1_P 0.000000, __DQ_S_IP_SC_5_P 0.000000, __DQ_S_IP_SP_0_P 0.000000, __EMBEDDED_IMG 0.000000, __EXTRA_MPART_TYPE_1 0.000000, __EXTRA_MPART_TYPE_N1 0.000000, __FROM_NOREPLY 0.000000, __FROM_TRANSACTIONAL 0.000000, __FROM_TR_SOPHOS 0.000000, __HAS_ATTACHMENT 0.000000, __HAS_ATTACHMENT1 0.000000, __HAS_ATTACHMENT2 0.000000, __HAS_FROM 0.000000, __HAS_HTML 0.000000, __HAS_MSGID 0.000000, __HAS_REFERENCES 0.000000, __HAS_XOAT 0.000000, __HREF_LABEL_IMG 0.000000, __HREF_LABEL_TEXT 0.000000, __HTML_AHREF_TAG 0.000000, __HTML_HREF_TAG_X2 0.000000, __HTML_TAG_CENTER 0.000000, __HTML_TAG_DIV 0.000000, __HTML_TAG_IMG_X2 0.000000, __HTML_TAG_TABLE 0.000000, __HTTPS_URI 0.000000, __HTTP_IMAGE_TAG 0.000000, __IMG_ATTACHED 0.000000, __IMG_THEN_TEXT 
0.000000, __INVOICE_MULTILINGUAL 0.000000, __IN_REP_TO 0.000000, __JPG_SPAMMY_SEGMENT_2 0.000000, __JPG_SPAMMY_Y_RESOLUTION_3 0.000000, __MIME_HTML 0.000000, __MIME_TEXT_H 0.000000, __MIME_TEXT_H1 0.000000, __MIME_TEXT_H2 0.000000, __MIME_TEXT_P 0.000000, __MIME_TEXT_P1 0.000000, __MIME_TEXT_P2 0.000000, __MIME_VERSION 0.000000, __MULTIPLE_URI_HTML 0.000000, __MULTIPLE_URI_TEXT 0.000000, __PNG_WIDTH_100 0.000000, __RATWARE_SIGNATURE_3_N1 0.000000, __REFERENCES 0.000000, __SANE_MSGID 0.000000, __SEXTORTION_PORN 0.000000, __STOCK_PHRASE_7 0.000000, __STYLE_RATWARE 0.000000, __STYLE_RATWARE_NEG 0.000000, __STYLE_TAG 0.000000, __SUBJ_ALPHA_END 0.000000, __SUBJ_ALPHA_NEGATE 0.000000, __TAG_EXISTS_HTML 0.000000, __TO_MALFORMED_2 0.000000, __TO_NAME 0.000000, __TO_NAME_DIFF_FROM_ACC 0.000000, __TO_REAL_NAMES 0.000000, __URI_ENDS_IN_SLASH 0.000000, __URI_HAS_HYPHEN_USC 0.000000, __URI_IN_BODY 0.000000, __URI_IN_BODY_HTTP_X10 0.000000, __URI_MAILTO 0.000000, __URI_NOT_IMG 0.000000, __URI_NO_WWW 0.000000, __URI_NS 0.000000, __URI_WITHOUT_PATH 0.000000, __URI_WITH_PATH 0.000000
    X-Sophos-Email-Transport-Route: smtp_encrypt:routing-mx.deep-labs.com:25
    X-LASED-Spam: NonSpam
    
    ---=_ANM001_=-f643ad0ee6a04ac2a6c00f688017aa5a
    content-type: multipart/alternative; boundary="-=_ANM002_=-f643ad0ee6a04ac2a6c00f688017aa5a"
    Content-Transfer-Encoding: 8bit
    
    ---=_ANM002_=-f643ad0ee6a04ac2a6c00f688017aa5a
    Content-Type: text/plain; charset=utf-8
    Content-Transfer-Encoding: quoted-printable
    
    Update from Sophos Community
    
    
    [https://us-west-2.protection.sophos.com?d=3Dsophos.com&u=3DaHR0cHM6Ly9jb21=
    tdW5pdHkuc29waG9zLmNvbS8=3D&i=3DNTllNjI2M2UyZjUxNGUxMmEwNmYzM2Q5&t=3DcVdsMX=
    hWUmtHcldIaFU0NmdvOE1FZFRXKzVQT0JvRTQ4Q0pKNE5GUzRzbz0=3D&h=3Da75eefc65f8245=
    ef87d46a13ad841842]
    
    [https://us-west-2.protection.sophos.com?d=3Dsophos.com&u=3DaHR0cHM6Ly9jb21=
    tdW5pdHkuc29waG9zLmNvbS9tZW1iZXJzL2VtbW9zb3Bob3M=3D&i=3DNTllNjI2M2UyZjUxNGU=
    xMmEwNmYzM2Q5&t=3DYWRmV1JkQVpRdVZRZU5TbDd4a3NhQkcwb3lvV3VyOWdaZlFLMi8xK3JIR=
    T0=3D&h=3Da75eefc65f8245ef87d46a13ad841842]
    
    emmosophos  [https://us-west-2.protection.sophos.com?d=3Dsophos.com&u=3DaHR=
    0cHM6Ly9jb21tdW5pdHkuc29waG9zLmNvbS9tZW1iZXJzL2VtbW9zb3Bob3M=3D&i=3DNTllNjI=
    2M2UyZjUxNGUxMmEwNmYzM2Q5&t=3DYWRmV1JkQVpRdVZRZU5TbDd4a3NhQkcwb3lvV3VyOWdaZ=
    lFLMi8xK3JIRT0=3D&h=3Da75eefc65f8245ef87d46a13ad841842]
    
    Hello Jiri,
    
    Thank you for contacting the Sophos Community!
    
    If you check the email headers are you seeing the header from Sophos Centra=
    l?
    
    Regards,
    
    View online  [https://us-west-2.protection.sophos.com?d=3Dsophos.com&u=3DaH=
    R0cHM6Ly9jb21tdW5pdHkuc29waG9zLmNvbS9zb3Bob3MtZW1haWwvZi9kaXNjdXNzaW9ucy8xM=
    jUzODgvcXVlc3Rpb25zLWFib3V0LXNwb29mcy80NTgxOTkjNDU4MTk5&i=3DNTllNjI2M2UyZjU=
    xNGUxMmEwNmYzM2Q5&t=3DM0RVMEM0ak1Zb0QxMHZNVkltRUJpK05NenYzbkErUEV4UGZ6RGxZW=
    nFiST0=3D&h=3Da75eefc65f8245ef87d46a13ad841842]
    
    You received this notification because you subscribed to the forum. =C2=A0T=
    o unsubscribe from only this thread,  go here  [https://us-west-2.protectio=
    n.sophos.com?d=3Dsophos.com&u=3DaHR0cHM6Ly9jb21tdW5pdHkuc29waG9zLmNvbS9zb3B=
    ob3MtZW1haWwvZi9kaXNjdXNzaW9ucy8xMjUzODgvcXVlc3Rpb25zLWFib3V0LXNwb29mcy9tdX=
    Rl&i=3DNTllNjI2M2UyZjUxNGUxMmEwNmYzM2Q5&t=3DNE9vdnBhTkVYRXRNQWorY2MzU25MRlB=
    QMUpCdkZNTlJDM2dVdnpiTEdNWT0=3D&h=3Da75eefc65f8245ef87d46a13ad841842].
    
    Flag  [https://us-west-2.protection.sophos.com?d=3Dsophos.com&u=3DaHR0cHM6L=
    y9jb21tdW5pdHkuc29waG9zLmNvbS9zb3Bob3MtZW1haWwvZi9kaXNjdXNzaW9ucy8xMjUzODgv=
    cXVlc3Rpb25zLWFib3V0LXNwb29mcy80NTgxOTk_QWJ1c2VDb250ZW50SWQ9ZWYyZDcxOTYtNWR=
    lYy00OGE3LWI5MGQtNzRhMjk5MjY1MTMzJkFidXNlQ29udGVudFR5cGVJZD1mNTg2NzY5Yi0wOD=
    IyLTQ2OGEtYjdmMy1hOTRkNDgwZWQ5YjAmQWJ1c2VGbGFnPXRydWU=3D&i=3DNTllNjI2M2UyZj=
    UxNGUxMmEwNmYzM2Q5&t=3DL0YvTmVET3YzdC9jRkp6STJtaDJjdUFzdGR1b3lJWjM1ZlhtT1NE=
    OHhtdz0=3D&h=3Da75eefc65f8245ef87d46a13ad841842]=C2=A0this post=C2=A0as spa=
    m/abuse.
    ---=_ANM002_=-f643ad0ee6a04ac2a6c00f688017aa5a--
    ---=_ANM001_=-f643ad0ee6a04ac2a6c00f688017aa5a--
    

  • Yes, all go through sophos server (looked at email headers)

    Interestingly enough, the Sophos forum notification (of this thread) did not include a smart banner either (we did not add sophos.com to the approved list); attached is the Sophos forum notification email (I tried to copy-paste it as code but got flagged for spam)

    https://www.dropbox.com/s/ozfuds8b0x6m5no/email.txt?dl=0

  • Hello Jiri,

    Emails coming from sophos.com will not get the banner; this is by design.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos  |  Product Documentation  |  @SophosSupport  |  Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • That's very strange behavior, honestly. Sophos forum notifications bypass a basic setting of the email gateway platform? Why? Banners are simple: green-yellow-red. Showing "nothing" is simply not a good way to teach users what to watch for. It is an external email not coming from our domain, so it should be flagged. Btw, Sophos forum emails don't even use DKIM

    Authentication-Results: mx-01-us-west-2.prod.hydra.sophos.com; spf=pass smtp.mailfrom=noreply@mail.community.sophos.com; dkim=none;

    If you run tests on https://emailspooftest.com you get similar "no banner" behavior, and on top of that you get emails through which should be flagged as spam (E9 and E10)

    honestly this seems like a bug, not a feature to me
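To see what a gateway actually verified for a message like the notification quoted in this thread, the following added example (not part of the original thread and not Sophos code) parses the `Authentication-Results` headers and reports which of SPF and DKIM is aligned with the `From:` domain. The alignment check is simplified, reading the `(recordpolicy=none)` comment as the published DMARC policy is an assumption, and the second sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

COMMENT = re.compile(r"\(([^()]*)\)")

def parse_authres(value):
    """Parse one Authentication-Results value (RFC 8601) into (authserv_id, methods)."""
    value = " ".join(value.split())                        # unfold the header
    first, *resinfos = re.split(r";(?![^()]*\))", value)    # split on ';' outside comments
    methods = {}
    for seg in resinfos:
        m = re.match(r"\s*([\w-]+)\s*=\s*(\w+)", seg)       # method=result
        if not m:
            continue
        c = COMMENT.search(seg)
        info = {"result": m.group(2).lower(), "comment": c.group(1) if c else ""}
        # ptype.property=value pairs, e.g. smtp.mailfrom=..., header.from=...
        info.update(re.findall(r"([a-z]+\.[\w-]+)=(\S+)", COMMENT.sub(" ", seg)))
        methods[m.group(1).lower()] = info
    return (first.split() or [""])[0].lower(), methods

def aligned(a, b):
    """Simplified relaxed alignment: equal, or one is a subdomain of the other."""
    # Real DMARC compares organizational domains using the Public Suffix List.
    a, b = a.lower(), b.lower()
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def assess(raw_message, trusted_authserv):
    """Summarise SPF/DKIM/DMARC for the From: domain, using only the topmost
    Authentication-Results header stamped by the named (trusted) server."""
    msg = message_from_string(raw_message)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    methods = {}
    for value in msg.get_all("Authentication-Results", []):
        authserv, parsed = parse_authres(value)
        if authserv == trusted_authserv.lower():
            methods = parsed
            break
    spf, dkim, dmarc = (methods.get(k, {}) for k in ("spf", "dkim", "dmarc"))
    mailfrom_dom = spf.get("smtp.mailfrom", "").rpartition("@")[2]
    aligned_by = []   # mechanisms that actually vouch for the From: domain
    if spf.get("result") == "pass" and aligned(mailfrom_dom, from_dom):
        aligned_by.append("spf")
    if dkim.get("result") == "pass" and aligned(dkim.get("header.d", ""), from_dom):
        aligned_by.append("dkim")
    # Assumption: a comment such as "(recordpolicy=none)" carries the DMARC policy.
    policy = re.search(r"policy=(\w+)", dmarc.get("comment", ""))
    return {"from_domain": from_dom, "aligned_by": aligned_by,
            "spf": spf.get("result", "missing"), "dkim": dkim.get("result", "missing"),
            "dmarc": dmarc.get("result", "missing"),
            "policy": policy.group(1) if policy else None}

# Headers copied from the notification e-mail quoted in the thread.
THREAD_SAMPLE = """\
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of noreply@mail.community.sophos.com designates 52.210.173.117 as permitted sender) smtp.mailfrom=noreply@mail.community.sophos.com
Authentication-Results: mx-01-us-west-2.prod.hydra.sophos.com; spf=pass smtp.mailfrom=noreply@mail.community.sophos.com; dkim=none; dmarc=pass (recordpolicy=none) header.from=mail.community.sophos.com
From: Sophos Community <noreply@mail.community.sophos.com>

"""

# Constructed sample: SPF passes for the envelope domain only, so DMARC fails.
CONSTRUCTED_SAMPLE = """\
Authentication-Results: gw.example.org; spf=pass smtp.mailfrom=bounce@mailer.example.net; dkim=none; dmarc=fail header.from=example.com
From: Accounts <billing@example.com>

"""

if __name__ == "__main__":
    print(assess(THREAD_SAMPLE, "mx-01-us-west-2.prod.hydra.sophos.com"))
    print(assess(CONSTRUCTED_SAMPLE, "gw.example.org"))
```

For the thread's message the summary shows `dmarc=pass` resting on SPF alignment alone, with `dkim=none`; in the constructed message `spf=pass` says nothing about the visible `From:` domain.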

  • I just opened my inbox

    - there are some emails with no banner from random outside domains (some even flagged as bulk)

    - emails from haveibeenpwned.com have a green banner though they clearly impersonate our domain; the email came with stripped DKIM though our domain clearly says it must use Sophos DKIM. I am also very unsure how Sophos makes sure outgoing emails are truly coming from us; there is no real auth between the Google email server and the Sophos gateway (blind trust, I guess)

  • Hello Jiri,

    Thank you for the feedback; I will pass your comments to PM, but as mentioned, this is by design. Usually, users won’t get emails from sophos.com directly; for example, emails coming from Password Recovery for SSP will get the banner added.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hello Jiri,

    I would recommend you to open a case with Support to get those emails without banner investigated as well as the impersonation.

    Also, take a look at this KB for questions about banners.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support