I've migrated from PureMessage to Sophos Central Email a couple of weeks ago and I am seeing an issue with spam that I can't quite figure out.
I updated my MX record to use the two Sophos servers, 99% of our mail is flowing inbound as expected with a number of genuine bulk and spam mail being caught in Quarantine as expected.
However, I am seeing quite a bit of junk mail coming through and completely bypassing the Sophos servers, obvious to see as the 'Received: from' value is not the Sophos server but random I.P addresses.
I still have PureMessage running so I am able to capture them before they hit the users inboxes but how is this scenario possible?
I was concerned it was an Exchange misconfiguration but everything looks fine there.
On another note, would it be recommend to update my Exchange Receive connector to only accept mail from the Sophos servers?
You should turn of SMTP from any other source than Central. Thats the first lesson, to prevent this to be happen. Central should be the only peer, which should be allowed to send you Emails.
Maybe there are spammer, still sitting with the old MX record in their Cache and using this.
Bit of a delayed response but this is pretty normal for junk/spam to do this. Over the last 20 odd years I've seen this where the illegitimate senders just hold on to MX records which have something that responds on the end of them. Prime spamming targets.
If you haven't already close it off, best defence.