
Sophos Central Email: spam issues

We have reported several issues to Sophos support, but basically they haven't been fixed.

The problem is related to impersonation of your domain's email addresses with malicious URLs.

- Base Email Security

DMARC and SPF are checked against the HELO email server. When that server is using its own SPF and DMARC settings, they will not fail, as the check is not done against the From email address, so your domain's SPF and DMARC are never taken into account.

So basically Header Anomalies is useless.

Support's response was to delete the Base Email Security policy and recreate it, instead of fixing their check logic.

Now we have found another one. When we block the email server's HELO name with an Add Block setting, this is not enforced, as they use another From address. Argh! I have now also added their IP address, and in some cases I had to add whole ranges. An Add Block option for IP ranges would be helpful.

Frustrated.

Fred



Edited tags
[edited by: Raphael Alganes at 6:14 AM (GMT -7) on 7 Jun 2023]
  • Today I saw another email that was allowed through, but this time our DMARC policy was recorded correctly (quarantine), as the header.from shows our domain, but still the Base Email Security policy was not applied (DMARC Fail: Quarantine, Header Anomalies: Reject):

    spf=pass smtp.helo=spammer.domain; dkim=none;
    dmarc=fail (recordpolicy=quarantine) header.from=yourdomain.com
    Received-SPF: pass receiver=mx-01-eu-central-1.prod.hydra.sophos.com;
    client-ip=45.158.14.46; envelope-from=<>; helo=spammer.domain;
    X-Sophos-Product-Type: Gateway
    X-Sophos-Email-ID: a3208286e1844ec9ae73fab1a9bd537d
    Received: from spammer.domain (45-158-14-46.hostlab.net.tr [45.158.14.46])
    by mx-01-eu-central-1.prod.hydra.sophos.com (Postfix) with ESMTP id
    4KSjrY28CfzHnHS

    The SPF pass is not from yourdomain.com, or Sophos does not read it correctly.

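The alignment point behind both posts, as an added example that is not part of the original thread and not Sophos code: DMARC (RFC 7489) only counts an SPF pass when the domain SPF actually authenticated (MAIL FROM, or the HELO name when MAIL FROM is empty, as with the envelope-from=<> above) aligns with the RFC5322.From domain. A pass on the spammer's own HELO name therefore cannot rescue a forged From: in yourdomain.com, and the result has to be "fail" with the domain owner's policy applied. The header sample below is constructed from the lines quoted above (the From: line is assumed, since the post only shows header.from=yourdomain.com), the DMARC record table stands in for a DNS lookup of _dmarc.<domain>, the function names are my own, and the organizational-domain rule is simplified (a real implementation uses the Public Suffix List). The last function also shows the CIDR range match the first post asks for, applied to the client-ip in Received-SPF.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed from the headers quoted in the thread; From: line is assumed.
SAMPLE_HEADERS = """\
Authentication-Results: mx-01-eu-central-1.prod.hydra.sophos.com;
 spf=pass smtp.helo=spammer.domain; dkim=none;
 dmarc=fail (recordpolicy=quarantine) header.from=yourdomain.com
Received-SPF: pass receiver=mx-01-eu-central-1.prod.hydra.sophos.com;
 client-ip=45.158.14.46; envelope-from=<>; helo=spammer.domain;
From: Billing <billing@yourdomain.com>
"""

# Constructed stand-in for DNS: the _dmarc.<domain> TXT record of the From domain.
DMARC_RECORDS = {"yourdomain.com": "v=DMARC1; p=quarantine; aspf=r; adkim=r"}


@dataclass
class DmarcResult:
    result: str       # "pass", "fail" or "none" (no record published)
    disposition: str  # "none", "quarantine", "reject" or "no-policy"
    reason: str


def unfold(raw: str) -> dict:
    """Unfold RFC 5322 continuation lines into {lowercased name: value}.
    Repeated names (several Received:) keep only the last; enough here."""
    headers, name = {}, None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and name:
            headers[name] += " " + line.strip()
        elif ":" in line:
            name, _, value = line.partition(":")
            name = name.strip().lower()
            headers[name] = value.strip()
    return headers


def domain_of(identity: str) -> str:
    """'user@example.com' or 'example.com' -> 'example.com'."""
    return identity.rsplit("@", 1)[-1].strip().lower().rstrip(".")


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption:
    production code must use the Public Suffix List for example.co.uk etc.)."""
    return ".".join(domain.split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC alignment: 's' = exact match, 'r' = same organizational domain."""
    if mode == "s":
        return auth_domain == from_domain
    return org_domain(auth_domain) == org_domain(from_domain)


def parse_tags(record: str) -> dict:
    """'v=DMARC1; p=quarantine' -> {'v': 'DMARC1', 'p': 'quarantine'}."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(raw_headers: str, records: dict) -> DmarcResult:
    """Re-derive the DMARC verdict from Authentication-Results plus From:."""
    h = unfold(raw_headers)
    m = re.search(r"@([A-Za-z0-9.-]+)", h.get("from", ""))
    if not m:
        return DmarcResult("fail", "none", "no RFC5322.From domain")
    from_domain = m.group(1).lower()
    ar = h.get("authentication-results", "")

    # SPF identifier: smtp.mailfrom, or smtp.helo when MAIL FROM was empty (<>).
    spf_domain = None
    spf = re.search(r"spf=(\w+)\s+smtp\.(?:mailfrom|helo)=([^;\s]+)", ar, re.I)
    if spf and spf.group(1).lower() == "pass":
        spf_domain = domain_of(spf.group(2))

    # DKIM identifier: the d= of a verified signature, if any.
    dkim_domain = None
    dkim = re.search(r"dkim=(\w+)[^;]*?header\.d=([^;\s]+)", ar, re.I)
    if dkim and dkim.group(1).lower() == "pass":
        dkim_domain = domain_of(dkim.group(2))

    record = records.get(from_domain) or records.get(org_domain(from_domain))
    if record is None:
        return DmarcResult("none", "no-policy", "no DMARC record for " + from_domain)
    tags = parse_tags(record)
    spf_ok = spf_domain is not None and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_domain is not None and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return DmarcResult("pass", "none", "aligned " + ("SPF" if spf_ok else "DKIM"))
    why = (f"SPF pass is for {spf_domain}, not aligned with From domain {from_domain}"
           if spf_domain else "no SPF pass")
    why += "; " + (f"DKIM signer {dkim_domain} not aligned" if dkim_domain
                   else "no aligned DKIM signature")
    return DmarcResult("fail", tags.get("p", "none"), why)


def client_ip_blocked(raw_headers: str, blocked_networks: list) -> bool:
    """Match the connecting IP (client-ip in Received-SPF) against CIDR ranges."""
    m = re.search(r"client-ip=([0-9a-fA-F.:]+)", unfold(raw_headers).get("received-spf", ""))
    if not m:
        return False
    ip = ipaddress.ip_address(m.group(1))
    return any(ip in ipaddress.ip_network(n, strict=False) for n in blocked_networks)


if __name__ == "__main__":
    r = evaluate_dmarc(SAMPLE_HEADERS, DMARC_RECORDS)
    print(r.result, r.disposition, "-", r.reason)
    print("client IP in blocked range:", client_ip_blocked(SAMPLE_HEADERS, ["45.158.14.0/24"]))
```

Run against the sample, the verdict is fail with disposition quarantine, because the only pass is for spammer.domain via HELO; swapping that for an smtp.mailfrom in yourdomain.com makes the same code return pass. That is the check a gateway has to apply before its own "DMARC fail" policy can mean anything; what Sophos actually does internally is not visible from the thread.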