

[SFOS 18.5MR3] Poor spam detection after update to Sophos Anti-Spam Interface

Hi everyone,
I am setting up a separate thread as I did not receive any specific reply in other threads.

The case concerns Sophos Anti-Spam Interface after upgrading from v18.5MR2 to v18.5MR3 and from v19EAP1 to v19EAP2.

Before updating, antispam worked great in legacy mode, detecting a lot of intrusive messages and tagging them with a prefix (nearly 99%). After updating, only some messages are detected as spam and tagged (I did not make any changes to the configuration).

Where does this come from? How can I edit my lists to achieve pre-update spam detection?

Greetings



  • Hello,

    Would it be possible to get the output of /log/u2d.log and /log/sasi.log, as well as a few sample .eml files via DM (especially interested in the X-SASI-* headers), so I can provide this info to the pertinent team to investigate?

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
    Sophos Support Videos  |  Product Documentation  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'Verify Answer' link.
  • 2022-04-04.18:20:31 ERROR [Main] [ precompile.cpp:647] Downloaded file could not be verified with checksum. Discarding /sdisk/sasi/asdb.tmp
    2022-04-04.18:21:22 ERROR [Main] [ laseserver.cpp:159] Couldn't fetch new signatures: Downloaded file could not be verified with checksum. Discarding /sdisk/sasi/asdb.antispam Exiting..

    Bart van der Horst


    Sophos XG v18-v21 Certified Architect

  • Hi  Emmanuel,

    I sent you the .eml files.

    Bart van der Horst


    Sophos XG v18-v21 Certified Architect

  • DB errors are back too:

    2022-04-04.21:23:57 ERROR [Main] [ precompile.cpp:715] Downloaded file could not be verified with checksum. Discarding /sdisk/sasi/asdb.delta
    2022-04-04.23:24:07 ERROR [Main] [ precompile.cpp:697] Downloaded file could not be verified with checksum. Discarding /sdisk/sasi/asdb.tmp
    2022-04-05.05:32:44 ERROR [Main] [ precompile.cpp:661] Couldn't fetch: sasi.sophosupd.com/.../asdb.antispam.old.csum
    2022-04-05.05:40:45 ERROR [Main] [ precompile.cpp:661] Couldn't fetch: sasi.sophosupd.com/.../asdb.antispam.old.csum
    2022-04-05.05:48:38 ERROR [Main] [ precompile.cpp:724] Precompile exception: Failed to apply delta to signatures.
    2022-04-05.06:09:01 ERROR [ 3] [ DNS/Request.cpp:246] vector::_M_range_check
    2022-04-05.08:12:47 ERROR [Main] [ precompile.cpp:697] Downloaded file could not be verified with checksum. Discarding /sdisk/sasi/asdb.tmp
    2022-04-05.17:01:28 ERROR [Main] [ precompile.cpp:715] Downloaded file could not be verified with checksum. Discarding /sdisk/sasi/asdb.delta
    2022-04-05.18:21:36 ERROR [Main] [ precompile.cpp:697] Downloaded file could not be verified with checksum. Discarding /sdisk/sasi/asdb.tmp
    2022-04-05.19:25:38 ERROR [Main] [ precompile.cpp:715] Downloaded file could not be verified with checksum. Discarding /sdisk/sasi/asdb.delta

    Bart van der Horst


    Sophos XG v18-v21 Certified Architect

  • Hello Bart,

    Thank you for the email samples.

    I have submitted them to the pertinent team.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support
  • Hi Emmanuel,

    I think I have the DB errors resolved.

    On this line 2022-04-05.05:32:44 ERROR [Main] [ precompile.cpp:661] Couldn't fetch: sasi.sophosupd.com/.../asdb.antispam.old.csum

    It says can't fetch, so I checked sasi.sophosupd.com with nslookup and found out that it has only an IPv4 address. I have both IPv4 and IPv6, and I have IPv6 on priority in the DNS page; I changed that to IPv4 and there are no errors anymore. Maybe you could check on your end why the SASI update server has no IPv6 address, or at least no DNS pointing to it.

    So maybe IPv6 is the whole problem with SASI; I did not have any spam detection problems with the previous firmware, so it could be.

    Now I've got to wait for spam...

     

    Bart van der Horst


    Sophos XG v18-v21 Certified Architect
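
Added example, not part of the original posts and not Sophos code: a small triage script for the sasi.log excerpt above that groups the update errors by failure class and pulls out the update host named in the fetch failures, so its A/AAAA resolution can be checked as described in the post. The log line layout is inferred from the posted lines only; `classify`, `summarize` and `address_families` are hypothetical helper names, and `address_families` needs working DNS and is not called on import.

```python
import re
import socket
from collections import Counter
from datetime import datetime

# Lines copied from the sasi.log excerpt posted in this thread (URL left elided as posted).
SAMPLE = """\
2022-04-04.21:23:57 ERROR [Main] [ precompile.cpp:715] Downloaded file could not be verified with checksum. Discarding /sdisk/sasi/asdb.delta
2022-04-04.23:24:07 ERROR [Main] [ precompile.cpp:697] Downloaded file could not be verified with checksum. Discarding /sdisk/sasi/asdb.tmp
2022-04-05.05:32:44 ERROR [Main] [ precompile.cpp:661] Couldn't fetch: sasi.sophosupd.com/.../asdb.antispam.old.csum
2022-04-05.05:40:45 ERROR [Main] [ precompile.cpp:661] Couldn't fetch: sasi.sophosupd.com/.../asdb.antispam.old.csum
2022-04-05.05:48:38 ERROR [Main] [ precompile.cpp:724] Precompile exception: Failed to apply delta to signatures.
2022-04-05.06:09:01 ERROR [ 3] [ DNS/Request.cpp:246] vector::_M_range_check
2022-04-05.08:12:47 ERROR [Main] [ precompile.cpp:697] Downloaded file could not be verified with checksum. Discarding /sdisk/sasi/asdb.tmp
"""

# timestamp, level, [thread], [source:line], message (layout inferred from the lines above)
LINE = re.compile(r"^(\d{4}-\d\d-\d\d\.\d\d:\d\d:\d\d)\s+(\w+)\s+\[[^\]]*\]\s+\[[^\]]*\]\s+(.*)$")
RULES = (("could not be verified with checksum", "checksum_mismatch"),
         ("Failed to apply delta", "delta_apply_failed"),
         ("Couldn't fetch", "fetch_failed"))

def classify(msg):
    """First matching rule wins; anything unrecognised is 'other'."""
    return next((kind for needle, kind in RULES if needle in msg), "other")

def summarize(text):
    """Count ERROR lines per failure class, discarded files, and fetch hosts."""
    counts, discarded, hosts, stamps = Counter(), Counter(), set(), []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m.group(2) != "ERROR":
            continue
        ts, _, msg = m.groups()
        stamps.append(datetime.strptime(ts, "%Y-%m-%d.%H:%M:%S"))
        kind = classify(msg)
        counts[kind] += 1
        d = re.search(r"Discarding (\S+)", msg)
        if d:
            discarded[d.group(1).rsplit("/", 1)[-1]] += 1
        if kind == "fetch_failed":
            hosts.add(msg.split(":", 1)[1].strip().split("/", 1)[0])
    return {"counts": dict(counts), "discarded": dict(discarded), "hosts": sorted(hosts),
            "first": min(stamps, default=None), "last": max(stamps, default=None)}

def address_families(host):
    """IP families the local resolver returns for host (performs a DNS lookup)."""
    infos = socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)
    return {"IPv6" if fam == socket.AF_INET6 else "IPv4" for fam, *_ in infos}
```

Running `address_families` on each entry of `summarize(...)["hosts"]` from a machine using the same resolver as the firewall shows whether only IPv4 answers come back for the update host.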

  • I folded, reverted to MR2, spam is detected normally now.

    Bart van der Horst


    Sophos XG v18-v21 Certified Architect

  • Interesting to see. Did you test the new Sophos spam engine with v19 EAP2 too?
    My SG-home is running with it but I have no mail server to test it.

    _______________________________________________________

    Sophos SG 210 with Sophos XG Home - 20.0 MR 1

    If a post solves your question please use the 'Verify Answer' button.

  • It is supposed to work on imap/s and as far as I can see does not.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA


  • The problem also exists in v19EAP2.
    I'm back to v18.5MR2 and all anti-spam features are working fine.

  • I am using v19 EAP2. I have two mail accounts with the ISP; there is only one IPv4 mail rule and one IPv6 mail rule, which is not passing traffic. Tonight I started a detailed investigation into the spam issue. I received a spam mail message which I cannot find in the XG logviewer - mail tab. The message does not appear in the mail quarantine log.

    So, conclusion, the messages are not examined by the XG mail function therefore a bug.

    Ian

    So, when I forward the message to my other accounts, it is scanned by the XG, but not tagged as spam. Thinking about this, the result is as expected because the original message is not being used as a source server.

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA




    Added after thoughts about why the forwarded messages did not show as spam.
    [edited by: rfcat_vk at 9:20 PM (GMT -7) on 7 Apr 2022]
  • Hello Bart,

    Thank you for the update. 

    I have replied to your DM with some additional info.

    Regards,


     
    Emmanuel (EmmoSophos)
    Technical Team Lead, Global Community Support