[SFOS 18.5MR3] Poor spam detection after update to Sophos Anti-Spam Interface

Hi everyone,
I am setting up a separate thread as I did not receive any specific reply in other threads.

The case concerns Sophos Anti-Spam Interface after upgrading from v18.5MR2 to v18.5MR3 and from v19EAP1 to v19EAP2.

Before updating, antispam works great in legacy mode, detects a lot of intrusive messages and tags with a prefix (near 99%). After updating, only some messages are detected as spam and tagged (I did not do any changes in configuration).

What it comes from? How can I edit my lists to achieve pre-update spam detection?

Greetings



Edited TAGs
[edited by: emmosophos at 6:02 PM (GMT -7) on 28 Mar 2022]
Parents Reply Children
  • Hello Karlos, 

    the thread is a bit cluttered. So its confirmed that spam engine has problems on a XG210 with 18.5.3? 

    I had the problems in the sasi log: 

    vector::_M_range_check
    Rebootet and its a bit better but the error still persists.
    Major problem on smtpd.log is:

    spam scanning failed, unable to connect local antispam

     

    But sometimes it does work. Found mails this night with:

    spam scanning result: 'NonSpam'

    and

    spam scanning result: 'Confirmed'

    We use IPv4 for all clients etc, but for compatibility our Sophos has an IPv6 too. For instance, Gmail Mails are delivered via IPv6 to the MTA. 

    More information in my ticket: 05194806 

    Is it possible to get the fix as hotfix? MR-4 will take some time I guess, and we getting all sort of porn spam etc. now.. this is a little sad for an expensive mail solution

    PS: your telephone indian support is bad, he tried to mess up with my exceptions and allow malware and drop all spam (even probable spam) 

    I actually think he doesn't know what exception means because he said something like, okay RBL is on.. 
    no its skipping RBL (but in our case only for / from internal systems, like ticket systems, phone systems etc) 


    Thanks that this community is here, otherwise we would drop Sophos.

  • When can we expect SFOS 18.5 MR4 or a hotfix? I don't get any anwser on my ticket since a week. Your paid support is a joke.

  • Just to give you guys an update (not sure why Karlos not doing it) I've got a binary fix (smtp service) from the Sophos Devs, looks good so far, the spam detection seems to work fine again and the error message in the log is also gone. I'm still looking if anything else is not working anymore. I think that after a positive feedback to Sophos, this can be distributed to all of you. 
    3rd Level Support is awesome :) 

  • Im receive today call from support(They ask 3rd Level support) that my system can't be patched, because patch is currently availible only for 18.5 MR3 and patch for 19 is not ready... Now I need to wait that they(GES) notify me when it will be ready...

  • Hey Karlos, we have the same issue for some customer. When can we expect that Fix ?

  • Apologies for the delay as I was away recently and thank you and for updating the thread with your case findings with Support.

    Currently, the fix will be included in 18.5 MR 4 (target release date is June 2022) and v19 MR1. You can request for a patch if you can't wait for the release by opening a case with Support. This issue has been identified as NC-90702.

    Karlos
    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.
  • Hi  can you confirm that patch is availible only for 18.5 MR3? Or there is also patch for v19 but my support person give me wrong info?

    Thanks.

  • Just FYI, we are affected too. Lots of Spam is passing though since the update from 18.5 MR2 to MR3. We had support apply the NC-90702 fix and rebooted all appliances/services after that, but still spam with a X-SASI-SpamProbability: 89% is passing through and not landing in the quarantine. Case 05204156, maybe you can take a look. We noticed that Spam with a probability of 90%+ is landing in the quarantine, as it was before the MR3 patch. is there a way to modify that variable, so we can set it to 50% or something?

  • The patch for v19 was a bit delayed but should now be available. GES should be notifying you shortly, if they haven't already. 

    Karlos
    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.
  • Im receive reply from GES and yesterday has been installed patch on my v19 HA cluster.

    Now I need analyze emails(Around 2200 emails) from yesterday and report back...