Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

[SFOS 18.5MR3] Poor spam detection after update to Sophos Anti-Spam Interface

Hi everyone,
I am setting up a separate thread as I did not receive any specific reply in other threads.

The case concerns Sophos Anti-Spam Interface after upgrading from v18.5MR2 to v18.5MR3 and from v19EAP1 to v19EAP2.

Before updating, antispam works great in legacy mode, detects a lot of intrusive messages and tags with a prefix (near 99%). After updating, only some messages are detected as spam and tagged (I did not do any changes in configuration).

What it comes from? How can I edit my lists to achieve pre-update spam detection?

Greetings



This thread was automatically locked due to age.
Parents
  • I am curious.

    Are only Home Users seeing this issue? Because it looks like, only Home Appliance are affected by this potential issue. Or does somebody with a Appliance (SG/XG/XGS) have the same issue? 

    __________________________________________________________________________________________________________________

  • Hi ,

    I've got a few customers upgraded to MR3, one off them has this problem and so am I with my LAB/Home version. Customer is xg210 with paid license. The thing that's the same is we both do IPv6 on the in and outside.

    Opened case Nr: 05143473

    Bart.

    Bart van der Horst


    Sophos XG v18-v21 Certified Architect

  • Appliances has been restarted few times same as anti-spam &smtpd service.

    XG just forward spam and phishing emails to local email server... Most of that spam emails are blocked by mailscanner on email server so simple free scanner detect them...

    All spam emails have header:

    X-Sophos-IBS: fail

    X-SASI-RCODE: none

    X-Sophos-Firewall: smtpd v1.0

    and in log apear:

    MSG   May 18 14:16:53Z [1nrKTs-0004lD-81]: spam scanning failed, unable to connect local antispam

    I have opened case with Sophos support and get response that it is known issue and they escelate issue to higher level to provide patch for issue...
    Will see if they will patch units before next MR1 release...

  • Just to give you guys an update (not sure why Karlos not doing it) I've got a binary fix (smtp service) from the Sophos Devs, looks good so far, the spam detection seems to work fine again and the error message in the log is also gone. I'm still looking if anything else is not working anymore. I think that after a positive feedback to Sophos, this can be distributed to all of you. 
    3rd Level Support is awesome :) 

  • Im receive today call from support(They ask 3rd Level support) that my system can't be patched, because patch is currently availible only for 18.5 MR3 and patch for 19 is not ready... Now I need to wait that they(GES) notify me when it will be ready...

  • Hey Karlos, we have the same issue for some customer. When can we expect that Fix ?

  • Apologies for the delay as I was away recently and thank you and for updating the thread with your case findings with Support.

    Currently, the fix will be included in 18.5 MR 4 (target release date is June 2022) and v19 MR1. You can request for a patch if you can't wait for the release by opening a case with Support. This issue has been identified as NC-90702.

    Karlos
    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.
  • Hi  can you confirm that patch is availible only for 18.5 MR3? Or there is also patch for v19 but my support person give me wrong info?

    Thanks.

  • Just FYI, we are affected too. Lots of Spam is passing though since the update from 18.5 MR2 to MR3. We had support apply the NC-90702 fix and rebooted all appliances/services after that, but still spam with a X-SASI-SpamProbability: 89% is passing through and not landing in the quarantine. Case 05204156, maybe you can take a look. We noticed that Spam with a probability of 90%+ is landing in the quarantine, as it was before the MR3 patch. is there a way to modify that variable, so we can set it to 50% or something?

  • The patch for v19 was a bit delayed but should now be available. GES should be notifying you shortly, if they haven't already. 

    Karlos
    Community Support Engineer | Sophos Technical Support

    Knowledge Base  |  @SophosSupport  | Sign up for SMS Alerts
    If a post solves your question use the 'This helped me' link.
  • Im receive reply from GES and yesterday has been installed patch on my v19 HA cluster.

    Now I need analyze emails(Around 2200 emails) from yesterday and report back...

  • I need to update this thread and open new support ticket... Sophos support has fix errors when spam engine try scan email(NC-90702) on our XGS136(HA cluster) but we still receive a lot of phishing and spam emails as before... Now emails are scanned but X-SASI-SpamProbability score it way to low...

    P.S. I need to add that before when we use 18.5 MR1(If remember correct) we don't have that issues...

Reply
  • I need to update this thread and open new support ticket... Sophos support has fix errors when spam engine try scan email(NC-90702) on our XGS136(HA cluster) but we still receive a lot of phishing and spam emails as before... Now emails are scanned but X-SASI-SpamProbability score it way to low...

    P.S. I need to add that before when we use 18.5 MR1(If remember correct) we don't have that issues...

Children