Hi everyone,I am setting up a separate thread as I did not receive any specific reply in other threads.
The case concerns Sophos Anti-Spam Interface after upgrading from v18.5MR2 to v18.5MR3 and from v19EAP1 to v19EAP2.
Before updating, antispam works great in legacy mode, detects a lot of intrusive messages and tags with a prefix (near 99%). After updating, only some messages are detected as spam and tagged (I did not do any changes in configuration).
What it comes from? How can I edit my lists to achieve pre-update spam detection?
Just to update this thread, RE: NC-90702, development will include a fix in SFOS 18.5 MR4 and 19.0 MR1.
I am curious.
Are only Home Users seeing this issue? Because it looks like, only Home Appliance are affected by this potential issue. Or does somebody with a Appliance (SG/XG/XGS) have the same issue?
Hi LuCar Toni,
I've got a few customers upgraded to MR3, one off them has this problem and so am I with my LAB/Home version. Customer is xg210 with paid license. The thing that's the same is we both do IPv6 on the in and outside.
Opened case Nr: 05143473
Bart van der Horst
Sophos XG v18(.5) / v19 Certified Architecthttps://www.bpaz.nl
Appliances has been restarted few times same as anti-spam &smtpd service.
XG just forward spam and phishing emails to local email server... Most of that spam emails are blocked by mailscanner on email server so simple free scanner detect them...
All spam emails have header:
X-Sophos-Firewall: smtpd v1.0
and in log apear:
MSG May 18 14:16:53Z [1nrKTs-0004lD-81]: spam scanning failed, unable to connect local antispam
I have opened case with Sophos support and get response that it is known issue and they escelate issue to higher level to provide patch for issue...Will see if they will patch units before next MR1 release...
Just to give you guys an update (not sure why Karlos not doing it) I've got a binary fix (smtp service) from the Sophos Devs, looks good so far, the spam detection seems to work fine again and the error message in the log is also gone. I'm still looking if anything else is not working anymore. I think that after a positive feedback to Sophos, this can be distributed to all of you. 3rd Level Support is awesome :)
Im receive today call from support(They ask 3rd Level support) that my system can't be patched, because patch is currently availible only for 18.5 MR3 and patch for 19 is not ready... Now I need to wait that they(GES) notify me when it will be ready...
Hey Karlos, we have the same issue for some customer. When can we expect that Fix ?
Apologies for the delay as I was away recently and thank you forcont and DejanBukovec for updating the thread with your case findings with Support.
Currently, Phil Becker the fix will be included in 18.5 MR 4 (target release date is June 2022) and v19 MR1. You can request for a patch if you can't wait for the release by opening a case with Support. This issue has been identified as NC-90702.
Hi Karlos can you confirm that patch is availible only for 18.5 MR3? Or there is also patch for v19 but my support person give me wrong info?
Just FYI, we are affected too. Lots of Spam is passing though since the update from 18.5 MR2 to MR3. We had support apply the NC-90702 fix and rebooted all appliances/services after that, but still spam with a X-SASI-SpamProbability: 89% is passing through and not landing in the quarantine. Case 05204156, maybe you can take a look. We noticed that Spam with a probability of 90%+ is landing in the quarantine, as it was before the MR3 patch. is there a way to modify that variable, so we can set it to 50% or something?
The patch for v19 was a bit delayed but should now be available. GES should be notifying you shortly, if they haven't already.
Im receive reply from GES and yesterday has been installed patch on my v19 HA cluster.
Now I need analyze emails(Around 2200 emails) from yesterday and report back...
I need to update this thread and open new support ticket... Sophos support has fix errors when spam engine try scan email(NC-90702) on our XGS136(HA cluster) but we still receive a lot of phishing and spam emails as before... Now emails are scanned but X-SASI-SpamProbability score it way to low...P.S. I need to add that before when we use 18.5 MR1(If remember correct) we don't have that issues...
same issue here. the support said to me: "The issue is now different, the issue is not caused due to the system issue but the detection issue so we have no other option to submit a sample to the LABS https://support.sophos.com/support/s/article/KB-000034302?language=en_US Other than that there is no Sophos Support intervention needed." Thats no solution...
Hi DejanBukovec, please send over the new case ID once created. Ensure you mention your old case ID so they can be linked.
Please allow me to follow up with your case
sure, case 05204156
New case ID is 05307033 and has been created today few minutes ago.
Old case has been 05249138 and has been closed today because patch has been applied.
Hi Markus & DejanBukovec, a new development case ID has been assigned to investigate this further: NC-94529
Karlos Thanks for this informations.
The root cause was identified and remediated on June 8th, could you confirm?
We are still in contact with GES. Yesterday they check FW and reply that NC-90702 is installed and pattern also successfully updated, but we still receive spam/phishing emails from "cpanel" and something like "email server" ... Case ID is still 05307033 and there is also upladed some of spam/phishing emails...
Edit: Karlos I'm receive confirmation that we have NC-90702 and NC-94529 patch applied on our appliance, but we still receive spam&phishing emails(I know that one of our user receive 1-2/day)... I didn't analyze how many we receive them on other users...
Hi DejanBukovec thank you for the update. Now that you've submitted false negative samples, please allow our Labs team some time to analyze.