Hi everyone,I am setting up a separate thread as I did not receive any specific reply in other threads.
The case concerns Sophos Anti-Spam Interface after upgrading from v18.5MR2 to v18.5MR3 and from v19EAP1 to v19EAP2.
Before updating, antispam works great in legacy mode, detects a lot of intrusive messages and tags with a prefix (near 99%). After updating, only some messages are detected as spam and tagged (I did not do any changes in configuration).
What it comes from? How can I edit my lists to achieve pre-update spam detection?
Greetings
Just to update this thread, RE: NC-90702, development will include a fix in SFOS 18.5 MR4 and 19.0 MR1.
I am curious.
Are only Home Users seeing this issue? Because it looks like, only Home Appliance are affected by this potential issue. Or does somebody with a Appliance (SG/XG/XGS) have the same issue?
__________________________________________________________________________________________________________________
Hi LuCar Toni,
I've got a few customers upgraded to MR3, one off them has this problem and so am I with my LAB/Home version. Customer is xg210 with paid license. The thing that's the same is we both do IPv6 on the in and outside.
Opened case Nr: 05143473
Bart.
Bart van der Horst
Sophos XG v18(.5) / v19 Certified Architecthttps://www.bpaz.nl
same issue here. the support said to me: "The issue is now different, the issue is not caused due to the system issue but the detection issue so we have no other option to submit a sample to the LABS https://support.sophos.com/support/s/article/KB-000034302?language=en_US Other than that there is no Sophos Support intervention needed." Thats no solution...
Hi DejanBukovec, please send over the new case ID once created. Ensure you mention your old case ID so they can be linked.
Please allow me to follow up with your case
sure, case 05204156
Hi Karlos,
New case ID is 05307033 and has been created today few minutes ago.
Old case has been 05249138 and has been closed today because patch has been applied.
Hi Markus & DejanBukovec, a new development case ID has been assigned to investigate this further: NC-94529
Karlos Thanks for this informations.
The root cause was identified and remediated on June 8th, could you confirm?
We are still in contact with GES. Yesterday they check FW and reply that NC-90702 is installed and pattern also successfully updated, but we still receive spam/phishing emails from "cpanel" and something like "email server" ... Case ID is still 05307033 and there is also upladed some of spam/phishing emails...
Edit: Karlos I'm receive confirmation that we have NC-90702 and NC-94529 patch applied on our appliance, but we still receive spam&phishing emails(I know that one of our user receive 1-2/day)... I didn't analyze how many we receive them on other users...
Hi DejanBukovec thank you for the update. Now that you've submitted false negative samples, please allow our Labs team some time to analyze.
Hi Karlos
I hope that they will fix issue ASAP because we receive phishing emails(We right now do not receive spam emails) at daily basis and I send them to Sophos Labs ...
Ticket has been closed because both pathes has been applied and this is now "problem" of Sophos Labs... Do you know if patteren is in SASI engine new and do not include database from 18.5 MR1 or older? Or why we in MR1 didn't receive that phishing emails but now(Same/Next day after update) we start receiving them?
Hi DejanBukovec,
Sorry to hear that you are still experiencing issues. Could you confirm you are using MTA mode? If so, you will need to open a new ticket with Support so we can investigate further.
If anyone else on this thread is still experiencing SPAM issues post hotfixes and are on MTA mode/upgraded to 18.5.4 - please reply back to this or send me a DM. Please note that the hotfixes only fixed the issue for MTA mode.
Hi Karlos Yes we use MTA mode(From beginning when it has been implemented in XG) :
Do I need write something "special" in new ticket or just mention that we have patch NC-90702 and NC-94529 and still receiving phishing emails...
All received emails are scanned but score is to low(Around 10%)... I report all mails to sophos lab...
Hi,
im having this issue too, on v19 in MTA mode hotfixes are installed automatically.
Restarting services via service antispam:restart -ds nosync doesn't fix the issue.
My /log/sasi.log is full of range ckeck errors: DNS/Request.cpp:246] vector::_M_range_check
Same as DejanBukovecmy X-SASI-SpamProbability is all around 10%
any suggestions?
Yes, please mention that you have received both patches and that you are on MTA mode and you have already been submitting SPAM samples to labs. Once opened, please provide the Support ID. Thank you.
Hi RedTunnel97, could you also confirm that your anti-spam pattern update was last updated less than 2 weeks ago?
Hi Karlos i can confirm the AntiSpam Version 10.219 from 21.06.2022 is installed, and still receiving lots of spammails
Do you have an open Support case? Have you submitted false negative samples to our Labs?