
[SFOS 18.5MR3] Poor spam detection after update to Sophos Anti-Spam Interface

Hi everyone,
I am setting up a separate thread as I did not receive any specific reply in other threads.

The case concerns Sophos Anti-Spam Interface after upgrading from v18.5MR2 to v18.5MR3 and from v19EAP1 to v19EAP2.

Before updating, anti-spam worked great in legacy mode, detecting a lot of intrusive messages and tagging them with a prefix (nearly 99%). After updating, only some messages are detected as spam and tagged (I did not make any changes to the configuration).

Where does this come from? How can I edit my lists to get back to pre-update spam detection?

Greetings



  • and the anti-spam pattern has not been updated for 6 days.

    ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • And unfortunately stops working :/

  • Same for me, but then, ATP was not updated for 4 days. I guess there are simply no new rules.

  • For me it's still working, I can see I get all X-SASI headers in the incoming emails. Maybe you need to restart the firewall as I did.

  • Changed the default IMAP/POP3 policies and created two of my own. One spam message came through with added text, but not in a place that a mail rule could use to check and shift it to a spam folder. The message header does not contain any X-SASI type information, so I suspect all my incoming mail will now be classified as spam.

    That will be a check to follow up on with tomorrow's mail messages. I didn't have to wait long, and a new spam message appeared with the same format but not usable in a mail rule.

    Ian

    The two messages marked as probable spam do not appear in the email log. Funny, I am seeing messages from February 2022 being delivered tonight, though I can't see them in the inbox being delivered today. More testing and observing tomorrow.


  • This issue has been assigned Development Reference ID NC-90702 and we will keep this post updated as we get more information.

    Best,

    Karlos
    Community Support Engineer | Sophos Technical Support

  • Mixed results, now receiving messages marked as spam that were previously delivered in 2021. Some of the fresh spam is marked correctly and put in the junk folder; others have the correct comment added by the XG but not in the correct place in the subject line. None of the spam messages are appearing in the log viewer as having been received.

    Ian


  • Hi folks,

    this gets stranger and stranger. The mail messages delivered to my Mac mini do not show any subject change, whereas the same messages on the iPhone and iPads do. I read the messages on the iPad first, then checked the Mac mini (Mac Mail).

    All messages appear in the log viewer as clean mail.

    Ian


  • Spam is being sent from Russian IP addresses and not even being tagged as probable spam. Next thing is to better understand how to block, in XG, source mail addresses that get passed from the ISP mail servers as being legitimate.

    Ian

    Dropped the idea of using source mail addresses, too many spam senders are marked as trusted sites. Using phrases to see if that improves the hit rate.

  • Are there any resources on how SASI works?
    Currently I get mixed results with my home license. Some emails are quarantined, and all X-SASI headers are there. And then some mails go through with just these lines:

    X-Sophos-IBS: fail
    X-SASI-RCODE: none
    X-Sophos-Firewall: smtpd v1.0

    Those mails that are going through like this are properly signed via DKIM. Does any mail with a correct DKIM signature bypass further spam processing?

    RBL and RDNS checks seem to work always.

    And another question, as a user who formerly had the UTM: when I release mails from quarantine, are they reported as false positives? In UTM I had an option to report so while releasing.
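Several posts above turn on the same two observations: some messages arrive with only `X-Sophos-IBS: fail` / `X-SASI-RCODE: none` / `X-Sophos-Firewall: smtpd v1.0` and no other X-SASI headers, and some get the spam tag inserted in the middle of the subject where a leading-match mail rule cannot see it. The script below is an added example for checking a mailbox for both conditions; it is not Sophos code and does not come from any poster in this thread. The only header names taken from the thread are `X-Sophos-IBS`, `X-SASI-RCODE` and `X-Sophos-Firewall`; the `X-SASI-Hits` header in the sample data and the `[SPAM]` subject prefix are assumptions (set `SPAM_PREFIX` to whatever your SMTP/POP/IMAP policy actually inserts), and all sample messages are constructed.

```python
"""Triage a mailbox by the anti-spam headers the Sophos firewall adds.

Added example for this thread, not Sophos code. The only header names taken
from the thread are X-Sophos-IBS, X-SASI-RCODE and X-Sophos-Firewall; the
X-SASI-Hits header in the sample data and the "[SPAM]" subject prefix are
assumptions. All sample messages below are constructed for the example.
"""
import email
from collections import Counter

SPAM_PREFIX = "[SPAM]"  # assumed prefix; set to what your policy really inserts


def sasi_status(raw: str, prefix: str = SPAM_PREFIX) -> dict:
    """Extract the firewall's anti-spam verdict headers from one raw message."""
    msg = email.message_from_string(raw)
    # Header names are case-insensitive; normalise so lookups are stable.
    sasi = {name.lower(): value.strip() for name, value in msg.items()
            if name.lower().startswith("x-sasi-")}
    rcode = sasi.get("x-sasi-rcode", "").lower() or None
    # "X-SASI-RCODE: none" with no other X-SASI-* header is the signature of
    # a message that was never scored (the case quoted in the thread).
    scanned = any(k != "x-sasi-rcode" for k in sasi) or rcode not in (None, "none")
    subject = msg.get("Subject", "")
    auth = (msg.get("Authentication-Results") or "").lower()
    return {
        "scanned": scanned,
        "ibs": (msg.get("X-Sophos-IBS") or "").strip().lower() or None,
        "rcode": rcode,
        "subject_tagged": subject.startswith(prefix),  # usable by a leading-match rule
        "prefix_in_subject": prefix in subject,        # tag present, but not at the start
        "dkim_pass": "dkim=pass" in auth,              # to correlate with the DKIM question
        "sasi_headers": sasi,
    }


def triage(raw: str, prefix: str = SPAM_PREFIX) -> str:
    """Classify into one of three buckets a mail rule or a report can act on."""
    s = sasi_status(raw, prefix)
    if s["prefix_in_subject"]:
        return "tagged"
    if s["scanned"]:
        return "scanned-clean"
    return "unscanned"


def scan_mailbox(raw_messages, prefix: str = SPAM_PREFIX) -> Counter:
    """Count buckets over many messages, e.g. a folder exported as .eml files."""
    return Counter(triage(raw, prefix) for raw in raw_messages)


# --- constructed samples ---------------------------------------------------
UNSCANNED = """\
From: billing@example.org
To: me@example.net
Subject: Your invoice
Authentication-Results: mx.example.net; dkim=pass header.d=example.org
X-Sophos-IBS: fail
X-SASI-RCODE: none
X-Sophos-Firewall: smtpd v1.0

Please find your invoice attached.
"""

TAGGED_MID_SUBJECT = """\
From: promo@example.com
To: me@example.net
Subject: Re: your order [SPAM] act now
X-SASI-RCODE: none
X-SASI-Hits: 8.5
X-Sophos-Firewall: smtpd v1.0

Limited offer.
"""

SCANNED_CLEAN = """\
From: friend@example.org
To: me@example.net
Subject: Lunch tomorrow?
X-SASI-RCODE: none
X-SASI-Hits: 0.3
X-Sophos-Firewall: smtpd v1.0

See you at noon.
"""

if __name__ == "__main__":
    for name, raw in [("UNSCANNED", UNSCANNED),
                      ("TAGGED_MID_SUBJECT", TAGGED_MID_SUBJECT),
                      ("SCANNED_CLEAN", SCANNED_CLEAN)]:
        print(f"{name:20s} -> {triage(raw)}  {sasi_status(raw)}")
    print(scan_mailbox([UNSCANNED, TAGGED_MID_SUBJECT, SCANNED_CLEAN]))
```

Run it over a folder of saved .eml files (read each file and pass the list to `scan_mailbox`) after an update: a jump in the `unscanned` bucket is the "only X-SASI-RCODE: none" symptom described above, and `prefix_in_subject` being true while `subject_tagged` is false is the mid-subject tag that a leading-match mail rule misses. The `dkim_pass` field only records what the upstream `Authentication-Results` header says, so it lets you check whether the unscanned messages are the DKIM-signed ones, not whether DKIM causes the bypass.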