Sophos UTM: Decommissioning of obsolete URL categorization services CFFS. Click here for important info.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion
  • Hi,

    I still have a problem with a large amount of spam that is not filtered by SOPHOS Anti-Spam.
    I have to manually add domains to the blacklist.

  • 18.5 MR3 and 19.0 onwards replace the anti-spam engine with SASI, which is used in Sophos UTM since last year and also in Sophos Mail.

    The detection rate was significantly lower with the changeover on the UTM so the XG dev team learned nothing from that experience :-(

    If you want a better detection rate, revert to 18.5 MR2, move your mail filtering somewhere else, or engage with Sophos Support to get the detection rate improved. Those suggestions are listed in order of time to resolution.

    There's probably a case here for Sophos providing a discounted and pro-rated amount for a Sophos Mail subscription to cover the remainder of the Mail Protection subscription if they're not interested in replacing/improving a substandard anti-spam implementation with one that performs well (i.e. the one they ripped out).

  • SASI was in the Email Appliance for decades. So it is actually not a new technology. Instead it was used by most of the enterprise customers out there. Also SASI was used in Pure Message for Unix. You even find references to back in 2005 to SASI.

    I would recommend to check your general settings of Spam Protection as well. SPF, DKIM etc. 

    There is an issue with UTM/SFOS and old hardware as well:

    In general Central Email has more tools compared to UTM/SFOS. It works on a different level especially because of the architecture. As Sophos Labs is in control of the MX records, it can immediately detect spam waves and prevent this. Because you only have 3 different MX records for all customers, you see a broader scale of data compared to a decentralized spam solution like a firewall. Then there are smart banner etc. Other features to prevent spam of occurring in the first place. 


  • Irrespective of SASI's heritage, its implementation in both UTM and SFOS has been underwhelming.

    How did any QA team sign off on replacing an antispam engine with high detection rates with an engine that had two significant operational errors (evidenced by NC-90702 and NC-93678)?

    Sophos Labs would have billions of ham and spam messages that could have been fed through both engines with appropriate metrics taken and then only swapping the antispam engine once the replacement offered the same or better detection rate.

    As for Spam Protection settings they're the same between 18.5 MR2 and 18.5 MR4/18.5 MR3 with patch.

    Finally, Central Email *should* have a ton of extra capability that you get from a cloud-scale implementation and workload. Given that Mail Protection is now a subscription add-on, perhaps consideration should be given to offloading antispam processing in a similar fashion to Zero-Day Protection? Why have all these cloud-scale implementation and capabilities with no ability for edge devices to make use of it?

  • Why doing Email on a Firewall in the first place? A Firewall is not a Email Proxy. 

    You can see, what the Labs are capable of doing :

    This kind of technology should not be run on a decentralized solution. Asking for Intelix all the time will take time. That is not useful. 


Reply Children
  • Hello,

    I find your answer incredible.
    you criticize us for using technology provided by Sophos (Antispam Engine).
    This worked for years.
    Suddenly, Sophos decides to change the way it works, and you ask us why we use this feature?
    It's obvious. Because Sophos allows you to do it, and it costs less than the complete decentralized solution
  • Performing email on a firewall is logical because the firewall is first line of defence for an internal server. The edge device as promoted over many years.

    moving mail to the cloud is not logical because you still have to provide a secure connection to the cloud server which exposes you to attacks.


    XG115W - v19.5.3 mr-3 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • That is not the case Ian. The approach in IT Security is to minimize the attack surface. 

    Nevertheless where your Email Solution is (Inhouse or hosted), to open the Email Solution to everybody is violating this approach. The better approach is to have something, which is secure, looking for your content and then approach you with a filtered message. 

    The question is: Are you able to monitore and react to any attacks going on to your firewall or not? What are you doing, if somebody is trying to exploit your email solution? 

    The other problem is: Is your Email service (internal server) secure? Is the product itself secure? Looking at solutions like Exchange, you can read about the several exploits out there and what damage they can cause. 

    Looking at hosted solutions, this approach is getting outdated. 

    About this point: - What about the future and what about the current attack surface going on? You see everywhere customers getting exploited and attacked, because they use tech which is outdated and outdated approaches. Customers are moving to hosted Email solutions, because they do not want to deal with this stress anymore and other reasons. 

    Nevertheless, this is to far off topic for this thread anyway. That is just my opinion. 


  • Um, because it's a feature set of the firewall and there's a subscription option for it?

    Also stop with the up-sell of Central Email. Yes, of course it's far more capable than what's available in an edge device - as it should be.

    The point here is that SASI was put into SFOS without any real effort made to ensure the protection offering matched the existing antispam engine. It was put in without even ensuring the engine actually worked. It's just another example of negligible QA processes in place for release engineering,

     If it's a deliberate case of deprecating antispam capability in SFOS (unlikely; incompetence nearly always trumps malice) then an effort should be made for existing subscription holders to transition to Central Email at a discounted rate.

    Your comment about offloading Intelix decisions all the time is odd. E-mail isn't interactive, so any delays incurred by waiting for a cloud response aren't going to make a huge difference, unlike Zero-Day Protection kicking in and making people wait for the download to start, or interfering with scripted downloads that are expecting the actual file rather than a Sophos intermediate page.

  • What?!?! Is this guy a Sophos employee? Asking customers why they are using features advertised as core functionality of a device?

    `Yeah, of course that doesn't work, you aren't supposed to actually *use* that feature, duh!`

  • That is not my point. I am a Security Advisor. You can get the bare minimum security feature or the best grade security product. If you want to talk about MTR and how to deal with security threats in the future, we can discuss this in more detail. 

    The future of attacks is here and now. SFOS and UTM does not have the tools to protect you against such advanced attacks.