Release Notes: https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_185_rn.html
Old V18.5 MR3 Thread: https://community.sophos.com/sophos-xg-firewall/f/discussions/133547/sophos-firewall-v18-5-mr3-feedback-and-experiences
I still have a problem with a large amount of spam that is not filtered by SOPHOS Anti-Spam. I have to manually add domains to the blacklist.
18.5 MR3 and 19.0 onwards replace the anti-spam engine with SASI, which is used in Sophos UTM since last year and also in Sophos Mail.
The detection rate was significantly lower with the changeover on the UTM so the XG dev team learned nothing from that experience :-(
If you want a better detection rate, revert to 18.5 MR2, move your mail filtering somewhere else, or engage with Sophos Support to get the detection rate improved. Those suggestions are listed in order of time to resolution.
There's probably a case here for Sophos providing a discounted and pro-rated amount for a Sophos Mail subscription to cover the remainder of the Mail Protection subscription if they're not interested in replacing/improving a substandard anti-spam implementation with one that performs well (i.e. the one they ripped out).
SASI was in the Email Appliance for decades. So it is actually not a new technology. Instead it was used by most of the enterprise customers out there. Also SASI was used in PureMessage for Unix. You even find references back in 2005 to SASI.
I would recommend checking your general settings of Spam Protection as well: SPF, DKIM etc.
There is an issue with UTM/SFOS and old hardware as well: https://support.sophos.com/support/s/article/KB-000042345?language=en_US
In general Central Email has more tools compared to UTM/SFOS. It works on a different level, especially because of the architecture. As Sophos Labs is in control of the MX records, it can immediately detect spam waves and prevent this. Because you only have 3 different MX records for all customers, you see a broader scale of data compared to a decentralized spam solution like a firewall. Then there are smart banners etc., and other features to prevent spam from occurring in the first place.
Irrespective of SASI's heritage, its implementation in both UTM and SFOS has been underwhelming.
How did any QA team sign off on replacing an antispam engine with high detection rates with an engine that had two significant operational errors (evidenced by NC-90702 and NC-93678)?
Sophos Labs would have billions of ham and spam messages that could have been fed through both engines with appropriate metrics taken and then only swapping the antispam engine once the replacement offered the same or better detection rate.
As for Spam Protection settings they're the same between 18.5 MR2 and 18.5 MR4/18.5 MR3 with patch.
Finally, Central Email *should* have a ton of extra capability that you get from a cloud-scale implementation and workload. Given that Mail Protection is now a subscription add-on, perhaps consideration should be given to offloading antispam processing in a similar fashion to Zero-Day Protection? Why have all these cloud-scale implementations and capabilities with no ability for edge devices to make use of them?
Why do Email on a Firewall in the first place? A Firewall is not an Email Proxy.
You can see what the Labs are capable of doing: https://ai.sophos.com/demos/sophos-ai-catbert-phishing-detection-model-demo/
This kind of technology should not be run on a decentralized solution. Asking for Intelix all the time will take time. That is not useful.
I find your answer incredible.
You criticize us for using technology provided by Sophos (Antispam Engine).
This worked for years.
Suddenly, Sophos decides to change the way it works, and you ask us why we use this feature?
It's obvious. Because Sophos allows you to do it, and it costs less than the complete decentralized solution.
Performing email on a firewall is logical because the firewall is first line of defence for an internal server. The edge device as promoted over many years.
Moving mail to the cloud is not logical because you still have to provide a secure connection to the cloud server, which exposes you to attacks.
XG115W - v19.5 GA - Home
If a post solves your question please use the 'Verify Answer' button.
That is not the case Ian. The approach in IT Security is to minimize the attack surface.
Nevertheless, wherever your Email Solution is (in-house or hosted), opening the Email Solution to everybody violates this approach. The better approach is to have something which is secure looking at your content and then approaching you with a filtered message.
The question is: Are you able to monitor and react to any attacks going on against your firewall or not? What are you doing if somebody is trying to exploit your email solution?
The other problem is: Is your Email service (internal server) secure? Is the product itself secure? Looking at solutions like Exchange, you can read about the several exploits out there and what damage they can cause.
Looking at hosted solutions, this approach is getting outdated.
About this point: Sebastien HENRY - What about the future and what about the current attack surface going on? You see everywhere customers getting exploited and attacked, because they use tech which is outdated and outdated approaches. Customers are moving to hosted Email solutions, because they do not want to deal with this stress anymore and other reasons.
Nevertheless, this is too far off topic for this thread anyway. That is just my opinion.