Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Poor Spamfilter v20MR2

Hi everybody,

we have installed a Sophos v20 MR2. However, we had to realize that the spam filtering is very poor compared to the UTM. The Sophos is acting as an MX and works in MTA mode. Spam protection is active as a policy and basically has all options active -> Greylisting, BATV, SPF, RBL (Premium and Standard) and Callout. Nevertheless, a lot of spam is being delivered, which was not the case before. Has anyone been able to determine this yet or does something else need to be configured? 



Edited TAGs
[edited by: Raphael Alganes at 11:15 AM (GMT -7) on 9 Oct 2024]
Parents
  • I can confirm that spam filter on XG is not ok for few years... If remember correctly it became bad after upgrade to 18.5 MR3. I’m sure that spam detection didn't work ok anymore when Sophos change SPAM engine to SASI ... I had with Sophos team multiple opened tickets and none of them didn't solve issues completely. Their team add reported spam/phishing emails to block list and after few weeks we start receiving them again... Most spam which we receive and is not filtered have high score for example last one have X-SASI-SpamProbability: 41% which is for me pretty high and has been delivered...

    I’m recommend to support team multiple options which maybe will help us users decrease spam/phishing emails delivered to end user but nothing happen...

    Recommendations:

    1.) Is possible to integrate in XG some spam rules where we can create them. For example that if email contain some strings that it mark it as spam?

    2.) Also in XG need to be implemented better filter for blocked senders. For example we would like block  *@*.ru  ,  *@*.jp  and similar TLD's of senders which we don't want receive emails but GUI do not allow us to do this… Is possible to do this with modify some configuration file?

    3.) Is possible set threshold % what will be marked as probable spam and what spam? For example all emails with X-SASI-SpamProbability over 5% are marked as probable spam and all with X-SASI-SpamProbability more than 20% marked as spam… If not is possible yet can be in some near future added option to CLI that we can set probable spam and spam % threshold or change it manually in some conf file? Something like:
    set mta probablespam 5
    set mta spam 10

    This will mean that all emails with score more than 10% will be marked as SPAM and all emails from 5% to 10% will be marked as PROBABLE SPAM.

    This settings will help us customers fine tune sensitivity of detection… Most of hosting control panel(Like cPanel) have this settings for mailscanner for many years…

  • All points are right now supported in Central Email, which could be used by customers, if they want to migrate to Central. 

    __________________________________________________________________________________________________________________

Reply Children
  • We are not talking about Central Email(Which is not Free)!!! If Central Email work as you say why Sophos for XG users do not offer some scanning proxy in Central Email(To scan emails for spam/phishing)? For example they pay only one account... If we would like use Emails in cloud then I know for our company that we will chose "Microsoft 365" which cost same and we know that spam/phishing filter work very good...

    In XG we pay for "Email Protection" subscription which do not work. If this protection can't be provided then maybe is better than is removed and user do not rely on it...

  • SFOS uses SASI, as you stated. If SASI does not find the spam, we can look into this with a support case. But customization is not included in SFOS. Those features were implemented for Central Email.

    Central Email is like Email Protection a subscription , as a customer you can choose, which feature you need. 

    __________________________________________________________________________________________________________________

  • Add this case number to your collection.

    E: 07283388 

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • But your ID is talking about IMAP/POP Scanning, not MTA? I thing this is not related, as SMTP / MTA is different compared to IMAP/POP. Many techniques of SASI and MTA are not applicable for IMAP. 

    __________________________________________________________________________________________________________________

  • Thanks for your time and answers.

    We don't need features which I’m write if ordered "Spam Protection" in Firewall will work as must and if it will work as in most email servers which use mailscanner or similar spam scanner...

    Let's try be more technical to understand how SASI work different than simple mailscanner…

    When remote SMTP server connect to Firewall and try send email to internal email server, firewall check this email. Firewall check all “email security” options like RBL, Whitelisting, SPF, if recipient exits and other… Then it scan body by antivirus(Sophos AND Avira???) and if contain some markers which are usually used in spam/phishing email. Then it add  “X-SASI-SpamProbability” with some score to header.

    What threshold is set that email is spam or probable spam ? Because in my samples I also se some very high scored email(More than 40%) has been delivered to user and is some email have that high value I think it must be at least marked as “probable spam”…

  • Just to be sure, you are blocking Probable spam in your policy? Because that is an extra option in the policy. 

    __________________________________________________________________________________________________________________

  • I was using MTA for sometime with no benefit.

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Yes. Sophos team has multiple times(Everytime when we open ticket) check if settings are ok...

  • Basically SFOS is having a threshold score of 50 for probable spam. 

    Turning it down / making it adjustable would be a feature request for the future. You can open the feature request via Feedback loop in the product. 


    I can only encourage to look into Central Email as a cloud based email solution, which can do this today. 

    BTW: Central Email scans the email and sends it to your on premise email server. 

    You can also talk to Sophos Sales to get a midterm upgrade / credit of your current email subscription and move to CEMA. 

    __________________________________________________________________________________________________________________

  • I submitted some of the spam message to the Sohps laboratory and the spam came back with the same results as genuine mail message, probably spam with a reputation of 30. I am waiting on a detailed report from the Labs. So, it is not an imap issue.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.