Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Poor Spamfilter v20MR2

Hi everybody,

we have installed a Sophos v20 MR2. However, we had to realize that the spam filtering is very poor compared to the UTM. The Sophos is acting as an MX and works in MTA mode. Spam protection is active as a policy and basically has all options active -> Greylisting, BATV, SPF, RBL (Premium and Standard) and Callout. Nevertheless, a lot of spam is being delivered, which was not the case before. Has anyone been able to determine this yet or does something else need to be configured? 



Edited TAGs
[edited by: Raphael Alganes at 11:15 AM (GMT -7) on 9 Oct 2024]
Parents
  • I can confirm that spam filter on XG is not ok for few years... If remember correctly it became bad after upgrade to 18.5 MR3. I’m sure that spam detection didn't work ok anymore when Sophos change SPAM engine to SASI ... I had with Sophos team multiple opened tickets and none of them didn't solve issues completely. Their team add reported spam/phishing emails to block list and after few weeks we start receiving them again... Most spam which we receive and is not filtered have high score for example last one have X-SASI-SpamProbability: 41% which is for me pretty high and has been delivered...

    I’m recommend to support team multiple options which maybe will help us users decrease spam/phishing emails delivered to end user but nothing happen...

    Recommendations:

    1.) Is possible to integrate in XG some spam rules where we can create them. For example that if email contain some strings that it mark it as spam?

    2.) Also in XG need to be implemented better filter for blocked senders. For example we would like block  *@*.ru  ,  *@*.jp  and similar TLD's of senders which we don't want receive emails but GUI do not allow us to do this… Is possible to do this with modify some configuration file?

    3.) Is possible set threshold % what will be marked as probable spam and what spam? For example all emails with X-SASI-SpamProbability over 5% are marked as probable spam and all with X-SASI-SpamProbability more than 20% marked as spam… If not is possible yet can be in some near future added option to CLI that we can set probable spam and spam % threshold or change it manually in some conf file? Something like:
    set mta probablespam 5
    set mta spam 10

    This will mean that all emails with score more than 10% will be marked as SPAM and all emails from 5% to 10% will be marked as PROBABLE SPAM.

    This settings will help us customers fine tune sensitivity of detection… Most of hosting control panel(Like cPanel) have this settings for mailscanner for many years…

  • All points are right now supported in Central Email, which could be used by customers, if they want to migrate to Central. 

    __________________________________________________________________________________________________________________

  • SFOS uses SASI, as you stated. If SASI does not find the spam, we can look into this with a support case. But customization is not included in SFOS. Those features were implemented for Central Email.

    Central Email is like Email Protection a subscription , as a customer you can choose, which feature you need. 

    __________________________________________________________________________________________________________________

  • Add this case number to your collection.

    E: 07283388 

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • But your ID is talking about IMAP/POP Scanning, not MTA? I thing this is not related, as SMTP / MTA is different compared to IMAP/POP. Many techniques of SASI and MTA are not applicable for IMAP. 

    __________________________________________________________________________________________________________________

  • Thanks for your time and answers.

    We don't need features which I’m write if ordered "Spam Protection" in Firewall will work as must and if it will work as in most email servers which use mailscanner or similar spam scanner...

    Let's try be more technical to understand how SASI work different than simple mailscanner…

    When remote SMTP server connect to Firewall and try send email to internal email server, firewall check this email. Firewall check all “email security” options like RBL, Whitelisting, SPF, if recipient exits and other… Then it scan body by antivirus(Sophos AND Avira???) and if contain some markers which are usually used in spam/phishing email. Then it add  “X-SASI-SpamProbability” with some score to header.

    What threshold is set that email is spam or probable spam ? Because in my samples I also se some very high scored email(More than 40%) has been delivered to user and is some email have that high value I think it must be at least marked as “probable spam”…

  • Just to be sure, you are blocking Probable spam in your policy? Because that is an extra option in the policy. 

    __________________________________________________________________________________________________________________

  • I was using MTA for sometime with no benefit.

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Yes. Sophos team has multiple times(Everytime when we open ticket) check if settings are ok...

  • Basically SFOS is having a threshold score of 50 for probable spam. 

    Turning it down / making it adjustable would be a feature request for the future. You can open the feature request via Feedback loop in the product. 


    I can only encourage to look into Central Email as a cloud based email solution, which can do this today. 

    BTW: Central Email scans the email and sends it to your on premise email server. 

    You can also talk to Sophos Sales to get a midterm upgrade / credit of your current email subscription and move to CEMA. 

    __________________________________________________________________________________________________________________

  • I submitted some of the spam message to the Sohps laboratory and the spam came back with the same results as genuine mail message, probably spam with a reputation of 30. I am waiting on a detailed report from the Labs. So, it is not an imap issue.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • We are also not happy what Sophos did here with SFOS E-Mail Protection (especially compared to UTM). The answer here is always Central Email BUT there are a lot of customers that don´t want cloud things and Central E-Mail Protection also costs sometimes x10 compared to SFOS Email Protection or UTM E-Mail Protection...

    For me it´s clear that Sophos is not interested to do anything here for SFOS E-Mail Protection and just want to push their Central Email Protection - it´s clear an intentionally decission from Sophos and that's a pity. A few customers are already looking for an other hardware/gateway solution for E-Mail Spamfiltering...

    It should normally be no problem to correct things here in SFOS E-Mail Protection for Sophos and make this solution a really good solution (as it was on UTM)...But this is not what Sophos wants...

    The most horrible things on SFOS:

    Poor Spamfilter: Too much spam passing - we´re filtering with another AV-Solution after Sophos and there is a lot of real spam that we see after the Sophos filtering.

    Quarantine Digest:You may use an AD-group for the E-Mailusers but you have to select Quarantine Digest MANUALLY for every user and this only possible after the user did any authentication against the SFOS System...Also you have to do it for every new AD-User!

    No Quarantine for E-Mails with blocked MIME or Filetypes - blocked MIME or Filetypes will just be cutted off the E-Mail

    Sync from Mails/Quarantine Digest in a HA-Environment - just a completely crazy implementation

    (Missing S/MIME Encryption - it would be ok if this would be the only thing that is missing/not working here)

    regards

Reply
  • We are also not happy what Sophos did here with SFOS E-Mail Protection (especially compared to UTM). The answer here is always Central Email BUT there are a lot of customers that don´t want cloud things and Central E-Mail Protection also costs sometimes x10 compared to SFOS Email Protection or UTM E-Mail Protection...

    For me it´s clear that Sophos is not interested to do anything here for SFOS E-Mail Protection and just want to push their Central Email Protection - it´s clear an intentionally decission from Sophos and that's a pity. A few customers are already looking for an other hardware/gateway solution for E-Mail Spamfiltering...

    It should normally be no problem to correct things here in SFOS E-Mail Protection for Sophos and make this solution a really good solution (as it was on UTM)...But this is not what Sophos wants...

    The most horrible things on SFOS:

    Poor Spamfilter: Too much spam passing - we´re filtering with another AV-Solution after Sophos and there is a lot of real spam that we see after the Sophos filtering.

    Quarantine Digest:You may use an AD-group for the E-Mailusers but you have to select Quarantine Digest MANUALLY for every user and this only possible after the user did any authentication against the SFOS System...Also you have to do it for every new AD-User!

    No Quarantine for E-Mails with blocked MIME or Filetypes - blocked MIME or Filetypes will just be cutted off the E-Mail

    Sync from Mails/Quarantine Digest in a HA-Environment - just a completely crazy implementation

    (Missing S/MIME Encryption - it would be ok if this would be the only thing that is missing/not working here)

    regards

Children
No Data