Whitelisting Email Address Not Working

We have an email that comes every day with a designated from address of, say, test@testdomain.com. We've attempted to whitelist it so it does not end up in a user's quarantine, but it still does. The email is being sent from a mail service provider whose actual from address is always unique (i.e. 827m1887311901@server9.constantcontact.com), usually from a variety of shared IP addresses. Any suggestion on how we could whitelist this type of email for this user? I wouldn't want to get all their IPs because they probably send a fair amount of trash our way, but simply adding the original test@testdomain.com email as a whitelist entry doesn't work. Thanks!

  • Hi Michael and welcome to the UTM Community!

    Are these emails from Constant Contact or???

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • No, it technically looks like it's being sent by an Amazon SES service. Below are two examples of the actual sending service.

    54.240.48.182 - 01000179f57b4342-414f03ec-d0e5-4441-a97f-c42abda32f6c-000000@amazonses.com 

    54.240.11.127 - 01000179eb25cdf6-406b4846-0261-4c69-a327-f91d664758fd-000000@amazonses.com

  • Are you on 7.705-7, Michael?

    Please insert a picture of the Edit of how you're trying to whitelist.  Also, copy here the lines from the SMTP log relevant to an email being incorrectly quarantined.

    Cheers - Bob

  • That is the address the end user sees as it is sent from.

    We are on UTM firmware 9.705-7

  • I meant the text lines in the SMTP proxy log found at 'Logging & Reporting >> View Log Files', Michael.

    Ahhhh, the address in the From field is not necessarily the same as the Sender.

    Cheers - Bob

  • When querying that log for that Amazon SES IP on that day here is the record it produces:

    2021:06:10-06:38:54 sophos exim-in[6387]: 2021-06-10 06:38:54 SMTP connection from [54.240.11.16]:58517 (TCP/IP connection count = 1)
    2021:06:10-06:38:54 sophos exim-in[936]: 2021-06-10 06:38:54 H=a11-16.smtp-out.amazonses.com [54.240.11.16]:58517 Warning: mikedomain.gov profile excludes SANDBOX scan
    2021:06:10-06:38:54 sophos exim-in[936]: 2021-06-10 06:38:54 [54.240.11.16] F=<01000179f57b4342-414f03ec-d0e5-4441-a97f-c42abda32f6c-000000@amazonses.com> R=<mikec@mikedomain.gov> Verifying recipient address with callout
    2021:06:10-06:38:54 sophos exim-in[936]: 2021-06-10 06:38:54 1lrI5O-0000F6-2e Greylisting: 54.240.11.16 is a known retry host
    2021:06:10-06:38:54 sophos exim-in[936]: 2021-06-10 06:38:54 1lrI5O-0000F6-2e <= 01000179f57b4342-414f03ec-d0e5-4441-a97f-c42abda32f6c-000000@amazonses.com H=a11-16.smtp-out.amazonses.com [54.240.11.16]:58517 P=esmtps X=TLS1.2:ECDHE-RSA-AES128-SHA256:128 CV=no S=3098 DKIM=amazonses.com id=01000179f57b4342-414f03ec-d0e5-4441-a97f-c42abda32f6c-000000@email.amazonses.com
    2021:06:10-06:39:00 sophos smtpd[956]: SCANNER[956]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="54.240.11.16" from="01000179f57b4342-414f03ec-d0e5-4441-a97f-c42abda32f6c-000000@amazonses.com" to="mikec@mikedomain.gov" subject="Notification from the Massachusetts Department of Unemployment Assistance (DUA)" queueid="1lrI5U-0000FQ-GQ" size="1245" reason="as" extra=""
    2021:06:10-06:39:19 sophos exim-in[936]: 2021-06-10 06:39:19 SMTP connection from a11-16.smtp-out.amazonses.com [54.240.11.16]:58517 closed by QUIT

  • The sender is "01000179f57b4342-414f03ec-d0e5-4441-a97f-c42abda32f6c-000000@amazonses.com" instead of the defma.org address seen in the From field. I suspect these emails are getting caught by an "unintended feature" introduced in the 9.705-7 Up2Date, which was a rushed response to the 21 Nails threat. I don't think there's any way to whitelist such sender addresses except *.amazonses.com, and that doesn't seem wise to me.

    Cheers - Bob

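The distinction Bob points out (the proxy logs and matches the envelope sender, while the user only sees the header From) can be checked directly. The following is an added example, not code from the thread or from Sophos: it pulls the envelope sender, quarantine reason and DKIM signing domain out of log lines in the exim-in/smtpd format shown above, and simulates an allow list keyed on either address. All addresses, IPs and queue ids in it are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed log excerpt in the UTM exim-in/smtpd format seen in the thread
# (sender, IP, queue ids and recipient are made up for this example).
LOG = """\
2021:06:10-06:38:54 sophos exim-in[936]: 2021-06-10 06:38:54 1lrXXX-0000F6-2e <= 0100aaaa-bbbb-000000@amazonses.com H=a11-16.smtp-out.amazonses.com [192.0.2.10]:58517 P=esmtps S=3098 DKIM=amazonses.com id=0100aaaa-bbbb-000000@email.amazonses.com
2021:06:10-06:39:00 sophos smtpd[956]: SCANNER[956]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="192.0.2.10" from="0100aaaa-bbbb-000000@amazonses.com" to="user@example.gov" subject="Notification" queueid="1lrXXX-0000FQ-GQ" size="1245" reason="as" extra=""
"""

# Constructed copy of the delivered message: the visible From is the customer
# domain, while Return-Path carries the relay's per-message bounce address.
MESSAGE = """\
Return-Path: <0100aaaa-bbbb-000000@amazonses.com>
From: "Test Sender" <test@testdomain.com>
To: user@example.gov
Subject: Notification

hello
"""

QUARANTINE_RE = re.compile(r'name="email quarantined".*?from="([^"]*)".*?reason="([^"]*)"')
DKIM_RE = re.compile(r"\bDKIM=([\w.-]+)")


def quarantined_senders(log: str) -> list:
    """(envelope_from, reason) for every 'email quarantined' event in the log."""
    return [m.groups() for m in map(QUARANTINE_RE.search, log.splitlines()) if m]


def dkim_domains(log: str) -> set:
    """Signing domains the proxy recorded; here the relay signs, not the customer."""
    return set(DKIM_RE.findall(log))


def addresses(raw: str) -> dict:
    """Envelope sender (Return-Path) versus the header From a user sees."""
    msg = message_from_string(raw)
    return {"envelope": parseaddr(msg["Return-Path"])[1],
            "header_from": parseaddr(msg["From"])[1]}


def allowed(address: str, allow_list: set) -> bool:
    """Match an exact address or a whole-domain entry written as '@domain'."""
    entries = {a.lower() for a in allow_list}
    addr = address.lower()
    return addr in entries or "@" + addr.rsplit("@", 1)[-1] in entries


def would_pass(raw: str, allow_list: set, key: str) -> bool:
    """Simulate an allow list keyed on 'envelope' (as logged) or 'header_from'."""
    return allowed(addresses(raw)[key], allow_list)
```

The per-message amazonses.com envelope address never matches an entry for test@testdomain.com, and the only envelope-based entry that would is the whole relay domain, which is the trade-off Bob describes.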