
"550 Administrative prohibition" issues due to confirmed spam

Hi there,

today incoming messages from 2 customer domains have been rejected with "550 Administrative prohibition". #hostname #5.2.0 SMTP; 550 Administrative prohibition> #SMTP#. A couple of minutes later new messages are delivered successfully again. Sophos 'Mail Manager' marked them as confirmed spam.

Both sender addresses are NOT blacklisted, SPF records are set up correctly and Cyren marks them with 'No Risk'. How can I debug reason="as" extra="confirmed" and ctasd reports 'Confirmed'? Why does Sophos UTM block those messages? Firmware version: 9.510-5

Logfile excerpt:
2018:10:01-14:59:29 utm exim-in[5956]: 2018-10-01 14:59:29 SMTP connection from [SERVERIP]:37133 (TCP/IP connection count = 1)
2018:10:01-14:59:29 utm exim-in[21173]: 2018-10-01 14:59:29 [SERVERIP] F=<client@domain.com> R=<user@ourdomain.com> Verifying recipient address with callout
2018:10:01-14:59:34 utm exim-in[21173]: 2018-10-01 14:59:34 1g6xnN-0005VV-2y ctasd reports 'Confirmed'
2018:10:01-14:59:34 utm exim-in[21173]: 2018-10-01 14:59:34 1g6xnN-0005VV-2y id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="SERVERIP" from="client@domain.com" to="user@ourdomain.com" subject="WG: XXXX H\303\266" queueid="1g6xnN-0005VV-2y" size="19171841" reason="as" extra="confirmed"



  • UTM uses Cyren as a spam database. 

    https://community.sophos.com/kb/en-us/115670

    Please report a false positive with samples. 

    EDIT by BAlfson 2018-11-16: https://community.sophos.com/kb/en-us/115670 has now been corrected.


  • This is a problem.  Cyren is not keeping up their side of the bargain.  They appear to be milking the CommTouch tool without adapting it to new exploits and capabilities.

    I recommend changing from "Blackhole" to "Quarantine" for 'Confirmed spam action'.  This will require that folks log into their User Portal or that the UTM mail admin log into Mail Manager to delete the real spams and 'Release and report as false positive' for those falsely identified as "Confirmed."  This doesn't need to be a permanent change as it's easy to whitelist a domain for anti-spam and to report false positives.

    I had to open a case with Support to get some of these taken care of.

    I now have another case open for dozens of 'is-spam' reports made without a change in false-negative behavior.  Apparently, labs.sophos.com has anti-spam/virus that strips many of the reported is-spams, so they never get taken care of.

    I'll PM MBP the case #s.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for your reply. Since both messages have already been blocked I don't have access to the full mail header. I have added the domain names to the exception list, though. However exceptions should be a temporary solution, only.

    BAlfson. I see. Thanks, I will give it a try. We pretty much 'Release and report as false positive' regularly. Sometimes a couple of hours later those messages (e.g. from wetransfer, eBay private messages... ) are being quarantined for another email address. It looks like reported false positives are delayed to Sophos labs? Is there any way to report spam or false positives to Cyren directly?

  • This week I got the same error for one customer. I managed to find the cause, not a permanent solution.

     

    We send out an E-mail with our corporate website in the signature, abc.com.

    The customer replied, but their anti phishing software from the customer modified our signature in the reply into:

    <a href="http://antiphishing.customer.fr/1/YXZlcmR1eW5AcHJvbGFpZGlzLmZyfFZSQzA1ODk0OA%3D%3D/www.abc.com/"

     

    This is being recognized by my UTM 9 as: Rejected: Spam (confirmed)

     

    As long as the customer deletes the antiphishing link in the reply, e-mail traffic is back to normal.

  • What Support and I learned is that Sophos does not forward is-spam@labs.Sophos.com reports from XG or UTM to CYREN as is-spam is just for their other mail products.  The case is still open and we're still waiting on Sophos to come up with a solution.

    Since this case was opened, I've submitted 70+ spams to the guy in support and he has, in turn, submitted them to CYREN.  I can see that most similar ones are now being blocked.  I'll submit five more today from this week.

    Cheers - Bob

     
  • Today yet another 2 customer emails have been rejected with "550 Administrative prohibition". #hostname #5.2.0 SMTP. reason="as" extra="confirmed" and ctasd reports 'Confirmed'. Antispam settings for 'Confirmed spam' action are set to: 'Quarantine'. Why does utm still block emails which are marked as 'Confirmed spam'?

    a) Are there any known spam filter issues or bad database pattern?

    Here is what I have checked so far:
    - The sender address is NOT blacklisted,
    - SPF/DKIM Record is set up correctly
    - Cyren marks the sender ip address with 'No Risk'.
    - Meanwhile, I have added the domain to the exception policy.
    - The original sender email looks good. No special signature markup
    - The sender address has been able to send multiple emails in the past
    - I have submitted both messages to not-spam@sophos.com

    It's impossible to figure out what's going on. How can I debug reason="as"?

  • UTM: How to report false positive or false negative viruses and spam emails has now been corrected.

    Hallo eyos,

    Please show the lines from the SMTP log for emails incorrectly rejected.

    Cheers - Bob

     
  • I have attached two logfiles.

    2018:11:15-16:32:49 utm exim-in[27630]: 2018-11-15 16:32:49 [SERVERIP] F=<client@domain.com> R=<user@ourdomain.com> Verifying recipient address with callout
    2018:11:15-16:32:49 utm exim-in[27630]: 2018-11-15 16:32:49 1gNJdR-0007Be-18 DKIM: d=domain.com s=default_1809 c=relaxed/relaxed a=rsa-sha256 [verification succeeded]
    2018:11:15-16:32:49 utm exim-in[27630]: 2018-11-15 16:32:49 1gNJdR-0007Be-18 ctasd reports 'Confirmed' RefID:str=0001.0A0C0208.5BED91A1.0079,ss=1,re=0.000,recu=0.000,reip=0.000,pt=R_658252,cl=4,cld=1,fgs=0
    2018:11:15-16:32:49 utm exim-in[27630]: 2018-11-15 16:32:49 1gNJdR-0007Be-18 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="SERVERIP" from="client@domain.com" to="user@ourdomain.com" subject="ppt" queueid="1gNJdR-0007Be-18" size="5110" reason="as" extra="confirmed"
    2018:11:15-16:32:49 utm exim-in[27630]: [1\45] 2018-11-15 16:32:49 1gNJdR-0007Be-18 H=SERVER [SERVERIP]:58440 F=<client@domain.com> rejected after DATA

    ---

    2018:11:15-16:36:52 utm exim-in[28172]: 2018-11-15 16:36:52 [SERVERIP] F=<client@domain.com> R=<user@ourdomain.com> Verifying recipient address with callout
    2018:11:15-16:36:52 utm exim-in[28172]: 2018-11-15 16:36:52 1gNJhM-0007KO-1D DKIM: d=domain.com s=default_1809 c=relaxed/relaxed a=rsa-sha256 [verification succeeded]
    2018:11:15-16:36:52 utm exim-in[28172]: 2018-11-15 16:36:52 1gNJhM-0007KO-1D ctasd reports 'Confirmed' RefID:str=0001.0A0C020A.5BED9294.0070,ss=1,re=0.000,recu=0.000,reip=0.000,pt=R_658252,cl=4,cld=1,fgs=0
    2018:11:15-16:36:52 utm exim-in[28172]: 2018-11-15 16:36:52 1gNJhM-0007KO-1D id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="SERVERIP" from="client@domain.com" to="user@ourdomain.com" subject="ppt pr" queueid="1gNJhM-0007KO-1D" size="5058" reason="as" extra="confirmed"
    2018:11:15-16:36:52 utm exim-in[28172]: [1\45] 2018-11-15 16:36:52 1gNJhM-0007KO-1D H=SERVER [SERVERIP]:58500 F=<client@domain.com> rejected after DATA
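
One way to approach the "How can I debug reason="as"?" question from the log side is to correlate the SMTP log lines by Exim queue ID and list which RefID fields are identical across every anti-spam rejection, which is the detail worth attaching to a false-positive report. This is an added example, not part of any post in the thread; the sample lines are copied from the excerpt above, and the RefID fields are treated as opaque because their meaning is not given on this page.

```python
import re
from collections import defaultdict

# Constructed sample: DKIM, ctasd and id="1003" lines from the two rejections above.
SAMPLE_LOG = """\
2018:11:15-16:32:49 utm exim-in[27630]: 2018-11-15 16:32:49 1gNJdR-0007Be-18 DKIM: d=domain.com s=default_1809 c=relaxed/relaxed a=rsa-sha256 [verification succeeded]
2018:11:15-16:32:49 utm exim-in[27630]: 2018-11-15 16:32:49 1gNJdR-0007Be-18 ctasd reports 'Confirmed' RefID:str=0001.0A0C0208.5BED91A1.0079,ss=1,re=0.000,recu=0.000,reip=0.000,pt=R_658252,cl=4,cld=1,fgs=0
2018:11:15-16:32:49 utm exim-in[27630]: 2018-11-15 16:32:49 1gNJdR-0007Be-18 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="SERVERIP" from="client@domain.com" to="user@ourdomain.com" subject="ppt" queueid="1gNJdR-0007Be-18" size="5110" reason="as" extra="confirmed"
2018:11:15-16:36:52 utm exim-in[28172]: 2018-11-15 16:36:52 1gNJhM-0007KO-1D ctasd reports 'Confirmed' RefID:str=0001.0A0C020A.5BED9294.0070,ss=1,re=0.000,recu=0.000,reip=0.000,pt=R_658252,cl=4,cld=1,fgs=0
2018:11:15-16:36:52 utm exim-in[28172]: 2018-11-15 16:36:52 1gNJhM-0007KO-1D id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="SERVERIP" from="client@domain.com" to="user@ourdomain.com" subject="ppt pr" queueid="1gNJhM-0007KO-1D" size="5058" reason="as" extra="confirmed"
"""

QID = re.compile(r"\b[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}\b")  # Exim queue ID
CTASD = re.compile(r"ctasd reports '([^']+)'(?: RefID:(\S+))?")
DKIM = re.compile(r"DKIM: .*\[([^\]]+)\]")
KV = re.compile(r'(\w+)="([^"]*)"')

def correlate(log_text):
    """Group log lines by queue ID into one record per message."""
    msgs = defaultdict(dict)
    for line in log_text.splitlines():
        qid = QID.search(line)
        if not qid:
            continue  # connection-level lines carry no queue ID
        rec = msgs[qid.group(0)]
        if (m := CTASD.search(line)):
            rec["verdict"] = m.group(1)
            # RefID is kept as opaque key=value pairs (meanings are not on this page).
            rec["refid"] = dict(f.split("=", 1) for f in (m.group(2) or "").split(",") if "=" in f)
        if (m := DKIM.search(line)):
            rec["dkim"] = m.group(1)
        if 'name="email rejected"' in line:
            rec.update(KV.findall(line))  # from, to, subject, size, reason, extra, ...
    return dict(msgs)

def shared_refid_fields(msgs):
    """RefID fields with identical values in every reason="as" rejection."""
    refids = [r["refid"] for r in msgs.values() if r.get("reason") == "as" and r.get("refid")]
    if not refids:
        return {}
    common = set(refids[0].items())
    for refid in refids[1:]:
        common &= set(refid.items())
    return dict(common)

if __name__ == "__main__":
    messages = correlate(SAMPLE_LOG)
    for qid, rec in messages.items():
        print(qid, rec.get("verdict"), rec.get("dkim"), rec.get("from"), rec.get("subject"))
    print("shared RefID fields:", sorted(shared_refid_fields(messages).items()))
```

On the two posted rejections every RefID field except `str` carries the same value, so both messages received the same classification result even though the first one passed DKIM verification.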

  • How about a picture of your 'Antispam' tab that includes the 'Spam Detection During SMTP Transaction' and 'Spam Filter' sections...

    Cheers - Bob

     
  • Thank you for your reply.