Outgoing Mail with subject "Obtaining Your Experian Report" being blocked since 10-29-2018

I manage a Sophos UTM-9 for a "fix-your-credit" company which sends a lot of email to customers about their credit reports. This Sophos has been up for more than two years. Since 10-29-2018 I noted that all outbound email with subject line "Obtaining Your Experian Report" is quarantined as Spam. This is not a NEW subject line and has been used for a long time. Example ...

2018:10:31-14:18:05 REDACTED smtpd[13057]: SCANNER[13057]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="REDACTED" from="REDACTED-Internal-User" to="REDACTED-External-User" subject="Obtaining Your Experian Report" queueid="1gHv49-0003Ob-5S" size="37610" reason="as" extra=""

I have read through many threads in this forum and can see this is really a function of the SCANNER in the cloud and that reason="as" simply means Anti-Spam (thanks). Since I have made absolutely no changes to the Sophos in some time and since I have never had this issue until recently, I am curious what exactly is causing this. From previous posts on this subject it seems that it may be difficult to know exactly what triggered this as it is not an internal algorithm within the Sophos itself.

Anyone experienced something similar in the last week or so? It is Halloween so maybe a ghost in the machine. :D
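To spot a cluster like the one above before customers notice, the quarantine events can be pulled out of the smtpd log and grouped by subject. The following is an added example, not code from the thread or from Sophos; the log lines, hostnames, addresses and queue ids are constructed in the format of the line quoted above, and only reason="as" (anti-spam) is taken from the post.

```python
import re
from collections import Counter

# Constructed sample lines in the Sophos UTM smtpd SCANNER log format shown in the post.
# Hosts, addresses, queue ids and the non-quarantine event name are made up.
SAMPLE_LOG = """\
2018:10:31-14:18:05 utm1 smtpd[13057]: SCANNER[13057]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="10.0.0.5" from="agent1@example.com" to="cust1@example.net" subject="Obtaining Your Experian Report" queueid="1gHv49-0003Ob-5S" size="37610" reason="as" extra=""
2018:10:31-14:19:11 utm1 smtpd[13060]: SCANNER[13060]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="10.0.0.5" from="agent2@example.com" to="cust2@example.net" subject="Obtaining Your Experian Report" queueid="1gHv5D-0003Oc-1Q" size="37588" reason="as" extra=""
2018:10:31-14:20:40 utm1 smtpd[13062]: SCANNER[13062]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="198.51.100.9" from="promo@bulk.example.org" to="cust3@example.net" subject="Cheap watches" queueid="1gHv6k-0003Od-9Z" size="9120" reason="as" extra=""
2018:10:31-14:21:02 utm1 smtpd[13065]: SCANNER[13065]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="10.0.0.5" from="agent1@example.com" to="cust4@example.net" subject="Your appointment" queueid="1gHv73-0003Oe-2A" size="4120"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')  # key="value" pairs, value may be empty


def parse_line(line):
    """Split one SCANNER line into its key="value" fields; None for other lines."""
    if "SCANNER[" not in line:
        return None
    rec = dict(KV_RE.findall(line))
    rec["timestamp"] = line.split(" ", 1)[0]
    return rec


def spam_quarantines(log_text, reason="as"):
    """Yield parsed 'email quarantined' records with the given reason code."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec.get("name") == "email quarantined" and rec.get("reason") == reason:
            yield rec


def quarantined_by_subject(log_text):
    """Count anti-spam quarantines per subject line."""
    return Counter(rec.get("subject", "") for rec in spam_quarantines(log_text))


def likely_false_positives(log_text, internal_domain, min_count=2):
    """Subjects quarantined as spam at least min_count times from the internal
    domain: a burst of one template from the company's own relay is the symptom
    described in the post, and these are the messages to pull for review."""
    counts = Counter(rec.get("subject", "") for rec in spam_quarantines(log_text)
                     if rec.get("from", "").lower().endswith("@" + internal_domain.lower()))
    return sorted(s for s, n in counts.items() if n >= min_count)


if __name__ == "__main__":
    for subject, n in quarantined_by_subject(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {subject}")
    print("review:", likely_false_positives(SAMPLE_LOG, "example.com"))
```

On a live box the same functions can be fed the downloaded SMTP proxy log for the day the quarantines started, which is also the file a support ticket asks for.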



  • Quick fix for the time being -

    I added <company.domain> to the SMTP exception list so that mail will no longer be checked for Spam. There is some risk involved with that as an infected machine (or an unruly employee) could send Spam on behalf of <company.domain> but we still scan for malware to help reduce this risk.

    I also set up Anti-spam to only block Confirmed spam, as it appears that the ctasd engine on the Sophos is flagging these emails as Bulk email. I found no way to look up the code that ctasd generates in the logs at https://www.cyren.com/. My guess is that the company sends out so many of these standard formatted emails that folks may have flagged it as Spam enough that Cyren now has that signature. Only guessing, but strange that they sent these same emails for years without issue.

  • That Exception's a good, quick solution, Kip, but I would have selected to quarantine regular spam.  You could create an 'Antispam checking' Exception for the single Sender address used for mailing campaigns.

    The other problem is that recipients' anti-spam might be blocking/blackholing their Experian messages.  You might be able to get your client's messages considered non-spam by Cyren.  Here's a copy of the relevant portion of KB article 115670:

    1. Log into the Webadmin and navigate to Email Protection > Mail Manager.
    2. Click Open Mail Manager in New Window.
    3. Check 3 of the false positive emails in the SMTP Quarantine and select Download in the drop-down menu.
    4. Compress the samples into a password protected ZIP file.
    5. Switch back to the Webadmin and navigate to Logging & Reporting > View Log Files > Today's Log Files or Archived Log Files depending on the time of the occurrence.
      Note: We do need the log file showing the arrival of the submitted email samples.
    6. Select the SMTP proxy and Download as archive.
    7. Open a support ticket through myUTM.
    8. Attach the samples and the SMTP logs. Don't forget to add the following information to your message:
      For spam:
      What Mail-Server is being used?
    9. Submit your ticket.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
    Thanks again @BAlfson. I did create the Exception, but it's not a single sender. It's every agent in the company sending the same email template, but that should be covered by *@<company.domain>. I noticed that some real Spam was still getting quarantined and marked simply as Spam and not Confirmed Spam, so maybe changing that setting was not really all-inclusive, so I will change it back as it appears my anti-spam exception is what really fixed it (or allowed it for now).

    Thanks for the KB article. I may pursue that but this Sophos is at a company that was just bought out and the new owners will probably replace my equipment with theirs and then it will be their problem. They like Palo Alto so the Sophos will likely be removed within the next few months (hope they give it back to me :-).

    I did verify that their MX is not blackholed so hoping the recipients are not having issues. This customer had very stringent requirements to keep all communications behind the firewall so they use Zimbra in-house and Zimbra just relays through the Sophos SMTP Proxy. All that is changing due to the buyout and they will likely all be Exchange Cloud soon.