
Many good emails rejected

Hello,

For a few days now we have had a problem with emails that are directly rejected as spam with no further reason. The senders of the emails are known business partners and we communicate with them often.

We made no changes on the UTM recently, but the number of falsely rejected mails is just too high to put them manually on a whitelist or ask our partners every time to send them again.

What is going on with the spam filter definitions?



This thread was automatically locked due to age.
  • Hi Revan,

    can you post something from your smtp live log?

    We should look for the "reason="; I suspect it will read "reason=as"?

    Please obfuscate the log so no emails / IPs are visible when you copy and paste :-)

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician

  • 2020:10:29-14:11:26 vutm exim-in[21112]: 2020-10-29 14:11:26 SMTP connection from [xxx (TCP/IP connection count = 1)
    2020:10:29-14:11:26 vutm exim-in[3280]: 2020-10-29 14:11:26 H=xxx xxx Warning: xxx profile excludes greylisting: Skipping greylisting for this message
    2020:10:29-14:11:26 vutm exim-in[3280]: 2020-10-29 14:11:26 H=xxx Warning: xxx profile excludes SANDBOX scan
    2020:10:29-14:11:26 vutm exim-in[3280]: 2020-10-29 14:11:26 [xxx] F=<xxx> R=<xxx> Verifying recipient address with callout
    2020:10:29-14:11:26 vutm exim-in[3280]: 2020-10-29 14:11:26 1kY7iA-0000qu-1v DKIM: d=sxxx s=sxxx c=relaxed/relaxed a=rsa-sha256 [verification succeeded]
    2020:10:29-14:11:26 vutm exim-in[3280]: 2020-10-29 14:11:26 1kY7iA-0000qu-1v ctasd reports 'Bulk' RefID:str=0001.0A682F22.5F9AA345.0010,ss=3,sh,re=0.000,recu=0.000,reip=0.000,cl=3,cld=1,fgs=0
    2020:10:29-14:11:26 vutm exim-in[3280]: 2020-10-29 14:11:26 1kY7iA-0000qu-1v id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="xxx" from="xxx" to="xxx" subject="xxx" queueid="1kY7iA-0000qu-1v" size="14651" reason="as" extra=""
    2020:10:29-14:11:26 vutm exim-in[3280]: [1\34] 2020-10-29 14:11:26 1kY7iA-0000qu-1v H=xxx [xxx F=<xxx> rejected after DATA
    2020:10:29-14:11:26 vutm exim-in[3280]: [2\34] Envelope-from: <xxx>
    2020:10:29-14:11:26 vutm exim-in[3280]: [3\34] Envelope-to: <xxx>
    2020:10:29-14:11:26 vutm exim-in[3280]: [4\34] P Received: from xxx)
    2020:10:29-14:11:26 vutm exim-in[3280]: [5\34] 	by xxx with esmtps (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256)
    2020:10:29-14:11:26 vutm exim-in[3280]: [6\34] 	(Exim 4.82_1-5b7a7c0-XX)
    2020:10:29-14:11:26 vutm exim-in[3280]: [7\34] 	(envelope-from <xxx>)
    2020:10:29-14:11:26 vutm exim-in[3280]: [8\34] 	id 1kY7iA-0000qu-1v
    2020:10:29-14:11:26 vutm exim-in[3280]: [9\34] 	for xxx; Thu, 29 Oct 2020 14:11:26 +0100
    2020:10:29-14:11:26 vutm exim-in[3280]: [10\34] P Received: from pps.filterd (xxx)
    2020:10:29-14:11:26 vutm exim-in[3280]: [11\34] 	by xxx (8.16.0.42/8.16.0.42) with SMTP id 09TD3jHT014259
    2020:10:29-14:11:26 vutm exim-in[3280]: [12\34] 	for <xxx>; Thu, 29 Oct 2020 14:11:26 +0100
    2020:10:29-14:11:26 vutm exim-in[3280]: [13\34]   X-CTCH-RefID: str=0001.0A682F22.5F9AA345.0010,ss=3,sh,re=0.000,recu=0.000,reip=0.000,cl=3,cld=1,fgs=0
    2020:10:29-14:11:26 vutm exim-in[3280]: [14\34]   DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=xxx; h=date : from :
    2020:10:29-14:11:26 vutm exim-in[3280]: [15\34]  subject : to : message-id : mime-version : content-type; s=xxx;
    2020:10:29-14:11:26 vutm exim-in[3280]: [16\34]  bh=kjLzUU85+/lX/nOPiWzP/dU1cvSvV9ALp+c+sOofFvI=;
    2020:10:29-14:11:26 vutm exim-in[3280]: [17\34]  b=Hh8icHj6VbsekuhmpPTBCH+my7SI+2jRt0XQCL/tZzxLSl6rqPlN3Ofr36gxdUBMOFOy
    2020:10:29-14:11:26 vutm exim-in[3280]: [18\34]  VTwOzVubMklgEkgcVWc87OPwnN2NTV5bzySc973RGxciM0gQA3hHSLNVM4Jo8zHxhAay
    2020:10:29-14:11:26 vutm exim-in[3280]: [19\34]  FmF9aY6ihH6k2Us3kfgiuOds1OqtG5bcEUmWwLmGegeDvFr6+Nyk1Fl3eqaZ7U+fMYVg
    2020:10:29-14:11:26 vutm exim-in[3280]: [20\34]  1aFex36ml+sdqbmYxtVQakpjmXoCAPtQiKmWp+mAKq+HyeXM8OPOv72BBfB/zKAvbeXe
    2020:10:29-14:11:26 vutm exim-in[3280]: [21\34]  BmP3AkEjdCnw+PzZd+VTy1bZBx8XADnLTa67lYju6Shr5XOOVoNU9fh3fKRhT0G2eZUp cQ== 
    2020:10:29-14:11:26 vutm exim-in[3280]: [22\34]   X-PGP-Universal: processed;
    2020:10:29-14:11:26 vutm exim-in[3280]: [23\34] 	by BRUDEPGP2.de.eu.sew on Thu, 29 Oct 2020 14:11:26 +0100
    2020:10:29-14:11:26 vutm exim-in[3280]: [24\34]   Date: Thu, 29 Oct 2020 14:09:49 +0100
    2020:10:29-14:11:26 vutm exim-in[3280]: [25\34] F From: xxxe>
    2020:10:29-14:11:26 vutm exim-in[3280]: [26\34]   Subject: xxx
    2020:10:29-14:11:26 vutm exim-in[3280]: [27\34] T To: <xxx>
    2020:10:29-14:11:26 vutm exim-in[3280]: [28\34] I Message-ID: <xxx>
    2020:10:29-14:11:26 vutm exim-in[3280]: [29\34]   MIME-Version: 1.0
    2020:10:29-14:11:26 vutm exim-in[3280]: [30\34]   Importance: Normal
    2020:10:29-14:11:26 vutm exim-in[3280]: [31\34]   X-Priority: 3 (Normal)
    2020:10:29-14:11:26 vutm exim-in[3280]: [32\34]   X-Mailer: SAP NetWeaver 750
    2020:10:29-14:11:26 vutm exim-in[3280]: [33\34]   X-OLX-Disclaimer: DEBRUMSX14.DE.EU.SEW
    2020:10:29-14:11:26 vutm exim-in[3280]: [34/34]   Content-Type: multipart/mixed; boundary="=_1866DA8754A21EDB86BD066CA3D9C0CC"
    2020:10:29-14:11:26 vutm exim-in[3280]: 2020-10-29 14:11:26 1kY7iA-0000qu-1v SMTP connection from xxx closed by DROP in ACL

  • Thanks for this :-)

    "ctasd reports 'Bulk'" means that the third-party antispam solution that Sophos uses, formerly called Commtouch, now Cyren, has flagged these mails as "Bulk" mails. I have seen this often, and I have tried calling Cyren many times with no luck, so what you can do is this, if the mails are legit:

    - Create exception for domain to skip Antispam alone, not all the other antispam features :-)

    - Contact Cyren to ask them to delist; first look up here: https://www.cyren.com/security-center#spam

    Normally this stops after a day or two, if more domains sending legit emails are blocked.

    -----

    Best regards
    Martin

    Sophos XGS 2100 @ Home | Sophos v20 Technician
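
Added example, not part of the original posts: a small Python triage script that correlates the SMTP log lines shown above by exim queue id, so each `reason="as"` reject is listed with its `ctasd` verdict and DKIM result. The sample log is constructed with placeholder hosts and addresses, and the rule "only suggest an exception for domains whose rejects were all 'Bulk' with a verified DKIM signature" is an assumed policy, not something Sophos or the posters prescribe.

```python
import re
from collections import defaultdict

# Constructed sample in the log format shown above; hosts and addresses are placeholders.
SAMPLE_LOG = """\
2020:10:29-14:11:26 vutm exim-in[3280]: 2020-10-29 14:11:26 1kY7iA-0000qu-1v DKIM: d=partner.example s=sel1 c=relaxed/relaxed a=rsa-sha256 [verification succeeded]
2020:10:29-14:11:26 vutm exim-in[3280]: 2020-10-29 14:11:26 1kY7iA-0000qu-1v ctasd reports 'Bulk' RefID:str=0001.EXAMPLE,ss=3
2020:10:29-14:11:26 vutm exim-in[3280]: 2020-10-29 14:11:26 1kY7iA-0000qu-1v id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="192.0.2.10" from="billing@partner.example" to="ap@corp.example" subject="Invoice" queueid="1kY7iA-0000qu-1v" size="14651" reason="as" extra=""
2020:10:29-14:12:02 vutm exim-in[3291]: 2020-10-29 14:12:02 1kY7iB-0000r1-2a ctasd reports 'Confirmed' RefID:str=0001.EXAMPLE,ss=1
2020:10:29-14:12:02 vutm exim-in[3291]: 2020-10-29 14:12:02 1kY7iB-0000r1-2a id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="198.51.100.7" from="promo@bulk.example" to="ap@corp.example" subject="Offer" queueid="1kY7iB-0000r1-2a" size="900" reason="as" extra=""
2020:10:29-14:13:40 vutm exim-in[3302]: 2020-10-29 14:13:40 1kY7iC-0000r9-3b ctasd reports 'Bulk' RefID:str=0001.EXAMPLE,ss=3
2020:10:29-14:13:40 vutm exim-in[3302]: 2020-10-29 14:13:40 1kY7iC-0000r9-3b id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="203.0.113.5" from="news@nodkim.example" to="ap@corp.example" subject="News" queueid="1kY7iC-0000r9-3b" size="2100" reason="as" extra=""
"""

QID = r"(?P<qid>\w{6}-\w{6}-\w{2})"  # exim queue id, e.g. 1kY7iA-0000qu-1v
CTASD = re.compile(QID + r" ctasd reports '(?P<verdict>[^']+)'")
DKIM_OK = re.compile(QID + r" DKIM: .*\[verification succeeded\]")
REJECT = re.compile(QID + r' id="1003".*?name="email rejected".*?from="(?P<sender>[^"]*)"'
                          r'.*reason="(?P<reason>[^"]*)"')


def antispam_rejects(log_text):
    """Correlate lines by queue id; return one record per reason="as" reject."""
    msgs = defaultdict(lambda: {"verdict": None, "dkim_ok": False})
    for line in log_text.splitlines():
        if m := CTASD.search(line):
            msgs[m["qid"]]["verdict"] = m["verdict"]
        elif m := DKIM_OK.search(line):
            msgs[m["qid"]]["dkim_ok"] = True
        elif m := REJECT.search(line):
            msgs[m["qid"]].update(sender=m["sender"], reason=m["reason"])
    return [dict(qid=q, **v) for q, v in msgs.items() if v.get("reason") == "as"]


def exception_candidates(records):
    """Assumed policy: domains whose rejects were all 'Bulk' and DKIM-verified."""
    by_domain = defaultdict(list)
    for r in records:
        by_domain[r["sender"].rpartition("@")[2].lower()].append(r)
    return sorted(d for d, rs in by_domain.items()
                  if all(r["verdict"] == "Bulk" and r["dkim_ok"] for r in rs))


if __name__ == "__main__":
    recs = antispam_rejects(SAMPLE_LOG)
    for r in recs:
        print(r)
    print("exception candidates:", exception_candidates(recs))
```

Run against an obfuscated log the `from=` values will all read `xxx`, so the per-domain grouping is only meaningful on the unredacted log on the UTM itself.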
