BATV exception not working

Hi Everyone!

We use UTM as our SMTP proxy. One of my colleagues does not receive mails because they get instantly rejected because of BATV. But those mails aren't SPAM or something, they're legitimate. My feeling is that those get the BATV flag because they are actually sent to a mailing list from outside of our organization (which my colleague is subscribed to) and that is creating the problem.

Now I just wanted to create a BATV exception, but this does not work, the exception is ignored. For the exception I set my colleague as receiver, but since the mail is sent to a mailing list this does not work (I think?). But even if I put the mailing list as receiver or sender this does not work.

The only thing working so far is to put the sending server on the exception. But since the mail is sent by Microsoft (Outlook online) there are dozens of servers who might send the mail, so that is not a solution.

How can I set the BATV exception without disabling it altogether? And why is the UTM ignoring it when I put my colleague as the receiver?

Here's the SMTP proxy log and some screenshots.

Thanks!

[Screenshots: BATV (two images), exception config]

2021:06:02-03:56:12 *****fw01-1 exim-in[12468]: 2021-06-02 03:56:12 SMTP connection from [40.107.101.41]:26592 (TCP/IP connection count = 1)
2021:06:02-03:56:13 *****fw01-1 exim-in[23667]: 2021-06-02 03:56:13 H=mail-mw2nam08on2041.outbound.protection.outlook.com (NAM04-MW2-obe.outbound.protection.outlook.com) [40.107.101.41]:26592 Warning: ****.net profile excludes greylisting: Skipping greylisting for this message
2021:06:02-03:56:13 *****fw01-1 exim-in[23667]: 2021-06-02 03:56:13 H=mail-mw2nam08on2041.outbound.protection.outlook.com (NAM04-MW2-obe.outbound.protection.outlook.com) [40.107.101.41]:26592 Warning: ****.net profile excludes SANDBOX scan
2021:06:02-03:56:13 *****fw01-1 exim-in[23667]: 2021-06-02 03:56:13 [40.107.101.41] F=<> R=<*.********@****.net> Verifying recipient address with callout
2021:06:02-03:56:13 *****fw01-1 exim-in[23667]: 2021-06-02 03:56:13 [40.107.101.41] F=<> R=<*.********@****.net> Accepted: is a bounce
2021:06:02-03:56:14 *****fw01-1 exim-in[23667]: 2021-06-02 03:56:14 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="40.107.101.41" from="" to="*.********@****.net, subject="" queueid="" size="145548" reason="batv" extra=""
2021:06:02-03:56:14 *****fw01-1 exim-in[23667]: 2021-06-02 03:56:14 H=mail-mw2nam08on2041.outbound.protection.outlook.com (NAM04-MW2-obe.outbound.protection.outlook.com) [40.107.101.41]:26592 X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no rejected DATA
2021:06:02-03:56:14 *****fw01-1 exim-in[23667]: 2021-06-02 03:56:14 SMTP connection from mail-mw2nam08on2041.outbound.protection.outlook.com (NAM04-MW2-obe.outbound.protection.outlook.com) [40.107.101.41]:26592 closed by DROP in ACL
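
The log excerpt above shows the pattern behind the rejection: an empty envelope sender (`F=<>`), "Accepted: is a bounce", then `reason="batv"` from the same `exim-in` process. As an added example that is not part of the original post, the script below correlates those lines per process ID to list which relays send null-sender mail to untagged recipients. The sample lines, hosts and addresses are constructed, and treating a local part that starts with `prvs=` as BATV-tagged is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines, modelled on the log format in the excerpt above.
SAMPLE_LOG = """\
2021:06:02-03:56:13 fw01 exim-in[23667]: 2021-06-02 03:56:13 [192.0.2.10] F=<> R=<user@example.net> Verifying recipient address with callout
2021:06:02-03:56:13 fw01 exim-in[23667]: 2021-06-02 03:56:13 [192.0.2.10] F=<> R=<user@example.net> Accepted: is a bounce
2021:06:02-03:56:14 fw01 exim-in[23667]: 2021-06-02 03:56:14 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="192.0.2.10" from="" to="user@example.net" subject="" queueid="" size="145548" reason="batv" extra=""
2021:06:02-04:10:02 fw01 exim-in[23700]: 2021-06-02 04:10:02 [192.0.2.20] F=<list@example.org> R=<user@example.net> Verifying recipient address with callout
2021:06:02-04:12:40 fw01 exim-in[23710]: 2021-06-02 04:12:40 [192.0.2.30] F=<> R=<prvs=0123456789=user@example.net> Accepted: is a bounce
2021:06:02-04:20:05 fw01 exim-in[23720]: 2021-06-02 04:20:05 [192.0.2.10] F=<> R=<other@example.net> Accepted: is a bounce
2021:06:02-04:20:06 fw01 exim-in[23720]: 2021-06-02 04:20:06 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="192.0.2.10" from="" to="other@example.net" subject="" queueid="" size="9120" reason="batv" extra=""
"""

PID_RE = re.compile(r"exim-in\[(\d+)\]:")
ENVELOPE_RE = re.compile(r"F=<([^>]*)> R=<([^>]*)>")
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def is_batv_tagged(recipient):
    """Assumption: a BATV-signed address carries a 'prvs=' prefix in its local part."""
    return recipient.split("@", 1)[0].lower().startswith("prvs=")


def batv_rejections(log_text):
    """Return one record per 'email rejected' line with reason="batv".

    The envelope is taken from the preceding F=<...> R=<...> line of the same
    exim-in process rather than from the from=/to= fields of the rejection line.
    """
    last_envelope = {}  # PID -> (envelope sender, envelope recipient)
    findings = []
    for line in log_text.splitlines():
        pid_match = PID_RE.search(line)
        if not pid_match:
            continue
        pid = pid_match.group(1)

        envelope = ENVELOPE_RE.search(line)
        if envelope:
            last_envelope[pid] = envelope.groups()
            continue

        fields = dict(KV_RE.findall(line))
        if fields.get("name") != "email rejected" or fields.get("reason") != "batv":
            continue

        # Fall back to the from= field if no envelope line was seen for this PID.
        sender, recipient = last_envelope.get(pid, (fields.get("from", ""), ""))
        findings.append({
            "pid": pid,
            "srcip": fields.get("srcip", ""),
            "recipient": recipient,
            "sender_null": sender == "",
            "recipient_tagged": is_batv_tagged(recipient),
        })
    return findings


def relays_sending_untagged_bounces(findings):
    """Count, per source IP, rejections where F=<> met an untagged recipient."""
    return Counter(
        f["srcip"] for f in findings
        if f["sender_null"] and not f["recipient_tagged"]
    )


if __name__ == "__main__":
    for finding in batv_rejections(SAMPLE_LOG):
        print(finding)
    print(dict(relays_sending_untagged_bounces(batv_rejections(SAMPLE_LOG))))
```
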

  • Maybe think of turning off that feature. I never managed to get BATV working without problems. Out of office reply is one thing that conflicts with that.

    Best regards 

    Alex 


  • Hallo Markus,

    Can you show us the headers from the "legitimate" mail received at 2021-06-02 13:50?  Are the problem emails from a single mailing list to which your colleague subscribes?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Alexander,

    I'm afraid deactivating BATV completely is not an option. Since I added a bunch of servers to the exception list we receive a lot of "Hotmail" spam...

    [Screenshot: spam]

    (by the way, out of office replies seem to work without problems)

  • Hello Bob,

    here are the headers. I tried to censor all sensitive/private information. I hope this works for you nevertheless:

    Received: from AM9PR10MB5021.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:206::46) by
     AM7PR10MB3285.EURPRD10.PROD.OUTLOOK.COM with HTTPS via
     AM5PR0601CA0081.EURPRD06.PROD.OUTLOOK.COM; Wed, 2 Jun 2021 11:50:02 +0000
    Received: from AS8PR04CA0016.eurprd04.prod.outlook.com (2603:10a6:20b:310::21)
     by AM9PR10MB5021.EURPRD10.PROD.OUTLOOK.COM (2603:10a6:20b:41f::11) with
     Microsoft SMTP Server (version=TLS1_2,
     cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4173.21; Wed, 2 Jun
     2021 11:50:01 +0000
    Received: from HE1EUR02FT044.eop-EUR02.prod.protection.outlook.com
     (2603:10a6:20b:310:cafe::fe) by AS8PR04CA0016.outlook.office365.com
     (2603:10a6:20b:310::21) with Microsoft SMTP Server (version=TLS1_2,
     cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4195.20 via Frontend
     Transport; Wed, 2 Jun 2021 11:50:01 +0000
    Authentication-Results: spf=none (sender IP is ***.***.***.*)
     smtp.helo=mail.****.***; ********.mail.onmicrosoft.com; dkim=pass (signature
     was verified)
     header.d=mstechdiscussions.onmicrosoft.com;********.mail.onmicrosoft.com;
     dmarc=fail action=none header.from=hotmail.com;
    Received-SPF: None (protection.outlook.com: mail.****.*** does not designate
     permitted sender hosts)
    Received: from mail.****.*** (***.***.***.*) by
     HE1EUR02FT044.mail.protection.outlook.com (10.152.11.75) with Microsoft SMTP
     Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id
     15.20.4195.18 via Frontend Transport; Wed, 2 Jun 2021 11:50:00 +0000
    Received: from *UTM*.****.*** (***.***.***.*) by *SMTPSERVER*.****.***
     (***.***.***.**) with Microsoft SMTP Server (TLS) id 15.0.1497.2; Wed, 2 Jun
     2021 13:50:00 +0200
    Received: from mail-dm6nam12on2066.outbound.protection.outlook.com ([40.107.243.66]:52577 helo=NAM12-DM6-obe.outbound.protection.outlook.com)
    	by *UTM*.****.*** with esmtps  (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    	(Exim 4.94.2)
    	id 1loPNl-0006BO-0F
    	for *.********@****.***; Wed, 02 Jun 2021 13:49:57 +0200
    X-SASI-Hits: AUTH_RES_PASS 0.000000, BODYTEXTH_SIZE_10000_LESS 0.000000,
    	BODYTEXTH_SIZE_3000_MORE 0.000000, BODYTEXTP_SIZE_3000_LESS 0.000000,
    	BODY_SIZE_6000_6999 0.000000, BODY_SIZE_7000_LESS 0.000000,
    	DKIM_ALIGNS 0.000000, DKIM_SIGNATURE 0.000000,
    	HREF_LABEL_TEXT_NO_URI 0.000000, HREF_LABEL_TEXT_ONLY 0.000000,
    	HTML_70_90 0.100000, IN_REP_TO 0.000000, KNOWN_MTA_TFX 0.000000,
    	LEGITIMATE_SIGNS 0.000000, MSG_THREAD 0.000000, REFERENCES 0.000000,
    	SUPERLONG_LINE 0.050000, SXL_IP_TFX_WM 0.000000, TEXT_DIRECTION 0.000000,
    	TEXT_DIR_LTR_ONLY 0.000000, URI_WITH_PATH_ONLY 0.000000,
    	WEBMAIL_SOURCE 0.000000, __ANY_URI 0.000000, __ARCAUTH_DKIM_NONE 0.000000,
    	__ARCAUTH_DKIM_PASSED 0.000000, __ARCAUTH_DMARC_NONE 0.000000,
    	__ARCAUTH_DMARC_PASSED 0.000000, __ARCAUTH_NONE 0.000000,
    	__ARCAUTH_PASSED 0.000000, __ARC_SEAL_MICROSOFT 0.000000,
    	__ARC_SIGNATURE_MICROSOFT 0.000000, __AUTH_RES_DKIM_PASS 0.000000,
    	__AUTH_RES_DMARC_PASS 0.000000, __AUTH_RES_PASS 0.000000,
    	__BODY_NO_MAILTO 0.000000, __BODY_TEXT_X4 0.000000,
    	__BOUNCE_CHALLENGE_SUBJ 0.000000, __BOUNCE_NDR_SUBJ_EXEMPT 0.000000,
    	__CP_URI_IN_BODY 0.000000, __CT 0.000000, __CTYPE_HAS_BOUNDARY 0.000000,
    	__CTYPE_MULTIPART 0.000000, __CTYPE_MULTIPART_ALT 0.000000,
    	__DKIM_ALIGNS_1 0.000000, __DKIM_ALIGNS_2 0.000000, __DQ_NEG_HEUR 0.000000,
    	__DQ_NEG_IP 0.000000, __FRAUD_CLAIM_MAILTO 0.000000, __FRAUD_COMMON 0.000000,
    	__FRAUD_WEBMAIL 0.000000, __FRAUD_WEBMAIL_FROM 0.000000,
    	__FROM_HOTMAIL 0.000000, __FUR_RDNS_OUTLOOK 0.000000, __HAS_FROM 0.000000,
    	__HAS_HTML 0.000000, __HAS_MSGID 0.000000, __HAS_REFERENCES 0.000000,
    	__HREF_LABEL_TEXT 0.000000, __HTML_AHREF_TAG 0.000000,
    	__HTML_ATTR_DIR 0.000000, __HTML_DIR_LTR 0.000000,
    	__HTML_HREF_TAG_X2 0.000000, __HTML_TAG_DIV 0.000000, __HTTPS_URI 0.000000,
    	__IN_REP_TO 0.000000, __MAIL_CHAIN 0.000000, __MIME_HTML 0.000000,
    	__MIME_TEXT_H 0.000000, __MIME_TEXT_H1 0.000000, __MIME_TEXT_H2 0.000000,
    	__MIME_TEXT_P 0.000000, __MIME_TEXT_P1 0.000000, __MIME_TEXT_P2 0.000000,
    	__MIME_VERSION 0.000000, __MULTIPLE_RCPTS_TO_X2 0.000000,
    	__MULTIPLE_URI_HTML 0.000000, __MULTIPLE_URI_TEXT 0.000000,
    	__RATWARE_SIGNATURE_3_N1 0.000000, __RCVD_PASS 0.000000,
    	__RDNS_WEBMAIL 0.000000, __REFERENCES 0.000000, __SANE_MSGID 0.000000,
    	__STOCK_PHRASE_7 0.000000, __SUBJ_ALPHA_END 0.000000,
    	__SUBJ_ALPHA_NEGATE 0.000000, __SUBJ_REPLY 0.000000,
    	__TAG_EXISTS_HTML 0.000000, __TEXT_DIR_LTR 0.000000,
    	__TO_MALFORMED_2 0.000000, __TO_NAME 0.000000,
    	__TO_NAME_DIFF_FROM_ACC 0.000000, __TO_REAL_NAMES 0.000000,
    	__URI_ENDS_IN_SLASH 0.000000, __URI_IN_BODY 0.000000,
    	__URI_IN_BODY_HTTP_X10 0.000000, __URI_MAILTO 0.000000,
    	__URI_NOT_IMG 0.000000, __URI_NO_WWW 0.000000, __URI_NS 0.000000,
    	__URI_WITH_PATH 0.000000
    X-SASI-Probability: 8%
    X-SASI-RCODE: 200
    X-SASI-Version: Antispam-Engine: 4.1.4, AntispamData: 2021.6.2.111815
    ARC-Seal: i=3; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=pass;
     b=hSdYT4iub9x8QrTbdojD9AiM/K26b04ZGIghK6jwViy5uW49GJ7G1uqQ/eiyNkKhfBv3gh4wKhvAq4q4NceJA8D2GSFJJBsUMTijYnqn2DmeAnavgJjF+uOpreIQ/nWdueVvhuQ5BXnduRSseB15nSh8/Cpu2gr5z/uhm1ESSsispWQULh+bubvyCG4LBohVAMB8fZIz7aqtgGk/4001yqS8NfHWjZvhvi3wdGAA3PIltQwK1X0K6Au0YLnoRLlX0utVStsVzMOPxNqf0pCTFsp42bgA5GuOT4EAITyLyjJS1EDpLkYSZ4c1Hm/KBhDvJ4SWDtUR77ApnIwRZQwvUg==
    ARC-Message-Signature: i=3; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
     s=arcselector9901;
     h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
     bh=gwfmLm87xvavisfoszo6BlTRy3Me9LnSFGqKiSsT83s=;
     b=Mu8fUFhQpZCKTDYGNI3Bk8C/qa2M6jpBFqB196MwhbIJf34Ip3wSQVOi6+RJPgOy81w92c93GBd9fG8ZE7IEZfslla/w4raOL3uB7XdgEAfYwW8/pMzBfdalK7qxbc6IZopRYdc1qO9mkUnPmXd95Gs8NoqQzrDkagQncFfAc0H3BJtqmGHZEZGLmXYta5W99rJhJHBhvbLTtXTt/4L3lIBd7Ydsn8mGrt/fPi06ZPaN1mWvriW1vtGA06oMYVW1oyo44BKKVfYj8LHJqXW2pv9s0ET5MRy4MM20PrDX6crh0j5obW5Vnq2W6/vWgwaxLdi7GJCerOtrtGVHj4eCkg==
    ARC-Authentication-Results: i=3; mx.microsoft.com 1; spf=pass (sender ip is
     40.92.70.92) smtp.rcpttodomain=mstechdiscussions.com
     smtp.mailfrom=hotmail.com; dmarc=pass (p=none sp=none pct=100) action=none
     header.from=hotmail.com; dkim=pass (signature was verified)
     header.d=hotmail.com; arc=pass (0 oda=0 ltdi=1)
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
     d=mstechdiscussions.onmicrosoft.com;
     s=selector2-mstechdiscussions-onmicrosoft-com;
     h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
     bh=gwfmLm87xvavisfoszo6BlTRy3Me9LnSFGqKiSsT83s=;
     b=0tSul3e1Qgyp6q9HU20d8wEe/YNg1MpnLLF8QtkfxdYBpJznN8roW0Y87OZOw5m1G8DGF/um2AxxxasCzl32tG2qs0teSckiQMEIYM080RiQj8QXSxTsvnpGdrjh7XefCJRYdepXcK9UuqbGs/Nwkse2nl6c7EyowXYLgvEnSQ8=
    Received: from SA1PR01MB6621.prod.exchangelabs.com (2603:10b6:806:1a7::21) by
     SN6PR01MB5200.prod.exchangelabs.com (2603:10b6:805:bc::10) with Microsoft
     SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
     15.20.4173.24; Wed, 2 Jun 2021 11:49:43 +0000
    ARC-Seal: i=2; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=pass;
     b=fPi9buEOb0xGeB8XYsoWZjlWOGQ/aR0Ak4YfEe0O2qRrfvzWPRJ9Pw5GnkQFx3yVuHH0WmTNDd4fOl+zwfWNzEnNFqGe1DP+XWCGzi99/wpKDGSo3vJ1ZOa11P3KCO7x8DYq352giByl8aBOvXJLyvsVqqMdMhcHKXv+KCdKRFvVub/X1PmUuRx6o10BAIPoYkJKSO9hVGIb7F8ircHF1daViMuOoE7+oHmw97668OBFW3qqw50btbCNQdFCMCuK8qQDWJf6vXXGRpF0WcxK7CRux87CkFdTk6Gj6945gPhO22a6c6fIFgHiy6/Xs9f2jLA4Mo+uN9wmafXQBF2tWw==
    ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
     s=arcselector9901;
     h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
     bh=gwfmLm87xvavisfoszo6BlTRy3Me9LnSFGqKiSsT83s=;
     b=HCbZQP+PJH1Sjfe33SQQonmeu25DcssbFimP/Vp65cS2cKwcUsLb76xq3dIjl07Wq6gOP8xKhVWh2p0DFiSm0DoFdUhOE6cFrdt5VO+1uDXUBosxyxfELImgeEyYODuABtPgcoJBt6MlKksULFLODunO/mz+BEoI7/IKF0GCa6p2Dtmz78LtAaMRBZQo6QruO9/gxGXqgdHfOGYwqC6rwGZ8bUmEw4kkWT47A2eW9oukF26BAuSHAPQRuabQ9hlGqXSKxe6Xdo3R0NTbFkEYDCJmJZrp3EZwurZARU9TDh4Aj5AKHwjwbnwZtj8g3+iDuqzo2nRLC/+jCgFm2sbSyw==
    ARC-Authentication-Results: i=2; mx.microsoft.com 1; spf=pass (sender ip is
     40.92.70.92) smtp.rcpttodomain=mstechdiscussions.com
     smtp.mailfrom=hotmail.com; dmarc=pass (p=none sp=none pct=100) action=none
     header.from=hotmail.com; dkim=pass (signature was verified)
     header.d=hotmail.com; arc=pass (0 oda=0 ltdi=1)
    Received: from DM5PR21CA0038.namprd21.prod.outlook.com (2603:10b6:3:ed::24) by
     SA1PR01MB6621.prod.exchangelabs.com (2603:10b6:806:1a7::21) with Microsoft
     SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
     15.20.4173.21; Wed, 2 Jun 2021 11:49:41 +0000
    Received: from DM3NAM02FT022.eop-nam02.prod.protection.outlook.com
     (2603:10b6:3:ed:cafe::5c) by DM5PR21CA0038.outlook.office365.com
     (2603:10b6:3:ed::24) with Microsoft SMTP Server (version=TLS1_2,
     cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4219.3 via Frontend
     Transport; Wed, 2 Jun 2021 11:49:41 +0000
    Authentication-Results-Original: spf=pass (sender IP is 40.92.70.92)
     smtp.mailfrom=hotmail.com; mstechdiscussions.com; dkim=pass (signature was
     verified) header.d=hotmail.com;mstechdiscussions.com; dmarc=pass action=none
     header.from=hotmail.com;
    Received-SPF: Pass (protection.outlook.com: domain of hotmail.com designates
     40.92.70.92 as permitted sender) receiver=protection.outlook.com;
     client-ip=40.92.70.92; helo=EUR03-AM5-obe.outbound.protection.outlook.com;
    Received: from EUR03-AM5-obe.outbound.protection.outlook.com (40.92.70.92) by
     DM3NAM02FT022.mail.protection.outlook.com (10.13.5.89) with Microsoft SMTP
     Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
     15.20.4195.18 via Frontend Transport; Wed, 2 Jun 2021 11:49:41 +0000
    ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none;
     b=DPzapfnPYGFFeNJi3SmUM8nxQiN299cXBZNJ/AdvgpEpCazf5/lVOy4C07MeWP1+Dzfifm1ZL93/ZOE/e2sr40k3eMHm39r8867DR10yr1+Hos6qF/UagBnjUhxlUCshrRvgbCZPZX+bbTRJ2J/BJsDkJ1OfaqJsSpwzdSpLIDeMOkwMnZ8w4jy5v+RHrsy41//G5bJ/+DEUK2uI0LGDr3y8p9A6WL9F1DZZEPo2MYAOotoNvUjwjfGmYGdPIxE6PFtO/jliE7VQho6iMSmaWAyWoJyc/YcHFChVkh31K1lIPIdOicbvKptU94zaD7yqE+jKNrGd5yTwtYp2B41ozQ==
    ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com;
     s=arcselector9901;
     h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
     bh=gwfmLm87xvavisfoszo6BlTRy3Me9LnSFGqKiSsT83s=;
     b=XwooZrl++W5/vsl8cAUe+71Gj1N8gdJuR7UbGn+R2KcjVVKfZ4x3OMoJFYhNYRgKf2KnOd5xnfmC0TPxNsIX6B9LmbWdTBGpCBP9shZ8kzMwPo/ubE5UPl55eLNfO+Ju0KQaHCcvs4nfsNqBQqWVx7tL6AFfDup5/16Td6R4W/VZOBiO6guAagJNOwMVEuWqqhyGcn1OYNHwUXg7OWZNC4zTX6w+vuTIDDPKq6CLtaqIZslf617li511HCVc8qKbUi5DQXHZ6YnPCfSTupb9E6N4WtpN1poObXq7XnzXane8YDsz9QcQt7LcmS+S5amSP7jqtTT39GVEnIzdfTNmow==
    ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none;
     dkim=none; arc=none
    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com;
     s=selector1;
     h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck;
     bh=gwfmLm87xvavisfoszo6BlTRy3Me9LnSFGqKiSsT83s=;
     b=i6fhgJxWJqfLT5CbIp8w80vTqw4D8buuhJdUcMqwwiZQUbib998Whg7IsubQYmaH0HU393NlE+cyMtEu1QlcHm2qpTEr6XlD1qNak+eQW/V6OabJdwzdAjC8EV9m3+s7NbDvRPMhrZd39lRMVkBfAKLUCy4Noc3pC23c/64BlxMt6wR+8RIUuhYFBhCGTrcMxveizCoJBI+WWhdA6Fgm+DG0S5nnZRwEE7sQS+ugH0z45Sd5moHLVJ9723i0gO4Trb9E/MspbBJNrDqlWQFZl5EzXPPJzkO+Ap/Zi6mZWHCnSJbbni3lJ/ZyX+RQvhLNQax7LLIXQlLLQXgRP258LQ==
    Received: from AM5EUR03FT023.eop-EUR03.prod.protection.outlook.com
     (2a01:111:e400:7e08::4b) by
     AM5EUR03HT148.eop-EUR03.prod.protection.outlook.com (2a01:111:e400:7e08::415)
     with Microsoft SMTP Server (version=TLS1_2,
     cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4150.30; Wed, 2 Jun
     2021 11:49:39 +0000
    Received: from VI1PR10MB2127.EURPRD10.PROD.OUTLOOK.COM
     (2a01:111:e400:7e08::49) by AM5EUR03FT023.mail.protection.outlook.com
     (2a01:111:e400:7e08::169) with Microsoft SMTP Server (version=TLS1_2,
     cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.4150.30 via Frontend
     Transport; Wed, 2 Jun 2021 11:49:39 +0000
    Received: from VI1PR10MB2127.EURPRD10.PROD.OUTLOOK.COM
     ([fe80::a123:14bd:1420:3ad3]) by VI1PR10MB2127.EURPRD10.PROD.OUTLOOK.COM
     ([fe80::a123:14bd:1420:3ad3%7]) with mapi id 15.20.4173.030; Wed, 2 Jun 2021
     11:49:39 +0000
    From: **************
    To: **************
    Subject: **************
    Thread-Topic: **************
    Thread-Index: **************
    Date: Wed, 2 Jun 2021 11:49:39 +0000
    Message-ID: <*******************************@VI1PR10MB2127.EURPRD10.PROD.OUTLOOK.COM>
    References: <*******************************@mail.gmail.com>
    In-Reply-To: <*******************************@mail.gmail.com>
    Accept-Language: en-GB, en-US
    Content-Language: en-GB
    X-MS-Has-Attach:
    X-MS-TNEF-Correlator:
    x-incomingtopheadermarker: OriginalChecksum:32DBE48684200F15B09862B3BCB63AF68AAAD7C26A9D6FC7158B6FEAAAC86BDD;UpperCasedChecksum:963B3D8B616483A9207F4865118907B5F4CC2E92B37B8562EDBF5F0413E71BD0;SizeAsReceived:6980;Count:44
    x-ms-exchange-messagesentrepresentingtype: 1
    x-tmn: [4qWSjbXinIkl/tUcclXO/SuGZL2Nu6Lq]
    x-ms-publictraffictype: Email
    x-incomingheadercount: 44
    x-eopattributedmessage: 2
    X-MS-Office365-Filtering-Correlation-Id: e754ca65-e430-434b-2b5b-08d925bc8dba
    x-ms-traffictypediagnostic:
     AM5EUR03HT148:|SA1PR01MB6621:|SN6PR01MB5200:|AM9PR10MB5021:
    X-Microsoft-Antispam-Untrusted: BCL:0;
    X-Microsoft-Antispam-Message-Info-Original: /hL8dflPd2gkz7iwU8UMB1Fz8IAkmfMBoUSCqxTlEBvDfn4/xgT0+jZArwRyfF0Qdvnr1nH5lY8BqvkFTWiOdKjlH3ackrvoOw2seNvK0+dds5NAn/gHtqLPbDTdobb8WEbV60Z/bC+H2AbM4qrEt8+JFNbdaHabgK2JbgNlW2cLw2Cmsa8FsALzNA2gksCRolyZnSL/bNmuM9JuMSYgllQqCU7EVo16BO0AQZOwXMZZUW3wAQSBCnC6YDw/1cJk7n7H78pP30u3kJV1h+5eODXUmXrrjOsI1izE2EYptfi5t1ZYmuKTDb45jRpF+LrjHwqM2o5QZnFfzqn5I4Rq0Sy95n3norgvvyH9WOvAMvtm720rj+K7vHJoVK4VZXyaGYaaFzqRCj/7SJNafltx/5DJwY1xObqStlKxkIE++bQHCjNE9eX3UKsxh1v1a7L0p6iUgtk7CoFP083X2Fi9ow==
    x-ms-exchange-antispam-messagedata: VteW1UZN6D2bRS/mOnnVDCvdzReAUS7dZHYFj6CoDhJ0yqkUqGfR4crDb2lK5YLBC09yftT2GesV0IC2W+9k8wjNAFVC702lNHwIJh5eNqzGAl3JlEUg+oKwrNUSQIfqWEcEDez+gMA6/YxsIUVQAQ==
    x-ms-exchange-transport-forked: True
    Content-Type: multipart/alternative;
    	boundary="_000_VI1PR10MB212741A1056FDCE39DD12CF4DE3D9VI1PR10MB2127EURP_"
    MIME-Version: 1.0
    X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM5EUR03HT148
    Return-Path: <>
    X-MS-Exchange-Transport-CrossTenantHeadersStripped: DM3NAM02FT022.eop-nam02.prod.protection.outlook.com
    X-MS-Exchange-Transport-CrossTenantHeadersPromoted: DM3NAM02FT022.eop-nam02.prod.protection.outlook.com
    X-MS-Office365-Filtering-Correlation-Id-Prvs: 64c13e16-e286-4050-8284-08d925bc80a2
    X-LD-Processed: 7d2ff1b9-931e-4cd3-b18e-f439fecd6bb9,ExtAddr,ExtAddr
    X-Microsoft-Antispam-PRVS: <SN6PR01MB5200A5FA76FB32A6483896BDDE3D9@SN6PR01MB5200.prod.exchangelabs.com>
    X-MS-Oob-TLC-OOBClassifiers: OLM:3276;OLM:3276;
    X-MS-Exchange-SenderADCheck: 0
    X-Microsoft-Antispam-Untrusted: BCL:0;
    X-Microsoft-Antispam-Message-Info-Original:
     f4YPEzstTjaRU/ucY0/HiY3b4RfiV4rQHAA7f640vG2pl1gp94+xlP/4tx+uVW+UJE7fkZ+hNiYgoevaI5xFmnqvLZfPXCjpdHubivqLbFTLNSYMRkXUggQM9dsteb1fvP1Io0bR7ooSBwMyxYXeC3LqbtWiUGQZF1hV3Vg0Irft6ijytAN+wz4LWrcBw9rMmGrD9ZM6RYDT9/dqf/FIRbmuUHPAVF5WnNrJu/S4MRw+1ta2H+9/GjYPdMJ/fQUqgH0VgCW1XPxKv+6BbsTajon6TyKXFDqeItxwZg+IiwWWLfnSXyNOcluHoCeONj/DKpjrY6flcwsMDE7nOauVsnTXZc9MkUim72RVsoicp3S4ulJts1lbLNn3kSARXd7mJnVACiawujd9TcX4D2IJlTOwnJB5cHS90u95b6RV8Ov0STO3qL72gKXMXzPqC93rN0JY7khPElBN1r0ssJo6a66hDBevAhhHNe4JM+wKRYwk4KqxGXQx9Y3fqkVSuSMMYaeab/+f46T31yylHWLlkm/a40G+7DpzVcRm7NLVX1iIopGRxtlhAg2naU+yeWX6wYf7jsgdt88oGJLHnptdPH76UlGRj7llk8HDyI2gUFXwMDPn1vxnYBOutvjH0ARCBMiBwgxJbQ7Utkk5xM7w3JD3PvwwYjwtuoRLHAtM1vL4965W8OhF9ZWko79te17udNV0i6ndKmgphU0ZqITXQpQGlRV3n+TBw8OyBGy50GA=
    X-Forefront-Antispam-Report-Untrusted:
     CIP:40.92.70.92;CTRY:NL;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:EUR03-AM5-obe.outbound.protection.outlook.com;PTR:mail-oln040092070092.outbound.protection.outlook.com;CAT:NONE;SFS:(39860400002)(396003)(376002)(136003)(346002)(2906002)(9686003)(166002)(68406010)(82202003)(3480700007)(336012)(70586007)(498600001)(26005)(52536014)(966005)(8676002)(7336002)(53546011)(6506007)(5660300002)(7416002)(2160300002)(86362001)(7366002)(7276002)(7406005)(33656002)(316002)(110136005)(786003)(7636003)(88732003)(76576003)(45080400002)(7696005)(55016002)(57042006);DIR:OUT;SFP:1101;
    X-ExternalRecipientOutboundConnectors: 7d2ff1b9-931e-4cd3-b18e-f439fecd6bb9
    X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
    X-MS-Exchange-Transport-CrossTenantHeadersStamped: SN6PR01MB5200
    X-OrganizationHeadersPreserved: *SMTPSERVER*.****.***
    X-MS-Exchange-Organization-ExpirationStartTime: 02 Jun 2021 11:50:01.1503
     (UTC)
    X-MS-Exchange-Organization-ExpirationStartTimeReason: OriginalSubmit
    X-MS-Exchange-Organization-ExpirationInterval: 1:00:00:00.0000000
    X-MS-Exchange-Organization-ExpirationIntervalReason: OriginalSubmit
    X-MS-Exchange-Organization-Network-Message-Id:
     e754ca65-e430-434b-2b5b-08d925bc8dba
    X-MS-Exchange-Organization-MessageDirectionality: Originating
    X-CrossPremisesHeadersPromoted:
     HE1EUR02FT044.eop-EUR02.prod.protection.outlook.com
    X-CrossPremisesHeadersFiltered:
     HE1EUR02FT044.eop-EUR02.prod.protection.outlook.com
    X-MS-Exchange-Transport-CrossTenantHeadersStripped:
     HE1EUR02FT044.eop-EUR02.prod.protection.outlook.com
    X-MS-Exchange-Organization-AuthSource: *SMTPSERVER*.****.***
    X-MS-Exchange-Organization-AuthAs: Anonymous
    X-OriginatorOrg: ****.***
    X-MS-Office365-Filtering-Correlation-Id-Prvs:
     70acd7a9-66f4-44fe-1008-08d925bc81e6
    X-MS-Exchange-Organization-SCL: 1
    X-Microsoft-Antispam: BCL:0;
    X-Forefront-Antispam-Report:
     CIP:***.***.***.*;CTRY:DE;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:mail.****.***;PTR:*UTM*.****.***;CAT:NONE;SFS:(4636009)(5660300002)(63766006)(8636004)(8936002)(1096003)(33656002)(52536014)(45080400002)(42882007)(84300400001)(53546011)(22186003)(156005)(3480700007)(7696005)(110136005)(7636003)(78352004)(82310400003)(9686003)(58800400005)(6506007)(8676002)(82202003)(166002)(55016002)(36005)(966005)(336012)(57042006);DIR:INB;
    X-MS-Exchange-CrossTenant-OriginalArrivalTime: 02 Jun 2021 11:50:00.9964
     (UTC)
    X-MS-Exchange-CrossTenant-Network-Message-Id: e754ca65-e430-434b-2b5b-08d925bc8dba
    X-MS-Exchange-CrossTenant-Id: 06a63a20-b4de-43e3-9dcf-3e1a1532bfaa
    X-MS-Exchange-CrossTenant-OriginalAttributedTenantConnectingIp: TenantId=06a63a20-b4de-43e3-9dcf-3e1a1532bfaa;Ip=[***.***.***.*];Helo=[mail.****.***]
    X-MS-Exchange-CrossTenant-AuthSource: *SMTPSERVER*.****.***
    X-MS-Exchange-CrossTenant-AuthAs: Anonymous
    X-MS-Exchange-CrossTenant-FromEntityHeader: HybridOnPrem
    X-MS-Exchange-Transport-CrossTenantHeadersStamped: AM9PR10MB5021
    X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.3046114
    X-MS-Exchange-Processed-By-BccFoldering: 15.20.4173.030
    X-Microsoft-Antispam-Mailbox-Delivery:
    	rwl:1;ucf:1;jmr:0;auth:0;dest:C;OFR:CustomRules;ENG:(20160514016)(750129)(520011016)(520005050)(944506458)(944626604);
    

    We cannot say for sure if this is the only problematic mailing list, but it seems so, yes.

    Thanks!

  • Markus, I was hoping to see why the SMTP Proxy interpreted the message as a bounce.  My guess is that the problem should be communicated to the folks that send emails that appear to be bounces - they would want to know about that.

    Cheers - Bob

     
  • Hello Bob,

    I informed my colleague and asked them to inform the senders. Maybe that'll help.

    If not: why is the UTM ignoring the BATV-exception when I put my colleague's mail address in the recipient list? If I could allow the mails just to them that would be enough for now (as setting the sending server as exceptions is not a solution, workload wise and security wise...).

    Thanks again!

  • My guess, Markus, would be an error in one of the definitions/patterns used in the Exception.  Do you have a colleague that could check?

    Cheers - Bob

     
  • Hello Bob,

    unfortunately I am the colleague everybody asks to check something on the UTM. But that's not a problem, because I think the UTM works well and is quite easy to configure.

    I just can't get my head around this problem here. What error do you have in mind I should check in the exception definitions/patterns? Normally I think adding my colleague's email address to the recipient list should be enough for the BATV exception. Like this:

    [Screenshot: batv exception]

    Any ideas?

    Thanks again!

  • Ask someone else to confirm that the recipient addresses are correct - we always see what we know is there.

    Cheers - Bob

     
  • Ah, now I understand what you mean...

    Yes, a colleague of mine checked it, the addresses are correct.