9.706 - anti-spam engine changed to SASI

One of the changes is: Email Protection anti-spam engine changed to Sophos Anti-Spam Interface (SASI)

Does anybody have experience with that change? Does it affect the rate of recognition? I haven't figured out yet if the Commtouch Advanced Security Daemon (ctasd) is dropped with this or not. And if so, aren't the results from Cyren no longer used?

Best regards

Alex

  • For those having this problem it is probably due to hardware considered too old.

    https://support.sophos.com/support/s/article/KB-000042345?language=en_US

    This is the straw that broke the camel's back for me after 25 years of using Astaro, moving to OPNsense right now.

  • Hi Simon,

    thanks for the link, this was an issue on our installation!

    In short, the new Sophos anti-spam engine needs the SSSE3 CPU instruction set for optimal performance (aka "pattern matching").

    We run our Sophos UTM test-installation in a proxmox virtual cluster and with the default CPU setup (kvm64) the SSSE3 CPU option will not be passed to the guest. So obviously only the RBL-part was working. To change this, alter the CPU Type to "host" in the proxmox guest.

    I've also checked some Sophos SG boxes for this CPU feature. Starting from Rev.2 models SSSE3 seems supported, so the new anti-spam engine should be fully operational here. To check this yourself, read the full KB article above.

    I will post my new test results here in about two weeks. If you have an old unused domain which just gets spam and you want to support my anti-spam test, just contact me please via PM.

    bye Josef

    Firewall consultant since 1995
    Astaro consultant since 2001
    Sophos partner since 2012
    BERGMANN engineering & consulting GmbH, Wien/Austria
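The KB check above greps only the first "flags" line of /proc/cpuinfo. The following added example (not from this thread, not Sophos' own tooling) checks every logical CPU listed in a cpuinfo file for a given flag, matching whole words so that "sse" does not match "ssse3", and reports whether the flag is present on all, some or none of the CPUs. It runs against a constructed sample file; point it at /proc/cpuinfo on a real box.

```shell
#!/bin/sh
# Added example: report whether FLAG is advertised by every logical CPU in a
# cpuinfo file. Usage: cpu_flag_status FLAG [CPUINFO_FILE] (default /proc/cpuinfo).
# Prints "present", "partial", "missing" or "unknown"; exit 0 only for "present".
cpu_flag_status() {
    flag="$1"
    file="${2:-/proc/cpuinfo}"
    total=0
    with=0
    # Each "flags" line describes one logical CPU; count how many list the flag.
    while IFS= read -r line; do
        case "$line" in
            flags*)
                total=$((total + 1))
                # Surround with spaces so only a whole word matches (sse vs ssse3).
                case " ${line#*:} " in
                    *" $flag "*) with=$((with + 1)) ;;
                esac
                ;;
        esac
    done < "$file"
    if [ "$total" -eq 0 ]; then
        echo "unknown"; return 2
    elif [ "$with" -eq "$total" ]; then
        echo "present"; return 0
    elif [ "$with" -gt 0 ]; then
        echo "partial"; return 1
    else
        echo "missing"; return 1
    fi
}

# Constructed sample (not a real capture): two logical CPUs, only the first
# exposes ssse3, mimicking a guest where a feature is passed through unevenly.
SAMPLE_CPUINFO="$(mktemp)"
cat > "$SAMPLE_CPUINFO" <<'EOF'
processor	: 0
flags		: fpu vme sse sse2 ssse3 sse4_1 aes avx
processor	: 1
flags		: fpu vme sse sse2 sse4_1 aes avx
EOF

echo "ssse3 on sample: $(cpu_flag_status ssse3 "$SAMPLE_CPUINFO")"
```

A "partial" result on a VM points at the hypervisor CPU model rather than the hardware, which is the Proxmox kvm64 case described above.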

  • I checked the KB article and did what was described in the article.

    nothing found.

    hostname:/root # grep SSSE3 /var/log/sasi.log
    hostname:/root #

    hostname:/root # grep flags -m1 /proc/cpuinfo
    flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx est tm2 ssse3 fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch ida arat xsaveopt pln pts dtherm tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid rdseed adx smap

    But still nothing works with the spam engine. So still 0 in Quarantine.

    Also my FW is NOT a VM.

    So it would be interesting what, and if, Josef finds something.

  • Well, I'd like to ask if I am still the only one with this issue right now.

    Because I have no more ideas what I can do.

    The firewall is not a VM.

    Hardware:

    lspci
    00:00.0 Host bridge: Intel Corporation Device 9b63 (rev 03)
    00:01.0 PCI bridge: Intel Corporation Xeon E3-1200 v5/E3-1500 v5/6th Gen Core Processor PCIe Controller (x16) (rev 03)
    00:14.0 USB controller: Intel Corporation Device 43ed (rev 11)
    00:14.2 RAM memory: Intel Corporation Device 43ef (rev 11)
    00:14.3 Network controller: Intel Corporation Device 43f0 (rev 11)
    00:16.0 Communication controller: Intel Corporation Device 43e0 (rev 11)
    00:17.0 SATA controller: Intel Corporation Device 43d2 (rev 11)
    00:1b.0 PCI bridge: Intel Corporation Device 43c0 (rev 11)
    00:1b.3 PCI bridge: Intel Corporation Device 43c3 (rev 11)
    00:1b.4 PCI bridge: Intel Corporation Device 43c4 (rev 11)
    00:1d.0 PCI bridge: Intel Corporation Device 43b0 (rev 11)
    00:1d.4 PCI bridge: Intel Corporation Device 43b4 (rev 11)
    00:1f.0 ISA bridge: Intel Corporation Device 4385 (rev 11)
    00:1f.4 SMBus: Intel Corporation Device 43a3 (rev 11)
    00:1f.5 Serial bus controller [0c80]: Intel Corporation Device 43a4 (rev 11)
    01:00.0 VGA compatible controller: NVIDIA Corporation GT218 [GeForce 210] (rev a2)
    01:00.1 Audio device: NVIDIA Corporation High Definition Audio Controller (rev a1)
    03:00.0 Ethernet controller: Intel Corporation 82574L Gigabit Network Connection
    04:00.0 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)
    04:00.1 Ethernet controller: Intel Corporation I350 Gigabit Network Connection (rev 01)

    I did a fresh install, used a backup, and still nothing works as on the old hardware.

    And I seriously would like to know why!

    Everything is on 0, the 6 spam mails got blocked via RBL.

    So what is going on here? This is not normal!

  • Hi Wolfgang,

    check what is set in Email Protection - SMTP - Antispam on
    Reject at SMTP time: Confirmed Spam
    Spam action: Quarantine
    or if you're using Profiles check these settings in the profile ...

    Check if the box gets the latest spam patterns, in Management - Up2Date - Pattern (current pattern on 30.7.2021 14:25 CET is 202416, so your number here should be equal or higher).

    Check in the Mail Manager SMTP Log if the pattern works, uncheck every Reason filter except "Spam", then you should see matches like "Rejected: Spam (confirmed)" or "Quarantined: Spam".

    bye Josef

    Firewall consultant since 1995
    Astaro consultant since 2001
    Sophos partner since 2012
    BERGMANN engineering & consulting GmbH, Wien/Austria

  • Hi Josef,

    thanks for your answer. The pattern is not up to date. So the question is why? Why does the UTM not download the new pattern?

    Also I can't see anything like "Rejected: Spam (confirmed)" or "Quarantined: Spam" in the Mail Manager SMTP Log.

    I did the pattern update now via manual update. So let's see what happens.

  • Hi Wolfgang,

    I am really interested in your case for two reasons. First, your claims are holding me back from upgrading my production UTMs because I heavily rely on the SMTP proxy (my home UTM is fine..) and second, because of this, Sophos released the SSSE3 advisory.

    However, I think you have to distinguish between blocked and quarantined mail. A blocked mail is a blocked mail and not a quarantined one. Therefore you can have 6 blocked mails and zero in quarantine.

    I would suggest you post complete screenshots of your SMTP configuration.
    I guess Josef is right and your mails are "rejected at SMTP time".

  • Yes, you are right, I have a lot of "rejected at SMTP time".

    So here we go (Part 1):

    Profile mode, because I have my own HP and some hobby sites here and am using them also as mail domains.

    SMTP Profile uses Global Settings

  • I just looked into the Mail Manager:

    Could it be that easy? Was it just an old pattern? So did I overlook that I was only not on the newest spam pattern?

    I have no clue!

  • Great! Overall your screenshots are looking good. I would suggest enabling "strict RDNS checks" and setting TLS to 1.2, but I can't spot a misconfiguration here.

    And well...it is working! :)

    Do you have automatic pattern download disabled?

  • No, I had it disabled, but I put it on again. So I'll have a close look at what happens till the end of the week.

  • I guess my last answer was kinda unclear.

    So I had it disabled for the manual update only. Before that it was not disabled at all.