

9.706 - anti-spam engine changed to SASI

One of the changes is: Email Protection anti-spam engine changed to Sophos Anti-Spam Interface (SASI).

Does anybody have experience with that change? Does it affect the rate of recognition? I haven't figured out yet if the Commtouch Advanced Security Daemon (ctasd) is dropped with this or not. And if so, aren't the results from Cyren no longer used?

Best regards

Alex



  • The spam in question is within the thread mentioned. See link above.

  • Here we got some more spam that's coming through, and this one is bank phishing and not very funny:

    2021:07:21-08:36:50 matrix exim-in[21713]: [1\63] 2021-07-21 08:36:50 1m65qb-0005eD-1y H=m239-7.eu.mailgun.net [185.250.239.7]:61738 X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no F=<bounce+49b234.36bd12-admin=domainname.de@outbound-mg-eu.sportlink-clubsites.nl> temporarily rejected after DATA: Temporary local problem, please try again!
    2021:07:21-08:36:50 matrix exim-in[21713]: [2\63] Envelope-from: <bounce+49b234.36bd12-admin=domainname.de@outbound-mg-eu.sportlink-clubsites.nl>
    2021:07:21-08:36:50 matrix exim-in[21713]: [3\63] Envelope-to: <user@domain.de>
    2021:07:21-08:36:50 matrix exim-in[21713]: [4\63] P Received: from m239-7.eu.mailgun.net ([185.250.239.7]:61738)
    2021:07:21-08:36:50 matrix exim-in[21713]: [5\63] by mail.hostname.net with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    2021:07:21-08:36:50 matrix exim-in[21713]: [6\63] (Exim 4.94.2)
    2021:07:21-08:36:50 matrix exim-in[21713]: [7\63] (envelope-from <bounce+49b234.36bd12-admin=domainname.de@outbound-mg-eu.sportlink-clubsites.nl>)
    2021:07:21-08:36:50 matrix exim-in[21713]: [8\63] id 1m65qb-0005eD-1y
    2021:07:21-08:36:50 matrix exim-in[21713]: [9\63] for user@domain.de; Wed, 21 Jul 2021 08:36:49 +0200
    2021:07:21-08:36:50 matrix exim-in[21713]: [10\63] X-SASI-Hits: BODYTEXTH_SIZE_3000_MORE 0.000000, BODY_SIZE_10000_PLUS 0.000000,
    2021:07:21-08:36:50 matrix exim-in[21713]: [11\63] CTE_BASE64 0.000000, CTYPE_JUST_HTML 0.847999, DKIM_ALIGNS 0.000000,
    2021:07:21-08:36:50 matrix exim-in[21713]: [12\63] DKIM_SIGNATURE 0.000000, FONT_STYLE_0PT 0.000000,
    2021:07:21-08:36:50 matrix exim-in[21713]: [13\63] FROM_NAME_ONE_WORD 0.050000, HREF_LABEL_TEXT_NO_URI 0.000000,
    2021:07:21-08:36:50 matrix exim-in[21713]: [14\63] HREF_LABEL_TEXT_ONLY 0.000000, HTML_50_70 0.100000, KNOWN_MTA_TFX 0.000000,
    2021:07:21-08:36:50 matrix exim-in[21713]: [15\63] LINK_TO_IMAGE 0.000000, LIST_HEADER 0.000000, MISSING_HEADERS 0.000000,
    2021:07:21-08:36:50 matrix exim-in[21713]: [16\63] SENDER_NO_AUTH 0.000000, SINGLE_HREF_URI_IN_BODY 0.000000,
    2021:07:21-08:36:50 matrix exim-in[21713]: [17\63] SUPERLONG_LINE 0.050000, SXL_IP_TFX_WM 0.000000, TO_MALFORMED 0.000000,
    2021:07:21-08:36:50 matrix exim-in[21713]: [18\63] URI_ENDS_IN_HTML 0.000000, URI_WITH_PATH_ONLY 0.000000,
    2021:07:21-08:36:50 matrix exim-in[21713]: [19\63] UTF8_SUBJ_OBFU 0.100000, __ANY_URI 0.000000, __BODY_NO_MAILTO 0.000000,
    2021:07:21-08:36:50 matrix exim-in[21713]: [20\63] __BODY_TEXT_X4 0.000000, __CT 0.000000, __CTE 0.000000,
    2021:07:21-08:36:50 matrix exim-in[21713]: [21\63] __CTYPE_HTML 0.000000, __CTYPE_IS_HTML 0.000000, __DKIM_ALIGNS_1 0.000000,
    2021:07:21-08:36:50 matrix exim-in[21713]: [22\63] __DKIM_ALIGNS_2 0.000000, __FRAUD_INTRO 0.000000,
    2021:07:21-08:36:50 matrix exim-in[21713]: [23\63] __FRAUD_MONEY_CURRENCY 0.000000, __FRAUD_MONEY_CURRENCY_EURO 0.000000,
    2021:07:21-08:36:50 matrix exim-in[21713]: [24\63] __FROM_DOMAIN_NOT_IN_BODY 0.000000, __FROM_NAME_NOT_IN_ADDR 0.000000,
    2021:07:21-08:36:50 matrix exim-in[21713]: [25\63] __HAS_FROM 0.000000, __HAS_HTML 0.000000, __HAS_MSGID 0.000000,
    2021:07:21-08:36:50 matrix exim-in[21713]: [26\63] __HAS_SENDER 0.000000, __HREF_LABEL_TEXT 0.000000, __HTML_AHREF_TAG 0.000000,
    2021:07:21-08:36:50 matrix exim-in[21713]: [27\63] __HTML_BAD_END 0.000000, __HTML_TAG_CENTER 0.000000,
    2021:07:21-08:36:50 matrix exim-in[21713]: [28\63] __HTML_TAG_IMG_X2 0.000000, __HTML_TAG_TABLE 0.000000, __HTTPS_URI 0.000000,
    2021:07:21-08:36:50 matrix exim-in[21713]: [29\63] __IMG_THEN_TEXT 0.000000, __MAL_TELEKOM_FROM_NAME 0.000000,
    2021:07:21-08:36:50 matrix exim-in[21713]: [30\63] __MAL_TELEKOM_URI_LABEL 0.000000, __MIME_HTML 0.000000,
    2021:07:21-08:36:50 matrix exim-in[21713]: [31\63] __MIME_HTML_ONLY 0.000000, __MIME_TEXT_H 0.000000, __MIME_TEXT_H1 0.000000,
    2021:07:21-08:36:50 matrix exim-in[21713]: [32\63] __MIME_VERSION 0.000000, __PHISH_PHRASE2 0.000000,
    2021:07:21-08:36:50 matrix exim-in[21713]: [33\63] __PHISH_SPEAR_GREETING 0.000000, __PHISH_SPEAR_STRUCTURE_1 0.000000,
    2021:07:21-08:36:50 matrix exim-in[21713]: [34\63] __SANE_MSGID 0.000000, __SUBJ_ALPHA_END 0.000000, __SUBJ_ALPHA_END2 0.000000,
    2021:07:21-08:36:50 matrix exim-in[21713]: [35\63] __SUBJ_HIGHBIT 0.000000, __TAG_EXISTS_HTML 0.000000,
    2021:07:21-08:36:50 matrix exim-in[21713]: [36\63] __URI_HAS_HYPHEN_USC 0.000000, __URI_IN_BODY 0.000000,
    2021:07:21-08:36:50 matrix exim-in[21713]: [37\63] __URI_NOT_IMG 0.000000, __URI_NO_MAILTO 0.000000, __URI_NO_WWW 0.000000,
    2021:07:21-08:36:50 matrix exim-in[21713]: [38\63] __URI_NS 0.000000, __URI_WITH_PATH 0.000000, __UTF8_SUBJ 0.000000
    2021:07:21-08:36:50 matrix exim-in[21713]: [39\63] X-SASI-Probability: 12%
    2021:07:21-08:36:50 matrix exim-in[21713]: [40\63] X-SASI-RCODE: 200
    2021:07:21-08:36:50 matrix exim-in[21713]: [41\63] X-SASI-Version: Antispam-Engine: 4.1.4, AntispamData: 2021.7.21.60915
    2021:07:21-08:36:50 matrix exim-in[21713]: [42\63] DKIM-Signature: a=rsa-sha256; v=1; c=relaxed/relaxed;
    2021:07:21-08:36:50 matrix exim-in[21713]: [43\63] d=outbound-mg-eu.sportlink-clubsites.nl; q=dns/txt; s=email;
    2021:07:21-08:36:50 matrix exim-in[21713]: [44\63] t=1626849409; h=From: Subject: Content-Transfer-Encoding: MIME-Version:
    2021:07:21-08:36:50 matrix exim-in[21713]: [45\63] Content-Type: Date: Message-Id: Sender;
    2021:07:21-08:36:50 matrix exim-in[21713]: [46\63] bh=MBWEIS6gaqSZMw7oEFrGg8ffeVDk4zClNVDbyRk7RHY=; b=KY22tMfOEHHwA2MWa+SXBa5Qmm2lA83cE6rTu7+pUUc8N4JUT0sYnkcRT7HYvW3dnu0fmD6g
    2021:07:21-08:36:50 matrix exim-in[21713]: [47\63] LAVsEMslsedztOxsA/qjGqBunE2ujPMu4+oCKNTYNK0D82umbYN+5oiP85aXpXfEgNhTcUeH
    2021:07:21-08:36:50 matrix exim-in[21713]: [48\63] AXmN7ait3hkqUwvgKawrrmiv9Qo=
    2021:07:21-08:36:50 matrix exim-in[21713]: [49\63] X-Mailgun-Sending-Ip: 185.250.239.7
    2021:07:21-08:36:50 matrix exim-in[21713]: [50\63] X-Mailgun-Sid: WyIzZmVlNyIsICJhZG1pbkBtaW5kc2V0LmRlIiwgIjM2YmQxMiJd
    2021:07:21-08:36:50 matrix exim-in[21713]: [51\63] P Received: from [0.0.147.115] (<unknown> [193.32.164.27]) by
    2021:07:21-08:36:50 matrix exim-in[21713]: [52\63] smtp-out-n02.prod.eu-central-1.postgun.com with SMTP id
    2021:07:21-08:36:50 matrix exim-in[21713]: [53\63] 60f7c080e8fa35afb770266d (version=TLS1.2,
    2021:07:21-08:36:50 matrix exim-in[21713]: [54\63] cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256); Wed, 21 Jul 2021 06:36:48
    2021:07:21-08:36:50 matrix exim-in[21713]: [55\63] GMT
    2021:07:21-08:36:50 matrix exim-in[21713]: [56\63] S Sender: postmaster@outbound-mg-eu.sportlink-clubsites.nl
    2021:07:21-08:36:50 matrix exim-in[21713]: [57\63] I Message-Id: <20210721063648.e8e679633bf32405@outbound-mg-eu.sportlink-clubsites.nl>
    2021:07:21-08:36:50 matrix exim-in[21713]: [58\63] Date: Wed, 21 Jul 2021 06:36:48 +0000
    2021:07:21-08:36:50 matrix exim-in[21713]: [59\63] Content-Type: text/html; charset="utf-8"
    2021:07:21-08:36:50 matrix exim-in[21713]: [60\63] MIME-Version: 1.0
    2021:07:21-08:36:50 matrix exim-in[21713]: [61\63] Content-Transfer-Encoding: base64
    2021:07:21-08:36:50 matrix exim-in[21713]: [62\63] Subject: =?utf-8?q?Unberechtigte_Lastschriften_zur=C3=BCckbuchen?=
    2021:07:21-08:36:50 matrix exim-in[21713]: [63/63] F From: Volksbank <postmaster@outbound-mg-eu.sportlink-clubsites.nl>
    2021:07:21-08:36:50 matrix exim-in[21713]: 2021-07-21 08:36:50 SMTP connection from m239-7.eu.mailgun.net [185.250.239.7]:61738 closed by QUIT
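    Added example, not code from the thread or from Sophos: a small Python parser that takes exim-in log lines in the format shown above, rebuilds the wrapped X-SASI-Hits header and lists only the rules that actually contributed weight, next to the X-SASI-Probability value, so a hit list like this one can be read at a glance. The sample lines are excerpted from the log above; the prefix regex and the function names are this example's own assumptions about the log format.

```python
import re
# Lines excerpted from the exim-in log posted above: every logged header line
# carries a "[n\63]" counter and X-SASI-Hits wraps over many such lines.
SAMPLE_LOG = r"""
2021:07:21-08:36:50 matrix exim-in[21713]: [10\63] X-SASI-Hits: BODYTEXTH_SIZE_3000_MORE 0.000000, BODY_SIZE_10000_PLUS 0.000000,
2021:07:21-08:36:50 matrix exim-in[21713]: [11\63] CTE_BASE64 0.000000, CTYPE_JUST_HTML 0.847999, DKIM_ALIGNS 0.000000,
2021:07:21-08:36:50 matrix exim-in[21713]: [17\63] SUPERLONG_LINE 0.050000, SXL_IP_TFX_WM 0.000000, TO_MALFORMED 0.000000,
2021:07:21-08:36:50 matrix exim-in[21713]: [19\63] UTF8_SUBJ_OBFU 0.100000, __ANY_URI 0.000000, __BODY_NO_MAILTO 0.000000,
2021:07:21-08:36:50 matrix exim-in[21713]: [38\63] __URI_NS 0.000000, __URI_WITH_PATH 0.000000, __UTF8_SUBJ 0.000000
2021:07:21-08:36:50 matrix exim-in[21713]: [39\63] X-SASI-Probability: 12%
2021:07:21-08:36:50 matrix exim-in[21713]: [40\63] X-SASI-RCODE: 200
"""

# Log prefix through the "[n\63]" counter (the final line is logged as "[63/63]").
PREFIX = re.compile(r"^\S+ \S+ exim-in\[\d+\]: \[\d+[\\/]\d+\] (.*)$")
# A header line, optionally preceded by exim's one-letter header flag (P, S, I, F).
HEADER = re.compile(r"^(?:[A-Z] )?([A-Za-z][\w-]*): ?(.*)$")

def collect_headers(log):
    """Rebuild the logged headers, appending wrapped continuation lines to the last header seen."""
    headers, current = {}, None
    for raw in log.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:
            continue  # banner / SMTP session lines carry no counter
        h = HEADER.match(m.group(1))
        if h:
            current = h.group(1)
            headers[current] = h.group(2).strip()
        elif current:
            headers[current] += " " + m.group(1).strip()
    return headers

def parse_hits(hits):
    """'RULE weight, RULE weight, ...' -> [(rule, weight)]; empty items come from wrapped commas."""
    pairs = []
    for item in filter(None, (s.strip() for s in hits.split(","))):
        rule, weight = item.rsplit(" ", 1)
        pairs.append((rule, float(weight)))
    return pairs

def scoring_rules(headers):
    """Only the rules that contributed weight, highest first; the zero-weight rest is noise."""
    hits = parse_hits(headers.get("X-SASI-Hits", ""))
    return sorted([(r, w) for r, w in hits if w > 0], key=lambda p: -p[1])

def probability(headers):
    """X-SASI-Probability as an integer percent, or -1 if the header was not logged."""
    value = headers.get("X-SASI-Probability", "").rstrip("%")
    return int(value) if value.isdigit() else -1
```

    For the excerpt above this yields three weighted rules (CTYPE_JUST_HTML, UTF8_SUBJ_OBFU, SUPERLONG_LINE) and a 12% probability; feeding it a whole /var/log/mail or exim-in log lets you compare which rules fire before and after the engine change.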

  • Hi Alex,

    some observations from our test installation, which holds only "spam domains":

    • 10 days before the update: total 441 mails, of which 419 recognised as spam (111 Quarantine, 195 RBL) -> old engine recognition rate 95%
    • 10 days after the update: total 326 mails, of which 191 recognised as spam (0 Quarantine, 191 RBL) -> new engine recognition rate 59%

    So from those numbers, the overall filter rate of the new engine is worse. It seems that in the new engine only an RBL filter works, which is not good.

    bye Josef

    BERGMANN engineering & consulting GmbH, Wien/Austria

  • Maybe I'm not that disappointed, because I always used some extra RBLs. These are zen.spamhaus.org, ix.dnsbl.manitu.net, b.barracudacentral.org and bl.spamcop.net.
    Give it a try. Btw., something I learned not long ago: these extra RBLs are always rejecting emails. The settings in the GUI only have an effect on Sophos' own tests.

    Best regards
    Alex


  • RBLs are nice but will generally not help when the spam comes from abused/hacked accounts or from spam gangs which quickly change their infrastructure/IPs (which most of them do). Additionally, on most of the RBLs you quickly run into a volume limitation when you use DNS resolvers from providers (which is mostly the case).

    Dear Sophos, you must have had content matching (words/sentences, URLs, GIFs...) in your spam engine, so why is this obviously not working in the new version?

    bye Josef

    BERGMANN engineering & consulting GmbH, Wien/Austria

  • Well, I guess they won't help you:

    here are my RBL lists:

    bl.spamcop.net
    ix.dnsbl.manitu.net
    zen.spamhaus.org

    and I am using my very own DNSBL.

    But nothing helps here with the new update. As you can see, I got the bank phishing anyway.

  • For those having this problem, it is probably due to hardware considered too old.

    https://support.sophos.com/support/s/article/KB-000042345?language=en_US

    This is the straw that broke the camel's back for me after 25 years of using Astaro; moving to OPNsense right now.

  • Well, I did this hardware upgrade, got all new ones and an extra Intel CPU, but the problem is that the detection rate is still as described in Josef's post.

    So I don't think that this is "only" a hardware issue.

  • Hi Simon,

    thanks for the link, this was an issue on our installation!

    In short, the new Sophos anti-spam engine needs the SSSE3 CPU instruction set for optimal performance (aka "pattern matching").

    We run our Sophos UTM test installation in a Proxmox virtual cluster, and with the default CPU setup (kvm64) the SSSE3 CPU option will not be passed to the guest. So obviously only the RBL part was working. To change this, alter the CPU type to "host" in the Proxmox guest.

    I've also tested some Sophos SG boxes for this CPU feature. Starting from Rev. 2 models SSSE3 seems supported, so the new anti-spam engine should be fully operational here. To check this yourself, read the full KB article above.

    I will post my new test results here in about two weeks. If you have an old unused domain which just gets spam and you want to support my anti-spam test, please contact me via PM.

    bye Josef

    BERGMANN engineering & consulting GmbH, Wien/Austria

  • I checked the KB article and did what is described in the article.

    Nothing found.

    hostname:/root # grep SSSE3 /var/log/sasi.log
    hostname:/root #

    hostname:/root # grep flags -m1 /proc/cpuinfo
    flags : fpu vme de pse tsc msr pae mce cx8 apic sep mtrr pge mca cmov pat pse36 clflush dts acpi mmx fxsr sse sse2 ss ht tm pbe syscall nx pdpe1gb rdtscp lm constant_tsc arch_perfmon pebs bts rep_good nopl xtopology nonstop_tsc aperfmperf eagerfpu pni pclmulqdq dtes64 monitor ds_cpl vmx est tm2 ssse3 fma cx16 xtpr pdcm pcid sse4_1 sse4_2 x2apic movbe popcnt tsc_deadline_timer aes xsave avx f16c rdrand lahf_lm abm 3dnowprefetch ida arat xsaveopt pln pts dtherm tpr_shadow vnmi flexpriority ept vpid fsgsbase tsc_adjust bmi1 avx2 smep bmi2 erms invpcid rdseed adx smap

    But still nothing works with the spam engine, so still 0 Quarantine.

    Also my FW is NOT a VM.

    So it would be interesting what, and if, Josef finds something.