We have four or five customers still on SG units and on-prem e-mail hosting. Since applying 9.706-9 for the 21Nails remediation we've had complaints at least one of them every few days over the last few weeks. It's not always the same customer on the same day, but these clients have rarely had complaints before and now we're having repeat complaints.
Reviewing logs, I can see that SASI is operational and some messages are being blocked due to RBL, SPF, and confirmed spam, but there are waves of messages making it through, sometimes a hundred or more, over a 12 hour window.
We're not new to this, and we understand how honeypot detection works, and that if a customer is at the top of a spam list they're vulnerable, but the volume involved is unusually high, the duration is unusually high, the repetition is unusual, and that it started about a week after 9.706-9 in addition to that our two on-prem XG customers don't have a complaint has us wondering.
We formed a Sophos case about two weeks ago and it didn't go further than "are you getting definition updates? Then submit the false negatives." No thank you. We've got hundreds of messages.
I'm curious if anyone else has been seeing similar increases of failed detection in the last month or so.
Hi Paul Gazo,
Thank you for reaching out to the Community!
Would it be possible for you to provide the support case number by sending a personal message? Have you provided original sample emails and logs for investigation?
I don't actually have an open call on this. Another tech at our company formed that case about two weeks ago. I can get it if there's value, but I don't have it at-hand.
No, we did not provide samples. I say, it's multiple customers over multiple weeks, and hundreds of messages. Really overwhelmingly "why bother?"
Sophos Lab would need original sample emails and logs from the firewall to investigate the issue further. If you could find the open support case, please send the case number to me via personal message, and I'll help with the follow-up. If you can't find the case number, open a new case and provided the original email samples, logs, and access to your firewall through support access.
I appreciate the offer. I can't currently justify spending (more) customer-billable time doing this, which I'd have to do the moment I connect up and start pulling specific messages, logs, and pursuing this as a support case. Your offer to pursue this is great, but I'm mainly trying to reach out to the community right now to see if what we're seeing is unique to our customers somehow, or if it is a wider issue that merits billable time being spent.
I hope this make sense.
Our SMTP Proxy is in a 9.706 UTM instance at AWS. We're not seeing a lot more false negatives since Up2Dating from 9.705-3.
I haven't yet given the OK to my clients to upgrade past 7.705-3, so I can't give you any better information. Sophos' rapid response to the 21 Nails announcement makes me uncomfortable with newer versions.
Cheers - Bob
Thank you for the feedback. It's appreciated.
I'm not sure how much customization to exim Sophos actually did so I can't speculate how much work properly patching might be. I just hope they've done it right and have proper documentation for any alterations they've ever made. But yeah, always a little concerned about rapid turnaround. More worried about getting remotely owned though!
the following additional RBLs I have in place and very good results:
Just as a hint, but maybe there are regional differences on that.