This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM 9 identified the incoming email as possible spam, but it lets it through

We are running Sophos UTM 9 on AWS marketplace and everything is up to date.

One of our users is getting a lot of spam a day, I had a look at the headers of the emails, the headers all look something below.

It seems that UTM marks it as possible spam but let it through, I am just wondering why it wasn't blocked?

Subject: Enquiry

X-PHP-Script: gsmartkids.com/index.php for 212.102.57.25

X-PHP-Originating-Script: 1055:Email.php

From: G-Smart Kids <gsmartkids@gmail.com>

Reply-To: G-Smart Kids <gsmartkids@gmail.com>

X-Sender: gsmartkids@gmail.com

X-Mailer: CodeIgniter

Message-ID: <615ef2ba72677@gmail.com>

Date: Thu, 7 Oct 2021 09:14:34 -0400

X-AntiAbuse: This header was added to track abuse, please include it with any abuse report

X-AntiAbuse: Primary Hostname - custom25new.weblinkindia.net

X-AntiAbuse: Original Domain - xxxx.xxx.au

X-AntiAbuse: Originator/Caller UID/GID - [1055 993] / [47 12]

X-AntiAbuse: Sender Address Domain - gmail.com

X-Get-Message-Sender-Via: custom25new.weblinkindia.net: authenticated_id: gsmartkids/only user confirmed/virtual account not confirmed

X-Authenticated-Sender: custom25new.weblinkindia.net: gsmartkids

X-Source:

X-Source-Args: /opt/cpanel/ea-php56/root/usr/bin/php-cgi

X-Source-Dir: gsmartkids.com:/public_html

X-Spam-Score: 11.0

X-Spam-Report: Spam detection software, running on the system "ip-xxxxxxxxxx.xx-southeast-2.compute.xxxxxx",

 has identified this incoming email as possible spam.  The original

 message has been attached to this so you can view it or label

 similar future email.  If you have any questions, see

 support@xxxxxx.xxx.xx for details.

 

 Content preview:  Dear TommyReilaMK Enquiry has been submitted with following

    info : ?? [...]

 

 Content analysis details:   (11.0 points, 5.0 required)

 

  pts rule name              description

 ---- ---------------------- --------------------------------------------------

  0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%

                             [score: 0.5004]

  0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider

                             (gsmartkids[at]gmail.com)

  0.0 SPF_NONE               SPF: sender does not publish an SPF Record

  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record

  0.0 HTML_MESSAGE           BODY: HTML included in message

  0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS

  3.4 GOOG_REDIR_NORDNS      Google redirect to obscure spamvertised website +

                             no rDNS

  2.5 PHP_ORIG_SCRIPT        Sent by bot & other signs

  1.5 SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS

  0.0 FILL_THIS_FORM         Fill in a form with personal information

  2.0 SPOOFED_FREEMAIL       No description available.

  0.6 SPOOF_GMAIL_MID        From Gmail but it doesn't seem to be...

 -0.6 TXREP                  TXREP: Score normalizing based on sender's reputation

Return-Path: gsmartkids@gmail.com

X-MS-Exchange-Organization-Network-Message-Id: 87acb6cc-4ecf-40b3-82e5-08d989945e77

X-MS-Exchange-Organization-AuthSource: EX2016-MDB-C.xxxxxxx.Hosted

X-MS-Exchange-Organization-AuthAs: Anonymous

X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.2230550

X-MS-Exchange-Processed-By-BccFoldering: 15.01.2308.008

Content-Type: multipart/alternative; boundary="B_3716526623_2008493348"

MIME-Version: 1.0



This thread was automatically locked due to age.
  • Are you sure, the spam is detected by sophos?

    As i know, sophos marks the subject and add [SPAM] by default.

    ... but your subject isn't changed.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Hi Johnny and welcome to the UTM Community!

    As Dirk said, that's not an email that went through the UTM's SMTP Proxy.  If it had, you would see something like the below in the headers.

    Cheers - Bob

    X-SASI-Hits: BODYTEXTH_SIZE_3000_MORE 0.000000, BODY_SIZE_10000_PLUS 0.000000,
        BODY_SIZE_25K_PLUS 0.000000, BULK_EMAIL_SENDER 0.000000, DATE_TZ_NA 0.000000,
        DKIM_ALIGNS 0.000000, DKIM_SIGNATURE 0.000000, ECARD_WORD 0.000000,
        FROM_NAME_ONE_WORD 0.050000, HREF_LABEL_TEXT_NO_URI 0.000000,
        HREF_LABEL_TEXT_ONLY 0.000000, HTML_90_100 0.100000,
        HTML_BAD_EXTRAS 0.000000, KNOWN_MTA_TFX 0.000000, LEGITIMATE_SIGNS 0.000000,
        LINK_TO_IMAGE 0.000000, LIST_HEADER 0.000000, OBFUSCATION 0.000000,
        REPLYTO_FROM_DIFF_ADDY 0.100000, SINGLE_HREF_URI_IN_BODY 0.000000,
        STYLE_RATWARE_REF 0.000000, SUPERLONG_LINE 0.050000, SXL_IP_TFX_ESP 0.000000,
        SXL_IP_TFX_WM 0.000000, __ANY_URI 0.000000, __BODY_NO_MAILTO 0.000000,
        __CANPHARM_COPYRIGHT 0.000000, __COURIER_PHRASE 0.000000,
        __CP_NOT_1 0.000000, __CP_URI_IN_BODY 0.000000, __CT 0.000000,
        __CTYPE_HAS_BOUNDARY 0.000000, __CTYPE_MULTIPART 0.000000,
        __CTYPE_MULTIPART_ALT 0.000000, __DKIM_ALIGNS_1 0.000000,
        __DKIM_ALIGNS_2 0.000000, __DQ_NEG_HEUR 0.000000, __DQ_NEG_IP 0.000000,
        __FUR_HEADER 0.000000, __HAS_FROM 0.000000, __HAS_HTML 0.000000,
        __HAS_LIST_HEADER 0.000000, __HAS_LIST_ID 0.000000,
        __HAS_LIST_UNSUBSCRIBE 0.000000, __HAS_MSGID 0.000000,
        __HAS_REPLYTO 0.000000, __HREF_LABEL_TEXT 0.000000,
        __HTML_AHREF_TAG 0.000000, __HTML_BAD_END 0.000000,
        __HTML_BAD_START 0.000000, __HTML_STYLE_DEF_HIDDEN 0.000000,
        __HTML_TAG_CENTER 0.000000, __HTML_TAG_IMG_X2 0.000000,
        __HTML_TAG_TABLE 0.000000, __HTTPS_URI 0.000000, __IMG_THEN_TEXT 0.000000,
        __INT_PROD_COMP 0.000000, __LEGIT_LIST_HEADER 0.000000,
        __MEDS_PLAIN_MEDICATION 0.000000, __MEDS_PLAIN_RX 0.000000,
        __MIME_HTML 0.000000, __MIME_TEXT_H 0.000000, __MIME_TEXT_H1 0.000000,
        __MIME_TEXT_H2 0.000000, __MIME_TEXT_P 0.000000, __MIME_TEXT_P1 0.000000,
        __MIME_TEXT_P2 0.000000, __MIME_VERSION 0.000000,
        __MSGID_DOMAIN_NOT_IN_HDRS 0.000000, __MULTIPLE_URI_TEXT 0.000000,
        __PHISH_PHRASE_NL4 0.000000, __PHISH_SUBJ_PHRASE4 0.000000,
        __SANE_MSGID 0.000000, __STOCK_PHRASE_7 0.000000, __STYLE_RATWARE 0.000000,
        __STYLE_RATWARE_NEG 0.000000, __SUBJ_ALPHA_END 0.000000,
        __SUBJ_TRANSACTIONAL 0.000000, __SUBJ_TR_GEN 0.000000,
        __TAG_EXISTS_HTML 0.000000, __TO_MALFORMED_2 0.000000, __TO_NO_NAME 0.000000,
        __URI_IN_BODY 0.000000, __URI_IN_BODY_HTTP_X10 0.000000,
        __URI_NOT_IMG 0.000000, __URI_NO_MAILTO 0.000000, __URI_NS 0.000000,
        __URI_WITHOUT_PATH 0.000000, __URI_WITH_PATH 0.000000
    X-SASI-Probability: 8%
    X-SASI-RCODE: 200
    X-SASI-Version: Antispam-Engine: 4.1.4, AntispamData: 2021.10.15.173315

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA