We are running Sophos UTM 9 from the AWS Marketplace and everything is up to date.
One of our users is getting a lot of spam a day. I had a look at the headers of the emails, and they all look something like the one below.
It seems that UTM marks it as possible spam but lets it through. I am just wondering why it wasn't blocked?
Subject: Enquiry
X-PHP-Script: gsmartkids.com/index.php for 212.102.57.25
X-PHP-Originating-Script: 1055:Email.php
From: G-Smart Kids <gsmartkids@gmail.com>
Reply-To: G-Smart Kids <gsmartkids@gmail.com>
X-Sender: gsmartkids@gmail.com
X-Mailer: CodeIgniter
Message-ID: <615ef2ba72677@gmail.com>
Date: Thu, 7 Oct 2021 09:14:34 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - custom25new.weblinkindia.net
X-AntiAbuse: Original Domain - xxxx.xxx.au
X-AntiAbuse: Originator/Caller UID/GID - [1055 993] / [47 12]
X-AntiAbuse: Sender Address Domain - gmail.com
X-Get-Message-Sender-Via: custom25new.weblinkindia.net: authenticated_id: gsmartkids/only user confirmed/virtual account not confirmed
X-Authenticated-Sender: custom25new.weblinkindia.net: gsmartkids
X-Source:
X-Source-Args: /opt/cpanel/ea-php56/root/usr/bin/php-cgi
X-Source-Dir: gsmartkids.com:/public_html
X-Spam-Score: 11.0
X-Spam-Report: Spam detection software, running on the system "ip-xxxxxxxxxx.xx-southeast-2.compute.xxxxxx",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
support@xxxxxx.xxx.xx for details.
Content preview: Dear TommyReilaMK Enquiry has been submitted with following
info : ?? [...]
Content analysis details: (11.0 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
[score: 0.5004]
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
(gsmartkids[at]gmail.com)
0.0 SPF_NONE SPF: sender does not publish an SPF Record
0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
0.0 HTML_MESSAGE BODY: HTML included in message
0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
3.4 GOOG_REDIR_NORDNS Google redirect to obscure spamvertised website +
no rDNS
2.5 PHP_ORIG_SCRIPT Sent by bot & other signs
1.5 SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS
0.0 FILL_THIS_FORM Fill in a form with personal information
2.0 SPOOFED_FREEMAIL No description available.
0.6 SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...
-0.6 TXREP TXREP: Score normalizing based on sender's reputation
Return-Path: gsmartkids@gmail.com
X-MS-Exchange-Organization-Network-Message-Id: 87acb6cc-4ecf-40b3-82e5-08d989945e77
X-MS-Exchange-Organization-AuthSource: EX2016-MDB-C.xxxxxxx.Hosted
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.2230550
X-MS-Exchange-Processed-By-BccFoldering: 15.01.2308.008
Content-Type: multipart/alternative; boundary="B_3716526623_2008493348"
MIME-Version: 1.0
Are you sure the spam is detected by Sophos?
As far as I know, Sophos marks the subject and adds [SPAM] by default.
... but your subject isn't changed.
Dirk
Systema Gesellschaft für angewandte Datentechnik mbH // Sophos Platinum Partner, Sophos Solution Partner since 2003
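As an added example (not code from the thread, from Sophos UTM or from SpamAssassin), the script below does in code what the two posts above do by eye: it unfolds the quoted headers, pulls the per-rule scores out of X-Spam-Report, checks that they add up to the 11.0 in X-Spam-Score, applies a two-threshold tag/block policy, lists the header-level signs behind SPOOFED_FREEMAIL and PHP_ORIG_SCRIPT (freemail From: address, message generated by a PHP script on a different authenticated host), and runs Dirk's check for a [SPAM] subject tag. SAMPLE is a constructed, trimmed copy of the headers in the question; the block threshold `block_at`, the `FREEMAIL` domain list and the two-threshold policy itself are assumptions, not a description of how UTM is configured.

```python
"""Added example for this thread (not Sophos UTM or SpamAssassin code).
SAMPLE is a constructed, trimmed copy of the question's headers; block_at,
FREEMAIL and the tag/block policy are assumptions."""
import re

SAMPLE = """\
Subject: Enquiry
X-PHP-Originating-Script: 1055:Email.php
From: G-Smart Kids <gsmartkids@gmail.com>
Message-ID: <615ef2ba72677@gmail.com>
X-Authenticated-Sender: custom25new.weblinkindia.net: gsmartkids
X-Spam-Score: 11.0
X-Spam-Report: Spam detection software, running on the system "ip-x",
 has identified this incoming email as possible spam.
 Content analysis details: (11.0 points, 5.0 required)
 pts rule name description
 ---- ---------------------- ------------------------------------------
 0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
 [score: 0.5004]
 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
 (gsmartkids[at]gmail.com)
 0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
 3.4 GOOG_REDIR_NORDNS Google redirect to obscure spamvertised website +
 no rDNS
 2.5 PHP_ORIG_SCRIPT Sent by bot & other signs
 1.5 SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS
 2.0 SPOOFED_FREEMAIL No description available.
 0.6 SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...
 -0.6 TXREP TXREP: Score normalizing based on sender's reputation
Return-Path: gsmartkids@gmail.com
"""

FREEMAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}  # assumed list
RULE_LINE = re.compile(r"^(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]+)\s*(.*)$", re.M)
TOTALS = re.compile(r"\((-?\d+\.\d+) points, (\d+\.\d+) required\)")

def parse_headers(raw):
    """Unfold headers into {lowercase name: [values]}. Folded continuation
    lines are joined with a newline so the one-rule-per-line report survives."""
    headers, name = {}, None
    for line in raw.splitlines():
        if not line.strip():
            break                      # blank line ends the header block
        if line[0] in " \t" and name:
            headers[name][-1] += "\n" + line.strip()
        else:
            name, _, value = line.partition(":")
            name = name.strip().lower()
            headers.setdefault(name, []).append(value.strip())
    return headers

def parse_spam_report(report):
    """Return (total, required, [(points, rule, description), ...])."""
    m = TOTALS.search(report)
    if not m:
        raise ValueError("X-Spam-Report has no '(N points, M required)' line")
    rules = [(float(p), r, d.strip()) for p, r, d in RULE_LINE.findall(report)]
    return float(m.group(1)), float(m.group(2)), rules

def classify(score, required, block_at):
    """Assumed two-threshold policy: >= required is tagged as possible spam,
    only >= block_at is rejected; anything in between is delivered, tagged."""
    if score >= block_at:
        return "block"
    return "tag" if score >= required else "clean"

def subject_tagged(subject, tag="[SPAM]"):
    """The check from the reply: a subject-tagging filter would prepend [SPAM]."""
    return subject.lstrip().startswith(tag)

def freemail_relay_indicators(h):
    """Header-level signs behind SPOOFED_FREEMAIL / PHP_ORIG_SCRIPT: a freemail
    From: address written by a PHP script on some other authenticated host."""
    found = []
    sender_dom = h["from"][0].rsplit("@", 1)[-1].rstrip(">").lower()
    if sender_dom in FREEMAIL:
        if "x-php-originating-script" in h:
            found.append("freemail From: set by a PHP script")
        if "x-authenticated-sender" in h and sender_dom not in h["x-authenticated-sender"][0]:
            found.append("submitted through an account on a non-freemail host")
    return found

def analyse(raw, block_at=15.0):
    """block_at=15.0 is an assumed value chosen to reproduce the thread's case:
    well over 'required', still short of the blocking threshold."""
    h = parse_headers(raw)
    total, required, rules = parse_spam_report(h["x-spam-report"][0])
    return {
        "score": total,
        "required": required,
        "rules_sum": round(sum(p for p, _, _ in rules), 1),   # must equal score
        "verdict": classify(total, required, block_at),
        "subject_tagged": subject_tagged(h["subject"][0]),
        "top_rules": [r for _, r, _ in sorted(rules, key=lambda t: t[0], reverse=True)[:3]],
        "relay_indicators": freemail_relay_indicators(h),
    }

if __name__ == "__main__":
    for k, v in analyse(SAMPLE).items():
        print(f"{k:>17}: {v}")
```

Two things to take from the run: the rule scores add up exactly to the 11.0 in X-Spam-Score, so the report is internally consistent, and with an assumed block threshold above 11.0 the verdict is "tag", which is the "possible spam, delivered anyway" outcome the question describes; lowering `block_at` to, say, 9.0 turns the same message into "block". The missing [SPAM] subject tag comes out as `subject_tagged: False`, which is the observation the reply is based on.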