
UTM 9 identified the incoming email as possible spam, but it lets it through

We are running Sophos UTM 9 on AWS marketplace and everything is up to date.

One of our users is getting a lot of spam a day. I had a look at the headers of the emails, and they all look something like the one below.

It seems that UTM marks it as possible spam but lets it through; I am just wondering why it wasn't blocked?

Subject: Enquiry
X-PHP-Script: gsmartkids.com/index.php for 212.102.57.25
X-PHP-Originating-Script: 1055:Email.php
From: G-Smart Kids <gsmartkids@gmail.com>
Reply-To: G-Smart Kids <gsmartkids@gmail.com>
X-Sender: gsmartkids@gmail.com
X-Mailer: CodeIgniter
Message-ID: <615ef2ba72677@gmail.com>
Date: Thu, 7 Oct 2021 09:14:34 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - custom25new.weblinkindia.net
X-AntiAbuse: Original Domain - xxxx.xxx.au
X-AntiAbuse: Originator/Caller UID/GID - [1055 993] / [47 12]
X-AntiAbuse: Sender Address Domain - gmail.com
X-Get-Message-Sender-Via: custom25new.weblinkindia.net: authenticated_id: gsmartkids/only user confirmed/virtual account not confirmed
X-Authenticated-Sender: custom25new.weblinkindia.net: gsmartkids
X-Source:
X-Source-Args: /opt/cpanel/ea-php56/root/usr/bin/php-cgi
X-Source-Dir: gsmartkids.com:/public_html
X-Spam-Score: 11.0
X-Spam-Report: Spam detection software, running on the system "ip-xxxxxxxxxx.xx-southeast-2.compute.xxxxxx",
 has identified this incoming email as possible spam.  The original
 message has been attached to this so you can view it or label
 similar future email.  If you have any questions, see
 support@xxxxxx.xxx.xx for details.
 
 Content preview:  Dear TommyReilaMK Enquiry has been submitted with following
    info : ?? [...]
 
 Content analysis details:   (11.0 points, 5.0 required)
 
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                             [score: 0.5004]
  0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
                             (gsmartkids[at]gmail.com)
  0.0 SPF_NONE               SPF: sender does not publish an SPF Record
  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
  0.0 HTML_MESSAGE           BODY: HTML included in message
  0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
  3.4 GOOG_REDIR_NORDNS      Google redirect to obscure spamvertised website +
                             no rDNS
  2.5 PHP_ORIG_SCRIPT        Sent by bot & other signs
  1.5 SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS
  0.0 FILL_THIS_FORM         Fill in a form with personal information
  2.0 SPOOFED_FREEMAIL       No description available.
  0.6 SPOOF_GMAIL_MID        From Gmail but it doesn't seem to be...
 -0.6 TXREP                  TXREP: Score normalizing based on sender's reputation
Return-Path: gsmartkids@gmail.com
X-MS-Exchange-Organization-Network-Message-Id: 87acb6cc-4ecf-40b3-82e5-08d989945e77
X-MS-Exchange-Organization-AuthSource: EX2016-MDB-C.xxxxxxx.Hosted
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:00.2230550
X-MS-Exchange-Processed-By-BccFoldering: 15.01.2308.008
Content-Type: multipart/alternative; boundary="B_3716526623_2008493348"
MIME-Version: 1.0



  • Hi Johnny and welcome to the UTM Community!

    As Dirk said, that's not an email that went through the UTM's SMTP Proxy.  If it had, you would see something like the below in the headers.

    Cheers - Bob

    X-SASI-Hits: BODYTEXTH_SIZE_3000_MORE 0.000000, BODY_SIZE_10000_PLUS 0.000000,
        BODY_SIZE_25K_PLUS 0.000000, BULK_EMAIL_SENDER 0.000000, DATE_TZ_NA 0.000000,
        DKIM_ALIGNS 0.000000, DKIM_SIGNATURE 0.000000, ECARD_WORD 0.000000,
        FROM_NAME_ONE_WORD 0.050000, HREF_LABEL_TEXT_NO_URI 0.000000,
        HREF_LABEL_TEXT_ONLY 0.000000, HTML_90_100 0.100000,
        HTML_BAD_EXTRAS 0.000000, KNOWN_MTA_TFX 0.000000, LEGITIMATE_SIGNS 0.000000,
        LINK_TO_IMAGE 0.000000, LIST_HEADER 0.000000, OBFUSCATION 0.000000,
        REPLYTO_FROM_DIFF_ADDY 0.100000, SINGLE_HREF_URI_IN_BODY 0.000000,
        STYLE_RATWARE_REF 0.000000, SUPERLONG_LINE 0.050000, SXL_IP_TFX_ESP 0.000000,
        SXL_IP_TFX_WM 0.000000, __ANY_URI 0.000000, __BODY_NO_MAILTO 0.000000,
        __CANPHARM_COPYRIGHT 0.000000, __COURIER_PHRASE 0.000000,
        __CP_NOT_1 0.000000, __CP_URI_IN_BODY 0.000000, __CT 0.000000,
        __CTYPE_HAS_BOUNDARY 0.000000, __CTYPE_MULTIPART 0.000000,
        __CTYPE_MULTIPART_ALT 0.000000, __DKIM_ALIGNS_1 0.000000,
        __DKIM_ALIGNS_2 0.000000, __DQ_NEG_HEUR 0.000000, __DQ_NEG_IP 0.000000,
        __FUR_HEADER 0.000000, __HAS_FROM 0.000000, __HAS_HTML 0.000000,
        __HAS_LIST_HEADER 0.000000, __HAS_LIST_ID 0.000000,
        __HAS_LIST_UNSUBSCRIBE 0.000000, __HAS_MSGID 0.000000,
        __HAS_REPLYTO 0.000000, __HREF_LABEL_TEXT 0.000000,
        __HTML_AHREF_TAG 0.000000, __HTML_BAD_END 0.000000,
        __HTML_BAD_START 0.000000, __HTML_STYLE_DEF_HIDDEN 0.000000,
        __HTML_TAG_CENTER 0.000000, __HTML_TAG_IMG_X2 0.000000,
        __HTML_TAG_TABLE 0.000000, __HTTPS_URI 0.000000, __IMG_THEN_TEXT 0.000000,
        __INT_PROD_COMP 0.000000, __LEGIT_LIST_HEADER 0.000000,
        __MEDS_PLAIN_MEDICATION 0.000000, __MEDS_PLAIN_RX 0.000000,
        __MIME_HTML 0.000000, __MIME_TEXT_H 0.000000, __MIME_TEXT_H1 0.000000,
        __MIME_TEXT_H2 0.000000, __MIME_TEXT_P 0.000000, __MIME_TEXT_P1 0.000000,
        __MIME_TEXT_P2 0.000000, __MIME_VERSION 0.000000,
        __MSGID_DOMAIN_NOT_IN_HDRS 0.000000, __MULTIPLE_URI_TEXT 0.000000,
        __PHISH_PHRASE_NL4 0.000000, __PHISH_SUBJ_PHRASE4 0.000000,
        __SANE_MSGID 0.000000, __STOCK_PHRASE_7 0.000000, __STYLE_RATWARE 0.000000,
        __STYLE_RATWARE_NEG 0.000000, __SUBJ_ALPHA_END 0.000000,
        __SUBJ_TRANSACTIONAL 0.000000, __SUBJ_TR_GEN 0.000000,
        __TAG_EXISTS_HTML 0.000000, __TO_MALFORMED_2 0.000000, __TO_NO_NAME 0.000000,
        __URI_IN_BODY 0.000000, __URI_IN_BODY_HTTP_X10 0.000000,
        __URI_NOT_IMG 0.000000, __URI_NO_MAILTO 0.000000, __URI_NS 0.000000,
        __URI_WITHOUT_PATH 0.000000, __URI_WITH_PATH 0.000000
    X-SASI-Probability: 8%
    X-SASI-RCODE: 200
    X-SASI-Version: Antispam-Engine: 4.1.4, AntispamData: 2021.10.15.173315

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
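Bob's point is that the scanning engine is identifiable from the headers it stamps: the UTM SMTP proxy adds X-SASI-* headers, whereas the headers the OP posted carry a SpamAssassin-style X-Spam-Score / X-Spam-Report pair (the "Spam detection software, running on the system ..." wording is SpamAssassin's default report template). That scanner did flag the message (11.0 points against a 5.0 threshold), but SpamAssassin only scores and tags; whether a tagged message is rejected, quarantined or delivered is decided by the MTA or filter on the host named in the report that consumes the tag, which is where the "why wasn't it blocked" question has to be taken. The Python script below is an added example, not code from Sophos or from either poster: it reads a raw header block, reports which engine stamped it, extracts score, threshold and per-rule hits, and cross-checks that the rule points add up to the headline score. The two sample header blocks are constructed from the posts in this thread, abridged, with the redactions kept as posted.

```python
"""Which anti-spam engine stamped this message, and what did it decide?

Added example for this thread; not Sophos code. The UTM SMTP proxy stamps
X-SASI-* headers; the OP's message carries SpamAssassin-style headers.
"""
import email
import re

# Constructed sample, abridged from the OP's post (redactions kept as posted).
SAMPLE_HEADERS = """\
From: G-Smart Kids <gsmartkids@gmail.com>
Message-ID: <615ef2ba72677@gmail.com>
X-Spam-Score: 11.0
X-Spam-Report: Spam detection software, running on the system "ip-xxxxxxxxxx.xx-southeast-2.compute.xxxxxx",
 has identified this incoming email as possible spam.
 Content analysis details:   (11.0 points, 5.0 required)
  pts rule name              description
 ---- ---------------------- --------------------------------------------------
  0.8 BAYES_50               BODY: Bayes spam probability is 40 to 60%
                             [score: 0.5004]
  0.0 FREEMAIL_FROM          Sender email is commonly abused enduser mail provider
                             (gsmartkids[at]gmail.com)
  0.0 SPF_NONE               SPF: sender does not publish an SPF Record
  0.0 SPF_HELO_NONE          SPF: HELO does not publish an SPF Record
  0.0 HTML_MESSAGE           BODY: HTML included in message
  0.8 RDNS_NONE              Delivered to internal network by a host with no rDNS
  3.4 GOOG_REDIR_NORDNS      Google redirect to obscure spamvertised website +
                             no rDNS
  2.5 PHP_ORIG_SCRIPT        Sent by bot & other signs
  1.5 SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS
  0.0 FILL_THIS_FORM         Fill in a form with personal information
  2.0 SPOOFED_FREEMAIL       No description available.
  0.6 SPOOF_GMAIL_MID        From Gmail but it doesn't seem to be...
 -0.6 TXREP                  TXREP: Score normalizing based on sender's reputation
Return-Path: gsmartkids@gmail.com
X-MS-Exchange-Organization-AuthAs: Anonymous
"""

# Constructed sample, abridged from Bob's reply: what a UTM-scanned message carries.
SASI_SAMPLE = """\
From: someone@example.com
X-SASI-Probability: 8%
X-SASI-RCODE: 200
X-SASI-Version: Antispam-Engine: 4.1.4, AntispamData: 2021.10.15.173315
"""

# One rule line of a SpamAssassin report: "  0.8 BAYES_50   description".
# Continuation lines ("[score: 0.5004]", "no rDNS") do not start with a number.
RULE_RE = re.compile(r"^\s*(-?\d+\.\d+)\s+([A-Z][A-Z0-9_]*)\s", re.MULTILINE)
THRESHOLD_RE = re.compile(r"\((-?[\d.]+) points, ([\d.]+) required\)")
HOST_RE = re.compile(r'running on the system "([^"]+)"')


def parse_rules(report):
    """Return [(points, rule), ...] from a folded X-Spam-Report value."""
    return [(float(pts), rule) for pts, rule in RULE_RE.findall(report)]


def triage(raw_headers):
    """Summarise which scanner touched the message and what it concluded."""
    # The default (compat32) policy keeps header folding, so the report
    # value is still line-structured and can be parsed line by line.
    msg = email.message_from_string(raw_headers)
    names = {k.lower() for k in msg.keys()}
    result = {
        "utm_smtp_proxy": any(k.startswith("x-sasi-") for k in names),
        "spamassassin_style": "x-spam-report" in names,
        "scanner_host": None, "score": None, "required": None, "flagged": None,
        "rules": [], "rules_sum_matches": None, "sasi_probability": None,
    }
    report = msg.get("X-Spam-Report")
    if report:
        host = HOST_RE.search(report)
        result["scanner_host"] = host.group(1) if host else None
        thr = THRESHOLD_RE.search(report)
        if thr:
            result["score"], result["required"] = float(thr.group(1)), float(thr.group(2))
        result["rules"] = parse_rules(report)
        # Rule points should add up to the headline score; a mismatch means the
        # report was truncated or altered somewhere along the delivery path.
        total = round(sum(p for p, _ in result["rules"]), 1)
        result["rules_sum_matches"] = result["score"] is not None and total == result["score"]
    if result["score"] is None and msg.get("X-Spam-Score"):
        result["score"] = float(msg["X-Spam-Score"])
    if result["score"] is not None and result["required"] is not None:
        result["flagged"] = result["score"] >= result["required"]
    prob = msg.get("X-SASI-Probability")
    if prob:
        result["sasi_probability"] = float(prob.strip().rstrip("%"))
    return result


if __name__ == "__main__":
    for label, raw in (("OP's message", SAMPLE_HEADERS), ("UTM-scanned message", SASI_SAMPLE)):
        r = triage(raw)
        engine = ("UTM SMTP proxy (X-SASI-*)" if r["utm_smtp_proxy"]
                  else "SpamAssassin-style scanner" if r["spamassassin_style"]
                  else "no scanner headers")
        print(f"{label}: {engine}; host={r['scanner_host']} score={r['score']} "
              f"required={r['required']} flagged={r['flagged']} "
              f"rules={len(r['rules'])} sum_ok={r['rules_sum_matches']}")
```

Run against the OP's headers it reports a SpamAssassin-style scanner, no X-SASI-* headers, 13 rule hits summing to the reported 11.0 against a 5.0 threshold, and `flagged=True`; against the X-SASI-* sample it reports the UTM SMTP proxy with an 8% spam probability and no threshold decision at all. The regex is anchored to the start of each folded line on purpose: it skips the "[score: ...]" and wrapped-description continuation lines without any special-casing.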