We are running Sophos UTM 9 on AWS marketplace and everything is up to date.
One of our users is getting a lot of spam a day, I had a look at the headers of the emails, the headers all look something below.
It seems that UTM marks it as possible spam but let it through, I am just wondering why it wasn't blocked?
X-PHP-Script: gsmartkids.com/index.php for 18.104.22.168
From: G-Smart Kids <firstname.lastname@example.org>
Reply-To: G-Smart Kids <email@example.com>
Date: Thu, 7 Oct 2021 09:14:34 -0400
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - custom25new.weblinkindia.net
X-AntiAbuse: Original Domain - xxxx.xxx.au
X-AntiAbuse: Originator/Caller UID/GID - [1055 993] / [47 12]
X-AntiAbuse: Sender Address Domain - gmail.com
X-Get-Message-Sender-Via: custom25new.weblinkindia.net: authenticated_id: gsmartkids/only user confirmed/virtual account not confirmed
X-Authenticated-Sender: custom25new.weblinkindia.net: gsmartkids
X-Spam-Report: Spam detection software, running on the system "ip-xxxxxxxxxx.xx-southeast-2.compute.xxxxxx",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
firstname.lastname@example.org for details.
Content preview: Dear TommyReilaMK Enquiry has been submitted with following
info : ?? [...]
Content analysis details: (11.0 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.8 BAYES_50 BODY: Bayes spam probability is 40 to 60%
0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
0.0 SPF_NONE SPF: sender does not publish an SPF Record
0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
0.0 HTML_MESSAGE BODY: HTML included in message
0.8 RDNS_NONE Delivered to internal network by a host with no rDNS
3.4 GOOG_REDIR_NORDNS Google redirect to obscure spamvertised website +
2.5 PHP_ORIG_SCRIPT Sent by bot & other signs
1.5 SPOOFED_FREEMAIL_NO_RDNS From SPOOFED_FREEMAIL and no rDNS
0.0 FILL_THIS_FORM Fill in a form with personal information
2.0 SPOOFED_FREEMAIL No description available.
0.6 SPOOF_GMAIL_MID From Gmail but it doesn't seem to be...
-0.6 TXREP TXREP: Score normalizing based on sender's reputation
Content-Type: multipart/alternative; boundary="B_3716526623_2008493348"
This thread was automatically locked due to age.