This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Updated from Astaro to Sophos UTM 9; Antispam performance is dismal

I upgraded from Astaro 8 to Sophos UTM 9, I'm using pretty much the same mail protection settings, but my spam messages per day went from 3 total to a few hundred. I'm drowning in annoying spam mail. I don't see a setting anywhere to change the "Spam Confidence Level", the only settings I see are to Quarantine Spam, and Blackhole "Confirmed Spam"; however this new version seems to be blocking a whole lot less than it used to.

Any advice?

This thread was automatically locked due to age.

Parents

0 SLGizmo over 11 years ago

I know this is an old thread but I am also still seeing a lot of spam coming through the system such as the following.

4:33:12 my.firewall exim-in[5260]: 2013-06-23 14:33:12 SMTP connection from [196.22.132.196]:49637 (TCP/IP connection count = 1)
2013:06:23-14:33:15 my.firewall exim-in[2358]: 2013-06-23 14:33:15 [196.22.132.196] F= R= Verifying recipient address with callout
2013:06:23-14:33:16 my.firewall exim-in[2358]: 2013-06-23 14:33:16 1Uqp6B-0000c2-1S ctasd reports 'Unknown' RefID:str=0001.0A090205.51C73FB8.0002,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
2013:06:23-14:33:16 my.firewall exim-in[2358]: 2013-06-23 14:33:16 1Uqp6B-0000c2-1S Greylisting: Successful greylist retry from 196.22.132.196 (original host was 196.22.132.196/32)
2013:06:23-14:33:16 my.firewall exim-in[2358]: 2013-06-23 14:33:16 1Uqp6B-0000c2-1S keisha_emerson@theexpeditionproject.com H=dedi96.jnb1.host-h.net [196.22.132.196]:49637 P=esmtps X=TLSv1:AES256-SHA:256 S=1431 id=E1UqokO-0001LP-Po@dedi96.jnb1.host-h.net
2013:06:23-14:33:16 my.firewall exim-in[2358]: 2013-06-23 14:33:16 SMTP connection from dedi96.jnb1.host-h.net [196.22.132.196]:49637 closed by QUIT
2013:06:23-14:33:17 my.firewall smtpd[5223]: QMGR[5223]: 1Uqp6B-0000c2-1S moved to work queue
2013:06:23-14:33:20 my.firewall smtpd[2363]: SCANNER[2363]: 1Uqp6G-0000c7-C3 keisha_emerson@theexpeditionproject.com R=1Uqp6B-0000c2-1S P=INPUT S=142
2013:06:23-14:33:20 my.firewall smtpd[2363]: SCANNER[2363]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="196.22.132.196" from="keisha_emerson@theexpeditionproject.com" to="me@home.com" subject="check the result" queueid="1Uqp6G-0000c7-C3" size="142"
2013:06:23-14:33:20 my.firewall smtpd[2363]: SCANNER[2363]: 1Uqp6B-0000c2-1S => work R=SCANNER T=SCANNER
2013:06:23-14:33:20 my.firewall smtpd[2363]: SCANNER[2363]: 1Uqp6B-0000c2-1S Completed
2013:06:23-14:33:20 my.firewall exim-out[2371]: 2013-06-23 14:33:20 1Uqp6G-0000c7-C3 => me@home.com P= R=static_route_hostlist T=static_smtp H=10.1.4.18 [10.1.4.18]:25 X=TLSv1:AES128-SHA:128 C="250 2.6.0 [InternalId=15] Queued mail for delivery"
2013:06:23-14:33:20 my.firewall exim-out[2371]: 2013-06-23 14:33:20 1Uqp6G-0000c7-C3 Completed
2013:06:23-14:33:34 my.firewall smtpd[5174]: MASTER[5174]: (Re-)loading configuration from Confd
2013:06:23-14:33:34 my.firewall smtpd[5174]: MASTER[5174]: Past 07:00:00, QR status one set to 'sent'
2013:06:23-14:33:34 my.firewall smtpd[5174]: MASTER[5174]: Before 16:00:00, QR status two set to 'pending'
2013:06:23-14:33:34 my.firewall exim-in[5260]: 2013-06-23 14:33:34 pid 5260: SIGHUP received: re-exec daemon
2013:06:23-14:33:34 my.firewall exim-in[5260]: 2013-06-23 14:33:34 exim 4.76 daemon started: pid=5260, no queue runs, listening for SMTP on port 25 (IPv6 and IPv4) port 587 (IPv6 and IPv4) and for SMTPS on port 465 (IPv6 and IPv4)
Cancel
Vote Up 0 Vote Down

Cancel
0 William Warren over 11 years ago in reply to SLGizmo

I know this is an old thread but I am also still seeing a lot of spam coming through the system such as the following.

4:33:12 my.firewall exim-in[5260]: 2013-06-23 14:33:12 SMTP connection from [196.22.132.196]:49637 (TCP/IP connection count = 1)
2013:06:23-14:33:15 my.firewall exim-in[2358]: 2013-06-23 14:33:15 [196.22.132.196] F= R= Verifying recipient address with callout
2013:06:23-14:33:16 my.firewall exim-in[2358]: 2013-06-23 14:33:16 1Uqp6B-0000c2-1S ctasd reports 'Unknown' RefID:str=0001.0A090205.51C73FB8.0002,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
2013:06:23-14:33:16 my.firewall exim-in[2358]: 2013-06-23 14:33:16 1Uqp6B-0000c2-1S Greylisting: Successful greylist retry from 196.22.132.196 (original host was 196.22.132.196/32)
2013:06:23-14:33:16 my.firewall exim-in[2358]: 2013-06-23 14:33:16 1Uqp6B-0000c2-1S keisha_emerson@theexpeditionproject.com H=dedi96.jnb1.host-h.net [196.22.132.196]:49637 P=esmtps X=TLSv1:AES256-SHA:256 S=1431 id=E1UqokO-0001LP-Po@dedi96.jnb1.host-h.net
2013:06:23-14:33:16 my.firewall exim-in[2358]: 2013-06-23 14:33:16 SMTP connection from dedi96.jnb1.host-h.net [196.22.132.196]:49637 closed by QUIT
2013:06:23-14:33:17 my.firewall smtpd[5223]: QMGR[5223]: 1Uqp6B-0000c2-1S moved to work queue
2013:06:23-14:33:20 my.firewall smtpd[2363]: SCANNER[2363]: 1Uqp6G-0000c7-C3 keisha_emerson@theexpeditionproject.com R=1Uqp6B-0000c2-1S P=INPUT S=142
2013:06:23-14:33:20 my.firewall smtpd[2363]: SCANNER[2363]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="196.22.132.196" from="keisha_emerson@theexpeditionproject.com" to="me@home.com" subject="check the result" queueid="1Uqp6G-0000c7-C3" size="142"
2013:06:23-14:33:20 my.firewall smtpd[2363]: SCANNER[2363]: 1Uqp6B-0000c2-1S => work R=SCANNER T=SCANNER
2013:06:23-14:33:20 my.firewall smtpd[2363]: SCANNER[2363]: 1Uqp6B-0000c2-1S Completed
2013:06:23-14:33:20 my.firewall exim-out[2371]: 2013-06-23 14:33:20 1Uqp6G-0000c7-C3 => me@home.com P= R=static_route_hostlist T=static_smtp H=10.1.4.18 [10.1.4.18]:25 X=TLSv1:AES128-SHA:128 C="250 2.6.0 [InternalId=15] Queued mail for delivery"
2013:06:23-14:33:20 my.firewall exim-out[2371]: 2013-06-23 14:33:20 1Uqp6G-0000c7-C3 Completed
2013:06:23-14:33:34 my.firewall smtpd[5174]: MASTER[5174]: (Re-)loading configuration from Confd
2013:06:23-14:33:34 my.firewall smtpd[5174]: MASTER[5174]: Past 07:00:00, QR status one set to 'sent'
2013:06:23-14:33:34 my.firewall smtpd[5174]: MASTER[5174]: Before 16:00:00, QR status two set to 'pending'
2013:06:23-14:33:34 my.firewall exim-in[5260]: 2013-06-23 14:33:34 pid 5260: SIGHUP received: re-exec daemon
2013:06:23-14:33:34 my.firewall exim-in[5260]: 2013-06-23 14:33:34 exim 4.76 daemon started: pid=5260, no queue runs, listening for SMTP on port 25 (IPv6 and IPv4) port 587 (IPv6 and IPv4) and for SMTPS on port 465 (IPv6 and IPv4)

what dns servers are you using for the utm?

Owner: Emmanuel Technology Consulting

http://etc-md.com

Former Sophos SG(Astaro) advocate/researcher/Silver Partner

PfSense w/Suricata, ntopng,

Other addons to follow
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 William Warren over 11 years ago in reply to SLGizmo

I know this is an old thread but I am also still seeing a lot of spam coming through the system such as the following.

4:33:12 my.firewall exim-in[5260]: 2013-06-23 14:33:12 SMTP connection from [196.22.132.196]:49637 (TCP/IP connection count = 1)
2013:06:23-14:33:15 my.firewall exim-in[2358]: 2013-06-23 14:33:15 [196.22.132.196] F= R= Verifying recipient address with callout
2013:06:23-14:33:16 my.firewall exim-in[2358]: 2013-06-23 14:33:16 1Uqp6B-0000c2-1S ctasd reports 'Unknown' RefID:str=0001.0A090205.51C73FB8.0002,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
2013:06:23-14:33:16 my.firewall exim-in[2358]: 2013-06-23 14:33:16 1Uqp6B-0000c2-1S Greylisting: Successful greylist retry from 196.22.132.196 (original host was 196.22.132.196/32)
2013:06:23-14:33:16 my.firewall exim-in[2358]: 2013-06-23 14:33:16 1Uqp6B-0000c2-1S keisha_emerson@theexpeditionproject.com H=dedi96.jnb1.host-h.net [196.22.132.196]:49637 P=esmtps X=TLSv1:AES256-SHA:256 S=1431 id=E1UqokO-0001LP-Po@dedi96.jnb1.host-h.net
2013:06:23-14:33:16 my.firewall exim-in[2358]: 2013-06-23 14:33:16 SMTP connection from dedi96.jnb1.host-h.net [196.22.132.196]:49637 closed by QUIT
2013:06:23-14:33:17 my.firewall smtpd[5223]: QMGR[5223]: 1Uqp6B-0000c2-1S moved to work queue
2013:06:23-14:33:20 my.firewall smtpd[2363]: SCANNER[2363]: 1Uqp6G-0000c7-C3 keisha_emerson@theexpeditionproject.com R=1Uqp6B-0000c2-1S P=INPUT S=142
2013:06:23-14:33:20 my.firewall smtpd[2363]: SCANNER[2363]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="196.22.132.196" from="keisha_emerson@theexpeditionproject.com" to="me@home.com" subject="check the result" queueid="1Uqp6G-0000c7-C3" size="142"
2013:06:23-14:33:20 my.firewall smtpd[2363]: SCANNER[2363]: 1Uqp6B-0000c2-1S => work R=SCANNER T=SCANNER
2013:06:23-14:33:20 my.firewall smtpd[2363]: SCANNER[2363]: 1Uqp6B-0000c2-1S Completed
2013:06:23-14:33:20 my.firewall exim-out[2371]: 2013-06-23 14:33:20 1Uqp6G-0000c7-C3 => me@home.com P= R=static_route_hostlist T=static_smtp H=10.1.4.18 [10.1.4.18]:25 X=TLSv1:AES128-SHA:128 C="250 2.6.0 [InternalId=15] Queued mail for delivery"
2013:06:23-14:33:20 my.firewall exim-out[2371]: 2013-06-23 14:33:20 1Uqp6G-0000c7-C3 Completed
2013:06:23-14:33:34 my.firewall smtpd[5174]: MASTER[5174]: (Re-)loading configuration from Confd
2013:06:23-14:33:34 my.firewall smtpd[5174]: MASTER[5174]: Past 07:00:00, QR status one set to 'sent'
2013:06:23-14:33:34 my.firewall smtpd[5174]: MASTER[5174]: Before 16:00:00, QR status two set to 'pending'
2013:06:23-14:33:34 my.firewall exim-in[5260]: 2013-06-23 14:33:34 pid 5260: SIGHUP received: re-exec daemon
2013:06:23-14:33:34 my.firewall exim-in[5260]: 2013-06-23 14:33:34 exim 4.76 daemon started: pid=5260, no queue runs, listening for SMTP on port 25 (IPv6 and IPv4) port 587 (IPv6 and IPv4) and for SMTPS on port 465 (IPv6 and IPv4)

what dns servers are you using for the utm?

Owner: Emmanuel Technology Consulting

http://etc-md.com

Former Sophos SG(Astaro) advocate/researcher/Silver Partner

PfSense w/Suricata, ntopng,

Other addons to follow
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data