
Is it possible to create an exception for the "Sender blacklist"?

Hi,

Because of a recent spam attack that one of my customers faced, I blocked their own domain with the "Sender Blacklist" option. In general this works because the SMTP proxy does not block (probably because of the allowed relay settings) mails where the sender address is from the customer's mail domain. The result is that only mails from unknown hosts are blocked.

But in this case, the customer gets inbound emails from two other trusted mail systems that should be allowed to send mails with the customer's domain. Because of this, I wanted to create an exception. But it seems that this is not possible... I thought I could use an "antispam checking" exception to bypass the sender blacklist....

Any ideas? What about the expression blocking? To what part of the mail is it applied? Can I use this to match the sender address or domain?



  • Same problem here - I tried an exception for the sending IP address and another one for the sending from name - nothing worked. The SMTP log shows that the exception is recognized but the mail is still dropped.

    2016:01:29-22:23:09 verw-asg320-01-1 exim-in[2298]: 2016-01-29 22:23:09 SMTP connection from [192.168.200.1]:56529 (TCP/IP connection count = 1)
    2016:01:29-22:23:09 verw-asg320-01-1 exim-in[13238]: 2016-01-29 22:23:09 H=myhost.mydomain.de (myhost) [192.168.200.1]:56529 Warning: Exception matched: Skipping greylisting for this message
    2016:01:29-22:23:09 verw-asg320-01-1 exim-in[13238]: 2016-01-29 22:23:09 H=myhost.mydomain.de (myhost) [192.168.200.1]:56529 Warning: Exception matched: Skipping antispam for this message
    2016:01:29-22:23:09 verw-asg320-01-1 exim-in[13238]: 2016-01-29 22:23:09 H=myhost.mydomain.de (myhost) [192.168.200.1]:56529 Warning: mydomain.de profile excludes AV scan: Skipping SMTP inline AV scan for this message
    2016:01:29-22:23:09 verw-asg320-01-1 exim-in[13238]: 2016-01-29 22:23:09 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="192.168.200.1" from="monitor@mydomain.de" to="me@mydomain.de" size="-1" reason="sender_blacklist" extra="monitor@mydomain.de blacklisted"
    2016:01:29-22:23:09 verw-asg320-01-1 exim-in[13238]: 2016-01-29 22:23:09 H=myhost.mydomain.de (myhost) [192.168.200.1]:56529 F=<monitor@mydomain.de> rejected RCPT <me@mydomain.de>: Access denied (sender blacklisted)
    2016:01:29-22:23:09 verw-asg320-01-1 exim-in[13238]: 2016-01-29 22:23:09 SMTP connection from myhost.mydomain.de (myhost) [192.168.200.1]:56529 closed by DROP in ACL

    Version is 9.317-5

    Regards
    Manfred
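The pattern in the log excerpt above (an "Exception matched" line followed by a `sender_blacklist` rejection on the same connection) can be searched for across a whole SMTP log. This is an added example, not part of the original thread or Sophos code; the sample lines are constructed in the same layout with placeholder hosts, and correlating lines by the exim PID is an assumption based on the excerpt.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the excerpt above; hosts and addresses are placeholders.
SAMPLE_LOG = """\
2016:01:29-22:23:09 utm exim-in[13238]: 2016-01-29 22:23:09 H=myhost.example.org (myhost) [192.0.2.10]:56529 Warning: Exception matched: Skipping greylisting for this message
2016:01:29-22:23:09 utm exim-in[13238]: 2016-01-29 22:23:09 H=myhost.example.org (myhost) [192.0.2.10]:56529 Warning: Exception matched: Skipping antispam for this message
2016:01:29-22:23:09 utm exim-in[13238]: 2016-01-29 22:23:09 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="192.0.2.10" from="monitor@example.org" to="me@example.org" size="-1" reason="sender_blacklist" extra="monitor@example.org blacklisted"
2016:01:29-22:23:09 utm exim-in[13238]: 2016-01-29 22:23:09 SMTP connection from myhost.example.org (myhost) [192.0.2.10]:56529 closed by DROP in ACL
2016:01:29-22:25:41 utm exim-in[13301]: 2016-01-29 22:25:41 id="1003" severity="info" sys="SecureMail" sub="smtp" name="email rejected" srcip="203.0.113.7" from="spoof@example.org" to="me@example.org" size="-1" reason="sender_blacklist" extra="spoof@example.org blacklisted"
2016:01:29-22:25:41 utm exim-in[13301]: 2016-01-29 22:25:41 SMTP connection from [203.0.113.7]:40112 closed by DROP in ACL
"""

PID_RE = re.compile(r"exim-in\[(\d+)\]:")
EXC_RE = re.compile(r"Exception matched: Skipping (\S+) for this message")
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def blacklist_rejects_despite_exception(log_text):
    """Return sender_blacklist rejections on connections where an exception had matched."""
    skipped = defaultdict(list)  # exim PID -> checks skipped by exceptions
    findings = []
    for line in log_text.splitlines():
        pid_match = PID_RE.search(line)
        if not pid_match:
            continue
        pid = pid_match.group(1)
        exc = EXC_RE.search(line)
        if exc:
            skipped[pid].append(exc.group(1))
            continue
        fields = dict(KV_RE.findall(line))
        if (fields.get("name") == "email rejected"
                and fields.get("reason") == "sender_blacklist"
                and skipped.get(pid)):
            findings.append({"srcip": fields.get("srcip"), "from": fields.get("from"),
                             "to": fields.get("to"), "skipped": list(skipped[pid])})
        if "closed by" in line:
            skipped.pop(pid, None)  # PIDs are reused; reset state per connection
    return findings


if __name__ == "__main__":
    for hit in blacklist_rejects_despite_exception(SAMPLE_LOG):
        print(hit)
```

Only the first constructed connection is reported: the second is a plain blacklist rejection with no exception involved.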

  • Hello Manfred,

    I think the UTM recognizes the exception for the antivirus scan only:

    "mydomain.de profile excludes AV scan: Skipping SMTP inline AV scan for this message"

    To me it seems that this simple function is not implemented so far:
    feature.astaro.com/.../6996061-email-exceptions-to-anti-spam-sender-blacklist


    Regards
    Sebastian
  • Guys, do you have SPF configured?

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • No SPF record for our domain (yet...). But shouldn't the exception work anyway?

    Regards
    Manfred
  • SPF is not that hard to configure and should work for this, Manfred. I don't think using Sender Blacklist and trying to create an Exception for your mail server will consistently give the desired result, but I've not tried it.

    Cheers - Bob
     
  • Yes, an SPF record may be a solution for your own domain, but there could also be disadvantages. For the implementation it's necessary to consider all systems that should be allowed to send email with your domain names. You even have to think about forwardings and newsletters etc.... I think it should be carefully planned.

    But for me the question is how the SPF check is weighted in the Sophos spam calculation algorithm. Spammers also learned to create SPF records. E.g.: if the SPF record for a spammer's domain is present and fits the sending system, are all other spam checks disabled then? Because if I activate the SPF check I don't want to receive mails from spammers that adopted the feature....

    Is there some more detailed information available regarding the spam filtering algorithm?


    Best Regards
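The planning step raised in the post above, checking every system that sends with the domain against the SPF record before relying on it, can be done offline for the `ip4`/`ip6` part of a record. This is an added example, not from the thread or from Sophos; the record, host names and addresses are constructed, and mechanisms that need DNS (`include`, `a`, `mx`, ...) are reported as `needs-dns` rather than resolved.

```python
import ipaddress

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed record and sender inventory (documentation address ranges).
RECORD = "v=spf1 ip4:192.0.2.10 ip4:198.51.100.0/28 ip6:2001:db8::/32 -all"
SENDERS = {
    "own-mx": "192.0.2.10",
    "trusted-relay-a": "198.51.100.5",
    "trusted-relay-b": "203.0.113.20",  # deliberately missing from RECORD
}


def spf_ip_result(record, sender_ip):
    """Evaluate the ip4/ip6/all mechanisms of an SPF record, left to right, for one IP."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    for term in terms[1:]:
        result = "pass"  # default qualifier is "+"
        if term[0] in QUALIFIERS:
            result, term = QUALIFIERS[term[0]], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return result
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return result
        else:
            # include/a/mx/exists/ptr and modifiers need DNS; stop instead of guessing.
            return "needs-dns"
    return "neutral"  # no mechanism matched and there is no "all"


def coverage_gaps(record, senders):
    """Names of legitimate senders that would not get an SPF pass."""
    return [name for name, ip in senders.items() if spf_ip_result(record, ip) != "pass"]


if __name__ == "__main__":
    for name, ip in SENDERS.items():
        print(f"{name:16} {ip:15} {spf_ip_result(RECORD, ip)}")
    print("gaps:", coverage_gaps(RECORD, SENDERS))
```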
  • There is no weighting. The algorithm is simple - apply the checks one after the other, if none fails and the mail content is not graded as spam by ctasd's lookup, it is delivered. SPF is one of the SMTP-time checks that occurs before the content is received and (educated guess) after RBLs, the Sender Blacklist and rDNS.

    Cheers - Bob
     
  • We do have SPF records configured for our domains but it won't block e-mail from other hosts.
    So we have set our own domain (*@ourdomain.nl) in the sender blacklist and need one trusted host to be able to send email from our domain to internal people.

    I have learned that an exception is not possible at this time but I have figured out a workaround:
    1) Create a NAT/Firewall rule for this trusted host and forward it to the mail server, i.e. Exchange Server
    2) On Exchange configure this trusted IP for relaying.
    This has worked for us as a workaround but the exception feature would be helpful.
  • Hi Patrick,

    Did you configure the SPF settings correctly and did you activate the SPF check in the Antispam-->Advanced Antispam Features settings? If this didn't work, you should probably open a support case....
  • Hi Roesch4alc,

    Yes, we have correct SPF records for our e-mail domain. Also I saw many other people with the same feature request. I hope that Sophos will add an exception possibility for this security option.
    Because I have a workaround I posted it to this thread.

    Grtz Patrick