
Outgoing e-mail classified as Spam Confirmed

Hi.


I have a user whose outgoing e-mails are marked as Spam (Confirmed) even though I've been releasing his e-mails and reporting them as false positives. We're talking about really innocent e-mails here: no attachments, just plain text. Because it says 'confirmed' I'm curious where the 'confirmed' comes from. Does it mean he's blacklisted somewhere and, if so, based on sender address or on IP? Probably IP, because if every single mail he sent were blocked, I guess I would've had more complaints.


Thanks for your advice.

J. Janssens



  • Hi, and welcome to the UTM Community!

    The spam is "Confirmed" because it looks like something ctasd (CommTouch AntiSpam Daemon) has been told that its content is too similar to known spams.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thank you for your reply Bob.

    That doesn't make much sense though: I looked at the content of his last blocked message and the content was the following:

    "Hello Mr. X,
    Can You give me information about status of work with PC Y, which was prepared yesterday?
    Thank You
    Best Regards
    Z"

    This is a direct quote, except for X, Y and Z of course.

    But anyway: this happens to a lot of his e-mails with the same kind of innocent content. Mails containing single sentences like "Thank you for your invitation. I'll be there." get blocked. I really don't see what can trigger the spam filter. I understand even less why it only happens to this specific user and to none of his colleagues. The only difference - it might be relevant - is that he doesn't work in the office but travels the world. He has a connection to Exchange over an Edge server, not through VPN, so his sender IP changes daily.

    --------------------

    J. Janssens

    Sophos Certified Architect
    Sophos Certified Engineer
    Sophos Certified Sales Consultant
    Gold Partner

  • Please show the SMTP log file lines related to this email.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob. Thanks again for your reply.

    2016:02:06-09:29:53 DOMAIN-UTM01 exim-in[22254]: 2016-02-06 09:29:53 [192.168.10.1] F=<my.user@mydomain.com> R=<someone@otherdomain.com> Accepted: from relay
    2016:02:06-09:29:54 DOMAIN-UTM01 exim-in[22254]: 2016-02-06 09:29:54 1aRyFd-0005mw-2S ctasd reports 'Confirmed' RefID:str=0001.0A0C0202.56B5AF02.001A,ss=4,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=12
    2016:02:06-09:29:54 DOMAIN-UTM01 exim-in[22254]: 2016-02-06 09:29:54 1aRyFd-0005mw-2S <= my.user@mydomain.com H=exchange.mydomain.local (mail.mydomain.com) [192.168.10.1]:10226 P=esmtps X=TLSv1:AES128-SHA:128 S=133939 id=003701d160b8$90a7a590$b1f6f0b0$@mydomain.com
    2016:02:06-09:29:54 DOMAIN-UTM01 exim-in[22254]: 2016-02-06 09:29:54 SMTP connection from exchange.mydomain.local (mail.mydomain.com) [192.168.10.1]:10226 closed by QUIT
    2016:02:06-09:29:55 DOMAIN-UTM01 exim-in[22248]: 2016-02-06 09:29:55 server_login authenticator failed for (192.168.0.100) [99.99.99.99]:60243: 535 Incorrect authentication data (set_id=postfix)
    2016:02:06-09:29:55 DOMAIN-UTM01 exim-in[22248]: 2016-02-06 09:29:55 SMTP connection from (192.168.0.100) [99.99.99.99]:60243 lost (error: Connection reset by peer)
    2016:02:06-09:29:55 DOMAIN-UTM01 smtpd[7298]: QMGR[7298]: 1aRyFd-0005mw-2S moved to work queue
    2016:02:06-09:29:56 DOMAIN-UTM01 exim-in[7303]: 2016-02-06 09:29:56 SMTP connection from [99.99.99.99]:62565 (TCP/IP connection count = 1)
    2016:02:06-09:30:00 DOMAIN-UTM01 smtpd[22272]: SCANNER[22272]: 1aRyFk-0005nE-5k <= my.user@mydomain.com R=1aRyFd-0005mw-2S P=INPUT S=132431
    2016:02:06-09:30:00 DOMAIN-UTM01 exim-out[22283]: 2016-02-06 09:30:00 Start queue run: pid=22283
    2016:02:06-09:30:00 DOMAIN-UTM01 exim-out[22283]: 2016-02-06 09:30:00 End queue run: pid=22283
    2016:02:06-09:30:00 DOMAIN-UTM01 exim-in[22265]: 2016-02-06 09:30:00 server_login authenticator failed for (192.168.0.100) [99.99.99.99]:62565: 535 Incorrect authentication data (set_id=postgres)
    2016:02:06-09:30:00 DOMAIN-UTM01 smtpd[22272]: SCANNER[22272]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="192.168.10.1" from="my.user@mydomain.com" to="someone@otherdomain.com" subject="Re: Adobe PDF Problem/ Outlook" queueid="1aRyFk-0005nE-5k" size="132431" reason="as" extra="confirmed"
    2016:02:06-09:30:00 DOMAIN-UTM01 smtpd[22272]: SCANNER[22272]: 1aRyFd-0005mw-2S Sending 'Message delivery incomplete' notification to my.user@mydomain.com
    2016:02:06-09:30:00 DOMAIN-UTM01 exim-out[22287]: 2016-02-06 09:30:00 SMTP connection from MailerDaemon
    2016:02:06-09:30:00 DOMAIN-UTM01 exim-out[22287]: 2016-02-06 09:30:00 1aRyFk-0005nT-29 <= <> R=1aRyFd-0005mw-2S U=MailerDaemon P=local-bsmtp S=947
    2016:02:06-09:30:00 DOMAIN-UTM01 smtpd[22272]: SCANNER[22272]: 1aRyFd-0005mw-2S => work R=SCANNER T=SCANNER
    2016:02:06-09:30:00 DOMAIN-UTM01 smtpd[22272]: SCANNER[22272]: 1aRyFd-0005mw-2S Completed


    Hope I have everything relevant and not too much irrelevant. Obviously I anonymized the data.

    Edit: OK, this logging looks terrible in my post, however hard I try to format it... looks a lot smaller and less complicated if pasted into Notepad++ or so.



    --------------------

    J. Janssens

    Sophos Certified Architect
    Sophos Certified Engineer
    Sophos Certified Sales Consultant
    Gold Partner
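    As an added illustration of how to read the lines above (my own example, not a Sophos tool and not code from this thread), here is a small Python parser that follows the inbound Exim queue id through the ctasd verdict, the scanner's re-queued id and the "email quarantined" event, and separately lists the failed SMTP AUTH attempts that happen to be interleaved in the same window. The LOG sample is the anonymized log posted above, embedded verbatim; the RefID field names (ss, re, cl, cld, fgs, ...) are extracted exactly as they appear, with no claim about what they mean.

```python
"""Follow one message through a Sophos UTM SMTP log (exim-in / smtpd lines).

Added example for the forum thread; the sample LOG is the poster's anonymized
log, not a live capture. Nothing here is a Sophos API."""
import re

# Constructed sample: the anonymized lines from the thread, unchanged.
LOG = """\
2016:02:06-09:29:53 DOMAIN-UTM01 exim-in[22254]: 2016-02-06 09:29:53 [192.168.10.1] F=<my.user@mydomain.com> R=<someone@otherdomain.com> Accepted: from relay
2016:02:06-09:29:54 DOMAIN-UTM01 exim-in[22254]: 2016-02-06 09:29:54 1aRyFd-0005mw-2S ctasd reports 'Confirmed' RefID:str=0001.0A0C0202.56B5AF02.001A,ss=4,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=12
2016:02:06-09:29:54 DOMAIN-UTM01 exim-in[22254]: 2016-02-06 09:29:54 1aRyFd-0005mw-2S <= my.user@mydomain.com H=exchange.mydomain.local (mail.mydomain.com) [192.168.10.1]:10226 P=esmtps X=TLSv1:AES128-SHA:128 S=133939 id=003701d160b8$90a7a590$b1f6f0b0$@mydomain.com
2016:02:06-09:29:54 DOMAIN-UTM01 exim-in[22254]: 2016-02-06 09:29:54 SMTP connection from exchange.mydomain.local (mail.mydomain.com) [192.168.10.1]:10226 closed by QUIT
2016:02:06-09:29:55 DOMAIN-UTM01 exim-in[22248]: 2016-02-06 09:29:55 server_login authenticator failed for (192.168.0.100) [99.99.99.99]:60243: 535 Incorrect authentication data (set_id=postfix)
2016:02:06-09:29:55 DOMAIN-UTM01 exim-in[22248]: 2016-02-06 09:29:55 SMTP connection from (192.168.0.100) [99.99.99.99]:60243 lost (error: Connection reset by peer)
2016:02:06-09:29:55 DOMAIN-UTM01 smtpd[7298]: QMGR[7298]: 1aRyFd-0005mw-2S moved to work queue
2016:02:06-09:29:56 DOMAIN-UTM01 exim-in[7303]: 2016-02-06 09:29:56 SMTP connection from [99.99.99.99]:62565 (TCP/IP connection count = 1)
2016:02:06-09:30:00 DOMAIN-UTM01 smtpd[22272]: SCANNER[22272]: 1aRyFk-0005nE-5k <= my.user@mydomain.com R=1aRyFd-0005mw-2S P=INPUT S=132431
2016:02:06-09:30:00 DOMAIN-UTM01 exim-in[22265]: 2016-02-06 09:30:00 server_login authenticator failed for (192.168.0.100) [99.99.99.99]:62565: 535 Incorrect authentication data (set_id=postgres)
2016:02:06-09:30:00 DOMAIN-UTM01 smtpd[22272]: SCANNER[22272]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="192.168.10.1" from="my.user@mydomain.com" to="someone@otherdomain.com" subject="Re: Adobe PDF Problem/ Outlook" queueid="1aRyFk-0005nE-5k" size="132431" reason="as" extra="confirmed"
2016:02:06-09:30:00 DOMAIN-UTM01 smtpd[22272]: SCANNER[22272]: 1aRyFd-0005mw-2S Sending 'Message delivery incomplete' notification to my.user@mydomain.com
2016:02:06-09:30:00 DOMAIN-UTM01 exim-out[22287]: 2016-02-06 09:30:00 1aRyFk-0005nT-29 <= <> R=1aRyFd-0005mw-2S U=MailerDaemon P=local-bsmtp S=947
2016:02:06-09:30:00 DOMAIN-UTM01 smtpd[22272]: SCANNER[22272]: 1aRyFd-0005mw-2S Completed
"""

# "<qid> ctasd reports '<Verdict>' RefID:str=<id>,k=v,k=v..."
CTASD_RE = re.compile(r"(?P<qid>\S+) ctasd reports '(?P<verdict>\w+)' RefID:str=(?P<refid>[^,]+),(?P<kv>\S+)")
# key="value" attributes of the structured SecureMail events
KV_QUOTED_RE = re.compile(r'(\w+)="([^"]*)"')
# scanner re-queues the message under a new id and records the inbound id as R=
SCANNER_LINK_RE = re.compile(r"SCANNER\[\d+\]: (?P<new>\S+) <= \S+ R=(?P<orig>\S+)")
# failed SMTP AUTH: "(helo) [ip]:port: 535 ... (set_id=user)"
AUTH_FAIL_RE = re.compile(r"authenticator failed for \((?P<helo>[^)]*)\) \[(?P<ip>[\d.]+)\]:\d+: 535 .*set_id=(?P<user>\w+)")


def parse_ctasd_verdicts(log):
    """Map inbound queue id -> ctasd verdict, RefID and the comma-separated numeric fields."""
    verdicts = {}
    for line in log.splitlines():
        m = CTASD_RE.search(line)
        if not m:
            continue
        fields = {}
        for pair in m.group("kv").split(","):
            key, _, value = pair.partition("=")
            try:
                fields[key] = float(value) if "." in value else int(value)
            except ValueError:
                fields[key] = value  # keep non-numeric values as-is
        verdicts[m.group("qid")] = {"verdict": m.group("verdict"), "refid": m.group("refid"), "fields": fields}
    return verdicts


def parse_quarantine_events(log):
    """Return every 'email quarantined' event as a dict of its key="value" attributes."""
    return [dict(KV_QUOTED_RE.findall(line)) for line in log.splitlines() if 'name="email quarantined"' in line]


def link_queue_ids(log):
    """Map the scanner's re-queued id back to the inbound id it was derived from."""
    links = {}
    for line in log.splitlines():
        m = SCANNER_LINK_RE.search(line)
        if m:
            links[m.group("new")] = m.group("orig")
    return links


def failed_auth_attempts(log):
    """Unrelated to the spam verdict but visible in the same window: (source ip, attempted user)."""
    return [(m.group("ip"), m.group("user")) for m in map(AUTH_FAIL_RE.search, log.splitlines()) if m]


def trace_message(log, inbound_qid):
    """Summarise what happened to one inbound queue id: verdict, re-queue, quarantine."""
    verdict = parse_ctasd_verdicts(log).get(inbound_qid)
    scanner_ids = {new for new, orig in link_queue_ids(log).items() if orig == inbound_qid}
    quarantined = [e for e in parse_quarantine_events(log) if e.get("queueid") in scanner_ids]
    first = quarantined[0] if quarantined else {}
    return {
        "inbound_qid": inbound_qid,
        "ctasd_verdict": verdict["verdict"] if verdict else None,
        "ctasd_fields": verdict["fields"] if verdict else {},
        "scanner_qids": sorted(scanner_ids),
        "quarantined": bool(quarantined),
        "quarantine_reason": (first.get("reason"), first.get("extra")) if quarantined else None,
        "subject": first.get("subject"),
    }


if __name__ == "__main__":
    for key, value in trace_message(LOG, "1aRyFd-0005mw-2S").items():
        print(f"{key}: {value}")
    print("failed SMTP AUTH attempts:", failed_auth_attempts(LOG))
```

    Run against the sample it reports the inbound id 1aRyFd-0005mw-2S with verdict Confirmed, the scanner id 1aRyFk-0005nE-5k, and the quarantine with reason "as" / extra "confirmed", which is the chain the poster is asking about. The two 535 failures from 99.99.99.99 trying the usernames postfix and postgres are a separate finding that a defender would want pulled out of the same log rather than mistaken for part of this message's story.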

  • "ctasd reports 'Confirmed'" - I suggest that he add a signature block in the device he's using to write emails and that he get into the habit of leaving an empty line after the greeting, the body and the closing of his messages. The alternative would be to whitelist his emails for anti-spam, but that would seem reckless to me unless he owns the company and can order you to do that.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob. Thanks again.

    The big mystery to me is still the same: why is it marked as "spam confirmed"? I can't force my users to write properly structured e-mails. Also, any algorithm assuming spam solely based on that would generate many more victims than just this single user. He's not the only one writing one-word e-mails sometimes.

    This particular user is one of the three owners of that company, so if I don't find a better solution I will be forced to whitelist him indeed - which would be a very bad alternative solution just like you said. From his business point of view, e-mails getting lost are worse of course.

    --------------------

    J. Janssens

    Sophos Certified Architect
    Sophos Certified Engineer
    Sophos Certified Sales Consultant
    Gold Partner

  • For every email where the DATA is received, ctasd calculates a string that represents the form and content of the message. This is sent to a CommTouch (now CYREN) server in the cloud where it is compared to known-spam strings. The report is either that it's not spam, bulk or confirmed. I usually send bulk to the Quarantine and confirmed is rejected.

    Again, the simplest way for your owner to fix this would be simply to configure his email client in his phone to add a signature block automatically.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I'll come back to this thread when he has a blocked email again, so I can be sure about the content (as I released it already). I'm pretty sure that his blocked e-mails come from Outlook and not from his phone, and that he has an automated signature block (from CodeTwo) like all the other users.

    Which brings me back to my biggest question: why him and none of the other 2000 users?

    Enjoy the weekend!

    --------------------

    J. Janssens

    Sophos Certified Architect
    Sophos Certified Engineer
    Sophos Certified Sales Consultant
    Gold Partner