
Antispam failing to identify spam from .top gTLD

We have started receiving a fairly significant amount of spam from domains using the .top gTLD. A fair number of them are quarantined, but many are also delivered to the internal mail server. Most of this spam is very obvious spam, most of it pornographic in nature. I have configured the Antispam features and this has been working well for about 1-1/2 years. This problem began about 3 weeks ago, but I have been unable to resolve the issue. Currently, I have enabled:

  • Reject invalid HELO or missing RDNS
  • Use BATV
  • Perform SPF Check

I have also added these Extra RBL Zones:

  • b.barracudacentral.org
  • zen.spamhaus.org
  • bl.mailspike.net
  • backscatter.spameatingmonkey.net
  • bl.spameatingmonkey.net
  • urired.spameatingmonkey.net
  • fresh.spameatingmonkey.net
  • bl.spamcop.net

We have Antispam set to Reject 'Confirmed Spam' and Quarantine 'Spam'. We are NOT using the Greylisting feature, because in general we found it to significantly delay the delivery of email, even domains that deliver email to us on a fairly regular basis.

Is it possible something is misconfigured? Or are the Sophos UTM Antispam features failing to keep up with new spamming techniques? I would appreciate any suggestions. Thank you!

--

Jeremy



  • I'm not seeing this at my clients, Jeremy. The best I can offer is to drag a copy of an offending email, headers and all, into a blank email and send it to is-spam (at) labs.sophos.com.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    Thanks for the suggestion. Interestingly, we began to notice a lot of odd behavior yesterday afternoon. Our VPNs were dropping, internet connectivity would be up for a minute or two, then drop out for 10-15 minutes. So, a little digging reflected that our ISP was not dropping the connections and was not experiencing any issues. The Sophos UTM GUI was behaving very strangely too. I would log in, but the Dashboard would never load. If I did get logged in, sometimes I could navigate to other pages, other times I couldn't. Finally, I just did a full shutdown of the UTM device (Sophos SG230) and left it powered off for a few minutes. After booting it back up, things seem to be operating normally again. So far, I don't believe any of the crazy spam has made it past the firewall either.

    So, maybe it was just the good old reboot that did the trick. I'm going to watch the spam for a few more days to make sure it doesn't act up again.

    Regards,

    Jeremy

  • Excellent insight, Jeremy, I should've asked you to post the lines from the SMTP log file when such an email was passed.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Jeremy,

    I see the same SPAM activity with .top domains, and I read Sophos did delete the capability of blocking TLD domains for some reason.

    Tech support cannot fix this since the feature has been removed (in my opinion, subject to change if they put it back in after 9.401-11).

    First of all, I would suggest trying and adding bad.psky.me to your RBL list, preferably at the bottom. THEY are good at .top blocking, as is zen.spamhaus.org.

    That one fix will help a lot until they get a fix.

    FYI, I added these subnets to known spammers, manually found by me, just in April.

    ...search for these subnets and see if they're the same subnets you're having issues with.
    Inquiring minds want to know. 
    Good luck Mr. Phelps if you decide to accept this mission.

    FYI, I'm also getting .XYZ crap spam; search for .xyz in your mail manager.

    This is from the help on 9.401-11:

    Sender Blacklist

    The envelope sender of incoming SMTP sessions will be matched against the addresses on this blacklist. If the envelope sender is found on the blacklist the message will be rejected in SMTP time. Settings in the Reject at SMTP time field do not affect this function.
    To add a new address pattern to the blacklist click the Plus icon in the Blacklisted Address Patterns box, enter (a part of) an address, and click Apply. You can use an asterisk (*) as a wildcard, e.g., *@abbeybnknational.com. A wildcard does not work in the domain or TLD part of an address.
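The help text above explains why a pattern like `*@*.top` cannot block a whole TLD in the UTM Sender Blacklist. The following is an added example, not Sophos code: it models that matching rule (assuming whole-address fnmatch-style wildcard matching, which is an assumption), shows a separate TLD check that a downstream filter could apply, and builds the DNSBL query name for an RBL zone from the thread. All sender addresses and the 192.0.2.10 address are constructed.

```python
import fnmatch
import ipaddress

# Constructed sample envelope senders, not taken from the thread's mail logs.
SAMPLE_SENDERS = [
    "bob@abbeybnknational.com",   # the help text's own example domain
    "offer@promo-deal.top",        # constructed .top sender
    "news@cheap-stuff.xyz",        # constructed .xyz sender
    "alice@example.com",
]

def valid_blacklist_pattern(pattern: str) -> bool:
    """Model of the help rule: '*' works only in the local part, never in the domain/TLD part."""
    local, at, domain = pattern.rpartition("@")
    return bool(at) and domain != "" and "*" not in domain

def sender_blacklisted(sender: str, patterns) -> bool:
    """Whole-address wildcard match (assumed fnmatch-style); invalid patterns are ignored."""
    sender = sender.lower()
    return any(fnmatch.fnmatchcase(sender, p.lower())
               for p in patterns if valid_blacklist_pattern(p))

def sender_tld(sender: str) -> str:
    """Last label of the envelope sender's domain, lower-cased ('' if there is none)."""
    domain = sender.rpartition("@")[2].rstrip(".").lower()
    return domain.rsplit(".", 1)[-1] if "." in domain else ""

def classify(sender: str, patterns, blocked_tlds) -> str:
    """Decision a downstream filter could take: blacklist first, then a TLD check the blacklist cannot express."""
    if sender_blacklisted(sender, patterns):
        return "reject-blacklist"
    if sender_tld(sender) in {t.lower().lstrip(".") for t in blocked_tlds}:
        return "reject-tld"
    return "accept"

def dnsbl_query_name(ip: str, zone: str) -> str:
    """DNSBL lookup name: reversed IPv4 octets under the zone (name only, no DNS query is made)."""
    octets = ipaddress.IPv4Address(ip).exploded.split(".")
    return ".".join(reversed(octets)) + "." + zone

if __name__ == "__main__":
    patterns = ["*@abbeybnknational.com", "*@*.top"]  # the second is useless per the help text
    for s in SAMPLE_SENDERS:
        print(f"{s:30} -> {classify(s, patterns, ['.top', '.xyz'])}")
    print(dnsbl_query_name("192.0.2.10", "zen.spamhaus.org"))  # TEST-NET-1 address, constructed
```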