Antispam failing to identify spam from .top gTLD

We have started receiving a fairly significant amount of spam from domains using the .top gTLD. A fair number of them are quarantined, but many are also delivered to the internal mail server. Most of this spam is very obvious spam, most of it pornographic in nature. I have configured the Antispam features and this has been working well for about 1-1/2 years. This problem began about 3 weeks ago, but I have been unable to resolve the issue. Currently, I have enabled:

  • Reject invalid HELO or missing RDNS
  • Use BATV
  • Perform SPF Check

I have also added these Extra RBL Zones:

  • b.barracudacentral.org
  • zen.spamhaus.org
  • bl.mailspike.net
  • backscatter.spameatingmonkey.net
  • bl.spameatingmonkey.net
  • urired.spameatingmonkey.net
  • fresh.spameatingmonkey.net
  • bl.spamcop.net

We have Antispam set to Reject 'Confirmed Spam' and Quarantine 'Spam'. We are NOT using the Greylisting feature, because in general we found it to significantly delay the delivery of email, even domains that deliver email to us on a fairly regular basis.

Is it possible something is misconfigured? Or are the Sophos UTM Antispam features failing to keep up with new spamming techniques? I would appreciate any suggestions. Thank you!

--

Jeremy
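As an added illustration (not code from the post, from Sophos, or from the UTM product), the script below reproduces two of the checks the configuration above relies on: the "missing RDNS" test and the DNSBL lookup against the IP-based zones listed. It shows what the UTM is doing for each zone: reverse the sender's IPv4 octets, append the zone name, and treat an A record inside 127.0.0.0/8 as a listing. The resolver and PTR lookup are injectable, and the listing data at the bottom is constructed so the block runs offline; the sender IPs are documentation addresses, not real spam sources. Running it against your own zone list with the real resolver is a quick way to confirm that every zone answers NXDOMAIN for a known-clean address and a 127.0.0.x code for a known-listed one; a mistyped zone name that happens to resolve to a parked web host would otherwise be indistinguishable from "listed" in a naive check.

```python
import ipaddress
import socket
from typing import Callable, Dict, Iterable, Optional

# IP-based zones taken from the post's "Extra RBL Zones" list.
IP_BLOCKLISTS = [
    "b.barracudacentral.org",
    "zen.spamhaus.org",
    "bl.mailspike.net",
    "bl.spameatingmonkey.net",
    "bl.spamcop.net",
]

Resolver = Callable[[str], Optional[str]]       # query name -> A record, or None on NXDOMAIN
ReverseLookup = Callable[[str], Optional[str]]  # IP -> PTR hostname, or None if absent


def dnsbl_name(ip: str, zone: str) -> str:
    """Build the DNSBL query name: IPv4 octets reversed, then the zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version != 4:
        raise ValueError("this example builds IPv4 queries only")
    return ".".join(reversed(ip.split("."))) + "." + zone


def system_resolve(name: str) -> Optional[str]:
    """Real A-record lookup through the OS resolver (used when no stub is injected)."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def system_reverse(ip: str) -> Optional[str]:
    """Real PTR lookup; None is what the UTM calls 'missing RDNS'."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def check_dnsbl(ip: str, zones: Iterable[str] = IP_BLOCKLISTS,
                resolve: Resolver = system_resolve) -> Dict[str, str]:
    """Return {zone: answer} for every zone that lists the IP.

    Only answers inside 127.0.0.0/8 count as a listing. A zone that returns
    anything else (an expired or wildcarded domain, a typo'd zone name that
    resolves to a parked site) would otherwise flag every sender as spam.
    """
    hits: Dict[str, str] = {}
    listed_range = ipaddress.ip_network("127.0.0.0/8")
    for zone in zones:
        answer = resolve(dnsbl_name(ip, zone))
        if answer is None:
            continue
        if ipaddress.ip_address(answer) in listed_range:
            hits[zone] = answer
    return hits


def sender_verdict(ip: str, resolve: Resolver = system_resolve,
                   reverse: ReverseLookup = system_reverse) -> str:
    """Mirror the post's policy: no PTR record -> reject; any blocklist hit -> reject."""
    if reverse(ip) is None:
        return "reject: missing RDNS"
    hits = check_dnsbl(ip, resolve=resolve)
    if hits:
        return "reject: listed in " + ", ".join(sorted(hits))
    return "accept"


# Constructed offline data (these are NOT real listings) so the block runs with no network.
CONSTRUCTED_A = {
    "7.100.51.198.zen.spamhaus.org": "127.0.0.4",
    "7.100.51.198.bl.spamcop.net": "127.0.0.2",
    "9.113.0.203.bl.mailspike.net": "192.0.2.1",  # bogus non-127/8 answer; must be ignored
}
CONSTRUCTED_PTR = {
    "198.51.100.7": "mail.example.net",
    "203.0.113.9": "host.example.org",
    # 192.0.2.55 deliberately has no PTR entry
}


def constructed_resolve(name: str) -> Optional[str]:
    return CONSTRUCTED_A.get(name)


def constructed_reverse(ip: str) -> Optional[str]:
    return CONSTRUCTED_PTR.get(ip)


if __name__ == "__main__":
    for ip in ("198.51.100.7", "203.0.113.9", "192.0.2.55"):
        print(ip, "->", sender_verdict(ip, constructed_resolve, constructed_reverse))
```

To test a live zone, call `check_dnsbl("127.0.0.2", ["zen.spamhaus.org"])` with the default resolver: 127.0.0.2 is the address every DNSBL lists as its own test entry, so a zone that returns nothing for it is not answering, and a zone that returns a non-127.0.0.x address for an arbitrary clean IP is broken and will poison scoring.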



  • I'm not seeing this at my clients, Jeremy. The best I can offer is to drag a copy of an offending email, headers and all, into a blank email and send it to is-spam (at) labs.sophos.com.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    Thanks for the suggestion. Interestingly, we began to notice a lot of odd behavior yesterday afternoon. Our VPNs were dropping, internet connectivity would be up for a minute or two, then drop out for 10-15 minutes. So, a little digging reflected that our ISP was not dropping the connections and was not experiencing any issues. The Sophos UTM GUI was behaving very strangely too. I would log in, but the Dashboard would never load. If I did get logged in, sometimes I could navigate to other pages, other times I couldn't. Finally, I just did a full shutdown of the UTM device (Sophos SG230) and left it powered off for a few minutes. After booting it back up, things seem to be operating normally again. So far, I don't believe any of the crazy spam has made it past the firewall either.

    So, maybe it was just the good old reboot that did the trick. I'm going to watch the spam for a few more days to make sure it doesn't act up again.

    Regards,

    Jeremy

  • Excellent insight, Jeremy. I should've asked you to post the lines from the SMTP log file when such an email was passed.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA