
Please help, spam is through the roof - this is a new problem just started this weekend.

I've been running Sophos UTM for years.

Did an update last week to 9.401-11.  I don't know if that is the cause, but from that moment, we are getting SPAM at intolerable levels.

I used to get one making it through the filter every week or so.  After updating, it is about 10 an hour getting through.  None of my RBL configuration has changed.

I'm also trying to report spam to Sophos but that is being blocked - as spam.

  • I'm not hearing/seeing this.  How are you trying to report spam?  Can you show us an example of this new spam?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • 24 Hour Fitness <24HourFitness@bbizmktg.com>, The best gym + first month free.*

    MBA Wizard <unbesieged@e-drumsz.win>, You Could Find Success Using an MBA Degree.

    Slim ShapeUp <eskimo@go-ridez.win>, Eat THIS to shrink your belly AND lose flab 400% faster !

    Lawyers_Help <tyrannizer@e-teise.win>, See Attorney Offices Near to-You

    NBC  News. <parallelled@im-pott.win>, Do This Daily, See Your Member Strong again.

    Amazon Prime <fogrum@edu-com.win>, Amazon.com order #5645636  Will deliver today

    Online Degree_Finder <arabesquely@x-gmail.win>,  Find The Best. Online Degree Schools.

    Surveillance Pro <kincob@d-housez.win>,  Need Security Cameras For Your Home?

    Luxury  SUV Sale <lobular@red-netz.win>,  Get A 2016 Luxury SUV For Less

    News Update <indestructibility@tax-fin.win>,  Plug THIS IN and Power Your Entire Home

     Patricia Price <probably@a-light.win>, Build toys, furniture etc from wood  DIY plan included

  • It's difficult to see that those are spams. How about the complete headers and the complete body of the message for just one of those?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Sure, here's an example.  It is marked as suspected spam, but not confirmed spam.

    Received: from Squidward.Aquila.local (192.168.0.14) by Squidward.Aquila.local
     (192.168.0.14) with Microsoft SMTP Server (TLS) id 15.0.1156.6 via Mailbox
     Transport; Tue, 10 May 2016 08:49:30 -0400
    Received: from Squidward.Aquila.local (192.168.0.14) by Squidward.Aquila.local
     (192.168.0.14) with Microsoft SMTP Server (TLS) id 15.0.1156.6; Tue, 10 May
     2016 08:49:30 -0400
    Received: from harwood.aquilatech.com (192.168.0.5) by Squidward.Aquila.local
     (192.168.0.14) with Microsoft SMTP Server (TLS) id 15.0.1156.6 via Frontend
     Transport; Tue, 10 May 2016 08:49:30 -0400
    Received: from [23.108.22.15] (port=57557 helo=go-ridez.win)
        by harwood.aquilatech.com with esmtp (Exim 4.82_1-5b7a7c0-XX)
        (envelope-from <eskimo@go-ridez.win>)
        id 1b076M-0002Hp-2C
        for ***@aquilatech.com; Tue, 10 May 2016 08:49:26 -0400
    X-CTCH-RefID: str=0001.0A020202.57314426.010A,ss=3,sh,re=0.000,recu=0.000,reip=0.000,cl=3,cld=1,fgs=0
    From: Slim ShapeUp <eskimo@go-ridez.win>
    Date: Tue, 10 May 2016 07:33:30 -0500
    MIME-Version: 1.0
    Subject: *Spam*  Eat THIS to shrink your belly AND lose flab 400% faster !
    To: <phil@aquilatech.com>
    Message-ID: <P7QCcXpoO6waOA6aZUkrmlU-g72ZARdisuAUTaXSrTA.6a3ecoxCWzVNhccc12Nc32hhqY645naWuMiOtlck9hc@go-ridez.win>
    Content-Type: multipart/alternative;
        boundary="------------98303696560955156249454"
    X-Spam-Flag: YES
    X-Aquila-Gateway: worf.aquilatech.com
    X-Spam-Result: Spam
    Return-Path: eskimo@go-ridez.win
    X-MS-Exchange-Organization-Network-Message-Id: 7f285f9d-f350-4b22-8bb3-08d378d1877a
    X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
    X-MS-Exchange-Organization-AuthSource: Squidward.Aquila.local
    X-MS-Exchange-Organization-AuthAs: Anonymous
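
An added example (not code from the thread or from Sophos) that triages a header block like the one above: it walks the Received chain top-down, past the hops added by the poster's own hosts, to find the connecting client as the border MTA recorded it, builds the reversed-octet name an RBL lookup would resolve, and pulls out the gateway's verdict headers. The sample is the posted message's headers; the assumption that every private-address hop belongs to the poster's infrastructure is a labelled one, and no DNS query is actually sent.

```python
import ipaddress
import re
from email import message_from_string

# Sample taken from the suspected-spam message the poster shared above
# (Received chain, sender, subject and spam-verdict headers as posted).
SAMPLE_HEADERS = """\
Received: from Squidward.Aquila.local (192.168.0.14) by Squidward.Aquila.local
 (192.168.0.14) with Microsoft SMTP Server (TLS) id 15.0.1156.6 via Mailbox
 Transport; Tue, 10 May 2016 08:49:30 -0400
Received: from harwood.aquilatech.com (192.168.0.5) by Squidward.Aquila.local
 (192.168.0.14) with Microsoft SMTP Server (TLS) id 15.0.1156.6 via Frontend
 Transport; Tue, 10 May 2016 08:49:30 -0400
Received: from [23.108.22.15] (port=57557 helo=go-ridez.win)
    by harwood.aquilatech.com with esmtp (Exim 4.82_1-5b7a7c0-XX)
    (envelope-from <eskimo@go-ridez.win>)
    id 1b076M-0002Hp-2C
    for ***@aquilatech.com; Tue, 10 May 2016 08:49:26 -0400
From: Slim ShapeUp <eskimo@go-ridez.win>
Subject: *Spam*  Eat THIS to shrink your belly AND lose flab 400% faster !
X-Spam-Flag: YES
X-Spam-Result: Spam

"""

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def originating_ip(raw_headers):
    """Return the first public IP in the Received chain, read top-down.

    Assumption: the top Received headers were added by our own hosts (private
    addresses), so the first hop whose "from" address is public is the client
    that connected to the border MTA. Anything below that hop could have been
    forged by the sender and is deliberately never consulted.
    """
    msg = message_from_string(raw_headers)
    for value in msg.get_all("Received") or []:
        flat = re.sub(r"\s+", " ", value).strip()      # unfold the header
        m = re.search(r"\bfrom\s+(.+?)\s+by\s", flat)  # only the "from ..." clause
        if not m:
            continue
        for text in IPV4.findall(m.group(1)):
            if ipaddress.ip_address(text).is_global:
                return text
    return None


def dnsbl_query_name(ip_text, zone="zen.spamhaus.org"):
    """Build the reversed-octet name an RBL lookup resolves, for example
    23.108.22.15 -> 15.22.108.23.zen.spamhaus.org. An A record in the zone's
    reply range means "listed"; this function does not perform the lookup."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version != 4:
        raise ValueError("IPv4 DNSBL names only")
    return ".".join(reversed(str(ip).split("."))) + "." + zone


def spam_verdict(raw_headers):
    """Collect the gateway's own verdict headers from the message."""
    msg = message_from_string(raw_headers)
    return {"flag": msg.get("X-Spam-Flag"), "result": msg.get("X-Spam-Result")}


def triage(raw_headers, zone="zen.spamhaus.org"):
    """One record per message: connecting IP, the RBL name to resolve, verdict."""
    ip = originating_ip(raw_headers)
    return {
        "source_ip": ip,
        "rbl_query": dnsbl_query_name(ip, zone) if ip else None,
        "verdict": spam_verdict(raw_headers),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_HEADERS))
```

Resolving the returned name with the resolver the UTM itself uses is the quickest way to confirm whether the connecting IP was listed at the moment the message was accepted; a message that carries X-Spam-Flag: YES but was still delivered tells you the verdict was applied as a tag, not as a rejection.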

  • Something is SERIOUSLY wrong here.

    Here's an example.

    Time             | Source IP    | From                  | To                  | Result                                   | Size | Duration | Subject
    2016-05-15 19:00 | 69.94.147.10 | purser@eu-clubz.win   | xxx@aquilatech.com  | Delivered -> 192.168.0.14 (192.168.0.14) | 21kB | 4 s      | Attention Retirees: If you have an IRA or 401k you need to read this
    2016-05-15 19:00 | 69.94.147.10 | islander@eu-clubz.win | xxxl@aquilatech.com | Rejected: RBL (zen.spamhaus.org)         | 1kB  |          |

    Here, you see 69.94.147.10, a spammer who hits me about 3 times a MINUTE, all day long.

    In one line, it is blocked by RBL zen.spamhaus.org.  In the SAME SECOND another spam from the same address is fine, accepted and delivered.

    Clearly there is a major bug in the RBL handling.
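
An added example (not the poster's or Sophos' code) of the check a defender would run over the mail log to confirm the pattern described in this post: group entries by source IP and flag any IP that was rejected by an RBL and also had a message delivered within a few minutes of that rejection. The pipe-delimited export format is a constructed assumption (not the UTM's own log format); the first two entries are the ones shown above, the third is a made-up benign entry from the documentation address 203.0.113.7, and the five-minute window is a hypothetical parameter.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed export: time | source IP | envelope sender | recipient | result.
# Rows 1-2 are the entries the poster showed; row 3 is a made-up benign one.
SAMPLE_LOG = """\
2016-05-15 19:00|69.94.147.10|purser@eu-clubz.win|xxx@aquilatech.com|Delivered -> 192.168.0.14 (192.168.0.14)
2016-05-15 19:00|69.94.147.10|islander@eu-clubz.win|xxxl@aquilatech.com|Rejected: RBL (zen.spamhaus.org)
2016-05-15 19:03|203.0.113.7|newsletter@example.net|xxx@aquilatech.com|Delivered -> 192.168.0.14 (192.168.0.14)
"""

RBL_REJECT = re.compile(r"^Rejected: RBL \((?P<zone>[^)]+)\)")


def parse_log(text):
    """Turn the export into records with a real timestamp per line."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, src, sender, rcpt, result = line.split("|", 4)
        records.append({
            "time": datetime.strptime(when, "%Y-%m-%d %H:%M"),
            "src": src, "sender": sender, "rcpt": rcpt, "result": result,
        })
    return records


def classify(result):
    """Reduce the free-text result column to the outcomes we care about."""
    if RBL_REJECT.match(result):
        return "rbl_rejected"
    if result.startswith("Delivered"):
        return "delivered"
    return "other"


def inconsistent_rbl_sources(records, window=timedelta(minutes=5)):
    """Source IPs rejected by an RBL that also had a message delivered within
    `window` of a rejection. An RBL listing does not flip within seconds, so a
    hit here points at the filter being bypassed or misapplied for that
    connection, not at the blocklist changing."""
    by_src = defaultdict(list)
    for r in records:
        by_src[r["src"]].append(r)
    flagged = {}
    for src, items in by_src.items():
        rejects = [r for r in items if classify(r["result"]) == "rbl_rejected"]
        delivered = [r for r in items if classify(r["result"]) == "delivered"]
        near = [d for d in delivered
                if any(abs(d["time"] - x["time"]) <= window for x in rejects)]
        if near:
            flagged[src] = {"rbl_rejected": len(rejects),
                            "delivered_near_reject": len(near)}
    return flagged


def top_sources(records, limit=3):
    """Busiest connecting IPs, to quantify the 'several a minute' sender."""
    counts = defaultdict(int)
    for r in records:
        counts[r["src"]] += 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:limit]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(top_sources(recs))
    print(inconsistent_rbl_sources(recs))
```

Run against a full day's export, the flagged set is what to hand to support: it isolates the connections where the RBL verdict was not enforced from the (much larger) volume that was correctly rejected.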

  • I created a firewall rule to reject all incoming traffic from 69.94.0.0/16.

    The rule is completely ignored and the 69.94.147.* spammers get through UTM.  There's not even an entry in the firewall log.

    What's going on here!????  This is destroying my network.

  • Instead of a firewall rule, you need a blackhole DNAT.  See #2 in Rulz for an explanation.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA