
Only outbound email is quarantined.

Only outbound email is being quarantined, mostly when spam is sent to an invalid address (the "undeliverable" message is quarantined) or when spam is sent to users with out-of-office turned on.  Here's an example of the former:


Delivery has failed to these recipients or groups:

user@baptisthomes.org
The email address you entered couldn't be found. Please check the recipient's email address and try to resend the message. If the problem continues, please contact your email admin.

Diagnostic information for administrators:

Generating server: MailServer.baptisthomes.org

User@baptisthomes.org
Remote Server returned '550 5.1.10 RESOLVER.ADR.RecipientNotFound; Recipient not found by SMTP address lookup'

Original message headers:

Received: from mailserver.baptisthomes.org (192.168.120.70) by
 BHS-EX16-01.baptisthomes.org (192.168.120.70) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
 15.1.544.27; Mon, 9 Jan 2017 07:07:54 -0500
Received: from bhutm9.baptisthomes.org (192.168.1.2) by
 mailserver.baptisthomes.org (192.168.120.70) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384) id
 15.1.544.27 via Frontend Transport; Mon, 9 Jan 2017 07:07:54 -0500
Received: from mta9.wanwul.us ([104.129.48.234]:48180 helo=wanwul.us)
        by bhutm9.baptisthomes.org with esmtp (Exim 4.82_1-5b7a7c0-XX)
        (envelope-from <wrinkly@wanwul.us>)
        id 1cQYjG-000416-0D
        for user@baptisthomes.org; Mon, 09 Jan 2017 07:07:45 -0500
Subject: Get a new Alarm Special + $100 Visa Gift Card Bonus from Protect Your Home
From: ADTAuthorizedDealer <riddled@mughal.wanwul.us>
To: <user@baptisthomes.org>
Date: Mon, 9 Jan 2017 04:06:38 -0800
Content-Type: multipart/related;
        boundary="0bb548aeb2531700ea09429c9d130813a"
MIME-Version: 1.0
Message-ID: <0.0.0.1A.1D26A70E1BC1278.1CD482@wanwul.us>
Return-Path: wrinkly@wanwul.us

Here's my current configuration:
  • I registered for the Barracuda RBL, and I have zen.spamhaus and bl.spamcop configured, as well as the two default RBLs that Sophos uses.
  • I have confirmed spam set to be rejected at SMTP time, and all actions in the spam filter are to quarantine.
  • Everything is checked under advanced spam filtering, including strict RDNS Checks.
Thank you.



  • I don't understand, James.  Are you sending spams?  If the above bounce was quarantined, please show the related lines from the SMTP log.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • With all due respect, of course we're not sending spam.  I do not see an actual SMTP log file listed with the other log files, but I can see that the primary reason the emails are blocked is coming from the "antispam engine" (94%).

  • Sorry, James, no insult intended - I just couldn't "see" the issue you described.

    Just to confirm, you have a UTM and there is no "SMTP proxy" among the logs in 'Logging & Reporting >> View Log Files'?

    Cheers - Bob

  • Yes, I did find the proxy logs.  Here's what I have from around the time of the email sample that I sent to you. I can send the entire day, but it's too large for the window. Note that the original user name and email server name are included:


    srcip="104.129.48.234" from="wrinkly@wanwul.us" to="todd.swortzel@baptisthomes.org" subject="Get a new Alarm Special + $100 Visa Gift Card Bonus from Protect Your Home" queueid="1cQYjr-0003tP-0N" size="771094"
    2017:01:09-07:07:47 bhutm9 smtpd[14967]: SCANNER[14967]: 1cQYjG-000416-0D => work R=SCANNER T=SCANNER
    2017:01:09-07:07:47 bhutm9 smtpd[14967]: SCANNER[14967]: 1cQYjG-000416-0D Completed
    2017:01:09-07:07:47 bhutm9 exim-out[15938]: 2017-01-09 07:07:47 1cQYjr-0003tP-0N => todd.swortzel@baptisthomes.org P=<wrinkly@wanwul.us> R=static_route_hostlist T=static_smtp H=192.168.120.70 [192.168.120.70]:25 X=TLSv1.2:ECDHE-RSA-AES256-SHA384:256 C="250 2.6.0 <0.0.0.1A.1D26A70E1BC1278.1CD482@wanwul.us> [InternalId=6073083756617, Hostname=BHS-EX16-0"
    2017:01:09-07:07:47 bhutm9 exim-out[15938]: 2017-01-09 07:07:47 1cQYjr-0003tP-0N Completed
    2017:01:09-07:07:47 bhutm9 exim-in[5637]: 2017-01-09 07:07:47 SMTP connection from [192.168.120.70]:33496 (TCP/IP connection count = 3)
    2017:01:09-07:07:47 bhutm9 exim-in[15942]: 2017-01-09 07:07:47 [192.168.120.70] F=<> R=<wrinkly@wanwul.us> Accepted: from relay
    2017:01:09-07:07:47 bhutm9 exim-in[15942]: 2017-01-09 07:07:47 1cQYjr-000498-2D ctasd reports 'Confirmed' RefID:str=0001.0A020206.58737D13.0492,ss=4,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=264
    2017:01:09-07:07:47 bhutm9 exim-in[15942]: 2017-01-09 07:07:47 1cQYjr-000498-2D <= <> H=(BHS-EX16-01.baptisthomes.org) [192.168.120.70]:33496 P=esmtps X=TLSv1.2:AES256-SHA256:256 S=778851 id=31aeb58a-d901-427e-8451-7bd3442eae37@BHS-EX16-01.baptisthomes.org
    2017:01:09-07:07:48 bhutm9 exim-in[15942]: 2017-01-09 07:07:48 SMTP connection from (BHS-EX16-01.baptisthomes.org) [192.168.120.70]:33496 closed by QUIT
    2017:01:09-07:07:49 bhutm9 smtpd[5602]: QMGR[5602]: 1cQYjr-000498-2D moved to work queue
    2017:01:09-07:07:50 bhutm9 smtpd[14967]: SCANNER[14967]: 1cQYju-0003tP-D0 <=  R=1cQYjr-000498-2D P=INPUT S=777898
    2017:01:09-07:07:50 bhutm9 smtpd[14967]: SCANNER[14967]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="192.168.120.70" from="" to="wrinkly@wanwul.us" subject="Undeliverable: Get a new Alarm Special + $100 Visa Gift Card Bonus from Protect Your Home" queueid="1cQYju-0003tP-D0" size="777898" reason="as" extra="confirmed"
    2017:01:09-07:07:50 bhutm9 smtpd[14967]: SCANNER[14967]: 1cQYjr-000498-2D => work R=SCANNER T=SCANNER
    2017:01:09-07:07:50 bhutm9 smtpd[14967]: SCANNER[14967]: 1cQYjr-000498-2D Completed
    2017:01:09-07:07:50 bhutm9 exim-in[15449]: 2017-01-09 07:07:50 1cQYjU-00041B-0B <= vegan@wanwul.us H=mta9.wanwul.us (wanwul.us) [104.129.48.234]:55126 P=esmtp S=771738 id=0.0.0.D.1D26A70D803F624.211E9F@wanwul.us
    2017:01:09-07:07:51 bhutm9 exim-in[15449]: 2017-01-09 07:07:51 H=mta9.wanwul.us (wanwul.us) [104.129.48.234]:55126 Warning: Exception matched: Skipping greylisting for this message
    2017:01:09-07:07:51 bhutm9 exim-in[15449]: 2017-01-09 07:07:51 H=mta9.wanwul.us (wanwul.us) [104.129.48.234]:55126 Warning: Exception matched: Skipping AV for this message
    2017:01:09-07:07:51 bhutm9 exim-in[15449]: 2017-01-09 07:07:51 H=mta9.wanwul.us (wanwul.us) [104.129.48.234]:55126 Warning: Exception matched: Skipping antispam for this message
    2017:01:09-07:07:51 bhutm9 exim-in[15449]: 2017-01-09 07:07:51 H=mta9.wanwul.us (wanwul.us) [104.129.48.234]:55126 Warning: providencepoint.org profile excludes SANDBOX scan
    2017:01:09-07:07:51 bhutm9 exim-in[15449]: 2017-01-09 07:07:51 [104.129.48.234] F=<lunger@wanwul.us> R=<bwinston@providencepoint.org> Verifying recipient address with callout
    2017:01:09-07:07:51 bhutm9 smtpd[5602]: QMGR[5602]: 1cQYjU-00041B-0B moved to work queue
    2017:01:09-07:07:52 bhutm9 smtpd[14967]: SCANNER[14967]: 1cQYjw-0003tP-Kw <= vegan@wanwul.us R=1cQYjU-00041B-0B P=INPUT S=771109
    2017:01:09-07:07:52 bhutm9 smtpd[14967]: SCANNER[14967]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="104.129.48.234" from="vegan@wanwul.us" to="bulldog@providencepoint.org" subject="Protect Your Home and Family with a Free ADT Monitored System + Free Visa Gift Card" queueid="1cQYjw-0003tP-Kw" size="771109"
    2017:01:09-07:07:52 bhutm9 smtpd[14967]: SCANNER[14967]: 1cQYjU-00041B-0B => work R=SCANNER T=SCANNER
    2017:01:09-07:07:52 bhutm9 smtpd[14967]: SCANNER[14967]: 1cQYjU-00041B-0B Completed
    2017:01:09-07:07:52 bhutm9 exim-in[5637]: 2017-01-09 07:07:52 SMTP connection from [72.166.183.114]:53094 (TCP/IP connection count = 3)
    2017:01:09-07:07:52 bhutm9 exim-in[15949]: 2017-01-09 07:07:52 H=p1-183114.mail.williams-sonoma.com [72.166.183.114]:53094 Warning: Exception matched: Skipping greylisting for this message
    2017:01:09-07:07:52 bhutm9 exim-in[15949]: 2017-01-09 07:07:52 H=p1-183114.mail.williams-sonoma.com [72.166.183.114]:53094 Warning: Exception matched: Skipping AV for this message
    2017:01:09-07:07:52 bhutm9 exim-in[15949]: 2017-01-09 07:07:52 H=p1-183114.mail.williams-sonoma.com [72.166.183.114]:53094 Warning: Exception matched: Skipping antispam for this message
    2017:01:09-07:07:52 bhutm9 exim-in[15949]: 2017-01-09 07:07:52 H=p1-183114.mail.williams-sonoma.com [72.166.183.114]:53094 Warning: providencepoint.org profile excludes SANDBOX scan
    2017:01:09-07:07:52 bhutm9 exim-in[15949]: 2017-01-09 07:07:52 [72.166.183.114] F=<Williams-Sonoma@mail.williams-sonoma.com> R=<epelini@providencepoint.org> Verifying recipient address with callout
    2017:01:09-07:07:52 bhutm9 exim-in[15949]: 2017-01-09 07:07:52 1cQYjw-00049F-2v <= Williams-Sonoma@mail.williams-sonoma.com H=p1-183114.mail.williams-sonoma.com [72.166.183.114]:53094 P=esmtp S=32675 id=100097.34892674149.201701091208519245227.0435107921@mail.williams-sonoma.com
    2017:01:09-07:07:52 bhutm9 exim-in[15949]: 2017-01-09 07:07:52 SMTP connection from p1-183114.mail.williams-sonoma.com [72.166.183.114]:53094 closed by QUIT
    2017:01:09-07:07:53 bhutm9 exim-out[15946]: 2017-01-09 07:07:53 1cQYjw-0003tP-Kw => bulldog@providencepoint.org P=<vegan@wanwul.us> R=static_route_hostlist T=static_smtp H=192.168.120.70 [192.168.120.70]:25 X=TLSv1.2:ECDHE-RSA-AES256-SHA384:256 C="250 2.6.0 <0.0.0.D.1D26A70D803F624.211E9F@wanwul.us> [InternalId=6073083756620, Hostname=BHS-EX16-01"
    2017:01:09-07:07:53 bhutm9 exim-out[15946]: 2017-01-09 07:07:53 1cQYjw-0003tP-Kw Completed
    2017:01:09-07:07:54 bhutm9 exim-in[15447]: 2017-01-09 07:07:54 1cQYjT-000419-2A <= osteoarthritis@wanwul.us H=mta9.wanwul.us (wanwul.us) [104.129.48.234]:53949 P=esmtp S=771761 id=0.0.0.4.1D26A70D37A0B8E.1B570F@wanwul.us
    2017:01:09-07:07:54 bhutm9 exim-in[15447]: 2017-01-09 07:07:54 H=mta9.wanwul.us (wanwul.us) [104.129.48.234]:53949 Warning: Exception matched: Skipping greylisting for this message
    2017:01:09-07:07:54 bhutm9 exim-in[15447]: 2017-01-09 07:07:54 H=mta9.wanwul.us (wanwul.us) [104.129.48.234]:53949 Warning: Exception matched: Skipping AV for this message
    2017:01:09-07:07:54 bhutm9 exim-in[15447]: 2017-01-09 07:07:54 H=mta9.wanwul.us (wanwul.us) [104.129.48.234]:53949 Warning: Exception matched: Skipping antispam for this message
    2017:01:09-07:07:54 bhutm9 exim-in[15447]: 2017-01-09 07:07:54 H=mta9.wanwul.us (wanwul.us) [104.129.48.234]:53949 Warning: providencepoint.org profile excludes SANDBOX scan
    2017:01:09-07:07:54 bhutm9 exim-in[15447]: 2017-01-09 07:07:54 [104.129.48.234] F=<roller@wanwul.us> R=<dpetrie@providencepoint.org> Verifying recipient address with callout
    2017:01:09-07:07:54 bhutm9 smtpd[5602]: QMGR[5602]: 1cQYjw-00049F-2v moved to work queue
  • So, that email wasn't quarantined, James, because "Exception matched: Skipping antispam for this message."  Also, the user was confirmed as valid by callout.

    I'm just not understanding what the complaint is - I obviously read something in your initial post and misinterpreted it.  What am I missing?

    Cheers - Bob

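One way to pull the two signals Bob points at out of the SMTP proxy log: verdict lines whose source host had an "Exception matched: Skipping antispam" warning, and quarantined messages with an empty envelope sender (the NDR case). This is an added example, not code from the thread or from Sophos; the sample lines are constructed from the ones posted above with subjects shortened, and tying exception warnings to verdicts by source IP is an assumption, since the warnings carry no queue id.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the thread's Sophos UTM SMTP proxy log
# (subjects shortened; these are not the real log lines from the post).
SAMPLE_LOG = """\
2017:01:09-07:07:47 bhutm9 exim-in[15942]: 2017-01-09 07:07:47 [192.168.120.70] F=<> R=<wrinkly@wanwul.us> Accepted: from relay
2017:01:09-07:07:50 bhutm9 smtpd[14967]: SCANNER[14967]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="192.168.120.70" from="" to="wrinkly@wanwul.us" subject="Undeliverable: Get a new Alarm Special" queueid="1cQYju-0003tP-D0" size="777898" reason="as" extra="confirmed"
2017:01:09-07:07:51 bhutm9 exim-in[15449]: 2017-01-09 07:07:51 H=mta9.wanwul.us (wanwul.us) [104.129.48.234]:55126 Warning: Exception matched: Skipping antispam for this message
2017:01:09-07:07:52 bhutm9 smtpd[14967]: SCANNER[14967]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="104.129.48.234" from="vegan@wanwul.us" to="bulldog@providencepoint.org" subject="Protect Your Home" queueid="1cQYjw-0003tP-Kw" size="771109"
"""

# key="value" pairs on the SecureMail verdict lines (name, srcip, from, to, queueid ...)
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Exim warning that an exception rule skipped a check for this connection
EXC_RE = re.compile(
    r'\[(\d{1,3}(?:\.\d{1,3}){3})\]:\d+ Warning: Exception matched: Skipping (\w+)')


def analyse(log):
    """Return (queueid, verdict, explanation) for each SecureMail verdict line.

    Assumption: exception warnings carry no queue id, so they are tied to the
    verdict lines by source IP, which is good enough for a single sending host.
    """
    skipped = defaultdict(set)   # source IP -> checks an exception skipped
    verdicts = []
    for line in log.splitlines():
        m = EXC_RE.search(line)
        if m:
            skipped[m.group(1)].add(m.group(2).lower())
        elif 'sys="SecureMail"' in line:
            verdicts.append(dict(KV_RE.findall(line)))
    findings = []
    for v in verdicts:
        ip, verdict = v.get("srcip", ""), v.get("name", "")
        if verdict == "email passed" and "antispam" in skipped[ip]:
            note = "antispam skipped by exception for " + ip
        elif verdict == "email quarantined" and v.get("from", "") == "":
            # F=<> / from="" is a null envelope sender: an NDR generated downstream
            note = "null-sender NDR quarantined; backscatter from the original spam"
        else:
            note = "no anomaly"
        findings.append((v.get("queueid", ""), verdict, note))
    return findings


if __name__ == "__main__":
    for queueid, verdict, note in analyse(SAMPLE_LOG):
        print(f"{queueid}: {verdict} ({note})")
```

Run it over a full day's SMTP proxy log to see which sending hosts are reaching the scanner with antispam already disabled by an exception, which is what the thread's log shows for mta9.wanwul.us.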
  • The original SPAM email was not quarantined (although it should have been, as I can confirm that the sender is listed with the RBLs I'm using).  The user listed is no longer in our system, and the email is invalid.  When the email bounces, it IS quarantined.  I've actually gotten these for out-of-office replies as well.

    Effectively, nothing is being filtered inbound, but outbound messages are, pretty much the opposite of what we want.

  • The logs don't show that anything was quarantined.  Again, note that the logs also show that there were exceptions in place for antivirus and anti-spam.  Until we can put an email header together with relevant log lines for an email that you wanted handled differently, we're dead in the water.

    Cheers - Bob
