Strange XG 18 Mail Log Entries

I don't understand the two entries below:
1) mschravenriemer@yahoo.de (we don't know who it is) sent a message that was dropped by the firewall (nothing strange).

2) firewall@ourdomain.it sent a message to mschravenriemer@yahoo.de with the subject "malware detected".
    This is very strange.
    firewall@ourdomain.it is the mail address used by XG to send notifications, but it should send to an internal address, not to an external address.
    The mail server isn't an open relay.
    The frontend mail server has not received the message.



This thread was automatically locked due to age.
  • Hello Fabio,

    Thank you for contacting the Sophos Community!

    Do you see anything in the logs for SMTP? /log/smtpd_main.log 

    Regards,

  • As stated before, I don't know nor recognize mschravenriemer@yahoo.de.
    As suggested, I have checked the log, but I haven't found anything interesting (as far as I know).

    I don't know what option in XG allows sending mail notifications to a spammer.
    I don't even know if this option exists.
    If it exists, it is not well configured; it sends information to the spammer/attacker.

    The information in the log is as follows.
    For the message sent from the firewall:

    2021-01-26 06:12:49
    Emailusergpid="0"
    messageid="18035"
    log_type="Anti-Spam"
    log_component="SMTP"
    log_subtype="Allowed"
    status=""
    fw_rule_id="N/A"
    user=""
    policy_name="None"
    sender="firewall@marziani.it"
    recipient="mschravenriemer@yahoo.de"
    subject="Malware detected!"
    message_id="3wpqgP-iGq7Jv-54"
    email_size="15877"
    action="DELIVERED"
    reason="Email has been delivered to recipient(s)."
    host="marziani.it"
    domain=""
    src_ip=""
    src_country=""
    dst_ip=""
    dst_country=""
    protocol="TCP"
    src_port="0"
    dst_port="0"
    bytes_sent="0"
    bytes_received="0"
    quarantine_reason="Other"
    src_zone=""
    dst_zone=""
    app_name=""

    For the initial message:
    2021-01-26 06:12:31
    Emailusergpid="0"
    messageid="18035"
    log_type="Anti-Spam"
    log_component="SMTP"
    log_subtype="Allowed"
    status=""
    fw_rule_id="N/A"
    user=""
    policy_name="None"
    sender="mschravenriemer@yahoo.de"
    recipient="fabio@marziani.it"
    subject=": Fwd: Wire Transfer Payment"
    message_id="1l4GeQ-0000Wk-ET-1611637951"
    email_size="1899852"
    action="QUEUED"
    reason="Email has been accepted by Device and queued for scanning."
    host="yahoo.de"
    domain=""
    src_ip="74.6.128.84"
    src_country="USA"
    dst_ip=""
    dst_country=""
    protocol="TCP"
    src_port="34423"
    dst_port="0"
    bytes_sent="0"
    bytes_received="0"
    quarantine_reason="Other"
    src_zone="WAN"
    dst_zone=""
    app_name=""

  • Go to:
    Email > Policies & Exceptions
    Select your [Default scan policy]

    Do you have the [Notify sender] option enabled under the Malware protection section?

    Like this:

  • Your response is very good; it explains everything.

    I will have to study Sophos XG more.

    PS: I immediately disabled the Notify sender option after your response.
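The pair of log entries above is the signature of "Notify sender" backscatter: the envelope sender of a malware-carrying message is usually forged, so the notification goes to whoever the spammer named, leaking the firewall's notification address and the fact that filtering happened. The following script is an added example written for this page, not code from the thread or from Sophos. It parses records in a key="value" layout, correlates an outbound notification with the inbound message that triggered it, and flags notifications that left the local domains. Assumptions: one record per line with space-separated key="value" pairs (the thread shows the same fields one per line, so the exact on-disk layout of smtpd_main.log is an assumption), the local domain set and the notifier address are parameters, and the third sample record (a notification to an internal mailbox) is constructed to show the benign case.

```python
import re

# Constructed sample log in a one-record-per-line, space-separated key="value"
# layout. The field names and the first two records' values come from the
# thread; the single-line layout and the third (benign, internal-recipient)
# record are assumptions made for this example.
SAMPLE_LOG = """\
2021-01-26 06:12:31 messageid="18035" log_type="Anti-Spam" log_component="SMTP" log_subtype="Allowed" sender="mschravenriemer@yahoo.de" recipient="fabio@marziani.it" subject=": Fwd: Wire Transfer Payment" message_id="1l4GeQ-0000Wk-ET-1611637951" email_size="1899852" action="QUEUED" reason="Email has been accepted by Device and queued for scanning." host="yahoo.de" src_ip="74.6.128.84" src_country="USA" src_zone="WAN"
2021-01-26 06:12:49 messageid="18035" log_type="Anti-Spam" log_component="SMTP" log_subtype="Allowed" sender="firewall@marziani.it" recipient="mschravenriemer@yahoo.de" subject="Malware detected!" message_id="3wpqgP-iGq7Jv-54" email_size="15877" action="DELIVERED" reason="Email has been delivered to recipient(s)." host="marziani.it" src_ip="" src_country="" src_zone=""
2021-01-26 07:00:02 messageid="18040" log_type="Anti-Spam" log_component="SMTP" log_subtype="Allowed" sender="firewall@marziani.it" recipient="fabio@marziani.it" subject="Malware detected!" message_id="constructed-0001" email_size="14000" action="DELIVERED" reason="Email has been delivered to recipient(s)." host="marziani.it" src_ip="" src_country="" src_zone=""
"""

TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_record(line):
    """Turn one key="value" log line into a dict; the leading timestamp is stored as 'timestamp'."""
    rec = dict(KV_RE.findall(line))
    m = TS_RE.match(line)
    rec["timestamp"] = m.group(1) if m else ""
    return rec


def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def find_notify_sender_backscatter(records, local_domains, notifier):
    """Flag notifications the firewall delivered to addresses outside local_domains.

    Each hit pairs the outbound notification with the inbound message that
    triggered it: same messageid, and the inbound sender equals the
    notification recipient (the forged envelope sender of the malware mail).
    """
    local = {d.lower() for d in local_domains}
    by_msgid = {}
    for rec in records:
        by_msgid.setdefault(rec.get("messageid", ""), []).append(rec)

    hits = []
    for rec in records:
        if rec.get("sender", "").lower() != notifier.lower():
            continue
        if rec.get("action") != "DELIVERED":
            continue
        rcpt = rec.get("recipient", "")
        if domain_of(rcpt) in local:
            continue  # notification to an internal mailbox: expected behaviour
        trigger = next(
            (t for t in by_msgid.get(rec.get("messageid", ""), [])
             if t is not rec and t.get("sender", "").lower() == rcpt.lower()),
            None,
        )
        hits.append({
            "notified_at": rec["timestamp"],
            "recipient": rcpt,
            "subject": rec.get("subject", ""),
            "trigger_subject": trigger.get("subject", "") if trigger else None,
            "trigger_src_ip": trigger.get("src_ip", "") if trigger else None,
            "trigger_zone": trigger.get("src_zone", "") if trigger else None,
        })
    return hits


if __name__ == "__main__":
    for hit in find_notify_sender_backscatter(
            parse_log(SAMPLE_LOG), {"marziani.it"}, "firewall@marziani.it"):
        print(hit)
```

Run against the sample, only the notification to mschravenriemer@yahoo.de is reported, together with the source IP and zone of the inbound "Wire Transfer Payment" message that triggered it; the notification to fabio@marziani.it is skipped because its recipient is local. Any hit at all means the policy still notifies external senders, which is the setting the thread ends by disabling.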