Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 5 replies
  • Answers 1 answer
  • Subscribers 27 subscribers
  • Views 1400 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Strange XG 18 Mail Log Entries

Fabio Marziani

I don't understand the two entries below:
1) mschravenriemer@yahoo.de (whe dont'know who is) send a message dropped by firewall (nothing strange).

2) firewall@ourdomain.it send a message to mschravenriemer@yahoo.de with subject malware detected.
    This is very strange.
    firewall@ourdomain.it is the mail address used by XG to send notification, but it should send to an internal address not to external address.
    The mail server isn't an open relay.
    The frontend mail server has not recived the message.



This thread was automatically locked due to age.
Parents Reply Children
  • 0 in reply to emmosophos

    As stated before I don't know nor recognize mschravenriemer@yahoo.de.
    As suggested I have checked the log but I don't have found nothing interesting (as far as I know).

    I don't know what option in XG allow send mail notification to spammer.
    I don't know even if this option exists.
    If exists is not well configured; it sends information to spammer/attacker.

    The information in the log are
    For message sent from firewall:

    2021-01-26 06:12:49
    Emailusergpid="0"
    messageid="18035"
    log_type="Anti-Spam"
    log_component="SMTP"
    log_subtype="Allowed"
    status=""
    fw_rule_id="N/A"
    user=""
    policy_name="None"
    sender="firewall@marziani.it"
    recipient="mschravenriemer@yahoo.de"
    subject="Malware detected!"
    message_id="3wpqgP-iGq7Jv-54"
    email_size="15877"
    action="DELIVERED"
    reason="Email has been delivered to recipient(s)."
    host="marziani.it"
    domain=""
    src_ip=""
    src_country=""
    dst_ip=""
    dst_country=""
    protocol="TCP"
    src_port="0"
    dst_port="0"
    bytes_sent="0"
    bytes_received="0"
    quarantine_reason="Other"
    src_zone=""
    dst_zone=""
    app_name=""

    For initial message:
    2021-01-26 06:12:31
    Emailusergpid="0"
    messageid="18035"
    log_type="Anti-Spam"
    log_component="SMTP"
    log_subtype="Allowed"
    status=""
    fw_rule_id="N/A"
    user=""
    policy_name="None"
    sender="mschravenriemer@yahoo.de"
    recipient="fabio@marziani.it"
    subject=": Fwd: Wire Transfer Payment"
    message_id="1l4GeQ-0000Wk-ET-1611637951"
    email_size="1899852"
    action="QUEUED"
    reason="Email has been accepted by Device and queued for scanning."
    host="yahoo.de"
    domain=""
    src_ip="74.6.128.84"
    src_country="USA"
    dst_ip=""
    dst_country=""
    protocol="TCP"
    src_port="34423"
    dst_port="0"
    bytes_sent="0"
    bytes_received="0"
    quarantine_reason="Other"
    src_zone="WAN"
    dst_zone=""
    app_name=""