
outbound Email qurantined for one of three domains

hi,

Hi,

I have an XG430 (SFOS 17.5.14 MR-14-1) in MTA mode. I am scanning three domains from it. The email server is placed in the DMZ.
Today, all of a sudden, when users of one domain try to send email to anyone outside the domain, the email is quarantined. When I release it from quarantine,
the email is sent.

The email header shows the following:

X-Sophos-OBS: success
X-CTCH-PVer: 0000001
X-CTCH-Spam: Confirmed
X-CTCH-VOD: Unknown
X-CTCH-Flags: 8
X-CTCH-RefID: str=0001.0A673444.6112AB36.001A,ss=4,sh,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=8
X-CTCH-Score: 0.000
X-CTCH-ScoreCust: 0.000
X-CTCH-Rules:


The IP of the domain is not blacklisted. How can I figure out why the email was quarantined?

Please advise how to dig into it.
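The headers quoted above are the anti-spam engine's stamp on the message, and they are the quickest place to see why a message was quarantined. The following is an added example (not Sophos code and not from the original post) that parses those headers with Python's standard `email` module and reports the verdict. The sample message is constructed from the headers in the post; the reading of `X-CTCH-RefID` as comma-separated `key=value` pairs and the treatment of `Bulk`/`Suspect` as spam classes are assumptions, and the individual RefID fields are reported verbatim rather than interpreted. The same function also shows what a message that bypassed anti-spam looks like: no `X-CTCH-*` headers at all.

```python
"""Read the Sophos/CTCH anti-spam headers from a quarantined message.

Added example, not Sophos code. SAMPLE_EML is constructed from the headers
quoted in the forum post; UNSTAMPED is a constructed message with no
anti-spam headers, as a message matched by a bypass policy should look.
"""
from email import message_from_string

SAMPLE_EML = """\
From: user@example.com
To: someone@example.org
Subject: test
X-Sophos-OBS: success
X-CTCH-PVer: 0000001
X-CTCH-Spam: Confirmed
X-CTCH-VOD: Unknown
X-CTCH-Flags: 8
X-CTCH-RefID: str=0001.0A673444.6112AB36.001A,ss=4,sh,re=0.000,recu=0.000,reip=0.000,cl=4,cld=1,fgs=8
X-CTCH-Score: 0.000
X-CTCH-ScoreCust: 0.000
X-CTCH-Rules:

body
"""

UNSTAMPED = "From: a@example.com\nTo: b@example.org\nSubject: x\n\nbody\n"

# Assumption: spam classes other than "Confirmed" that the engine may emit.
SPAM_CLASSES = ("Confirmed", "Bulk", "Suspect")


def parse_refid(value: str) -> dict:
    """Split 'k=v,k=v,flag' into a dict; bare tokens (e.g. 'sh') map to True."""
    out = {}
    for tok in value.split(","):
        tok = tok.strip()
        if not tok:
            continue
        if "=" in tok:
            k, v = tok.split("=", 1)
            out[k] = v
        else:
            out[tok] = True
    return out


def ctch_verdict(raw: str) -> dict:
    """Extract the X-CTCH-* verdict fields from a raw RFC 822 message."""
    msg = message_from_string(raw)
    return {
        "scanned": "X-CTCH-Spam" in msg,          # absent => engine never stamped it
        "spam": msg.get("X-CTCH-Spam", "absent"),
        "vod": msg.get("X-CTCH-VOD", "absent"),
        "score": float(msg.get("X-CTCH-Score", "0") or 0),
        "rules": (msg.get("X-CTCH-Rules") or "").strip(),
        "refid": parse_refid(msg.get("X-CTCH-RefID", "")),
    }


def explain(v: dict) -> str:
    """One-line reading of the verdict for a troubleshooting log."""
    if not v["scanned"]:
        return "no X-CTCH headers: message was not stamped by the anti-spam engine"
    if v["spam"] in SPAM_CLASSES:
        # Empty X-CTCH-Rules with a zero score means no local rule fired;
        # the classification came from the engine itself.
        source = "engine classification" if not v["rules"] else "rules: " + v["rules"]
        return "X-CTCH-Spam=%s (ss=%s, cl=%s), source: %s" % (
            v["spam"], v["refid"].get("ss"), v["refid"].get("cl"), source)
    return "X-CTCH-Spam=%s: not classified as spam" % v["spam"]


if __name__ == "__main__":
    for name, raw in (("quarantined sample", SAMPLE_EML), ("bypassed sample", UNSTAMPED)):
        print(name + ": " + explain(ctch_verdict(raw)))
```

Run it against a message downloaded from the quarantine: a `Confirmed` verdict with empty `X-CTCH-Rules` and a zero score tells you no keyword or scoring rule fired locally, so the place to look is the engine's classification of the message (and a sample submission to Sophos Labs), not a local rule. A released message from a domain on the bypass policy should carry no `X-CTCH-*` headers at all, which is a cheap way to confirm the bypass took effect.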



  • FormerMember

    Hi,

    Thank you for reaching out to Sophos Community.

    You can filter the smtpd_main.log events by sender/recipient address.

    Or you can also filter the quarantined logs under 'Mail logs' and hover the mouse over Status to get the reason.

  • Hello Yash,

    I have created an email policy and added my 4 domains to it; I am having the issue with only 1 domain. The firewall is configured in MTA mode.

    I have checked that the policy is marking outbound email for that domain as spam; what might be the reason for that? As users were facing the issue, I created a ticket, and the support guy told me that due to bulk email from that domain it might be marked as spam. For outbound email he created a bypass anti-spam policy for that domain; by doing this, outbound emails are now getting through.

    Can I verify that my bypass policy is working? Can I cross-check it from the logs?

    Now I am facing an issue with a few inbound emails: they are quarantined for spam reasons. What I am doing: from the quarantine I download that email and submit the sample to not-spam@labs.sophos.com.

    Is this the right way of doing it?

  • FormerMember in reply to Madni Malik

    You can either check the email log event in the log viewer and check its conntrack details, or you may also check the smtpd_main.log events to get detailed information.

    > Now I am facing an issue with a few inbound emails: they are quarantined for spam reasons. What I am doing: from the quarantine I download that email and submit the sample to not-spam@labs.sophos.com.

    This is the correct way to submit samples to Sophos Labs team.

    Submit samples of phishing, spam, or false-positive emails to Sophos Labs

  • Can you please guide me on how, and what I should look at, in conntrack? How can I dig out information from smtpd_main.log in my case, as there is a lot of information in smtpd_main.log? Can you please help me get an understanding of smtpd_main.log and of troubleshooting email-related issues? Sophos marks emails as spam, but I am not able to get the detail of what marked them as spam: due to a keyword or what?

  • Emails from a few domains are quarantined. I have to release them manually. I have checked: those email domains' reputation is not bad, nor are their IPs blacklisted. It is very hectic; I have to release emails manually, and there is a chance that some spam email is also released. How can I get rid of this without adding those domains to the anti-spam bypass policy?