Guest User!

You are not Sophos Staff.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 7 replies
  • Subscribers 3 subscribers
  • Views 1671 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Antispam Expression Filter funktioniert nur sporadisch

Thomas Knauff

Hallo zusammen,

bei uns schlagen jede Menge emails mit Betreff "xxxxx.de Final Notice" auf.
Bei allen steht im Body u.A.: der Text "Domain Seo Service Registration" - da habe ich den mal in den Expression Filter eingetragen.

Es werden aber nicht alle emails die diesen Text enthalten in Quarantäne geschickt, mehr als 50% kommen einfach durch.

Wen ich eine von diesen zugestellten eMails dann an eine meiner "externen" eMail-Adressen schicke und von dort wieder zurück fängt die UTM die ab! Jetzt greift der Filter!

Kennt jemand das Problem ?

gruss

Thomas

 

UTM 9.601-5 auf SG 330



This thread was automatically locked due to age.
Parents
  • 0

    Moin,

     

    nein, das Problem kenne ich nicht. Falls sehr viel Spam aufkommt, könntest Du vielleicht versuchen, weitere RBLs hinzuzufügen:

     

    bl.spamcop.net
dnsbl-1.uceprotect.net
ix.dnsbl.manitu.net
    b.barracudacentral.org
zen.spamhaus.org
  • 0 in reply to ThorstenSult

    Auch Moin,

    danke für den Tipp - mein Problem ist eher das ich der Kiste nicht mehr traue. Wenn schon so was einfaches wie ein Expression Filter so erratisch unterwegs ist - wie läuft dann erst der Rest von dem Antivirusgedöns.....

  • 0 in reply to Thomas Knauff

    Ein Auszug des Livelogs wäre vielleicht mal interessant, wenn so eine E-Mail durchgeht. Das Verhalten, was Du beschreibst ist jedenfalls ziemlich ungewöhnlich. Möglicherweise liegt hier auch ein Konfigurationsfehler vor.

     

    Die Email Protection ist aus meiner Sicht ziemlich vertrauenswürdig, wenn sie richtig konfiguriert ist. Dazu gehören auch der SPF-Record, Domainkeys und DMARC. Wenn zu den Antivirenengines auch noch Sandstorm aktiv ist, hat man gute Chancen, dass Schadsoftware draußen bleibt. Vieles wird aber alleine schon durch das Hinzufügen von Extra RBLS aussortiert.

  • 0 in reply to ThorstenSult

    Hier mal zwei Log-Ausschnitte
    Hier wurde die eMail abgefangen


    2019:09:18-00:59:05 utm-2 exim-in[7262]: 2019-09-18 00:59:05 H=(shuiacreate.top) [93.190.217.186]:45336 Warning: xxxxx.de profile excludes greylisting: Skipping greylisting for this message
    2019:09:18-00:59:06 utm-2 exim-in[7262]: 2019-09-18 00:59:06 [93.190.217.186] F=<info@shuiacreate.top> R=<txxxxxxx@xxxxx.de> Verifying recipient address with callout
    2019:09:18-00:59:08 utm-2 exim-in[7262]: 2019-09-18 00:59:08 1iAMR9-0001t8-1e DKIM: d=shuiacreate.top s=default c=relaxed/relaxed a=rsa-sha256 t=1568761115 [verification succeeded]
    2019:09:18-00:59:08 utm-2 exim-in[7262]: 2019-09-18 00:59:08 1iAMR9-0001t8-1e ctasd reports 'Unknown' RefID:str=0001.0A090208.5D81653C.0035,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
    2019:09:18-00:59:08 utm-2 exim-in[7262]: 2019-09-18 00:59:08 1iAMR9-0001t8-1e <= info@shuiacreate.top H=(shuiacreate.top) [93.190.217.186]:45336 P=esmtp S=18258 id=35e860f9271665595ddbb0a63a189107@ps0628.shuiacreate.top
    2019:09:18-00:59:08 utm-2 exim-in[7262]: 2019-09-18 00:59:08 SMTP connection from (shuiacreate.top) [93.190.217.186]:45336 closed by QUIT

    2019:09:18-00:59:20 utm-2 smtpd[7391]: SCANNER[7391]: 1iAMRM-0001vD-9f <= info@shuiacreate.top R=1iAMR9-0001t8-1e P=INPUT S=16735
    2019:09:18-00:59:20 utm-2 smtpd[7391]: SCANNER[7391]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="93.190.217.186" from="info@shuiacreate.top" to="txxxxxxx@xxxxx.de" subject="humandiagnosticsworldwide.com Final Notice" queueid="1iAMRM-0001vD-9f" size="16735" reason="exp" extra="Domain Seo Service Registration"
    2019:09:18-00:59:20 utm-2 smtpd[7391]: SCANNER[7391]: 1iAMR9-0001t8-1e => work R=SCANNER T=SCANNER
    2019:09:18-00:59:20 utm-2 smtpd[7391]: SCANNER[7391]: 1iAMR9-0001t8-1e Completed

     


    Hier ging sie durch
    2019:09:18-21:37:41 utm-2 exim-in[30441]: 2019-09-18 21:37:41 H=(topsawcare.top) [109.236.49.5]:60786 Warning: xxxxx.de profile excludes greylisting: Skipping greylisting for this message
    2019:09:18-21:37:41 utm-2 exim-in[30441]: 2019-09-18 21:37:41 [109.236.49.5] F=<info@topsawcare.top> R=<txxxxxxx@xxxxx.de> Verifying recipient address with callout
    2019:09:18-21:37:43 utm-2 exim-in[30441]: 2019-09-18 21:37:43 1iAflm-0007uz-1t DKIM: d=topsawcare.top s=default c=relaxed/relaxed a=rsa-sha256 t=1568835440 [verification succeeded]
    2019:09:18-21:37:43 utm-2 exim-in[30441]: 2019-09-18 21:37:43 1iAflm-0007uz-1t ctasd reports 'Unknown' RefID:str=0001.0A0C0215.5D828787.001D,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
    2019:09:18-21:37:43 utm-2 exim-in[30441]: 2019-09-18 21:37:43 1iAflm-0007uz-1t <= info@topsawcare.top H=(topsawcare.top) [109.236.49.5]:60786 P=esmtp S=17988 id=0de1c1a5a7944e93d618327667a08575@x9726.topsawcare.top
    2019:09:18-21:37:43 utm-2 exim-in[30441]: 2019-09-18 21:37:43 SMTP connection from (topsawcare.top) [109.236.49.5]:60786 closed by QUIT

    2019:09:18-21:37:50 utm-2 smtpd[30462]: SCANNER[30462]: 1iAflu-0007vK-AY <= info@topsawcare.top R=1iAflm-0007uz-1t P=INPUT S=16493
    2019:09:18-21:37:50 utm-2 smtpd[30462]: SCANNER[30462]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="109.236.49.5" from="info@topsawcare.top" to="txxxxxxx@xxxxx.de" subject="humasens.com Final Notice" queueid="1iAflu-0007vK-AY" size="16493"
    2019:09:18-21:37:50 utm-2 smtpd[30462]: SCANNER[30462]: 1iAflm-0007uz-1t => work R=SCANNER T=SCANNER
    2019:09:18-21:37:50 utm-2 smtpd[30462]: SCANNER[30462]: 1iAflm-0007uz-1t Completed

     

    Und ich kann nichts erkennen was da ggfs. nicht passt

Reply
  • 0 in reply to ThorstenSult

    Hier mal zwei Log-Ausschnitte
    Hier wurde die eMail abgefangen


    2019:09:18-00:59:05 utm-2 exim-in[7262]: 2019-09-18 00:59:05 H=(shuiacreate.top) [93.190.217.186]:45336 Warning: xxxxx.de profile excludes greylisting: Skipping greylisting for this message
    2019:09:18-00:59:06 utm-2 exim-in[7262]: 2019-09-18 00:59:06 [93.190.217.186] F=<info@shuiacreate.top> R=<txxxxxxx@xxxxx.de> Verifying recipient address with callout
    2019:09:18-00:59:08 utm-2 exim-in[7262]: 2019-09-18 00:59:08 1iAMR9-0001t8-1e DKIM: d=shuiacreate.top s=default c=relaxed/relaxed a=rsa-sha256 t=1568761115 [verification succeeded]
    2019:09:18-00:59:08 utm-2 exim-in[7262]: 2019-09-18 00:59:08 1iAMR9-0001t8-1e ctasd reports 'Unknown' RefID:str=0001.0A090208.5D81653C.0035,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
    2019:09:18-00:59:08 utm-2 exim-in[7262]: 2019-09-18 00:59:08 1iAMR9-0001t8-1e <= info@shuiacreate.top H=(shuiacreate.top) [93.190.217.186]:45336 P=esmtp S=18258 id=35e860f9271665595ddbb0a63a189107@ps0628.shuiacreate.top
    2019:09:18-00:59:08 utm-2 exim-in[7262]: 2019-09-18 00:59:08 SMTP connection from (shuiacreate.top) [93.190.217.186]:45336 closed by QUIT

    2019:09:18-00:59:20 utm-2 smtpd[7391]: SCANNER[7391]: 1iAMRM-0001vD-9f <= info@shuiacreate.top R=1iAMR9-0001t8-1e P=INPUT S=16735
    2019:09:18-00:59:20 utm-2 smtpd[7391]: SCANNER[7391]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="93.190.217.186" from="info@shuiacreate.top" to="txxxxxxx@xxxxx.de" subject="humandiagnosticsworldwide.com Final Notice" queueid="1iAMRM-0001vD-9f" size="16735" reason="exp" extra="Domain Seo Service Registration"
    2019:09:18-00:59:20 utm-2 smtpd[7391]: SCANNER[7391]: 1iAMR9-0001t8-1e => work R=SCANNER T=SCANNER
    2019:09:18-00:59:20 utm-2 smtpd[7391]: SCANNER[7391]: 1iAMR9-0001t8-1e Completed

     


    Hier ging sie durch
    2019:09:18-21:37:41 utm-2 exim-in[30441]: 2019-09-18 21:37:41 H=(topsawcare.top) [109.236.49.5]:60786 Warning: xxxxx.de profile excludes greylisting: Skipping greylisting for this message
    2019:09:18-21:37:41 utm-2 exim-in[30441]: 2019-09-18 21:37:41 [109.236.49.5] F=<info@topsawcare.top> R=<txxxxxxx@xxxxx.de> Verifying recipient address with callout
    2019:09:18-21:37:43 utm-2 exim-in[30441]: 2019-09-18 21:37:43 1iAflm-0007uz-1t DKIM: d=topsawcare.top s=default c=relaxed/relaxed a=rsa-sha256 t=1568835440 [verification succeeded]
    2019:09:18-21:37:43 utm-2 exim-in[30441]: 2019-09-18 21:37:43 1iAflm-0007uz-1t ctasd reports 'Unknown' RefID:str=0001.0A0C0215.5D828787.001D,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
    2019:09:18-21:37:43 utm-2 exim-in[30441]: 2019-09-18 21:37:43 1iAflm-0007uz-1t <= info@topsawcare.top H=(topsawcare.top) [109.236.49.5]:60786 P=esmtp S=17988 id=0de1c1a5a7944e93d618327667a08575@x9726.topsawcare.top
    2019:09:18-21:37:43 utm-2 exim-in[30441]: 2019-09-18 21:37:43 SMTP connection from (topsawcare.top) [109.236.49.5]:60786 closed by QUIT

    2019:09:18-21:37:50 utm-2 smtpd[30462]: SCANNER[30462]: 1iAflu-0007vK-AY <= info@topsawcare.top R=1iAflm-0007uz-1t P=INPUT S=16493
    2019:09:18-21:37:50 utm-2 smtpd[30462]: SCANNER[30462]: id="1000" severity="info" sys="SecureMail" sub="smtp" name="email passed" srcip="109.236.49.5" from="info@topsawcare.top" to="txxxxxxx@xxxxx.de" subject="humasens.com Final Notice" queueid="1iAflu-0007vK-AY" size="16493"
    2019:09:18-21:37:50 utm-2 smtpd[30462]: SCANNER[30462]: 1iAflm-0007uz-1t => work R=SCANNER T=SCANNER
    2019:09:18-21:37:50 utm-2 smtpd[30462]: SCANNER[30462]: 1iAflm-0007uz-1t Completed

     

    Und ich kann nichts erkennen was da ggfs. nicht passt

Children
  • 0 in reply to Thomas Knauff

    Ok, zeig nochmal bitte den Inhalt der E-Mail, die durchgegangen ist. Screenshot z.B.

  • 0 in reply to ThorstenSult

    ok - here we go:

     

    Textauschnitt per Cut & Paste:

    This important expiration notification notifies you about the expiration notice of your domain registration for xxxxxxx.com search engine optimization submission. The information in this expiration notification may contain legally privileged information from the notification processing department of the Domain Seo Service Registration to our search engine traffic generator. We do not register or renew domain names. We are selling traffic generator software tools. This information is intended for the use of the individual(s) named above.
    If you fail to complete your domain name registration xxxxxxxxx.com search engine optimization service by the expiration date, may the dismissal of this search engine optimization domain 

     

    Hier die Definition in der UTM: 

     

    Und genau die eMail habe ich dann an eine externe web.de Adresse geschickt und von dort wieder zurück - hier das Log

    2019:09:19-14:14:19 utm-2 exim-in[17527]: 2019-09-19 14:14:19 H=mout.web.de [212.227.15.3]:51673 Warning: xxxxx.de profile excludes greylisting: Skipping greylisting for this message
    2019:09:19-14:14:20 utm-2 exim-in[17527]: 2019-09-19 14:14:20 [212.227.15.3] F=<txxxxx@web.de> R=<txxxxxx@xxxxx.de> Verifying recipient address with callout
    2019:09:19-14:14:25 utm-2 exim-in[17527]: 2019-09-19 14:14:25 1iAvKK-0004Yh-39 DKIM: d=web.de s=dbaedf251592 c=relaxed/simple a=rsa-sha256 t=1568895259 [verification succeeded]
    2019:09:19-14:14:25 utm-2 exim-in[17527]: 2019-09-19 14:14:25 1iAvKK-0004Yh-39 ctasd reports 'Unknown' RefID:str=0001.0A0C0202.5D837121.0034,ss=1,re=0.000,recu=0.000,reip=0.000,cl=1,cld=1,fgs=0
    2019:09:19-14:14:25 utm-2 exim-in[17527]: 2019-09-19 14:14:25 1iAvKK-0004Yh-39 <= txxxxxx@web.de H=mout.web.de [212.227.15.3]:51673 P=esmtps X=TLSv1.2:DHE-RSA-AES128-GCM-SHA256:128 S=6212 id=trinity-4d166836-6442-48ec-9fd9-666d5265728e-1568895259421@msvc-mesg-web004
    2019:09:19-14:14:25 utm-2 exim-in[17527]: 2019-09-19 14:14:25 SMTP connection from mout.web.de [212.227.15.3]:51673 closed by QUIT

    2019:09:19-14:14:27 utm-2 smtpd[17342]: SCANNER[17342]: 1iAvKN-0004Vi-Kb <= txxxxxx@web.de R=1iAvKK-0004Yh-39 P=INPUT S=3542
    2019:09:19-14:14:27 utm-2 smtpd[17342]: SCANNER[17342]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="212.227.15.3" from="txxxxxxx@web.de" to="txxxxxx@xxxxx.de" subject="Re: WG: humasens.com Final Notice" queueid="1iAvKN-0004Vi-Kb" size="3542" reason="exp" extra="Domain Seo Service Registration"
    2019:09:19-14:14:27 utm-2 smtpd[17342]: SCANNER[17342]: 1iAvKK-0004Yh-39 => work R=SCANNER T=SCANNER
    2019:09:19-14:14:27 utm-2 smtpd[17342]: SCANNER[17342]: 1iAvKK-0004Yh-39 Completed

     

    in Quarantäne!

     

  • 0 in reply to Thomas Knauff

    Mhh, scheint tatsächlich ein Bug zu sein.

Share Feedback
×

Submitted a Tech Support Case lately from the Support Portal?

Unfiltered HTML