Mail Being blocked as SPAM

Hello,

yesterday i had the same Problem

Mails from co.uk are marked as SPAM (confirmed)

I created an exception rule for *@*.co.uk. So we can recieve the Mails from our businesspartner.

I also talked with the german Sophos Support and telled that mails are blocked and that my suggestion is that this might come from a bad Pattern.

Firmware : 9.601-5

Pattern: 161489

Greetings

I can confirm this behaviour, most of emails blocked/classified as spam are coming from .co.uk domains

Didn't work for me either .

Major nightmare as the mails are all going to quarantine, and we are having to release these manually as some clients are getting 1750 mails a day, i cant get the client to release them as no member of staff is trusted to look through all the directors emails (GDPR), and certainly we are not letting directors lose on the UTM (I just clicked everything but nothing worked story...)

HELP !!!!!

Has it worked for you?

renaming the cache directory/file seems to be be critical part

Should restarting the complete unit not clear the cache though  ..? Does anyone know ?

I had files in the /var/cache/ctasd directory dating back to 2015 - the unit has been rebooted multiple times since then so don't think it would have worked. I wasn't in a position to reboot the unit at the moment due to having another site connected over it. 

restarting doesnt help - you need rename/remove the actual cache directory

Is there a document admins can use to access the UTM using Putty SSH for example to step them through the operations required ?

EDIT to say this does appear to have worked on both boxes we were seeing issues on (looks like the second box was a single false positive)

This appears to have worked on one of our boxes, mail flow now appears to be working ok. Have tried on another box and it still appears to be overblocking....go figure!

I'm sure https://community.sophos.com/kb/en-us/134082 will be updated once the renaming details filter through to Sophos Support.

There is also more info on reddit https://reddit.com/r/sophos/comments/blss4i/sophos_advisory_sophos_xg_utm_and_central_email/

Daniel,

In the meantime I managed to get through to Sophos Support on the phone and after the tech had a look at my Mail Manager and took some sample e-mails to send to the lab, he then restarted bot services but without renaming the cache folder.

I then showed him your fix and he told me it wouldn't make a difference and that he was going to escalate my case further up the Sophos tree!

It looks like some of you have had success with the fix so I'm not sure why Sophos didn't try it.

Steven

Daniel,

In the meantime I managed to get through to Sophos Support on the phone and after the tech had a look at my Mail Manager and took some sample e-mails to send to the lab, he then restarted bot services but without renaming the cache folder.

I then showed him your fix and he told me it wouldn't make a difference and that he was going to escalate my case further up the Sophos tree!

It looks like some of you have had success with the fix so I'm not sure why Sophos didn't try it.

Steven

I restarted our UTM this morning after looking at the KB that said the issue was resolved.  Also updated the FW.  Made no difference.

At the moment we are running with no Spam filtering - it's impossible to manually manage.  We have also made this change for clients - they have business to run (as do we).

I've finally had a response to the ticket I raised earlier so told them I've already fixed it. Not sure why he didn't try it as it works perfectly as it obviously flushes out the badly cached data.

Hi Daniel,

I see that Sophos have eventually caught up with you and amended their Advisory accordingly.

One question though. We are running a High Availability solution (Hot Standby). Do I run these commands on the primary appliance only, or would they need carried out on both appliances?

Many thanks,

John P

Daniel,

Yes, your fix is now on their Advisory

I have ran the commands and can confirm that they work although I had to run them twice as the first time I wasn't quick enough and by the time I had ran the command to rename the cache and then the command to restart the inbound I got an error saying inbound service was already restarted.

Ran through each command again a second time and I am now receiving Test e-mails from a hotmail.co.uk account that were previously Undeliverables.

Thanks again

WORKING AGAIN !!!

we used the following

https://community.sophos.com/kb/en-us/133645

then

https://community.sophos.com/kb/en-us/134082

using the following 

/var/mdw/scripts/ctasd_inbound stop
/var/mdw/scripts/ctasd_outbound stop
mv /var/cache/ctasd /var/cache/ctasd.old
/var/mdw/scripts/ctasd_inbound start
/var/mdw/scripts/ctasd_outbound start

Trying it on other clients now.

Good luck everyone ..

I just went through the steps on our own UTM.  Seems to have worked as emails are no longer appended with *SPAM*.

About to test on another client.

Thanks. Finally reset and appears fixed.

I missed the first link and was having trouble accessing the root as was trying to access it directly from Putty.

https://community.sophos.com/kb/en-us/133645 is important if you are unfamiliar with SSH access

Typically, I got through to support again just after I had completed the exercise and wasn't totally sure it was sorted.

Sorted!!

We ran the amended commands as per the Sophos Advisory and legitimate e-mails are no longer being wrongfully categorised as SPAM.

As we run a pair of UTM Appliances in an Active-Passive configuration, I was advised by Sophos Support to also run the commands on the standby appliance. I did this using the HA_UTILS SSH command via a Putty session.

We are in a fortunate position whereby our inbound e-mails are scanned by a pair of Cisco Ironport Mail Appliances before being forwarded to the UTM Appliances for further processing. This multi-vendor approach indeed saved us a lot of grief. Most inbound SPAM is detected and blocked by the Ironports and the UTM picks off the remaining few that make it through. Without this extra layer of defence, our situation would have been a whole lot worse.

Regards,

John P