
False positive

Dears,

      I have a strange problem: any mail sent from one specific internal mail address is reported as confirmed spam.
I have an internal network with an internal mail server with the domain @something.com, and any mail sent by one specific address, aaa@something.com, is reported as confirmed spam. This mail is quarantined by the Astaro SMTP proxy, and when I release the mails they are quarantined by the Astaro POP3 proxy and I cannot release them from Mail Manager.

Please, I need an explanation for this problem ASAP.

Thanks,
Mostafa


  • It sounds like this matches a pattern in your 'Sender blacklist'.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Dear Bob,

           Thanks for your reply, but I made a search and I did not find any matching pattern.
    Can you please provide me any other possible causes for this problem?
    And I want to release the quarantined mails in the POP3 proxy through Mail Manager but I can't.
    Please, there are a lot of important quarantined mails and I want to release them, as these mails were sent by my manager [:O] oooh GOD with me. [:)]

    Thanks,
    Mostafa
  • Mostafa, you should be able to view the emails in Mail Manager. After you've made any necessary responses to your boss, you can set things up to work correctly.  I'm on my iPhone at present, so I'll write about fixing your setup in a different post. 

    Cheers - Bob
     
  • You could add exceptions in both the SMTP and POP3 Proxies for your boss's email address - at least the emails should then go through.

    But, that doesn't tell us what the error might be.  What do you see in the POP3 and SMTP logs for one of the improperly-quarantined emails?

    I'm confused that an email released from your SMTP Quarantine would then be quarantined by the POP3 Proxy.  Normally, the SMTP Proxy is used to protect a mail server (usually internal), while the POP3 Proxy is used to protect internal clients of external mail servers.  If you've only recently made changes, perhaps you would want to explain.

    Cheers - Bob
     
  • Dear Bob,

          Please find the SMTP log below:
    2011:08:04-19:36:20 asg smtpd[22718]: SCANNER[22718]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="" from="" to="" subject="" queueid="1Qp0uC-0005uQ-Ek" size="29287" reason="as" extra="confirmed"

    2011:08:04-19:36:20 asg smtpd[22718]: SCANNER[22718]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="" from="" to="" subject="" queueid="1Qp0uC-0005uQ-EU" size="29287" reason="as" extra="confirmed"


    2011:08:04-19:36:20 asg smtpd[22718]: SCANNER[22718]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="" from="" to="" subject="" queueid="1Qp0uC-0005uQ-Ee" size="29287" reason="as" extra="confirmed"


    2011:08:04-19:36:20 asg smtpd[22718]: SCANNER[22718]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="" from="" to="" subject="" queueid="1Qp0uC-0005uQ-Eh" size="29287" reason="as" extra="confirmed"


    2011:08:04-19:36:20 asg smtpd[22718]: SCANNER[22718]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="" from="" to="" subject="" queueid="1Qp0uC-0005uQ-Eb" size="29287" reason="as" extra="confirmed"


    2011:08:04-19:36:20 asg smtpd[22718]: SCANNER[22718]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="" from="" to="" subject="" queueid="1Qp0uC-0005uQ-EY" size="29287" reason="as" extra="confirmed"

    And this is some of the POP3 proxy log:
    2011:08:02-12:28:28 asg pop3proxy[12997]: id="1101" severity="info" sys="SecureMail" sub="pop3" name="email quarantined" from="" to="" subject="" size="40365" srcip="0.0.0.0" dstip="" uid="fM(%22!:IX%22!X8W%22!G#E!!" ident="0/12997-1-1312277308" reason="as" extra="confirmed"

    2011:08:02-13:36:08 asg pop3proxy[16989]: id="1101" severity="info" sys="SecureMail" sub="pop3" name="email quarantined" from"" to="" subject="" size="38852" srcip="0.0.0.0" dstip="" uid="7;@!!->'%22!Pca%22!FjD%22!" ident="0/16989-25-1312281368" reason="as" extra="confirmed"

    Does the output in red make any sense to you?
    About the POP3 proxy: if I have an internal mail server and do not use any external mail server, should I disable the POP3 proxy?

    I did not make any changes recently. I think that the exception solution will be acceptable to me temporarily, BUT the most important thing is how to release the quarantined mail in the POP3 proxy.
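    Added example, not part of the original thread: a small Python parser for the key="value" layout of the SMTP and POP3 proxy lines posted above, which groups "email quarantined" events by proxy, reason and extra so the two proxies can be compared. The sample lines are constructed (the queue IDs are placeholders), and the field layout is assumed from the posted lines only.

```python
import re
from collections import Counter

# Constructed sample lines in the same layout as the posted logs.
SAMPLE_LOG = '''\
2011:08:04-19:36:20 asg smtpd[22718]: SCANNER[22718]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="" from="" to="" subject="" queueid="EXAMPLE-QUEUE-1" size="29287" reason="as" extra="confirmed"
2011:08:04-19:36:20 asg smtpd[22718]: SCANNER[22718]: id="1001" severity="info" sys="SecureMail" sub="smtp" name="email quarantined" srcip="" from="" to="" subject="" queueid="EXAMPLE-QUEUE-2" size="29287" reason="as" extra="confirmed"
2011:08:02-13:36:08 asg pop3proxy[16989]: id="1101" severity="info" sys="SecureMail" sub="pop3" name="email quarantined" from"" to="" subject="" size="38852" srcip="0.0.0.0" dstip="" reason="as" extra="confirmed"
2011:08:04-19:36:21 asg smtpd[22718]: constructed line without a quarantine event
not a log line at all
'''

# Timestamp, host, daemon[pid]: at the start of every line.
HEADER = re.compile(r'^(\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (\S+) (\w+)\[\d+\]:')
# key="value"; the '=' is optional so a damaged pair such as from"" still parses.
FIELD = re.compile(r'(\w+)=?"([^"]*)"')


def parse_line(line):
    """Return the line's fields as a dict, or None if it has no log header."""
    head = HEADER.match(line)
    if not head:
        return None
    fields = dict(FIELD.findall(line))
    fields["timestamp"], fields["daemon"] = head.group(1), head.group(3)
    return fields


def quarantine_events(text):
    """All parsed records whose name field is 'email quarantined'."""
    records = (parse_line(line) for line in text.splitlines())
    return [r for r in records if r and r.get("name") == "email quarantined"]


def summarize(events):
    """Count events per (proxy, reason, extra) triple."""
    return Counter((e.get("sub"), e.get("reason"), e.get("extra")) for e in events)


if __name__ == "__main__":
    events = quarantine_events(SAMPLE_LOG)
    for key, count in summarize(events).items():
        print(count, key)
    for e in events:
        print(e["timestamp"], e["daemon"], "srcip=%r size=%s" % (e.get("srcip"), e.get("size")))
```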
  •  if I have internal mail server and do not use any external mail server should I disable POP3 proxy?

    There's no reason to have the POP3 Proxy enabled for mail coming from an internal server protected by the SMTP Proxy.  I don't understand how you were able to configure this to cause mail to come from 0.0.0.0, but you definitely don't need that.

    Cheers - Bob
     
  • Hi, Bob,

       Thank you very much for your reply, but how can I release quarantined mail in the POP3 proxy?

    Thanks,
    Mostafa Aly
  • how can I release quarantined mail in pop3 proxy
    As the Astaro administrator, you can release any quarantine items using the Mail Manager under Mail Security in WebAdmin.
    __________________
    ACE v8/SCA v9.3

    ...still have a v5 install disk in a box somewhere.

    http://xkcd.com
    http://www.tedgoff.com/mb
    http://www.projectcartoon.com/cartoon/1
  • Dear Scott

          I tried this, but the mails were not released and remain as POP3 quarantines. I want to know the reason.

    Thanks for your reply,
    Mostafa
  • Have you configured the pop3 server in the pop3 proxy?

    See an explanation for how the pop3 proxy handles quarantined items based on ability to find the server in the thread at https://community.sophos.com/products/unified-threat-management/astaroorg/f/56/t/48613