Sophos XG, UTM, Cyberoam and Central Email may be quarantining legitimate emails
Sophos is investigating reports from Sophos XG, UTM, Cyberoam and Central customers that legitimate email is being quarantined.
Note: This issue seems to be mostly affecting customers with British domains (co.uk, ltd.uk, .uk).
Applies to the following Sophos product(s) and version(s)
Sophos XG, UTM, Cyberoam and Central Email
Current status
Some appliances are still reporting false positive SPAM detections due to cached lookups. Sophos has released a hotfix via a pattern update to clear the cache automatically on SG/XG appliances. This has now been released for all versions of the UTM and XG.
Note: If you are still experiencing false positive detections, the steps below will clear the cache manually for each affected product.
We also recommend reviewing the content of your quarantine to ensure that any erroneously quarantined emails are released. This can be done by either the administrator or by the end user if the respective product end user portal is enabled.
UTM –
To clear the cache manually, run the following commands as root (stop both ctasd instances first, move the cache aside, then start them again):
/var/mdw/scripts/ctasd_inbound stop
/var/mdw/scripts/ctasd_outbound stop
# keep the old cache rather than deleting it, in case support asks for it
mv /var/cache/ctasd /var/cache/ctasd.old
/var/mdw/scripts/ctasd_inbound start
/var/mdw/scripts/ctasd_outbound start
In order to review the quarantine and release any affected mail, please refer to the Mail Manager section (page 336) of the UTM Administrator Guide.
Mail Manager can be located under Email Protection > Mail Manager in the UTM user interface
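The commands above are the whole procedure, but on a production appliance two things are easy to get wrong: moving the cache while a ctasd instance is still running, and running `mv ... ctasd.old` a second time, which nests the live cache inside the existing `.old` directory instead of replacing it. The following wrapper is an added example, not part of the Sophos article or of the UTM software. It uses the paths from the article as defaults; the `CTASD_SCRIPTS` and `CTASD_CACHE` variables and the `clear_ctasd_cache` function are assumptions introduced here so the procedure can be rehearsed against a scratch directory before it is run as root on the appliance.

```shell
#!/bin/sh
# Added example (not from the Sophos article): wraps the manual UTM cache-clear
# procedure with ordering checks. CTASD_SCRIPTS / CTASD_CACHE default to the
# paths given in the article; override them to rehearse against a scratch tree.
CTASD_SCRIPTS="${CTASD_SCRIPTS:-/var/mdw/scripts}"
CTASD_CACHE="${CTASD_CACHE:-/var/cache/ctasd}"

# Apply "stop" or "start" to both ctasd instances. Returns non-zero if either
# init script fails, so the caller can decide whether it is safe to continue.
ctasd_both() {
    action="$1"
    rc=0
    for side in inbound outbound; do
        "$CTASD_SCRIPTS/ctasd_$side" "$action" || rc=1
    done
    return $rc
}

# Clear the ctasd cache: stop both instances, move the cache aside under a
# timestamped name (a fixed ".old" suffix would nest the directory on a second
# run), then start both instances again. Prints the path the cache was moved to.
# Run as root on the appliance; if stopping fails the cache is left untouched
# and the services are started again so mail flow is not interrupted.
clear_ctasd_cache() {
    if ! ctasd_both stop; then
        echo "failed to stop ctasd; cache left untouched" >&2
        ctasd_both start
        return 1
    fi
    if [ -d "$CTASD_CACHE" ]; then
        backup="$CTASD_CACHE.old.$(date +%Y%m%d%H%M%S)"
        if ! mv "$CTASD_CACHE" "$backup"; then
            echo "failed to move $CTASD_CACHE" >&2
            ctasd_both start
            return 1
        fi
        echo "$backup"
    else
        echo "no cache directory at $CTASD_CACHE; nothing moved" >&2
    fi
    ctasd_both start
}

# Usage on the appliance:  . ./clear_ctasd_cache.sh && clear_ctasd_cache
```

Because the old cache is kept under a timestamped name, the directories can be removed once the appliance has been confirmed clean, or handed to Sophos Support along with a sample of a wrongly quarantined message.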
Sophos XG Firewall:
To clear the cache manually, log in to the appliance console as admin and run the following commands (stop the antispam service before deleting the cached data, then start it again):
service antispam:stop -ds nosync
rm -rf /sdisk/as/*
rm -rf /sdisk/os/*
service antispam:start -ds nosync
In order to review the quarantine and release any affected mail, please refer to the Sophos XG Firewall online help.
SMTP Quarantine can be located under Email > SMTP Quarantine in the XG Firewall user interface
Cyberoam:
Affected customers should contact Sophos Support.
In order to review the quarantine and release any affected mail, please refer to page 41 of the Cyberoam OS Administration Guide.
Sophos Email:
No action is required to clear the cache. Services were restarted at noon on 8th May, and no new mail should be affected by this issue after that time. In order to review the quarantine for Sophos Email and release any affected mail, please refer to the Sophos Email online help.
What to do
The issue with the live lookup data has been resolved; however, some cached data may still be causing problems. Any customers still experiencing false positive detections should carry out the steps above for their affected product.
If symptoms persist after carrying out these steps, please contact Sophos Support, with a sample of the released email if possible.
Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.