Sharing Data with Sophos
When this option is enabled, statistical reports are sent to Sophos every five minutes. These reports contain information about the status of your system, the Sophos version, and key mail traffic statistics. The reports are based on log file data and do not contain actual message content or content that identifies specific mail users.
Each report contains the following entries:
- Report-Version: The version of the report format.
- Report-TimeZone: The system time zone in +-hhmm format, indicating the offset from Greenwich Mean Time (GMT).
- Report-Time: The GMT time at which the report was generated.
- Report-Last-Run-Time: The GMT time at which the last run began.
- First-Message-Scanned: The local time of the first message included in the report.
- Last-Message-Scanned: The local time of the last message included in the report.
- System-Product: The product for which the report is generated (in this case, PureMessage for Unix).
- System-Version: The version number of the product.
- System-SerialNo: The PureMessage serial number associated with the installation.
- System-Id: A string uniquely identifying this installation of the product. The string consists of the product serial number and the location ID.
- Version-PureMessage-AntiSpam-Data: The version of the AntiSpam-Data package.
- Version-PureMessage-AntiSpam-Engine: The version of the AntiSpam-Engine package.
- Version-PureMessage-AntiSpam-Utils: The version of the AntiSpam-Utils package.
- Version-PureMessage-Sophos-Data: The version of the Sophos-Data package.
- Version-PureMessage-Sophos-Engine: The version of the Sophos-Engine package.
- Version-PureMessage-Sophos-SAVI: The version of the Sophos-savi package.
- Version-PureMessage-Blocklist: The version of the Blocklist package.
- Version-PureMessage-Blocklist-Daemon: The version of the Blocklist-Daemon package.
- Version-PureMessage-Blocklist-Data: The version of the Blocklist-Data package.
- Blocker-Status: The status of the MTA-level IP blocker. This is displayed as disabled, enabled or not installed. If IP blocking is enabled, this entry also indicates whether dynamic and HELO checks have been enabled.
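An administrator reviewing what leaves the network can check a captured report against the entry list above. The following Python sketch is an added example, not part of PureMessage or Sophos tooling; it assumes entries appear one per line as "Name: value" (the page does not show the exact layout), and the sample report, including its Debug-Recipient entry, is constructed for illustration.

```python
import re

# Entry names documented on this page.
DOCUMENTED = {
    "Report-Version", "Report-TimeZone", "Report-Time", "Report-Last-Run-Time",
    "First-Message-Scanned", "Last-Message-Scanned", "System-Product",
    "System-Version", "System-SerialNo", "System-Id", "Blocker-Status",
} | {"Version-PureMessage-" + p for p in (
    "AntiSpam-Data", "AntiSpam-Engine", "AntiSpam-Utils", "Sophos-Data",
    "Sophos-Engine", "Sophos-SAVI", "Blocklist", "Blocklist-Daemon",
    "Blocklist-Data")}

ENTRY_RE = re.compile(r"([A-Za-z][A-Za-z0-9-]*):\s*(.*)")  # assumed layout
TZ_RE = re.compile(r"[+-](?:[01]\d|2[0-3])[0-5]\d")        # +-hhmm
EMAIL_RE = re.compile(r"[^\s@<>]+@[^\s@<>]+\.[A-Za-z]{2,}")

def audit_report(text):
    """Return (entries, findings); findings are (line number, reason)."""
    entries, findings = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        # The reports should not identify mail users, so flag any address.
        if EMAIL_RE.search(line):
            findings.append((n, "address-like value"))
        m = ENTRY_RE.fullmatch(line.strip())
        if not m:
            continue  # not a named entry, e.g. a per-sender-IP line
        name, value = m.group(1), m.group(2)
        if name not in DOCUMENTED:
            findings.append((n, "undocumented entry: " + name))
        elif name in entries:
            findings.append((n, "duplicate entry: " + name))
        elif name == "Report-TimeZone" and not TZ_RE.fullmatch(value):
            findings.append((n, "time zone is not +-hhmm: " + value))
        entries.setdefault(name, value)
    return entries, findings

# Constructed sample report, not real PureMessage output.
SAMPLE = """\
Report-Version: 1
Report-TimeZone: -0800
System-Product: PureMessage for Unix
Blocker-Status: enabled
Debug-Recipient: alice@example.com
Report-TimeZone: PST
"""

if __name__ == "__main__":
    for lineno, reason in audit_report(SAMPLE)[1]:
        print(f"line {lineno}: {reason}")
```

The per-sender-IP lines are only scanned for address-like strings here, because the page does not describe their field layout.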
Sender IP Information
Each report also contains a one-line entry for each sender IP address. Each line indicates the number of messages that match each of the following criteria:
- IPBlocker: total connections
- IPBlocker: connections rejected
- IPBlocker: connections accepted
- MTA: total messages
- total messages scanned for spam
- messages detected as spam
- total messages scanned for viruses
- total messages with virus detected
- total messages with suspicious attachments
- virus names detected in e-mail from this IP
SophosLabs spam analysts can use this mail traffic data to compile statistics about sender reputation, and create more comprehensive block lists.
The reports also include SXL-related data. SXL is the infrastructure that Sophos uses to submit real-time, DNS-based queries to SophosLabs regarding IP addresses, URIs within messages, and image fingerprints. Queries are triggered when the anti-spam engine has been unable to determine if a message is spam. These real-time lookups are enabled by default and provide minimal latency between the time that Sophos makes new anti-spam data available and when it is available for use by the anti-spam engine. The following data is included in each statistical report:
- frequency of anti-spam rule hits in messages that were determined to be spam or not spam
- number of messages processed
- number of messages determined to be spam before and after SXL queries
- number of messages that didn't generate SXL queries because there was no server response
- total CPU time as compared to the time spent waiting for DNS responses
- frequency of the various types of SXL queries (IP, URI, checksum, etc.)
- per-server statistics on latency, query count, query sizes, timeouts, and errors for Sophos SXL servers receiving and sending data