First off, I want to mention what a great community you have here. We've had our appliance for a month now, and all the configuration questions we had so far were easily found in this forum. With that said, I was wondering if someone can assist us with understanding how Content Filters work on an Incoming Relay.
Currently we have 2 filters configured on our IronPort. The first filter is a single condition that will drop messages based on SBRS being <= 4.0. This works fine with us as we are dropping connections when they are received by the IronPort, and this filter just basically drops emails where the CASE filter determines that there was no spam found.
Our second filter is the one we are having trouble with. We want our second filter to put emails in the IronPort Spam Quarantine when the SBRS score is between -4.0 and 1.0, and ONLY if the email has been received by the incoming relay. Currently our filter looks like this using the "only when all conditions are met" test case:
1) When the remote-ip is our internal relay (we only have one)
2) When the SBRS score is <= -1.0
3) When the SBRS score is > -4.0
Insert header X-Ironport-Quarantine value Quarantine.
This filter does not appear to be working for us, and I assume it's because when the email is parsed by the incoming relay, the "remote-ip" in our condition testing no longer takes the form of our incoming relay, but the IP address it parsed from the header. Can someone confirm if my assumption is correct, and recommend a possible solution for us?