Why spam quarantine shows me less messages (121 messages) than in overview incoming mail summary (spam detected - 160 messages)?

Other - are removed?

There could be multiple reasons for this. It depends upon your configuration. Here are the reasons to just to list a few -

1. In some mail policies you might have set Spam positive to drop and in some others you might have set to qurantine

2. If you have the end user quarantine, your end users might have released few

3. Some of the messages in the Spam quarantine might have expired.

etc.,

Without knowing your configuration we cannot telll. But the bottom line is the report shows all the caught spam number, but what all gets quarantine depends upon your configuration.

Hope this helps you.

Regards
Karthik

Dear Alibek,

Please note that the numbers in incoming mail summary will depend on the number of recipients of the messages. For  example, if there is a spam with two recipients, the number of spam detected will be increased by two.

Since reputation filtering can help to throttle/block incoming emails from hosts with bad email reputation, it can help to minimize the loading on ESA as welll as the spam quarantined for each users (less time required to scroll through the long spam summary and less spam quarantine storage required).

If you want to know the envelope sender and recipient information, you can turn on 'HAT delayed rejections' opton under CLI command 'listenerconfig->setup'. you can then log down the envelope sender and recipient addresses in mail logs and search them from GUI message tracking for rejected messages.

Please note that reputation filtering will not drop any messages, ESA only rejects the connection immediately (the sender gateway should retry later and/or send a bounce message to original sender), or rejects the messages after X recipients per hour.

You can also choose to write a content filter to take action on bad reputation hosts ("Reputation Score" filter condition) and in HAT mail flow policies, you configure ACCEPTED/THROTTLED mail flow policy for BLACKLIST sender group.

Cheers,

Tommy

if i add user to Sender Verification Exception table, reputation filter won't check this user or not?

Hello Alibek,

If you add a sender to the sender verification exemption table, it will still be filtered with SBRS.

As the connecting SMTP host/IP which handles that domain will still be checked for SBRS to match whichever mail flow policy.

As per the ironport email pipeline

Connecting Host will be checked for SBRS first

Matched against mail flow policy by sendergroup (which uses SBRS to put different senders into the respective groups)

To allow senders to not be scanned by reputation filtering, you will need to setup an alternate sender group and define the connection SMTP hostname/IP into it.

If the legitimate sender has a very poor reputation that matches the blacklist, it will be rejected as per the mail flow policy on the blacklist.

It is always necessary to create a temporary sendergroup to use the accepted mail flow policy and define the sending SMTP hostname or IP into the group if they have a poor reputation but you still want to accept their emails.

I hope this helps!

Matthew