You have to enable Anti-Spam on the outgoing policies. There is always the possibility that the particular mail message is not detected as spam. If so, you have to define an outgoing filter to capture this message.
Keep in mind that anti-spam scanning outbound is not as accurate as scanning inbound. This is because we do not have an IP to validate against. Though IPAS performs content scanning, we still attempt to utilize the source IP address as a component in the signatures, if possible. Since these would originate from an internal address, we would be missing some data. This is not to say that scanning outbound will not work, but it is just not as accurate in most cases.
I think your best bet here is to try to capture the message in question in something such as an archive. Ideally, if this is the result of a system that is compromised, you would want to isolate that system. Typically you would not want to allow individual systems direct access to the RELAYLIST sender group, but instead only allow the mail server to relay through the appliance.
I must be missing something here. Doesn't the submitted evidence show the connection came from the original poster's 10.20.2.15?
If that's a single device, why not add it to a new sender group ahead of your RELAYLIST (presuming a standard HAT) but set to BLOCKED, and if the user complains, then tell them they've just lost their relay privileges and will have to get their IT desktop support to find the cause before those privileges are restored.
If it's a whole mail system, find the admin team responsible for it and ask them what they're going to do for connectivity if you rate-limit their system. Do point out that rate-limiting does not respect the importance of the message or the sender. Tracking down the virus abusing their system is their problem, and all you can do is give them samples to work on.
In either case, mail caused by viral infection is completely unacceptable because it could potentially spread the virus further.
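The suggestion above depends on HAT evaluation order: the ESA walks the Host Access Table top-down and applies the first sender group whose entry matches the connecting IP, so a BLOCKED group only has effect on 10.20.2.15 if it sits above RELAYLIST. The following is an added illustration of that first-match rule, not ESA code and not part of the original thread; the 10.20.0.0/16 relay range, the group name INFECTED_HOSTS and the trailing catch-all ALL group are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class SenderGroup:
    """One HAT sender group: name, mail-flow policy, and member IPs/CIDRs."""
    name: str
    policy: str
    members: List[str]


def match_sender_group(hat: List[SenderGroup], source_ip: str) -> Optional[Tuple[str, str]]:
    """Return (group name, policy) for the FIRST group that matches source_ip.

    This mirrors first-match, top-down HAT evaluation: later groups are never
    consulted once an earlier one matches, which is why ordering matters.
    """
    addr = ipaddress.ip_address(source_ip)
    for group in hat:
        for member in group.members:
            # strict=False lets a bare host address like "10.20.2.15" act as a /32
            if addr in ipaddress.ip_network(member, strict=False):
                return group.name, group.policy
    return None


# Constructed HAT in the order the reply recommends: the BLOCKED group for the
# infected host sits ABOVE the relay group. Only 10.20.2.15 comes from the thread;
# the 10.20.0.0/16 relay range and the catch-all ALL group are assumed.
CORRECT_HAT = [
    SenderGroup("INFECTED_HOSTS", "BLOCKED", ["10.20.2.15"]),
    SenderGroup("RELAYLIST", "RELAYED", ["10.20.0.0/16"]),
    SenderGroup("ALL", "ACCEPTED", ["0.0.0.0/0"]),
]

# Same groups, but the BLOCKED group was appended BELOW RELAYLIST.
MISORDERED_HAT = [
    SenderGroup("RELAYLIST", "RELAYED", ["10.20.0.0/16"]),
    SenderGroup("INFECTED_HOSTS", "BLOCKED", ["10.20.2.15"]),
    SenderGroup("ALL", "ACCEPTED", ["0.0.0.0/0"]),
]


def shadowed_groups(hat: List[SenderGroup]) -> List[str]:
    """Names of groups none of whose members can ever match because an earlier
    group already covers them entirely. Useful as a sanity check after editing."""
    shadowed = []
    for i, group in enumerate(hat):
        earlier = [ipaddress.ip_network(m, strict=False)
                   for g in hat[:i] for m in g.members]
        if all(any(ipaddress.ip_network(m, strict=False).subnet_of(e) for e in earlier)
               for m in group.members):
            shadowed.append(group.name)
    return shadowed


if __name__ == "__main__":
    for hat_name, hat in (("correct", CORRECT_HAT), ("misordered", MISORDERED_HAT)):
        print(hat_name, "->", match_sender_group(hat, "10.20.2.15"),
              "shadowed:", shadowed_groups(hat))
```

With the correct ordering the infected host hits INFECTED_HOSTS/BLOCKED while the rest of 10.20.0.0/16 still relays; with the BLOCKED group placed below RELAYLIST the same host is still RELAYED and the block never fires, which `shadowed_groups` reports.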
We have configured the outside and inside interfaces with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...