Hello Ruveni,

a common way to do this is to create a new sendergroup in the HAT, use an ACCEPT or THROTTLED (recommended) policy for it, and add the IP address or hostname of the affected sender. Also make sure the new sendergroup is placed above the BLACKLIST sendergroup, otherwise the host will still be blocked (matching order is from top to bottom of the HAT).

Or, if you already have such a sendergroup above the BLACKLIST (except the WHITELIST, which you should not use because spam scanning is dissabled in there), you can add the host or IP there as well.

Important note: Domain names don't work in the HAT, it has to be an IP, IP range, or hostname

Hope that helps,

Andreas

Sometimes it is not straightforward to just let the mail pass thru' via a special policy or simply you should just let the remote host fix its reputation issue.

First, we have to make sure the incoming mta are really important to our own users and by allowing the mta to use a special policy it effective means there are more spam come thru', at least to the ironport engine. (the engine's content scanner can still drop/block/tag if you have configured it).

In our case, we have identified certain domains are legitimate sender but scores are low constantly. So we first define a mail flow policy that has "ACCEPT" behavior and has a much relaxed rate limit.

Secondly, we define a sender group to put all these domain or ip into the group.

In the HAT, we created the rule to link up the sendergroup with the policy and also we *disabled* the SBRS (sender base reputation score lookup). So practically we allow the senders to send without using reputation. Your ironport should also enable the anti-spam engine that further help identified spam mail, in case the sender ip does contain spam