|Email Plug-in (Reporting):|1.1.0-114|
|Email Plug-in (Encryption):|1.2.1-118|
In the SPAM threshold settings, what are the 'default' values equal to? I'm currently sitting at 89 for Suspected and 100 for Positive and still seeing false positives for Outgoing SPAM.
If I set the Outgoing policy to quarantine detected SPAM, who gets the notification? The recipient, a user external to our organization?
The defaults are 50/Suspect and 90/Spam.
Notification is not enabled by default; you will have to set up a content filter to be notified.
If you are trying to stop all messages from being delivered, I'd recommend a content filter with an action of "drop" applied to a new mail policy that includes the problem senders. Then place that mail policy before the default policy.
Thanks for the 50/Suspect and 90/Spam defaults.
I'm not asking how to enable notifications, I'm asking for outbound e-mails, WHO do the notifications go to?
On incoming traffic, Notifications go to the recipients, internal users.
On Outgoing, does it go to the Sender? The Recipient in most situations will be an external user.
For outgoing mail there will be no spam notifications unless you set them up.
Go to Outgoing Mail Policies, check the AntiSpam action on the default mail policy. On mine I show an action of "quarantine" for "positively identified spam".
Check Suspect Spam
Check Marketing Mail
Repeat for your other outgoing mail policies
Then check your Quarantine Notification Settings
Notifications will be sent only to those people who have received new spam emails in their end user quarantine.
I hope this helps.
In the example above, the recipient will not get notified. The sender of the positive spam will...
For outbound email, when Outgoing Mail Policy is configured to quarantine messages with Anti-Spam engine, the notification (once enabled in the Quarantine settings and scheduled to be sent) will reach the recipient's inbox.
I believe you understand that if the external user cannot access the Web UI (Quarantine) on your ESA (due to firewall rules, for instance), then delivering the ISQ notification to the external user will be in vain.
I hope this helps. If so, please consider marking this question as answered.
So reading all of this, I think it may be better to just bounce detected SPAM to the Sender on the Outgoing mail flow. In most situations this is an internal sender. I do have some domains being forwarded from one system to another via outbound policies but I think I could write content filters to get around those.
Basically I just want to scan outbound e-mails (due to compromised accounts) and I want my internal users to be notified when mail they are sending is stopped.
I would think it would make more sense in a general configuration to notify senders on outgoing mail that is detected as SPAM. Any chance of getting this changed or added as a configurable parameter?
I personally don't like notifying users (internal or external) but it is your call. If you believe they will understand the notification and take correct actions, it may be worth trying.
You could, for instance, insert a header (for outbound messages) during anti-spam scanning. Then later, in the content filters, you can check for the existence of that header and that will trigger a notification action, to whoever you want (sender, recipient, both, admins and so on).
I would advise you test this with specific users, or test users, before putting it in production.
I hope this helps.
In my environment I like to notify my internal users (18k) if I stopped their e-mail for any reason. I agree I don't want to notify external users of issues that they can't resolve anyway.
I still think by default, outgoing mail that is detected/quarantined as SPAM should notify the SENDER. In most situations that will be an internal user. It could even just go to the same Quarantine that the internal users already have access to. I use LDAP calls with our Active Directory to give internal users access to the SPAM quarantine.