Mail sent from an address which is in a HAT group with "Relay" behaviour specified will be treated as outgoing - so have the Outgoing mail policy applied. You presumably don't have media attachments blocked on your outgoing policy. Quarantines aren't necessarily exclusive to Inbound or Outbound - it depends upon the rules you've set up, so you could be putting both inbound and outbound mail into the same quarantine. If you go into the quarantine and look at a message it will tell you the reason it's there. As long as your inbound and outbound content filters have different names you should be able to see whether it was quarantined as inbound or outbound. Of course some of those messages which you see as having a "from address of someone@MyCompany.com" could be spoofed senders - try doing some message tracking on one of them and looking for the IP address it came from to check if it was really outgoing or not.
I have recently been looking into something which sounds very similar.

Looking at the Incoming Mail report (by IP) I was seeing (IP address and domain info obfuscated):

| Sender IP Address | Hostname | DNS Verified | SBRS | Last Sender Group | Total Attempted | Stopped by Reputation Filtering | Stopped as Invalid Recipients | Spam Detected | Virus Detected | Stopped by Content Filter | Total Threat | Marketing | Clean |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 10.x.x.x | No Domain Information | No | -- | 0 | 22.3k | 22.3k | 0 | 0 | 0 | 0 | 22.3k | 0 | 0 |

But this is an outgoing Exchange server on a relay policy, so:

1 - shouldn't be seeing mail blocked
2 - should be generating a lot of clean outbound traffic
3 - should probably be on the "outgoing senders" report rather than the "incoming mail" report anyway.

Which it is...

| Sender IP Address | Hostname | Spam Detected | Virus Detected | Stopped by Content Filter | Total Threat | Clean | Total Messages |
|---|---|---|---|---|---|---|---|
| 10.x.x.x | unknown domain | 0 | 0 | 158 | 158 | 28.7k | 28.8k |

We'd also had no reports of mail delay or non-delivery, and this was happening on a Saturday, when we wouldn't have been expecting large quantities of mail from this source.

Eventually tracked this down to a period when the DNS servers hosting the records for the domain which sends mail on this IP were not responding - log entries typically like:

```
Sat Jun 16 12:12:45 2012 Info: ICID 141750117 RELAY SG VOLUME_RELAYSERVERS match 10.x.x.x SBRS rfc1918
Sat Jun 16 12:12:45 2012 Warning: Received an invalid DNS Response: '' to IP looking up
Sat Jun 16 12:12:45 2012 Info: ICID 141750117 Address: <sender@senderdomain> sender rejected, envelope sender domain could not be resolved
Sat Jun 16 12:12:45 2012 Info: ICID 141750117 close
```

The repeated retrying of the same messages over a period of around 10 hours added up to the 22.3k rejections.

It looks like in this instance the failure is being recorded under "Incoming Mail" instead of "Outgoing Senders" despite the IP being in a relay sender group.

Hope this helps - maybe a few clues for what to look for in your logs if nothing else.
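To look for the pattern described in the post above, the following added example (not part of the original posts and not vendor code) correlates each ICID's sender-group line with any "envelope sender domain could not be resolved" rejection and counts them per relay host. The line shapes are taken from the log excerpt quoted in the post; the IPs, ICIDs and domains in the sample are constructed.

```python
import re
from collections import Counter, defaultdict

SG_RE = re.compile(r"ICID (\d+) (\w+) SG (\S+) match (\S+)")
REJ_RE = re.compile(r"ICID (\d+) Address: <([^>]*)> sender rejected, "
                    r"envelope sender domain could not be resolved")
CLOSE_RE = re.compile(r"ICID (\d+) close")

# Constructed sample lines, shaped like the excerpt in the post.
SAMPLE_LOG = """\
Sat Jun 16 12:12:45 2012 Info: ICID 1001 RELAY SG VOLUME_RELAYSERVERS match 10.0.0.5 SBRS rfc1918
Sat Jun 16 12:12:45 2012 Warning: Received an invalid DNS Response: '' to IP looking up
Sat Jun 16 12:12:45 2012 Info: ICID 1001 Address: <a@sender.example> sender rejected, envelope sender domain could not be resolved
Sat Jun 16 12:12:45 2012 Info: ICID 1001 close
Sat Jun 16 12:13:45 2012 Info: ICID 1002 RELAY SG VOLUME_RELAYSERVERS match 10.0.0.5 SBRS rfc1918
Sat Jun 16 12:13:45 2012 Info: ICID 1002 Address: <a@sender.example> sender rejected, envelope sender domain could not be resolved
Sat Jun 16 12:13:45 2012 Info: ICID 1002 close
Sat Jun 16 12:14:01 2012 Info: ICID 1003 RELAY SG VOLUME_RELAYSERVERS match 10.0.0.9 SBRS rfc1918
Sat Jun 16 12:14:02 2012 Info: ICID 1003 close
"""

def relay_dns_rejections(lines):
    """Count unresolved-sender-domain rejections per (IP, sender group) and
    sender domain, for connections that matched a RELAY sender group."""
    conn = {}                    # open ICID -> (behaviour, sender group, IP)
    hits = defaultdict(Counter)  # (IP, sender group) -> sender domain counts
    for line in lines:
        if m := SG_RE.search(line):
            icid, behaviour, group, ip = m.groups()
            conn[icid] = (behaviour, group, ip)
        elif m := REJ_RE.search(line):
            # Rejections with no known sender-group line are skipped.
            behaviour, group, ip = conn.get(m.group(1), (None, None, None))
            if behaviour == "RELAY":
                hits[(ip, group)][m.group(2).rpartition("@")[2]] += 1
        elif m := CLOSE_RE.search(line):
            conn.pop(m.group(1), None)  # connection finished, drop its state
    return {key: dict(counts) for key, counts in hits.items()}

if __name__ == "__main__":
    found = relay_dns_rejections(SAMPLE_LOG.splitlines())
    for (ip, group), domains in found.items():
        for domain, n in domains.items():
            print(f"{ip} ({group}): {n} rejections, {domain} did not resolve")
```

A relay host that shows up here with a high count and a single sender domain points at DNS for that domain rather than at reputation filtering of the host.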