Skip to content


We analyze emails and separate them into categories.

In Anti-spam, you can choose actions to take in each category.

You can also choose Quarantine Settings.

Spam and bulk emails

Each email message is analyzed and given a spam score. The higher the score the more likely the message is to be spam.

Depending on their spam score, messages are split into the following categories:

  • Confirmed Spam: Messages conforming to known and verified spam patterns.
  • Bulk: Solicited messages sent using mass mailing, for example newsletters sent to a mailing list.
  • Suspected Spam: Messages that don't confirm to known and verified spam patterns, but have been identified as suspicious.

    You can adjust the suspected spam catch rate using the slider. As you slide towards higher levels, the detection becomes more aggressive. Sophos Central categorizes the suspected spam messages based on their level. For example, a message corresponding to an L3 spam level will be marked as "Suspected L3" in Message History.

    Improvements to the suspected spam slider might not be available for all customers yet.

  • Disallowed Country: Messages originating from countries configured as disallowed in your Email Security policy.

  • Disallowed Language: Messages containing the languages configured as disallowed in your Email Security policy.


For each category choose one of the following actions:

  • Quarantine: The message is held in quarantine. You can release quarantined messages when you're sure they're safe.
  • Deliver: The message is delivered to the next anti-spam feature for checking. It doesn't mean the message is sent to the user.
  • Delete: The message is deleted immediately.
  • Tag subject line: The message is tagged and delivered to the user. The tag appears at the start of the subject line in the message. You can customize the tag, using up to 30 characters.

You can also choose to send messages to End User Quarantine. See End User Quarantine.

You can submit messages to SophosLabs as "not malicious". This helps us improve our detection methods.

If a quarantined Malware/Virus or Malicious URLs message is released, the user receives a new email, with the original malicious email attached as a password-protected zip file. The new email contains the password to open the zip attachment.


If an email contains a link on the Internet Watch Foundation's criminal URL list, we're legally required to delete the email. We're also legally required not to display the link anywhere in Sophos Central, including Message History. See IWF: URL List.

We always delete these emails. We don't use the settings in your email security policies.

Default settings

The default settings are:

  • Malware/Virus: Delete
  • Malicious URLs: Quarantine
  • Confirmed Spam: Quarantine
  • Bulk: Quarantine
  • Suspected Spam: Tag subject line

We recommend you set each category to Quarantine, except Malware/Virus, which we recommend you set to Delete.

For security reasons, we'll quarantine any message with an excessively large body.