Skip to content


We analyze emails and separate them into categories.

In Anti-spam you can choose actions to take in each category.

You can also choose Quarantine Settings.

Spam and bulk emails

Each email message is analyzed and given a spam score. The higher the score the more likely the message is to be spam.

Depending on their spam score, messages are split into the following categories:

  • Confirmed Spam: Messages conforming to known and verified spam patterns.
  • Bulk: Solicited messages sent using mass mailing, for example newsletters sent to a mailing list.
  • Suspected Spam: Messages that don't confirm to known and verified spam patterns, but have been identified as suspicious.

    You can change the suspected spam catch rate using the slider.

    The lowest levels mark fewer emails as spam. As you move the slider towards the higher levels, detection becomes more aggressive. This marks more emails as spam, but increases the chances of false positives.

    We recommend you test different levels and choose the best level for your environment.


For each category choose one of the following actions:

  • Quarantine: The message is held in quarantine. You can release quarantined messages once you're sure they're safe.
  • Deliver: The message is delivered to the next anti-spam feature for checking. It doesn't mean the message is sent to the user.
  • Delete: The message is deleted immediately.
  • Tag subject line: The message is tagged and delivered to the user. The tag appears at the start of the subject line in the message. You can customize the tag, using up to 30 characters.

You can also choose to send messages to End User Quarantine. See End User Quarantine.

You can submit messages to SophosLabs as "not malicious". This helps us improve our detection methods.

If a quarantined Malware/Virus or Malicious URLs message is released, the user receives a new email, with the original malicious email attached as a password-protected zip file. The new email contains the password to open the zip attachment.


If an email contains a link on the Internet Watch Foundation's criminal URL list, we're legally required to delete the email. We're also legally required not to display the link anywhere in Sophos Central, including Message History. See IWF: URL List.

We always delete these emails. We don't use the settings in your email security policies.

Default settings

The default settings are:

  • Malware/Virus: Delete
  • Malicious URLs: Quarantine
  • Confirmed Spam: Quarantine
  • Bulk: Quarantine
  • Suspected Spam: Tag subject line

We recommend you set each category to Quarantine, except Malware/Virus, which we recommend you set to Delete.

For security reasons, we'll quarantine any message with an excessively large body.

Quarantine Settings

If you select Quarantine for a message category, messages are held until you (or another Admin) delete or release them.

If you select Include in End User Quarantine, messages can be checked, released, or deleted by your users. See End User Quarantine.

Quarantine summary messages

You can choose to send a quarantine summary message to each protected mailbox.

The message contains a table containing spam messages quarantined since the last summary message was sent. You can schedule the sending of summary messages.

You can only send quarantine summary messages to users. You can't send them to aliases, distribution lists, or public folders.

Users can release or delete quarantined spam messages by clicking the appropriate link in the quarantine summary message.

To set up quarantine summary messages do as follows:

  1. Turn on Send a quarantine summary email.
  2. Select when you want the messages sent.


    All days are selected by default. Click a day to deselect it.

  3. One time slot is shown by default. You can add up to three more by clicking Add another time. To delete a time slot, click the delete icon next to it.


    The default time slot can't be deleted.

Quarantine summary messages are sent during the 90 minutes following the defined time slot. We spread the sending of messages over time to manage server load.