Quarantine Report

Sophos UTM features an email quarantine containing all messages (SMTP and POP3) that have been blocked and redirected to the quarantine for various reasons. This includes messages waiting for delivery as well as messages that are infected by malicious software, contain suspicious attachments, are identified as spam, or simply contain unwanted expressions.

To minimize the risk that mistakenly quarantined messages (so-called false positives) are withheld, Sophos UTM sends a daily Quarantine Report to users, informing them of the messages in their quarantine. If users have several email addresses configured, they will get a Quarantine Report to the primary email address. This also applies if a user has additional POP3 accounts configured in the User Portal, provided the POP3 proxy of Sophos UTM is in prefetch mode, which allows the prefetching of messages from a POP3 server and storing them in a local database. In a Quarantine Report, users can click on any spam entry to release the message from the quarantine or to whitelist the sender for the future.

The following list contains some more information about the Quarantine Report:

  • Quarantine Reports are only sent to those users whose email address is part of a domain contained in any SMTP profile. This includes the specification in the Domains box on the SMTP > Routing tab as well as the specifications in the Domains box of any SMTP Profile.
  • If the POP3 prefetch option is disabled, quarantined messages sent to a POP3 account will not appear in the Quarantine Report. Instead, users will find the typical Sophos POP3 blocked message in their inbox. It is therefore not possible to release the message by means of the Quarantine Report or the User Portal. The only way to deliver such an email is for an administrator to download it in zip format from the Mail Manager.
  • On the Advanced tab, you define which types of quarantined mail can be released by users. By default, only spam emails can be released from the quarantine. Messages quarantined for other reasons, for example because they contain viruses or suspicious file attachments, can only be released from the quarantine by an administrator in the Mail Manager of Sophos UTM. In addition, users can also review all of their messages currently held in quarantine in the Sophos User Portal.
  • If a spam email has multiple recipients, as is the case with mailing lists, when any one recipient releases the email, it is released for that recipient only, provided the email address of the mailing list is configured on the system. Otherwise the email will be sent to all recipients simultaneously. For more information, see the Define internal mailing lists option on Email Protection > Quarantine Report > Exceptions.
  • Emails sent to an SMTP email address for which no user is configured in Sophos UTM can be released (but not whitelisted) from the Quarantine Report or in the Mail Manager by an administrator. However, as this user is not configured, no access to the User Portal is possible.
  • Spam emails sent to mailing lists cannot be whitelisted.
  • Some email clients do not encode the header of an email correctly, which may result in an awkward representation of the email in the daily Quarantine Report.