If I understood your mail, you are the recipient and you are behind the set of IronPorts. EUQ sends notifications, if configured in the policies, to those recipients whenever there is quarantined email. If you have access to the quarantine, which may or may not request authentication depending on how it is configured, it should in principle show you at least some relevant info for each message, if not the whole content.
It wouldn't be the first time I have seen email crafted to appear as sent by internal systems such as the EUQ. The EUQ does not ask for confirmation whether the sender is really sending a message or not, but may need some feedback to release a quarantined message. EUQ messages to recipients list the quarantined messages and may offer release. Depending on the privileges, you may or may not see details of the quarantined messages.

If you need some insight or details, please let me know, I would gladly help. I have several years of experience with IronPort.

[email protected]

From: Benoit Panizzon via mailop <[email protected]>
To: <[email protected]>
Date: Mon, 01 Jun 2026 03:02:27 -0400
Subject: [mailop] Cisco Ironport asking RECIPIENT if their customer is sending spam?

Hi Gang

I just got a very strange email:

Received: from localhost by sma1.hc682-83.smtpi.com; 01 Jun 2026 00:42:37 +0530
Content-Type: text/html; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Message-Id: <f2f95b$9441932= mailto:[email protected] >
From: =?utf-8?q?Cisco Reporting?= < mailto:[email protected] >
Sender: mailto:[email protected]
To: panizzon@XXXX
Date: 01 Jun 2026 00:42:37 +0530
Subject: IronPort Spam Quarantine Notification

In the email, there is a link leading to: https://dh657-euq1.smtpi.com/Message which again is operated by Cisco.

Which shows an email (clearly a phishing email claiming to originate from DHL) in quarantine to my email address.

On the top right I am greeted as a user, but when I try to log in for 'advanced remediation' I need to enter a password for my email address I don't know and there is no password recovery option.

I found no way to display the email headers of that email in quarantine.

As far as I know, I did not subscribe to such a service.

But the sending email address: mailto:[email protected] has no MX but the IP points to cisco.
So to me it looks like this is a fraudulent cisco customer trying to send me spam via the cisco infrastructure, cisco noticing this is spam and asking the RECIPIENT to confirm their customer is sending spam?

But the actions don't make sense, I can only release the email (I suppose I would get it) or delete the email. There is no 'report as spam' button unless it is hidden behind the 'advanced' link which needs me to log in with my alleged cisco account.

I am inclined to consider this quarantine notification itself to be spam.

Kind regards

-Benoît Panizzon-
--
I m p r o W a r e   A G - Head of Commerce Customers
______________________________________________________
Zurlindenstrasse 29     Tel +41 61 826 93 00
CH-4133 Pratteln        Fax +41 61 826 93 01
Switzerland             Web http://www.imp.ch
______________________________________________________
_______________________________________________
mailop mailing list
mailto:[email protected]
https://list.mailop.org/listinfo/mailop

Please report any mail abuse or violation to abuse(at)jolly(dash)security(dot)tech.
