On 2026-06-01 at 09:02 +0200, Benoit Panizzon wrote: > So to me it looks like this is a fraudulent cisco customer trying to > send me spam via the cisco infrastructure, cisco noticing this is > spam and asking the RECIPIENT to confirm their customer is sending > spam? > > But the actions don't make sense, I can only release the email (I > suppose I would get it) or delete the email. There is no 'report as > spam' button unless it is hidden behind the 'advanced' link which > needs me to log-in with my alleged cisco account.
I have seen some anti-spam systems (from a different vendor) getting confused about inside vs outside. Both incoming and outgoing email flows go through the filtering system (as they should), it thinks an outgoing email is actually an incoming one, and thus sends the "quarantined message" notification to an external recipient. I suspect it may be comparing the MAIL FROM: or From: header with a list of internal domains. That this phishing likely spoofed. If it doesn't came from one of their domains, then you *must* be one of their users 😛 At least it is detecting that's a phishing... Regards _______________________________________________ mailop mailing list [email protected] https://list.mailop.org/listinfo/mailop
