Got it. Then the paradigm of the EUQ shouldn't be sending anything to external parties. The ESA works generally as an MX and the SMA hosts the quarantines, which is internal in most cases. The EUQ keeps messages that have been quarantined and sends a notification if configured to do so.
That is usually the expected configuration, but there can be a particular case where inside and outside may change depending on in and out perception. This seems (given the domains involved) to be the Cloud Email Security Service. In this case, it depends on the customer whether it is managed (by Cisco) or self-service, managed by the customer. ces.cisco.com is the subdomain Cisco used for everything Cloud Email Service while smtpi.com is basically the domain they use to align their IP address forward and reverse resolution as a canonical domain.

Re-reading the mail, I totally agree with you. Seems to be a customer who has little or no experience and, even worse, mixed up default email addresses ([email protected]), which is the one they use for managed services and serves as a placeholder on pre-configured fields when it is customer managed. That doesn't look like a potential bug being exploited.

In principle the SMA assigned for a customer usually should relay on the ESA although they have the capability to deliver email directly to the internet if firewalls enable it. I am not sure right now if they allow this or users should relay their SMA traffic via their ESA.

From: Graeme Fowler via mailop <[email protected]>
To: "mailop" <[email protected]>
Date: Mon, 01 Jun 2026 20:46:05 -0400
Subject: Re: [mailop] Cisco Ironport asking RECIPIENT if their customer is sending spam?

On 1 Jun 2026, at 18:21, J. Enrique Díaz Jolly via mailop <[email protected]> wrote:

> If I understood your mail

I don’t think you did. Unless I am very much mistaken, Benoit is logically *outside* the specific Ironport systems, which is why this is worthy of inspection. It is, most likely, a naive or inexperienced Cisco Ironport customer - or it’s a vulnerability being exploited. I very much suspect the former.

Graeme

_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop

Please report any mail abuse or violation to abuse(at)jolly(dash)security(dot)tech.
