Well, depends on the configuration and there shouldn't be any reason to confuse inside and outside unless there is an omission on the configuration where SMTP relays are defined. Even in cloud ambients, it is pretty straightforward. Even on cloud configurations, it is clear for an IronPort what is to be considered internal and what it is to be considered as external.
On the other hand, IronPorts mostly considers RFC5321.MailFrom for routing the same as the RFC5321.To; the RFC5322.From and RFC5322.To are just analysed for filtering spam and some other purposes such as some policy enforcement, SPF, DMARC etc. From: Ángel via mailop <[email protected]> To: <[email protected]> Date: Mon, 01 Jun 2026 22:00:33 -0400 Subject: Re: [mailop] Cisco Ironport asking RECIPIENT if their customer is sending spam? On 2026-06-01 at 09:02 +0200, Benoit Panizzon wrote: > So to me it looks like this is a fraudulent cisco customer trying to > send me spam via the cisco infrastructure, cisco noticing this is > spam and asking the RECIPIENT to confirm their customer is sending > spam? > > But the actions don't make sense, I can only release the email (I > suppose I would get it) or delete the email. There is no 'report as > spam' button unless it is hidden behind the 'advanced' link which > needs me to log-in with my alleged cisco account. I have seen some anti-spam systems (from a different vendor) getting confused about inside vs outside. Both incoming and outgoing email flows go through the filtering system (as they should), it thinks an outgoing email is actually an incoming one, and thus sends the "quarantined message" notification to an external recipient. I suspect it may be comparing the MAIL FROM: or From: header with a list of internal domains. That this phishing likely spoofed. If it doesn't came from one of their domains, then you *must* be one of their users 😛 At least it is detecting that's a phishing... Regards _______________________________________________ mailop mailing list mailto:[email protected] https://list.mailop.org/listinfo/mailop Please report any mail abuse or violation to abuse(at)jolly(dash)security(dot)tech.
_______________________________________________ mailop mailing list [email protected] https://list.mailop.org/listinfo/mailop
