Hi

> If I understood your mail, you are the recipient and you are behind
> the set of IronPorts. EUQ sends notification if configured in the
> policies to those recipients whenever there is quarantined email. In
> principle, if you have access to the quarantine, which may or may not
> request authentication depending on how it is configured, it should
> in principle show you at least some relevant info for each message if
> not the whole content.

I, as the recipient, do not use the services of Cisco IronPort.

I received a notification that a phishing email sent to me over Cisco
IronPort was being quarantined, and I was asked to access the quarantine
to choose between the two actions of 'release' or 'delete' for the email.

The email was being displayed, but no headers, so there was no way to determine
how it was transmitted. On the top right I could see that I apparently
have an account with which I would be able to log in and choose further
actions. Following that link I was presented a log-in page where I
could log in with my email address and password, a password unknown to
me and with no option to recover the password.

So to me it looks like either the credentials of a Cisco IronPort
customer were compromised to send phishing emails, their filter
correctly noticed this was malicious but, instead of notifying the
account owner or the Cisco abuse desk, sent a quarantine notice to the
intended target of those phishing emails - or something different went
completely wrong.

> It wouldn't be the first time I see crafted email to appear as sent
> by internal systems such as the EUQ.

Source looks legitimate to me.

Received: from esa2.hc682-83.smtpi.com (esa2.hc682-83.smtpi.com [23.90.103.73])
        by mail.woody.ch (Postfix) with ESMTP id E56B43F682
        for <panizzon@****>; Sun, 31 May 2026 22:28:59 +0200 (CEST)
Message-Id: <[email protected]>
From: =?utf-8?q?Cisco Reporting?= <[email protected]>
Sender: [email protected]
To: panizzon@***
Date: 01 Jun 2026 00:42:37 +0530
Subject: IronPort Spam Quarantine Notification

Link to quarantined email points to: https://dh657-euq1.smtpi.com/
which also points to an IP address belonging to Cisco.

> The EUQ does not ask for confirmation whether the sender is really
> sending a message or not but may need some feedback to release a
> quarantined message.

Why should I as the recipient of a phishing email sent by a Cisco
customer get asked if I want to release that email?

> EUQ messages to recipients list the quarantined messages and may
> offer release. Depending on the privileges you may or may not see
> details of the quarantined messages.

Probably I would have needed to know my password to see further
details. I was presented basic email headers and the content, but no
full headers by which I could have determined the original source IP.

> If you may need some insight or details, please let me know, I would
> gladly help. I have several years of experience with IronPort.
> [email protected]

Kind regards

-Benoît Panizzon-
-- 
I m p r o W a r e   A G    -    Head of Commercial Customers
______________________________________________________

Zurlindenstrasse 29             Tel  +41 61 826 93 00
CH-4133 Pratteln                Fax  +41 61 826 93 01
Switzerland                     Web  http://www.imp.ch
______________________________________________________
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
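As an added example (not code from the thread or from Cisco), a small Python script that automates the sanity checks made above on a quarantine notice: it unfolds and parses the top Received header pasted in the mail, checks that the HELO name agrees with the reverse-DNS name the receiving MTA recorded, and checks that the notice link's domain matches the relay's domain. The two-label registrable-domain helper and the NOTICE_LINK constant are assumptions; the sender addresses are left out because they are masked in the post.

```python
import re
from urllib.parse import urlsplit

# Headers as pasted in the mail above; the recipient address is masked as in the original.
RAW_HEADERS = """\
Received: from esa2.hc682-83.smtpi.com (esa2.hc682-83.smtpi.com [23.90.103.73])
        by mail.woody.ch (Postfix) with ESMTP id E56B43F682
        for <panizzon@****>; Sun, 31 May 2026 22:28:59 +0200 (CEST)
Subject: IronPort Spam Quarantine Notification
"""
# Link the notice pointed to, as given in the mail above.
NOTICE_LINK = "https://dh657-euq1.smtpi.com/"

# "from <helo> (<rdns> [<ip>]) by <host>" as written by Postfix.
RECEIVED_RE = re.compile(
    r"^Received:\s+from\s+(?P<helo>\S+)\s+\((?P<rdns>[^\s\[\]]+)?\s*\[(?P<ip>[^\]]+)\]\)"
    r"\s+by\s+(?P<by>\S+)", re.M)


def parse_received(raw):
    """Unfold continuation lines and parse the top-most Received header."""
    unfolded = re.sub(r"\r?\n[ \t]+", " ", raw)
    m = RECEIVED_RE.search(unfolded)
    if not m:
        return None
    return {k: m.group(k) for k in ("helo", "rdns", "ip", "by")}


def org_domain(host, labels=2):
    """Crude registrable domain: last N labels (assumption: no public-suffix list)."""
    return ".".join(host.lower().rstrip(".").split(".")[-labels:])


def check_notice(raw, link):
    """Return the parsed relay and a dict of consistency findings (True = consistent)."""
    rcvd = parse_received(raw)
    parts = urlsplit(link)
    link_host = parts.hostname or ""
    findings = {
        # Relay announced the same name that its IP resolves back to.
        "helo_matches_rdns": rcvd is not None
        and rcvd["helo"].lower() == (rcvd["rdns"] or "").lower(),
        # The quarantine link lives in the same domain as the relay that sent the notice.
        "link_domain_matches_relay": rcvd is not None
        and org_domain(link_host) == org_domain(rcvd["helo"]),
        "link_is_https": parts.scheme == "https",
    }
    return rcvd, findings
```

A notice whose link points outside the relay's domain, or whose relay HELO name disagrees with its reverse DNS, is the case to escalate rather than click through.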