Quarantine Management

The quarantine can be found by clicking the My Organization tab. It contains a trace of messages blocked by our Content-level filtering rules. By default, messages are kept in the quarantine for 14 days. This can be changed by editing the General Parameters.


Information Display

Here are the various quarantine column headers and what they mean:

COLUMN NAME | DETAILS
S | The Status of the email. By default this field is empty. Other possible statuses are: R = Released, D = Deleted.
From | The sender's address. Cumulus can show the SMTP-From address, From Name, Content-From address, and Reply-to (in that order).
To | The recipient's address. Cumulus can show the SMTP-From address, From Name, and Content-From address (in that order).
Subject | Clicking the subject shows the email content. Hovering over the subject gives a preview of the message content.
Date | Date/time the message was sent. Messages sent today only display the time. By default, the quarantine is sorted by date, showing the most recent messages first.
Score | Details of what caused the message to be blocked.

Spam Score

The Score column is meant to help you decide whether the message is legitimate. It is made up of a numerical Score value along with a visual indicator. The indicator is either a coloured dot or one or more icons.

We first need to clear up what the numerical Score value means. The Score is generated by our Content filtering rules based on features they identify in the email. Each rule that hits applies its corresponding score value and, at the end of the Content filtering phase, the scores are totalled into a final Score value that is displayed in the quarantine. In more practical terms, you will tend to find messages with scores between -9.9 and 14.9. Any message with a score of 15.0 or more will be destroyed and won't show in the quarantine (but can be found in the Communication Logs).

  • What does the Score mean? It's the probability that the message is undesirable. The higher the Score, the more indicators we have that the message is spam. 
  • At what value of Score do we start blocking emails? 4.0
  • Why are emails with negative scores blocked? The score is only part of the picture and other features may mark an email as spam. You can get clues as to what feature blocked an email by looking at the associated icons.

The Score is often accompanied by a coloured dot. This dot ranges in colour from bright green to bright red. The higher the score, the closer that dot will be to a bright red. If the email has no coloured dot next to the score, this means that the message was blocked due to a reason other than just the Content features. For this, we will look at the icons.

Icons

Sometimes, just considering a message's features isn't enough to reliably block dangerous emails. It's for this reason that we have many more verifications being done during the Content filtering phase than just looking at the email's features. If a message was blocked due to one of these other verifications, the corresponding icon will show up in the Score column.

ICON MEANING
The message was blocked because it has characteristics of a phishing email.
The message was blocked because it contains at least one banned file.
The message appears to be Greymail, i.e. part of a massive commercial solicitation. This tag is not sufficient to block an email.

The message was blocked because the DMARC verification failed on the content-from domain. These emails are also tagged as Phishing.
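The following is a small model of the scoring and blocking behaviour described in the Spam Score and Icons sections, added here as an illustration and not Cumulus's own code. The rule names, per-rule score values, check names and sample messages are constructed; only the 4.0 and 15.0 thresholds and the effect of each check come from this page, and treating everything else as delivered is an assumption.

```python
from dataclasses import dataclass, field

BLOCK_AT = 4.0     # page: blocking starts at a Score of 4.0
DESTROY_AT = 15.0  # page: 15.0 or more is destroyed, never quarantined

# Checks the page says block a message on their own; Greymail is only a tag.
BLOCKING_CHECKS = {"phishing", "banned_file", "dmarc_fail"}


@dataclass
class Message:
    rule_hits: dict                           # hypothetical rule name -> score
    checks: set = field(default_factory=set)  # hypothetical check names


def total_score(msg):
    """Sum the per-rule scores, as done at the end of Content filtering."""
    return round(sum(msg.rule_hits.values()), 1)


def disposition(msg):
    """Return (outcome, score, reasons) for one message."""
    score = total_score(msg)
    checks = set(msg.checks)
    if "dmarc_fail" in checks:
        checks.add("phishing")  # page: DMARC failures are also tagged Phishing
    reasons = sorted(checks & BLOCKING_CHECKS)
    if score >= BLOCK_AT:
        reasons.append("score")
    if score >= DESTROY_AT:
        return "destroyed", score, reasons   # visible only in Communication Logs
    if reasons:
        return "quarantined", score, reasons
    return "delivered", score, reasons       # assumption: nothing else blocks it


# Constructed sample messages, one per case discussed on this page.
SAMPLES = {
    "newsletter": Message({"BULK_HEADERS": 1.2, "KNOWN_SENDER": -2.0}, {"greymail"}),
    "spoofed_invoice": Message({"KNOWN_SENDER": -2.0, "URGENT_WORDING": 0.5}, {"dmarc_fail"}),
    "pill_spam": Message({"PHARMA_TERMS": 4.5, "URL_SHORTENER": 2.3}),
    "malware_blast": Message({"PHARMA_TERMS": 4.5, "BAD_REPUTATION": 11.0}, {"banned_file"}),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, disposition(msg))
```

The `spoofed_invoice` sample shows why a message with a negative Score can still appear in the quarantine: the DMARC check blocks it regardless of the total.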

Monitoring the Quarantine

Initial Monitoring After Activation

In the first week or two after service activation, it's normal to spend more time monitoring the quarantine. A once-per-day check is normal.

During this period, look for False Positives and correct them quickly. It's normal to personalize the filtering to your needs.

If you find a blocked message you need to troubleshoot:

Most legitimate emails will have a score of 5 or less. We recommend sorting emails by score by clicking on Score and only verifying emails with a low score.

Long-Term Monitoring

Once service has been active for several weeks, it's normal to monitor the quarantine less often. A once-per-week check is normal. Some administrators check even less often. At this point, most administrators will start using the quarantine on a case-by-case basis.

The quarantine can be likened to a garbage can: most of its contents are rubbish. Just as you would not constantly sift through all your garbage, don't waste your time deleting all the spam messages from your quarantine, as the quarantine will clean itself out automatically.