Skip to content


We analyze emails and separate them into categories.

In Anti-spam, you can choose actions to take in each category.

You can also choose Quarantine Settings.

Spam and bulk emails

Each email message is analyzed and given a spam score. The higher the score the more likely the message is to be spam.

Depending on their spam score, messages are split into the following categories:

  • Confirmed Spam: Messages conforming to known and verified spam patterns.
  • Bulk: Solicited messages sent using mass mailing, for example newsletters sent to a mailing list.
  • Suspected Spam: Messages that don't confirm to known and verified spam patterns, but have been identified as suspicious.

    You can adjust the suspected spam catch rate using the slider. As you slide towards higher levels, the detection becomes more aggressive. Sophos Central categorizes the suspected spam messages based on their level. For example, a message corresponding to an L3 spam level will be marked as "Suspected L3" in Message History.

    Improvements to the suspected spam slider might not be available for all customers yet.


For each category choose one of the following actions:

  • Quarantine: The message is held in quarantine. You can release quarantined messages when you're sure they're safe.
  • Deliver: The message is delivered to the next anti-spam feature for checking. It doesn't mean the message is sent to the user.
  • Delete: The message is deleted immediately.
  • Tag subject line: The message is tagged and delivered to the user. The tag appears at the start of the subject line in the message. You can customize the tag, using up to 30 characters.

You can also choose to send messages to End User Quarantine. See End User Quarantine.

You can submit messages to SophosLabs as "not malicious". This helps us improve our detection methods.

If a quarantined Malware/Virus or Malicious URLs message is released, the user receives a new email, with the original malicious email attached as a password-protected zip file. The new email contains the password to open the zip attachment.


If an email contains a link on the Internet Watch Foundation's criminal URL list, we're legally required to delete the email. We're also legally required not to display the link anywhere in Sophos Central, including Message History. See IWF: URL List.

We always delete these emails. We don't use the settings in your email security policies.

Default settings

The default settings are:

  • Malware/Virus: Delete
  • Malicious URLs: Quarantine
  • Confirmed Spam: Quarantine
  • Bulk: Quarantine
  • Suspected Spam: Tag subject line

We recommend you set each category to Quarantine, except Malware/Virus, which we recommend you set to Delete.

For security reasons, we'll quarantine any message with an excessively large body.

Quarantine Settings

If you select Quarantine for a message category, messages are held until you (or another Admin) delete or release them.

If you select Include in End User Quarantine, messages can be checked, released, or deleted by your users. See End User Quarantine.

Quarantine summary messages

You can choose to send a quarantine summary message to each protected mailbox.

The message contains a table containing quarantined messages since the last summary message was sent. You can schedule when quarantine summary messages are sent.

You can only send quarantine summary messages to users. You can't send them to aliases, distribution lists, or public folders.

Users can release or delete quarantined spam messages by clicking the appropriate link in the quarantine summary message.

Users can only read quarantined messages and won't be able to release or delete them unless you allow users to take action on these messages. They can perform Release, Release and Allow, Delete, and Delete and Block.

To schedule when quarantine summary messages are sent, do as follows:

  1. In your Email Security policy, go to Settings > Inbound > Anti-spam > Quarantine Settings.
  2. Turn on Send a quarantine summary email.
  3. Select the appropriate time zone for your region.
  4. Select the days on which you want the messages to be sent.


    All days are selected by default. Click a day to deselect it.

  5. Select the time slots to send the quarantine summary messages.


    You can select one or more time slots. If you want your Quarantine Summary messages delivered 24/7, then select all days of the week and all hours of the day. When a time slot is selected, click again to deselect it.

  6. Click Save.

Quarantine summary messages are sent during the 90 minutes following the defined time slot. We spread the sending of messages over time to manage server load.