


Best Practice

ESS Quarantine Deferred

3 replies to this topic

#1 Mike Jephtha

  • Members
  • 4 posts

Posted 16 February 2017 - 07:58 AM

Hi - I'm relatively new to the service and want to get to grips with the day-to-day admin that seems to be required.

As a single administrator without any other IT personnel, I am having to manually clear 'deferred' or 'suspicious' messages that are actually important and from genuine senders (both internal and external).

What I'm concerned with is - who does this process when I am not here? No emails go to quarantine at the moment - is this something I should set up along with individual users so they can clear their own? Any guidance notes on what should be done?

Many thanks



#2 Michelle Exner


    BSF / BESS Moderator

  • Moderators
  • 359 posts

Posted 16 February 2017 - 11:37 AM   Best Answer

Mike,

You are going through a lot of work needlessly.

The Email Security Service (ESS) is a pass-through service that keeps a history of the last 30 days of activity.

Mail that is DEFERRED is going to be retried by the sending server, which will show up in the log at a later time (depending on the sender's retry interval).

ESS does not accept messages, scan them and then deliver them.

ESS accepts a connection from the sender, connects to the recipient's server and monitors the traffic for spam and virus content.

If ESS sees something in the traffic that is a spam or virus it stops the data transfer to the destination server but still continues to accept the entire message and shows it in the log as blocked or quarantined. ESS then sends a REJECT code to the sending server and closes the connection.

If ESS sees something in the traffic that is suspicious or that needs additional processing (virus scanning for example) then again we stop the data transfer to the destination server but still accept the full message from the sender and at the end of data return a DEFER code to the sender so they retry the message.

Incoming mail that shows as DEFERRED in the logs will be retried by legitimate senders and usually delivered the next time through the system.

For example, if you are using Advanced Threat Detection (ATD) and a message with a large attachment comes in, we may not be able to complete the scanning of the attachment in real time, so the message is deferred while the scanning continues in the background. The sender retries that message (again a new line in the logs) and the attachment that was previously scanned is instantly resolved and the mail either delivered or blocked depending on the results of the previous scan.

The same goes for suspicious mail. Someone who sends a mass mailing to thousands of our users across multiple domains is often seen as a potential spammer. We defer their mail as suspicious. If they retry the mail we will allow it through that filter and continue with our normal scanning and either deliver or block the mail based on the scanning results.

If you access your message log and search for the subject of the deferred mail you are manually delivering you should see it normally delivered later on.

Hope this helps explain the service.


Michelle Exner
Product Lead Support Engineer
Barracuda Email Security
(408) 342-5300
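The log check described in the answer above, as an added example that is not part of the original posts and is not Barracuda's code: it pairs each DEFERRED row with the later verdict for the same sender, recipient and subject, and lists only deferrals that were never retried. The CSV column names, the action labels, the sample rows and the 4-hour grace period are all assumptions made for illustration, not the real ESS message-log export format.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample rows; column names and action labels are assumptions,
# not the real ESS message-log export format.
SAMPLE_LOG = """\
time,sender,recipient,subject,action
2017-02-16 07:01:10,alice@partner.example,mike@corp.example,Q1 invoice,DEFERRED
2017-02-16 07:16:42,alice@partner.example,mike@corp.example,Q1 invoice,DELIVERED
2017-02-16 07:05:00,news@bulk.example,mike@corp.example,Big sale,DEFERRED
2017-02-16 07:35:00,news@bulk.example,mike@corp.example,Big sale,BLOCKED
2017-02-16 08:00:00,bob@vendor.example,mike@corp.example,Contract draft,DEFERRED
"""

FINAL_ACTIONS = {"DELIVERED", "BLOCKED", "QUARANTINED"}


def correlate_deferrals(log_text, now, grace=timedelta(hours=4)):
    """Match each DEFERRED row with the next final outcome for the same
    (sender, recipient, subject). Returns (resolved, waiting, stale)."""
    rows = sorted(csv.DictReader(io.StringIO(log_text)), key=lambda r: r["time"])
    pending = {}  # key -> deferral times still waiting for a retry
    resolved, waiting, stale = [], [], []
    for row in rows:
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        key = (row["sender"].lower(), row["recipient"].lower(), row["subject"])
        if row["action"] == "DEFERRED":
            pending.setdefault(key, []).append(when)
        elif row["action"] in FINAL_ACTIONS and key in pending:
            # A retry reached a final verdict; it settles all earlier deferrals.
            for deferred_at in pending.pop(key):
                resolved.append((key, row["action"], when - deferred_at))
    for key, times in pending.items():
        for deferred_at in times:
            # Only deferrals older than the grace period need a manual look.
            bucket = stale if now - deferred_at > grace else waiting
            bucket.append((key, deferred_at))
    return resolved, waiting, stale


if __name__ == "__main__":
    done, waiting, stale = correlate_deferrals(SAMPLE_LOG, datetime(2017, 2, 16, 13, 0))
    for key, action, delay in done:
        print(f"{key[2]!r}: {action} after retry, {delay} later")
    for key, deferred_at in stale:
        print(f"{key[2]!r}: deferred at {deferred_at}, no retry seen")
```
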


#3 Mike Jephtha

  • Members
  • 4 posts

Posted 17 February 2017 - 06:45 AM

That's great, thanks for the explanation Michael. I think I just need to kick back and relax!

Appreciate your help :)



#4 Alessandra Ross

  • Members
  • 1 posts

Posted 16 August 2018 - 01:24 AM

I am a user of a security software (http://guidesforemailsecurity.com/) and I love it.