One of my users attempted to forward an email from their Gmail account to their work address which is protected by the ESG. The message was blocked by the ESG with the reason ZeroHour Intent.
The first curious thing is they got a notification in Gmail that the message wasn't delivered - 554 rejected due to spam URL in content. It didn't appear to be an NDR from the Barracuda appliance, it looked like it was a message generated within the user's Gmail account. I haven't seen this before, is this expected? My appliance is configured to not send NDRs. If this is expected it kind of defeats the purpose of not sending NDRs to spammers. Again, it was blocked by the ESG (I see it logged and was able to deliver it).
The next curious thing is the user's Gmail address is whitelisted on our system yet was still blocked. I'm guessing due to the ZeroHour Intent?
The third curious thing is regarding the URL in question - when I do a content filter lookup of the URL it comes back with Business as the result. Why would the ESG see it as ZeroHour Intent but the WSG sees it as a legit business URL?
As always, thanks for any helpful info