Quarantine Management

Manage quarantined emails that have been flagged as spam or suspicious.

Overview

Mailborder's quarantine system holds suspicious emails for review instead of outright rejection, allowing:

  • Review before deletion - Verify spam detection accuracy
  • Recovery of false positives - Release legitimate emails
  • Investigation - Analyze spam patterns and threats
  • User self-service - End users can review their quarantine
  • Audit trail - Track what was quarantined and why

Quarantine Triggers

Emails are quarantined for:

  1. Spam score exceeds threshold (6.0-20.0 default)
  2. Virus detected with quarantine action
  3. Policy violations configured to quarantine
  4. GeoIP blocks from suspicious countries
  5. Failed authentication (SPF/DKIM/DMARC failures)
  6. Attachment restrictions - blocked file types
  7. Manual rules - administrator-defined

Quarantine vs Rejection

Action      When to Use                  User Experience
Quarantine  Uncertain about legitimacy   Email held for review
Reject      Obviously spam/malware       Bounce to sender
Discard     Confirmed spam               Silent drop (no notification)

Quarantine Storage

Storage Location

Quarantine directory:

ls -lh /var/spool/mailborder/quarantine/

Structure:

/var/spool/mailborder/quarantine/
├── 2025/
│   ├── 01/
│   │   ├── 13/
│   │   │   ├── abc123-spam.eml
│   │   │   ├── def456-virus.eml
│   │   │   └── ghi789-policy.eml

File naming:

<message-id>-<reason>.eml

Storage Limits

Configure quarantine limits:

# Maximum age (days)
sudo mb-config set quarantine.retention_days 30

# Maximum size (MB)
sudo mb-config set quarantine.max_size_mb 10240  # 10 GB

# Maximum messages
sudo mb-config set quarantine.max_messages 100000

Check current usage:

sudo mb-quarantine-stats --storage

Example output:

Quarantine Storage Statistics
==============================
Location: /var/spool/mailborder/quarantine/

Current Usage:
  Messages: 5,234
  Total Size: 2.3 GB
  Oldest Message: 2024-12-15 (29 days)
  Newest Message: 2025-01-13 (today)

Limits:
  Max Messages: 100,000 (5.2% used)
  Max Size: 10 GB (23% used)
  Max Age: 30 days

Auto-Cleanup: Enabled (daily at 02:00)

Listing Quarantined Emails

Basic Listing

List recent quarantined emails:

sudo mb-quarantine-list

Example output:

Message ID                       Date       From                To                  Reason    Score
─────────────────────────────────────────────────────────────────────────────────────────────────────
abc123def456                     01-13 14:23  spam@bad.com       user@example.com    spam      12.5
def789ghi012                     01-13 14:15  phish@evil.net     admin@example.com   virus     N/A
ghi345jkl678                     01-13 13:58  sender@foreign.ru  sales@example.com   geoip     8.2
jkl901mno234                     01-13 13:42  sender@partner.com ceo@example.com     policy    3.5

With limit:

sudo mb-quarantine-list --limit 50

Filtering

By date:

sudo mb-quarantine-list --since "2025-01-01"
sudo mb-quarantine-list --since "2025-01-13 00:00:00" --until "2025-01-13 23:59:59"
sudo mb-quarantine-list --since "7 days ago"

By sender:

sudo mb-quarantine-list --from sender@example.com
sudo mb-quarantine-list --from @spam-domain.com

By recipient:

sudo mb-quarantine-list --to user@example.com
sudo mb-quarantine-list --to @example.com

By reason:

sudo mb-quarantine-list --reason spam
sudo mb-quarantine-list --reason virus
sudo mb-quarantine-list --reason policy
sudo mb-quarantine-list --reason geoip

By spam score:

sudo mb-quarantine-list --min-score 10.0
sudo mb-quarantine-list --score-range 6.0 10.0

Combined filters:

sudo mb-quarantine-list --since "2025-01-10" --reason spam --min-score 15.0 --to admin@example.com

Search subject:

sudo mb-quarantine-search --subject "invoice"
sudo mb-quarantine-search --subject "urgent" --reason spam

Search body:

sudo mb-quarantine-search --body "click here"

Full text search:

sudo mb-quarantine-search --fulltext "wire transfer"

Viewing Quarantined Emails

View Email Details

Show email information:

sudo mb-quarantine-show abc123def456

Example output:

Quarantine Entry: abc123def456
================================

Quarantine Info:
  Quarantined: 2025-01-13 14:23:45
  Reason: spam
  Spam Score: 12.5
  Virus: None detected

Email Headers:
  From: spam@bad.com
  To: user@example.com
  Subject: Amazing offer! Click now!
  Date: 2025-01-13 14:20:12
  Message-ID: <xyz789@bad.com>

Spam Indicators:
  BAYES_SPAM: 4.5
  URIBL_BLACK: 3.0
  MISSING_SUBJECT: 1.0
  HTML_ONLY: 2.0
  SUSPICIOUS_URL: 2.0

Authentication:
  SPF: FAIL
  DKIM: NONE
  DMARC: FAIL

Attachments: None

Actions Available:
  - Release (deliver to recipient)
  - Delete (permanent removal)
  - Report (mark as spam for training)
  - Extract (save to file)

Extract Email

Extract to file for analysis:

sudo mb-quarantine-extract abc123def456 /tmp/email.eml

View with mail client:

sudo mb-quarantine-extract abc123def456 /tmp/email.eml
thunderbird /tmp/email.eml

Extract attachments:

sudo mb-quarantine-extract-attachments abc123def456 /tmp/attachments/

Example output:

Extracting attachments from abc123def456...

Extracted:
  /tmp/attachments/document.pdf (245 KB)
  /tmp/attachments/invoice.xlsx (89 KB)

Total: 2 files, 334 KB

Releasing Emails

Manual Release

Release single email:

sudo mb-quarantine-release abc123def456

Example output:

Releasing quarantined email: abc123def456

From: sender@partner.com
To: user@example.com
Subject: Quarterly Report
Quarantine Reason: policy (attachment restriction)

Delivering to user@example.com... OK
Removing from quarantine... OK

Email successfully delivered.

Release with notification:

sudo mb-quarantine-release abc123def456 --notify

Sends a notification to the recipient that the delayed email has been delivered.

Release to Different Recipient

Forward quarantined email:

sudo mb-quarantine-release abc123def456 --to admin@example.com

Release and Learn

Release false positive and train Bayesian filter:

sudo mb-quarantine-release abc123def456 --learn-ham

This:

  1. Delivers the email
  2. Trains spam filters that it's legitimate
  3. Adjusts future scoring

Bulk release from sender:

sudo mb-quarantine-list --from trusted@partner.com --format ids | xargs -n1 sudo mb-quarantine-release --learn-ham

Deleting Quarantined Emails

Manual Deletion

Delete single email:

sudo mb-quarantine-delete abc123def456

Example output:

Deleting quarantined email: abc123def456

From: spam@bad.com
To: user@example.com
Quarantine Reason: spam (score: 12.5)

Confirm deletion? [y/N]: y

Removing from quarantine... OK
Email permanently deleted.

Delete without confirmation:

sudo mb-quarantine-delete abc123def456 --force

Delete and Learn

Delete confirmed spam and train filters:

sudo mb-quarantine-delete abc123def456 --learn-spam

Bulk delete from sender:

sudo mb-quarantine-list --from @spam-domain.com --format ids | xargs -n1 sudo mb-quarantine-delete --learn-spam --force

Bulk Deletion

Delete by criteria:

# Delete all spam over 15.0 score
sudo mb-quarantine-delete-bulk --min-score 15.0 --reason spam

# Delete old quarantine
sudo mb-quarantine-delete-bulk --older-than "30 days"

# Delete from specific sender
sudo mb-quarantine-delete-bulk --from @spam-domain.com

Example output:

Bulk Quarantine Deletion
========================
Filter: spam score > 15.0

Found 234 matching messages

Confirm deletion of 234 messages? [y/N]: y

Deleting messages... [========================================] 234/234

Deleted: 234 messages
Failed: 0
Time: 12.3 seconds

Automatic Quarantine Management

Auto-Cleanup

Enable automatic cleanup:

sudo mb-config set quarantine.auto_cleanup true
sudo mb-config set quarantine.cleanup_schedule "daily 02:00"

Cleanup rules:

# Delete after 30 days
sudo mb-config set quarantine.retention_days 30

# Delete virus-infected messages after 7 days
sudo mb-config set quarantine.virus_retention_days 7

# Delete high-score spam after 14 days
sudo mb-config set quarantine.high_spam_retention_days 14
sudo mb-config set quarantine.high_spam_threshold 15.0

Manual cleanup:

sudo mb-quarantine-cleanup

Example output:

Quarantine Cleanup
==================

Scanning quarantine...
  Total messages: 5,234

Cleanup actions:
  Messages > 30 days old: 1,234 → DELETE
  Virus messages > 7 days: 45 → DELETE
  Spam score > 15.0, > 14 days: 567 → DELETE

Total to delete: 1,846

Proceed? [y/N]: y

Deleting... [========================================] 1,846/1,846

Cleanup complete.
  Deleted: 1,846 messages
  Freed: 892 MB
  Remaining: 3,388 messages (1.4 GB)
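
An independent, read-only check that cleanup is actually enforcing retention, written against the YYYY/MM/DD/<message-id>-<reason>.eml layout and the retention settings shown on this page. This is an added example, not a Mailborder tool; the function names are hypothetical, and it assumes the date directories reflect the quarantine date and that paths contain no newlines.

```sh
#!/bin/sh
# Added example, not a Mailborder tool. Read-only: it only lists files.

# Days since 1970-01-01 for a civil date (pure arithmetic, no date(1) needed).
days_from_civil() {
  y=$1; m=${2#0}; d=${3#0}
  if [ "$m" -le 2 ]; then y=$((y - 1)); fi
  era=$((y / 400)); yoe=$((y - era * 400)); mp=$(( (m + 9) % 12 ))
  doy=$(( (153 * mp + 2) / 5 + d - 1 ))
  echo $((era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468))
}

# Retention per reason, mirroring retention_days and virus_retention_days.
# The high-score spam rule needs the score, which the file name does not carry.
retention_for() {
  case "$1" in
    virus) echo 7 ;;
    *)     echo 30 ;;
  esac
}

# Usage: overdue_quarantine ROOT TODAY   (TODAY as YYYY-MM-DD)
# Prints "OVERDUE <age>d <path>" for files past retention and
# "UNEXPECTED <path>" for anything that does not fit the naming scheme.
overdue_quarantine() {
  root=${1%/}; t=$2
  tm=${t#*-}; tm=${tm%-*}
  today=$(days_from_civil "${t%%-*}" "$tm" "${t##*-}")
  find "$root" -type f | sort | while IFS= read -r path; do
    rel=${path#"$root"/}; name=${rel##*/}
    reason=${name##*-}; reason=${reason%.eml}
    ok=yes
    case "$rel" in
      [0-9][0-9][0-9][0-9]/[0-9][0-9]/[0-9][0-9]/"$name") ;;
      *) ok=no ;;
    esac
    case "$name" in ?*-?*.eml) ;; *) ok=no ;; esac
    case "$reason" in *[!a-z]*) ok=no ;; esac
    if [ "$ok" = no ]; then echo "UNEXPECTED $path"; continue; fi
    y=${rel%%/*}; rest=${rel#*/}; m=${rest%%/*}; rest=${rest#*/}; d=${rest%%/*}
    age=$((today - $(days_from_civil "$y" "$m" "$d")))
    if [ "$age" -gt "$(retention_for "$reason")" ]; then
      echo "OVERDUE ${age}d $path"
    fi
  done
}
```

Called as `overdue_quarantine /var/spool/mailborder/quarantine "$(date +%F)"`, any OVERDUE line after the scheduled cleanup window means the retention settings are not being applied.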

Auto-Release Rules

Auto-release after delay (for greylisting-style quarantine):

sudo mb-quarantine-rule add auto-release-low \
  --condition "score < 8.0" \
  --condition "age > 30 minutes" \
  --action release

Auto-release with authentication:

sudo mb-quarantine-rule add auto-release-auth \
  --condition "spf pass" \
  --condition "dkim pass" \
  --condition "score < 10.0" \
  --condition "age > 1 hour" \
  --action release

User Self-Service (Web Interface)

Enable User Quarantine Access

Configure user access:

sudo mb-config set quarantine.user_access true
sudo mb-config set quarantine.user_self_release true  # Allow users to release
sudo mb-config set quarantine.user_delete true  # Allow users to delete

Access control:

# Users can only see their own quarantine
sudo mb-config set quarantine.user_filter_own true

# Or allow users to see domain-wide quarantine
sudo mb-config set quarantine.user_filter_domain true

Web Interface Features

Users can access via: https://mailborder.example.com/quarantine

Features:

  • View quarantined emails addressed to them
  • Search and filter quarantine
  • Preview email content (sanitized)
  • Release false positives
  • Delete confirmed spam
  • Report spam/ham for training
  • Set personal whitelist/blacklist

Email Notifications

Notify users of quarantined mail:

sudo mb-config set quarantine.notify_users true
sudo mb-config set quarantine.notify_frequency daily  # or realtime, hourly
sudo mb-config set quarantine.notify_schedule "09:00"

Notification example:

Subject: Mailborder Quarantine Report - 5 messages

You have 5 emails in quarantine:

1. From: sender@example.com
   Subject: Invoice for services
   Date: 2025-01-13 14:23
   Reason: Attachment blocked (.exe)
   [Release] [Delete]

2. From: newsletter@company.com
   Subject: Weekly update
   Date: 2025-01-13 10:15
   Reason: Spam score 7.2
   [Release] [Delete]

...

View full quarantine: https://mailborder.example.com/quarantine

Disable notifications for specific users:

sudo mb-quarantine-notify disable user@example.com

Quarantine Reports

Daily Reports

Configure daily quarantine reports:

sudo mb-config set quarantine.daily_report true
sudo mb-config set quarantine.report_email admin@example.com
sudo mb-config set quarantine.report_schedule "08:00"

Manual report:

sudo mb-quarantine-report --daily

Example report:

Mailborder Quarantine Report
=============================
Date: 2025-01-13
Period: Last 24 hours

Summary:
  New quarantined: 234
  Released: 45
  Deleted: 189
  Current total: 5,234

By Reason:
  Spam (score > 6.0): 189 (80.8%)
  Virus detected: 12 (5.1%)
  Policy violations: 23 (9.8%)
  GeoIP blocks: 10 (4.3%)

Top Senders (quarantined):
  1. spam@bad.com - 45 messages
  2. phish@evil.net - 34 messages
  3. bulk@sender.com - 28 messages

Top Recipients (quarantined):
  1. admin@example.com - 67 messages
  2. sales@example.com - 34 messages
  3. info@example.com - 29 messages

Recommended Actions:
  - Blacklist spam@bad.com (45 messages)
  - Review policy for sales@example.com (34 false positives?)
  - Check spam threshold (high volume)

Statistics

View quarantine statistics:

sudo mb-quarantine-stats

Example output:

Quarantine Statistics
=====================

Last 24 hours:
  Quarantined: 234
  Released: 45 (19.2%)
  Deleted: 189 (80.8%)
  Auto-released: 12 (5.1%)

Last 7 days:
  Quarantined: 1,567
  Released: 312 (19.9%)
  Deleted: 1,145 (73.1%)
  Expired: 110 (7.0%)

Current:
  Total messages: 5,234
  Total size: 2.3 GB
  Oldest: 29 days

Average quarantine time:
  Released messages: 3.2 hours
  Deleted messages: 12.5 days

False positive rate: 19.9% (based on releases)

By reason:

sudo mb-quarantine-stats --by-reason

By user:

sudo mb-quarantine-stats --by-user

Integration with Spam Learning

Bayesian Training

Learn from quarantine actions:

# Automatic learning on release/delete
sudo mb-config set quarantine.auto_learn true

This automatically trains spam filters:

  • Released emails → learn as HAM (legitimate)
  • Deleted emails → learn as SPAM

Manual training from quarantine:

# Train on all released emails (one sa-learn run per message, so that
# messages are not concatenated on stdin and learned as a single email)
sudo mb-quarantine-list --action released --since "7 days ago" --format ids | \
  xargs -I {} sh -c 'sudo mb-quarantine-extract "$1" - | sudo sa-learn --ham' _ {}

# Train on all deleted spam
sudo mb-quarantine-list --action deleted --reason spam --since "7 days ago" --format ids | \
  xargs -I {} sh -c 'sudo mb-quarantine-extract "$1" - | sudo sa-learn --spam' _ {}

Feedback Loop

Improve spam detection based on quarantine patterns:

sudo mb-quarantine-analyze --period "30 days"

Example output:

Quarantine Analysis (Last 30 days)
===================================

False Positive Indicators:
  - Emails from @partner-domain.com (78% released)
    → Recommendation: Whitelist domain

  - Emails with "invoice" in subject (62% released)
    → Recommendation: Lower spam score for invoice keywords

  - Emails with .pdf attachments (45% released)
    → Recommendation: Review attachment policy

True Positive Patterns:
  - Emails from .ru domains (98% deleted)
    → Currently handled correctly

  - Emails with shortened URLs (95% deleted)
    → Currently handled correctly

Threshold Recommendations:
  - Current: 6.0
  - Suggested: 6.5 (reduce false positives by 15%)
  - Trade-off: 3% more spam may pass

Troubleshooting

Quarantine Not Working

Check quarantine directory:

ls -lh /var/spool/mailborder/quarantine/
sudo mb-quarantine-test

Check permissions:

sudo chown -R mailborder:mailborder /var/spool/mailborder/quarantine/
sudo chmod 750 /var/spool/mailborder/quarantine/
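
The chmod above changes only the top-level directory. The following added example (not a Mailborder tool) audits the whole tree read-only for entries with any world permission bit, wrong ownership, executable or setuid/setgid stored files, and symlinks; the function name is hypothetical and the owner defaults to the mailborder account used above.

```sh
#!/bin/sh
# Added example, not a Mailborder tool. Read-only audit of the quarantine tree.
# Usage: audit_quarantine_perms ROOT [OWNER]   (OWNER defaults to mailborder)
# Prints one finding per line; returns 1 when anything was found, else 0.
audit_quarantine_perms() {
  root=$1; owner=${2:-mailborder}
  findings=$(
    # Any "other" permission bit on a file or directory in the tree.
    find "$root" ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \) |
      sed 's/^/WORLD-ACCESS /'
    # Entries not owned by the service account.
    find "$root" ! -user "$owner" | sed 's/^/WRONG-OWNER /'
    # Stored mail should never be executable or setuid/setgid.
    find "$root" -type f \( -perm -100 -o -perm -4000 -o -perm -2000 \) |
      sed 's/^/EXECUTABLE /'
    # Symlinks do not belong in a spool of stored messages.
    find "$root" -type l | sed 's/^/SYMLINK /'
  )
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
  return 0
}
```

Run it as root (or as the service account) so that every subdirectory is readable; a non-zero exit status makes it usable from a monitoring check.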

Check configuration:

sudo mb-config get quarantine.enabled
sudo mb-config get spam.threshold.quarantine

Quarantine Full

Check storage:

df -h /var/spool/mailborder/quarantine/
sudo mb-quarantine-stats --storage

Increase limits or clean up:

sudo mb-config set quarantine.max_size_mb 20480  # 20 GB
sudo mb-quarantine-cleanup --force

Can't Release Email

Check email exists:

sudo mb-quarantine-list | grep abc123

Check for corruption:

sudo mb-quarantine-verify abc123def456

Force extraction and manual delivery:

sudo mb-quarantine-extract abc123def456 /tmp/email.eml
sudo sendmail user@example.com < /tmp/email.eml
sudo mb-quarantine-delete abc123def456

Performance Issues

Large quarantine:

sudo mb-quarantine-stats --storage
# If > 50,000 messages, consider more aggressive cleanup

Optimize quarantine database:

sudo mb-quarantine-optimize

Archive old quarantine:

sudo mb-quarantine-archive --older-than "90 days" --destination /backup/quarantine/

Best Practices

Retention Policy

  1. Spam: 14-30 days (time to identify false positives)
  2. Virus: 7 days (rarely need longer)
  3. Policy violations: 30-90 days (may need investigation)
  4. High-score spam (>15.0): 7 days (likely junk)

Review Frequency

  1. Daily: Check for obvious false positives
  2. Weekly: Review statistics and patterns
  3. Monthly: Analyze for threshold adjustments

User Communication

  1. Enable notifications - Users should know about quarantine
  2. Provide self-service - Reduce admin workload
  3. Training - Teach users to recognize spam
  4. Feedback - Encourage reporting false positives/negatives

Performance Optimization

  1. Regular cleanup - Don't let quarantine grow unbounded
  2. Reasonable retention - 30 days is usually sufficient
  3. Archive old data - Move to cold storage if needed for audit
  4. Monitor disk space - Alert before quarantine fills disk

Security

  1. Sanitize previews - Strip active content when showing to users
  2. Access control - Users see only their own quarantine
  3. Audit trail - Log all release/delete actions
  4. Encrypt storage - Consider encrypting quarantine directory
