Throttle M650 Quarantine Notifications

Similar Messages

• Multiple notification to AdminMailRecipients for single quarantined Active Sync Device

  We have Exchange 2010 SP3 RU 7 and we use Exchange active sync to access emails on mobile.
  We have default access configured as quarantined and a email get delivered to HelpDesk Team to review those quarantined device whenever a new device tries to configure emails.
  I have seen a problem that HelpDesk Team is getting multiple quarantine notification for a single device, while I don't think that device owner tried it more than once to activate. Please help me on this.  Below is the output of ActiveSyncOrganizationSetting
  [PS] C:\Windows\system32>Get-ActiveSyncOrganizationSettings | fl
  DefaultAccessLevel        : Quarantine
  UserMailInsert            : DO NOT SEND THIS MESSAGE TO HelpDesk.  YOU DO NOT NEED TO DO ANYTHING.  YOUR DEVICE WILL BE Reviewed then approved.
  AdminMailRecipients       : {[email protected]}
  OtaNotificationMailInsert :
  Name                      : Mobile Mailbox Settings
  OtherWellKnownObjects     : {}
  AdminDisplayName          :
  ExchangeVersion           : 0.10 (14.0.100.0)
  DistinguishedName         : CN=Mobile Mailbox Settings,CN=OrganizationName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Domain,DC=local
  Identity                  : Mobile Mailbox Settings
  ObjectCategory            : domain.local/Configuration/Schema/ms-Exch-Mobile-Mailbox-Settings
  ObjectClass               : {top, msExchMobileMailboxSettings}
  OriginatingServer         : domaincontroller.domain.local
  IsValid                   : True

  Hi Sourabh Kumar Jha,
  According to the description, I know that only one user has this issue.
  Please try to re-configure ActiveSync for the specific user.
  Also try to re-set ActiveSyncOrganizationSettings via following command:
  Set-ActiveSyncOrganizationSettings –DefaultAccessLevel Quarantine -AdminMailRecipients [email protected] –UserMailInsert “Your mobile device is temporarily blocked from synchronizing with the server while permissions
  are verified.”
  Thanks
  Mavis Huang
  TechNet Community Support

• Exchange Server 2010 SP3 RU 8v2 & ActiveSync Device Quarantined Emails

  Hi there,
  We are using Exchange Server 2010 SP3 and I recently installed RU 8v2. We always had an ActiveSync Access Policy in place where the devices are quarantined until an Administrator goes in and approves or rejects this.
  Prior to installing RU 8v2, there used to be a link in the email sent to Administrators to click on to login to the ECP and approve this device. However, since the install of this update, there is no link in the emails now. It just informs you that you need
  to login to ECP and view the quarantined devices. Has this been removed in the RU?
  Thanks

  Hi,
  According to your post, I understand that quarantine notifications e-mail will not send to administrators after install Exchange 2010 SP3 RU8v2.
  If I misunderstand your concern, please do not hesitate to let me know.
  Please login ECP to double check the Allow/Block/Quarantine list rule configuration, for your reference:
  http://blogs.technet.com/b/exchange/archive/2010/11/15/3411539.aspx
  Besides, Exchange 2010 SP3 RU 9 has released on March 17, 2015. Please upgrade to latest version.
  Additional, this issue is related to ActiveSync. Please We recommend contact Mobility and ActiveSync Team so that you can get more professional suggestion.
  Please refer to:
  https://social.technet.microsoft.com/Forums/exchange/en-US/home?forum=exchangesvrmobility
  Thanks
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Allen Wang
  TechNet Community Support

• Customise EOP Spam Notification End-User email address and email content

  Hi
  We are using EOP with our on-premise Exchange 2010 environment. 
  I am rolling out EOP and have the following two (simple) questions, regarding the Spam Notification email that is sent to end-users:
  1. Can we edit the email address that sends the Quarantine notification email? Or must the email come from [email protected]? 
  2. Can we customise the Quarantine email that is sent to the End-user (with our company logo)?
  From my experience and understanding, I believe the answer for both is NO, but my customer is adamant that editing the email address and customising the email content is possible.. Please advise.
  Thanks
  Ron

  The safelist/blocklist is tied to one email address. However, if you enable email alias consolidation done by LDAP and leveraging off of the Active Directory, then you may be able to achieve what you want.
  The safelist/blocklist comes into play with respect to anti-spam results. The email alias consolidation should occur much earlier.
  So, see if you can get email alias consolidation using LDAP/Active Directory working and it should address the safelist/blocklist thing.

• About An Email

  Dear Cisco Support Community
  I am new here and I have not made any arrangements for items from Cisco as am still learning about the service though I have created an account quite a while now.
  I have had an email sent to me in my Spam box in my yahoo account, I can't remember making a connection with Cisco via my Yahoo address but I know I have from my hotmail. If I did make this connection it may have been in my naivety to the internet at some earlier time.
  I received this email from IronPort Spam Quarantine Notification from JHSPH [email protected] telling me about some blocked mail and within the mail was a table with a linked email inside with this inside, [Outbound SPAM] zit
  Now why I ask for your help with this is because it was sent to my box, as am sure if I had a connection with Cisco in my Yahoo, it should come to my email, so am very confused and very internet security conscious, though I may not know everything I am doing security wise.
  So am asking for any directions concerning this.
  I will add two images concerning this here to.

  Hi Jeffrey,
  what I am supposing here is that a customer has set up antispam scanning for outbound messages (messages going from his domain to the Internet), and forgot to disable notification for detected spam, which is usually send to the recipient of a message. Obviously, notification only makes sense when the messages are inbound, i.e. coming to my corporate inbox, because that's what the spam quarantine is meant to be - to give people the possibility to review caught spam for any false negatives. But notification for outbound ecipient does not make sense, as like in your case, the recipient is outside the organisation and therefore has no access to the spam quarantine.
  That being said, you could either ignore those wrongly sent notifications, or contact the sender domain and tell them that they have notification for outbound spam still turned on, and that this causes a lot of confusion (you are definitely not being the only one getting those notifications, without having any connection with us or the sender).
  Hope that helps,
  Andreas

• User Safelist / blocklists and EMail aliases

  Ciao tutti,
  Here is a funny problem reported by one of my user who uses Blocklists a lot.
  Basically, the Good Mister has serveral email addresses :
  - Primary EMail : Good <dot> mister <at> email.com
  - Secondary Email : GMister <at> email.com
  All information is stored in Active Directory and I have an EMail alias consolidation query which displays all relevant email addresses of the user for Spam Quarantine notification.
  Here comes the problem :)
  When a sender in the blocklist sends an email to the secondary email address, the mail doesn't get blocked...
  Is this a normal behavior ?
  Would it be possible to have the blocklist applied to all email aliases of a user ?
  Thanks !
  Frédéric

  The safelist/blocklist is tied to one email address. However, if you enable email alias consolidation done by LDAP and leveraging off of the Active Directory, then you may be able to achieve what you want.
  The safelist/blocklist comes into play with respect to anti-spam results. The email alias consolidation should occur much earlier.
  So, see if you can get email alias consolidation using LDAP/Active Directory working and it should address the safelist/blocklist thing.

• Ironport Management appliance and smtp routes

  Hi Guys,
  I'm configuring M170 management appliance for two mail security Ironports (for centralized quarantine).
  while going through the configuration, i have found that there is SMTP route can be configured, why do i need to configure SMTP route under the management appliance?
  As i know it should be confgured on the Ironport email security appliances, but why on management? Do i need it?
  Thanks & Regards,
  Rami

  Hi,
  Thanks for your reply, just want to confirm, this is will be used even for end users Quarantine notification, correct?
  I mean that Management appliance will send quarantine notifications to end users by using this smtp route, am i right?
  Regards,
  Rami

• Quarantine message notifications

  Our company quarantines messages with specific attachments, size, etc. Is there a way to have the rule email the intended recipient immediately to let them know the message is being held in quarantine? 
  Thank you,
  Jon Marks

  You are welcome. I'm glad you got it back up.
  (1) You say you did the symbolic link. I will assume this is set correctly; it's very important that it is.
  (2) I don't know what you mean by "Been feeding the [email protected] for several weeks now, 700 emails each day at least." After the initial training period, SpamAssassin doesn't learn from mail it has already processed correctly. At this point, you only need to teach SpamAssassin when it is wrong. [email protected] should only be getting spam that is being passed as clean. Likewise, [email protected] should only be getting legitimate mail that is being flagged as junk. You are redirecting mail to both [email protected] and [email protected] ... right? SpamAssassin needs both.
  (3) Next, as I said before, you need to implement those "Frontline spam defense for Mac OS X Server." Once you have that done and issue "postfix reload" you can look at your SMTP log in Server Admin and watch as Postfix blocks one piece of junk mail after another. It's kind of cool.
  (4) Add some SARE rules:
  Visit http://www.rulesemporium.com/rules.htm and download the following rules:
  70sareadult.cf
  70saregenlsubj0.cf
  70sareheader0.cf
  70sarehtml0.cf
  70sareobfu0.cf
  70sareoem.cf
  70sarespoof.cf
  70sarestocks.cf
  70sareunsub.cf
  72sare_redirectpost
  Visit http://www.rulesemporium.com/other-rules.htm and download the following rules:
  backhair.cf
  bogus-virus-warnings.cf
  chickenpox.cf
  weeds.cf
  Copy these rules to /etc/mail/spamassassin/
  Then stop and restart mail services.
  There are other things you can do, and you'll find differing opinions about such things. In general, I think implementing the "Frontline spam defense for Mac OS X Server" and adding the SARE rules will help a lot. Good luck!

• Throttled with lies

  I'm the bad guy... at least according to Verizon's throttling policy for the remaining "unlimited" (haha!) data customers utilizing 3G.  And yes, it is throttling, "network optimization" doublespeak aside; a better term might be "bottom line optimization."  I understand the desire to not end up in the same situation that ATT/Cingular did, whom I left for Verizon because their connectivity became atrocious.  This action, however, is a step backward, disrecpectful of their most active users, and demonstrates a glaring lack of vision with regards to the ever-blossoming world of mobile data connectivity.  I'm technically knowledgeable and understand that 10 million users all maxing out their connections 24/7 is unsustainable with existing architecture, I get it, but that's not what's happening.  This action is nothing more than a means of forcing the remaining "unlimited" (again hah!) data users off of these grandfathered plans and onto the new tiered rate structure and ultimately is about $$$ and not equal opportunity bandwidth allocation.  And if bandwidth is at that much of a premium, then it's Verizon's fault for not appropriately scaling up to accomodate the incredible increase in data users driven by it's own push towards smartphones for everyone and the adoption of the iphone; not the fault of users that use more data than the average person.
  Verizon explains, as justification for this bandwidth throttling, that they are trying to protect the 95% of users who do not exceed 2gb/month by reigning in these "abusers" who use "inordinate" amounts of data because apparently Verizon's network is so weak that a mere 5% of its user base can completely ruin the experience of the other 95%.  But wait, this does not apply to 4G customers or anyone that's on the tiered billing plan.  So, if being an "abuser" and using "inordinate" amounts of data is OK as long as Verizon is making more money, then it's really not about bandwidth consumption is it, because those same heavy users are not being throttled... as long as Verizon makes more money.  My friend has a 4G phone that NEVER gets 4G connectivity because 3G is the best we have in our rural state, he also upgraded to this phone just prior to the elimination of the "unlimited" plans.  Yet he is not affected by the throttling.  We are both just over 7gb for our current billing cycle, my phone has been throttled and is now essentially unusable for the very things that it is marketed for; I can send texts, emails, view basic website but any sort of streaming is now out of the question for the remainder of my billing cycle?  Possible the next cycle as well?  Even many websites load painfully slowly because most sites are pretty graphic intensive in this day and age.  And so I am paying for a service that the service provider is now preventing me from utilizing as intended.  My friend, at the same level of data usage on an unlimited plan, is unaffected.  
  Also, with regards to "network intelligence" not being "throttling" because it only, well, throttles in areas that are "congested" that's not accurate.  I live in a low population bedroom town, a large percentage of which, I assure you, are not avid smartphone streamers and many of whom have landline broadband connections to their homes.  I would often get 900kpbs upwards to 2mbps regularly when streaming and do so without interruption or pausing to buffer in most cases.  Since my "throttling" the other day I cannot break 300kbps and anything I stream pauses every 60 seconds to buffer as I watch my bandwidth oscillate between 50kbps and, at a rare maximum, 300 kbps.  This is not a congested area.  I go to work in a more heavily-populated town, still 300 kpbs max.  I take lunch and go into the city, the largest and most populated city in our state, still 300, actually popped up to 350 in what I would consider the most congested portion of our state.  Where's the "network intelligence" Verizon?...
  7gb!  Wow, how can you possibly use that much data?!?  Is it really that hard to comprehend how someone could easily tear through that much data?  Utilizing the Netflix app alone, an app approved and available in the Market, this can be accomplished rather easily.  A rough average on an hour episode of streaming media is, ballpark, around what 300mb?  So, watching 7 one-hour episodes of a tv show streamed through Netflix would equate to around 2gb; you're now an "abuser" using "inordinate" amounts of data.  "Inordinate" apparently equating to watching two 1-hour tv shows/week streamed through your phone.  Given that the average American watches 5 hours of tv a day and spends even more time online, that usage estimate is actually conservative relative to the typical level of media consumption in the United States.
  If Verizon wants to used a tiered billing system as everyone is now, that's their perogative, however modifying plans previously labeled as "unlimited" in order to correct for a forecasting mistake made by Verizon itself is unacceptable.  Verizon, you should have allowed these plans to expire within their existing contract dates without meddling with individual users' bandwidth allocations; they would have all eventually gone away and you would have a lot fewer **bleep**-off customers.  I repeat, I have a phone that is now essentially unusable for the majority of functions that it is marketed for because of an inentional restriction against me as a customer by Verizon... yet I am expected, of course, to continue paying for the very service they are essentially blocking me from using because, while Verizon can modify the terms of any contract they see fit, I certainly cannot.  What if your cable provider, most of which utilize streaming video through digital cable boxes now, turned off your cable access for the rest of the month or only let you watch channels 1-10 because, sir, you've been watching far too much tv and it's preventing our other customers from viewing shows... mmhmm, that wouldn't upset any tv viewers now would it?
  Verizon, of course, knows that other providers do this as well and that I, of course, want to continue my media consumption, and so they have the upper hand.  I, like an increasing number of people, use my phone for everything.  I have no cable, no cable broadband, no landline phone, my phone is my connection to the world, partly because that's how I prefer it, partly because I can't afford to pay several different companies for access to the same thing.  I either fold and drop $300 on a new 4G phone and renew my contract with a tiered data plan and get financially raped and have to constantly stress about how much data I've used or I incurr a new monthly fee with, say, my cable provider to avoid having to pay out the nose to Verizon for access to the SAME content.
  Rant aside, the bottom line is this: Verizon is lying.  Let me say that again, Verizon is lying about the justification for this move.  It's not about equal oppotunity bandwidth, it's about Verizon realizing they can increase their revenue stream... otherwise, wouldn't those tiered folks be getting throttled as well if they "abuse" and use "inordinate" amounts of data?  Oh no, of course not, Verizon just bills them more.  This scenario is as ridiculous as charging $20/month for text messaging, which, by the way, is also data.
  Here's an idea Verizon.  Why not take some of piles of money you're making by fleecing customers with "abusive," "inordinate" fees and upgrade your network to accomodate the very scenario that you as a company have been promoting, if that is in fact the real issue at the core of this.  And maybe someone in your PR department will think really hard about demonizing your users in the future for using your product in the very manner it was intended and painting us as outside the law to the bulk of your client base.  This little to do with heavy data users and everything to do with $$$ and possibly the inability of Verizon to meet the service needs of a exponentially growing smartphone market that it helped to encourage.
  I have gone from highly recommending Verizon as a service provider to other folks to now being dissapointed and bitter from my experience.  All of this, of course, occurred without any notification to me or any kind of notice either on my online account management or in my electronic bill, as they also apparently stated would occurr.  More than likely this and the new tiered billing will lead to me seeking another form of connectivity and dropping my Verizon plan options to the absolute minimum across the board or switching phone providers simply because of how insultingly this has been framed, and I suspect I'm not alone... which results in less $$$ to Verizon.  Good job, guys.

  Spot on _ BULLS EYE!!  You aren't alone. I want to validate your rant.  Verizon went out of their way to sell me the same $59.99 unlimited broadband 4 yrs ago and have now been hassling me and twisting my arm with every aggravating phone call I make to complain.  I have had the throttling removed three times.  This time they said we can't remove it but change your plan and you'll be at full speed immediately.  I am sick and tired of the lying.  They all can't even tell the same story.  Just last week I was told by more than one employee that my device must be bad because they don't throttle. 
  Occupy Verizon would be good - How do you get these ****** to PAY - Are their any Attorneys out there - I know they originally sold THOUSANDS of those plans.  I'm ******!!!!!!
  A Corporation that tells lies and different stories from its employees has to be held Accountable - Financially
  Give me back my $59.99 per month times 48 months and its still not enough for the hell they have put me through.  My computer has been slowed to the point my mail center timed out and was unable to download important PDF Contracts.  HELLO!!! Verizon - Thats money out of MY Bottom line. Get it?   THX

• Forefront for Exchange 2010 - no mails in quarantine or incidents list

  I have a client with Forefront 2010 installed on their exchange 2010 server. I see 45 messages that have been blocked as spam in the dashboard - 43 connection, 1 smtp and 1 content.
  The client wants to know which messages are being blocked and which aren't, however when I open up the incidents and quarantine pages there is nothing there.
  They have the antispam configuration set to stamp headers and continue for SCL5 to 9 and it seems to me that things should be in the quarantine.
  I have all the logging options turned on and I've followed the other technet threads about this issue but none of those solutions seem to work on this machine.
  If anyone has any ideas I would really appreciate it!

  Hi,
  Firstly, please make sure if you have enabled the anti-spam filtering engine of FPE. If yes, please refer to the blog below:
  Exchange Content Filter settings are ignored
  Besides, please make sure you have installed all the released hotfix rollups for FPE. Please also make sure that you have enabled "Enable content filtering incident logging" in Advanced Options of Global settings.
  You can deliver quarantined items to specified recipients and set emial notification.
  In addition, only an Administrator can access/manage the quarantine of FPE.
  Please also ensure that you haven't configured FPE to automatically purge quarantined in a short time.
  FPE content filter uses the Cloudmark™ Antispam engine to analyze each e-mail message and stamp it with a SCL.
  When the setting 5 – 9 is selected, all messages with a rating of 5 or higher are treated as suspected spam. 
  Messages with an SCL rating of -1 and 0 will be treated as non-spam. You have the option to Quarantine or Stamp header and continue processing mail with an SCL rating in the 5 – 9 range.
  If the issue persists, you can adjust the SCL setting to a lower value to see if the issue persists.
  The links below would be helpful to you:
  Configuring content filtering
  Configuring e-mail notifications
  How to Manage Quarantined Files in Forefront Protection 2010 for Exchange Server
  (FPE)
  Best regards,
  Susie

• Authentication on external quarantine for group members

  Hi there,
  we're using LDAP as end-user authentication method to our external quarantine box (M670, 7.2.1-036).
  How does the authentication works, if a message to a distribution list ("[email protected]") is identified as positive spam ? I think there is no password for "dl", since this is a Active Directory mail-enabled group. How can a group member release/delete these quarantined messages, when "New Message Table" is not used in spam notifications?
  Thomas

  Hi,
  a message sent to a distribution list flagged as Spam needs to be released/deleted by each single recipient.  If the list of new Spam messages is not listed in the Spam digest, then the user needs to login to the ISQ using the LDAP authentication credentials to access the ISQ directly. 
  Best regards,
  Enrico

• Duplicate notifications for encrypted messages

  Hi all,
  We're using our C150 to quarantine emails that arrive with some form of encryption (e.g. a password-protected .zip).  When a matching email first arrives, it's correctly quarantined and sends an "Encrypted message detected" notification to the relevant recipient, as expected.  However, after releasing the email to the recipient, another "Encrypted message detected" notification is sent related to the same email, even though the recipient receives the released version too.  It's causing some people a bit of confusion to get this second notification at the same time they get the email it's complaining about.
  We have the following setup under Mail Policies:Anti-Virus -> Anti-Virus Settings -> Encrypted Messages:
  Action applied to message = Quarantine
  Archive original message = No
  Modify message subject = Prepend the text "[WARNING :  MESSAGE ENCRYPTED]"  (Interestingly, the first notification generated doesn't include this prepended text as part of the subject, but the second one does; not sure if this is a clue to what's happening)
  Under Advanced:
  Add custom header to message = No
  Container notification = System Generated
  Other Notification = Recipient + Others (admins)
  Modify message recipient = No
  Send message to alternate destination host = No
  If anyone can shed some light on why this is happening or if you've seen it before, please let me know.
  Kind regards,
  Dan

  Hi Steven,
  Thanks for the tip.  I've traced the logs as suggested, and they really only seem to confirm the symptoms.  There's the initial message getting quarantined based on the encrypted content, followed by two notifications sent out (one to the affected user, and one to an admin email address.)  Then, after release, there are two more notification messages generated based on the original message, and delivery of the released message.  They all seem to relate back to the original message; in brief:
  Initial arrival:
  Fri Mar 26 10:55:59 2010 Info: MID 3222427 matched all recipients for per-recipient policy DEFAULT in the inbound table
  Fri Mar 26 10:55:59 2010 Info: MID 3222427 interim verdict using engine: CASE spam negative
  Fri Mar 26 10:55:59 2010 Info: MID 3222427 using engine: CASE spam negative
  Fri Mar 26 10:55:59 2010 Info: MID 3222427 interim AV verdict using McAfee ENCRYPTED
  Fri Mar 26 10:55:59 2010 Info: MID 3222427 interim AV verdict using Sophos ENCRYPTED
  Fri Mar 26 10:55:59 2010 Info: MID 3222427 antivirus encrypted
  Fri Mar 26 10:55:59 2010 Info: MID 3222428 was generated based on MID 3222427 by antivirus ## Notification to user
  Fri Mar 26 10:55:59 2010 Info: MID 3222429 was generated based on MID 3222427 by antivirus ## Notification to admin
  Fri Mar 26 10:55:59 2010 Info: MID 3222427 quarantined to "Virus" (a/v verdict:ENCRYPTED)
  After release:
  Fri Mar 26 11:00:26 2010 Info: MID 3222471 was generated based on MID 3222427 by antivirus ## Duplicate notification to user
  Fri Mar 26 11:00:26 2010 Info: MID 3222472 was generated based on MID 3222427 by antivirus ## Duplicate notification to admin
  Fri Mar 26 11:00:29 2010 Info: Message finished MID 3222471 done
  Fri Mar 26 11:00:30 2010 Info: Message finished MID 3222427 done ## Original mail that is being released
  Fri Mar 26 11:00:30 2010 Info: Message finished MID 3222472 done
  Nothing I've omitted to save space seems to indicate anything other than regular delivery behaviour.
  cheers,
  -dan

• Proxy user getting to the SPAM Quarantine

  I have finally setup the spam quarantine after a year of use. My problem is I have several resources that get email and a several users that monitor those resources. How do I allow them to see the quarantined email of another account?
  Thanks

  If you are sending out spam notifications this is already working. The original recipient(s) will simply get a notification which contains a link to the spam quarantine. This link contains an authentication token so that they do not need to enter a username or password to view the mail in the quarantine.

• ActiveSync quarantine message to distribution list of approvers suddenly stopped

  Hi,
  We're running Exchange 2010 SP3 RU8v2.  Our ActiveSync config requires approval so all new devices are quarantined.  Using the ECP, we have a specific group defined to receive notifications which has not changed since it was first set.  About
  a week ago it stopped.  I did some testing with my mailbox by clearing my EAS devices to force it into quarantine.  Prior to that I also added myself to the DL that gets the alerts.  What I found is that the message that is typically sent ends
  up in my Drafts folder.  It is showing as from "Microsoft Outlook" to the DL in question.  If I attempt to send that message it fails:
  Subject: Undeliverable: A device that belongs to [email protected] has been quarantined. Exchange ActiveSync will be blocked until you take action.
  Delivery has failed to these recipients or groups:
  [Approver DL]
  You can't send a message on behalf of this user unless you have permission to do so. Please make sure you're sending on behalf of the correct sender, or request the necessary permission. If the problem continues, please contact your helpdesk.
  I found some online pages that talk about the object MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e, which has the Exchange servers group on the ACL and all hubs are a member of this group.  There are no denies.
  The only real change to the environment was that last week a new combination hub/CAS was added, which is on the DL above.  However, after several tests, looking at the full header of the NDR messages, all of the hubs have been used at least once, so
  I don't think it is related to one specific hub.
  What else should I be checking?
  Thanks in advance.
  JC

  Power that new HUB/CAS server down and retest.
  Cheers,
  Rhoderick
  Microsoft Senior Exchange PFE
  Blog:
  http://blogs.technet.com/rmilne 
  Twitter:   LinkedIn:
    Facebook:
    XING:
  Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

• End user spam notifications

  We have stand-alone EOP with on-prem Exchange. We have not created any user accounts in Office 365 yet (we are getting around to it later). Will end users receive spam notifications when a message goes to the quarantine if they do not have a user account
  in Office 365 yet?

  We had this happen for several of our customers as well. Ended up speaking with a Microsoft technician who wasn't able to provide me with a way to roll back the changes, but I was able to use the following steps to get content filter settings back to how
  they were:
  - Navigate to Exchange Admin Center > Compliance Management > Auditing
  - Click "Run the admin audit log report"
  - Run the audit dating back to when EOP was initially configured
  - Find the entry matching the cmdlet of "Set-HostedContentFilterPolicy"
  - Select and note the parameters for this entry
  - Now, navigate to Protection > Content Filter and manually reconfigure the settings matching the parameters of the audit.
  Unfortunately, I was unable to find a way to easily roll-back these settings or use the parameters in PowerShell. It's possible, but the commands would have to be retyped for each item and it would take more time than simply reconfiguring the settings.