Spam unknown sandbox/hold
This stemmed from a particular spam message we received. The spam was not caught by the filter(s) and was sent off to "Cyren" for analysis. From the time that initial email was sent to Cyren until it was confirmed as spam, 4 minutes had passed. In those 4 minutes, we received multiple emails from that same sender, with the same subject, etc., which passed through the filters just as the first had done. Once Cyren responded that the email was confirmed as spam, the UTM began blocking any future messages from that sender (as it should). The problem is that there were 4 minutes in which the emails from that sender were just passing right through, and they could easily have contained phishing attempts, viruses, etc. that would potentially have been sent on to users. Some of the addresses that received this spam email are actually distribution groups, so MANY people got it in one single emailing.
I propose that when any email is suspected as spam and submitted to Cyren for confirmation or denial, all emails from that same sender (with that same subject or whatever) be placed on hold or sandboxed until Cyren gives its answer, and then either released or fully rejected, so the end users are not subjected to possible threats during the interim.
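The behaviour described in this post and the proposed fix, as an added example that is not code from the original post or from any vendor: a small model of a gateway that submits unknown messages to an external classifier and either passes further messages through while the verdict is pending (what happened here) or parks them until the verdict arrives (the proposal). The class and function names, the sender/subject key, and the message counts are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Message:
    sender: str
    subject: str
    recipients: int  # final recipient count after distribution-group expansion

@dataclass
class Gateway:
    hold_while_pending: bool                     # False: behaviour described; True: proposal
    pending: dict = field(default_factory=dict)  # key -> messages parked until a verdict
    known_spam: set = field(default_factory=set)
    delivered: list = field(default_factory=list)
    rejected: list = field(default_factory=list)
    @staticmethod
    def key(msg):
        return (msg.sender, msg.subject)  # hold on sender+subject; sender-only is stricter

    def receive(self, msg):
        k = self.key(msg)
        if k in self.known_spam:           # verdict already known: block outright
            self.rejected.append(msg)
            return "rejected"
        if k not in self.pending:          # first sighting: submit for analysis
            self.pending[k] = []
        if self.hold_while_pending:
            self.pending[k].append(msg)    # park it until the verdict arrives
            return "held"
        self.delivered.append(msg)         # current behaviour: passes through meanwhile
        return "delivered"

    def verdict(self, msg, is_spam):
        held = self.pending.pop(self.key(msg), [])
        if is_spam:
            self.known_spam.add(self.key(msg))
            self.rejected.extend(held)
        else:
            self.delivered.extend(held)
        return len(held)                   # how many messages the hold protected

def simulate(hold_while_pending, is_spam=True):
    # Replay the incident (constructed numbers): five identical messages arrive before
    # the verdict, each addressed to a 25-member distribution group.
    gw = Gateway(hold_while_pending)
    burst = [Message("bulk@example.invalid", "Urgent invoice", 25) for _ in range(5)]
    for m in burst:
        gw.receive(m)
    gw.verdict(burst[0], is_spam)
    return sum(m.recipients for m in gw.delivered), sum(m.recipients for m in gw.rejected)
```

`simulate(False)` reproduces the gap (every copy reaches every group member before the verdict), while `simulate(True)` delivers nothing until the classifier answers and then releases or rejects the whole burst at once.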