Different SPAM verdict for the same email sent to different domains


Article ID: 385835


Products

Messaging Gateway

Issue/Introduction

The same spam email from the same source address is treated differently by SMG: it was detected as spam and deleted for all recipients except those that belong to different local domains.

Environment

SMG 10.8, 10.9

Cause

Recipient domain can influence the total SPAM score. This is because the Spamhunter module—which includes URL scanning, heuristics, regular expression header and body hash testing filters—takes multiple factors into account when determining the score for a message. It is entirely possible for a message sent to one domain to have a higher SPAM score than the same message sent to another domain, depending on various criteria such as recipient domain reputation and email content relevance.

Resolution

In the case of the specific email in question, while it appears to be SPAM, the SMG did not categorize it as such. This outcome suggests that the calculated spam score for these messages was below the configured threshold, which may have been influenced by certain characteristics such as the recipient domain.

To address this issue effectively, submit the messages to Broadcom as missed spam for analysis and potential filter adjustments.

Submit false negatives (missed spam) or false positives (legitimate email) to Symantec Security Response

Additional Information

  • Symantec does not disclose which specific spam rule(s) triggered on an email. This is a deliberate decision to protect the integrity of our spam detection technology and prevent bad actors from reverse engineering the filtering mechanisms to circumvent detection. 
  • For missed spam messages, the original email must be submitted as a "message/rfc5322" email attachment within 24 hours of receipt.
  • For customers who enable customer-specific spam rules and configure message submission permissions, the status of spam submissions can be tracked under the Status > Submission > Submission Detail page in the SMG interface.