Correct, theses emails are not from internal addresses. These two options are not available in ESET Mail Security 4.3.
I have tried adding the domains of the sender addresses of the spam mails to the blockedsenders-file. In addition I added a rule that moves all emails that do not contain an @ in the sender address to the spam folder (check for NOT(@)), because one of the emails that got through had web37p4 as sender address.
How can it be that emails do not show up in the ESET Mail Security Spam Log? Because they are in the approvedsenders-List?