SMSMSE reports policy violations for rules that act on attachment names, but the original message contains no attachment that matches the criteria. The recipient receives the message intact, which would not be expected if SMSMSE had quarantined the message (or part of it).
Conditions
In the Windows Application Event log a message similar to this is present:
Source: Symantec Mail Security for Microsoft Exchange
Date: 10/26/2011 12:37:29 PM
Event ID: 291
Task Category: Content Enforcement Rules
Level: Warning
Keywords: Classic
User: N/A
Computer: SYMANTEC-01
Description:
The message "Your recent RueLaLa.com Order - #99999999" located in SMTP has violated the following policy settings:
Scan: Auto-Protect
Rule: Quarantine Triggered Attachment Names
The following actions were taken on it:
The attachment "Your recent RueLaLa.com Order - #99999999" was Quarantined for the following reason(s):
A Filtering Rule was violated.
Notice that the text says "The attachment".
In the Quarantine view of the SMSMSE administration console, the Attachment Name field contains a value. The following screenshot shows an example:
The quarantined messages are seen in the SMSMSE console located in Monitors -> Quarantine.
If the rule is a content filtering rule, use the following steps to view it in the SMSMSE console:
1. Click on the Policies tab.
2. Click on Views|Content Enforcement|Content Filtering Rules.
3. The rules are listed in the main window. If the rule is enabled and the Message Part column is Attachment Name then this condition is met.
If the rule is the File Name Rule, use the following steps to view it in the SMSMSE console:
1. Click on the Policies tab.
2. Click on Views|Content Enforcement|File Filtering Rules.
3. The rules are listed in the main window. If the rule File Name Rule is enabled then this con
For example, if the matchlist for the rule contains *.com and the Subject line of the original message is "This is your Amazon.com order", then this condition is met.
See the following article for more information: Overview of journaling in Exchange 2007.
When a Journal Report is sent to the Journaling Mailbox, the report is sent with an attachment containing the original email message. The name of the attachment is set to the subject line of the original message. SMSMSE is acting on the Journal Reports and quarantining the attachment of the Journal Report.
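As an added example (not Symantec's code), the following Python script triages exported Event ID 291 descriptions and flags those where the quarantined attachment name equals the message subject, which is the pattern a Journal Report produces as described above. The function names, the equality heuristic and the second sample event are assumptions constructed for illustration.

```python
import re

# Patterns follow the wording of the Event ID 291 description quoted above.
MESSAGE_RE = re.compile(r'The message "(.*)" located in \S+ has violated')
ATTACH_RE = re.compile(r'The attachment "(.*)" was Quarantined')
RULE_RE = re.compile(r'^Rule:[ \t]*(.+?)[ \t]*$', re.MULTILINE)

# Description text of the event shown above.
PAGE_EVENT = '''The message "Your recent RueLaLa.com Order - #99999999" located in SMTP has violated the following policy settings:
Scan: Auto-Protect
Rule: Quarantine Triggered Attachment Names
The following actions were taken on it:
The attachment "Your recent RueLaLa.com Order - #99999999" was Quarantined for the following reason(s):
A Filtering Rule was violated.'''

# Constructed sample: an attachment whose name differs from the subject.
CONSTRUCTED_EVENT = '''The message "Quarterly tools" located in SMTP has violated the following policy settings:
Rule: Quarantine Triggered Attachment Names
The attachment "setup.com" was Quarantined for the following reason(s):'''


def parse_event_291(description):
    """Return subject, rule and quarantined attachment names, or None if no match."""
    msg = MESSAGE_RE.search(description)
    if not msg:
        return None
    rule = RULE_RE.search(description)
    return {
        "subject": msg.group(1),
        "rule": rule.group(1) if rule else None,
        "attachments": ATTACH_RE.findall(description),
    }


def looks_like_journal_report(event):
    """Heuristic (assumption): an attachment is named exactly like the subject."""
    subject = event["subject"].strip().casefold()
    return any(a.strip().casefold() == subject for a in event["attachments"])


def triage(descriptions):
    """Split descriptions into likely Journal Report hits and all other hits."""
    journal, other = [], []
    for text in descriptions:
        event = parse_event_291(text)
        if event is not None:
            (journal if looks_like_journal_report(event) else other).append(event)
    return journal, other
```

Events in the second list still need normal review, since there the quarantined attachment name differs from the subject.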
Upgrade to SMSMSE 6.5.7 or later. Then use the following steps:
1. Configure SMSMSE not to scan Journal messages with content filtering rules.
a. Start regedit.
b. Create the following DWORD registry key and set the value to 1.
64-bit OS: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\SMSMSE\<version>\Server\BypassCFForJournalMsg
32-bit OS: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SMSMSE\<version>\Server\BypassCFForJournalMsg
where <version> is the version of SMSMSE installed. The following is an example for SMSMSE 6.5 on a 64-bit OS:
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\SMSMSE\6.5\Server\BypassCFForJournalMsg
c. Close regedit.
d. Restart the Windows service Symantec Mail Security for Microsoft Exchange.
2. Configure SMSMSE content filtering rule for attachment names (if not already done).
NOTE: This step is only necessary if the policy that acted on the Journal messages is the File Filtering Rule.
a. Open the SMSMSE console.
b. Click the Policies tab.
c. Click on Views|Content Enforcement|Content Filtering Rules.
d. Click Tasks|New rule....
e. Enter a descriptive name for the rule in the Name textbox. For example: Block e-mails by attachment name.
f. Under Apply rule to, select Inbound messages, Outbound messages, Internal messages (store).
g. In the Message Part to Scan drop-down select Attachment Name.
h. In the Match Type dropdown select Wild Cards.
i. In the Content drop down select Contains.
j. Click the Add match list... button and select the match list desired. Typically this is the same matchlist that the File Filtering Rule is currently using.
k. Fill in the remaining rule options and then click the OK button to close the new rule.
l. Click the Deploy Changes button.
3. Disable the file filtering rule (if enabled).
a. Open the SMSMSE console.
b. Click the Policies tab.
c. Click on Views|Content Enforcement|File Filtering Rules.
d. Click on the Status of the File Name Rule and select Disabled.
e. Click the Deploy Changes button.
Workaround
For versions of SMSMSE prior to 6.5.7 use one of the following workarounds: