Policies that act on email attachments catch Exchange Journaling messages

Article ID: 155369


Products

Mail Security for Microsoft Exchange

Issue/Introduction

SMSMSE reports policy violations for rules that act on attachment names, but the original message contains no attachment that matches the criteria. The recipient receives the message intact, which would not be expected if SMSMSE had quarantined the message (or part of it).

Conditions

  • The part of the message on which the policy acted is the attachment.

In the Windows Application Event log a message similar to this is present:

Source:        Symantec Mail Security for Microsoft Exchange
Date:          10/26/2011 12:37:29 PM
Event ID:      291
Task Category: Content Enforcement Rules
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      SYMANTEC-01
Description:
The message "Your recent RueLaLa.com Order - #99999999" located in SMTP has violated the following policy settings:
    Scan: Auto-Protect
    Rule: Quarantine Triggered Attachment Names
The following actions were taken on it:
    The attachment "Your recent RueLaLa.com Order - #99999999" was Quarantined for the following reason(s):
        A Filtering Rule was violated.

 

Notice that the text says "The attachment".

In the SMSMSE administration console, the Attachment Name field in the Quarantine contains a value. The following screenshot shows an example:

 

The quarantined messages are seen in the SMSMSE console located in Monitors -> Quarantine.

  • The rule that acted on the message acts on the attachment name.

If the rule is a content filtering rule, use the following steps to view it in the SMSMSE console:

1. Click on the Policies tab.
2. Click on Views|Content Enforcement|Content Filtering Rules.
3. The rules are listed in the main window. If the rule is enabled and the Message Part column is Attachment Name, then this condition is met.

If the rule is the File Name Rule, use the following steps to view it in the SMSMSE console:

1. Click on the Policies tab.
2. Click on Views|Content Enforcement|File Filtering Rules.
3. The rules are listed in the main window.  If the rule File Name Rule is enabled then this con

  • The match list for the rule contains an item that matches the Subject of the original message.

For example, if the match list for the rule contains *.com and the Subject line of the original message is "This is your Amazon.com order", then this condition is met.

  • Exchange is configured for journaling and set to deliver copies of messages to a Journal Mailbox within Exchange.

See the following article for more information: Overview of journaling in Exchange 2007.

 

Cause

 When a Journal Report is sent to the Journaling Mailbox, the report is sent with an attachment containing the original email message. The name of the attachment is set to the subject line of the original message. SMSMSE is acting on the Journal Reports and quarantining the attachment of the Journal Report.
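The pattern described in the Cause can be checked directly in the event log: on a Journal Report hit, the quarantined "attachment" name is identical to the message subject. The following PowerShell is an added example, not part of the original article or of SMSMSE. The function names are hypothetical, and the provider name is assumed to match the Source field of the event shown above.

```powershell
# Added example: flag Event ID 291 entries where the quarantined "attachment"
# has the same name as the message subject (the Journal Report pattern).
function Test-JournalReportHit {
    param([Parameter(Mandatory)][string]$Description)

    $m = [regex]::Match($Description, 'The message "(?<s>.*)" located in')
    $a = [regex]::Match($Description, 'The attachment "(?<a>.*)" was Quarantined')
    $r = [regex]::Match($Description, 'Rule:\s*(?<r>.+)')
    if (-not ($m.Success -and $a.Success)) { return }   # not an attachment action

    [pscustomobject]@{
        Rule           = $r.Groups['r'].Value.Trim()
        Subject        = $m.Groups['s'].Value
        AttachmentName = $a.Groups['a'].Value
        # Same string in both fields points at a Journal Report, not a real file.
        LikelyJournal  = $m.Groups['s'].Value -ceq $a.Groups['a'].Value
    }
}

# Hypothetical wrapper for live use on the Exchange server. ProviderName is
# assumed to equal the Source field shown in the event above.
function Get-JournalReportHit {
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Symantec Mail Security for Microsoft Exchange'
        Id           = 291
    } | ForEach-Object { Test-JournalReportHit -Description $_.Message } |
        Where-Object LikelyJournal
}

# Constructed sample: the event description quoted in this article.
$sample = @'
The message "Your recent RueLaLa.com Order - #99999999" located in SMTP has violated the following policy settings:
    Scan: Auto-Protect
    Rule: Quarantine Triggered Attachment Names
The following actions were taken on it:
    The attachment "Your recent RueLaLa.com Order - #99999999" was Quarantined for the following reason(s):
        A Filtering Rule was violated.
'@

Test-JournalReportHit -Description $sample | Format-List
```

A message that really carries an attachment named after its subject would also be flagged, so treat LikelyJournal as a triage hint and confirm against the journaling configuration.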

Resolution

Upgrade to SMSMSE 6.5.7 or later.  Then use the following steps:

1. Configure SMSMSE not to scan Journal messages with content filtering rules.

a. Start regedit.
b. Create the following DWORD registry key and set the value to 1.

64-bit OS: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\SMSMSE\<version>\Server\BypassCFForJournalMsg
32-bit OS: HKEY_LOCAL_MACHINE\SOFTWARE\Symantec\SMSMSE\<version>\Server\BypassCFForJournalMsg

where <version> is the version of SMSMSE installed. The following is an example for SMSMSE 6.5 on a 64-bit OS:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Symantec\SMSMSE\6.5\Server\BypassCFForJournalMsg

c. Close regedit.
d. Restart the Windows service Symantec Mail Security for Microsoft Exchange.

2. Configure SMSMSE content filtering rule for attachment names (if not already done).

NOTE: This step is only necessary if the policy that acted on the Journal messages is the File Filtering Rule.

a. Open the SMSMSE console.
b. Click the Policies tab.
c. Click on Views|Content Enforcement|Content Filtering Rules.
d. Click Tasks|New rule....
e. Enter a descriptive name for the rule in the Name textbox. For example: Block e-mails by attachment name.
f. Under Apply rule to, select Inbound messages, Outbound messages, and Internal messages (store).
g. In the Message Part to Scan drop-down, select Attachment Name.
h. In the Match Type drop-down, select Wild Cards.
i. In the Content drop-down, select Contains.
j. Click the Add match list... button and select the match list desired.  Typically this is the same matchlist that the File Filtering Rule is currently using.
k. Fill in the remaining rule options and then click the OK button to close the new rule.
l. Click the Deploy Changes button.

3. Disable the file filtering rule (if enabled).

a. Open the SMSMSE console.
b. Click the Policies tab.
c. Click on Views|Content Enforcement|File Filtering Rules.
d. Click on the Status of the File Name Rule and select Disabled.
e. Click the Deploy Changes button.
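Step 1 of the Resolution (the registry value and service restart) can be scripted instead of using regedit. The following PowerShell is an added example, not part of the original article. The function name is hypothetical, the version string must be supplied by the administrator, and the script assumes an elevated session on the Exchange server with the Server key already present.

```powershell
# Added example: create BypassCFForJournalMsg = 1 under the path given in
# the article, restart the SMSMSE service, and return the value read back.
function Set-SmsmseJournalBypass {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Installed SMSMSE version as it appears in the registry path, e.g. '6.5'.
        [Parameter(Mandatory)][string]$Version
    )

    # 64-bit OS: Wow6432Node branch; 32-bit OS: native branch (per the article).
    $root = if ([Environment]::Is64BitOperatingSystem) {
        'HKLM:\SOFTWARE\Wow6432Node'
    } else {
        'HKLM:\SOFTWARE'
    }
    $key  = "$root\Symantec\SMSMSE\$Version\Server"
    $name = 'BypassCFForJournalMsg'

    # Refuse to create a stray key if the version string is wrong.
    if (-not (Test-Path -Path $key)) {
        throw "Registry key not found: $key (check the installed SMSMSE version)"
    }

    if ($PSCmdlet.ShouldProcess($key, "Set $name = 1 and restart service")) {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force |
            Out-Null
        # Display name as given in step 1d of the article.
        Restart-Service -DisplayName 'Symantec Mail Security for Microsoft Exchange'
    }

    # Read the value back so the change can be confirmed (empty if not set).
    (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
}

# Preview only; remove -WhatIf to apply. '6.5' is the article's example version.
Set-SmsmseJournalBypass -Version '6.5' -WhatIf
```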

Workaround

For versions of SMSMSE prior to 6.5.7, use one of the following workarounds:

  • Disable the content filtering rule.
  • Remove the term causing the content filtering rule to trigger.

        1. Examine the Windows Application Event log entry Event ID 291 referring to the message in question and note the "Violating Terms(s)" value.
        2. Open the SMSMSE console.
        3. Navigate to Policies -> Content Filtering Rules.
        4. Edit the rule in question and remove the value noted in step 1.
        5. Click OK, then click Deploy Changes.