How to Configure Notification Emails to Contain Information About Which Match Term Caused an Email Quarantine

Article:HOWTO46669  |  Created: 2011-03-23  |  Updated: 2013-12-19  |  Article URL http://www.symantec.com/docs/HOWTO46669
Article Type
How To



  • Applies to build 6.5.5.255 and higher.


SMSMSE can send notification emails when an email or attachment is Quarantined.

 Here is an example:

Location of the message:  Administrator/Deleted Items 
Sender of the message: Administrator@exchange2003.internal 
Subject of the message:  test 
The message was Quarantined 
This was done due to the following Symantec Mail Security settings:     

  Scan: Auto-Protect     
  Rule: Example Rule   

Server Name: exchange2k3.exchange2003.internal 
  


The notification email does not indicate which term caused the email to be Quarantined. If the rule's match list contains many items, the cause may not be obvious.
 
SMSMSE 6.5.5 and later adds a new variable that outputs which match term caused the email or attachment to be Quarantined, like this:

Violating term(s): 
        
<term that matched>

 

This makes it easier to identify why an email was Quarantined. As an example, if the notification text for the rule is this:

%location%%n%Sender of the message: %sender%%n%Subject of the message:  %subject%%n%%n%The message was %action%%n%%n%This was done due to the following Symantec Mail Security settings:%n% Scan: %scan%%n% Rule: %rule% %n% Violating term(s): %violatingterm%


The notification text in the email is this:


Location of the message:  Administrator/Deleted Items 
Sender of the message: Administrator@exchange2003.internal 
Subject of the message:  test 
The message was Quarantined 
This was done due to the following Symantec Mail Security settings:     

  Scan: Auto-Protect     
  Rule: Example Rule   
  Violating term(s): 
         test     

Server Name: exchange2k3.exchange2003.internal 
  
 

Steps

New installations of SMSMSE 6.5.5 and higher include the %violatingterm% variable in the notification text by default.

Note: If you perform an in-place upgrade and choose to save previous settings, existing content filtering notification settings do not contain the %violatingterm% variable.


To modify or view the existing notification settings:

   1. Open the SMSMSE Administration Console.
   2. Select Policies.
   3. Select Content Filtering Rules.
   4. Right-click the rule you would like to modify/view and select Edit Rule....
   5. Select the Notifications tab.
   6. Expand the notifications settings for the notification you would like to modify/view (administrators, internal senders or external senders) by clicking the up arrow next to the appropriate entry.
   7. View or change the settings as desired.
      

Reference

SMSMSE also reports the term that triggered a content filtering rule in the Application Event log. Here is an example:

Event ID: 291 
Source: Symantec Mail Security for Microsoft Exchange 
Category: Content Enforcement Rules 
Details: The message "<message subject>" located in Administrator/Sent Items has violated the following policy settings:   
Scan: <scan type>  
Rule: <rule name>  

Violating term(s): 
         test   


The following actions were taken on it:
     The body of message "<message subject>" was <action> for the following reason(s):
                                    A Filtering Rule was violated. 
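
The event text above can be parsed to report which rule and term caused each quarantine. The following PowerShell (3.0 or later) is an added example, not Symantec code: the function name ConvertFrom-SmsmseEventText and the sample subject are hypothetical, and it assumes the event message follows the layout shown above.

```powershell
# Parse the text of an SMSMSE content filtering event (Event ID 291) into
# an object with Subject, Location, Scan, Rule and ViolatingTerms.
function ConvertFrom-SmsmseEventText {
    param([Parameter(Mandatory = $true)][string]$Text)
    $subject = $location = $scan = $rule = $null
    $terms = New-Object 'System.Collections.Generic.List[string]'
    $inTerms = $false
    foreach ($line in ($Text -split "`r?`n")) {
        $t = $line.Trim()
        if ($inTerms) {
            # Term list: skip leading blanks, stop at the next blank or section.
            if ($t -eq '' -and $terms.Count -eq 0) { continue }
            if ($t -eq '' -or $t -like 'The following actions*') { $inTerms = $false; continue }
            $terms.Add($t); continue
        }
        if ($t -match 'The message "(.*)" located in (.+?) has violated') {
            $subject = $Matches[1]; $location = $Matches[2]
        }
        elseif ($t -match '^Scan:\s*(.+)$') { $scan = $Matches[1].Trim() }
        elseif ($t -match '^Rule:\s*(.+)$') { $rule = $Matches[1].Trim() }
        elseif ($t -match '^Violating term\(s\):\s*(.*)$') {
            $inTerms = $true   # terms may follow on this line or the next ones
            if ($Matches[1]) { $terms.Add($Matches[1].Trim()) }
        }
    }
    [pscustomobject]@{ Subject = $subject; Location = $location; Scan = $scan
                       Rule = $rule; ViolatingTerms = $terms.ToArray() }
}

# Constructed sample, modelled on the event text shown in this article.
$sample = @'
The message "Quarterly numbers" located in Administrator/Sent Items has violated the following policy settings:
Scan: Auto-Protect
Rule: Example Rule

Violating term(s):
         test

The following actions were taken on it:
     The body of message "Quarterly numbers" was Quarantined for the following reason(s):
                                    A Filtering Rule was violated.
'@
ConvertFrom-SmsmseEventText -Text $sample | Format-List

# Live use (assumption: the event's Message property carries this text):
# Get-EventLog -LogName Application -Source 'Symantec Mail Security for Microsoft Exchange' |
#   Where-Object { $_.EventID -eq 291 } |
#   ForEach-Object { ConvertFrom-SmsmseEventText -Text $_.Message }
```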

 




