Email Received by Recipient With Text Replaced by Symantec Mail Security for Exchange (SMSMSE) Always Contains "Unknown Violation" for Substitution String %violatingterm%

Article:TECH167155  |  Created: 2011-08-15  |  Updated: 2013-10-27  |  Article URL http://www.symantec.com/docs/TECH167155
Article Type
Technical Solution


Issue



SMSMSE has a content filtering rule configured to use the substitution term %violatingterm%. The content filtering rule matches an email and replaces the text of the email. The recipient of the email sees an email with the words Unknown Violation instead of the expected information on which term was violated (see the following article about substitution terms: About alert and notification variables).

For example, if the replacement text is configured with this:

Symantec Mail Security replaced Message Body with this text message. The
original text contained prohibited content and was quarantined because of "%violatingterm%"

the body of the email the recipient receives is this:

Symantec Mail Security replaced Message Body with this text message. The
original text contained prohibited content and was quarantined because of "Unknown Violation"

It is expected that the body of the email the recipient receives is this:

Symantec Mail Security replaced Message Body with this text message. The
original text contained prohibited content and was quarantined because of "Sell Enron"

Where the matchlist contained Sell Enron.

Conditions

  • The content filtering rule is configured to quarantine or delete the message and replace it with text, and the replacement text contains the substitution term %violatingterm%.

1. Open the SMSMSE Administration console.
2. Click on the Policies menu item. Then click Views|Content Enforcement|Content Filtering Rules.
3. Right click on the applicable rule and select Edit rule....
4. Click on the Actions tab.
5. The value of the When a violation occurs dropdown is either:

Quarantine attachment/message body and replace with text
Delete attachment/message body and replace with text

6. And the textbox Replacement text contains the substitution term %violatingterm%.

  •  If configured to use the substitution term %violatingterm%, the notifications sent as a result of the configuration on the Notifications tab do replace %violatingterm% with the correct matchlist items.

See the following article for more information on configuring who to notify: Specifying who to notify if a content filtering rule is violated.

 


Environment



  • SMSMSE version 6.5.5 or higher.

Starting with 6.5.5 the substitution term %violatingterm% was introduced.


Solution



This issue is fixed in 6.5.8. Update to 6.5.8 to resolve it.

Workaround

Use a different substitution term or no substitution term.

In many instances it does not make sense for the recipient of a message to see which items caused a filtering violation. For example, if the rule is configured to block "Sell Enron", it may not be good if the recipient saw the following email text:

Symantec Mail Security replaced Message Body with this text message. The
original text contained prohibited content and was quarantined because of "Sell Enron"

If a substitution term is desired, typically %violation% may make sense. This produces an email like the following:

Symantec Mail Security replaced Message Body with this text message. The
original text contained prohibited content and was quarantined with a Filtering violation

In this case %violation% was replaced with a Filtering violation.


Supplemental Materials

Source: ETrack
Value: 2496356


