Video Screencast Help
Give us your opinion and win with Symantec! Please help us by taking this survey to tell us about your experience with Symantec Connect, so that we can continue to grow and improve.  Take the survey.

CA - Random Caputre Question

Created: 11 Nov 2013 • Updated: 07 Jan 2014 | 8 comments
This issue has been solved. See solution.

I was wondering if there was a way to change the way CA caputres emails.

Here is our problem.


I send an email to a distrubition list which has 20+ employees in our department and a couple outside clients are on the email as well.  This email is now marked as external outbound.

My manager reviews all the 20 internal employees on the email and now has the same 20 emails to review. I'm having a hard time to understand why this email will go to their ques since they

             - did not send the email

            - email did not come from outside in

The email should only be review by my reviewer since I was the author.Right ?

Our current config

- The 20 employees are mapped as an exception to the same reviewer. (The department has more then 20+ emoployees with differnt reviewers)

- ver. CA 9.02

- Random capure, Statistical

Operating Systems:

Comments 8 CommentsJump to latest comment

EV_Ajay's picture

Hi Voine.

You sent email to distribution list. Is those 20 internal employee is part of same DL ?

Because at the time of DA search the DL if we had setting then it also expand the DL and search of the user inside that DL. Hence i think that's why those email capture.

The email is reviewed by the person who has the permission to review the email.



Voine's picture

Yes all the employees are internal but the isuse here is not really the DL. The email is being marked correctly but I feel if an email is marked as external outbound it should only have to be reviewed by the author not by the author and recipents.

Kenneth Adams's picture

Hello, Vione;

CA Random Sampling takes the author as the primary determing factor in assigning messages to review sets, but it also takes recipients into account.  This is to ensure a sampling of all messages sent or received by any Monitored Employee meets your company's compliance standards.  The purpose is to ensure non-compliance messages are not passed from one internal, non-Monitored Employee to a Monitored Employee.

CA 9.0 and later versions deduplicate automatically during searches, but not during Random Sampling.  That said, I would expect to see only one instance of that message as being journaled unless the author and recipients are on different Exchange servers, with each Exchange server having its own journal mailbox.  In situations with multiple journal mailboxes, I would expect to see one instance of the message per journal mailbox associated with each recipient and the author.

Ken Adams

Backline Support for CA, DA, ACE, UCE, PSTD, ARMS, EVDC
US Support Region

Voine's picture

This issue happens during random sampling. The superviosr has about 10 of the same messages to review for each employee he reviews. I believe they are on the same exchange server and same jv since its the same department. Is there a way to remove the duplicates during random sampling ?

Kenneth Adams's picture

Unfortunately, Random Samling does not allow for removing duplicates.  Sorry.

I suspect there is something different about those messages, though.  Please ask the supervisor to look at the DiscoveredItemID of the duplicate messages and note the DiscoveredItemID for each message in a Notepad file.  The DiscoveredItemID will be displayed in the upper right above the preview pane and should change when the item selection changes in the list view pane.

Also ask the supervisor to open the original of each message by right clicking on each in the list view pane and selecting the View Original option.  That should open each message in an Outlook profile.  Once opened, access the message properties so the header information will be displayed.  Ask the supervisor to copy that header information and paste it into the Notepad file below it's DiscoveredItemID, then give you that file.  When you have that file, look first at the header information to see if the messages were processed by different mail gateway servers and / or different Exchange or Domino servers.  Also look for a ConversationID and, if you see one, look to see if it matches in all of the messages.

Finally, take the DiscoveredItemID values from the Notepad document and put them into the following SQL query, replacing the DII# references with those values and run the query against the CA Customer database.

SELECT * FROM tblIntDiscoveredItems WHERE DiscoveredItemID IN (DII1, DII2, DII3, DII4, DII5, DII6, DII7, DII8, DII9, DII10)

Look in the output of the query to see if the following column entries for each item match:
- KVSSavesetID
- VaultID
- Author
- Subject
- Recipients
- CaptureType
- CaptureDate

I would expect the KVSSavesetID entries to be different.  That's OK.  We just need to confirm they are different.  The other information should be the same for each column.  We just need to confirm that, also.

I suspect what is happening is that CA is capturing a copy of the message for each Monitored Employee in order to match the capture percentages for the message type and direction (i.e., Exchange Outbound).  Adjusting the sampling percentages may be needed in order to reduce the possibility of obtaining the duplicates.

Remember that CA's Random Sampling is looking to fill the Department's Review Set with enough messages of each type and direction to meet the set sampling percentages.  If those Monitored Employees are not getting enough messages of a certain type to allow for a broader selection, CA will include the multiple archived copies of the same message.  For example, if you have the sampling percentages set to 100% Exchange Outbound, then every e-mail sent to every Monitored Employee that is marked as Exchange Outbound will be captured for sampling.  Adjusting the sampling percentage to a lower value would be called for in order to allow for a greater selection of messages to sample - as opposed to all messages having to be sampled.

Ken Adams

Backline Support for CA, DA, ACE, UCE, PSTD, ARMS, EVDC
US Support Region

Voine's picture

How do you obtani the message headers ?

I right clicked each message in CA and selected copy item details to clipboard

This gave me the itemid, savesetit and the vault entry id. SaveSet and VaultEntryID was the same.

There are 18 of the same messages in the superviors queue. Why can't CA determine who the author is and only drop the message in that employee's queue. This is basically an internal email that is being reviewed.

Kenneth Adams's picture

CA does determine who the author is, but it also determines who the recipients are when there are internal recipients that are also Monitored Employees.  CA is designed to sample messages both from and to Monitored Employees, not just from Monitored Employees.

The supervisors should be able to bulk review those duplicate messages by looking at one to determine if it needs any action, then selecting each of the duplicates in the list view pane (hold the Ctrl key down and click on each of the others if they are not together or, if they are all together, clicking on the top instance, holding the Shift key and clicking on the bottom instance) and marking them all as reviewed or escalated or whatever status is appropriate - provided your internal compliance policies allow for bulk marking of identical items.

You may want to go to the Ideas section of this forum and enter an enhancement request to have a configuration option added to just sample messages based on author only, recipient only, or both.  If enough customers want this capability, it would be considered to be added to the product.

Ken Adams

Backline Support for CA, DA, ACE, UCE, PSTD, ARMS, EVDC
US Support Region

EV_Ajay's picture

Hi Voine,

Could you please let me know if this issue is resolved ? If you require any help please let me know.