Messaging Gateway

 View Only
Expand all | Collapse all

Cannot release message, returns (goes back) to quarantine

  • 1.  Cannot release message, returns (goes back) to quarantine

    Posted Aug 21, 2009 04:48 AM
    Hi,

    Our client is having some problems releasing a single message out of the network. Whenever he tries to release the message, it just goes back to quarantine.
    It contains a spreadsheet attachment most likely to contain numbers and such (I cannot see it due to constraints of the contract)
    I checked the content compliance and it doesn't seem to violate anything. Besides, when an admin releases a message, shouldn't it be released/sent already?
    The From, To and Original subject contain the exact same thing.
    imagebrowser image

    Note: Title is written so that searching for this would be easier. :D


  • 2.  RE: Cannot release message, returns (goes back) to quarantine

    Posted Aug 22, 2009 10:17 PM
    Hello mon_raralio

    Based on the screenshot,  the message triggers some Content Compliance rule.
    Search for the initial mail under the 'Message Audit Logs (Status -> Message Audit Logs) and open the detailed view (click on the To address).  You should see the comliance name under the 'Verdict' section. 

    As I presume the released mail is re-quarantined, try disabling the initially triggered Policy before releasing the mail from the Quarantine.  Re-enable the rule after releasing the mail.

    As you have mentioned that the mail has a spreadsheet attachement, you could also review the following Symantec document:
    http://service1.symantec.com/SUPPORT/ent-gate.nsf/docid/2007122613225354

    Cheers.




  • 3.  RE: Cannot release message, returns (goes back) to quarantine

    Posted Aug 23, 2009 09:56 AM
    Thanks fsg, I'll try this come work day. :D
    I'll keep you posted.


  • 4.  RE: Cannot release message, returns (goes back) to quarantine

    Posted Aug 24, 2009 04:57 AM
    Hi,

    Our client did as suggested to compress the file in zip format before sending. It was still quarantined and one of the tested policy is for keywords (sexual, racial, forgot the last one) which I doubt was contained in the document. If the email was released, will it still proceed with the other untested policies which was also listed in the email as untested?

    There is also an existing policy to allow all word documents in the server.

    (Upgrading is out of the question)


  • 5.  RE: Cannot release message, returns (goes back) to quarantine

    Posted Aug 25, 2009 09:00 AM
    Hi mon_raralio

    The triggered policies put another spin on the situation, also raise a few questions.
     - are the triggered content policies / dictionaries used custom or default ones ?
     - do you have the client's permission to view the email and attachment ? (based on the entry above the mail and attachment was not reviewed)
     - is the MS Word version used known ?
     - is the quarantined mail (shown in the screen-shot) containing the same MS Word attachment (or there are various documents) ?
     - are these emails from the same sender ?

    Some testing could also eliminate possibilities:
     - find out the MS Word version used in creating the attached files.
     - create a 'clean' test word document and send it through the SBG, check the result in the Message Audit Logs
     - narrow down the quarantined mail instances (if there are various)

    If the information cannot be posted, I suggest providing sample emails to Symantec (via a support case) for testing.

    Cheers


  • 6.  RE: Cannot release message, returns (goes back) to quarantine

    Posted Aug 25, 2009 09:32 AM

    The triggered policies put another spin on the situation, also raise a few questions.
     - are the triggered content policies / dictionaries used custom or default ones ? We only used some of the default policies, and have a few words in the custom words list. And the person I talked to said that it doesn't have any 'bad' words.
     - do you have the client's permission to view the email and attachment ? (based on the entry above the mail and attachment was not reviewed) No, I can't have access to that file. I also suggested that it could be a number violation, but that filter was disabled.
     - is the MS Word version used known ? It is an Excel Spread sheet. Version 2k3
     - is the quarantined mail (shown in the screen-shot) containing the same MS Word attachment (or there are various documents) ? Same Excel attachment. Tried zipping it too.
     - are these emails from the same sender ? Yes, same sender - sort of. The email was from a user which was then forwarded by an admin just to test it out.

    Some testing could also eliminate possibilities:
     - find out the MS Word version used in creating the attached files.
     - create a 'clean' test word document and send it through the SBG, check the result in the Message Audit Logs - I'll try and have them do this.
     - narrow down the quarantined mail instances (if there are various) - Just this one.

    If the information cannot be posted, I suggest providing sample emails to Symantec (via a support case) for testing. - The email attachment is of utmost confidentiality. :(

    Cheers.



  • 7.  RE: Cannot release message, returns (goes back) to quarantine

    Posted Aug 26, 2009 10:42 PM
    The client did a test with a blank xls file. It went through with no problems.
    We'll try and review the enabled policies. Apparently, there is also a problem with the zip files.


  • 8.  RE: Cannot release message, returns (goes back) to quarantine

    Posted Aug 27, 2009 05:24 AM
    Finally got a chance to view the file. It did contain some "sexual" keywords.
    Still don't understand why it returns to the quarantine despite the admin releasing the email.
    Replaced those words with a more "friendly" synonym and it got through.

    BTW, @fsg, the client does not want to disable the policy even for a short time so I can't do what your first post suggested.


  • 9.  RE: Cannot release message, returns (goes back) to quarantine

    Posted Aug 28, 2009 07:29 PM
    Well mon_raralio, based on the last few posts,  it seams that the SBG does just whit it supposed to. (quarantines the mail, based on the 'sexual' keywords).

    As for why the admin could not release the mail from quarantine,  you should look at the Control Center configuration - is the downstream server used, or it is releasing the mail back into the mail-flow.  It should not re-quarantine it though - if I remember correctly - will verify the theory once I have access to the SBG.

    Cheers



  • 10.  RE: Cannot release message, returns (goes back) to quarantine

    Posted Aug 30, 2009 08:49 PM
    fsg: I'm not sure, but I think once the mail has been released, it should be out of SBG and on its way. But as it is, it just returns to quarantine like there is a loop in the message flow. If only we can mark a message as released and have another rule for that.