
Additional Capability to Process Messages in the Spam Quarantine

Created: 10 Aug 2009 • Updated: 06 Nov 2009 | 5 comments
jmock
6 Agree
0 Disagree
Status: In Review

We filter outbound mail for spam and quarantine any messages that are flagged as spam. Messages caught in the quarantine in this manner normally require additional follow-up or investigation. Currently, you can only delete or release messages from the quarantine. We would like to be able to export and/or forward messages from the quarantine. This would allow us to provide messages to our forensics team and/or offload storage of messages that may need to be kept at the request of legal or some other function requiring storage for any extended period of time.

5 Comments

Cricket17

I've felt this way as well. It also applies to an outbound Virus policy. It would be nice if Symantec added "Create an Incident" to the action drop-downs.

As a workaround, you could use either Forward the message to _____, or Send a notification ______ with include original message.
The problem with both of these is you tend to lose original header/routing information.

+1
Kayuu23

The problem with the forward option is that it forwards a copy of the message, and the original is delivered normally.

The solution is to route the message to a specific internal server where they can be retrieved from that MTA.

-2
jmock

So the recommended solution is to not use the quarantine built into the product but forward all messages detected as spam to another server. Not sure how this is a practical recommendation from Symantec but a typical response.

+1
Cricket17

Why would the original be delivered normally, if the action was in a Suspect spam rule?

In Spam section, create a policy:

Title: Outbound Suspect Spam - Hold & Notify
Conditions:
    Apply to Outbound Messages
    If the following condition is met:  Message is Spam/Suspect Spam

Actions:
    Hold Message in Spam Quarantine
    Forward message to Spam_research@example.com

Or
    Hold Message in Spam Quarantine
    Send Notification "Outbound Spam"

0
Ian McShane

Hi,

It sounds like the request is for a new Quarantine UI action "Reroute to:" which can take "%IP%:%port%" or an email address.
Is that correct?
Would this be the same as release, where the message is removed from quarantine?  
Or is this action going to need to leave a copy of the message in the quarantine?
Would the "re-routed" message be an attachment to a new message with a body of  "this was routed to you by %admin user%"?
Or would it be exactly like "release"?
Would the re-routed message need to be subject to the compliance rules in place or should it bypass them?

Thanks for your clarifications!

//ian 

0