
Additional Capability to Process Messages in the Spam Quarantine

Updated: 06 Nov 2009 | 5 comments
jmock | 6 Agree, 0 Disagree (+6, 6 Votes)
Status: In Review

We filter outbound mail for spam and quarantine any messages that are flagged as spam. Messages caught in the quarantine in this manner normally require additional follow-up or investigation. Currently, you can only delete or release messages from the quarantine. We would like to be able to export and/or forward messages from the quarantine. This would allow us to provide messages to our forensics team and/or offload storage of messages that may need to be kept at the request of legal or some other function requiring storage for any extended period of time.

Comments

Cricket17 | 11 Aug 2009 | 1 Vote (+1)

Agree.

I've felt this way as well.  It also applies to an outbound Virus policy.   It would be nice if Symantec added "Create an Incident" to the action drop downs.

As a workaround, you could use either "Forward the message to _____" or "Send a notification ______" with include original message.
The problem with both of these is you tend to lose original header/routing information.

Kayuu23 | 13 Aug 2009 | 2 Votes (-2)

Workaround

The problem with the forward option is that it forwards a copy of the message, and the original is delivered normally.

The solution is to route the message to a specific internal server, where it can be retrieved from that MTA.

jmock | 14 Aug 2009 | 1 Vote (+1)

Reply to Workaround

So the recommended solution is to not use the quarantine built into the product but forward all messages detected as spam to another server. Not sure how this is a practical recommendation from Symantec, but a typical response.

Cricket17 | 18 Aug 2009 | 0 Votes (0)

Reply to Workaround

Why would the original be delivered normally, if the action was in a Suspect spam rule?

In Spam section, create a policy:

Title: Outbound Suspect Spam - Hold & Notify
Conditions:
    Apply to Outbound Messages
    If the following condition is met:  Message is Spam/Suspect Spam

Actions:
    Hold Message in Spam Quarantine
    Forward message to Spam_research@example.com

Or
    Hold Message in Spam Quarantine
    Send Notification "Outbound Spam"

Ian McShane | 06 Nov 2009 | 0 Votes (0)

Review

Hi,

It sounds like the request is for a new Quarantine UI action "Reroute to:" which can take "%IP%:%port%" or an email address.
Is that correct?
Would this be the same as release, where the message is removed from quarantine?  
Or is this action going to need to leave a copy of the message in the quarantine?
Would the "re-routed" message be an attachment to a new message with a body of  "this was routed to you by %admin user%"?
Or would it be exactly like "release"?
Would the re-routed message need to be subject to the compliance rules in place or should it bypass them?

Thanks for your clarifications!

//ian