Duplicate notifications for encrypted messages

dan.smith10
Level 1

Hi all,

We're using our C150 to quarantine emails that arrive with some form of encryption (e.g. a password-protected .zip).  When a matching email first arrives, it's correctly quarantined and sends an "Encrypted message detected" notification to the relevant recipient, as expected.  However, after releasing the email to the recipient, another "Encrypted message detected" notification is sent related to the same email, even though the recipient receives the released version too.  It's causing some people a bit of confusion to get this second notification at the same time they get the email it's complaining about.

We have the following setup under Mail Policies:Anti-Virus -> Anti-Virus Settings -> Encrypted Messages:

Action applied to message = Quarantine

Archive original message = No

Modify message subject = Prepend the text "[WARNING :  MESSAGE ENCRYPTED]"  (Interestingly, the first notification generated doesn't include this prepended text as part of the subject, but the second one does; not sure if this is a clue to what's happening)

Under Advanced:

Add custom header to message = No

Container notification = System Generated

Other Notification = Recipient + Others (admins)

Modify message recipient = No

Send message to alternate destination host = No

If anyone can shed some light on why this is happening or if you've seen it before, please let me know.

Kind regards,

Dan

2 Replies

steven_geerts
Level 1

Hello Dan,

I suggest you try to find out what is happening by analysing your log data.

Normally you can trace in there what policies and filters are triggered by a certain message; hopefully there is useful info to be found there.

Good luck,

Steven

Hi Steven,

Thanks for the tip.  I've traced the logs as suggested, and they really only seem to confirm the symptoms.  There's the initial message getting quarantined based on the encrypted content, followed by two notifications sent out (one to the affected user, and one to an admin email address.)  Then, after release, there are two more notification messages generated based on the original message, and delivery of the released message.  They all seem to relate back to the original message; in brief:

Initial arrival:

Fri Mar 26 10:55:59 2010 Info: MID 3222427 matched all recipients for per-recipient policy DEFAULT in the inbound table
Fri Mar 26 10:55:59 2010 Info: MID 3222427 interim verdict using engine: CASE spam negative
Fri Mar 26 10:55:59 2010 Info: MID 3222427 using engine: CASE spam negative
Fri Mar 26 10:55:59 2010 Info: MID 3222427 interim AV verdict using McAfee ENCRYPTED
Fri Mar 26 10:55:59 2010 Info: MID 3222427 interim AV verdict using Sophos ENCRYPTED
Fri Mar 26 10:55:59 2010 Info: MID 3222427 antivirus encrypted

[...]

Fri Mar 26 10:55:59 2010 Info: MID 3222428 was generated based on MID 3222427 by antivirus ## Notification to user
[...]

Fri Mar 26 10:55:59 2010 Info: MID 3222429 was generated based on MID 3222427 by antivirus ## Notification to admin

[...]

Fri Mar 26 10:55:59 2010 Info: MID 3222427 quarantined to "Virus" (a/v verdict:ENCRYPTED)

After release:

Fri Mar 26 11:00:26 2010 Info: MID 3222471 was generated based on MID 3222427 by antivirus ## Duplicate notification to user

[...]

Fri Mar 26 11:00:26 2010 Info: MID 3222472 was generated based on MID 3222427 by antivirus ## Duplicate notification to admin

[...]

Fri Mar 26 11:00:29 2010 Info: Message finished MID 3222471 done
[...]

Fri Mar 26 11:00:30 2010 Info: Message finished MID 3222427 done ## Original mail that is being released
[...]

Fri Mar 26 11:00:30 2010 Info: Message finished MID 3222472 done

Nothing I've omitted to save space seems to indicate anything other than regular delivery behaviour.

cheers,

-dan
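
The log pattern discussed in this thread can be checked mechanically. The following is an added example, not part of the original posts and not vendor code: it scans mail log text for antivirus-generated notifications that appear after their parent MID was already quarantined. The function name `find_repeat_notifications` is hypothetical, and the two line formats it matches are assumed from the excerpt above only.

```python
import re
from collections import defaultdict

# Log lines copied from the post above, with the poster's "##" annotations
# and the "[...]" elisions dropped.
SAMPLE_LOG = """\
Fri Mar 26 10:55:59 2010 Info: MID 3222427 antivirus encrypted
Fri Mar 26 10:55:59 2010 Info: MID 3222428 was generated based on MID 3222427 by antivirus
Fri Mar 26 10:55:59 2010 Info: MID 3222429 was generated based on MID 3222427 by antivirus
Fri Mar 26 10:55:59 2010 Info: MID 3222427 quarantined to "Virus" (a/v verdict:ENCRYPTED)
Fri Mar 26 11:00:26 2010 Info: MID 3222471 was generated based on MID 3222427 by antivirus
Fri Mar 26 11:00:26 2010 Info: MID 3222472 was generated based on MID 3222427 by antivirus
Fri Mar 26 11:00:30 2010 Info: Message finished MID 3222427 done
"""

# Line shapes are assumed from the excerpt only, not from vendor documentation.
GENERATED = re.compile(r"MID (\d+) was generated based on MID (\d+) by antivirus")
QUARANTINED = re.compile(r'MID (\d+) quarantined to "[^"]+"')


def find_repeat_notifications(log_text):
    """Map each quarantined parent MID to the antivirus-generated child MIDs
    that appear in the log after the parent's quarantine line."""
    quarantined = set()
    repeats = defaultdict(list)
    for line in log_text.splitlines():
        q = QUARANTINED.search(line)
        if q:
            quarantined.add(q.group(1))
            continue
        g = GENERATED.search(line)
        if g:
            child, parent = g.groups()
            # Log order, not the one-second timestamp, decides "after":
            # the first notifications share a timestamp with the quarantine.
            if parent in quarantined:
                repeats[parent].append(child)
    return dict(repeats)


if __name__ == "__main__":
    for parent, children in find_repeat_notifications(SAMPLE_LOG).items():
        print(f"MID {parent}: regenerated after quarantine -> {', '.join(children)}")
```
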