We're using our C150 to quarantine emails that arrive with some form of encryption (e.g. a password-protected .zip). When a matching email first arrives, it's correctly quarantined and sends an "Encrypted message detected" notification to the relevant recipient, as expected. However, after releasing the email to the recipient, another "Encrypted message detected" notification is sent related to the same email, even though the recipient receives the released version too. It's causing some people a bit of confusion to get this second notification at the same time they get the email it's complaining about.
We have the following setup under Mail Policies: Anti-Virus -> Anti-Virus Settings -> Encrypted Messages:
Action applied to message = Quarantine
Archive original message = No
Modify message subject = Prepend the text "[WARNING : MESSAGE ENCRYPTED]" (Interestingly, the first notification generated doesn't include this prepended text as part of the subject, but the second one does; not sure if this is a clue to what's happening)
Add custom header to message = No
Container notification = System Generated
Other Notification = Recipient + Others (admins)
Modify message recipient = No
Send message to alternate destination host = No
If anyone can shed some light on why this is happening or if you've seen it before, please let me know.
Re: Duplicate notifications for encrypted messages
Thanks for the tip. I've traced the logs as suggested, and they really only seem to confirm the symptoms. There's the initial message getting quarantined based on the encrypted content, followed by two notifications sent out (one to the affected user, and one to an admin email address). Then, after release, there are two more notification messages generated based on the original message, and delivery of the released message. They all seem to relate back to the original message; in brief:
Fri Mar 26 10:55:59 2010 Info: MID 3222427 matched all recipients for per-recipient policy DEFAULT in the inbound table
Fri Mar 26 10:55:59 2010 Info: MID 3222427 interim verdict using engine: CASE spam negative
Fri Mar 26 10:55:59 2010 Info: MID 3222427 using engine: CASE spam negative
Fri Mar 26 10:55:59 2010 Info: MID 3222427 interim AV verdict using McAfee ENCRYPTED
Fri Mar 26 10:55:59 2010 Info: MID 3222427 interim AV verdict using Sophos ENCRYPTED
Fri Mar 26 10:55:59 2010 Info: MID 3222427 antivirus encrypted
Fri Mar 26 10:55:59 2010 Info: MID 3222428 was generated based on MID 3222427 by antivirus ## Notification to user [...]
Fri Mar 26 10:55:59 2010 Info: MID 3222429 was generated based on MID 3222427 by antivirus ## Notification to admin
Fri Mar 26 10:55:59 2010 Info: MID 3222427 quarantined to "Virus" (a/v verdict:ENCRYPTED)
Fri Mar 26 11:00:26 2010 Info: MID 3222471 was generated based on MID 3222427 by antivirus ## Duplicate notification to user
Fri Mar 26 11:00:26 2010 Info: MID 3222472 was generated based on MID 3222427 by antivirus ## Duplicate notification to admin
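The trace above is the kind of thing you end up doing by hand with grep across a long mail_logs file. The following is an added example (not from this thread, not Cisco's code) of a small script that automates the correlation: it parses the ESA mail_logs lines in the format shown, groups every "was generated based on MID X" line under its parent MID, and flags parents for which notification messages were generated again after the parent's quarantine event, which is exactly the duplicate-after-release pattern described. The log line format is assumed to be as quoted in the post; the sample input reuses the poster's own lines (with the "##" annotations stripped) and the function names are my own.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sample input: the log lines quoted in the post above, minus the poster's
# "## ..." annotations. MIDs and timestamps are the poster's, not constructed.
SAMPLE_LOG = """\
Fri Mar 26 10:55:59 2010 Info: MID 3222427 matched all recipients for per-recipient policy DEFAULT in the inbound table
Fri Mar 26 10:55:59 2010 Info: MID 3222427 interim AV verdict using McAfee ENCRYPTED
Fri Mar 26 10:55:59 2010 Info: MID 3222427 interim AV verdict using Sophos ENCRYPTED
Fri Mar 26 10:55:59 2010 Info: MID 3222427 antivirus encrypted
Fri Mar 26 10:55:59 2010 Info: MID 3222428 was generated based on MID 3222427 by antivirus
Fri Mar 26 10:55:59 2010 Info: MID 3222429 was generated based on MID 3222427 by antivirus
Fri Mar 26 10:55:59 2010 Info: MID 3222427 quarantined to "Virus" (a/v verdict:ENCRYPTED)
Fri Mar 26 11:00:26 2010 Info: MID 3222471 was generated based on MID 3222427 by antivirus
Fri Mar 26 11:00:26 2010 Info: MID 3222472 was generated based on MID 3222427 by antivirus
"""

# Assumed line shape: "<Day Mon DD HH:MM:SS YYYY> Info: MID <n> <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) Info: MID (?P<mid>\d+) (?P<msg>.*)$"
)
GEN_RE = re.compile(r"^was generated based on MID (?P<parent>\d+) by (?P<engine>\S+)")
QUAR_RE = re.compile(r'^quarantined to "(?P<quarantine>[^"]+)"')


def parse_line(line):
    """Return (timestamp, mid, message) for a mail_logs line, or None if it does not match."""
    m = LINE_RE.match(line.rstrip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, int(m["mid"]), m["msg"]


def correlate(log_text):
    """Group generated child MIDs under their parent and record each parent's quarantine time.

    Returns (generated, quarantined_at):
      generated:     {parent_mid: [(ts, child_mid, engine), ...]} in log order
      quarantined_at: {mid: ts of its first 'quarantined to' line}
    """
    generated = defaultdict(list)
    quarantined_at = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, mid, msg = parsed
        g = GEN_RE.match(msg)
        if g:
            generated[int(g["parent"])].append((ts, mid, g["engine"]))
            continue
        if QUAR_RE.match(msg):
            quarantined_at.setdefault(mid, ts)
    return generated, quarantined_at


def find_post_quarantine_notifications(log_text):
    """Return {parent_mid: [(ts, child_mid), ...]} for every quarantined parent that had
    further messages generated from it strictly after its quarantine timestamp.

    The first burst of notifications carries the same timestamp as the quarantine line,
    so a strict '>' comparison keeps the expected notifications out of the result and
    leaves only the ones produced later (e.g. on release from quarantine).
    """
    generated, quarantined_at = correlate(log_text)
    result = {}
    for parent, children in generated.items():
        q_ts = quarantined_at.get(parent)
        if q_ts is None:
            continue
        late = [(ts, child) for ts, child, _ in children if ts > q_ts]
        if late:
            result[parent] = late
    return result


if __name__ == "__main__":
    for parent, late in find_post_quarantine_notifications(SAMPLE_LOG).items():
        print(f"MID {parent}: {len(late)} message(s) generated after quarantine")
        for ts, child in late:
            print(f"  {ts:%Y-%m-%d %H:%M:%S}  MID {child}")
```

Feed it the real file with `find_post_quarantine_notifications(open("mail_logs").read())`; on a busy appliance the useful follow-up is to join the flagged child MIDs back to their own "Subject" and delivery lines to confirm they are the "[WARNING : MESSAGE ENCRYPTED]" notifications rather than the released copy.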