A significant deterioration in mail flow is experienced when the Blank Subject and Sender content filtering rule is enabled in Symantec Mail Security for Microsoft Exchange (SMSMSE)

Symptoms

• Soon after enabling the rule mailflow slows significantly or in extreme cases stops.
• In clustered environments continuous failovers of the resource group may happen. 
• After disabling the Blank Subject and Sender mail flow resumes normally.
• The Windows Application Event log may display the following events:

 

Source: Symantec Mail Security Microsoft Exchange
Event ID 327
Description: The process SAVFMSESp.exe was forcibly terminated. Reason: SAVFMSECtrl process failed to communicate with SAVFMSESp process.

Source: Symantec Mail Security for Microsoft Exchange
Event ID 168
Description: The process SAVFMSESp.exe was restarted.
 

 

Conditions

• Blank subject and sender rule applies to internal messages store.

1. Open the SMSMSE console.
2. Navigate to Policies > Content Filtering Rules.
3. Right click Blank Subject and Sender rule and select Edit rule... .
4. If the checkbox Internal messages (store) is selected then this condition is met.

In the event that the sender is blank SMSMSE instead attempts to resolve the recipient address and consider this as the sender address.

The underlying problem is that SMSMSE is receiving X.400 addresses instead of SMTP addresses for email routing, and those X.400 addresses map to more than one SMTP address inside active directory.  In order to accurately apply content filtering rules with user conditions, if Exchange passes the sender or recipient properties to SMSMSE in X.400 format, SMSMSE must issue a query to Active Directory using LDAP to determine the SMTP address associated with the X.400 passed in order to determine if the email in question matches the user criteria of the content filtering rule.  If this query fails, the content filtering rule will be skipped.  If this query returns more than one SMTP address as being an alias of the X.400 addressed attached to the message, SMSMSE will initiate a resource intensive search of the Exchange information store to narrow the list of SMTP addresses down to one SMTP address. 

This issue is fixed in SMSMSE 6.5.5, upgrade to 6.5.5 or later to resolve this problem.

Workaround 

• Symantec recommends that the Blank Subject and Sender rule only be applied to messages in transport.  In a front end / back end configuration enable transport scanning on the front end with the Blank Subject and Sender rule enabled.  This ensures that messages with a Blank Subject and Sender are captured in transport thus eliminating the need to scan the Information Store.

• Disable scanning of Internal messages by the 'Blank Subject and Sender' rule.

1. Open the SMSMSE console.
2. Navigate to Policies > Content Filtering Rules.
3. Right click Blank Subject and Sender rule and select Edit rule... .
4. Uncheck the box next to Internal messages (store) and then click OK.
5. Click Deploy changes.