DLP is configured to modify the e-mail headers so that e-mails are processed by a secondary e-mail security application, which blocks or allows each e-mail according to the e-mail header.
This lets the customer check the e-mail and send it through if the user (sender) provides appropriate justification.
The issue is that some e-mail headers are not modified, so those e-mails are not blocked (put into the queue) by the e-mail security application, even though the incident snapshot shows the e-mail header as modified.
The following message can be seen repeatedly in "RequestProcessor0.log":
***********************************************************************************************
To: <[email protected]>
From: <[email protected]>
Subject: Message
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Message-ID: <mailbox-10866-1338369538-296887@example>
MIME-Version: 1.0
X-CFilter-Loop: Reflected
X-CFilter-Loop: Reflected
X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.6.7580,1.0.260,0.0.0000
definitions=2012-05-30_02:2012-05-21,2012-05-30,1970-01-01 signatures=0
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 spamscore=0 ipscore=0 suspectscore=3
phishscore=0 bulkscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx
scancount=1 engine=6.0.2-1203120001 definitions=main-1205300036
************************************************************************************
************************************************************************************
FINE: RPT(2c): [Response] com.vontu.mta.prevent.SerializedSmtpPreventResponse@example
May 28, 2012 12:34:51 PM com.vontu.mta.rp.ResponseProcessor _finishMessageTransferWithoutAnyModifications
FINE: RPT(2c): Completing message w/o modification
May 28, 2012 12:34:51 PM com.vontu.mta.rp.ResponseProcessor respond
FINE: RPT(2c): Passed message through due to timeout
*************************************************************************************
The looped messages go through the mail system multiple times before they start timing out, which causes other e-mails to go through unmodified as well.
Every time the messages “Completing message w/o modification” and “Passed message through due to timeout” show up in the logs, it is during the processing of these looped messages to the [email protected] account.
The logs are full of messages to [email protected] looping in the mail infrastructure, which eventually cause a timeout during processing by the next-hop MTA.
The issue can be resolved by redirecting the e-mails from [email protected].
The customer needs to engage their e-mail team to find out why a message to an internal user is going through the Email Prevent server and/or figure out how to prevent the messages from looping.
Note: White-listing the sender in DLP does not prevent the message from looping through the mail system and causing the problem; the customer needs to fix the loop.
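The following Python example is added here and is not part of the original article or the product. It scans a RequestProcessor log for the "Passed message through due to timeout" event quoted above and lists the recipients whose dumped headers carry more than one X-CFilter-Loop line. The sample log and addresses are constructed, and treating a repeated X-CFilter-Loop header as the loop marker is an assumption drawn from the excerpt.

```python
import re
from collections import Counter

# Constructed sample in the layout of the excerpt above; addresses are placeholders.
SAMPLE_LOG = """\
To: <looped.user@example.com>
From: <sender@example.com>
Message-ID: <mailbox-1-constructed@example>
X-CFilter-Loop: Reflected
X-CFilter-Loop: Reflected
********************
May 28, 2012 12:34:51 PM com.vontu.mta.rp.ResponseProcessor _finishMessageTransferWithoutAnyModifications
FINE: RPT(2c): Completing message w/o modification
May 28, 2012 12:34:51 PM com.vontu.mta.rp.ResponseProcessor respond
FINE: RPT(2c): Passed message through due to timeout
********************
To: <other.user@example.com>
Message-ID: <mailbox-2-constructed@example>
X-CFilter-Loop: Reflected
********************
"""

TS = re.compile(r"^[A-Z][a-z]{2} \d{1,2}, \d{4} \d{1,2}:\d{2}:\d{2} [AP]M ")
EVENT = re.compile(r"^[A-Z]+: RPT\((\w+)\): (.*)$")
FAIL_OPEN = "Passed message through due to timeout"

def scan(log_text):
    """Return (fail_open_events, looped_recipients) for a RequestProcessor log."""
    fail_open, looped = [], Counter()
    last_ts, rcpt, loops = None, None, 0

    def flush():
        # Assumption: more than one X-CFilter-Loop header marks a looped message.
        if rcpt and loops > 1:
            looped[rcpt] += 1

    for line in log_text.splitlines():
        if TS.match(line):
            last_ts = " ".join(line.split()[:5])       # timestamp of the next event
        elif (m := EVENT.match(line)) and m.group(2) == FAIL_OPEN:
            fail_open.append((last_ts, m.group(1)))    # (time, RPT thread id)
        elif line.startswith("To:"):
            flush()                                    # close the previous header dump
            rcpt, loops = line[3:].strip(" <>").lower(), 0
        elif line.startswith("X-CFilter-Loop:"):
            loops += 1
    flush()
    return fail_open, looped
```

A recipient that dominates the second result while the first list keeps growing matches the pattern described above: the loop has to be fixed in the mail routing, not in DLP.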