If Symantec DLP catches an email twice, is an additional incident created?


Article ID: 159907


Updated On:


Applies to: Data Loss Prevention Network Monitor, Data Loss Prevention Network Prevent for Email, Data Loss Prevention Enforce


Symantec DLP email anti-duplication feature: cached email msg-ids


Relevant versions: Symantec DLP 10.x and beyond

When Symantec DLP receives an SMTP message it extracts the message id and recipients from BOTH the SMTP envelope (which might contain BCC recipients hidden from the end user) AND the email headers (TO and CC).

If the message id has been processed before, the lists of recipients of the current and previous emails are compared. If there are new recipients in the current email, the email is processed. If there aren't any new recipients, the email is discarded.

NOTE: This is only true for Network Monitor. Duplicate messages are not removed in SMTP Prevent, as it may be advisable to block every single copy of the message.

If the SMTP message contains one or more recipients Network Monitor has not seen, Symantec DLP will inspect the message again.

There are some advanced settings that control duplication (System -> Overview -> Advanced tab of detection server):


This must be set to "true" (default for Network Monitor) to avoid duplicate incidents. If the value is set to false, multiple incidents will be created. This is important if the same message is being replayed for testing purposes.


This is the interval in ms between when an SMTP message ID is first seen and when it is removed from the cache, after which a duplicate message can create an incident again. So, if two copies of the same message are sent more than 60 seconds apart, they may create duplicate incidents regardless of the first setting.
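The following is an added, illustrative model of the anti-duplication logic described above; it is not Symantec's code and the parameter names (`dedup_enabled`, `cache_ttl_ms`) are placeholders standing in for the two advanced settings, whose real names are not given in this article. It shows the three decisions the article describes: an exact replay within the cache window is discarded, a copy with a recipient not yet seen is inspected again, and a copy arriving after the cache interval creates a fresh inspection even though the message id is unchanged.

```python
import time
from dataclasses import dataclass


@dataclass
class SmtpMessage:
    """One SMTP message as Network Monitor would see it (constructed sample shape)."""
    message_id: str
    envelope_rcpts: list   # RCPT TO addresses, including BCC recipients
    header_to: list        # addresses from the To: header
    header_cc: list        # addresses from the Cc: header

    def all_recipients(self):
        # Union of envelope and header recipients, normalised for comparison.
        combined = self.envelope_rcpts + self.header_to + self.header_cc
        return {r.strip().lower() for r in combined if r.strip()}


class MessageIdCache:
    """Message-id cache with recipient tracking and a TTL, modelling the article's behaviour."""

    def __init__(self, dedup_enabled=True, cache_ttl_ms=60_000, clock=time.monotonic):
        self.dedup_enabled = dedup_enabled      # placeholder for the "must be true" setting
        self.cache_ttl_ms = cache_ttl_ms        # placeholder for the cache interval setting
        self._clock = clock
        self._entries = {}                      # message_id -> (first_seen_s, set(recipients))

    def _expire(self, now):
        # The interval is measured from when the id was first seen, per the article.
        ttl_s = self.cache_ttl_ms / 1000.0
        expired = [mid for mid, (seen, _) in self._entries.items() if now - seen > ttl_s]
        for mid in expired:
            del self._entries[mid]

    def should_inspect(self, msg):
        """Return (inspect, new_recipients). inspect=False means the copy is discarded."""
        now = self._clock()
        self._expire(now)
        rcpts = msg.all_recipients()
        if not self.dedup_enabled:
            # Setting off: every copy is inspected and may create its own incident.
            return True, rcpts
        prev = self._entries.get(msg.message_id)
        if prev is None:
            self._entries[msg.message_id] = (now, set(rcpts))
            return True, rcpts
        _, seen_rcpts = prev
        new = rcpts - seen_rcpts
        if new:
            seen_rcpts |= new       # remember the additional recipients for later copies
            return True, new
        return False, set()


def run_demo():
    """Replay one constructed message four times; returns the inspect decision for each."""
    fake_now = [0.0]
    cache = MessageIdCache(cache_ttl_ms=60_000, clock=lambda: fake_now[0])
    original = SmtpMessage("<constructed-1@example.invalid>",
                           ["alice@example.invalid", "hidden-bcc@example.invalid"],
                           ["alice@example.invalid"], [])
    with_new_rcpt = SmtpMessage("<constructed-1@example.invalid>",
                                ["Carol@example.invalid"], [], [])
    decisions = []
    fake_now[0] = 0.0
    decisions.append(cache.should_inspect(original)[0])        # first sighting: inspect
    fake_now[0] = 5.0
    decisions.append(cache.should_inspect(original)[0])        # exact replay: discard
    fake_now[0] = 10.0
    decisions.append(cache.should_inspect(with_new_rcpt)[0])   # new recipient: inspect
    fake_now[0] = 70.0
    decisions.append(cache.should_inspect(original)[0])        # cache expired: inspect again
    return decisions


if __name__ == "__main__":
    print(run_demo())
```

The last decision is the practical point of the second setting: a replay more than the cache interval after the first sighting is treated as a brand-new message, so tests that re-send a sample slowly will produce multiple incidents even with de-duplication enabled.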