After installing Symantec Mail Security for Microsoft Exchange (SMSMSE) and enabling the optional Premium Antispam component, the Windows Application Event Log records a large number of Event ID 381 or 382 entries. On older SMSMSE releases, the Event IDs for these messages are Event ID 342 and Event ID 343.
Type: Information
Date:
Time:
Event: 381
Source: Symantec Mail Security for Microsoft Exchange
Category: Premium AntiSpam
User: N/A
Computer: SERVERNAME
Description: Message classified as: Spam. Message Details: Connecting IP: x.x.x.x MAIL FROM: [email protected] RCPT TO: [email protected], Message-Id: <000d01c9d79b$30d7dc80$6700a8c0@name> Subject: Suspicious Subject Line. The message was rejected and the SMTP connection was terminated.
These entries appear because the "Log" checkbox was selected when the Policies for Premium Antispam Actions were configured. With this option selected, SMSMSE writes an event log entry for every spam message it detects. (This option is not checked by default.)

According to Symantec's most recent State of Spam Report, more than 90% of global email traffic is spam, so a busy mail server can expect to process thousands of spam messages daily. The large number of Event ID 342 entries (or Event ID 343, a record of Suspected Spam) shows SMSMSE working as designed.

Spam information is best summarized and viewed through SMSMSE's reporting capabilities. Unless there is a specific reason to record the details of each spam message in the Windows Application Event Log, conserve server resources by configuring SMSMSE not to create a log entry for each spam message.
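The following PowerShell is an added example, not part of the original article or Symantec's tooling: it counts the per-message spam events described above over a recent period and parses the Description format shown in the sample event. It assumes the event provider name matches the Source field shown above and that Suspected Spam entries use the same "Message classified as:" wording; the function names and sample values are hypothetical.

```powershell
# Added example, not Symantec code. Source name and Event IDs are the ones quoted in this article.
$Source   = 'Symantec Mail Security for Microsoft Exchange'   # assumed to equal the provider name
$EventIds = 381, 382, 342, 343                                # 342/343 on older SMSMSE releases

function ConvertFrom-SmsmseSpamEvent {
    # Extract the verdict and connecting IP from an event Description string.
    param([string]$Description)
    $verdict = if ($Description -match 'Message classified as:\s*([^.]+)\.') { $Matches[1].Trim() }
    $ip      = if ($Description -match 'Connecting IP:\s*(\S+)') { $Matches[1] }
    [pscustomobject]@{ Verdict = $verdict; ConnectingIP = $ip }
}

function Get-SmsmseSpamEventSummary {
    # Count per-message spam events written during the last $Days days.
    param([int]$Days = 1)
    $filter = @{
        LogName      = 'Application'
        ProviderName = $Source
        Id           = $EventIds
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    try   { $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop) }
    catch { $events = @() }   # no matching events, or the source is not present on this host
    $parsed = @($events | ForEach-Object { ConvertFrom-SmsmseSpamEvent -Description $_.Message })
    [pscustomobject]@{
        Days             = $Days
        Total            = $events.Count
        ById             = $events | Group-Object Id | Select-Object Name, Count
        TopConnectingIPs = $parsed | Group-Object ConnectingIP | Sort-Object Count -Descending |
                           Select-Object -First 5 Name, Count
    }
}

# Constructed sample Description (documentation IP and domains) so the parser can be tried offline.
$sample = 'Message classified as: Spam. Message Details: Connecting IP: 192.0.2.10 ' +
          'MAIL FROM: sender@example.com RCPT TO: user@example.org, ' +
          'Subject: Suspicious Subject Line. ' +
          'The message was rejected and the SMTP connection was terminated.'
ConvertFrom-SmsmseSpamEvent -Description $sample

# On the Exchange server itself:
Get-SmsmseSpamEventSummary -Days 1
```

A large daily total here confirms that per-message logging is the source of the event volume; if only a short-term breakdown by connecting IP is needed, capture it first and then clear the "Log" checkbox.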
References
For more information on processing spam messages, please see "Chapter 7, Identifying spam" in the Symantec™ Mail Security for Microsoft® Exchange Implementation Guide. Information on SMSMSE's reporting features can be found in "Chapter 11, Logging events and generating reports."
Symantec releases a free State of Spam report once per month, highlighting volumes and recent trends in spam. Additional resources and blog entries regarding spam are available from Symantec Security Response.