Verdict and action combinations

book

Article ID: 179501

calendar_today

Updated On:

Products

Messaging Gateway

Issue/Introduction

 

Resolution

Verdict and action combinations

Symantec Brightmail Gateway offers the ability to combine multiple actions for different verdicts on the same message. This capability provides advantages over a model in which only one verdict for a message can result in actions. For example, suppose a spam message also contains a virus and your policies specify quarantining of spam messages and cleaning of viruses. Instead of cleaning the virus and delivering the spam to user inboxes, Symantec Brightmail Gateway cleans the virus and holds the cleaned spam message in Spam Quarantine. Or, if your policies specify modification of the subject line of spam messages and cleaning of viruses, Symantec Brightmail Gateway cleans the virus from the message and modifies the subject line.

Other types of messages can be affected by more than one filtering policy. A message can meet the criteria for two different content filtering policies. Or, the same spam message could contain a virus and meet the criteria for several content filtering policies. Symantec Brightmail Gateway combines the various filtering policies to determine which actions should be taken on the message.

In order to implement multiple actions, Symantec Brightmail Gateway includes sophisticated processing logic that automatically resolves potential conflicts between actions. In general, there is no need to worry about how actions will combine between your filtering policies. However, because a particular message can match multiple filtering policies, the resulting actions may not match your expectations. This section explains the basics of how actions from different policies can combine.

What happens to a message depends on the particular combination of actions applied to that message by the one or more policies that affect the message. In other words, actions combine with each other (or not, in some cases) based solely on action types. The kind of policy that called for the action has no impact on processing. The order in which actions are listed in the Control Center has no impact on processing.

For example, you create a content filtering policy to take action on messages that contain two or more words from your Profanity custom dictionary in the subject, body, or attachments of the message. You only use this policy for your Sales group. The action that you specify for these messages is Delete message. Your default virus policy specifies the action Clean the message, and your default spam policy specifies the action Modify the subject line, placing [SPAM] before the subject line text. Your Sales group uses the default virus and spam policies. A spam message addressed to a member of your Sales group arrives containing three words from your Profanity dictionary and also containing a virus. What happens to that message?

Because one of the actions specified is Delete message, Symantec Brightmail Gateway deletes the message and does not apply the other actions. In most cases, the Delete message action prevents other actions from occurring. However, what if the content filtering policy did not apply because the message contained only one word from your Profanity dictionary? In that case, the message is cleaned and delivered to the user's inbox with [SPAM] prepended to the subject line.

Many types of actions from different policies can be combined for the same message.

See Limits on combining actions.