SMSMSE has the ability to send notification emails when an email or attachment is Quarantined.
Here is an example:
Location of the message: Administrator/Deleted Items
Sender of the message: [email protected]
Subject of the message: test
The message was Quarantined
This was done due to the following Symantec Mail Security settings:
Scan: Auto-Protect
Rule: Example Rule
Server Name: exchange2k3.exchange2003.internal
The notification email does not indicate which term caused the email Quarantined. If there are many items on the rule match list for the rule it may not be obvious.
SMSMSE 6.5.5 and later has added a new variable that outputs which match term caused the email or attachment to be Quarantined like this:
Violating term(s):
<term that matched>
This allows for easier identification of why an email was Quarantined. As an example if the notification text for the rule is this:
%location%%n%Sender of the message: %sender%%n%Subject of the message: %subject%%n%%n%The message was %action%%n%%n%This was done due to the following Symantec Mail Security settings:%n% Scan: %scan%%n% Rule: %rule% %n% Violating term(s): %violatingterm%
The notification text in the email is this:
Location of the message: Administrator/Deleted Items
Sender of the message: [email protected]
Subject of the message: test
The message was Quarantined
This was done due to the following Symantec Mail Security settings:
Scan: Auto-Protect
Rule: Example Rule
Violating term(s):
test
Server Name: exchange2k3.exchange2003.internal
Steps
New installations of SMSMSE 6.5.5 and higher contain the violating term by default.
Note: If you perform an in place upgrade and choose to save previous setting existing content filtering notification settings do not contain the %violatingterm% variable.
To modify or view the existing notification settings.
1. Open the SMSMSE Administration Console.
2. Select Policies.
3. Select Content Filtering Rules.
4. Right click the rule you would like to modify/view and select Edit Rule....
5. Select the Notifications tab.
6. Expand the notifications settings for the notification you would like to modify/view (administrators, internal senders or external senders) by clicking the up arrow next to the appropriate entry.
7. View or change the settings as desired.
Reference
SMSMSE also reports the term that triggered a content filtering rule in the Application Event log. Here is an example:
Event ID: 291
Source: Symantec Mail Security for Microsoft Exchange
Category: Content Enforcement Rules
Details: The message "<message subject>" located in Administrator/Sent Items has violated the following policy settings:
Scan: <scan type>
Rule: <rule name>
Violating term(s):
test
The following actions were taken on it:
The body of message "<message subject>" was <action> for the following reason(s):
A Filtering Rule was violated.