ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

NPE analyzing duplicate emails

book

Article ID: 226381

calendar_today

Updated On:

Products

Data Loss Prevention Enterprise Suite Data Loss Prevention Data Loss Prevention Network Email

Issue/Introduction

DLP Network Prevent for Email Server is analyzing the duplicate emails from Messaging Backbone even NPE advance setting L7.discardDuplicateMessagesis is set to FALSE to avoid duplicate incidents.

Environment

Release: 15.x

Component: DLP Network Prevent for Email

Resolution

Enable incident reconciliation on the Enforce Server computer on Windows

  1. On the computer that hosts the Enforce Server, log on as Admin.
  2. Change directory to C:\Program Files\Symantec\DataLossPrevention\EnforceServer\15.7\Protect\config.
  3. Open the IncidentPersister.properties file.
  4. Change persister.enable.incident.reconciliation=false to equal true -> persister.enable.incident.reconciliation=true
  5. Restart the Symantec Data Loss Prevention services as appropriate for your version of Windows services on the server computer.

 

Additional Information

Incident reconciliation should be enabled if the upstream MTA splits emails, whether that is based on domain or internal vs external recipient or other criteria. Setting discardDuplicateMessages to FALSE (which is default for NPE) makes sure that when these split emails are received we do detection on all parts of them, where as incident reconciliation caches the incidents from SMTP and merges incidents from split emails. It is commomn in cloud based MTAs like O365 and Gmail, but some other MTAs seem to do this as well.