Multiple incidents for a single Email message ID

Article ID: 228150

Products

Data Loss Prevention Discover Suite

Issue/Introduction

In this scenario, you find multiple incidents for a single email message ID in a load-balanced environment:

Possible use case: I sent an email to my @gmail.com, @hotmail.com and @uoit.net addresses. This email only triggered one policy, but 3 incidents were generated in the console, and as the sender I received 3 email block notifications. It seems like the number of incidents depends on the number of different recipient domains.

Environment

Release : 15.8

Component : Email Prevent

Cause

After investigating the incident, you will likely see that the incidents were reported by 3 different detection servers. Each detection server applies an ignore rule that suppresses a repeat of the same message ID arriving within a given timeframe. However, if the email passes through multiple detection servers, those servers do not communicate with each other and have no way of knowing that the message has already been seen.

 

Assuming the upstream mail server is Exchange, for 3 different detection servers to receive the same message it must have been sent 3 times from Exchange and load-balanced across 3 DLP servers. DLP behaves like a proxy waiting for an upstream connection: it does not actively pursue connections upstream, and it only initiates a downstream connection once a connection has been made from the load balancer. So in this case, seeing the incident 3 times across 3 detection servers can only mean the message was sent (at least) 3 times. The DLP detection servers do not communicate with each other, so each connection is considered unique, and none of the detection servers has any way of knowing that two other detectors received the same email, or portions of it.
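The behaviour described above, modelled in Python as an added example (not part of this article or of the DLP product): each detection server applies its own ignore rule for a repeated Message-ID, so the same message load-balanced to three servers yields three incidents while three deliveries to one server yield one, and `duplicates_across_servers` is the check to run over an exported incident list to confirm this cause. The server names, the Message-ID and the 300-second window are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

DEDUPE_WINDOW_SECONDS = 300  # assumed per-server ignore timeframe, not from the article


@dataclass
class Incident:
    message_id: str
    detection_server: str
    recipient_domain: str
    timestamp: int  # seconds since an arbitrary epoch


def simulate_detection(deliveries, window=DEDUPE_WINDOW_SECONDS):
    """Model each detection server's independent ignore rule.

    A repeat of the same Message-ID on the *same* server inside the window is
    ignored. Servers share no state, so the same Message-ID arriving at a
    different server is never ignored and produces another incident.
    """
    first_seen = {}  # (server, message_id) -> timestamp of the first incident
    incidents = []
    for server, message_id, domain, ts in deliveries:
        key = (server, message_id)
        if key in first_seen and ts - first_seen[key] <= window:
            continue  # suppressed by this server's ignore rule
        first_seen[key] = ts
        incidents.append(Incident(message_id, server, domain, ts))
    return incidents


def duplicates_across_servers(incidents):
    """Return {message_id: [servers]} for Message-IDs reported by more than one
    detection server: the signature of one message being sent upstream several
    times and load-balanced onto different detectors."""
    servers = defaultdict(set)
    for inc in incidents:
        servers[inc.message_id].add(inc.detection_server)
    return {mid: sorted(s) for mid, s in servers.items() if len(s) > 1}


# Constructed deliveries: (detection server, Message-ID, recipient domain, time).
# One message, sent once per recipient domain, spread across three detectors.
SPREAD = [
    ("detect-01", "<abc123@corp.example>", "gmail.com", 0),
    ("detect-02", "<abc123@corp.example>", "hotmail.com", 1),
    ("detect-03", "<abc123@corp.example>", "uoit.net", 2),
]
# The same three deliveries when the load balancer pins them to a single server.
PINNED = [("detect-01",) + d[1:] for d in SPREAD]
```

Running `simulate_detection(SPREAD)` gives three incidents and `simulate_detection(PINNED)` gives one; `duplicates_across_servers` flags the Message-ID only in the spread case.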
 

Resolution

This issue is caused by the upstream mail server sending the email (or email parts) multiple times, with the copies being load-balanced across different detection servers before arriving at DLP.