Understanding Action Precedence in Symantec Messaging Gateway (SMG): Local Bad Sender Domains vs. Content Filtering


Article ID: 379534


Products

Messaging Gateway

Issue/Introduction

When adding a domain to the "Local Bad Sender Domains" list with the "Delete message" action, Symantec Messaging Gateway (SMG) continues to process the message and perform additional actions like sending notifications and creating quarantine incidents.

The expectation was that the "Delete message" action would prevent further processing of the email.

Cause

Messaging Gateway processes messages that have been accepted by the system in two phases: the scan phase and the action phase. During the scan phase, all policies applicable to the policy group the message has been assigned to are processed, and a list of actions is accumulated for the message based on the policies that match it. During the action phase, the action list is processed to remove all duplicate and conflicting actions until a final action list for the message is complete, and then those actions are taken on the message.

While the "Delete message" action is configured in the "Local Bad Sender Domains" policy, SMG’s architecture allows additional filters, such as content filtering policies, to still process the message. This behavior is due to action precedence and how SMG handles verdict combinations from various filtering modules.

In this case, the Local Bad Sender Domain policy triggered the "Delete message" action, but content filtering policies simultaneously triggered actions such as "Create a quarantine incident" and "Send notification." These content filtering actions can override or delay the deletion of the message.

The Local Bad Sender Domains list allows SMG to take specific actions (like deleting the message) based on the sending domain after the connection has been established and the message accepted. However, it does not reject the connection outright or bypass other filtering modules. This distinction is key because only IP reputation filtering (e.g., Local Bad Sender IPs, Symantec Global Bad Sender) can reject a connection without further processing.

Messages flagged by Local Bad Sender Domains are accepted for scanning so that SMG can identify the domain. Even if "Delete message" is applied, additional verdicts from other filtering modules (such as content filtering) may still influence the message handling process.

When actions from different filtering modules apply to the same message, SMG combines them or allows one action to take precedence. For instance:

  • Delete message + Delay content results in the message being delayed before deletion.
  • Delete message + Event actions allows the delete action while still forwarding notifications or creating incidents.

Resolution

To prevent content filtering policies from taking additional actions on messages from bad domains, add the "Bypass all content filtering" action to the Local Bad Sender Domain policy. This ensures that messages from domains in the Local Bad Sender Domains list bypass content filtering and are deleted without triggering quarantine incidents or notifications.

Steps to resolve:

  1. In the SMG admin console, navigate to Protocols > Local Bad Sender Domains.
  2. Add the Bypass Content Filtering action alongside the "Delete message" action.
  3. Save the changes.
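
The following Python sketch is an added illustration, not SMG code or anything from the product documentation. It models the scan phase and action phase described under Cause and shows why adding the bypass action changes the final action list. The module labels, the sample domain bad.example, the sample content rule, and the choice to model the bypass as dropping content filtering actions during the action phase are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable

# Simplified model of the behaviour described in this article; not SMG code.
# Action names come from the article. Module labels, the sample domain and the
# sample content rule are constructed for illustration.
DELETE = "Delete message"
BYPASS_CF = "Bypass all content filtering"
INCIDENT = "Create a quarantine incident"
NOTIFY = "Send notification"

@dataclass(frozen=True)
class Policy:
    module: str                      # assumed label: which filter owns the policy
    matches: Callable[[dict], bool]
    actions: tuple

def scan_phase(message, policies):
    """Evaluate every applicable policy; accumulate (module, action) pairs."""
    return [(p.module, a) for p in policies if p.matches(message) for a in p.actions]

def action_phase(accumulated):
    """Reduce the accumulated list to the final action list for the message."""
    bypass = any(action == BYPASS_CF for _, action in accumulated)
    final = []
    for module, action in accumulated:
        if bypass and module == "content_filtering":
            continue                 # modelled effect of the bypass action
        if action not in final:      # remove duplicates
            final.append(action)
    return final

def from_bad_domain(msg):
    return msg["sender"].rsplit("@", 1)[-1].lower() == "bad.example"

def content_rule(msg):
    return "confidential" in msg["body"].lower()

MESSAGE = {"sender": "user@bad.example", "body": "Confidential report attached"}
CONTENT_POLICY = Policy("content_filtering", content_rule, (INCIDENT, NOTIFY))
BEFORE = [Policy("bad_sender_domains", from_bad_domain, (DELETE,)), CONTENT_POLICY]
AFTER = [Policy("bad_sender_domains", from_bad_domain, (DELETE, BYPASS_CF)), CONTENT_POLICY]

def final_actions(message, policies):
    return action_phase(scan_phase(message, policies))

if __name__ == "__main__":
    print("before:", final_actions(MESSAGE, BEFORE))
    print("after: ", final_actions(MESSAGE, AFTER))
```

With the BEFORE policy set, the incident and notification actions survive next to the delete; with the AFTER set, only the bad sender domain policy's own actions remain.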

Additional Notes:

  • Information on action precedence and combinations can be found in the Action Combinations from Multiple Verdicts section of the SMG Administrator's Guide.
  • Consider reviewing other relevant policies that might trigger additional actions on flagged messages.
