Content Filter rule is not triggering as expected

Article ID: 416275

Products

Messaging Gateway

Issue/Introduction

A Content Filtering rule does not trigger as expected on specific messages. The Message Audit Logs (MAL) indicate the rule is listed under Untested Verdicts, and the message flow direction (Inbound or Outbound) appears to be misclassified.

Cause

Symantec Messaging Gateway (SMG) determines mail flow direction primarily from the SMTP configuration of the scanner host, not from the sender or recipient domains. If a message arrives from an IP address that is not listed in the Outbound Mail Acceptance list, SMG classifies the transaction as Inbound. Conversely, if the sending IP is on that list, the transaction is treated as Outbound.

When a Content Filtering policy is configured for one direction (e.g., Inbound) but the message is classified as the opposite (e.g., Outbound), the policy will not be tested against that message.

Resolution

To resolve this issue, ensure the mail flow direction in the SMG configuration matches your actual environment routing:

  1. Verify Message Classification: Check the Message Audit Log for the specific transaction to confirm whether SMG sees it as Inbound or Outbound.
  2. Check SMTP Acceptance Lists: Navigate to Administration > Configuration > Edit Host > SMTP tab.
    • Review the Outbound tab. Ensure the IP addresses of internal mail servers or proxies that relay outbound mail are correctly listed under Outbound Mail Acceptance.
    • If an internal IP is incorrectly listed here, incoming mail from that source may be wrongly classified as Outbound.
  3. Align Policy Direction: Ensure the Content Filtering policy is applied to the correct direction. If the message must be processed as both Inbound and Outbound, the policy must be enabled for both directions.
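
The following Python sketch is an added example, not Symantec code or part of the original article. It models the rule described under Cause so that an acceptance list can be sanity-checked against the intended role of each relay and the affected policies identified. The function names, policy names, and sample addresses are hypothetical, and the model assumes list entries are single IPs or CIDR ranges (hostname or domain entries are not modelled).

```python
import ipaddress

def classify(sending_ip, outbound_acceptance):
    """Outbound only if the connecting IP matches an Outbound Mail Acceptance entry."""
    ip = ipaddress.ip_address(sending_ip)
    for entry in outbound_acceptance:
        # strict=False lets a bare address such as 192.0.2.25 act as a /32 entry
        if ip in ipaddress.ip_network(entry, strict=False):
            return "Outbound"
    return "Inbound"

def untested_policies(sending_ip, outbound_acceptance, policies):
    """Return the classified direction and the policies that will not be tested."""
    direction = classify(sending_ip, outbound_acceptance)
    skipped = [name for name, dirs in policies.items() if direction not in dirs]
    return direction, skipped

def audit(hosts, outbound_acceptance):
    """List hosts whose intended direction differs from the modelled classification."""
    findings = []
    for ip, intended in hosts.items():
        actual = classify(ip, outbound_acceptance)
        if actual != intended:
            findings.append((ip, intended, actual))
    return findings

# Constructed sample data (assumptions, not taken from a real SMG host)
OUTBOUND_ACCEPTANCE = ["10.0.5.0/24", "192.0.2.25"]
POLICIES = {
    "Block-Executables-In": {"Inbound"},
    "DLP-Out": {"Outbound"},
    "Keyword-Both": {"Inbound", "Outbound"},
}
HOSTS = {
    "10.0.5.10": "Outbound",   # internal mail server relaying outbound mail
    "10.0.5.77": "Inbound",    # internal proxy forwarding Internet mail, inside a listed range
    "10.0.9.4": "Outbound",    # internal relay missing from the list
    "203.0.113.8": "Inbound",  # external sender
}

if __name__ == "__main__":
    for ip, intended, actual in audit(HOSTS, OUTBOUND_ACCEPTANCE):
        direction, skipped = untested_policies(ip, OUTBOUND_ACCEPTANCE, POLICIES)
        print(f"{ip}: intended {intended}, classified {actual}; untested: {skipped}")
```
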