If Symantec DLP catches an email twice, is an additional incident created?

Article ID: 159907

Products

Data Loss Prevention Network Monitor
Data Loss Prevention Network Prevent for Email
Data Loss Prevention Enforce

Issue/Introduction

Symantec DLP email anti-duplication feature: cached email msg-ids

Environment

Supported versions of DLP

Resolution

When Symantec DLP receives an SMTP message, it extracts the message ID and the recipients from both the SMTP envelope (which may contain BCC recipients hidden from the end user) and the email headers (To and CC).

If the message ID has been processed before, the recipient list of the current email is compared with that of the previous email. If the current email contains new recipients, it is processed. If there are no new recipients, the email is discarded.

If the SMTP message contains one or more recipients Network Monitor has not seen, Symantec DLP will inspect the message again.

Two advanced settings control this duplicate handling (System -> Overview -> Advanced tab of the detection server):

L7.DiscardDuplicateMessages

The default value for Network Monitor is "true" to avoid duplicate incidents. If the value is set to false, a separate incident is created for each copy of the message. This matters when the same message is replayed for testing purposes. However, the default value for Network Prevent for Email is "false" to avoid duplicate incidents.

L7.messageIDCacheCleanupInterval

This is the interval in ms between when an SMTP message ID is first seen and when it is removed from the cache, after which a duplicate message can again create an incident. So, if two copies of the same message are sent more than 60 seconds apart, they may create duplicate incidents regardless of the first setting.
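To make the recipient comparison and the cache expiry described above concrete, here is an added model of the check (constructed for this article; it is not Symantec's code). It assumes the recipient set is the union of envelope recipients and the To/Cc headers, that `discard_duplicates` stands in for L7.DiscardDuplicateMessages, and that `cleanup_ms` stands in for L7.messageIDCacheCleanupInterval; the sample message is constructed.

```python
import email
from email.utils import getaddresses


class DuplicateMessageFilter:
    """Illustrative model of the DLP anti-duplication check (not Symantec's code)."""

    def __init__(self, discard_duplicates=True, cleanup_ms=60_000):
        self.discard_duplicates = discard_duplicates   # models L7.DiscardDuplicateMessages
        self.cleanup_ms = cleanup_ms                   # models L7.messageIDCacheCleanupInterval
        self.cache = {}  # Message-ID -> (first_seen_ms, set of recipients already inspected)

    @staticmethod
    def extract(envelope_rcpts, raw_message):
        """Return (message id, recipients) using both envelope and To/Cc headers."""
        msg = email.message_from_string(raw_message)
        header_rcpts = {addr.lower() for _, addr in
                        getaddresses(msg.get_all("To", []) + msg.get_all("Cc", [])) if addr}
        envelope = {r.lower() for r in envelope_rcpts}     # may include hidden BCC recipients
        return msg.get("Message-ID"), envelope | header_rcpts

    def should_inspect(self, envelope_rcpts, raw_message, now_ms):
        """True if the message should be inspected (may create an incident), False if discarded."""
        msg_id, rcpts = self.extract(envelope_rcpts, raw_message)
        # Expire cache entries older than the cleanup interval.
        for stale in [m for m, (t, _) in self.cache.items() if now_ms - t > self.cleanup_ms]:
            del self.cache[stale]
        if not self.discard_duplicates or msg_id is None:
            return True                                      # every copy is inspected
        if msg_id not in self.cache:
            self.cache[msg_id] = (now_ms, set(rcpts))
            return True
        _, seen = self.cache[msg_id]
        new_rcpts = rcpts - seen
        if new_rcpts:                                        # unseen recipient, e.g. a BCC
            seen.update(new_rcpts)
            return True
        return False                                         # same recipients: duplicate


# Constructed sample message for demonstration.
SAMPLE = """Message-ID: <constructed-001@example.test>
From: alice@example.test
To: bob@example.test
Cc: carol@example.test
Subject: quarterly numbers

body
"""
```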

Additional Information

As per the 16.0 Help Center page for "Advanced Settings", this setting may need additional consideration because of its impact on a Network Prevent for Email detection server.

In addition, the "Incident Reconciliation" setting is more relevant to how Email Prevent handles SMTP messages.

The Help Center topic includes this note:

If Network Prevent for Email is not blocking messages correctly in a Gmail or Microsoft 365 environment, even though incidents are properly generated, set L7.discardDuplicateMessages to false. Also enable incident reconciliation. Enabling incident reconciliation.