KB Article #102592

Email that should be blocked is going through EMF.

Email that should be blocked is going through MMS.

Summary:

This technote describes what to check in EMF when messages that should be blocked are being delivered.

Symptom:

You have one or more policies that drop, return to sender, or quarantine messages, but messages that should be blocked are being passed by EMF.

Resolution:

1) Identify the From and To addresses of a suspect message, and use the EMF Find User function to determine which user and/or domain records were in effect for that message. In EMF:

  • open EMF webadmin
  • select the Directory menu item
  • select Find User
  • enter email address
  • press Find

This will return the user or domain record that EMF used for the From or To address. Use Find User for the From address and for each To address. The policies applied to the message are the ones in effect (Enabled) on the user and/or domain records returned by Find User. Verify that the blocking policy in question is in effect on the records where you expect it to be.

2) Does the blocking policy make the proper checks? For example, if the policy checks against a wordlist, are the entire message and attachments being checked against the wordlist, or is just the subject of the message being checked?

3) Does the policy contain an exception recipient address list? If it does, and ANY ONE entry in the message's To, Cc, or Bcc fields matches an entry in the recipient exception list, the message is excepted FOR ALL recipients. This is not a bug, but the way EMF interprets exceptions. See the related article "Creating policy exceptions for users" for more information.

4) If you are checking sender addresses, does the message's From field contain an entry on the block list? Spammers often spoof the From address, and sender address block lists have to be updated regularly.

5) Check the related article "Content scanning overview - word and address lists" to ensure your blocking word and address lists are properly constructed.

6) Did the message come in through EMF, or did it take an alternate network path?
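
The exception rule in step 3 can be modeled to see which recipients receive a message without the policy only because another recipient is on the exception list. This is an added example, not EMF code; the function names, the sample addresses, and the exact, case-insensitive address matching are assumptions.

```python
"""Model of the recipient-exception rule in step 3 (illustrative, not EMF code)."""
from email.utils import getaddresses


def recipients(headers):
    """Return lower-cased addresses from the To, Cc and Bcc fields."""
    fields = [headers.get(name, "") for name in ("To", "Cc", "Bcc")]
    return [addr.lower() for _, addr in getaddresses(fields) if addr]


def exception_audit(headers, exception_list):
    """Report how a recipient exception list affects one message.

    Assumption: list entries are full addresses compared case-insensitively.
    """
    exceptions = {entry.lower() for entry in exception_list}
    rcpts = recipients(headers)
    matched = [r for r in rcpts if r in exceptions]
    # Step 3: one matching recipient excepts the message for every recipient.
    excepted = bool(matched)
    # Recipients who bypass the policy only because someone else matched.
    carried = [r for r in rcpts if r not in exceptions] if excepted else []
    return {"excepted": excepted, "matched": matched, "carried": carried}


# Constructed sample data (example.com addresses are placeholders).
EXCEPTIONS = ["postmaster@example.com"]
MESSAGE = {
    "To": "Alice <alice@example.com>, bob@example.com",
    "Cc": "Postmaster <Postmaster@example.com>",
}

if __name__ == "__main__":
    result = exception_audit(MESSAGE, EXCEPTIONS)
    print("policy skipped for whole message:", result["excepted"])
    print("matched exception entries:", result["matched"])
    print("delivered without the policy:", result["carried"])
```

A non-empty "carried" list means the blocking policy was skipped for recipients who are not on the exception list themselves.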


Additional Info:

These steps apply not only to blocking policies, but any time a policy disposition action is in question.