The following tables describe the actions Deep Discovery Email Inspector performs for the selected actions in a matched policy rule in each operating mode.

Actions and operation modes: Content filtering rules

Each action is listed with its behavior in each operation mode (MTA Mode, SPAN/TAP Mode, BCC Mode).

Delete message
  MTA Mode:
    • Deletes the email message from the mail queue
    • Does not apply subsequent policy rules in the same policy on the email message
    • Does not deliver the email message
  SPAN/TAP Mode:
    • Deletes the email message from the mail queue
  BCC Mode:
    • Deletes the email message from the mail queue

Change recipient
  MTA Mode:
    • Delivers the email message to one or more recipients that you specify
    • Does not apply subsequent policy rules in the same policy on the email message
  SPAN/TAP Mode:
    • Deletes the email message from the mail queue
  BCC Mode:
    • Deletes the email message from the mail queue

Block and quarantine
  MTA Mode:
    • Stores a copy in the quarantine area
    • Does not apply subsequent rules in the same policy on the email message until you resume the scanning process on the Detections > Quarantine screen
    • You can release a quarantined message using the web console
  SPAN/TAP Mode:
    • Deletes the email message from the mail queue
  BCC Mode:
    • Deletes the email message from the mail queue

Strip all attachments
  MTA Mode:
    • Replaces suspicious attachments with a text file
    • If configured, tags the email message subject and inserts the X-header before delivery
    • Applies subsequent rules in the same policy on the email message
    Note: Attachments and extracted URLs from attachments in detected email messages are not sent to Virtual Analyzer for analysis. Only extracted URLs from the message body and subject are sent to Virtual Analyzer for analysis.
  SPAN/TAP Mode:
    • Applies subsequent rules in the same policy on the email message
  BCC Mode:
    • Applies subsequent rules in the same policy on the email message

Pass and tag
  MTA Mode:
    • Applies subsequent rules in the same policy on the email message
    • If configured, tags the email message subject and inserts the X-header before delivery
  SPAN/TAP Mode:
    • Applies subsequent rules in the same policy on the email message
  BCC Mode:
    • Applies subsequent rules in the same policy on the email message

Deliver directly
  MTA Mode:
    • Does not apply subsequent policy rules in the same policy on the email message
    • Delivers the email message to the recipient (using the default SMTP server) or to the specified SMTP server
  SPAN/TAP Mode:
    • Deletes the email message from the mail queue
  BCC Mode:
    • Deletes the email message from the mail queue

Encrypt message
  MTA Mode:
    • Encrypts messages after applying all other non-terminal actions
    • Applies subsequent rules in the same policy on the email message
  SPAN/TAP Mode:
    • Not applicable
  BCC Mode:
    • Not applicable

Sanitize file
  MTA Mode:
    • Removes active content (such as macros) from Microsoft Office files
    • Applies subsequent rules in the same policy on the email message
    • If configured, tags the email message subject and inserts the X-header before delivery
  SPAN/TAP Mode:
    • Applies subsequent rules in the same policy on the email message
  BCC Mode:
    • Applies subsequent rules in the same policy on the email message

BCC
  MTA Mode:
    • Sends a blind carbon copy (BCC) of the email message to the specified recipient
  SPAN/TAP Mode:
    • Not applicable
  BCC Mode:
    • Not applicable

Send notification
  MTA Mode:
    • Sends a notification to all message recipients and contact email addresses specified in the notification template
  SPAN/TAP Mode:
    • Sends a notification to all message recipients and contact email addresses specified in the notification template
  BCC Mode:
    • Not applicable

Insert stamp
  MTA Mode:
    • If configured, inserts the selected stamp into the body of detected email messages
  SPAN/TAP Mode:
    • Not applicable
  BCC Mode:
    • Not applicable

Actions and operation modes: Data loss prevention (DLP) rules

Each action is listed with its behavior in each operation mode (MTA Mode, SPAN/TAP Mode, BCC Mode).

Delete message
  MTA Mode:
    • Deletes the email message from the mail queue
    • Does not apply subsequent policy rules in the same policy on the email message
    • Does not deliver the email message
  SPAN/TAP Mode:
    • Deletes the email message from the mail queue
  BCC Mode:
    • Deletes the email message from the mail queue

Change recipient
  MTA Mode:
    • Delivers the email message to one or more recipients that you specify
    • Does not apply subsequent policy rules in the same policy on the email message
  SPAN/TAP Mode:
    • Deletes the email message from the mail queue
  BCC Mode:
    • Deletes the email message from the mail queue

Block and quarantine
  MTA Mode:
    • Stores a copy in the quarantine area
    • Does not apply subsequent rules in the same policy on the email message until you resume the scanning process on the Detections > Quarantine screen
    • You can release a quarantined message using the web console
  SPAN/TAP Mode:
    • Deletes the email message from the mail queue
  BCC Mode:
    • Deletes the email message from the mail queue

Strip all attachments
  MTA Mode:
    • Replaces suspicious attachments with a text file
    • Applies subsequent rules in the same policy on the email message
    • If configured, tags the email message subject and inserts the X-header before delivery
    Note: Attachments and extracted URLs from attachments in detected email messages are not sent to Virtual Analyzer for analysis. Only extracted URLs from the message body and subject are sent to Virtual Analyzer for analysis.
  SPAN/TAP Mode:
    • Applies subsequent rules in the same policy on the email message
  BCC Mode:
    • Applies subsequent rules in the same policy on the email message

Pass and tag
  MTA Mode:
    • Applies subsequent rules in the same policy on the email message
    • If configured, tags the email message subject and inserts the X-header before delivery
  SPAN/TAP Mode:
    • Applies subsequent rules in the same policy on the email message
  BCC Mode:
    • Applies subsequent rules in the same policy on the email message

Deliver directly
  MTA Mode:
    • Does not apply subsequent policy rules in the same policy on the email message
    • Delivers the email message to the recipient (using the default SMTP server) or to the specified SMTP server
  SPAN/TAP Mode:
    • Deletes the email message from the mail queue
  BCC Mode:
    • Deletes the email message from the mail queue

Encrypt message
  MTA Mode:
    • Encrypts messages after applying all other non-terminal actions
    • Applies subsequent rules in the same policy on the email message
  SPAN/TAP Mode:
    • Not applicable
  BCC Mode:
    • Not applicable

BCC
  MTA Mode:
    • Sends a blind carbon copy (BCC) of the email message to the specified recipient
  SPAN/TAP Mode:
    • Not applicable
  BCC Mode:
    • Not applicable

Send notification
  MTA Mode:
    • Sends a notification to all message recipients and contact email addresses specified in the notification template
  SPAN/TAP Mode:
    • Sends a notification to all message recipients and contact email addresses specified in the notification template
  BCC Mode:
    • Not applicable

Insert stamp
  MTA Mode:
    • If configured, inserts the selected stamp into the body of detected email messages
  SPAN/TAP Mode:
    • Not applicable
  BCC Mode:
    • Not applicable

Actions and operation modes: Antispam rules

Each action is listed with its behavior in each operation mode (MTA Mode, SPAN/TAP Mode, BCC Mode).

Delete message
  MTA Mode:
    • Deletes the email message from the mail queue
    • Does not apply subsequent policy rules in the same policy on the email message
    • Does not deliver the email message
  SPAN/TAP Mode:
    • Deletes the email message from the mail queue
  BCC Mode:
    • Deletes the email message from the mail queue

Change recipient
  MTA Mode:
    • Delivers the email message to one or more recipients that you specify
    • Does not apply subsequent policy rules in the same policy on the email message
  SPAN/TAP Mode:
    • Deletes the email message from the mail queue
  BCC Mode:
    • Deletes the email message from the mail queue

Block and quarantine
  MTA Mode:
    • Stores a copy in the quarantine area
    • Does not apply subsequent rules in the same policy on the email message until you resume the scanning process on the Detections > Quarantine screen
    • You can release a quarantined message using the web console
  SPAN/TAP Mode:
    • Deletes the email message from the mail queue
  BCC Mode:
    • Deletes the email message from the mail queue

Pass and tag
  MTA Mode:
    • Applies subsequent rules in the same policy on the email message
    • If configured, tags the email message subject and inserts the X-header before delivery
  SPAN/TAP Mode:
    • Applies subsequent rules in the same policy on the email message
  BCC Mode:
    • Applies subsequent rules in the same policy on the email message

Deliver directly
  MTA Mode:
    • Does not apply subsequent policy rules in the same policy on the email message
    • Delivers the email message to the recipient (using the default SMTP server) or to the specified SMTP server
  SPAN/TAP Mode:
    • Deletes the email message from the mail queue
  BCC Mode:
    • Deletes the email message from the mail queue

BCC
  MTA Mode:
    • Sends a blind carbon copy (BCC) of the email message to the specified recipient
  SPAN/TAP Mode:
    • Not applicable
  BCC Mode:
    • Not applicable

Send notification
  MTA Mode:
    • Sends a notification to all message recipients and contact email addresses specified in the notification template
  SPAN/TAP Mode:
    • Sends a notification to all message recipients and contact email addresses specified in the notification template
  BCC Mode:
    • Not applicable

Insert stamp
  MTA Mode:
    • If configured, inserts the selected stamp into the body of detected email messages
  SPAN/TAP Mode:
    • Not applicable
  BCC Mode:
    • Not applicable

Actions and operation modes: Threat protection rules

Each action is listed with its behavior in each operation mode (MTA Mode, SPAN/TAP Mode, BCC Mode).

Delete message
  MTA Mode:
    • Deletes the email message from the mail queue
    • Does not deliver the email message
  SPAN/TAP Mode:
    • Deletes the email message from the mail queue
  BCC Mode:
    • Deletes the email message from the mail queue

Change recipient
  MTA Mode:
    • Delivers the email message to one or more recipients that you specify
    • Does not apply subsequent policy rules in the same policy on the email message
  SPAN/TAP Mode:
    • Deletes the email message from the mail queue
  BCC Mode:
    • Deletes the email message from the mail queue

Block and quarantine
  MTA Mode:
    • Stores a copy in the quarantine area
    • Does not deliver the email message
  SPAN/TAP Mode:
    • Stores a copy in the quarantine area
  BCC Mode:
    • Stores a copy in the quarantine area

Strip attachments, redirect links to blocking page, and tag
  MTA Mode:
    • Replaces suspicious attachments with a text file
    • Redirects suspicious links to a blocking page
    • If configured, tags the email message subject and inserts the X-header before delivery
  SPAN/TAP Mode:
    • Deletes the email message from the mail queue
  BCC Mode:
    • Deletes the email message from the mail queue

Strip attachments, redirect links to warning page, and tag
  MTA Mode:
    • Replaces suspicious attachments with a text file
    • Redirects suspicious links to a warning page
    • If configured, tags the email message subject and inserts the X-header before delivery
    • Delivers the email message to the recipient
  SPAN/TAP Mode:
    • Deletes the email message from the mail queue
  BCC Mode:
    • Deletes the email message from the mail queue

Pass and tag
  MTA Mode:
    • If configured, tags the email message subject and inserts the X-header before delivery
  SPAN/TAP Mode:
    • Deletes the email message from the mail queue
  BCC Mode:
    • Deletes the email message from the mail queue

Deliver directly
  MTA Mode:
    • Does not apply subsequent policy rules in the same policy on the email message
    • Delivers the email message to the recipient using the specified SMTP server
  SPAN/TAP Mode:
    • Deletes the email message from the mail queue
  BCC Mode:
    • Deletes the email message from the mail queue

Quarantine the original message when attachments cannot be stripped
  MTA Mode:
    • If no strip attachment action is specified or no attachment exists, sends the message to the quarantine area
  SPAN/TAP Mode:
    • Not applicable
  BCC Mode:
    • Not applicable

Quarantine a copy of the original message when stripping attachments or redirecting links
  MTA Mode:
    • If a strip attachment action or a redirect link is specified, stores a copy in the quarantine area
  SPAN/TAP Mode:
    • Not applicable
  BCC Mode:
    • Not applicable

Attempt to clean before stripping attachments
  MTA Mode:
    • If a strip attachment action is specified, performs the clean attachment action
    • If the clean attachment action is not successful or no strip attachment action is selected, deletes the attachment
  SPAN/TAP Mode:
    • Not applicable
  BCC Mode:
    • Not applicable

Send notification
  MTA Mode:
    • Sends a notification to all message recipients and contact email addresses specified in the notification template
  SPAN/TAP Mode:
    • Sends a notification to all message recipients and contact email addresses specified in the notification template
  BCC Mode:
    • Not applicable

BCC
  MTA Mode:
    • Sends a blind carbon copy (BCC) of the email message to the specified recipient
  SPAN/TAP Mode:
    • Not applicable
  BCC Mode:
    • Not applicable

Insert stamp
  MTA Mode:
    • If configured, inserts the selected stamp into the body of detected email messages
  SPAN/TAP Mode:
    • Not applicable
  BCC Mode:
    • Not applicable

Note
  • In policies, the terminal actions are Delete message, Change recipient, Block and quarantine, and Deliver directly. For policies with multiple rules, Deep Discovery Email Inspector applies only one terminal action on detected messages. After applying a terminal action on a message for a matched rule, Deep Discovery Email Inspector does not match the message against subsequent rules in the policy.
    For example, if a policy contains one content filtering rule, one antispam protection rule, and one threat protection rule, and Deep Discovery Email Inspector applies the Delete message action on a message based on the content filtering rule matched, Deep Discovery Email Inspector does not apply the antispam and threat protection rules on the message.
  • For policies with multiple rules, Deep Discovery Email Inspector applies all non-terminal actions on messages for matched rules before delivery or until a terminal action is applied.
    As an example, you configure a policy containing one or more content filtering rules, one or more data loss prevention (DLP) rules, one or more antispam rules, and one threat protection rule. If Deep Discovery Email Inspector applies the Strip all attachments action on a message based on the content filtering rule or DLP rule that is first matched, Deep Discovery Email Inspector will continue to scan the messages until a terminal action or all subsequent rules are applied (except Virtual Analyzer submission for attachments).
    If Deep Discovery Email Inspector does not apply a strip attachment action on a message based on one or more preceding rules matched, Deep Discovery Email Inspector will continue to scan the messages until a terminal action or all subsequent rules are applied (including Virtual Analyzer submission for attachments).
  • When applying multiple actions on a message, Deep Discovery Email Inspector applies the Encrypt message action as the last non-terminal action.
  • Deep Discovery Email Inspector performs the BCC action after applying all other terminal or non-terminal actions.
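
The ordering rules in the notes above can be checked against a planned policy with a small model. The following Python sketch is an added example, not Trend Micro code: the function evaluate_policy and the (rule kind, actions) tuples are hypothetical, and it assumes that Encrypt message is ordered before a terminal action and that attachment submission to Virtual Analyzer happens when a threat protection rule is reached.

```python
# Added illustration only: a simplified model of the notes above, not product code.
# evaluate_policy and the (rule kind, actions) tuples are hypothetical names.
TERMINAL = {"Delete message", "Change recipient",
            "Block and quarantine", "Deliver directly"}

def evaluate_policy(matched_rules):
    """matched_rules: ordered (rule kind, [selected actions]) pairs the message matches.
    Returns (actions in applied order, rule kinds skipped, attachments sent to Virtual Analyzer)."""
    applied, skipped = [], []
    terminal, encrypt, bcc = None, False, False
    stripped = va_attachments = False
    for kind, actions in matched_rules:
        if terminal:                      # after a terminal action, later rules are not matched
            skipped.append(kind)
            continue
        if kind == "threat protection":   # assumption: submission happens when this rule runs
            va_attachments = not stripped
        for action in actions:
            if action in TERMINAL:
                terminal = terminal or action      # only one terminal action is applied
            elif action == "Encrypt message":
                encrypt = True                     # deferred: last non-terminal action
            elif action == "BCC":
                bcc = True                         # deferred: after all other actions
            elif action not in applied:
                applied.append(action)
                stripped = stripped or action == "Strip all attachments"
    # Assumption: Encrypt is ordered before the terminal action (for example, before delivery).
    order = list(applied)
    if encrypt:
        order.append("Encrypt message")
    if terminal:
        order.append(terminal)
    if bcc:
        order.append("BCC")
    return order, skipped, va_attachments

# Constructed sample policies mirroring the examples in the notes.
DELETE_FIRST = [("content filtering", ["Delete message"]),
                ("antispam", ["Pass and tag"]),
                ("threat protection", ["Pass and tag"])]
STRIP_FIRST = [("content filtering", ["Strip all attachments", "Encrypt message", "BCC"]),
               ("antispam", ["Pass and tag"]),
               ("threat protection", ["Block and quarantine"])]
NO_STRIP = [("content filtering", ["Pass and tag"]),
            ("threat protection", ["Block and quarantine"])]

if __name__ == "__main__":
    for policy in (DELETE_FIRST, STRIP_FIRST, NO_STRIP):
        print(evaluate_policy(policy))
```

In the STRIP_FIRST policy the earlier Strip all attachments action keeps attachments out of Virtual Analyzer even though the threat protection rule still runs, which is the case to review when ordering content filtering or DLP rules ahead of threat protection.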