Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
2109
Views
0
Helpful
4
Replies

ESA contents filter

Go to solution
Filip.Olsen
Level 1
Level 1

‎06-27-2019 06:37 AM

Some mails hits a content filter with 7 conditions -  in log i can only see the contens filter is hit , but not which conditions  - anyway to figure it out ?

Thanks

 

C190 & C170 in cluster version 10.0.3-004

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Paul Thomas Cyblue
Level 1
Level 1
In response to Filip.Olsen

‎07-03-2019 03:16 AM

Simple response - the URL Reputation

Better response - split your Content Filter conditions into separate Content Filters.
I may keep multiple Subject conditions together (but numerous would be done via a dictionary) due to relation to a specific topic / requirement.
But wouldn't mix and match different types of conditions that potentially depend on different features. As you have found, you'll have to looked at matched content or view the actual email to try and manually figure out which condition caused this.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Ken Stieers
VIP
VIP

‎06-27-2019 06:58 AM

You need to add your own log entries. It's an action you can add to your filter. I typically add the $Matchedcontent action variable with some description.
0 Helpful

Go to solution
Filip.Olsen
Level 1
Level 1
In response to Ken Stieers

‎06-28-2019 12:49 AM

Hi Ken

 

Thanks for quick response.

 

I tried that , but only getting this in my log :

 

Thu Jun 27 15:08:09 2019 Info: MID 5626913 interim AV verdict using Sophos CLEAN
Thu Jun 27 15:08:09 2019 Info: MID 5626913 antivirus negative 
Thu Jun 27 15:08:09 2019 Info: MID 5626913 Custom Log Entry: bit.ly, bit.ly, bit.ly, bit.ly, bit.ly, bit.ly
Thu Jun 27 15:08:09 2019 Info: MID 5626913 Outbreak Filters: verdict negative
Thu Jun 27 15:08:09 2019 Info: MID 5626912 interim AV verdict using Sophos CLEAN
Thu Jun 27 15:08:09 2019 Info: MID 5626912 antivirus negative 
Thu Jun 27 15:08:09 2019 Info: MID 5626912 Custom Log Entry: bit.ly, bit.ly, bit.ly, bit.ly, bit.ly, bit.ly
Thu Jun 27 15:08:09 2019 Info: MID 5626912 Outbreak Filters: verdict negative
Thu Jun 27 15:08:09 2019 Info: MID 5626913 quarantined to "Policy" (content filter:Indholds-filter)
Thu Jun 27 15:08:09 2019 Info: Message finished MID 5626913 done
Thu Jun 27 15:08:09 2019 Info: MID 5626912 quarantined to "Policy" (content filter:Indholds-filter)
Thu Jun 27 15:08:09 2019 Info: Message done DCID 5793400 MID 5626907 to RID [0] 
Thu Jun 27 15:08:09 2019 Info: MID 5626907 RID [0] Response 'Message accepted for delivery'
Thu Jun 27 15:08:09 2019 Info: Message finished MID 5626907 done
Thu Jun 27 15:08:09 2019 Info: Delivery start DCID 5793400 MID 5626909 to RID [0]
Thu Jun 27 15:08:09 2019 Info: Message finished MID 5626912 done



 

Contentfilter attached.

 

 

content.png
Preview file
20 KB
0 Helpful

Go to solution
Paul Thomas Cyblue
Level 1
Level 1
In response to Filip.Olsen

‎07-03-2019 03:16 AM

Simple response - the URL Reputation

Better response - split your Content Filter conditions into separate Content Filters.
I may keep multiple Subject conditions together (but numerous would be done via a dictionary) due to relation to a specific topic / requirement.
But wouldn't mix and match different types of conditions that potentially depend on different features. As you have found, you'll have to looked at matched content or view the actual email to try and manually figure out which condition caused this.
0 Helpful

Go to solution
Filip.Olsen
Level 1
Level 1
In response to Paul Thomas Cyblue

‎07-11-2019 11:40 PM

Thanks - im pretty sure that it is the url reputatation of the link inside the email - but im not able to see the score anywhere.

I will split it up as suggested :-)
0 Helpful
Top