Solved: ESA contents filter

Filip.Olsen · ‎06-27-2019

Some mails hits a content filter with 7 conditions - in log i can only see the contens filter is hit , but not which conditions - anyway to figure it out ?

Thanks

C190 & C170 in cluster version 10.0.3-004

Paul Thomas Cyblue · ‎07-03-2019

Simple response - the URL Reputation

Better response - split your Content Filter conditions into separate Content Filters.
I may keep multiple Subject conditions together (but numerous would be done via a dictionary) due to relation to a specific topic / requirement.
But wouldn't mix and match different types of conditions that potentially depend on different features. As you have found, you'll have to looked at matched content or view the actual email to try and manually figure out which condition caused this.

View solution in original post

Ken Stieers · ‎06-27-2019

You need to add your own log entries. It's an action you can add to your filter. I typically add the $Matchedcontent action variable with some description.

Filip.Olsen · ‎06-28-2019

Hi Ken

Thanks for quick response.

I tried that , but only getting this in my log :

Thu Jun 27 15:08:09 2019 Info: MID 5626913 interim AV verdict using Sophos CLEAN
Thu Jun 27 15:08:09 2019 Info: MID 5626913 antivirus negative 
Thu Jun 27 15:08:09 2019 Info: MID 5626913 Custom Log Entry: bit.ly, bit.ly, bit.ly, bit.ly, bit.ly, bit.ly
Thu Jun 27 15:08:09 2019 Info: MID 5626913 Outbreak Filters: verdict negative
Thu Jun 27 15:08:09 2019 Info: MID 5626912 interim AV verdict using Sophos CLEAN
Thu Jun 27 15:08:09 2019 Info: MID 5626912 antivirus negative 
Thu Jun 27 15:08:09 2019 Info: MID 5626912 Custom Log Entry: bit.ly, bit.ly, bit.ly, bit.ly, bit.ly, bit.ly
Thu Jun 27 15:08:09 2019 Info: MID 5626912 Outbreak Filters: verdict negative
Thu Jun 27 15:08:09 2019 Info: MID 5626913 quarantined to "Policy" (content filter:Indholds-filter)
Thu Jun 27 15:08:09 2019 Info: Message finished MID 5626913 done
Thu Jun 27 15:08:09 2019 Info: MID 5626912 quarantined to "Policy" (content filter:Indholds-filter)
Thu Jun 27 15:08:09 2019 Info: Message done DCID 5793400 MID 5626907 to RID [0] 
Thu Jun 27 15:08:09 2019 Info: MID 5626907 RID [0] Response 'Message accepted for delivery'
Thu Jun 27 15:08:09 2019 Info: Message finished MID 5626907 done
Thu Jun 27 15:08:09 2019 Info: Delivery start DCID 5793400 MID 5626909 to RID [0]
Thu Jun 27 15:08:09 2019 Info: Message finished MID 5626912 done

Contentfilter attached.

Paul Thomas Cyblue · ‎07-03-2019

Simple response - the URL Reputation

Better response - split your Content Filter conditions into separate Content Filters.
I may keep multiple Subject conditions together (but numerous would be done via a dictionary) due to relation to a specific topic / requirement.
But wouldn't mix and match different types of conditions that potentially depend on different features. As you have found, you'll have to looked at matched content or view the actual email to try and manually figure out which condition caused this.

Filip.Olsen · ‎07-11-2019

Thanks - im pretty sure that it is the url reputatation of the link inside the email - but im not able to see the score anywhere.

I will split it up as suggested :-)