09-09-2016 03:17 AM
Hi,
We have an incoming content filter that is used to quarantine suspicious mails, based on Attachment name, sender, and body content dictionaries, as well as a couple of other items.
These have grown over time, particularly with the recent macro malware runs, and we've now the situation where valid mails are being captured and the default logs are not showing us why.
If it's a straightforward phrase in the body, or a sender, then it's displayed in the quarantine and I can remove the offending item; if it's in the attachment then nothing.
How do I find out the particular dictionary/filter entry that is causing the capture if it's not shown on the Quarantine GUI? It's not in CLI message logs either, which just details the name of the filter or dictionary, not the individual entry.
Any help appreciated, as we're currently capturing boarding passes for JSON content for absolutely no reason I can see - much to the disgust of users, although it's saving printer toner.
Thanks
Ed
09-09-2016 06:17 AM
Hi Ed,
The best way to accomplish this would be to add a filter action to add a log entry.
Add log entry: $MatchedContent
The usage of the action variable is: Returns the content that triggered a scanning filter rule (including filter rules such as body-contains and content dictionaries).
This would work for body and attachment content matches, however sender recipient matches would need to be manually reviewed.
Thanks
Libin
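Once the filter has a log-entry action in it, the next question is how to mine the resulting lines so the noisiest dictionary term stands out. The script below is an added example, not code from Libin's reply or from Cisco. It assumes the content filter's log-entry action was written as `FILTER=$FilterName MATCH=$MatchedContent` (both are documented AsyncOS action variables, but the exact string is this example's own choice) and that AsyncOS writes such entries to mail_logs as `MID <n> Custom Log Entry: <text>`; the sample log lines are constructed for the demonstration. It tallies matched content per filter, and keeps a placeholder count for lines where `$MatchedContent` was empty (the sender/recipient matches Libin says still need manual review), so those messages are not lost from the picture.

```python
import re
from collections import Counter, defaultdict

# Constructed sample mail_logs lines (not taken from the thread).
# They assume the filter's action was:
#   log-entry("FILTER=$FilterName MATCH=$MatchedContent")
# so the filter name and the triggering text land on one line.
SAMPLE_MAIL_LOGS = """\
Tue Sep 13 04:30:01 2016 Info: MID 100001 matched all recipients for per-recipient policy DEFAULT in the inbound table
Tue Sep 13 04:30:01 2016 Info: MID 100001 Custom Log Entry: FILTER=Quarantine_Suspicious MATCH=json
Tue Sep 13 04:30:01 2016 Info: MID 100001 quarantined to "Policy" (content filter:Quarantine_Suspicious)
Tue Sep 13 04:31:12 2016 Info: MID 100002 Custom Log Entry: FILTER=Quarantine_Suspicious MATCH=invoice.docm
Tue Sep 13 04:32:40 2016 Info: MID 100003 Custom Log Entry: FILTER=Quarantine_Suspicious MATCH=json
Tue Sep 13 04:33:05 2016 Info: MID 100004 Custom Log Entry: FILTER=Block_Sender MATCH=
Tue Sep 13 04:34:59 2016 Info: MID 100005 Custom Log Entry: FILTER=Quarantine_Suspicious MATCH=json
"""

# Assumed line shape: "<timestamp> Info: MID <n> Custom Log Entry: FILTER=<name> MATCH=<text>"
ENTRY_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) Info: MID (?P<mid>\d+) "
    r"Custom Log Entry: FILTER=(?P<filter>\S+) MATCH=(?P<match>.*)$"
)

NO_CONTENT = "<no content match>"  # sender/recipient conditions leave $MatchedContent empty


def parse_custom_entries(log_text):
    """Yield (mid, filter_name, matched_content) for every Custom Log Entry line."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            yield int(m.group("mid")), m.group("filter"), m.group("match").strip()


def term_hits(log_text):
    """Return {filter_name: Counter({matched_content: hits})}.

    An empty match is recorded under NO_CONTENT so that messages caught by
    sender/recipient conditions still show up in the tally for manual review.
    """
    hits = defaultdict(Counter)
    for _mid, filt, match in parse_custom_entries(log_text):
        hits[filt][match or NO_CONTENT] += 1
    return hits


def noisiest_terms(log_text, top=3):
    """Flatten the tally to [(filter, term, hits)], most frequent first."""
    rows = [(f, t, n) for f, c in term_hits(log_text).items() for t, n in c.items()]
    rows.sort(key=lambda r: (-r[2], r[0], r[1]))
    return rows[:top]


if __name__ == "__main__":
    # Run against a real export: python3 this.py < mail_logs (after swapping the sample for sys.stdin.read())
    for filt, term, n in noisiest_terms(SAMPLE_MAIL_LOGS):
        print(f"{n:4d}  {filt}  {term!r}")
```

On the constructed sample the top row is the `json` term with three hits under `Quarantine_Suspicious`, which is exactly the kind of entry you would then go and remove from the attachment dictionary. For a real run, replace `SAMPLE_MAIL_LOGS` with the contents of a mail_logs export; lines that do not carry the `Custom Log Entry` text are ignored.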
09-12-2016 04:03 AM
Thank You Libin,
I'll look into this and let you know how it goes.
Regards,
Ed
09-13-2016 04:35 AM
Hi Again,
Thanks for that, it's not perfect as you said, but a lot better visibility than I had.
Regards,
Ed