Showing results for 
Search instead for 
Did you mean: 
Cisco Secure Email Support Community

Product Support Talos Support Cisco Support Reference + Current Release
Gateway Reputation Lookup Open a support case Secure Email Guided Setup
Gateway: 14.0.0-698
Cloud Gateway Email Status Portal Support & Downloads
Email and Web Manager: 14.0.0-404
Email and Web Manager Web & Email Reputation Worldwide Contacts Product Naming Quick Reference
Reporting Plug-in:
Encryption Bug Search
Encryption Plug-in:
Cloud Mailbox Notification Service
Outlook Add-in(s): More info


How can I determine which word triggered a dictionary list in attachment?

We have IronPort C160 and an outgoing message was blocked due to our language filters.  The logs indicate that an attached word document matches

dictionary-match("sexual_content_txt", 1).

Since the dictionary match is not in the actual body of the e-mail, the triggered phrase is not highlighted in our policy view in the web gui.  I can download the attachment and after reading it, I find no issues with it at all (its a legitimate policy from a VP to an Auditor).  I am going to release the email as was requested.  However I am just curious as to what in carnation is triggering the dictionary match.  Is there any way to find this out?  Sometimes there are some nonsense words that we do find from time to time and we remove them from the dictionaries.

Ken Stieers


Typically I see that when the attachment is too big.

Check the mail logs for the email in question and see if its choking there…


Donald Nash


I wrote a Perl script to solve this problem. It loads the patterns from an exported content dictionary, then reads stdin and attempts to match each line against the patterns, and prints the matches it finds. AsyncOS uses Python's "re" module under the hood, so Perl's regex interpreter isn't the best match, but it gets the job done. This script would be better written in Python, but I don't know Python.

There are a few caveats to using a script like this. First, IronPort doesn't document exactly what regex patterns underly their Smart Identifiers, so you won't be able to interpret these. Second, the "match whole words" and "case senstive" settings are not exported with a dictionary. If you want to respect them then you'll need to use something like command line options on your script to signal them. For me, it was sufficient to ignore the "match whole words" setting and to make all matches case insenstive.



The GUI does show the offending phrase found by a content rule if the rule places the offending message in a quarantine, though I get the impression that Asyncos simply acts once the rule threshold is reached and does not test the remainder of the dictionary.

If memory serves, the filter will get the message first before any content rule so any test would also need to impose a temporary condition on the filter.

Content for Community-Ad