Cisco Secure Email Support Community
may-ye
Beginner

How can I see Reputation Filtering and Invalid Recipients log

In Overview > Incoming Mail Summary, I can see "Stopped by Reputation Filtering" and "Stopped as Invalid Recipients" have a lot of counts. Are messages blocked for these two reasons logged on IronPort? Which log file in Log Subscription has these two types of logs, or how can I view them?

 

Accepted Solutions
UdupiKrishna
Cisco Employee

If the default log subscription name isn't modified or deleted, mail_logs is your one-stop shop to gather more information.

You can use something like grep "Rejected by" mail_logs to get more information on all emails that were rejected due to invalid recipients.

Of course, this output would provide the MID, which can then be used to get the sender and recipient addresses.

Now for SBRS, filter on the sender group name which has blocked/reject mail flow policy actions set.

For example, with the default configuration, BLACKLIST is the sender group which covers negative/low SBRS scores and which has a BLOCKED mail flow policy tagged to it. So running grep "SG BLACKLIST" mail_logs will provide the ICID, which can be used to confirm the actual IP addresses being blocked.
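
The correlation described in this answer (MID to sender/recipient, ICID to remote IP), as an added example that is not part of the original thread and is not Cisco tooling. It is meant to run over a copy of mail_logs retrieved from the appliance. Assumptions: the sample lines are constructed and the field layout the patterns expect is modelled on typical mail_logs text output, so adjust the regular expressions to what your own logs show; both BLACKLIST and BLOCKLIST are checked because the sender group name differs between releases.

```python
import re

# Constructed sample lines modelled on mail_logs text output; field layout is an assumption.
SAMPLE = """\
Tue Mar  1 10:00:01 2022 Info: New SMTP ICID 1001 interface Data1 (192.0.2.10) address 203.0.113.5 reverse dns host unknown verified no
Tue Mar  1 10:00:01 2022 Info: ICID 1001 REJECT SG BLOCKLIST match sbrs[-10.0:-3.0] SBRS -7.5
Tue Mar  1 10:00:02 2022 Info: New SMTP ICID 1002 interface Data1 (192.0.2.10) address 198.51.100.7 reverse dns host mail.example.net verified yes
Tue Mar  1 10:00:02 2022 Info: ICID 1002 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 2.1
Tue Mar  1 10:00:03 2022 Info: Start MID 5001 ICID 1002
Tue Mar  1 10:00:03 2022 Info: MID 5001 ICID 1002 From: <sender@example.net>
Tue Mar  1 10:00:03 2022 Info: MID 5001 ICID 1002 To: <nobody@example.com> Rejected by LDAPACCEPT
Tue Mar  1 10:00:05 2022 Info: ICID 1003 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -9.0
""".splitlines()

NEW_CONN = re.compile(r"New SMTP ICID (\d+) .*? address (\S+)")
SG_MATCH = re.compile(r"ICID (\d+) (\w+) SG (\S+)(?:.*\bSBRS (\S+))?")
MAIL_FROM = re.compile(r"MID (\d+) ICID \d+ From: <([^>]*)>")
RCPT_REJ = re.compile(r"MID (\d+) ICID (\d+) (?:RID \d+ )?To: <([^>]*)> Rejected by (\S+)")


def correlate(lines, block_groups=("BLACKLIST", "BLOCKLIST")):
    """Return (reputation_rejects, invalid_recipient_rejects) with ICID/MID resolved."""
    ip_by_icid, sender_by_mid = {}, {}
    reputation, invalid = [], []
    for line in lines:
        if m := NEW_CONN.search(line):
            ip_by_icid[m[1]] = m[2]  # the connection line carries the remote IP
        elif (m := SG_MATCH.search(line)) and m[3] in block_groups:
            # .get() yields None when the connection line is not in this file (e.g. log rollover)
            reputation.append({"icid": m[1], "ip": ip_by_icid.get(m[1]),
                               "action": m[2], "group": m[3], "sbrs": m[4]})
        elif m := MAIL_FROM.search(line):
            sender_by_mid[m[1]] = m[2]
        elif m := RCPT_REJ.search(line):
            invalid.append({"mid": m[1], "icid": m[2], "ip": ip_by_icid.get(m[2]),
                            "sender": sender_by_mid.get(m[1]),
                            "recipient": m[3], "rejected_by": m[4]})
    return reputation, invalid


if __name__ == "__main__":
    rep, inv = correlate(SAMPLE)
    for r in rep:
        print("reputation:", r)
    for r in inv:
        print("invalid rcpt:", r)
```
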

FYI: the sender group might not be "BLACKLIST". As of 14.0 it has been renamed "BLOCKLIST".
Ken Stieers
VIP Advocate

If you want to use the Message Tracking interface to search for these, you need to make sure Rejected Connection Handling is on.
In the GUI, go to Security Services/Message Tracking, and check that Rejected Connection Handling is enabled.
Then you can use Mail Logs or Message Tracking to search for them.

I remember that the default state is disabled, so if it is not enabled, Message Tracking cannot be queried through MID?

If I remember correctly, if it's disabled, rejected connections will be in the logs, but won't be available in Message Tracking.