Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1834
Views
0
Helpful
5
Replies

How can I see Reputation Filtering and Invalid Recipients log

Go to solution
may-ye
Beginner
Beginner

‎04-13-2022 05:51 AM

In Overview > Incoming Mail Summary, I can see "Stopped by Reputation Filtering" and "Stopped as Invalid Recipients" have a lot of counts, Are messages blocked for these two reasons logged on IronPort?Which log file in Log Subscription has these two types of logs, or how can I view them?

 

Labels:
Preview file
351 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
UdupiKrishna
Cisco Employee
Cisco Employee

‎04-13-2022 06:16 AM

If the default log subscription name isn't modified or deleted, mail_logs is you one stop shop to gather more information.

You can use something like grep "Rejected by" mail_logs to get more information on all emails that were rejected due to invalid recipients.

Ofcourse this output would provide MID which can then used to get the sender, recipient address.

 

Now for SBRS, filter the sender group name which has blocked/reject mail flow policy actions set. 

For e.g. with the default configuration, BLACKLIST is the sender group which covers negative/low SBRS score which has a BLOCKED mail flow policy tagged to it. So running grep "SG BLACKLIST" mail_logs will provide ICID which can used to confirm the actual IP addresses being blocked.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
UdupiKrishna
Cisco Employee
Cisco Employee

‎04-13-2022 06:16 AM

If the default log subscription name isn't modified or deleted, mail_logs is you one stop shop to gather more information.

You can use something like grep "Rejected by" mail_logs to get more information on all emails that were rejected due to invalid recipients.

Ofcourse this output would provide MID which can then used to get the sender, recipient address.

 

Now for SBRS, filter the sender group name which has blocked/reject mail flow policy actions set. 

For e.g. with the default configuration, BLACKLIST is the sender group which covers negative/low SBRS score which has a BLOCKED mail flow policy tagged to it. So running grep "SG BLACKLIST" mail_logs will provide ICID which can used to confirm the actual IP addresses being blocked.

0 Helpful

Go to solution
Ken Stieers
VIP
VIP
In response to UdupiKrishna

‎04-13-2022 06:31 AM

FYI.. sendergroup might not be "BLACKLIST". As of 14.0 it has been renamed "BLOCKLIST"
0 Helpful

Go to solution
Ken Stieers
VIP
VIP

‎04-13-2022 06:35 AM

If you want to use the message tracking interface to search for these, you need to make sure Rejected Connection Handling is on
In the GUI, go to Security Services/Message Tracking, and check that Rejected Connection Handling is enabled
Then you can use Mail Logs, or Message Tracking to search for them.

0 Helpful

Go to solution
may-ye
Beginner
Beginner
In response to Ken Stieers

‎04-13-2022 06:38 AM

I remember that the default state is disable, so if it is not enabled, message Tracking cannot be queried through MID?

0 Helpful

Go to solution
Ken Stieers
VIP
VIP
In response to may-ye

‎04-13-2022 07:04 AM

If I remember correctly, If its disabled, rejected connections will be in the logs, but won't be available in Message Tracking.
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents