In Overview > Incoming Mail Summary, I can see "Stopped by Reputation Filtering" and "Stopped as Invalid Recipients" have a lot of counts. Are messages blocked for these two reasons logged on IronPort? Which log file in Log Subscription has these two types of logs, or how can I view them?
If the default log subscription name isn't modified or deleted, mail_logs is your one-stop shop to gather more information.
You can use something like grep "Rejected by" mail_logs to get more information on all emails that were rejected due to invalid recipients.
Of course, this output would provide the MID, which can then be used to get the sender and recipient addresses.
Now for SBRS, filter on the sender group name which has blocked/reject mail flow policy actions set.
For example, with the default configuration, BLACKLIST is the sender group which covers negative/low SBRS scores and has a BLOCKED mail flow policy tagged to it. So running grep "SG BLACKLIST" mail_logs will provide the ICID, which can be used to confirm the actual IP addresses being blocked.
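The ICID-to-IP correlation described in the answer above, as an added example that is not part of the original reply or Cisco's own tooling: it joins each "SG BLACKLIST" hit to the connection line that opened the same ICID and counts rejections per source IP. The sample lines are constructed, their layout is an assumption modelled on typical mail_logs connection entries, and `blocked_sources` is a hypothetical helper name.

```python
import re
from collections import Counter

# Constructed sample lines (assumed layout, not copied from a real appliance).
SAMPLE_LOG = """\
Tue Mar  4 10:01:02 2025 Info: New SMTP ICID 101 interface Data1 (192.0.2.10) address 203.0.113.5 reverse dns host unknown verified no
Tue Mar  4 10:01:02 2025 Info: ICID 101 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -7.1
Tue Mar  4 10:01:02 2025 Info: ICID 101 close
Tue Mar  4 10:02:15 2025 Info: New SMTP ICID 102 interface Data1 (192.0.2.10) address 198.51.100.7 reverse dns host mail.example.net verified yes
Tue Mar  4 10:02:15 2025 Info: ICID 102 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 2.3
Tue Mar  4 10:03:40 2025 Info: New SMTP ICID 103 interface Data1 (192.0.2.10) address 203.0.113.5 reverse dns host unknown verified no
Tue Mar  4 10:03:40 2025 Info: ICID 103 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -7.1
Tue Mar  4 10:04:01 2025 Info: ICID 104 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -4.0
""".splitlines()

# "New SMTP ICID <n> ... address <ip>" opens a connection and carries the remote IP.
NEW_CONN = re.compile(r"New SMTP ICID (\d+) .*? address (\S+)")
ICID = re.compile(r"\bICID (\d+)\b")


def blocked_sources(lines, marker="SG BLACKLIST"):
    """Count lines containing `marker` per remote IP, joined on ICID."""
    icid_to_ip = {}
    hits = Counter()
    for line in lines:
        opened = NEW_CONN.search(line)
        if opened:
            icid_to_ip[opened.group(1)] = opened.group(2)
            continue
        if marker in line:
            found = ICID.search(line)
            if found:
                # The opening line may sit in an older, rotated log file.
                hits[icid_to_ip.get(found.group(1), "unresolved")] += 1
    return hits


if __name__ == "__main__":
    for ip, count in blocked_sources(SAMPLE_LOG).most_common():
        print(f"{count:4d}  {ip}")
```

An "unresolved" count means the connection was opened before the start of the file being read, so the previous rotated log has to be included to recover the IP.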
I remember that the default state is disabled, so if it is not enabled, Message Tracking cannot be queried through MID?