How can I see Reputation Filtering and Invalid Recipients log

may-ye
Level 1

In Overview > Incoming Mail Summary, I can see "Stopped by Reputation Filtering" and "Stopped as Invalid Recipients" have a lot of counts. Are messages blocked for these two reasons logged on IronPort? Which log file in Log Subscription has these two types of logs, or how can I view them?

 

Accepted Solutions

UdupiKrishna
Cisco Employee

If the default log subscription name isn't modified or deleted, mail_logs is your one-stop shop to gather more information.

You can use something like grep "Rejected by" mail_logs to get more information on all emails that were rejected due to invalid recipients.

Of course, this output would provide the MID, which can then be used to get the sender and recipient addresses.

Now for SBRS, filter the sender group name which has blocked/reject mail flow policy actions set.

For example, with the default configuration, BLACKLIST is the sender group which covers negative/low SBRS scores and which has a BLOCKED mail flow policy tagged to it. So running grep "SG BLACKLIST" mail_logs will provide the ICID, which can be used to confirm the actual IP addresses being blocked.

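The correlation described in the accepted answer (rejection line to MID or ICID, then back to sender, recipient and connecting IP), as an added example that is not part of the original posts and not Cisco tooling. It is meant for an exported copy of mail_logs; the line layout, the sample lines, and the names `esa_rejections` and `sample_log` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not Cisco tooling. The line layout below is an assumption built
# around the grep strings quoted in the answer; compare it with your own mail_logs.

# Constructed sample lines (documentation address ranges, made-up IDs).
sample_log() {
cat <<'EOF'
Tue Mar  5 10:00:01 2024 Info: New SMTP ICID 101 interface Data1 (192.0.2.10) address 203.0.113.7 reverse dns host unknown verified no
Tue Mar  5 10:00:01 2024 Info: ICID 101 REJECT SG BLOCKLIST match sbrs[-10.0:-3.0] SBRS -6.2
Tue Mar  5 10:01:10 2024 Info: New SMTP ICID 102 interface Data1 (192.0.2.10) address 198.51.100.23 reverse dns host mail.example.net verified yes
Tue Mar  5 10:01:10 2024 Info: ICID 102 ACCEPT SG UNKNOWNLIST match sbrs[-1.0:10.0] SBRS 2.1
Tue Mar  5 10:01:11 2024 Info: Start MID 5001 ICID 102
Tue Mar  5 10:01:11 2024 Info: MID 5001 ICID 102 From: <alice@example.net>
Tue Mar  5 10:01:11 2024 Info: MID 5001 ICID 102 To: <nobody@example.com> Rejected by LDAPACCEPT
Tue Mar  5 10:02:00 2024 Info: ICID 77 REJECT SG BLACKLIST match sbrs[-10.0:-3.0] SBRS -4.0
EOF
}

# esa_rejections FILE [GROUP_REGEX]
# FILE is an exported mail_logs copy ("-" for stdin). GROUP_REGEX names the sender
# groups whose mail flow policy blocks; it defaults to both default group names.
esa_rejections() {
    awk -v groups="${2:-BLACKLIST|BLOCKLIST}" '
    # Return the token that follows KEY, so field positions need not be fixed.
    function after(key,   i) {
        for (i = 1; i < NF; i++) if ($i == key) return $(i + 1)
        return ""
    }
    # "?" marks a connection whose opening line is not in this file (log rollover).
    function peer(icid) { return (icid in ip) ? ip[icid] : "?" }

    / New SMTP ICID / { ip[after("ICID")] = after("address"); next }
    / From: /         { sender[after("MID")] = after("From:"); next }

    # Reputation filtering: connection matched a blocking sender group.
    / SG / && after("SG") ~ ("^(" groups ")$") {
        icid = after("ICID")
        printf "sbrs icid=%s ip=%s group=%s score=%s\n", icid, peer(icid), after("SG"), after("SBRS")
        next
    }
    # Invalid recipient: the To: line carries the rejection, the From: line the sender.
    / Rejected by / {
        mid = after("MID"); icid = after("ICID")
        printf "rcpt mid=%s icid=%s ip=%s from=%s to=%s by=%s\n", mid, icid, peer(icid), sender[mid], after("To:"), after("by")
    }' "${1:--}"
}

sample_log | esa_rejections -
```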

5 Replies

FYI: the sender group might not be "BLACKLIST". As of 14.0 it has been renamed "BLOCKLIST".

If you want to use the message tracking interface to search for these, you need to make sure Rejected Connection Handling is on.
In the GUI, go to Security Services/Message Tracking, and check that Rejected Connection Handling is enabled.
Then you can use Mail Logs or Message Tracking to search for them.

I remember that the default state is disabled, so if it is not enabled, Message Tracking cannot be queried through MID?

If I remember correctly, if it's disabled, rejected connections will be in the logs, but won't be available in Message Tracking.