Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2002
Views
0
Helpful
5
Replies

message filter BCC all mail to test device missing half the mail

SanityCheck
Level 1
Level 1

‎12-13-2017 05:49 AM - edited ‎03-08-2019 07:29 PM

I've set up a message filter to bcc all mail to a secondary device for testing. I want to get all mail (including spam, viruses, spoofs, *everything*) preserved to test different approaches.

 

The message filter is set as follows:

if (true) {

bcc ("$EnvelopeRecipients", "$Subject", "$EnvelopeFrom", "[IP of test appliance]");
          }

 

This seems to be incorrect as the test appliance is only getting somewhere between a third to a little under half the emails the primary device is reporting for incoming mail. Is this the appropriate approach? What am I doing wrong?

 

 

Edit: Would the BCC copy generated by the message filter show up on the overview incoming mail graph? Is the number of incoming mail being inflated by these duplicates (hence a dramatic increase in "clean" messages but no apparent increase in spam)?

Labels:
0 Helpful
5 Replies 5

marc.luescherFRE
Spotlight
Spotlight

‎12-13-2017 06:05 AM

Is this filter set as the first one on the CLI level of your ESA ?

0 Helpful

SanityCheck
Level 1
Level 1
In response to marc.luescherFRE

‎12-13-2017 06:10 AM

Yes

0 Helpful

Libin Varghese
Cisco Employee
Cisco Employee

‎12-13-2017 07:08 AM

The filter appears to be correct and should match all emails since there are no specific conditions.

 

What are the emails you do not see processed by this filter?

 

Only emails missing this should be emails rejected at the connection level such as sending servers with poor reputation, invalid recipients rejected by LDAP, etc. 

 

Regards 

Libin Varghese 

0 Helpful

SanityCheck
Level 1
Level 1
In response to Libin Varghese

‎12-13-2017 08:42 AM

I don't have any particular messages which are not being sent through, just looking at the raw numbers recorded. The live ironport's overview graph of incoming mail shows more than double the number of incoming mail show by the test appliance.

Could it be that the BCC duplicates created by the message filter are counted separately for the incoming mail graph and overview summary?
0 Helpful

Libin Varghese
Cisco Employee
Cisco Employee
In response to SanityCheck

‎12-13-2017 03:41 PM - edited ‎12-13-2017 03:43 PM

Since the bcc emails are generated by the ESA they should not be counted as incoming mail on the reports. 

 

However, emails with 3 recipients are counted as 3 emails in the report from what I recall.

 

Regards

Libin Varghese 

0 Helpful
Customers Also Viewed These Support Documents