cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1155
Views
0
Helpful
1
Replies

Multiple Mail Headers with the Same Name: X-Agari-Policy-Matched

Duane Gullett
Level 1
Level 1

Duplicate header name;

 

X-Agari-Policy-Matched: Compromised_Senders

X-Agari-Policy-Matched: Untrusted Messages

X-Agari-Trust-Score: 1.0

 

I have a content filter that writes the header to the log;

 

Condition: No condition

Action: log-entry("Custom: X-Agari-Policy-Matched: $Header['X-Agari-Policy-Matched']")

 

Only one instance of the header is written to the log, the first one found: "Compromised_Senders" 

 

Content Filter Conditions do check multiple headers and trigger an action successfully but I want to see in tracking the values of all headers with that name. Similar thing occurs with header delete, if multiple, only one is deleted so you have to delete the same header multiple times in the event it may exists more than one time.

 

Any ideas or options?

 

Thank you.

1 Reply 1

Mathew Huynh
Cisco Employee
Cisco Employee
Hey Duane,

There is a possible way on the ESA using the GUI -> Log Subscription -> Edit Global Settings -> Headers to Log.
Now this part though, will not allow the customization of "Add Log Entry" by allowing extra text, but it logs the specified headers against the MID in a log line.

For example (don't mind my header text values :) )
I sent an email with multiple headers:
EHLO test.com
mail from:<matt@lee.com>
rcpt to:<mathewemailaccount@cisco.com>
data
X-Advert: that ship has sailed
X-Advert: sailed into the sea
X-Advert: under the sea
X-TestHeader: Test 1
X-TestHeader: test 2
From: Mathew
To: Mathew
Subject: Test

this is a test.
.


On the ESA mail_logs:
Tue Oct 22 15:29:11 2019 Info: Message done DCID 31567 MID 398776 to RID [0] [('x-advert', 'that ship has sailed'), ('x-advert', 'sailed into the sea'), ('x-advert', 'under the sea'), ('x-testheader', 'Test 1'), ('x-testheader', 'test 2')]


This is the only means I can think of to get this requirement.

Regards,
Mathew
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: