cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
146
Views
0
Helpful
1
Replies
Beginner

Multiple Mail Headers with the Same Name: X-Agari-Policy-Matched

Duplicate header name;

 

X-Agari-Policy-Matched: Compromised_Senders

X-Agari-Policy-Matched: Untrusted Messages

X-Agari-Trust-Score: 1.0

 

I have a content filter that writes the header to the log;

 

Condition: No condition

Action: log-entry("Custom: X-Agari-Policy-Matched: $Header['X-Agari-Policy-Matched']")

 

Only one instance of the header is written to the log, the first one found: "Compromised_Senders" 

 

Content Filter Conditions do check multiple headers and trigger an action successfully but I want to see in tracking the values of all headers with that name. Similar thing occurs with header delete, if multiple, only one is deleted so you have to delete the same header multiple times in the event it may exists more than one time.

 

Any ideas or options?

 

Thank you.

1 REPLY 1
Cisco Employee

Re: Multiple Mail Headers with the Same Name: X-Agari-Policy-Matched

Hey Duane,

There is a possible way on the ESA using the GUI -> Log Subscription -> Edit Global Settings -> Headers to Log.
Now this part though, will not allow the customization of "Add Log Entry" by allowing extra text, but it logs the specified headers against the MID in a log line.

For example (don't mind my header text values :) )
I sent an email with multiple headers:
EHLO test.com
mail from:<matt@lee.com>
rcpt to:<mathewemailaccount@cisco.com>
data
X-Advert: that ship has sailed
X-Advert: sailed into the sea
X-Advert: under the sea
X-TestHeader: Test 1
X-TestHeader: test 2
From: Mathew
To: Mathew
Subject: Test

this is a test.
.


On the ESA mail_logs:
Tue Oct 22 15:29:11 2019 Info: Message done DCID 31567 MID 398776 to RID [0] [('x-advert', 'that ship has sailed'), ('x-advert', 'sailed into the sea'), ('x-advert', 'under the sea'), ('x-testheader', 'Test 1'), ('x-testheader', 'test 2')]


This is the only means I can think of to get this requirement.

Regards,
Mathew