7811 Views, 0 Helpful, 2 Replies

View logs of incoming secure mail/mail and anything that is rejected?

anotthak8
Level 1

Is it possible to view logs of incoming secure mail/mail connections and anything that is rejected? In the image below, I am viewing the message details from a certain domain that is unable to send secure email to us. There appear to be 3 messages stopped by reputation filtering/threat. I am unable to find these three messages. Any help or insight will be helpful. Thank you!

1 Accepted Solution

Accepted Solutions

Robert Sherwin
Cisco Employee

Sender Reputation Filtering...

Sender reputation filtering is the first layer of spam protection, allowing you to control the messages that come through the email gateway based on senders’ trustworthiness as determined by the Cisco SenderBase™ Reputation Service.

The appliance can accept messages from known or highly reputable senders — such as customers and partners — and deliver them directly to the end user without any content scanning. Messages from unknown or less reputable senders can be subjected to content scanning, such as anti-spam and anti-virus scanning, and you can also throttle the number of messages you are willing to accept from each sender. Email senders with the worst reputation can have their connections rejected or their messages bounced based on your preferences.

...

If you are pulling that from the Monitor > Incoming Mail reports on the GUI --- for the Sender Domain, does it give you a hyperlink to see the details of that sender profile?  That should provide you further information as to Sender IP Address... 

...

Other information that may be of assistance...


Within Email Security Appliance's Reporting, there is a 'Stopped by Reputation Filtering' counter. This covers any HAT setting that limits mail acceptance - message size, too many concurrent connections, etc. Some are temporary rejections, while others may result in a hard bounce. So, it is easiest to search based on the Sender IP when trying to identify the cause.

How to identify the specific cause of 'Stopped by Reputation Filtering'

There are two main methods to search for these details: Message Tracking or by using 'grep' from the CLI.


Tracking method:


If 'Save tracking information for rejected connections' is enabled for Message Tracking, you can use the Advanced search options to search by IP Address. You can check the Tracking settings from the Security Services tab. Message Tracking itself is accessed from the Monitor tab.

If a Security Management Appliance is used for Centralized Reporting, this method also offers the advantage that all ESAs can be searched at once.


Grep method:


If 'Rejected Connection Handling' is not enabled or if no helpful results are found in Tracking, you can use the CLI command 'grep' to search the mail_logs. This method can be a bit slower, but is the most reliable. The 'grep' searches must be done on the specific ESA showing the 'Stopped by Reputation Filtering' matches. Start with searching for the IP address, for example:

grep 172.16.58.155 mail_logs

This will produce a list of all ICIDs (incoming connections) from this source IP. Here is an example:

Thu Apr 3 21:27:29 2014 Info: New SMTP ICID 13 interface Management (172.16.58.155) address 172.16.58.155 reverse dns host unknown verified no

Select ICIDs from around the time of the rejections to search against:

grep "ICID 13 " mail_logs

This will give all details related to that connection. You may see the rejection at this stage, if it occurred during the connection phase. This example was rejected due to the Incoming Mail key having expired:

c680r01.csw> grep "ICID 54" mail_logs

Tue Apr 22 23:05:43 2014 Info: New SMTP ICID 54 interface Management (172.16.58.155) address 172.16.58.155 reverse dns host unknown verified no
Tue Apr 22 23:05:43 2014 Info: ICID 54 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None
Tue Apr 22 23:05:43 2014 Info: ICID 54 from address 172.16.58.155 rejected due to evaluation license expiry
Tue Apr 22 23:05:43 2014 Info: ICID 54 close

However, if the rejection was at a later stage we will have to dig into specific messages. Here is an example with no rejections:

c680r01.csw> grep "ICID 13 " mail_logs

Thu Apr 3 21:27:29 2014 Info: New SMTP ICID 13 interface Management (172.16.58.155) address 172.16.58.155 reverse dns host unknown verified no
Thu Apr 3 21:27:29 2014 Info: ICID 13 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None
Thu Apr 3 21:27:29 2014 Info: MID 51 ICID 13 From: <>
Thu Apr 3 21:27:29 2014 Info: MID 51 ICID 13 RID 0 To: <user@domain.com>
Thu Apr 3 21:27:31 2014 Info: ICID 13 close

So we would search on the MID (message) using:

grep "MID 51 " mail_logs

If no errors are seen at either level, then the sample happened to be one of the accepted connections/emails. Choose another ICID from the initial search result and repeat the greps for ICID, then MID until the cause is found.

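The grep pivot Robert describes (sender IP -> ICIDs -> "ICID n " lines -> "MID n " lines) can also be replayed offline against a copy of mail_logs pulled off the appliance, which is handy when you have many ICIDs to check. The script below is an added example, not Cisco's code and not part of this thread. It assumes the "New SMTP ICID" line carries the remote IP in its 'address' field (the IP in parentheses is the listener interface), and it treats any line containing "reject" as a rejection event. The ICID 13 and ICID 54 lines in the sample reproduce the ones shown above; the ICID 17 / MID 62 and ICID 55 entries, and the MID 62 rejection wording, are constructed for this example.

```python
import re
import sys
from collections import defaultdict

# Constructed excerpt of an ESA mail_logs file. ICID 13 and ICID 54 reproduce the
# lines shown in the post above; ICID 17 / MID 62 and ICID 55 are constructed, and
# the MID 62 rejection text is illustrative rather than a real appliance message.
SAMPLE_MAIL_LOGS = """\
Thu Apr 3 21:27:29 2014 Info: New SMTP ICID 13 interface Management (172.16.58.155) address 172.16.58.155 reverse dns host unknown verified no
Thu Apr 3 21:27:29 2014 Info: ICID 13 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None
Thu Apr 3 21:27:29 2014 Info: MID 51 ICID 13 From: <>
Thu Apr 3 21:27:29 2014 Info: MID 51 ICID 13 RID 0 To: <user@domain.com>
Thu Apr 3 21:27:31 2014 Info: ICID 13 close
Thu Apr 3 21:30:02 2014 Info: New SMTP ICID 17 interface Management (172.16.58.155) address 172.16.58.155 reverse dns host unknown verified no
Thu Apr 3 21:30:02 2014 Info: ICID 17 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None
Thu Apr 3 21:30:02 2014 Info: MID 62 ICID 17 From: <sender@example.net>
Thu Apr 3 21:30:03 2014 Info: MID 62 rejected: message exceeds maximum size
Thu Apr 3 21:30:03 2014 Info: ICID 17 close
Tue Apr 22 23:05:43 2014 Info: New SMTP ICID 54 interface Management (172.16.58.155) address 172.16.58.155 reverse dns host unknown verified no
Tue Apr 22 23:05:43 2014 Info: ICID 54 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None
Tue Apr 22 23:05:43 2014 Info: ICID 54 from address 172.16.58.155 rejected due to evaluation license expiry
Tue Apr 22 23:05:43 2014 Info: ICID 54 close
Tue Apr 22 23:06:10 2014 Info: New SMTP ICID 55 interface Management (172.16.58.155) address 203.0.113.7 reverse dns host mx.example.org verified yes
Tue Apr 22 23:06:10 2014 Info: ICID 55 ACCEPT SG UNKNOWNLIST match sbrs[none] SBRS None
Tue Apr 22 23:06:11 2014 Info: ICID 55 close
"""

# "New SMTP ICID <n> ... address <remote ip> ..." opens each incoming connection.
# The IP in parentheses is the listener interface, so key on the 'address' field.
NEW_ICID_RE = re.compile(r"New SMTP ICID (\d+) .*? address (\S+) ")
ICID_RE = re.compile(r"\bICID (\d+)\b")
MID_RE = re.compile(r"\bMID (\d+)\b")
REJECT_RE = re.compile(r"reject", re.IGNORECASE)


def index_mail_logs(text):
    """One pass over mail_logs: ip -> [ICIDs], ICID -> lines, MID -> lines, MID -> ICID."""
    icids_by_ip = defaultdict(list)
    lines_by_icid = defaultdict(list)
    lines_by_mid = defaultdict(list)
    icid_by_mid = {}
    for line in text.splitlines():
        new = NEW_ICID_RE.search(line)
        if new:
            icids_by_ip[new.group(2)].append(int(new.group(1)))
        im = ICID_RE.search(line)
        mm = MID_RE.search(line)
        if im:
            lines_by_icid[int(im.group(1))].append(line)
        if mm:
            mid = int(mm.group(1))
            lines_by_mid[mid].append(line)
            if im:  # "MID n ICID m ..." lines tie a message to its connection
                icid_by_mid[mid] = int(im.group(1))
    return icids_by_ip, lines_by_icid, lines_by_mid, icid_by_mid


def icids_for_ip(text, ip):
    """Step 1 of the grep method: every incoming connection from this source IP."""
    return index_mail_logs(text)[0].get(ip, [])


def mids_for_icid(text, icid):
    """Step 2: the messages (MIDs) carried on one connection."""
    icid_by_mid = index_mail_logs(text)[3]
    return sorted(mid for mid, i in icid_by_mid.items() if i == icid)


def reason(line):
    """Strip the timestamp/severity prefix so only the event text remains."""
    return line.split("Info: ", 1)[1] if "Info: " in line else line


def rejections_for_ip(text, ip):
    """Replay the pivot IP -> ICID -> MID and return (icid, mid, reason) for every
    line mentioning a rejection; mid is None for connection-phase rejections."""
    icids_by_ip, lines_by_icid, lines_by_mid, icid_by_mid = index_mail_logs(text)
    found = []
    for icid in icids_by_ip.get(ip, []):
        lines = list(lines_by_icid[icid])
        # Message-level lines logged later no longer carry the ICID, which is why
        # the post pivots to grep "MID <n> " as a third step.
        for mid in sorted(m for m, i in icid_by_mid.items() if i == icid):
            extra = [l for l in lines_by_mid[mid] if l not in lines]
            lines.extend(extra)
        for line in lines:
            if REJECT_RE.search(line):
                mm = MID_RE.search(line)
                found.append((icid, int(mm.group(1)) if mm else None, reason(line)))
    return found


if __name__ == "__main__":
    # Usage: python esa_reject_pivot.py <mail_logs file> <sender ip>
    # With no arguments, runs against the constructed sample above.
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text, ip = fh.read(), sys.argv[2]
    else:
        text, ip = SAMPLE_MAIL_LOGS, "172.16.58.155"
    print(f"ICIDs from {ip}: {icids_for_ip(text, ip)}")
    for icid, mid, why in rejections_for_ip(text, ip):
        where = f"MID {mid}" if mid is not None else "connection phase"
        print(f"ICID {icid} ({where}): {why}")
```

Run without arguments to see the sample walk-through, or point it at a retrieved mail_logs file and a sender IP. The substring match on "reject" is deliberately coarse: it catches connection-phase rejections like the license-expiry line above as well as message-level ones, and an ICID that yields nothing is simply one of the accepted connections, exactly as Robert describes. The appliance's own CLI grep remains the authoritative check, since a retrieved copy of mail_logs may lag behind the live file.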

2 Replies


Robert, Thank you for the prompt response. I am looking at it from the SMA and it does give me a hyperlink. We currently do not have "save tracking information for rejected connections". However, in the SMA, I can still search by sender IP address and "search rejected connections only" with 6 rejected connection results which stated "Sender rejected. Envelope sender domain could not be resolved." I am guessing the sender's reverse DNS host could not be verified?

I am a little confused as to why "search rejected connections only" for the sender IP address would only show 6 rejected connections but the sender profile for the domain shows that 0% was rejected under connections by category. (See attached image)

So the 'Stopped by Reputation Filtering' references the settings in the HAT. If our HAT setting for Mail Flow Policies -> Blocked is at the default 10MB, the number of messages that exceed 10MB in the 'Stopped by Reputation Filtering' could include this blocked policy? Also, how does the HAT setting differ from default inbound mail policy? I am able to send a 12MB email from my Gmail account.

Thank you!