Cisco Email Security Appliance C650 User Guide
User Guide for AsyncOS 9.7 for Cisco Email Security Appliances
Chapter 9 Using Message Filters to Enforce Email Policies
Attachment Scanning
Viewing the Verdict Score of a Particular Message
To see the verdict score for a particular message, you can view the mail logs. The mail logs display the
image name or file name and the score for a particular message attachment. In addition, the log displays
information about whether the images in a file were scannable or unscannable. Note that information in
the log describes the result for each message attachment, rather than each image. For example, if the
message had a zip attachment that contained a JPEG image, the log entry would contain the name of the
zip file rather than the name of the JPEG. Also, if the zip file included multiple images, then the log entry
would include the maximum score of all the images. The unscannable notation indicates whether any of
the images were unscannable.
The log does not contain information about how the scores translate to a particular verdict (clean, suspect
or inappropriate). However, because you can use mail logs to track the delivery of specific messages,
you can determine by the actions performed on the messages whether the mail contained inappropriate
or suspect images.
For example, the following mail log shows attachments dropped by message filter rules as a result of
Image Analysis scanning:
Thu Apr 3 08:17:56 2009 Debug: MID 154 IronPort Image Analysis: image 'Unscannable.jpg' is unscannable.
Thu Apr 3 08:17:56 2009 Info: MID 154 IronPort Image Analysis: attachment 'Unscannable.jpg' score 0 unscannable
Thu Apr 3 08:17:56 2009 Info: MID 6 rewritten to MID 7 by drop-attachments-where-image-verdict filter 'f-001'
Thu Apr 3 08:17:56 2009 Info: Message finished MID 6 done
Configuring the Message Filter to Perform Actions Based on Image Analysis Results
Once you enable image analysis, you must create a message filter to perform different actions for
different message verdicts. For example, you may wish to deliver messages with a clean verdict, but
quarantine messages that are determined to have inappropriate content.
Note
Cisco recommends you do not drop or bounce messages with inappropriate or suspect verdicts. Instead,
send copies of violations to a quarantine for later review and better understanding of trend analysis.
The following filter shows messages tagged if the content is inappropriate or suspect:
image_analysis: if image-verdict == "inappropriate" {
    strip-header("Subject");
    insert-header("Subject", "[inappropriate image] $Subject");
}
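
Added example (not from the Cisco guide): a small Python parser that groups the Image Analysis attachment lines and the filter rewrite lines by MID, so the per-attachment score can be read next to the action taken on the message. The sample log is constructed in the format of the excerpt above; the function names, and the assumption that a scannable attachment is logged without the trailing "unscannable", belong to this example.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the mail log excerpt on this page.
# Assumption: a scannable attachment is logged without the trailing "unscannable".
SAMPLE_LOG = """\
Thu Apr 3 08:17:56 2009 Info: MID 154 IronPort Image Analysis: attachment 'photos.zip' score 87
Thu Apr 3 08:17:56 2009 Debug: MID 154 IronPort Image Analysis: image 'Unscannable.jpg' is unscannable.
Thu Apr 3 08:17:56 2009 Info: MID 154 IronPort Image Analysis: attachment 'Unscannable.jpg' score 0 unscannable
Thu Apr 3 08:17:56 2009 Info: MID 154 rewritten to MID 155 by drop-attachments-where-image-verdict filter 'f-001'
Thu Apr 3 08:17:57 2009 Info: MID 160 IronPort Image Analysis: attachment 'logo.png' score 3
Thu Apr 3 08:17:57 2009 Info: Message finished MID 160 done
"""

# File names are sender-controlled: match greedily and anchor on the line end.
ATTACHMENT = re.compile(
    r"Info: MID (?P<mid>\d+) IronPort Image Analysis: "
    r"attachment '(?P<name>.*)' score (?P<score>\d+)(?P<unscannable> unscannable)?\s*$")
REWRITE = re.compile(
    r"Info: MID (?P<mid>\d+) rewritten to MID (?P<new>\d+) by "
    r"(?P<action>\S+) filter '(?P<filter>[^']*)'")

def summarize(log_text):
    """Group Image Analysis results and filter actions by MID."""
    report = defaultdict(lambda: {"attachments": [], "actions": []})
    for line in log_text.splitlines():
        m = ATTACHMENT.search(line)
        if m:
            report[m["mid"]]["attachments"].append(
                {"name": m["name"], "score": int(m["score"]),
                 "unscannable": m["unscannable"] is not None})
            continue
        m = REWRITE.search(line)
        if m:
            report[m["mid"]]["actions"].append(
                {"action": m["action"], "filter": m["filter"], "new_mid": m["new"]})
    return dict(report)

def needs_review(report):
    """MIDs where a filter acted or an attachment could not be scanned."""
    return sorted((mid for mid, r in report.items()
                   if r["actions"] or any(a["unscannable"] for a in r["attachments"])),
                  key=int)

if __name__ == "__main__":
    rep = summarize(SAMPLE_LOG)
    for mid in needs_review(rep):
        print(mid, rep[mid])
```

Because the log records a score but not the verdict, the filter action on the same MID is what indicates how the message was classified.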