Troubleshooting Guide for Cisco Content Security Management Appliance M390

When a message is released from quarantine, where is that logged?
Document ID: 118286
Contributed by Kevin Luu and Robert Sherwin, Cisco TAC Engineers.
Aug 14, 2014
Contents
Introduction
When a message is released from quarantine, where is that logged?
Related Information
Introduction
This document describes how to view the mail logs in order to determine the disposition of a message
released from quarantine on the Cisco Email Security Appliance (ESA) or Cisco Security Management
Appliance (SMA).
When a message is released from quarantine, where is that logged?
On the ESA, when you release a message from the IronPort Spam Quarantine (ISQ), Policy quarantine, or
other custom quarantine, that action and the associated event are reported in the IronPort Text Mail Logs
(mail_logs) file. The log entry is associated with the original MID.
The best way to track this down is to get the From, To, or Subject of the original message that was
quarantined. Next, search for it in the log to see if it was released from quarantine, and then see if the
end mail server accepted it or bounced it.
For example, to search the mail logs for sender "spam@test.com":
> grep -i "spam@test.com" mail_logs
Wed Aug 13 12:59:36 2014 Info: MID 1357 ICID 10152 From: <spam@test.com>
Wed Aug 13 12:59:42 2014 Info: MID 1357 SPF: mailfrom identity spam@test.com None 
Wed Aug 13 12:59:57 2014 Info: MID 1357 ready 185 bytes from <spam@test.com>
You will want to pay attention to the message ID (MID) and delivery connection ID (DCID).
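The same lookup can be done offline on an exported copy of mail_logs. The following Python sketch is an added example, not part of the original Cisco document or any Cisco tool: it finds the MIDs for a sender and then collects every line that names that MID or one of its connection IDs. The function names are hypothetical, and the "DCID <number>" token is assumed to appear in the same style as the ICID token shown in the excerpt.

```python
import re

# Sample input: lines copied from the log excerpt on this page, plus one
# constructed unrelated message (MID 1358) to show that it is filtered out.
SAMPLE_LOG = """\
Wed Aug 13 12:59:29 2014 Info: New SMTP ICID 10152 interface Management (192.168.0.199) address 75.111.22.123 reverse dns host spam.test.com verified yes
Wed Aug 13 12:59:36 2014 Info: Start MID 1357 ICID 10152
Wed Aug 13 12:59:36 2014 Info: MID 1357 ICID 10152 From: <spam@test.com>
Wed Aug 13 12:59:38 2014 Info: MID 1358 ICID 10153 From: <other@example.org>
Wed Aug 13 12:59:40 2014 Info: MID 1357 ICID 10152 RID 0 To: <end_user@domain.com>
Wed Aug 13 12:59:42 2014 Info: MID 1357 SPF: mailfrom identity spam@test.com None
""".splitlines()

# Assumption: delivery connections are logged as "DCID <number>", like ICID.
ID_TOKEN = re.compile(r"\b(MID|ICID|DCID) (\d+)\b")
FROM_LINE = re.compile(r"\bMID (\d+) ICID \d+ From: <([^>]*)>")

def mids_for_sender(lines, sender):
    """MIDs whose From line matches sender (case-insensitive, like grep -i)."""
    found = []
    for line in lines:
        m = FROM_LINE.search(line)
        if m and m.group(2).lower() == sender.lower() and m.group(1) not in found:
            found.append(m.group(1))
    return found

def trace_mid(lines, mid):
    """Return (connection_ids, related_lines) for one MID, in log order."""
    target = ("MID", mid)
    conns = set()
    # Pass 1: collect every ICID/DCID that shares a line with the MID.
    for line in lines:
        ids = set(ID_TOKEN.findall(line))
        if target in ids:
            conns |= {t for t in ids if t[0] != "MID"}
    # Pass 2: keep lines naming the MID, or naming one of its connections
    # without naming a different MID (one connection can carry several).
    related = []
    for line in lines:
        ids = set(ID_TOKEN.findall(line))
        has_mid = any(kind == "MID" for kind, _ in ids)
        if target in ids or (ids & conns and not has_mid):
            related.append(line)
    return conns, related

if __name__ == "__main__":
    for mid in mids_for_sender(SAMPLE_LOG, "spam@test.com"):
        conns, related = trace_mid(SAMPLE_LOG, mid)
        print(f"MID {mid} connections: {sorted(conns)}")
        print("\n".join(related))
```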
The full mail_logs, or message tracking, shows that this particular MID was sent to the spam quarantine:
Wed Aug 13 12:59:29 2014 Info: New SMTP ICID 10152 interface Management (192.168.0.199) address 75.111.22.123 reverse dns host spam.test.com verified yes
Wed Aug 13 12:59:29 2014 Info: ICID 10152 RELAY SG RELAY_SG match 75.111.22.123 SBRS not enabled
Wed Aug 13 12:59:36 2014 Info: Start MID 1357 ICID 10152
Wed Aug 13 12:59:36 2014 Info: MID 1357 ICID 10152 From: <spam@test.com>
Wed Aug 13 12:59:40 2014 Info: MID 1357 ICID 10152 RID 0 To: <end_user@domain.com>
Wed Aug 13 12:59:42 2014 Info: MID 1357 SPF: helo identity postmaster None
Wed Aug 13 12:59:42 2014 Info: MID 1357 SPF: mailfrom identity spam@test.com None
Wed Aug 13 12:59:57 2014 Info: MID 1357 SPF: pra identity None headers None