Viewing information about email traffic processing events
July 10, 2024
ID 207772
Click the link in the upper part of the window to go to the Backup section and view the information about messages in Backup related to this event.
To view information about an email traffic processing event:
- In the main window of the application web interface, open the management console tree and select the Events section.
- Select the Mail traffic tab.
Email traffic processing event information is displayed as a table.
- Select the event for which you want to view information.
This opens a window containing information about the event.
The information window for an email traffic processing event contains the following tabs:
- General info
- Message scan result
- Attachments
- MIME parts
- Links
For large messages, information is displayed for no more than the first 50 MIME parts, attachments, and links of the processed message. If the number of MIME parts, attachments, or links in a large message exceeds 50, some of the information is hidden and the corresponding notification is displayed. To view information about the remaining MIME parts, attachments, or links, click Show all in the notification.
Information about the scanning of an attachment, MIME part, or link may be missing from event details. This can happen for one of the following reasons:
- The event record was created before the functionality of logging the scan results for MIME parts, links, and attachments became available.
- The application is configured in such a way that information about the scanning of MIME parts, links, and attachments is logged only for messages in which objects are detected (default behavior).
- The message does not contain links or attachments, or they could not be detected.
This tab displays the following data:
- Date and time is the date and time when the event occurred.
- Node is the IP address or port of the node where the message was processed.
- Sender email is the IP address of the message sender. The address is taken from the SMTP session (value of the MAIL FROM command).
- Sender IP is the IP address of the message sender.
- Application message ID is the unique ID that the application assigns to the message.
- SMTP Message-ID is the ID assigned to the message at the mail server.
- To is the address of the message recipient. Contains addresses from the SMTP session (values of the RCPT TO command) that occur in the To MIME header.
- CC is the address of the recipient of a copy of the message. Contains addresses from the SMTP session (values of the RCPT TO command) that occur in the Cc MIME header, but not in the To MIME header.
- BCC is the address of the recipient of a blind copy of the message. The address is taken from the SMTP session. Contains addresses from the SMTP session (values of the RCPT TO command) that do not occur in either the To MIME header or the Cc MIME header.
- Subject is the message subject.
- Rule name is the name of the rule which caused the message to be processed.
You can view rule details by clicking the link with the rule name.
- Action is the action taken on the message based on the results of scanning by application modules.
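The To, CC and BCC rules above amount to comparing the envelope recipients with the message headers. The following Python sketch is an added example, not code from the application; the function names, the sample data and the case-insensitive address comparison are assumptions.

```python
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: header block of a message and its SMTP envelope recipients.
SAMPLE_HEADERS = """\
From: alice@example.com
To: Bob <bob@example.com>, carol@example.com
Cc: carol@example.com, Dave <DAVE@example.com>
Subject: constructed sample

"""
SAMPLE_RCPT_TO = ["<bob@example.com>", "<carol@example.com>",
                  "<dave@example.com>", "<eve@example.net>"]


def normalize(address):
    # Assumption: addresses are compared case-insensitively, without angle brackets.
    return address.strip().strip("<>").lower()


def classify_recipients(rcpt_to, raw_headers):
    """Split RCPT TO addresses into To / CC / BCC using the rules described above."""
    msg = message_from_string(raw_headers)

    def header_addresses(name):
        pairs = getaddresses(msg.get_all(name, []))
        return {normalize(addr) for _, addr in pairs if addr}

    in_to, in_cc = header_addresses("To"), header_addresses("Cc")
    result = {"To": [], "CC": [], "BCC": []}
    for rcpt in rcpt_to:
        addr = normalize(rcpt)
        if addr in in_to:
            result["To"].append(addr)    # envelope recipient listed in the To header
        elif addr in in_cc:
            result["CC"].append(addr)    # listed in Cc but not in To
        else:
            result["BCC"].append(addr)   # envelope recipient in neither header
    return result


if __name__ == "__main__":
    print(classify_recipients(SAMPLE_RCPT_TO, SAMPLE_HEADERS))
```

An address that lands in BCC is an envelope recipient that the message headers do not disclose.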
This tab displays the statuses that each scan module assigned to the message. For some statuses, the detection methods or the reason for assigning the status are displayed in the second line, separated by commas.
This tab displays a table with information about the results of scanning message attachments.
The table contains the following information:
- File name is the name of the attachment.
- Index of attachment MIME part displays the location of the MIME part in the MIME part hierarchy of the message. Possible values:
  - 0 for the root MIME part of the message.
  - 0.<index of the current MIME part> for a MIME part of the message that is a child of the root MIME part. The index of the current MIME part is a non-negative integer number.
  - <index of parent MIME part>.<index of the current MIME part> for a MIME part that is not nested in the root MIME part.
  - <index of MIME part>.p is the prologue of the MIME part of the message.
  - <index of MIME part>.e is the epilogue of the MIME part of the message.
- Action on attachment is the action taken on the attachment based on the scan results.
- Anti-Virus is the Anti-Virus module scan result for the attachment.
- Content filtering is the Content Filtering scan result for the attachment.
- Hash is the algorithm used for calculating the hash of the attachment. If hashing is not enabled in the application settings, a dash is displayed instead.
- Size is the size of the attachment in bytes.
To view detailed information about attachment scan results, select the relevant record in the table. This opens a window with the following information:
- File name is the name of the attachment.
- File size (bytes) is the size of the attachment.
- Action is the action taken on the attachment based on the scan results. Possible values:
  - None
  - Disinfected
  - Deleted
- Anti-Virus shows the Anti-Virus module scan details:
  - Skip reason:
    - File name
    - Nesting level
    If the attachment status is different from Not scanned, a dash is displayed.
  - Document with a macro. Possible values: Yes, No.
  - Status:
    - Not detected.
    - Not scanned.
    - Infected.
    - Encrypted.
    - Error.
  - Detection method:
    - Local databases.
    - KSN.
    - KPSN reputation.
  - Threats is the list of detected threats.
  - Deleted objects is the list of objects that were deleted as a result of processing the attachment. These can be objects from single-volume archives: ARJ, CAB, LHA, ZIP, RAR 5.0 and earlier. The archive must not be self-extracting.
  - Disinfected objects is the list of objects that were disinfected as a result of processing the attachment. These can be objects from single-volume archives: ARJ, CAB, LHA, ZIP, RAR 5.0 and earlier. The archive must not be self-extracting.
- Content Filtering shows the details of the Content Filtering scan for the attachment:
  - Status:
    - Not detected.
    - Not scanned.
    - Error.
    - Matched content.
  - Triggered expressions is a list of expressions that were applied as a result of Content Filtering of the attachment.
- Hash algorithm is the algorithm used for calculating the hash of the attachment. If hashing is not enabled in the application settings, a dash is displayed instead.
- Hash is the hash value of the attachment. The hash is calculated after the application applies all actions to the attachment. If hashing is not enabled in the application settings, a dash is displayed instead.
The tab displays a table with information about the following objects:
- All MIME parts, including attachments. Attachment information is the same as on the Attachments tab.
- 'Prologue' and 'Epilogue' are the prologue and epilogue of MIME parts of messages.
- 'Entire message' is the entire message. This string is displayed if the Anti-Virus module detected a threat when scanning the entire message, but no threats were detected when scanning individual MIME parts of the message.
The table contains the following information:
- File name is the name of the attachment, 'prologue', 'epilogue', 'entire message', or a dash if a name is not defined.
- MIME part index displays the location of the MIME part in the MIME part hierarchy of the message. Possible values:
  - 0 for the root MIME part of the message.
  - 0.<index of the current MIME part> for a MIME part of the message that is a child of the root MIME part. The index of the current MIME part is a non-negative integer number.
  - <index of parent MIME part>.<index of the current MIME part> for a MIME part that is not nested in the root MIME part.
  - <index of MIME part>.p is the prologue of the MIME part of the message.
  - <index of MIME part>.e is the epilogue of the MIME part of the message.
- Action on MIME part is the action applied to the MIME part based on the scan results.
- Anti-Virus is the Anti-Virus module scan result for the MIME part.
- Content filtering is the Content Filtering scan result for the MIME part.
- Hash is the name of the hashing algorithm. If hashing is not enabled in the application settings, a dash is displayed instead.
- Size is the size of the MIME part in bytes.
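The index scheme described above (and for the Attachments tab) can be reproduced by walking a parsed message tree. This Python sketch is an added example, not the application's code; the function name, the sample message, numbering child parts from 0 and the row order are assumptions.

```python
from email import message_from_string

# Constructed sample: nested multipart message with a prologue and an epilogue.
SAMPLE_MESSAGE = """\
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="outer"

text before the first boundary
--outer
Content-Type: multipart/alternative; boundary="inner"

--inner
Content-Type: text/plain

hello
--inner
Content-Type: text/html

<p>hello</p>
--inner--
--outer
Content-Type: application/pdf
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0=
--outer--
text after the closing boundary
"""


def index_mime_parts(raw_message):
    """Return (index, content type, file name) rows in the page's index notation."""
    rows = []

    def walk(part, index):
        rows.append((index, part.get_content_type(), part.get_filename() or "-"))
        if not part.is_multipart():
            return
        if part.preamble and part.preamble.strip():
            rows.append((index + ".p", "prologue", "-"))   # text before first boundary
        for n, child in enumerate(part.get_payload()):      # assumption: children start at 0
            walk(child, f"{index}.{n}")
        if part.epilogue and part.epilogue.strip():
            rows.append((index + ".e", "epilogue", "-"))   # text after closing boundary

    walk(message_from_string(raw_message), "0")
    return rows
```

Calling `index_mime_parts(SAMPLE_MESSAGE)` yields one row per MIME part plus separate rows for the non-empty prologue and epilogue of the root part.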
To view detailed information about MIME part scan results, select the relevant record in the table. This opens a window with the following information:
- File name is the name of the MIME part, if any.
- File size (bytes) is the size of the MIME part.
- Action is the action applied to the MIME part based on the scan results. Possible values:
  - None
  - Disinfected
  - Deleted
- Anti-Virus shows the Anti-Virus module scan details:
  - Skip reason:
    - File name
    - Nesting level
    If the MIME part status is different from Not scanned, a dash is displayed.
  - Document with a macro. Possible values: Yes, No.
  - Status:
    - Not detected.
    - Not scanned.
    - Infected.
    - Encrypted.
    - Error.
  - Detection method:
    - Local databases.
    - KSN.
    - KPSN reputation.
  - Threats is the list of detected threats.
  - Deleted objects is the list of objects that were deleted as a result of processing the MIME part. These can be objects from single-volume archives: ARJ, CAB, LHA, ZIP, RAR 5.0 and earlier. The archive must not be self-extracting.
  - Disinfected objects is the list of objects that were disinfected as a result of processing the MIME part. These can be objects from single-volume archives: ARJ, CAB, LHA, ZIP, RAR 5.0 and earlier. The archive must not be self-extracting.
- Content Filtering shows the Content Filtering scan details for the MIME part:
  - Status:
    - Not detected.
    - Not scanned.
    - Error.
    - Matched content.
  - Triggered expressions is a list of expressions that were applied as a result of Content Filtering of the MIME part.
- Hash algorithm is the algorithm used for calculating the hash of the MIME part. If hashing is not enabled in the application settings, a dash is displayed instead.
- Hash is the hash value of the MIME part. The hash is calculated after the application applies all actions to the MIME part. If hashing is not enabled in the application settings, a dash is displayed instead.
This tab displays a table with information about the results of scanning message links.
The table contains the following information:
- URL is the scanned link from the message. You cannot follow the link.
Hovering over the link displays an icon. Click the icon to copy the link.
- Link scanning is the result of the scan by the Link scanning module.
- Anti-Phishing is the result of the scan by the Anti-Phishing module.