B ESA Admin Guide Chapter 011101
Note: You cannot use message tracking to read the content of messages.
Note: Message tracking data is preserved only for messages that are processed after you enable this feature.
Tracking Messages
• If you are setting up Centralized Tracking: Set up your Security Management appliance to support
centralized message tracking for this Email Security appliance. See the Cisco Content Security
Management Appliance User Guide.
Option: Description
Centralized Tracking: Use a Security Management appliance to track messages for multiple Email Security appliances, including this one.
Step 5 (Optional) Select the check box to save information for rejected connections.
For best performance, leave this setting disabled.
What to do next
If you selected Local Tracking:
• Choose who can access content related to DLP violations. See Controlling Access to Sensitive Information
in Message Tracking.
• (Optional) Adjust the disk space allocation for storing messages. See Managing Disk Space.
Searching for Messages
Option: Description
Envelope Sender: Select Begins With, Is, or Contains, then enter an email address, username, or domain of a message sender to find.
  You can enter any character(s). No validation of your entry is performed.
Envelope Recipient: Select Begins With, Is, or Contains, and enter an email address, username, or domain of a message recipient to find.
  You can enter any character(s). No validation of your entry is performed.
Subject: Select Begins With, Is, or Contains, and enter a text string to search for in the message subject line.
  Warning: Do not use this type of search in environments where regulations prohibit such tracking.
Advanced options:
Sender IP Address / Domain / Network Owner: Specify the IP address, domain, or network owner of a remote host.
  You can search within rejected connections only or search all messages.
Attachment: Select Begins With, Is, or Contains, and enter an ASCII or Unicode text string for one attachment to find. Leading and trailing spaces are not stripped from the text you enter.
  You can search for messages by attachment filenames only if you have performed:
  • Body scan using a message filter
  • Body scan using a content filter
  • Advanced Malware Protection (AMP) scan.
  For more information about identifying files based on SHA-256 hash, see Identifying Files by SHA-256 Hash.
Message Event: Select one or more message processing events. For example, you can search for messages that have been delivered, quarantined, or hard bounced.
  Message events are added with an “OR” operator: Selecting multiple events finds messages that match any of the conditions you specify.
Message ID Header: Enter a text string for the SMTP Message-ID header.
  This RFC 822 message header uniquely identifies each email message. It is inserted in the message when the message is first created.
Cisco IronPort MID: Enter a message number to search for. An IronPort MID uniquely identifies each email message on the Email Security appliance.
Cisco IronPort Host: Select an Email Security appliance to restrict the search to messages processed by that appliance, or select all appliances.
What to do next
Related Topics
• Working with Message Tracking Search Results
Working with Message Tracking Search Results
• View more details for a message by clicking Show Details in the row for that message. A new browser
window opens with the message details.
• For quarantined messages, you can click a link in the message tracking search results to view details
such as the reason the message was quarantined.
Note: If you clicked a link in a report page to view message details in Message Tracking and the set of results is not what you expected, this can occur if reporting and tracking were not both enabled, simultaneously and continuously, during the time period you are reviewing.
Related Topics
• Message Tracking Details
Message Tracking Details
Item: Description
Received Time: Time that the Email Security appliance received the message.
  Dates and times are displayed using the local time configured on the Email Security appliance.
Envelope Recipients: If your deployment uses the alias table for alias expansion, the search finds the expanded recipient addresses rather than the original envelope addresses. For more information about Alias Tables, see “Creating Alias Tables” in the “Configuring Routing and Delivery Features” chapter.
  In all other cases, message tracking queries find the original envelope recipient addresses.
SMTP Auth User ID: SMTP authenticated username of the sender, if the sender used SMTP authentication to send the message. Otherwise, the value is “N/A.”
Reverse DNS Hostname: Name of the sending host, as verified by reverse DNS (PTR) lookup.
SBRS Score: SenderBase reputation score. The range is from 10 (likely a trustworthy sender) to -10 (apparent spammer). A score of “None” indicates that there was no information about this host at the time the message was processed.
  For more information about SBRS, see Sender Reputation Filtering.
Summary information (If one of the tabs below is displayed, this information is displayed in a tab. Summary information always displays.): The Summary tab displays status events logged during the processing of the message.
  Entries include information about Mail Policy processing, such as Anti-Spam and Anti-Virus scanning, and other events such as message splitting and custom log entries added by a content or message filter.
  If the message was delivered, the details of the delivery are displayed here.
  The last recorded event is highlighted in the processing details.
Checking Message Tracking Data Availability
Item: Description
DLP Matched Content tab: This tab displays only for messages that were caught by DLP policies.
  This tab includes information about the match, as well as the sensitive content that triggered the DLP policy match.
  You must configure the appliance to display this information. See Displaying Sensitive DLP Data in Message Tracking.
  To control access to this tab, see Controlling Access to Sensitive Information in Message Tracking.
URL Details tab: This tab displays only for messages caught by URL Reputation and URL Category content filters and by outbreak filters.
  This tab displays the following information:
  • The reputation score or category associated with the URL
  • The action performed on the URL (rewrite, defang, or redirect)
  • If a message contains multiple URLs, which URL has triggered the filter action.
  You must configure the appliance to display this information. See Displaying URL Details in Message Tracking.
  To control access to this tab, see Controlling Access to Sensitive Information in Message Tracking.
Related Topics
• Searching for Messages
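The matching behaviour described in the search options (Begins With / Is / Contains, entries used exactly as typed, OR-combined message events) and the alias-expansion note under Envelope Recipients can be modelled as follows. This is an added example, not Cisco code or appliance output; the record layout, function names, alias table and case-sensitive comparison are assumptions made for illustration.

```python
# Added example: a model of the search semantics described on this page.
# Record layout, field names and the alias table are constructed; exact,
# case-sensitive comparison is an assumption (the page does not state case handling).

ALIASES = {"sales@example.com": ["alice@example.com", "bob@example.com"]}  # constructed

def expand(rcpts):
    """Alias expansion: tracking finds the expanded recipients, not the alias."""
    out = []
    for r in rcpts:
        out.extend(ALIASES.get(r, [r]))
    return out

def text_match(mode, needle, value):
    """Begins With / Is / Contains. The entry is used as typed: no validation, no stripping."""
    if mode == "Begins With":
        return value.startswith(needle)
    if mode == "Is":
        return value == needle
    if mode == "Contains":
        return needle in value
    raise ValueError(f"unknown match mode: {mode}")

def track(mid, sender, rcpts, attachments, events):
    """Build one constructed tracking record, applying alias expansion on intake."""
    return {"mid": mid, "sender": sender, "recipients": expand(rcpts),
            "attachments": attachments, "events": set(events)}

RECORDS = [  # constructed sample data
    track(101, "billing@vendor.example", ["sales@example.com"], ["invoice.pdf"], ["delivered"]),
    track(102, "news@bulk.example", ["carol@example.com"], [], ["quarantined"]),
    track(103, "hr@example.com", ["bob@example.com"], ["policy.docx"], ["hard bounced"]),
]

def search_field(field, mode, needle, records=RECORDS):
    """Return MIDs where the field (a string or a list of strings) matches."""
    hits = []
    for rec in records:
        values = rec[field] if isinstance(rec[field], list) else [rec[field]]
        if any(text_match(mode, needle, v) for v in values):
            hits.append(rec["mid"])
    return hits

def search_events(selected, records=RECORDS):
    """Multiple selected events are OR-ed: any one matching event is a hit."""
    return [rec["mid"] for rec in records if rec["events"] & set(selected)]
```

In this model a recipient search for the alias sales@example.com returns nothing while bob@example.com returns MIDs 101 and 103, and an Attachment search for "invoice.pdf " with a trailing space misses the message that "invoice.pdf" finds.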
Step 1
Step 2 Select Monitor > Message Tracking.
Step 3 Look for Data in time range: in the upper right corner of the Search box.
Step 4 Click the value shown for Data in time range:.
What to do next
Related Topics
• About Message Tracking and Upgrades
About Message Tracking and Upgrades