Determining why Spam Keyword Checking blocked or allowed a message

Overview

The Spam Keyword Checking filter identifies spam emails by looking for predefined keywords in the subject or body of each received email.

In this article, you will learn how to determine why the Spam Keyword Checking Anti-Spam filter blocked or allowed a message as part of the troubleshooting process.

  

Introduction

The Spam Keyword Checking filter can block emails that have specific words in the subject or body. The words found in the subject and the body of an email are compared with the keywords listed in the Keyword Checking table in the configuration database. The keywords are stored in binary format and can therefore only be updated from the configuration UI.

If a match is found, the message is blocked. When the ‘Match whole words only’ option is enabled, keywords are matched only against full words, not against strings inside other words. For example, if you intended to block the word “Cialis” and ‘Match whole words only’ was not enabled, the filter would also block the word “specialist”, even though the keyword is only a substring of an otherwise legitimate word.
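The following added example (not GFI code) shows a way to audit a keyword list for this kind of substring collision before relying on substring matching. It assumes case-insensitive matching, as the “Cialis”/“specialist” example implies, and approximates the filter's word boundaries with a regular expression; the function names and sample data are constructed for illustration.

```python
import re

def matches(keyword, text, whole_words_only):
    """Approximate the two matching modes (case-insensitive, an assumption)."""
    pattern = re.escape(keyword)
    if whole_words_only:
        # The keyword must not be preceded or followed by a word character.
        pattern = r"(?<!\w)" + pattern + r"(?!\w)"
    return re.search(pattern, text, re.IGNORECASE) is not None

def substring_collisions(keywords, legit_texts):
    """Map each keyword to the legitimate words it hits only in substring mode."""
    report = {}
    for kw in keywords:
        inner = re.compile(r"\w*" + re.escape(kw) + r"\w*", re.IGNORECASE)
        hits = set()
        for text in legit_texts:
            if matches(kw, text, True):
                continue  # a whole-word hit is expected behaviour, not a collision
            hits.update(word.lower() for word in inner.findall(text))
        if hits:
            report[kw] = sorted(hits)
    return report

# Constructed sample data: a keyword list and subjects from known-good mail.
KEYWORDS = ["Cialis", "risk free", "win"]
LEGIT = [
    "Referral to a specialist",
    "Windows update schedule",
    "This trial is risk free",
]

if __name__ == "__main__":
    for kw, words in substring_collisions(KEYWORDS, LEGIT).items():
        print(f"{kw!r} would also match inside: {', '.join(words)}")
```
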

There will be scenarios where customers open support requests wanting to understand why the Spam Keyword Checking Anti-Spam filter blocked or allowed specific messages against their expectations. The next section outlines the troubleshooting process to determine the reason behind the actions taken by this filter.

  

Description

If you are questioning why an email was blocked or allowed by the Spam Keyword Checking filter and would like more information, the best place to start the troubleshooting process is to examine the debug logs.
Follow the procedure below to find the log file and the entries for the email message under review, then use the examples provided to determine why the message was blocked or allowed:
  1. Find the Message-ID of the email in question by either obtaining it from the headers of the message itself or by looking for it in the MailEssentials Dashboard > Logs > Details tab. Refer to this linked article for more information on Reading Email Headers to extract the Message-ID.
  2. Navigate to ..\GFI\MailEssentials\AntiSpam\DebugLogs and locate the log file for the module. The debug log filename is ase_keyword_checking.gfi_log.txt
    • This debug log file for the module corresponds to GFI MailEssentials > Anti-Spam > Anti-Spam Filters > Spam Keyword Checking on the configuration UI.
  3. Open the debug log file in a text editor and search for the Message-ID obtained in step 1.
  4. Refer to the scenarios below to determine the reasons behind the action taken by the module. Pay close attention to the lines in bold to understand what happened and why.
The debug log file will indicate whether Spam Keyword Checking is enabled and any actions taken by the filter while scanning emails. The module is disabled when both keyword checking options are disabled (i.e. message body and message subject) and in this case the log file will show:
"ase_keyword_checking","--------------------------------------------------------------------------"
"ase_keyword_checking",">> Init Message [<97e6b77a0cb18d68a354191620043785@ec2amaz-tedqdcp>]"
"ase_keyword_checking","Context Refreshed: Yes"
"ase_keyword_checking","Licensing check: Licensed"
"ase_keyword_checking","Going to try and create instance of StreamOnFile..."
"ase_keyword_checking","Going to try and create instance of StreamOnFile...SUCCESS"
"ase_keyword_checking",""
"ase_keyword_checking","File created, retrieving stream access"
"ase_keyword_checking",">> Load Config"
"ase_keyword_checking","Retrieving Keyword Checking setting. Executing query [SELECT * FROM antispam]"
"ase_keyword_checking","Body keyword check disabled: [0]"
"ase_keyword_checking","Subject keyword check disabled: [0]"
"ase_keyword_checking","Display name check disabled: [0]"
"ase_keyword_checking","<< Load Config"
"ase_keyword_checking","<< Init Message"
"ase_keyword_checking",">> Message Uninitialization"
"ase_keyword_checking","CKeyCheck::~CKeyCheck() >>"
"ase_keyword_checking","mlang count: 0"
"ase_keyword_checking","CKeyCheck::~CKeyCheck() <<"
"ase_keyword_checking","<< Message Uninitialization"
"ase_keyword_checking","--------------------------------------------------------------------------"
The following lines after the Message-ID confirm that at least one of the spam keyword checks (i.e. either message body or message subject or both) is enabled and has successfully loaded the configuration:
"ase_keyword_checking","--------------------------------------------------------------------------"
"ase_keyword_checking",">> Init Message [<7918a8a51ac14e2b6e0b11b47584890c@ec2amaz-tedqdcp>]"
"ase_keyword_checking","Context Refreshed: Yes"
"ase_keyword_checking","Licensing check: Licensed"
"ase_keyword_checking","Going to try and create instance of StreamOnFile..."
"ase_keyword_checking","Going to try and create instance of StreamOnFile...SUCCESS"
"ase_keyword_checking",""
"ase_keyword_checking","File created, retrieving stream access"
"ase_keyword_checking",">> Load Config"
"ase_keyword_checking","Retrieving Keyword Checking setting. Executing query [SELECT * FROM antispam]"
"ase_keyword_checking","Body keyword check enabled: [1]"
"ase_keyword_checking","Subject keyword check enabled: [1]"
"ase_keyword_checking","Display name check enabled: [1]"
"ase_keyword_checking","Loading body words"
"ase_keyword_checking","Creating word list"
"ase_keyword_checking","Accessing operators"
"ase_keyword_checking","Accessing words"
"ase_keyword_checking","Processing 279 entries"

 

Scenario 1: Email was allowed by the module 

"ase_keyword_checking","--------------------------------------------------------------------------"
"ase_keyword_checking",">> Init Message [<7918a8a51ac14e2b6e0b11b47584890c@ec2amaz-tedqdcp>]"
"ase_keyword_checking","Context Refreshed: Yes"
"ase_keyword_checking","Licensing check: Licensed"
"ase_keyword_checking","Going to try and create instance of StreamOnFile..."
"ase_keyword_checking","Going to try and create instance of StreamOnFile...SUCCESS"
"ase_keyword_checking",""
"ase_keyword_checking","File created, retrieving stream access"
"ase_keyword_checking",">> Load Config"
"ase_keyword_checking","Retrieving Keyword Checking setting. Executing query [SELECT * FROM antispam]"
"ase_keyword_checking","Body keyword check enabled: [1]"
"ase_keyword_checking","Subject keyword check enabled: [1]"
"ase_keyword_checking","Display name check enabled: [1]"
"ase_keyword_checking","Loading body words"
"ase_keyword_checking","Creating word list"
"ase_keyword_checking","Accessing operators"
"ase_keyword_checking","Accessing words"
"ase_keyword_checking","Processing 279 entries"
...
"ase_keyword_checking","Word list done"
"ase_keyword_checking","ID: 8238de3b07e97d3f6025f48a32e9a454"
"ase_keyword_checking","Successfully created subject word list [0]"
"ase_keyword_checking","<< Load Config"
"ase_keyword_checking","<< Init Message"
"ase_keyword_checking",">> Process Message"
"ase_keyword_checking",">> ScanSubject"
"ase_keyword_checking","Subject scanned successfully [0]"
"ase_keyword_checking","<< ScanSubject"
"ase_keyword_checking",">> ScanDisplayName"
"ase_keyword_checking","Display name scanned successfully [0]"
"ase_keyword_checking","<< ScanDisplayName"
"ase_keyword_checking",">> ScanTextBody"
"ase_keyword_checking","IStream scanned successfully [0]"
"ase_keyword_checking","<< ScanTextBody"
"ase_keyword_checking",">> ScanHTMLBody"
"ase_keyword_checking","IStream scanned successfully [0]"
"ase_keyword_checking","<< ScanHTMLBody"
"ase_keyword_checking","<< Process Message"
"ase_keyword_checking","--------------------------------------------------------------------------"
Note: If a specific keyword needs to be blocked, add it to the Spam Keyword list in the configuration.
 
Scenario 2: Email was blocked by the module 
"ase_keyword_checking","--------------------------------------------------------------------------"
"ase_keyword_checking",">> Init Message [<0fb196c2a9ed011c0a6734682ccd1646@ec2amaz-tedqdcp>]"
"ase_keyword_checking","Context Refreshed: Yes"
"ase_keyword_checking","Licensing check: Licensed"
...
"ase_keyword_checking","ID: d66f443cfa61d1c1f16e8f79c382c367"
"ase_keyword_checking","Successfully created body word list [0]"
"ase_keyword_checking","Loading subject words"
"ase_keyword_checking","Creating word list"
"ase_keyword_checking","Accessing operators"
"ase_keyword_checking","Accessing words"
"ase_keyword_checking","Processing 283 entries"
"ase_keyword_checking","Entried processed - un-accessing strings"
"ase_keyword_checking","Un-accessing operators"
"ase_keyword_checking","Word list done"
"ase_keyword_checking","ID: 8238de3b07e97d3f6025f48a32e9a454"
"ase_keyword_checking","Successfully created subject word list [0]"
"ase_keyword_checking","<< Load Config"
"ase_keyword_checking","<< Init Message"
"ase_keyword_checking",">> Process Message"
"ase_keyword_checking",">> ScanSubject"
"ase_keyword_checking","Subject scanned successfully [1]"
"ase_keyword_checking",">> CollectResults"
"ase_keyword_checking","<< CollectResults"
"ase_keyword_checking","<< ScanSubject"
"ase_keyword_checking","Found word(s) in subject"
"ase_keyword_checking","Found 4 words: [100% risk free check out risk free]"
"ase_keyword_checking","Setting actions data ..."
"ase_keyword_checking","Spam detected, Stopping ASE Chain [2]..."
"ase_keyword_checking","<< Process Message"
Note: If a keyword is incorrectly identified, make sure the "Match whole words only" checkbox is enabled. Alternatively, you can whitelist the sender or remove the keyword from the filter configuration.
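The lookup in steps 1 to 4 and the two scenarios can be scripted. This added example (not part of the product or the original article) reads the debug log, isolates the block for one Message-ID and reports whether the filter was disabled, allowed the message, or blocked it and on which words. It assumes each message's lines are contiguous, starting at ">> Init Message", and that the log text is the last comma-separated field; the sample log is constructed.

```python
import csv
import io
import re

INIT = re.compile(r">> Init Message \[<(.+?)>\]")
CHECK = re.compile(r"(Body|Subject) keyword check (enabled|disabled)")
FOUND_IN = re.compile(r"Found word\(s\) in (\w+)")
FOUND_WORDS = re.compile(r"Found \d+ words: \[(.*)\]")

def explain(log_text, message_id):
    """Summarise what the filter logged for one Message-ID."""
    wanted = message_id.strip("<>")
    out = {"verdict": "not found", "checks": {}, "location": None, "words": None}
    inside = False
    for row in csv.reader(io.StringIO(log_text)):
        msg = row[-1] if row else ""  # assumption: log text is the last field
        start = INIT.search(msg)
        if start:
            if inside:
                break  # the next message's block begins here
            inside = start.group(1) == wanted
            if inside:
                out["verdict"] = "allowed"
        elif not inside:
            continue
        elif (m := CHECK.search(msg)):
            out["checks"][m.group(1)] = m.group(2)
        elif (m := FOUND_IN.search(msg)):
            out["location"] = m.group(1)
        elif (m := FOUND_WORDS.search(msg)):
            out["words"] = m.group(1)
        elif msg.startswith("Spam detected"):
            out["verdict"] = "blocked"
    if out["checks"] == {"Body": "disabled", "Subject": "disabled"}:
        out["verdict"] = "filter disabled"
    return out

def _log(*msgs):  # builds constructed lines in the article's two-column form
    return "".join('"ase_keyword_checking","%s"\n' % m for m in msgs)

SAMPLE_LOG = _log(  # constructed sample, not real log data
    ">> Init Message [<blocked@example.test>]",
    "Body keyword check enabled: [1]", "Subject keyword check enabled: [1]",
    "Subject scanned successfully [1]", "Found word(s) in subject",
    "Found 2 words: [risk free check out]", "Spam detected, Stopping ASE Chain [2]...",
    ">> Init Message [<off@example.test>]",
    "Body keyword check disabled: [0]", "Subject keyword check disabled: [0]",
    ">> Init Message [<clean@example.test>]",
    "Subject keyword check enabled: [1]", "Subject scanned successfully [0]")
```

To use it on a real log, pass the contents of ase_keyword_checking.gfi_log.txt as `log_text` and the Message-ID from step 1 as `message_id`.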
 

  1. Priyanka Bhotika