Determining why Keyword Filtering blocked or allowed a message

Overview

Keyword Filtering is one of the Content Filtering plug-ins that enables administrators to block emails based on keywords in the email body or subject as well as any attachments that are in the email.

In this article, you will learn how to determine why the Keyword Filtering plug-in blocked or allowed a message as part of the troubleshooting process.

Introduction

Content Filtering engines allow MailEssentials to scan the content of emails and attachments, and block emails containing content matching any configured content filtering r

The Keyword Filtering plug-in works by blocking emails based on keywords or keyword combinations in the email body or subject as well as any attachments that are in the email. However, there may be scenarios where customers open support requests wanting to understand why the plug-in blocked or allowed specific messages against their expectations.

The next steps outline the troubleshooting process to determine the reason behind the actions taken by the Keyword Filtering plug-in.

Refer to this linked article to understand how Keyword Filtering works: Understanding Keyword Filtering

Description

If you are questioning why an email was blocked or allowed by the Keyword Filtering Content Filter and would like more information, you can find further details in the log file for the filter.
Follow the procedure below to find the log file and the entries for the message under review, then use the scenarios that follow to interpret them and determine why the message was blocked or allowed:
  1. Find the Message-ID of the email in question, either from the headers of the message itself or from the MailEssentials Dashboard > Logs > Details tab. Refer to this linked article for more information on Reading Email Headers to extract the Message ID.
  2. Navigate to ..GFI\MailEssentials\EmailSecurity\DebugLogs\ and locate the debug log file for the Keyword Filtering module. The log file name is Content Checking.gfi_log.txt
    • This is the debug log for the Keyword Filtering Module and corresponds to the GFI MailEssentials > Content Filtering > Keyword Filtering on the configuration UI as well as a number of the tb_contcheck tables in the avapicfg.mdb located at ..GFI\MailEssentials\EmailSecurity\Data.
  3. Open the debug log file in a text editor and search for the Message-ID obtained in step 1.
  4. Refer to the scenarios below to determine the reasons behind the action taken by the Keyword Filtering module. Pay close attention to the lines in bold to understand what happened and why.

Scenario 1: Email was allowed by the module

>> ProcessMail
Message-ID [ <1784e5b75db479566ac1102_0ac93e53@gfitest.com>]
Preparing to scan mail...
Mail Direction = 0 : AV_MAILDIRECT_INBOUND
Email sender: [Your Credit Report"]"
Email subject: [What's Influencing Your Credit Score?]
>> LoadRules
Getting rule resolver class...
Getting the rules from the rule resolver class obtained...
Enumerating the rules...
Sorting the rules.
Done.
<< LoadRules = TRUE
Number of rules loaded : 0
No rules apply.
<< ProcessMail() = EMAA_ERR_SUCCESS
Note: If an email is allowed through, make sure the Mail Direction is one configured to be scanned, and the rule that should have blocked it was checked. In the above example, Number of rules loaded shows 0 implying that no keyword filtering rules were enabled.

 

Scenario 2: Email was blocked by the module
>> ProcessMail
Message-ID [<0343fe98-afc4-4043-a949-38e936e12c7c@GFITest.GFITest.local>]
Preparing to scan mail...
Mail Direction = 0 : AV_MAILDIRECT_INBOUND
Email sender: []
Email subject: [Sex Videos]
>> LoadRules
Getting rule resolver class...
Getting the rules from the rule resolver class obtained...
Enumerating the rules...
>> ProcessRuleFromDB
Processing rule : [CONTENT POLICY: Block Profanities]
>> GetRuleAppliesToEmailInThisDirection [AV_MAILDIRECT_INBOUND]
Rule applies to direction : VALUEID_AC_CHECKINBOUND
Rule applies to direction : VALUEID_AC_CHECKOUTBOUND
<< GetRuleAppliesToEmailInThisDirection() == TRUE
Rule applies to this direction.
Getting Properties.
Enumerate the list [9]...
Get list count
Enumerate the list [10]...
Enumerate the list [10]...
<< ProcessRuleFromDB = TRUE
>> ProcessRuleFromDB
Processing rule : [CONTENT POLICY: Block Sexual Content]
>> GetRuleAppliesToEmailInThisDirection [AV_MAILDIRECT_INBOUND]
Rule applies to direction : VALUEID_AC_CHECKINBOUND
Rule applies to direction : VALUEID_AC_CHECKOUTBOUND
<< GetRuleAppliesToEmailInThisDirection() == TRUE
Rule applies to this direction.
Getting Properties.
Enumerate the list [35]...
Get list count
Enumerate the list [36]...
Enumerate the list [36]...
<< ProcessRuleFromDB = TRUE
Sorting the rules.
Done.
<< LoadRules = TRUE
Number of rules loaded : 2
Scanning mail item...
Debug at Sender Display Name []
Debug at Subject [Sex Videos]
>> CheckSubject
Debug Checking Subject [Sex Videos]
Subject [Sex Videos]
Checking for infringed Rules
Checked for infringed Rules
----- Checking new rule [CONTENT POLICY: Block Sexual Content] -----
Check whole words only: [1]
Filling Word
Scan complete.
Subject test FAILED.
>> FormulateErrorReport_KeywordsInSubject
Short Description [Triggered rule CONTENT POLICY: Block Sexual Content"]"
Long Description [Words in subject triggered rule CONTENT POLICY: Block Sexual Content" (Words found: sex)]"
<< FormulateErrorReport_KeywordsInSubject
<< CheckSubject [FALSE]
>> CheckBodies
Number of bodies: [1]
Checking body [1] of [1]
GM hBodyInfringements count. [262465976]
Get body IStream...
Get IUnknown...
Charset is [us-ascii]
Stream Size [56] Type [2]
Body Type: [text/plain]
GM CSSourceType: [1201]
----- Checking new rule [CONTENT POLICY: Block Sexual Content] -----
Check body for keywords.
Check whole words only: [1]
Filling Expression
Words and operators loaded correctly.
Source type: [1201]
Perform scan...
Scan complete.
Body test FAILED.
>> FormulateErrorReport_KeywordsInBody
Short Description [Triggered rule CONTENT POLICY: Block Sexual Content"]"
Long Description [Words in body triggered rule CONTENT POLICY: Block Sexual Content" (Words found: sex)]"
<< FormulateErrorReport_KeywordsInBody
<< CheckBodies [FALSE]
No rules defined which have check attachments for keywords enabled.
Finished scanning.
<< ProcessMail() = EMAA_ERR_DBACTION
In this example, the email would have been blocked due to BOTH the Subject and Body checks. The Short Description is what you would see in the Quarantine, while the Long Description is what you would need to find the specific word that was flagged. If there were multiple rules configured, these checks would be performed for each rule.
Note: Match whole words only, when unchecked, would match the word "cum" within "document" for example, so it is recommended to always enable Match whole words only.

Scenario 3: Module is disabled

The Keyword Filtering module is disabled by disabling or deleting all the keyword filtering policies or rules. The following will be logged in this scenario:
Number of rules loaded : 0
No rules apply.
<< ProcessMail() = EMAA_ERR_SUCCESS
Note: The debug logs will not indicate explicitly that the module is disabled; instead it will show that no rules are loaded and all messages will be allowed through.
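
The lookup in steps 3 and 4 can be scripted. The following is an added example, not part of GFI MailEssentials or the original article: it finds the ProcessMail block for a Message-ID and returns the fields the scenarios above rely on. The function name, the sample log, and the assumptions that log lines look like the excerpts above and that blocks are not interleaved are all constructed for illustration.

```python
import re

# Constructed sample shaped like the Scenario 1 and Scenario 2 excerpts (abridged).
SAMPLE_LOG = '''>> ProcessMail
Message-ID [ <allowed-1@example.test>]
Mail Direction = 0 : AV_MAILDIRECT_INBOUND
Number of rules loaded : 0
No rules apply.
<< ProcessMail() = EMAA_ERR_SUCCESS
>> ProcessMail
Message-ID [<blocked-1@example.test>]
Mail Direction = 0 : AV_MAILDIRECT_INBOUND
Number of rules loaded : 2
Subject test FAILED.
Long Description [Words in subject triggered rule Block Internal Codenames" (Words found: bluebird)]"
Body test FAILED.
Long Description [Words in body triggered rule Block Internal Codenames" (Words found: bluebird)]"
<< ProcessMail() = EMAA_ERR_DBACTION
'''

# Unanchored patterns, so a timestamp or thread prefix on each line is tolerated.
MSGID = re.compile(r"Message-ID \[\s*<?([^>\]]*)>?\s*\]")
DIRECTION = re.compile(r"Mail Direction = \d+ : (\S+)")
RULES = re.compile(r"Number of rules loaded : (\d+)")
HIT = re.compile(r'Long Description \[Words in (\w+) triggered rule "?(.+?)"? '
                 r"\(Words found: (.*?)\)\]")
RESULT = re.compile(r"<< ProcessMail\(\) = (\S+)")

def explain(log_text, message_id):
    """Summarise the ProcessMail block logged for message_id, or return None."""
    wanted = message_id.strip().strip("<>")
    block = None
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line.endswith(">> ProcessMail"):          # start of a new message
            block = {"message_id": None, "direction": None,
                     "rules_loaded": None, "hits": [], "result": None}
        elif block is None:
            continue                                 # outside any block
        elif m := MSGID.search(line):
            block["message_id"] = m.group(1).strip()
        elif m := DIRECTION.search(line):
            block["direction"] = m.group(1)
        elif m := RULES.search(line):
            block["rules_loaded"] = int(m.group(1))  # 0 means no rules enabled
        elif m := HIT.search(line):
            block["hits"].append(m.groups())         # (where, rule, words found)
        elif m := RESULT.search(line):
            block["result"] = m.group(1)
            if block["message_id"] == wanted:
                return block
            block = None
    return None
```

A result with `rules_loaded` equal to 0 corresponds to Scenarios 1 and 3; a non-empty `hits` list names the rule, the part of the message, and the words that triggered it, as in Scenario 2.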
 

  1. Priyanka Bhotika