Overview
When the administrator has enabled the distribution of quarantine digest reports to the email recipients, any user can approve or deny quarantined emails that were sent to them. This article outlines the steps to be taken by an administrator to determine which user approved or denied a given email from the quarantine store.
Prerequisites
- The directory paths given assume the latest version of MailEssentials, Version 21.6 Build 20200204.
Solution
To see who approved or denied emails from the Quarantine store in GFI MailEssentials, follow the instructions below:
- Find the Message-ID of the email(s) in question, either by obtaining it from the headers of the message itself or by looking for it in the MailEssentials Dashboard > Logs > Details tab. Refer to this linked article for more information on Reading Email Headers to extract the Message-ID.
- Take note of the Message-ID and navigate to the following log file:
- ...GFI\MailEssentials\ActionServices\debuglogs\QuarQA.log or
- ...GFI\MailEssentials\ActionServices\debuglogs\QuarQA.bak
- This is the Debug log for the QASC (Quarantine Action Service Coordinator) Anti-Spam Engine action while saving an email in the Quarantine database.
- Open the debug log file in a text editor and search for the Message-ID obtained in step 1. Alongside the Message-ID, you will find the quarItemID, the Quarantine Item ID which is the unique identifier for items in the quarantine store.
- Take note of the quarItemID (the highlighted text before the Message-ID shown above) and navigate to the following log file:
...GFI\MailEssentials\wwwconf\debuglogs\QuarWeb.log
- Open QuarWeb.log in a text editor and search for the quarItemID obtained in step 4. Scroll up and you will see everything that was done on that particular quarantine item. The log excerpt below shows an email that was approved and delivered to the intended recipient:
"QuarWeb","Item Ids retrieved"
"QuarWeb","---------- SpamEmailView.aspx.cs PageInit----------"
"QuarWeb","---------- SpamEmailView.aspx.cs ----------"
"QuarWeb","PreviewEmailFromReport quarItemID:B81FA0AC-967C-4800-874E-A2389DF33903"
"QuarWeb","preview:ItemMsgID=<0fb196c2a9ed011c0a6734682ccd1646@ec2amaz-tedqdcp>"
"QuarWeb","preview:Getting email <B81FA0AC-967C-4800-874E-A2389DF33903> from quarantine..."
"QuarWeb","preview:Creating MIME message from stream..."
"QuarWeb","preview:MIME message is loaded successfully"
"QuarWeb","itemcontents:WriteHtmlData"
"QuarWeb","PreviewEmailFromReport quarItemID:B81FA0AC-967C-4800-874E-A2389DF33903"
"QuarWeb","preview:ItemMsgID=<0fb196c2a9ed011c0a6734682ccd1646@ec2amaz-tedqdcp>"
"QuarWeb","preview:Getting email <B81FA0AC-967C-4800-874E-A2389DF33903> from quarantine..."
"QuarWeb","preview:MIME message is loaded successfully"
"QuarWeb","preview:ContentType: text/html;charset="
"QuarWeb","Initialising License Key management. "
"QuarWeb","preview:Item <B81FA0AC-967C-4800-874E-A2389DF33903> is approved"
"QuarWeb","---------- approve.aspx.cs ----------"
"QuarWeb","---------- quarresult.aspx.cs ----------"
"QuarWeb","---------------------------------------------------"
- Additional Note: Although this may be very helpful at times, you will need to search for this information fairly quickly after the changes have been made, because the logs roll over.
- Quar.log, located at ..GFI\MailEssentials\Backend\debuglogs\Quar.log, is the log file for the Quarantine action database access and maintenance and will include additional information on what happened to the quarantined item.
"Quar","GetItemData...OK"
"Quar","Approving Item: B81FA0AC-967C-4800-874E-A2389DF33903"
"Quar","GetItemData..."
"Quar","GetItemData...OK"
"Quar","GetQuarItemUsers B81FA0AC-967C-4800-874E-A2389DF33903"
"Quar","GetQuarItemUsers...OK 1"
"Quar","GetUserAddress 7c1d2e27-02e2-4094-bd00-089df3137aba"
"Quar","GetUserAddress administrator@ec2amaz-tedqdcp"
"Quar","From : administrator@ec2amaz-tedqdcp To: 1"
"Quar","Size: 1188"
"Quar","Message Written"
"Quar","DeleteQuarItem: B81FA0AC-967C-4800-874E-A2389DF33903"
"Quar","DeleteQuarItem...OK"
"Quar","DeleteQuarAllOwners: B81FA0AC-967C-4800-874E-A2389DF33903"
"Quar","DeleteQuarAllOwners...OK"
"Quar","Item Approved"
"Quar","Generate[Filter]: itemdtrec"
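Added example, not part of GFI's article or product: a Python script that pulls the approval trail for one quarItemID out of Quar.log text, so the search does not have to be done by eye before the logs roll over. It assumes every line is CSV with the message in the last field, as in the excerpt above, and that one item's lines are not interleaved with another's; the function names and the second sample item are constructed.

```python
import csv
import re

GUID = re.compile(r"[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}")

# First block: lines taken from the Quar.log excerpt on this page.
# Second block: constructed, to show that other items are ignored.
SAMPLE_QUAR_LOG = '''\
"Quar","Approving Item: B81FA0AC-967C-4800-874E-A2389DF33903"
"Quar","GetQuarItemUsers B81FA0AC-967C-4800-874E-A2389DF33903"
"Quar","GetQuarItemUsers...OK 1"
"Quar","GetUserAddress 7c1d2e27-02e2-4094-bd00-089df3137aba"
"Quar","GetUserAddress administrator@ec2amaz-tedqdcp"
"Quar","Message Written"
"Quar","DeleteQuarItem: B81FA0AC-967C-4800-874E-A2389DF33903"
"Quar","Item Approved"
"Quar","Approving Item: 11111111-2222-3333-4444-555555555555"
"Quar","GetUserAddress 00000000-0000-0000-0000-000000000001"
"Quar","GetUserAddress user@example.test"
"Quar","Item Approved"
'''

def messages(log_text):
    """Yield the last CSV field of each line (assumed to be the message)."""
    for line in log_text.splitlines():
        if line.strip():
            row = next(csv.reader([line]))
            if row:
                yield row[-1].strip()

def trace_approval(log_text, quar_item_id):
    """Return what Quar.log recorded while approving one quarantine item."""
    wanted = quar_item_id.strip("<>").upper()
    trail = {"item": wanted, "approved": False, "message_written": False,
             "user_ids": [], "addresses": []}
    in_block = False
    for msg in messages(log_text):
        if msg.startswith("Approving Item:"):
            # A new approval block starts; track it only if it is our item.
            in_block = msg.split(":", 1)[1].strip().upper() == wanted
        elif in_block and msg.startswith("GetUserAddress "):
            value = msg.split(" ", 1)[1].strip()
            key = "user_ids" if GUID.fullmatch(value) else "addresses"
            trail[key].append(value)
        elif in_block and msg == "Message Written":
            trail["message_written"] = True
        elif in_block and msg == "Item Approved":
            trail["approved"] = True
            in_block = False
    return trail
```

The `addresses` list holds whatever Quar.log resolved through GetUserAddress for the item's users; compare it with the QuarWeb.log entries for the same quarItemID before attributing the action to a person.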