Answer
If you want to know why an email was blocked or allowed by the Advanced Content Filtering content filter, further details are available in that filter's log file. Use the following procedure to locate the log and the entries for your message, then use the examples below to interpret why the message was blocked or allowed:
- Find the message ID of the email in question, either from the headers of the message itself or from the MailEssentials Dashboard > Logs > Details tab.
- Open the Advanced Filtering.gfi_log file in Notepad from ..\GFI\MailEssentials\EmailSecurity\DebugLogs
- This log is for the Keyword Filtering Module and corresponds to Configuration > EmailSecurity > Advanced Content Filtering > (click on the rule name) in the interface and to the tb_advancedfiltering table in avapicfg.mdb, located at ...GFI\MailEssentials\EmailSecurity\Data.
- Search the log for the Message ID from the dashboard or the email headers.
- Note: The bolded lines are the important ones in the log files for determining what has happened and why.
Email was allowed by the module:
ProcessMail - Message-ID [<6578D7954061634E9BB0A7445637132BEA7F3FEA@GFITEST.COM>] --->>
ProcessMail - Preparing to scan mail...
ProcessMail - Mail Direction = 0 : AV_MAILDIRECT_INBOUND
ProcessMail - Email subject: [TD Securities - FX Morning Commentary]
LoadRules >>
LoadRules - Getting the rules from the rule resolver class ...
LoadRules - Enumerating rules ...
PopulateRuleFromDB >>
PopulateRuleFromDB - Processing rule : [Delete @aexp.com email]
>> GetRuleAppliesToEmailInThisDirection [AV_MAILDIRECT_INBOUND]
GetRuleAppliesToEmailInThisDirection - Rule applies to direction : VALUEID_AC_CHECKINBOUND
<< GetRuleAppliesToEmailInThisDirection() == TRUE
PopulateRuleFromDB - Rule applies to this direction, getting rule properties
PopulateRuleFromDB = TRUE <<
LoadRules - Enumerating rules ... done
LoadRules = TRUE <<
ProcessMail - Number of rules loaded : 1
ProcessMail - Processing mail item ...
CheckMailItem >>
CheckMailItem - No rules defined which have check subject enabled
CheckMailItem - No rules defined which have check body enabled
CheckMailItem - No rules defined which have check attachments enabled
CheckHeaders >>
Checking for infringed Rules
Checked for infringed Rules
CheckHeaders - Checking rule [Delete @aexp.com email] ...
FindMatch >>
FindMatch = FALSE <<
FindMatch >>
FindMatch = FALSE <<
CheckHeaders = TRUE <<
CheckMailItem = TRUE <<
ProcessMail - Message-ID [<6578D7954061634E9BB0A7445637132BEA7F3FEA@EX7T2-CV05.TDBFG.COM>] [0] <<---
ProcessMail [EMAA_ERR_SUCCESS] <<
Note: If an email is allowed through, make sure the email direction (ProcessMail - Mail Direction) will be checked by the rule. Confirm all configured rules (ProcessMail - Number of rules loaded) were loaded and checked (Checking rule).
Email was blocked by the module:
ProcessMail - Message-ID [<53282CB8.5070805@gfitest.com>] --->>
ProcessMail - Preparing to scan mail...
ProcessMail - Mail Direction = 0 : AV_MAILDIRECT_INBOUND
ProcessMail - Email subject: [Sage Accounting Invoice #65829792]
LoadRules >>
LoadRules - Getting the rules from the rule resolver class ...
LoadRules - Enumerating rules ...
PopulateRuleFromDB >>
PopulateRuleFromDB - Processing rule : [Delete @aexp.com email]
>> GetRuleAppliesToEmailInThisDirection [AV_MAILDIRECT_INBOUND]
GetRuleAppliesToEmailInThisDirection - Rule applies to direction : VALUEID_AC_CHECKINBOUND
<< GetRuleAppliesToEmailInThisDirection() == TRUE
PopulateRuleFromDB - Rule applies to this direction, getting rule properties
PopulateRuleFromDB = TRUE <<
LoadRules - Enumerating rules ... done
LoadRules = TRUE <<
ProcessMail - Number of rules loaded : 1
ProcessMail - Processing mail item ...
CheckMailItem >>
CheckMailItem - No rules defined which have check subject enabled
CheckMailItem - No rules defined which have check body enabled
CheckMailItem - No rules defined which have check attachments enabled
CheckHeaders >>
Checking for infringed Rules
Checked for infringed Rules
CheckHeaders - Checking rule [Delete @aexp.com email] ...
FindMatch >>
FindMatch = FALSE <<
FindMatch >>
FindMatch = FALSE <<
FindMatch >>
FindMatch - match: [aexp.com]
FindMatch = TRUE <<
>> FormulateErrorReport_MatchInHeader
Short Description [Triggered rule Delete @aexp.com email"]"
Long Description [Match in header triggered rule Delete @aexp.com email" (Match found: aexp.com)]"
<< FormulateErrorReport_MatchInHeader
FindMatch >>
FindMatch = FALSE <<
FindMatch >>
FindMatch = FALSE <<
FindMatch >>
FindMatch = FALSE <<
CheckHeaders = FALSE <<
CheckMailItem = FALSE <<
ProcessMail - Message-ID [<53282CB8.5070805@sage.co.uk>] [27] <<---
ProcessMail [EMAA_ERR_DBACTION] <<
Note: This message had a single rule checked. This rule checked the headers for aexp.com, which it found (FindMatch - match: [aexp.com]), and the message was blocked (FindMatch = TRUE <<). The Long Description lets us know the exact reason the email was blocked, while the Short Description is what would be shown in the Quarantine.
Module is disabled:
ProcessMail - Preparing to scan mail...
ProcessMail - Mail Direction = 0 : AV_MAILDIRECT_INBOUND
ProcessMail - Email subject: [No Obligation Life Insurance Quotes in Seconds]
LoadRules >>
LoadRules - Getting the rules from the rule resolver class ...
LoadRules - Enumerating rules ...
LoadRules - Enumerating rules ... done
LoadRules = TRUE <<
ProcessMail - Number of rules loaded : 0
ProcessMail - Message-ID [<7403211825449740345232320684452@gfitest.info>] [0] <<---
ProcessMail [EMAA_ERR_SUCCESS] <<
Note: The log contains no explicit "disabled" message; no checks are performed because no rules are enabled (loaded).
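
The manual reading of the three excerpts above can be scripted. The following is an added example, not GFI code: it pulls the ProcessMail block for one Message-ID out of log text and reports the fields the notes point to. The function name `explain`, the verdict labels and the sample Message-IDs are assumptions, and it assumes the lines of one message are not interleaved with another's.

```python
import re

# Constructed sample in the layout of the excerpts above (Message-IDs are made up).
SAMPLE_LOG = """\
ProcessMail - Message-ID [<blocked-1@example.test>] --->>
ProcessMail - Mail Direction = 0 : AV_MAILDIRECT_INBOUND
ProcessMail - Number of rules loaded : 1
CheckHeaders - Checking rule [Delete @aexp.com email] ...
FindMatch - match: [aexp.com]
FindMatch = TRUE <<
Long Description [Match in header triggered rule Delete @aexp.com email" (Match found: aexp.com)]"
ProcessMail - Message-ID [<blocked-1@example.test>] [27] <<---
ProcessMail [EMAA_ERR_DBACTION] <<
ProcessMail - Message-ID [<norules-2@example.test>] --->>
ProcessMail - Mail Direction = 0 : AV_MAILDIRECT_INBOUND
ProcessMail - Number of rules loaded : 0
ProcessMail - Message-ID [<norules-2@example.test>] [0] <<---
ProcessMail [EMAA_ERR_SUCCESS] <<
"""

END = re.compile(r"ProcessMail \[(EMAA_\w+)\] <<")  # last line of a message's block
PATTERNS = {  # one capture per field the notes tell you to look at
    "direction": r"Mail Direction = \d+ : (\w+)",
    "rules_loaded": r"Number of rules loaded : (\d+)",
    "rules_checked": r"- Checking rule \[(.*?)\] \.\.\.",
    "matches": r"FindMatch - match: \[(.*?)\]",
    "long_description": r"Long Description \[(.*)\]",
}

def explain(log_text, message_id):
    """Summarise the ProcessMail block that mentions message_id, or return None."""
    needle = "Message-ID [<%s>]" % message_id.strip("<>")
    block = []
    for line in log_text.splitlines():
        block.append(line)
        end = END.search(line)
        if end and any(needle in l for l in block):
            text = "\n".join(block)
            out = {k: re.findall(rx, text) for k, rx in PATTERNS.items()}
            out["result"] = end.group(1)
            out["verdict"] = ("blocked" if out["matches"] else
                "not scanned (no rules loaded)" if out["rules_loaded"] == ["0"] else "allowed")
            return out
        if end:
            block = []  # finished block belonged to a different message
    return None
```

For an allowed message, compare the number of entries in `rules_checked` with `rules_loaded` to confirm that every loaded rule was actually evaluated.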