Email Message Tracking

Procedure

1. Go to Logs → Message Tracking.
2. Specify the search criteria.

   Note No wildcards are supported. Deep Discovery Email Inspector uses fuzzy logic to match search results.

   Filter	Description
   Period	Select a predefined time range or specify a custom range.
   Recipients	Specify a recipient email address. Only one address is allowed.
   Email header (To)	Specify a primary recipient email address in the email header.
   Sender	Specify the sender email address.
   Email header (From)	Specify the author email address in the email header.
   Subject	Specify the email message subject.
   Direction	Specify the message direction.
   Message ID	Specify the unique message ID. Example: 20160603021433.F0304120A7A@example.com
   Source IP	Specify the MTA IP address nearest to the email sender. The source IP is the IP address of the attack source, compromised MTA, or a botnet with mail relay capabilities. A compromised MTA is usually a third-party open mail relay used by attackers to send malicious email messages or spam without detection.
   Risk level	Select All or the email message risk level.
   TLS (Upstream)	Select a TLS version for inbound SMTP traffic.
   TLS (Downstream)	Select a TLS version for outbound SMTP traffic.
   Latest status	Select any of the following check boxes: Deleted: Messages that were deleted based on content filtering or threat protection rules, or from the Quarantine. Delivered/Processing completed: Messages that were delivered. In BCC mode and SPAN/TAP mode, email messages with this status are discarded. Delivery unsuccessful: Messages that could not be delivered. In BCC mode and SPAN/TAP mode, email messages are never delivered. Recipient changed: Messages with the recipient changed. Quarantined: Messages that were quarantined in keeping with your Deep Discovery Email Inspector policies. In BCC mode and SPAN/TAP mode, email messages are never quarantined. Queued for delivery: Messages that are pending delivery. In BCC mode and SPAN/TAP mode, email messages with this status are queued to be discarded. Queued for sandbox analysis: Messages that are pending analysis.

3. Click Query.
   Logs matching the search criteria appear in the table. The query results include message ID, recipients, sender, subject, risk level, latest status, and received timestamp.

   Note You can clear the search criteria by clicking Clear filters.

4. View the results.
   • Click the icon next to a row to view detailed information about the email message.

     Field	Description
     Message details	This field displays the following information: Source IP: Displays the MTA IP address nearest to the email message sender. Example: 123.123.123.123. Sender IP: Displays the sender IP address Direction: Displays the SMTP traffic direction TLS (Upstream): Displays the TLS version for the inbound SMTP traffic TLS (Downstream): Displays the TLS version for the outboud SMTP traffic
     Processing history	View how Deep Discovery Email Inspector processed the email message. The following are the possible processing actions: Action set to 'pass': The Pass policy action was applied to the email message. A copy of the email message was released by the user. This only applies if the Strip attachments, redirect links to blocking page, and tag and Strip attachments, redirect links to warning page, and tag policies were applied to the original email message. Deleted: The email message was deleted based on content filtering or threat protection rules, or from the Quarantine. Delivered: The email message was delivered. Not analyzed: Virtual Analyzer was unable to complete the analysis for the reason specified. Processing completed: Analysis was completed and the email message was discarded. This is the final status in BCC and SPAN/TAP mode. Quarantined (reason): The email message was quarantined in keeping with your Deep Discovery Email Inspector policies. In BCC mode and SPAN/TAP mode, email messages are never quarantined. Queued for delivery: The email message is pending delivery. In BCC mode and SPAN/TAP mode, email messages with this status are queued to be discarded. Received: The email message was received by Deep Discovery Email Inspector. Recipient changed: The recipient for the email message has been changed. Sent for analysis: The email message was sent to Virtual Analyzer for analysis. Stripped: Attachments were stripped from the email message and it was passed for delivery.
     Action	Do any of the following: Quarantined Message: View in Quarantine Release from Quarantine View in Detected Messages Non-Quarantined Message, with high/medium/low risk level: View in Threat Messages No Risk Detected Message: No Action Links

   Note Deep Discovery Email Inspector sorts logs using UTC 0 time, even if the display is in local time.

5. Perform additional actions.
   • Click Export to save the query results in a CSV file.

     Note Only the first 50000 entries in the query results are included in the CSV file.

   • The panel at the bottom of the screen shows the total number of objects. If all objects cannot be displayed at the same time, use the pagination controls to view the objects that are hidden from view.