Email Message Tracking

Track any email message that passed through Deep Discovery Email Inspector, including blocked and delivered messages. Deep Discovery Email Inspector records message details, including the sender, recipients, and the taken policy action.

Message tracking logs indicate if an email message was received or sent by Deep Discovery Email Inspector. Message tracking logs also provide evidence about Deep Discovery Email Inspector investigating an email message.

Parent topic: Logs

Querying Message Tracking Logs

  1. Go to Logs > Message Tracking.
  2. Specify the search criteria.
    Note:

    No wildcards are supported. Deep Discovery Email Inspector uses fuzzy logic to match search results.

    Filter

    Description

    Period

    Select a predefined time range or specify a custom range.

    Recipients

    Specify a recipient email address. Only one address is allowed.

    Email header (To)

    Specify a primary recipient email address in the email header.

    Sender

    Specify the sender email address.

    Email header (From)

    Specify the author email address in the email header.

    Subject

    Specify the email message subject.

    Direction

    Specify the message direction.

    Message ID

    Specify the unique message ID.

    Example: 20160603021433.F0304120A7A@example.com

    Source IP

    Specify the MTA IP address nearest to the email sender. The source IP is the IP address of the attack source, compromised MTA, or a botnet with mail relay capabilities.

    A compromised MTA is usually a third-party open mail relay used by attackers to send malicious email messages or spam without detection.

    Risk level

    Select All or the email message risk level.

    Latest status

    Select any of the following check boxes:

    • Deleted: Messages that were deleted based on content filtering or threat protection rules, or from the Quarantine.

    • Delivered/Processing completed: Messages that were delivered. In BCC mode and SPAN/TAP mode, email messages with this status are discarded.

    • Delivery unsuccessful: Messages that could not be delivered. In BCC mode and SPAN/TAP mode, email messages are never delivered.

    • Quarantined: Messages that were quarantined in keeping with your Deep Discovery Email Inspector policies. In BCC mode and SPAN/TAP mode, email messages are never quarantined.

    • Queued for delivery: Messages that are pending delivery. In BCC mode and SPAN/TAP mode, email messages with this status are queued to be discarded.

    • Queued for sandbox analysis: Messages that are pending analysis.
  3. Click Query.

    Logs matching the search criteria appear in the table. The query results include message ID, recipients, sender, subject, risk level, latest status, and received timestamp.

    Note:

    You can clear the search criteria by clicking Clear filters.

  4. View the results.

    • Click the icon next to a row to view detailed information about the email message.

      Field

      Description

      Message details

      Source IP: Displays the MTA IP address nearest to the email message sender.

      Example: 123.123.123.123.

      Processing history
      View how Deep Discovery Email Inspector processed the email message. The following are the possible processing actions:
      • Action set to 'pass':

        • The Pass policy action was applied to the email message.

        • A copy of the email message was released by the user. This only applies if the Strip attachments, redirect links to blocking page, and tag and Strip attachments, redirect links to warning page, and tag policies were applied to the original email message.

      • Deleted: The email message was deleted based on content filtering or threat protection rules, or from the Quarantine.

      • Delivered: The email message was delivered.

      • Not analyzed: Virtual Analyzer was unable to complete the analysis for the reason specified.

      • Processing completed: Analysis was completed and the email message was discarded. This is the final status in BCC and SPAN/TAP mode.

      • Quarantined (reason): The email message was quarantined in keeping with your Deep Discovery Email Inspector policies. In BCC mode and SPAN/TAP mode, email messages are never quarantined.

      • Queued for delivery: The email message is pending delivery. In BCC mode and SPAN/TAP mode, email messages with this status are queued to be discarded.

      • Received: The email message was received by Deep Discovery Email Inspector.

      • Sent for analysis: The email message was sent to Virtual Analyzer for analysis.

      • Stripped: Attachments were stripped from the email message and it was passed for delivery.

      Action

      Do any of the following:

      Quarantined Message:

      • View in Quarantine

      • Release from Quarantine

      • View in Detected Messages

      Non-Quarantined Message, with high/medium/low risk level:

      View in Threat Messages

      No Risk Message:

      No Action Links
    Note:

    Deep Discovery Email Inspector sorts logs using UTC 0 time, even if the display is in local time.

  5. Perform additional actions.

    • Click Export to save the query results in a CSV file.

      Note:

      Only the first 50000 entries in the query results are included in the CSV file.

    • The panel at the bottom of the screen shows the total number of objects. If all objects cannot be displayed at the same time, use the pagination controls to view the objects that are hidden from view.