Understanding Mail Tracking

This screen is designed for you to track email messages that passed through Trend Micro Email Security, including blocked or delivered messages. Trend Micro Email Security maintains up to 90 days of mail tracking logs. The sliding window for mail tracking log search is 60 continuous days, which may span calendar months.

Note:

The sliding window for mail tracking log search is 30 days in the Trend Micro Email Security Standard license.

For details about different license versions, see Available License Versions.

The Mail Tracking screen provides the following search criteria:
  • Period: The time range for your query.

    • Last 1 hour

    • Last 24 hours

    • Last 7 days

    • Last 14 days

    • Last 30 days

    • Custom range

  • Direction: The direction of messages.

    • Incoming

    • Outgoing

  • Recipient: The envelope recipient address.

  • Sender: The envelope sender address.

  • Email Header (To): The recipient address in the message header.

  • Email Header (From): The sender address in the message header.

    Note:

    Pay attention to the following when setting the preceding four address fields:

    • Specify an exact email address or use wildcards (*) to substitute any characters in a search. In the general format of an email address (local-part@domain), be aware that:

      • The local part must be a wildcard (*) or a character string that does not start with *, for example, *@example.com or test*@example.com.

      • The domain must be a wildcard (*) or a character string that does not end with *, for example, example@* or example@*.test.com.

      • If this field is left blank, *@* is used by default.

    • Use wildcards (*) strategically to expand or narrow your search results. For example, put a wildcard (*) in the domain part to search by a particular user account on all domains or in the local part to match all accounts on a particular domain.

  • Type: The type of email traffic that you want to query.

    • Accepted traffic: The messages that were allowed in by Trend Micro Email Security for further processing.

      If you select Accepted traffic as your search condition, a summary of email message traffic accepted by Trend Micro Email Security is displayed. For a message that has multiple recipients, the result will be organized as one recipient per entry.

    • Blocked traffic: The attempts to send messages that were stopped by connection-based filtering at the MTA connection level or by Trend Micro Email Security incoming security filtering.

      If you select Blocked traffic as your search condition, you can further select a block reason. A summary of email message traffic blocked by Trend Micro Email Security is displayed.

      Note:

      Content-based filtering is not included in this category.

  • Action: The last action taken on the message.

    • All: All the actions will be matched for your search.

    • Bounced: Trend Micro Email Security bounced the message back to the sender because the message was rejected by the downstream MTA.

    • Temporary delivery error: Trend Micro Email Security attempted to deliver the message to the downstream MTA but failed due to unexpected errors. This is a transient state of the message, and a message should not remain in this state for an extended period of time.

    • Deleted: Trend Micro Email Security deleted the entire email message according to the matched policy.

    • Delivered: Trend Micro Email Security delivered the message to the downstream MTA.

    • Expired: Trend Micro Email Security bounced the message back to the sender because the message had not been delivered successfully for a long time.

    • Quarantined: Trend Micro Email Security held the message in quarantine awaiting actions because the message triggered a certain policy rule. Quarantined messages can be reviewed and manually deleted or delivered.

    • Redirected: Trend Micro Email Security redirected the message to a different recipient according to the matched policy.

    • Submitted to sandbox: Trend Micro Email Security submitted the message to Virtual Analyzer for further analysis. This is a transient state of the message, and the state will change once the Virtual Analyzer analysis result is returned or a Virtual Analyzer scan exception is triggered.

  • Subject: The email message subject.

    The Subject field supports the following:

    • Fuzzy match

      Type one or multiple keywords for a fuzzy match. If you type more than one keyword, all keywords will be matched based on a logical AND, which means the matched subject must contain every keyword. Wildcards (*) will be automatically added before and after each keyword for a fuzzy match.

    • Exact keyword or phrase match

      Enclose a keyword or phrase in quotes for an exact match. Only records that contain the exact keyword or phrase will be matched.

    For example, there are three email subjects:

    • Subject1: Hello world

    • Subject2: Hello new world

    • Subject3: "Hello"

    If you type Hello world in the Subject field, this is a fuzzy match, and Subject1 and Subject2 will be matched. If you type "Hello world", this is an exact match using quotes, and only Subject1 will be matched. If you want to search for Subject3, be aware that quotes are contained by the subject itself. In this particular case, use backslashes (\) as the escape characters and type \"Hello\" for search.

  • Message ID: The unique ID of an email message.

  • Upstream TLS: The version of the TLS protocol used by the upstream server to connect to Trend Micro Email Security.

    • All

    • TLS 1.0

    • TLS 1.1

    • TLS 1.2

    • TLS 1.3

    • None

  • Downstream TLS: The version of the TLS protocol used by Trend Micro Email Security to connect to the downstream server.

    • All

    • TLS 1.0

    • TLS 1.1

    • TLS 1.2

    • TLS 1.3

    • None

  • Downstream DANE: Whether DANE authentication is applied to TLS connections between Trend Micro Email Security and the downstream server.

    • All

    • Yes

    • No

  • Attachment SHA256 Hash: The SHA256 hash value of a message attachment. Specify a SHA256 hash value consisting of 64 hexadecimal characters or leave it blank.

    When a valid SHA256 hash value is specified, the Attachment Status field appears with the following options:

    • All: Query all messages containing the specified attachment. This is the default option.

    • Deleted: Query the messages with the specified attachment deleted.

    • Cleaned: Query the messages with the specified attachment cleaned for malware.

    • Bypassed: Query the messages with the specified attachment bypassed.

  • Timestamp: The time a message was received.

    Choose the ascending or descending order of time to sort the search results.
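The following Python is an added example, not code from Trend Micro or this documentation. It applies the wildcard rules for the Recipient, Sender and Email Header address fields (local part is * or does not start with *; domain is * or does not end with *; blank means *@*) to a set of constructed log records. Case-insensitive matching and rejection of patterns without exactly one @ are assumptions.

```python
import re

# Constructed sample records, not real Trend Micro Email Security log data.
SAMPLE_RECORDS = [
    {"sender": "test1@example.com", "recipient": "alice@corp.example"},
    {"sender": "test.user@example.com", "recipient": "bob@corp.example"},
    {"sender": "admin@example.com", "recipient": "alice@corp.example"},
    {"sender": "alice@mail.test.com", "recipient": "carol@corp.example"},
]

def normalize_address_pattern(pattern: str) -> str:
    """A blank address field means *@* (the documented default)."""
    return pattern.strip() or "*@*"

def validate_address_pattern(pattern: str) -> tuple[str, str]:
    """Split into (local, domain), enforcing the documented wildcard rules:
    local is '*' or does not start with '*'; domain is '*' or does not end with '*'."""
    pattern = normalize_address_pattern(pattern)
    if pattern.count("@") != 1:  # assumption: exactly one '@' is required
        raise ValueError(f"{pattern!r}: expected exactly one '@'")
    local, domain = pattern.split("@")
    if not local or (local != "*" and local.startswith("*")):
        raise ValueError(f"{pattern!r}: local part must be '*' or not start with '*'")
    if not domain or (domain != "*" and domain.endswith("*")):
        raise ValueError(f"{pattern!r}: domain must be '*' or not end with '*'")
    return local, domain

def is_valid_address_pattern(pattern: str) -> bool:
    """Boolean wrapper around validate_address_pattern for form-level checks."""
    try:
        validate_address_pattern(pattern)
        return True
    except ValueError:
        return False

def address_pattern_to_regex(pattern: str) -> re.Pattern:
    """Anchored regex for a validated pattern; each '*' becomes '.*'.
    Case-insensitive matching is an assumption, not documented behaviour."""
    local, domain = validate_address_pattern(pattern)
    escaped = re.escape(local) + "@" + re.escape(domain)
    return re.compile("^" + escaped.replace(r"\*", ".*") + "$", re.IGNORECASE)

def filter_records(records, sender="", recipient=""):
    """Keep records whose envelope sender and recipient both match their patterns."""
    sender_re = address_pattern_to_regex(sender)
    recipient_re = address_pattern_to_regex(recipient)
    return [r for r in records
            if sender_re.match(r["sender"]) and recipient_re.match(r["recipient"])]
```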
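As a second added example (again not code from Trend Micro or this page), the following Python implements the Subject field semantics described above, fuzzy AND matching with implicit wildcards, exact matching for a quoted phrase, and backslash-escaped quotes, and runs them over the three example subjects from the text. Case-insensitive containment and a blank query matching every subject are assumptions.

```python
from dataclasses import dataclass

# The three example subjects from the documentation, constructed here as test data.
SAMPLE_SUBJECTS = ["Hello world", "Hello new world", '"Hello"']

@dataclass
class SubjectQuery:
    exact: bool        # True when the whole query was wrapped in quotes
    terms: list[str]   # substrings that must all appear (logical AND)

def parse_subject_query(text: str) -> SubjectQuery:
    """Classify a Subject field value as an exact phrase or a fuzzy keyword list.
    A backslash followed by a quote is a literal quote character (the \"Hello\" case)."""
    text = text.strip()
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"' and not text.endswith('\\"'):
        # Exact match: the quoted phrase is kept whole, spaces included.
        return SubjectQuery(exact=True, terms=[text[1:-1].replace('\\"', '"')])
    # Fuzzy match: every whitespace-separated keyword gets implicit wildcards on
    # both sides, so each keyword only needs to appear somewhere in the subject.
    return SubjectQuery(exact=False, terms=[t.replace('\\"', '"') for t in text.split()])

def subject_matches(query: SubjectQuery, subject: str) -> bool:
    """Every term must be contained in the subject. Case-insensitivity is an
    assumption; a blank query (no terms) matches everything."""
    haystack = subject.lower()
    return all(term.lower() in haystack for term in query.terms)

def search_subjects(query_text: str, subjects: list[str]) -> list[str]:
    """Return the subjects that satisfy the parsed query, in their original order."""
    query = parse_subject_query(query_text)
    return [s for s in subjects if subject_matches(query, s)]
```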

When you query mail tracking information, use the various criteria fields to restrict your searches. After a query is performed, Trend Micro Email Security provides a list of log records that satisfy the criteria. Select one or more records and click Export to CSV to export them to a CSV file.

The most efficient way to query mail tracking information is to provide both sender and recipient email addresses within a time range that you want to search. For an email message that has multiple recipients, the result will be organized as one recipient per entry.

If the message you are tracking cannot be located using this strategy, consider the following:

  • Expand the result set by omitting the recipient.

    If the sender is actually blocked by connection-based filtering, the Blocked traffic results that do not match the intended recipient might indicate this. Provide only the sender and time range for a larger result set.

  • Look for other intended recipients of the same message.

    If the sender IP address has a "bad" reputation, mail tracking information will only be kept for the first recipient in a list of recipients. Therefore, the remaining message recipient addresses will not be listed when querying this sender.

  • Expand the result set by omitting the sender.

    If the sender IP address has a "bad" reputation, omit the sender and provide only the recipient. If only the recipient email address is provided, all the messages that pertain to the recipient will be listed.