Messaging Gateway

Hi,

I have received this logs to the remote syslogs, the thing is I cannot define why there's a lot of content_xx under the logs:

UTC|UID|UNTESTED

<timestamp>scanner_host bmserver[767]: 1468742517|0a11033d-107ff700000003ae-db-578b3b71c702|UNTESTED|sample@abc.com|has_urls|dz_document|unscannable_pmc|content_500|content_100|content_600|content_200|content_1467378199437|content_1468480937180|content_1468149396293|content_1467290403757|content_300|content_1467315954241|content_520|content_521|content_1467029228427|content_400|content_1467028895494|user_allow|user_deny|freq_va|freq_dha|freq_sa|connection_class_0|connection_class_1|connection_class_2|connection_class_3|connection_class_4|connection_class_5|connection_class_6|connection_class_7|connection_class_8|connection_class_9|senderauth_batv_sign|senderauth_batv_fail|blockedlang|knownlang

Can anyone can help me to explain this kind of logs.

Hi,

Quite simple - "UNTESTED" means that these rules were not checked becasuse they overlap with others and have no impact.

With other words, for this inbound mail all listed rules did not fire / were not applied.

Regards

Thomas

Hi Thomas,

Thank you for your reply.

I'm having hard time to understand what this content means. Do you have idea?

|has_urls|dz_document|unscannable_pmc|content_500|content_100|content_600|content_200|content_1467378199437|content_1468480937180|content_1468149396293|content_1467290403757|content_300|content_1467315954241|content_520|content_521|content_1467029228427|content_400|content_1467028895494|user_allow|user_deny|freq_va|freq_dha|freq_sa|connection_class_0|connection_class_1|connection_class_2|connection_class_3|connection_class_4|connection_class_5|connection_class_6|connection_class_7|connection_class_8|connection_class_9|senderauth_batv_sign|senderauth_batv_fail|blockedlang|knownlang

Regards,

Hi,

Please take a look at https://support.symantec.com/en_US/article.TECH232772.html

It explains a few of the verdicts but not all:

content_.... if you open one of your content rules within the url you will find the policy-number wich is applied or untested.

has_urls ... as i see, currently not used

dz_document ... as i see, currently not used

unscannable_pmc ... unscannable but has potentially malicious content

user_allow | user_deny ... Your good | bad senders list

connection_class_x ... your local connection classification

senderauth_batv_sign | fail ... bounce address tag validation signed or query failed

knownlang | blockedlang ... if you check on used language and allow | block a certain one

This list is not a complete one. Even i requested a full documentation noone at symantec could provide me a complete list.

It took me several weeks to complete "my list" used for alerting and reporting.

If you need a certain one more, just let me know.

Regards

Thomas

Dear Thomas.

Thank you for this information, its a big help.

Appreciated.

Regards,