5.2. Email History

Overview

Audit > Email History shows processing details and email-related events in the system.

No auto refresh

For usability reasons, the Email history list is not updated automatically. Click the Refresh icon to update it.

N/A Scan result

The N/A Scan result value means that MetaDefender Core was not involved in the processing of this entry.

Such cases are:

  • Notifications for blocked emails

  • Released from quarantine

  • Forwarded from quarantine

  • Delivered for external quarantining

Empty Rule

The empty Rule value means that the email was not received from outside, but was generated from within Email Gateway Security.

Such cases are:

  • Notifications for blocked emails

  • Email alerts

  • Quarantine reports

Filtering

The list of emails can be filtered by:

  1. Date

  2. Sender

  3. Recipient

  4. Subject

  5. Status

  6. Scan verdict

  7. Whether the email has attachments or not

  8. Rule priority

  9. Classifications (see 5.11. Email classifications)

  10. Tags (see 5.12. Email tags)

Multiple values

For the status, classifications and tags filters, multiple values can be specified.

Time window

For the date filter, a time window can be specified.

Email details

Clicking an Email history list entry displays public details about the processing of the specific email.

The [Show result] link points to the scan details on the MetaDefender Core instance where the actual scanning took place.

Broken scan details links

The [Show result] link uses the Core address as specified under Settings > Server profiles. If Core is specified with an address that is not reachable from the machine on which the web management console is being browsed, the browser will report an error.

Example

Core and Email Gateway Security are installed on the same machine, and Core is referenced with the URI http://127.0.0.1:8008 on Email Gateway Security. If Email Gateway Security's web management console is browsed from any other machine, then (most probably) the [Show result] link will be broken, because 127.0.0.1 then refers to the browsing machine rather than to the Core host.

For details see 4.6. Server profiles.

Classifications

To reflect the risk level of a certain email, Email Gateway Security applies classifications. For details see 5.11. Email classifications.

Priority

The priority of the email is displayed in the list and in the Email details view. The following icons represent each priority:

  1. High:

  2. Low:

For details see 4.4. Policy.

Processing history

The processing history section of the email details contains information about the processing of the email.

The following types of entries are listed:

| Type | Description | Example |
|---|---|---|
| StatusChange | Added when a status change occurs. If the status change was manually initiated, the message contains the name of the user that executed the REST call. | LOCAL/admin changed status from Failed to Pending |
| ScanFailed | Added when a scan failure occurs. | Scan failed on url https://localhost:8008 (Reason: Core unavailable) |
| SendDetails | Added when sending an email. | Sending email to smtp://127.0.0.1:25 |
| SendSucceeded | Added when sending an email succeeded. | SMTP send succeeded to smtp://127.0.0.1:25 |
| SendFailed | Added when a send failure occurs. | SMTP send failed to smtps://localhost:587 (Response: No connection could be made because the target machine actively refused it 127.0.0.1:587) |
| ModifyFailed | Added when an email cannot be modified/sanitized (e.g. parsing error). | |
| ForkEmail | Occurs when an email is forked (e.g. different policy rules apply to different recipients, partial send failure for certain recipients). | |
| DuplicateEmail | Occurs when email content is duplicated (e.g. original copy is moved to quarantine, quarantined original copy is forwarded). | |
| ScanVerdict | Added when we receive a scan verdict for a file related to the email. | email/[body].txt: No Threat Detected |
| VaultUpload | Added when uploading an attachment to MetaDefender Vault. | Attachment 'LargeAttachment' was uploaded to Vault |
| ModifyEmail | This event is added when all email modifications are complete and the email is ready to be sent. | Modification/Sanitization of email completed |
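
The following Python sketch is an added example, not part of the product or its documentation. It parses processing-history messages of the shapes shown in the Example column and collects user-initiated status changes, scan and send failures, and scan verdicts for review. The regular expressions assume the example messages above are representative; `parse_entry`, `summarize` and `SAMPLE` are hypothetical names.

```python
import re

# Message shapes taken from the Example column above; treating them as
# stable formats is an assumption of this sketch.
PATTERNS = {
    "StatusChange": re.compile(r"^(?P<user>\S+) changed status from (?P<old>\w+) to (?P<new>\w+)$"),
    "ScanFailed": re.compile(r"^Scan failed on url (?P<url>\S+) \(Reason: (?P<reason>.+)\)$"),
    "SendFailed": re.compile(r"^SMTP send failed to (?P<url>\S+) \(Response: (?P<reason>.+)\)$"),
    "SendSucceeded": re.compile(r"^SMTP send succeeded to (?P<url>\S+)$"),
    "ScanVerdict": re.compile(r"^(?P<file>.+): (?P<verdict>[^:]+)$"),
}

def parse_entry(entry_type, message):
    """Return the named fields of one entry, or {} if the shape is unknown."""
    pattern = PATTERNS.get(entry_type)
    match = pattern.match(message) if pattern else None
    return match.groupdict() if match else {}

def summarize(history):
    """Collect user-initiated status changes, failures and verdicts."""
    summary = {"user_changes": [], "failures": [], "verdicts": {}}
    for entry_type, message in history:
        fields = parse_entry(entry_type, message)
        if not fields:
            continue  # entry types without a known message shape are skipped
        if entry_type == "StatusChange":
            summary["user_changes"].append((fields["user"], fields["old"], fields["new"]))
        elif entry_type in ("ScanFailed", "SendFailed"):
            summary["failures"].append((entry_type, fields["url"], fields["reason"]))
        elif entry_type == "ScanVerdict":
            summary["verdicts"][fields["file"]] = fields["verdict"]
    return summary

# Constructed sample: the example messages from the table, as one history.
SAMPLE = [
    ("ScanFailed", "Scan failed on url https://localhost:8008 (Reason: Core unavailable)"),
    ("StatusChange", "LOCAL/admin changed status from Failed to Pending"),
    ("ScanVerdict", "email/[body].txt: No Threat Detected"),
    ("SendDetails", "Sending email to smtp://127.0.0.1:25"),
    ("SendFailed", "SMTP send failed to smtps://localhost:587 (Response: No connection could be made because the target machine actively refused it 127.0.0.1:587)"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```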

Cleanup

Scheduled

Configure scheduled Email History cleanup under Settings > Data Retention / Email history cleanup schedule.

On-demand

To clean up Email History on demand, click the broom icon and select the time window of the cleanup.

Operations

Bulk email operations

Use the checkbox in front of each row to select entries (or use the checkbox in the header row to select all visible items).

Only visible selected

Only visible elements are selected. Elements that are not visible (due to pagination, search or filtering) are not selected even by the select all checkbox.

Only Failed or Reprocessing can be selected

Only emails that are in the Failed or Reprocessing status can be selected, because these are the only emails to which bulk operations (Retry email, Delete email, Download email) are applicable.

For other entries the original email is not kept, hence the operations would not work.

To understand what can cause an email to fail, see the section Processing status values.

Operations applicable to all selected

Only operations that are applicable to all selected emails are available.

For example, if both Failed and Reprocessing emails are in the selection, then the Retry email function will be available.

Export to CSV

Clicking the Export to CSV button exports the history list (according to the current filter conditions) to a CSV file.

Data range

The currently active filter conditions apply to the exported list.

All filtered data is exported, even if the list spans multiple pages.

Differentiating forked emails

In some cases there are seemingly duplicate entries in Email history. Such cases are when an email is:

  • Released from quarantine,

  • Forwarded from quarantine,

  • Delivered for external quarantining.

These cases are marked in Email history with the following icons in the history list:

Processing status values

Workflow statuses

Emails with statuses listed below are progressing through the MetaDefender Email Gateway Security workflow.

Pending

Email is queued waiting to be processed.

Processing

Email is currently being processed.

Sending

Email has been processed and is being delivered to the SMTP relay server.

Completed

This status is deprecated since 4.4.0. It was replaced by Sent and Blocked.

Email has been successfully processed and sent forward or blocked.

Sent

Email has been successfully processed and forwarded.

Blocked

Email has been blocked.

Temporary failure statuses

Emails with statuses listed below are in an automatic retry sequence.

Reprocessing

MetaDefender Email Gateway Security has failed to process the email and it is currently pending a retry.

Possible causes

  • MetaDefender Core server down/not responding

  • Archive engine is not active on MetaDefender Core

  • The Enable archive handling option is not enabled for the rules on MetaDefender Core (those defined in the Core server policies that are in use by the rules on MetaDefender Email Gateway Security)

Resending

MetaDefender Email Gateway Security has failed to forward the email to the SMTP relay server and it is currently pending a retry.

Possible causes

  • SMTP relay server down/not responding

  • SMTP relay server rejects the email

Permanent failure statuses

Emails with statuses listed below require user interaction, since the retry sequence is exhausted.

Failed

Email has exceeded the retry count and cannot be processed/delivered.

Possible causes

  • The retries for a temporary processing failure have been exhausted (see 4.3. Settings), which leads to this permanent failure status.

Possible actions

  • Manually retry/delete email from the MetaDefender Email Gateway Security web interface.

Forbidden

No policy rule matching the email was found, and the email requires manual delivery.

Possible actions

  • Manually retry/delete email from the MetaDefender Email Gateway Security web interface.

Other statuses

Quarantined

Email is located in quarantine.

Possible actions

  • Manually deliver/delete/forward email from the MetaDefender Email Gateway Security web interface.

Deleted

Emails with this status have been manually deleted by a user.