Messaging Gateway


UNTESTED logs

  • 1.  UNTESTED logs

    Posted 07-24-2016 08:31 AM

    Hi,

    I have received these logs on the remote syslog; the thing is, I cannot determine why there are a lot of content_xx entries in the logs:

    UTC|UID|UNTESTED

    <timestamp>scanner_host bmserver[767]: 1468742517|0a11033d-107ff700000003ae-db-578b3b71c702|UNTESTED|sample@abc.com|has_urls|dz_document|unscannable_pmc|content_500|content_100|content_600|content_200|content_1467378199437|content_1468480937180|content_1468149396293|content_1467290403757|content_300|content_1467315954241|content_520|content_521|content_1467029228427|content_400|content_1467028895494|user_allow|user_deny|freq_va|freq_dha|freq_sa|connection_class_0|connection_class_1|connection_class_2|connection_class_3|connection_class_4|connection_class_5|connection_class_6|connection_class_7|connection_class_8|connection_class_9|senderauth_batv_sign|senderauth_batv_fail|blockedlang|knownlang

     

    Can anyone help me by explaining this kind of log?



  • 2.  RE: UNTESTED logs

    Posted 07-25-2016 05:34 AM

    Hi,

    Quite simple - "UNTESTED" means that these rules were not checked because they overlap with others and have no impact.

    In other words, for this inbound mail all listed rules did not fire / were not applied.

    Regards

    Thomas



  • 3.  RE: UNTESTED logs



  • 4.  RE: UNTESTED logs

    Posted 07-25-2016 07:08 AM

    Hi,

    Please take a look at https://support.symantec.com/en_US/article.TECH232772.html

    It explains a few of the verdicts but not all:

    content_.... if you open one of your content rules, within the URL you will find the policy number which is applied or untested.

    has_urls ... as I see, currently not used

    dz_document ... as I see, currently not used

    unscannable_pmc ... unscannable but has potentially malicious content

    user_allow | user_deny ... Your good | bad senders list

    connection_class_x ... your local connection classification

    senderauth_batv_sign | fail ... bounce address tag validation signed or query failed

    knownlang | blockedlang ... if you check on used language and allow | block a certain one

    This list is not a complete one. Even though I requested full documentation, no one at Symantec could provide me with a complete list.

    It took me several weeks to complete "my list" used for alerting and reporting.

    If you need a certain one more, just let me know.

    Regards

    Thomas
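
Added example, not part of the thread and not Symantec code: a Python parser that splits a line like the one in the first post into its pipe-separated fields and groups the rule tokens by the meanings given in reply 4. It assumes the first field is an epoch timestamp in UTC (per the `UTC|UID|UNTESTED` header) and that fields containing `@` are addresses; the names `parse_verdict_line` and `MEANINGS` are hypothetical, and the sample line is constructed by shortening the posted one.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: the line from the first post, shortened to a few tokens.
SAMPLE = ("<timestamp>scanner_host bmserver[767]: 1468742517|"
          "0a11033d-107ff700000003ae-db-578b3b71c702|UNTESTED|sample@abc.com|"
          "has_urls|unscannable_pmc|content_500|content_1467378199437|"
          "user_allow|freq_va|connection_class_3|senderauth_batv_fail|blockedlang")

# Meanings as given in reply 4 of this thread, which says its list is incomplete.
MEANINGS = [
    (r"content_\d+", "content rule (number is the policy number)"),
    (r"has_urls|dz_document", "reported as currently not used"),
    (r"unscannable_pmc", "unscannable, potentially malicious content"),
    (r"user_(allow|deny)", "good/bad senders list"),
    (r"connection_class_\d", "connection classification"),
    (r"senderauth_batv_(sign|fail)", "bounce address tag validation"),
    (r"(known|blocked)lang", "language allow/block check"),
]
LINE_RE = re.compile(r"bmserver\[\d+\]:\s*(\d+)\|([^|]+)\|([A-Z_]+)\|(.+)$")

def parse_verdict_line(line):
    """Split one bmserver verdict line into time, UID, verdict, addresses, rules."""
    m = LINE_RE.search(line.strip())
    if m is None:
        return None  # not a verdict line in the assumed layout
    utc, uid, verdict, rest = m.groups()
    fields = [f for f in rest.split("|") if f]
    grouped = defaultdict(list)
    for tok in (f for f in fields if "@" not in f):
        # Tokens the thread does not cover (e.g. freq_*) are kept, not dropped.
        label = next((d for p, d in MEANINGS if re.fullmatch(p, tok)),
                     "not explained in thread")
        grouped[label].append(tok)
    return {
        "time": datetime.fromtimestamp(int(utc), tz=timezone.utc).isoformat(),
        "uid": uid,
        "verdict": verdict,
        "addresses": [f for f in fields if "@" in f],  # assumption: address fields
        "rules": dict(grouped),
    }

if __name__ == "__main__":
    rec = parse_verdict_line(SAMPLE)
    print(rec["time"], rec["verdict"], rec["addresses"])
    for label, toks in rec["rules"].items():
        print(f"  {label}: {', '.join(toks)}")
```
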

     



  • 5.  RE: UNTESTED logs

    Posted 07-25-2016 09:33 AM

    Dear Thomas.

     

    Thank you for this information, it's a big help.

     

    Appreciated.

     

    Regards,