How can I determine which word triggered a dictionary list in attachment?

Unanswered Question
May 9th, 2012

We have IronPort C160 and an outgoing message was blocked due to our language filters.  The logs indicate that an attached word document matches

dictionary-match("sexual_content_txt", 1).

Since the dictionary match is not in the actual body of the e-mail, the triggered phrase is not highlighted in our policy view in the web gui.  I can download the attachment and after reading it, I find no issues with it at all (its a legitimate policy from a VP to an Auditor).  I am going to release the email as was requested.  However I am just curious as to what in carnation is triggering the dictionary match.  Is there any way to find this out?  Sometimes there are some nonsense words that we do find from time to time and we remove them from the dictionaries.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
kstieers1 Wed, 05/09/2012 - 07:48

Keith,

Typically I see that when the attachment is too big.

Check the mail logs for the email in question and see if its choking there…

Ken

dlnash018 Wed, 05/09/2012 - 10:16

Keith,

I wrote a Perl script to solve this problem. It loads the patterns from an exported content dictionary, then reads stdin and attempts to match each line against the patterns, and prints the matches it finds. AsyncOS uses Python's "re" module under the hood, so Perl's regex interpreter isn't the best match, but it gets the job done. This script would be better written in Python, but I don't know Python.

There are a few caveats to using a script like this. First, IronPort doesn't document exactly what regex patterns underly their Smart Identifiers, so you won't be able to interpret these. Second, the "match whole words" and "case senstive" settings are not exported with a dictionary. If you want to respect them then you'll need to use something like command line options on your script to signal them. For me, it was sufficient to ignore the "match whole words" setting and to make all matches case insenstive.

++Don

exMSW4319 Sun, 05/27/2012 - 03:37

The GUI does show the offending phrase found by a content rule if the rule places the offending message in a quarantine, though I get the impression that Asyncos simply acts once the rule threshold is reached and does not test the remainder of the dictionary.

If memory serves, the filter will get the message first before any content rule so any test would also need to impose a temporary condition on the filter.

Actions

Login or Register to take actions

This Discussion

Posted May 9, 2012 at 6:11 AM
Stats:
Replies:3 Avg. Rating:
Views:1102 Votes:0
Shares:0

Related Content

Discussions Leaderboard