How can I determine which word triggered a dictionary list in attachment?

keithsauer507
Level 5

We have an IronPort C160 and an outgoing message was blocked due to our language filters. The logs indicate that an attached Word document matches

dictionary-match("sexual_content_txt", 1).

Since the dictionary match is not in the actual body of the e-mail, the triggered phrase is not highlighted in our policy view in the web GUI. I can download the attachment and after reading it, I find no issues with it at all (it's a legitimate policy from a VP to an Auditor). I am going to release the email as was requested. However, I am just curious as to what in tarnation is triggering the dictionary match. Is there any way to find this out? Sometimes there are some nonsense words that we do find from time to time and we remove them from the dictionaries.


Keith,

Typically I see that when the attachment is too big.

Check the mail logs for the email in question and see if it's choking there…

Ken

Donald Nash
Level 3

Keith,

I wrote a Perl script to solve this problem. It loads the patterns from an exported content dictionary, then reads stdin and attempts to match each line against the patterns, and prints the matches it finds. AsyncOS uses Python's "re" module under the hood, so Perl's regex interpreter isn't the best match, but it gets the job done. This script would be better written in Python, but I don't know Python.

There are a few caveats to using a script like this. First, IronPort doesn't document exactly what regex patterns underlie their Smart Identifiers, so you won't be able to interpret these. Second, the "match whole words" and "case sensitive" settings are not exported with a dictionary. If you want to respect them then you'll need to use something like command line options on your script to signal them. For me, it was sufficient to ignore the "match whole words" setting and to make all matches case insensitive.

++Don
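A Python sketch of the approach described in the reply above, added here as an example; it is not Don's Perl script and not Cisco code. It assumes the exported dictionary has one term per line with an optional `, weight` suffix, that entries starting with `*` are Smart Identifiers (skipped, since their patterns are undocumented), and that the attachment's text has already been extracted and is piped in on stdin.

```python
import re
import sys

def load_dictionary(lines, whole_words=False, case_sensitive=False):
    """Compile each dictionary term as a regex; return (patterns, skipped)."""
    flags = 0 if case_sensitive else re.IGNORECASE
    patterns, skipped = [], []
    for raw in lines:
        entry = raw.strip()
        if not entry:
            continue
        # Assumed format: "term" or "term, weight" (weight is an integer).
        term, sep, weight = entry.rpartition(",")
        if sep and weight.strip().isdigit():
            term, weight = term.strip(), int(weight)
        else:
            term, weight = entry, 1
        if term.startswith("*"):        # assumed Smart Identifier marker
            skipped.append(term)
            continue
        # These two settings are not in the export, so the caller chooses.
        source = rf"\b(?:{term})\b" if whole_words else term
        try:
            patterns.append((term, weight, re.compile(source, flags)))
        except re.error:                # term is not a valid Python regex
            skipped.append(term)
    return patterns, skipped

def find_matches(patterns, text_lines):
    """Return (line number, term, weight, matched text) for every hit."""
    hits = []
    for lineno, line in enumerate(text_lines, 1):
        for term, weight, rx in patterns:
            for m in rx.finditer(line):
                if m.group(0):          # ignore zero-length matches
                    hits.append((lineno, term, weight, m.group(0)))
    return hits

if __name__ == "__main__":
    # Usage: python dictmatch.py exported_dictionary.txt [-w] [-c] < text.txt
    with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
        pats, skipped = load_dictionary(fh, "-w" in sys.argv, "-c" in sys.argv)
    for term in skipped:
        print(f"skipped (not tested): {term}", file=sys.stderr)
    for lineno, term, weight, text in find_matches(pats, sys.stdin):
        print(f"line {lineno}: term {term!r} (weight {weight}) matched {text!r}")
```

Running it once without `-w` and once with it shows whether a hit comes from a short term matching inside a longer, innocent word.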

exMSW4319
Level 3

The GUI does show the offending phrase found by a content rule if the rule places the offending message in a quarantine, though I get the impression that AsyncOS simply acts once the rule threshold is reached and does not test the remainder of the dictionary.

If memory serves, the filter will get the message first before any content rule so any test would also need to impose a temporary condition on the filter.
