Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

How can I see WHY a message was encrypted?

On our Postx box, I used to be able to see specifically what caused a message to become encrypted (for example a social security number). It would report what keyword(s) triggered the encryption.

We just replaced the Postx with an IronPort C150 (love it!) and I would like to be able to get the same info. I see that I can go to Monitor -> Content Filters to see which users had encrypted mail, then I can use Message tracking to see details including that the message WAS encrypted, however I would like to see the details of WHAT triggered the content filter.

Thank you.

2 REPLIES
New Member

Re: How can I see WHY a message was encrypted?

A way to see what triggered the filter (in your case encryption filter) is to set up one of the actions to your filter to duplicate quarantine, this would send a copy of the message to system quarantine and follow the rest of the path (other actions). This way a copy of the message is sent to the system quarantine and viewing the message in system quarantine would should what content of the message was matched by the filter.

Hope this helps!

-Kishore

New Member

Re: How can I see WHY a message was encrypted?

I have no experience with the Ironport encryption solutions at all but a possible solution might be to add a second action to your policy that writes the required info into an X- header.
if you enable logging for this header you will see the results in your log files.

I can imagine you do not want the information in the X-header to be public (which is the nature of X- headers).
There are two possible solutions for that.
1) Use numeric codes for the data in the X-header. Only you have the matching table to see what code points to what message filter or filer action.

2) Play around with policies and message filters. They are always executed in the same order (which I do not recall at the moment) if you make sure the first of the two does the detection and adds the header, you can use the second to strip the header out of the message.

Quite complex but possible for sure!

Good luck
Steven

133
Views
0
Helpful
2
Replies