Traffic Reporting Tool questions

jgassie_ironport · ‎11-29-2005

I have some questions regarding the Traffic Reporting Tool (aka Log Based Reporting Tool, www.ironportnation.com/tools).
The html report has interesting totals for Blocked, Spam, Virus, and Clean Messages. I'm trying to determine what exactly is being added together from the extracted CSV file to get those totals. Can anyone provide a simple explanation of which columns from the CSV files are added, for example, to retrieve the Blocked by Reputation totals? When I examine the CSV file and the columns, the figures don't seem to add up, or else I'm not clear on the meaning of some of the columns, so this would be excellent information to know...

Thanks..

kroeder_ironport · ‎12-01-2005

The log based reporting tool uses the following:

Blocked by Reputation is -- blocked/rejected connections due to SBRS multiplied by 1.6 (this number was the average number of messages per connection -- in reality this may actually be higher for spam as more spam has more recipients than most)

Messages themselves are the number of MIDs (message id) added to the work queue (requires at least one valid recipient), a message id is created per incoming policy. If only a default policy exists an incoming email will count as a single MID. However if you have two recipients each on a seperate incoming mail policy it will count as 2 MIDs.

Spam is of course a MID which is flagged as spam, likewise for Virus and Clean is neither flagged as Spam or Virus.

--

The MFM version which is the CSV based one will now be slightly different as v4.5.5 now uses "Recipient Messages" where each recipients is a message. Not the number of messages which get saved to the queue (as per the log based version)

Another caveat is that MFM only has raw counts of spam+ and virus+ so calculation of clean messages is an estimate since we dont know what count of spam+ were also virus+.

Hopefully this makes enough sense to help out,

Kevin

jgassie_ironport · ‎12-12-2005

Will this report be upgraded? The link is still disabled, even though 4.5.5 is available. The numbers from this tool don't compare well with the MFC reports or reports built into Ironport. I called Ironport support about the differences, and they said they won't support this reporting tool. This report generates totals for Blocked, Spam, Virus, and Clean... I'm trying to reconcile these numbers with numbers from Ironport reports, but they just don't match up.

For example, MFC reports total incoming msgs as 78938.
Ironport Summary reports total incoming msgs as 81272 (not matching MFC)
MFM reporting tool v1.2 lists
Blocked by Reputation as 259168, and Clean messages as 115470, values that are far greater than MFC or Ironport suggests for the same day.
Who can make heads or tails out of that mess? Of course, if MFM tool only reports estimates, it would seem clear that I should stay far away from the MFM reporting tool based on these results.

Another thing I'm trying to do is force certain messages into a category such as "Spam"... if I have a message filter that sends messages to a separate quarantine server (such as Brightmail Quarantine), I'd like to know how I can tag the message such that the reports consider it a spam message. Otherwise, I believe those messages end up considered as "Clean" as far as the reports go.