How Can I Track Emails Coming In To Sonicwall Email Security?


Tracking emails.

You can trace a particular email to find out whether it ever reached the SonicWall device and whether it was rejected, deleted, junked or bounced.

Any email that hits the Email Security device, whether it is rejected, deleted, bounced or junked, is recorded in a log file called “Mfe”.

Follow these steps to get to the log:

 

Log in to the device as “admin”.

Go to Manage | System Setup | Server | Advanced | download system/Log files: Logs: Mfe (select it from the drop-down).

It displays the log files, each with its date as the file name.

Select the date for which you want to track emails and search for the email.

You can search using the sender’s or recipient’s email address or the subject of the email.


The log entries show the message location, message threat, sender’s IP, date and time, and the recipient it was sent to, along with other information.

To view it in a readable format, open the log file in MS Excel.

Message Location category:

  • ju = Junk box
  • rj = rejected
  • dv = delivered
  • qu = queued
  • bo = bounced

Message Threat Category:

  • ddha = Definite directory harvest attack
  • dspm = Definite Spam
  • lspm = Likely Spam
  • dvir = Definite Virus
  • lvir = Likely Virus
  • dphi = Definite Phishing
  • lphi = Likely Phishing
  • good = good email (no Threat)
  • Plyt = Policy Threat

Example of one email’s Mfe log entry:

5     px    i     ju   dspm   192.168.6.110_    —-  ————–    —————   —–    —-  ——-p—-      ————      200911160004590086296      testmail@sonicwall.com  –  testaccount@test.com    testaccount@test.com    “John Smith”      Your credit balance is over its limit     3289  emailsecurity     192.168.1.10      25    collab      –     –     rules:rules:Score=-31.26      518d52eee664842c  en_US      <000d01ca6655$931ac960$6400a8c0@withoj2>  192.168.6.110    

Conclusion:

  • Version= 5
  • Inbound/outbound = i
  • Msg/Location= ju
  • MsgThreat= dspm
  • GotfromIP = 192.168.6.110
  • MlfUniqueId = 200911160004590086296
  • EnvRcptTo = testmail@sonicwall.com
  • EnvMailFrom = testaccount@test.com
  • HdrFromAddr = testaccount@test.com
  • HdrSubject = Your credit balance is over its limit
  • MsgSizeInBytes= 3289
  • NqMlfHost = emailsecurity
  • NextHopServer = 192.168.1.10
  • NextHopPort = 25
  • Categories = collab
  • Reason = rules:rules:Score=-31.26
  • SecuritySecret = 518d52eee664842c
  • MsgLanguage = en_US (English- US)
  • Message-ID = <000d01ca6655$931ac960$6400a8c0@withoj2>
  • FirstTouchIP = 192.168.6.110
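
Once a day's Mfe file has been downloaded, the search and the code lookup can be scripted instead of done by eye in Excel. The following is an added example, not SonicWall's or this page's own code: it assumes the fields are tab-separated and sit at the positions seen in the sample entry above, and the function names and sample lines are constructed for illustration.

```python
# Added example, not vendor code. Assumptions: fields are tab-separated and sit
# at the positions seen in the page's single sample entry (2 = direction,
# 3 = message location, 4 = message threat, 5 = GotfromIP).
LOCATION = {"ju": "Junk box", "rj": "rejected", "dv": "delivered",
            "qu": "queued", "bo": "bounced"}
THREAT = {"ddha": "Definite directory harvest attack", "dspm": "Definite Spam",
          "lspm": "Likely Spam", "dvir": "Definite Virus", "lvir": "Likely Virus",
          "dphi": "Definite Phishing", "lphi": "Likely Phishing",
          "good": "good email (no Threat)", "plyt": "Policy Threat"}

def decode(table, code):
    """Translate a code, keeping unknown ones visible instead of hiding them."""
    return table.get(code.lower(), f"unknown code {code!r}")

def trace(log_text, needle):
    """Return one verdict per Mfe entry that mentions `needle`
    (sender address, recipient address or part of the subject)."""
    needle = needle.lower()
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        row = line.split("\t")
        if len(row) < 6 or needle not in line.lower():
            continue  # truncated line, or entry is about another message
        hits.append({
            "line": lineno,
            "direction": row[2],
            "location": decode(LOCATION, row[3]),
            "threat": decode(THREAT, row[4]),
            "source_ip": row[5].rstrip("_"),  # sample entry shows a trailing "_"
        })
    return hits

# Constructed, shortened sample entries (real entries carry many more fields).
SAMPLE = "\n".join("\t".join(fields) for fields in [
    ["5", "px", "i", "ju", "dspm", "192.168.6.110_", "testmail@sonicwall.com",
     "testaccount@test.com", "Your credit balance is over its limit"],
    ["5", "px", "i", "dv", "good", "192.168.6.111_", "testmail@sonicwall.com",
     "colleague@test.com", "Meeting notes"],
    ["5", "px", "i", "rj", "zzzz", "192.168.6.112_", "other@sonicwall.com",
     "testaccount@test.com", "Invoice"],
])

if __name__ == "__main__":
    for hit in trace(SAMPLE, "testaccount@test.com"):
        print(hit)
```

An "unknown code" result means the entry carries a value not listed in the tables above, which is worth checking against the raw line rather than treating as clean.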

