Incoming Log Search
The Incoming Log Search is a comprehensive search tool which allows you to filter on all incoming messages over the past 32 days. On this page you can also access Quarantined messages, messages in the Incoming Delivery Queue, and Archived messages.
Quarantined messages are stored for 60 days, but messages older than 32 days are not visible on the log search page. They can be found using one of the options from SIEM Logging Integrations or using IMAP.
To access the Incoming Log Search, in the Admin, Domain or Email level Control Panel, select Incoming > Logs.
Using the Log Search you can:
- Perform powerful filtering to find the results you need including:
- Filtering on message size and the From, To and CC headers
- Filtering on the outgoing IP used for delivering or attempting to deliver the message and the location of the sending server (based on the IP address) - See Run Custom Log Search
- Perform various actions on single or multiple messages - See Incoming Log Search
- Customise available actions on specific messages - Incoming Log Search
- Regenerate the index to search all archived message content - Regenerate Archive Message Content Index
- Export archived messages - Export Archived Messages
- Create and email a report of your log search results (and schedule at a specified frequency) - Create Email Scout Reports
Click on the classification link in the page description at the top of the log search to display the Classifications side-bar which shows more information on the classifications available:
In the Admin or Domain Level Control Panel, search incoming or outgoing logs by selecting Incoming > Logs or Outgoing > Logs
Query Rules Panel
The Query Rules panel allows you to customise your search filters. The default query rule for the Log Search is the Timestamp rule.
Use the shortcuts beneath the Timestamp filter to quickly select results from Yesterday, the Last week and Last month.
- Click on + New rule and select from the filter options available:
- The part of the message/metadata you are looking for - Select from the first dropdown in the Query Rules panel
- The type of match e.g. contains, does not start with etc. - Select from the second dropdown in the Query Rules panel
- The content you are trying to match
- Contains
- Does Not Contain
- Equals
- Does Not Equal
- Starts With
- Ends With
- Matches
- Does Not Match
- Child of
- Equals
- Contains
- Does Not Contain
- Equals
- Does Not Equal
- Starts With
- Ends With
- Matches
- Does Not Match
- On
- Before
- After
- Between
- Previous
- Since last run
- Contains
- Does Not Contain
- Equals
- Does Not Equal
- Starts With
- Ends With
- Matches
- Does Not Match
- Contains
- Does Not Contain
- Equals
- Does Not Equal
- Starts With
- Ends With
- Matches
- Does Not Match
- Contains
- Does Not Contain
- Equals
- Does Not Equal
- Starts With
- Ends With
- Matches
- Does Not Match
- Matches
- Contains
- Does Not Contain
- Equals
- Does Not Equal
- Starts With
- Ends With
- Is
- Is Not
- Anonymous Proxy
- Satellite provider
- Equals
- Does Not Equal
- Greater Than
- Less Than
- Greater Than Or Equals
- Less Than Or Equals
- Equals
- Does Not Equal
- Greater Than
- Less Than
- Greater Than Or Equals
- Less Than Or Equals
- Is One Of
- Is Not One Of
- Matches
- Does Not Match
- Good Mail
- Not Spam
- Allow listed
- False-positive
- Bad Mail
- Block listed
- False-negative
- Phish
- Virus
- Spam
- Locked
- Other
- Greylist
- Unsure
- Unknown
- Error
- Contains
- Does Not Contain
- Equals
- Does Not Equal
- Starts With
- Ends With
- Matches
- Does Not Match
- Contains
- Does Not Contain
- Equals
- Does Not Equal
- Starts With
- Ends With
- Matches
- Does Not Match
- Greater Than
- Less Than
- Greater Than Or Equals
- Less Than Or Equals
- Contains
- Does Not Contain
- Equals
- Does Not Equal
- Starts With
- Ends With
- Matches
- Does Not Match
- Contains
- Does Not Contain
- Equals
- Does Not Equal
- Starts With
- Ends With
- Matches
- Does Not Match
- Contains
- Does Not Contain
- Equals
- Does Not Equal
- Starts With
- Ends With
- Matches
- Does Not Match
- Contains
- Does Not Contain
- Equals
- Does Not Equal
- Starts With
- Ends With
- Matches
- Does Not Match
- Contains
- Does Not Contain
- Equals
- Does Not Equal
- Starts With
- Ends With
- Matches
- Does Not Match
- Contains
- Does Not Contain
- Equals
- Does Not Equal
- Starts With
- Ends With
- Matches
- Does Not Match
- Is One Of
- Is Not One Of
- Matches
- Does Not Match
- Accepted
- Auto Released
- Blackholed
- Delivered
- Delivery Failed
- Quarantine Removed
- Quarantine Expired
- Quarantined
- Queue Bounced
- Bounced
- Queue Expired
- Queue Removed
- Queued
- Queued Frozen
- Released
- Not Accepted
- Not Accepted
- Rejected
- On
- Before
- After
- Between
- Previous
- Matches
- Contains
- Does Not Contain
- Equals
- Does Not Equal
- Starts With
- Ends With
- Contains
- Does Not Contain
- Equals
- Does Not Equal
- Starts With
- Ends With
- Matches
- Does Not Match
- Equals
- Does Not Equal
- Greater Than
- Less Than
- Greater Than Or Equals
- Less Than Or Equals
- Contains
- Does Not Contain
- Equals
- Does Not Equal
- Starts With
- Ends With
- Matches
- Does Not Match
- Matches
- Contains
- Does Not Contain
- Equals
- Does Not Equal
- Starts With
- Ends With
- Yes
- No
- Yes - Message is in archive
- No - Message is not in archive
- If you wish, you can use the Quick select shortcuts provided e.g. Accepted; Not accepted.
- Once you have added the rules, use the Customise dropdown to select the fields you want displayed in the search results.
- Sub Class - Why the message was assigned its Main Class. For example, if the message was classed as Spam, the Sub Class may be DNSBL (DNS Block listed). See Message Classes for more details on Main Class, Sub Class and Extra Class combinations.
- Extra Class - The detail on why the Main Class and Sub Class were assigned to the message. For example, if the message was classed as Spam, the Sub Class may be DNSBL (DNS Block listed), so the Extra Class will provide the DNS Block list in question. See Message Classes for more details on Main Class, Sub Class and Extra Class combinations.
- Delivery Data - Shows the destination mail server's most recent response to the filtering server's attempt to deliver. For example, if a message is accepted by the filter but can't be found in the recipient's Inbox, this field will show if the message was delivered to the destination mail server or not. To see all delivery attempts that have been made for a message, see the Delivery Failure Details/Delivery Issue Log page.
- You may also choose to display a summary row at the bottom of the table
- None - this will disable the summary row so nothing will be displayed
- Total - this will display a row at the bottom of the table which will calculate the total of any columns containing number values such as Bytes Sent and Bytes Received
- Average - this will display a row at the bottom of the table which will calculate the average of any columns containing number values such as Bytes Sent and Bytes Received
- Use the Group results by: dropdown and select from the list if you want to group the results by category. For example, to group the results by sender, select Sender
- Once you have specified your filters, click on Show Results to run the search and display the results at the bottom of the page
The Query Rules are constructed of three parts:
Message Part | Match Type | Content |
---|---|---|
Message ID | | Text box; enter Message ID to search for |
Admin | | Text box; enter the Admin to search for and select from the drop-down |
Domain | | Text box; enter the domain to search for and select from the drop-down |
Filtering Host | | Text box; enter Filtering Host to search for |
Timestamp | | Date and time selector |
Sender | | Text box; enter Sender address to search for |
Recipient | | Text box; enter Recipient address to search for |
Sender Hostname | | Text box; enter Sender Hostname to search for |
Sender IP | | Text box; enter Sender IP to search for |
Sender Location | | Text box; begin typing a country to see a list of pre-populated locations or type: |
Bytes Received | | Text box; enter number of bytes to search for |
Bytes Sent | | Text box; enter number of bytes to search for |
Main Class | | Text box; begin typing a message class or click to see a pre-populated list of suggestions split into: |
Sub Class | | Text box; enter the Sub Class of a message to search for |
Extra Class | | Text box; enter Extra Class to search for |
Error Class | | Text box; enter Error Class to search for. false-positive: A message that has been reported to the filtering system as a false positive (i.e. Trained as Not-Spam). This is a message that was caught as spam when it should not have been. false-negative: A message that has been reported to the filtering system as a false negative (i.e. Trained as Spam). This is a message that was received as legitimate when it should not have been. |
From | | Text box; enter From address to search for |
To | | Text box; enter To address to search for |
CC | | Text box; enter CC addresses to search for |
Subject | | Text box; enter Subject to search for |
Original Message ID | | Text box; enter the Original Message ID to search for |
Status | | Text box; begin typing a message Status or click to see a pre-populated list of suggestions split into: |
Delivery Date | | Date and time selector |
Delivery IP | | Text box; enter Delivery IP address to search for |
Delivery Hostname | | Text box; enter Delivery Hostname to search for |
Delivery Port | | Text box; enter Delivery Port to search for |
Delivery Data | | Text box; enter Delivery Data to search for |
Delivery Interface | | Text box; enter Delivery Interface to search for |
In Archive | | Selectable buttons: |
The Status of a message tells you what stage the message has reached in the filtering process e.g. rejected, queued for delivery, quarantined etc. To search for messages with a specific status, use the Status rule and tick the checkboxes of the statuses you wish to include.
Quick select options differ depending on the query rule selected, so check the options below the rule to see what is available at that time.
There are many options available, with the most useful choices outside of the defaults being:
There are three options available for this:
Actions Available on Log Search Results
In the Search Results listed you can carry out a variety of actions.
Actions Available for Message Statuses
Key
The following icons indicate the action's availability per message status:
Key | Status | Description |
---|---|---|
| Available | The action is available for all messages with this status |
| Available if additional criteria met | The action is available for any message with this status, so long as additional criteria are met (see * for additional information) |
| Not Available | The action is not available for any message with this status |
Incoming
Status/Action | Add allow list filtering rule | Add block list filtering rule | Add sender to allow list | Block recipient | Block sender | Block sender and remove from quarantine | Change action for messages like this |
---|---|---|---|---|---|---|---|
auto-released | |||||||
blackholed | |||||||
bounced | |||||||
delivered | |||||||
delivery-failed | |||||||
not-accepted | |||||||
quarantined | |||||||
quarantine-expired | |||||||
quarantine-removed | |||||||
queued | |||||||
queue-frozen | |||||||
queue-bounced | |||||||
queue-removed | |||||||
queue-expired | |||||||
rejected | |||||||
released |
Status/Action | Delivery issue log | Download quarantined message | Export as .CSV | Recipient callout | Remove from queue and notify sender | Retry delivery from queue | Sender callout | Telnet SMTP test |
---|---|---|---|---|---|---|---|---|
auto-released | ||||||||
blackholed | ||||||||
bounced | ||||||||
delivered | ||||||||
delivery-failed | ||||||||
not-accepted | ||||||||
quarantined | ||||||||
quarantine-expired | ||||||||
quarantine-removed | ||||||||
queued | ||||||||
queue-frozen | ||||||||
queue-bounced | ||||||||
queue-removed | ||||||||
queue-expired | ||||||||
rejected | ||||||||
released |
Status/Action | Compose Reply | Download queued message | Remove from queue | View email |
---|---|---|---|---|
auto-released | * | |||
blackholed | * | |||
bounced | * | |||
delivered | * | |||
delivery-failed | * | |||
not-accepted | ||||
quarantined | ||||
quarantine-expired | ||||
quarantine-removed | ||||
queued | ||||
queue-frozen | ||||
queue-bounced | * | |||
queue-removed | * | |||
queue-expired | * | |||
rejected | ||||
released | * |
Status/Action | Release from quarantine | Remove from quarantine | Release and train from quarantine | Remove from queue and train as spam | Train as spam |
---|---|---|---|---|---|
auto-released | |||||
blackholed | |||||
bounced | |||||
delivered | |||||
delivery-failed | |||||
not-accepted | |||||
quarantined | |||||
quarantine-expired | |||||
quarantine-removed | |||||
queued | |||||
queue-frozen | |||||
queue-bounced | |||||
queue-removed | |||||
queue-expired | |||||
rejected | |||||
released |
Status/Action | Delete archived message | Export message from archive | Redeliver archived message |
---|---|---|---|
auto-released | * | * | * |
blackholed | * | * | * |
bounced | * | * | * |
delivered | * | * | * |
delivery-failed | * | * | * |
not-accepted | |||
quarantined | |||
quarantine-expired | |||
quarantine-removed | |||
queued | * | * | * |
queue-frozen | * | * | * |
queue-bounced | * | * | * |
queue-removed | * | * | * |
queue-expired | * | * | * |
rejected | |||
released | * | * | * |
Some actions may not be available for Email Level Users.
Outgoing
Status/Action | Add allow list filtering rule | Add block list filtering rule | Add sender to allow list | Block recipient | Block sender | Block sender and remove from quarantine | Change action for messages like this |
---|---|---|---|---|---|---|---|
auto-released | |||||||
blackholed | |||||||
bounced | |||||||
delivered | |||||||
delivery-failed | |||||||
not-accepted | |||||||
quarantined | |||||||
quarantine-expired | |||||||
quarantine-removed | |||||||
queued | |||||||
queue-frozen | |||||||
queue-bounced | |||||||
queue-removed | |||||||
queue-expired | |||||||
rejected | |||||||
released | |||||||
secure-delivered |
- Add Allow list filtering rule - Add a custom incoming Allow list filtering rule. See Add an Incoming Allow list Filtering Rule
- Add Block list filtering rule - Add a custom incoming Block list filtering rule. See Add an Incoming Block list Filtering Rule
- Add Sender to Allow list - Add the sender to the Allow list, causing all future messages from this sender address to be accepted by the filter. See Manage Incoming Sender Allow list
- Block recipient - Add the recipient to the Block list, causing all future messages to this recipient address to be treated as spam. See Manage Recipient Block list
- Block Sender - Add the sender to the Block list, causing all future messages from this sender address to be treated as spam. See Manage Incoming Sender Block list
- Block sender and remove from quarantine - Remove the message from the quarantine and Block list the sender, causing all future messages from this sender address to be treated as spam. See Block Sender and Remove Quarantined Messages
- Change Action for messages like this - Incoming messages only - Add a custom action to incoming messages to change the response from Mail Assure, see Customise Actions
This action currently only appears if you have included the main class, sub class, and extra class columns in your search.
Status/Action | Audit Log | Delivery issue log | Download quarantined message | Export as .CSV | Recipient callout | Remove from queue and notify sender | Retry delivery from queue | Sender callout | Telnet SMTP test |
---|---|---|---|---|---|---|---|---|---|
auto-released | |||||||||
blackholed | |||||||||
bounced | |||||||||
delivered | |||||||||
delivery-failed | |||||||||
not-accepted | |||||||||
quarantined | |||||||||
quarantine-expired | |||||||||
quarantine-removed | |||||||||
queued | |||||||||
queue-frozen | |||||||||
queue-bounced | |||||||||
queue-removed | |||||||||
queue-expired | |||||||||
rejected | |||||||||
released | |||||||||
secure-delivered |
- Audit Log - See Private Portal Audit Logs
- Delivery issue log - See Delivery Failure Details/Delivery Issue Log
- Download Quarantined Message - Download the email(s) as .eml format in a .zip
- Export as .CSV - Download the current log results for the selected messages and columns in CSV format
- Recipient callout - Run a Network Tools > SMTP test to verify the recipient address is accepted on the destination server for the incoming domain. See What are recipient callouts/recipient verification?
- Remove from queue and notify sender - Delete the message(s) from queue and notify the sender of the email(s) that it has been rejected by the recipient
- Retry delivery from queue - Attempt to deliver the message from the queue
- Sender callout - Run a Network Tools > SMTP test to verify the sender address is accepted on the destination server for the incoming domain. See What are recipient callouts/recipient verification?
- Telnet SMTP Test - Run a Network Tools > SMTP test with the envelope sender and envelope recipient addresses of the selected message, to the destination server for the incoming domain
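For triage outside the control panel, the following added example (not part of the original documentation) reads a log search export, keeps the messages with a Phish, Virus or Spam Main Class whose Status shows they were delivered or released anyway, and groups them by sender with the same Total and Average figures the summary row offers. The CSV header names and timestamp format are assumptions modelled on the log search column names, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. Assumption: the CSV header row uses the log search
# column names; a real export may name or order its columns differently.
SAMPLE_CSV = """\
Timestamp,Sender,Recipient,Main Class,Sub Class,Status,Bytes Received
2024-05-01 09:12:44,billing@vendor.example,amy@corp.example,Phish,,released,18230
2024-05-01 09:13:02,billing@vendor.example,raj@corp.example,Phish,,quarantined,18105
2024-05-01 10:40:10,news@shop.example,amy@corp.example,Spam,DNSBL,quarantined,40211
2024-05-02 08:01:55,hr@partner.example,lee@corp.example,Not Spam,,delivered,9120
2024-05-02 11:27:31,billing@vendor.example,lee@corp.example,Phish,,auto-released,17770
2024-05-03 14:05:09,scan@printer.example,raj@corp.example,Virus,,delivered,250000
"""

# Main Class and Status values taken from the lists on this page.
BAD_CLASSES = {"phish", "virus", "spam"}
PASSED_ON = {"delivered", "released", "auto-released"}


def load_rows(text):
    """Parse the exported CSV text into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def bad_mail_passed_on(rows):
    """Rows with a bad Main Class whose Status shows delivery or release."""
    hits = []
    for row in rows:
        main_class = row["Main Class"].strip().lower()
        status = row["Status"].strip().lower()
        if main_class in BAD_CLASSES and status in PASSED_ON:
            hits.append(row)
    return hits


def summarise_by_sender(rows):
    """Group rows by Sender and compute the Total and Average of Bytes Received."""
    groups = defaultdict(list)
    for row in rows:
        groups[row["Sender"].strip().lower()].append(row)
    summary = {}
    for sender, items in groups.items():
        # An empty Bytes Received cell is counted as 0 rather than aborting.
        sizes = [int(r["Bytes Received"] or 0) for r in items]
        summary[sender] = {
            "messages": len(items),
            "total_bytes": sum(sizes),
            "average_bytes": sum(sizes) / len(sizes),
            "recipients": sorted({r["Recipient"].strip().lower() for r in items}),
        }
    return summary


if __name__ == "__main__":
    hits = bad_mail_passed_on(load_rows(SAMPLE_CSV))
    for sender, info in sorted(summarise_by_sender(hits).items()):
        print(sender, info)
```

Senders that appear in the output are candidates for the Block sender action, and the listed recipients are the mailboxes to check first.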
Status/Action | Compose Reply | Download queued message | Remove from queue | View email |
---|---|---|---|---|
auto-released | * | |||
blackholed | * | |||
bounced | * | |||
delivered | * | |||
delivery-failed | * | |||
not-accepted | ||||
quarantined | ||||
quarantine-expired | ||||
quarantine-removed | ||||
queued | ||||
queue-frozen | ||||
queue-bounced | * | |||
queue-removed | * | |||
queue-expired | * | |||
rejected | ||||
released | * | |||
secure-delivered | * |
- Compose reply - Reply to the sender of the message using the inbuilt Compose Email tool, with the original message subject and recipient prepopulated
- Download Queued Message - Download the email(s) as .eml format in a .zip
- Remove from queue - Delete the message(s) from queue
- View email - View the content of the email in the dashboard. See View Message Content
Status/Action | Release from quarantine | Remove from quarantine | Release and train from quarantine | Remove from queue and train as spam | Train as spam |
---|---|---|---|---|---|
auto-released | |||||
blackholed | |||||
bounced | |||||
delivered | |||||
delivery-failed | |||||
not-accepted | |||||
quarantined | |||||
quarantine-expired | |||||
quarantine-removed | |||||
queued | |||||
queue-frozen | |||||
queue-bounced | |||||
queue-removed | |||||
queue-expired | |||||
rejected | |||||
released | |||||
secure-delivered |
- Release from quarantine - Attempt delivery of the quarantined message(s). See Release Quarantined Messages
- Remove from quarantine - Delete the message(s) from quarantine storage. See Remove Messages from Quarantine
- Release and train from quarantine - Submit quarantined message(s) to be delivered, and flag for training as not spam. See Release and Train Quarantined Messages and Report messages as Spam or Not Spam/Train Messages
- Remove from queue and train as spam - Delete the message(s) from queue and train them as spam. See Report messages as Spam or Not Spam/Train Messages
- Train as spam - Train the selected message as spam. See Report messages as Spam
- Download Quarantined Message - Download the email(s) as .eml format in a .zip
Status/Action | Delete archived message | Export message from archive | Redeliver archived message |
---|---|---|---|
auto-released | * | * | * |
blackholed | |||
bounced | |||
delivered | |||
delivery-failed | |||
not-accepted | |||
quarantined | |||
quarantine-expired | |||
quarantine-removed | |||
queued | * | * | * |
queue-frozen | * | * | * |
queue-bounced | * | * | * |
queue-removed | * | * | * |
queue-expired | * | * | * |
rejected | |||
released | * | * | * |
secure-delivered | * | * | * |
- Delete archived message - Hide the message in the archive. The selected message(s) will no longer be visible to any user viewing the Archive
- Download archived message - Download a copy of the archived message(s) to your machine as .eml format in a .zip
- Export message from archive - Exports the archived message to your machine
- Redeliver archived message - Redeliver the archived message to the recipient(s). This is useful if the message cannot be found in the email inbox
Status/Action | Add and configure identity | Lock identity | Lock user |
---|---|---|---|
auto-released | * | * | |
blackholed | * | * | |
bounced | * | * | |
delivered | * | * | |
delivery-failed | * | * | |
not-accepted | * | * | |
quarantined | * | * | |
quarantine-expired | * | * | |
quarantine-removed | * | * | |
queued | * | * | |
queue-frozen | * | * | |
queue-bounced | * | * | |
queue-removed | * | * | |
queue-expired | * | * | |
rejected | * | * | |
released | * | * | |
secure-delivered | * | * |
- Add and configure identity - Add a new identity based on the message the action was taken against. See Manually Add Identities
- Lock Identity - If an identity is locked, it will not be able to relay any emails until it is unlocked manually. See Manage Identities
- Lock User - Locks the Outgoing User/Authentication method from authenticating outgoing mail. See Lock and Unlock an Outgoing User/Authentication Method
Some actions may not be available for Email Level Users.
Regenerate Archive Message Content Index
This is only needed to search within the Archived message body content. It is not needed for searching message metadata.
This process may take some time to complete.
If you want to be able to search all Incoming or Outgoing archived message content in your domain, click on the Regenerate Content Index button at the top of the Domain Level Log Search page. This is controlled by the Indexing Options section in the Archive Settings page at Domain Level only.
The index is regenerated and any messages archived since the last time the index was generated are added to the index - allowing you to search all archived message content for that domain.
Add Customised Action Using Log Search
- Once you have run your log search and the search results are listed, select the dropdown to the left of the message and select Change action for messages like this
- The Add a new custom action for emails dialog is displayed with the fields pre-populated according to the message
- Click Save
The new custom action is listed in the Incoming - Protection settings > Customise actions page accessible from the Admin and Domain Level Control Panels.
You can now use the dropdown to the left of the new action and select Find similar messages to redirect you to the Log Search where the query based on your rule is automatically run and matching results are listed.
Alternatively, you can set up custom actions manually on the Customise Actions page. However, using the log search, as described here, is quicker, easier and more versatile.
The custom action configuration requires the inclusion of a Sub class and Extra class to match message deliveries. The sub and extra classes can also be added in the query rules of the search prior to opening the custom actions window.