Tracking Service Overview
The tracking service of the Cisco Content Security Management appliance complements Email Security appliances. With the Security Management appliance, email administrators have a single place to track the status of messages that traverse any of their Email Security appliances.
The Security Management appliance makes it easy to find the status of messages that Email Security appliances process. Email administrators can quickly resolve help desk calls by determining the exact location of a message. With the Security Management appliance, an administrator can determine if a particular message was delivered, found to contain a virus, or placed in a spam quarantine — or if it is located somewhere else in the mail stream.
Instead of having to search through log files using grep or similar tools, you can use the flexible tracking interface of the Security Management appliance to locate messages. You can use a variety of search parameters in combination.
Tracking queries can include:
- Envelope information: Find messages from particular envelope senders or recipients by entering the text strings to match.
- Subject header: Match a text string in the subject line.
  Warning: Do not use this type of search in environments where regulations prohibit such tracking.
- Time frame: Find a message that was sent between specified dates and times.
- Sender IP address or rejected connections: Search for messages from a particular IP address, or show rejected connections in the search results.
- Attachment name: You can search for messages based on an attachment name. Messages that contain at least one attachment with the queried name will appear in the search results.
  For performance reasons, the names of files within attachments such as OLE objects or archives such as .ZIP files are not tracked.
  Some attachments may not be tracked. For performance reasons, scanning of attachment names occurs only as part of other scanning operations, for example message or content filtering, DLP, or disclaimer stamping. Attachment names are available only for messages that pass through body scanning while the attachment is still attached. Some examples when an attachment name will not appear include (but are not limited to):
  - if the system only uses content filters, and a message is dropped or its attachment is stripped by anti-spam or anti-virus filters.
  - if message splintering policies strip the attachment from some messages before body scanning occurs.
- Event: Find messages that match specified events, such as messages flagged as virus positive, spam positive, or suspected spam, and messages that were delivered, hard bounced, soft bounced, or sent to the Virus Outbreak Quarantine.
- Message ID: Find messages by identifying the SMTP “Message-ID:” header or the Cisco IronPort message ID (MID).
- Email Security appliance (host): Narrow search criteria to particular Email Security appliances, or search across all managed appliances.