
How to determine why the Keyword Filtering Content Filter blocked or allowed a message

Answer

If you are questioning why an email was blocked or allowed by the Keyword Filtering Content Filter and would like more information, you can find further details in the log file for that filter. Use the following procedure to find the log and information regarding your message within it, and then use the examples below to interpret why the message was either blocked or allowed:
  1. Find the message ID of the email in question, either from the headers of the message itself or in the MailEssentials Dashboard > Logs > Details tab.
  2. Open the Content Checking.gfi_log file in Notepad from ..\GFI\MailEssentials\EmailSecurity\DebugLogs
    • This log is for the Keyword Filtering module. It corresponds to Configuration > EmailSecurity > Content Filtering > Keyword Filtering in the interface and to a number of the tb_contcheck tables in the avapicfg.mdb located at ...GFI\MailEssentials\EmailSecurity\Data.
  3. Search the log for the Message ID from the dashboard or the email headers.
    • Note: The bold lines are the important ones in the log files for determining what has happened and why.
 

Email was allowed by the module:

>> ProcessMail
Message-ID [ <1784e5b75db479566ac1102_0ac93e53@gfitest.com>]
Preparing to scan mail...
Mail Direction = 0 : AV_MAILDIRECT_INBOUND
Email sender: [Your Credit Report"]"
Email subject: [What's Influencing Your Credit Score?]
>> LoadRules
Getting rule resolver class...
Getting the rules from the rule resolver class obtained...
Enumerating the rules...
Sorting the rules.
Done.
<< LoadRules = TRUE
Number of rules loaded : 0
No rules apply.
<< ProcessMail() = EMAA_ERR_SUCCESS
 
Note: If an email is allowed through, make sure the Mail Direction is one configured to be scanned and the rule that should have blocked it was checked. In the above example, Number of rules loaded shows no rules were enabled.
 

Email was blocked by the module:

>> ProcessMail
Message-ID [<0343fe98-afc4-4043-a949-38e936e12c7c@GFITest.GFITest.local>]
Preparing to scan mail...
Mail Direction = 0 : AV_MAILDIRECT_INBOUND
Email sender: []
Email subject: [Sex Videos]
>> LoadRules
Getting rule resolver class...
Getting the rules from the rule resolver class obtained...
Enumerating the rules...
>> ProcessRuleFromDB
Processing rule : [CONTENT POLICY: Block Profanities]
>> GetRuleAppliesToEmailInThisDirection [AV_MAILDIRECT_INBOUND]
Rule applies to direction : VALUEID_AC_CHECKINBOUND
Rule applies to direction : VALUEID_AC_CHECKOUTBOUND
<< GetRuleAppliesToEmailInThisDirection() == TRUE
Rule applies to this direction.
Getting Properties.
Enumerate the list [9]...
Get list count
Enumerate the list [10]...
Enumerate the list [10]...
<< ProcessRuleFromDB = TRUE
>> ProcessRuleFromDB
Processing rule : [CONTENT POLICY: Block Sexual Content]
>> GetRuleAppliesToEmailInThisDirection [AV_MAILDIRECT_INBOUND]
Rule applies to direction : VALUEID_AC_CHECKINBOUND
Rule applies to direction : VALUEID_AC_CHECKOUTBOUND
<< GetRuleAppliesToEmailInThisDirection() == TRUE
Rule applies to this direction.
Getting Properties.
Enumerate the list [35]...
Get list count
Enumerate the list [36]...
Enumerate the list [36]...
<< ProcessRuleFromDB = TRUE
Sorting the rules.
Done.
<< LoadRules = TRUE
Number of rules loaded : 2
Scanning mail item...
Debug at Sender Display Name []
Debug at Subject [Sex Videos]
>> CheckSubject
Debug Checking Subject [Sex Videos]
Subject [Sex Videos]
Checking for infringed Rules
Checked for infringed Rules
----- Checking new rule  [CONTENT POLICY: Block Sexual Content] -----
Check whole words only: [1]
Filling Word
Scan complete.
Subject test FAILED.
>> FormulateErrorReport_KeywordsInSubject
Short Description [Triggered rule CONTENT POLICY: Block Sexual Content"]"
Long Description [Words in subject triggered rule CONTENT POLICY: Block Sexual Content" (Words found: sex)]"
<< FormulateErrorReport_KeywordsInSubject
<< CheckSubject [FALSE]
>> CheckBodies
Number of bodies: [1]
Checking body [1] of [1]
GM hBodyInfringements count. [262465976]
Get body IStream...
Get IUnknown...
Charset is [us-ascii]
Stream Size [56] Type [2]
Body Type: [text/plain]
GM CSSourceType: [1201]
----- Checking new rule  [CONTENT POLICY: Block Sexual Content] -----
Check body for keywords.
Check whole words only: [1]
Filling Expression
Words and operators loaded correctly.
Source type: [1201]
Perform scan...
Scan complete.
Body test FAILED.
>> FormulateErrorReport_KeywordsInBody
Short Description [Triggered rule CONTENT POLICY: Block Sexual Content"]"
Long Description [Words in body triggered rule CONTENT POLICY: Block Sexual Content" (Words found: sex)]"
<< FormulateErrorReport_KeywordsInBody
<< CheckBodies [FALSE]
No rules defined which have check attachments for keywords enabled.
Finished scanning.
<< ProcessMail() = EMAA_ERR_DBACTION

In this example, the email would have been blocked by BOTH the Subject and Body checks. The Short Description is what you would see in the Quarantine, while the Long Description is where you find the specific word that was flagged. If multiple rules were configured, these checks would be performed for each rule.
  • NOTE: When Check whole words only is set to 0, the word "cum" would match within "document", for example, so it is recommended to always use Match Whole Words.

Module is disabled:

Number of rules loaded : 0
No rules apply.
<< ProcessMail() = EMAA_ERR_SUCCESS
 
Note: There is no "disabled" message; the log simply shows that no rules are checked.
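
The manual search described above can be scripted. The following is an added example, not GFI code: it finds the ProcessMail block for a Message-ID and reports the lines the excerpts above rely on. The function name `explain`, the sample Message-IDs and the abridged log text are constructed for illustration, and it assumes ProcessMail blocks are not interleaved in the file.

```python
import re

# Constructed sample: abridged from the two excerpts above, with made-up Message-IDs.
SAMPLE_LOG = """\
>> ProcessMail
Message-ID [<blocked-1@example.test>]
Mail Direction = 0 : AV_MAILDIRECT_INBOUND
Number of rules loaded : 2
Subject test FAILED.
Long Description [Words in subject triggered rule CONTENT POLICY: Block Sexual Content" (Words found: sex)]"
Body test FAILED.
Long Description [Words in body triggered rule CONTENT POLICY: Block Sexual Content" (Words found: sex)]"
<< ProcessMail() = EMAA_ERR_DBACTION
>> ProcessMail
Message-ID [ <allowed-1@example.test>]
Mail Direction = 0 : AV_MAILDIRECT_INBOUND
Number of rules loaded : 0
No rules apply.
<< ProcessMail() = EMAA_ERR_SUCCESS
"""

def _first(pattern, text):
    m = re.search(pattern, text)
    return m.group(1).strip() if m else None

def explain(log_text, message_id):
    """Summarise the ProcessMail block for message_id; None if it is not in the log."""
    wanted = message_id.strip().strip("<>").lower()
    # Assumption: a block starts at ">> ProcessMail" and runs to the next one or end of file.
    for block in re.split(r"(?=>> ProcessMail\b)", log_text):
        mid = _first(r"Message-ID \[\s*<?([^>\]]+)", block)
        if mid is None or mid.lower() != wanted:
            continue
        loaded = _first(r"Number of rules loaded : (\d+)", block)
        failed = re.findall(r"(\w+) test FAILED", block)
        hits = re.findall(r'triggered rule "?(.+?)"? \(Words found: ([^)]*)\)', block)
        verdict = ("blocked" if failed else
                   "allowed: no rules loaded" if loaded == "0" else "allowed: no test failed")
        return {
            "verdict": verdict,
            "direction": _first(r"Mail Direction = \d+ : (\w+)", block),
            "rules_loaded": int(loaded) if loaded else None,
            "failed_tests": failed,
            "rules": sorted({rule for rule, _ in hits}),
            "words": sorted({words for _, words in hits}),
            "result": _first(r"<< ProcessMail\(\) = (\w+)", block),
        }
    return None
```

A verdict of "allowed: no rules loaded" covers both the disabled-module case and the no-rule-enabled case, since the log shows the same lines for each.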
  1. Priyanka Bhotika