Saving Content Filtering Preferences
Mar 4 21:06:44 pri=5 msg="proxyWWW: Surf Sentinel 2.0 successfully initialized" type=mgmt
Mar 4 21:06:44 pri=6 msg="proxyWWW: Listening at port 2784." type=mgmt
Mar 4 21:06:44 pri=6 msg="proxyWWW: Reinitializing." type=mgmt
Mar 4 21:06:44 pri=5 msg="WWWadmin: Update of 'URL Access Lists'." type=mgmt src=192.168.71.243 srcport=2447 dst=192.168.71.77 dstport=443
Saving Content Filtering Access Control Lists
Mar 4 21:06:44 pri=5 msg="WWWadmin: Update of 'URL Access Lists'." type=mgmt src=192.168.71.243 srcport=2447 dst=192.168.71.77 dstport=443
144 GB-OS 3.7 User’s Guide
Saving Content Filtering Local Content Lists
Mar 4 21:06:44 pri=5 msg="WWWadmin: Update of 'Local Content Lists'." type=mgmt src=192.168.71.243 srcport=2460 dst=192.168.71.77 dstport=443
Mar 4 21:06:44 pri=6 msg="proxyWWW: Reinitializing." type=mgmt
Block Message
Mar 4 21:06:44 pri=4 msg="Block outbound, NAT" cat_action=block cat_site="Adult/Sexually Explicit" dstname=www.playboy.com proto=http src=192.168.71.243 srcport=2399 nat=199.120.225.77 natport=2399 dst=209.247.228.201 dstport=80 rule=2 duration=22 sent=676 rcvd=44 pkts_sent=3 pkts_rcvd=1 op=GET arg=/
Accept Message
Mar 4 21:06:44 pri=5 msg="Accept outbound, NAT" cat_action=pass cat_site="Games" dstname=1118.ign.com proto=http src=192.168.71.95 srcport=1813 nat=199.120.225.77 natport=1813 dst=216.35.123.118 dstport=80 rule=2 duration=22 sent=1279 rcvd=450 pkts_sent=5 pkts_rcvd=5 op=GET arg=/event-ng/Type
Mail Sentinel (Email Proxy)
Email Delivered
Mar 4 21:06:44 pri=5 msg="SMTP: Close" smtp_action=pass virus="none found" spam=unknown,2 rule=5 server=192.168.71.1 proto=smtp user="[email protected]" srcuser="[email protected]" src=199.120.225.254 srcport=4711 dst=199.120.225.5 dstport=25 duration=2 sent=136 rcvd=1709
Email Rejected Due to Source or Destination of ACL
Mar 4 21:06:44 firewall.example.com id=firewall time="2005-03-04 21:06:44" fw="firewall" pri=4 msg="SMTP: Rejected (rule)" smtp_action=block rule=6 proto=smtp user="[email protected]" srcuser="[email protected]" src=199.120.225.254 srcport=34813 dst=199.120.225.5 dstport=25 duration=2 sent=42 rcvd=67
Email Rejected Due to Exhaustion of ACLs (Reject by Default If No Match Is Found)
Mar 4 21:06:44 pri=4 msg="SMTP: Rejected (rule)" smtp_action=block rule=0 proto=smtp user="user@example.net" srcuser="[email protected]" src=199.120.225.254 srcport=2107 dst=199.120.225.5 dstport=25 duration=13 sent=70 rcvd=68
Email Rejected Due to Reverse DNS
Mar 4 21:06:44 pri=4 msg="SMTP: Rejected (RDNS)" smtp_action=block rule=1 proto=smtp user="user@example.com" srcuser="[email protected]" src=199.120.225.254 srcport=1696 dst=199.120.225.5 dstport=25 duration=10 sent=74 rcvd=60
Email Rejected Due to MAPS
Mar 4 21:06:44 pri=4 msg="SMTP: Rejected (MAPS list.dsbl.org)" smtp_action=block rule=2 proto=smtp user="[email protected],[email protected]" srcuser="[email protected]" src=199.120.225.254 srcport=2327 dst=199.120.225.5 dstport=25 duration=4 sent=111 rcvd=107
Email Rejected Due to Invalid Recipient
Mar 4 21:06:44 pri=4 msg="SMTP: Server returned, 550 Invalid recipient <[email protected]>" type=mgmt proto=smtp user="[email protected]" srcuser="[email protected]" src=199.120.225.254 srcport=4599 dst=199.120.225.5 dstport=25 duration=5
If no spam or virus scanning is enabled for that email, you may see this message paired with one for an incomplete SMTP connection. That message occurs when the email data is stopped during transmission: the internal email server may have determined that the email account does not exist, causing the Mail Sentinel email proxy to terminate SMTP data reception.
Email Connection Incomplete
Mar 4 21:06:44 pri=4 msg="SMTP: Incomplete" smtp_action=block virus="not found" spam=confirmed,96 rule=8 server=192.168.71.1 proto=smtp user="[email protected]" srcuser="[email protected]" src=199.120.225.254 srcport=4599 dst=199.120.225.5 dstport=25 duration=5 sent=214 rcvd=2765
Email Confirmed Spam by Mail Sentinel Anti-Spam but Delivered
Mar 4 21:06:44 pri=4 msg="SMTP: Close" smtp_action=pass virus="none found" spam=confirmed,99 rule=5 server=192.168.71.1 proto=smtp user="[email protected]" srcuser="[email protected]" src=199.120.225.254 srcport=3260 dst=199.120.225.5 dstport=25 duration=4 sent=110 rcvd=3396
Email Confirmed Spam by Mail Sentinel Anti-Spam and Quarantined
Mar 4 21:06:44 pri=4 msg="SMTP: Close" smtp_action=quarantine virus="none found" spam=confirmed,98 rule=3 server=192.168.71.1 proto=smtp user="[email protected]" srcuser="[email protected]" src=199.120.225.254 srcport=4282 dst=199.120.225.5 dstport=25 duration=2 sent=110 rcvd=3549
Email Virus Found by Mail Sentinel Anti-Virus and Cured Then Delivered
Mar 4 21:06:44 pri=4 msg="SMTP: Close" smtp_action=block virus=Cured,"I-Worm.Bagle.au" spam=unknown,50 rule=5 server=192.168.71.1 proto=smtp user="[email protected]" srcuser="[email protected]" src=199.120.225.254 srcport=4124 dst=199.120.225.5 dstport=25 duration=83 sent=82 rcvd=26436
Email Virus Found by Mail Sentinel Anti-Virus but Delivered
Mar 4 21:06:44 pri=4 msg="SMTP: Close" smtp_action=pass virus="I-Worm.Bagle.as" spam=unknown,64 rule=5 server=192.168.71.1 proto=smtp user="[email protected]" srcuser="[email protected]" src=199.120.225.254 srcport=3364 dst=199.120.225.5 dstport=25 duration=10 sent=82 rcvd=31669
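The Surf Sentinel and Mail Sentinel lines above share one layout: an optional syslog timestamp, then space-separated key=value pairs in which a value may be a quoted string containing spaces (msg="SMTP: Close"), a comma-joined pair (spam=confirmed,99) or a mix of both (virus=Cured,"I-Worm.Bagle.au"). The Python script below is an added example, not code from the GB-OS guide or from GTA: it parses such lines and applies the checks an administrator would want to alert on from the examples above: a virus found but the message delivered, confirmed spam delivered, and a rejection that fell through to the default rule (rule=0). The sample lines are constructed from the guide's examples with placeholder hosts and addresses, and the field names smtp_action, cat_action, cat_site, pkts_sent and pkts_rcvd are assumed to be the underscored names that the extraction rendered with spaces.

```python
import re

# Constructed sample log, modelled on the guide's Surf Sentinel and Mail
# Sentinel examples (placeholder hosts and addresses, straight quotes).
SAMPLE_LOG = """\
Mar 4 21:06:44 pri=4 msg="Block outbound, NAT" cat_action=block cat_site="Adult/Sexually Explicit" dstname=www.example.org proto=http src=192.168.71.243 srcport=2399 nat=199.120.225.77 natport=2399 dst=209.247.228.201 dstport=80 rule=2 duration=22 sent=676 rcvd=44 pkts_sent=3 pkts_rcvd=1 op=GET arg=/
Mar 4 21:06:44 pri=5 msg="SMTP: Close" smtp_action=pass virus="none found" spam=unknown,2 rule=5 server=192.168.71.1 proto=smtp user="rcpt@example.com" srcuser="sender@example.net" src=199.120.225.254 srcport=4711 dst=199.120.225.5 dstport=25 duration=2 sent=136 rcvd=1709
Mar 4 21:06:44 pri=4 msg="SMTP: Rejected (rule)" smtp_action=block rule=0 proto=smtp user="rcpt@example.com" srcuser="sender@example.net" src=199.120.225.254 srcport=2107 dst=199.120.225.5 dstport=25 duration=13 sent=70 rcvd=68
Mar 4 21:06:44 pri=4 msg="SMTP: Close" smtp_action=pass virus="none found" spam=confirmed,99 rule=5 server=192.168.71.1 proto=smtp user="rcpt@example.com" srcuser="sender@example.net" src=199.120.225.254 srcport=3260 dst=199.120.225.5 dstport=25 duration=4 sent=110 rcvd=3396
Mar 4 21:06:44 pri=4 msg="SMTP: Close" smtp_action=block virus=Cured,"I-Worm.Bagle.au" spam=unknown,50 rule=5 server=192.168.71.1 proto=smtp user="rcpt@example.com" srcuser="sender@example.net" src=199.120.225.254 srcport=4124 dst=199.120.225.5 dstport=25 duration=83 sent=82 rcvd=26436
Mar 4 21:06:44 pri=4 msg="SMTP: Close" smtp_action=pass virus="I-Worm.Bagle.as" spam=unknown,64 rule=5 server=192.168.71.1 proto=smtp user="rcpt@example.com" srcuser="sender@example.net" src=199.120.225.254 srcport=3364 dst=199.120.225.5 dstport=25 duration=10 sent=82 rcvd=31669
"""

# Leading "Mon d HH:MM:SS" syslog timestamp (one or more spaces between parts).
_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<rest>.*)$")
# key=value where the value is: unquoted run, optional "quoted part", unquoted run.
# This covers plain tokens, "quoted strings" and mixed forms like Cured,"name".
_KV = re.compile(r'(?P<key>[A-Za-z_]\w*)=(?P<val>[^\s"]*(?:"[^"]*")?[^\s"]*)')


def parse_line(line):
    """Split one log line into a dict of fields; quotes are stripped from values."""
    line = line.strip()
    m = _TS.match(line)
    fields = {"timestamp": m.group("ts") if m else None}
    rest = m.group("rest") if m else line
    for kv in _KV.finditer(rest):
        fields[kv.group("key")] = kv.group("val").replace('"', "")
    return fields


def virus_verdict(fields):
    """Interpret virus=: returns (found, cured, name)."""
    raw = fields.get("virus")
    if raw is None or raw.lower() in ("none found", "not found"):
        return False, False, None
    if raw.startswith("Cured,"):
        return True, True, raw.split(",", 1)[1]
    return True, False, raw


def spam_verdict(fields):
    """Interpret spam=category,score: returns (category, score or None)."""
    raw = fields.get("spam")
    if not raw:
        return None, None
    category, _, score = raw.partition(",")
    return category, int(score) if score.isdigit() else None


def triage(fields):
    """Return (kind, detail) findings for one parsed Mail Sentinel line."""
    findings = []
    msg = fields.get("msg", "")
    if not msg.startswith("SMTP:"):
        return findings                     # Surf Sentinel / management lines: nothing to do here
    action = fields.get("smtp_action")
    found, cured, name = virus_verdict(fields)
    if found and not cured and action == "pass":
        findings.append(("virus_delivered", name))     # infected mail reached the server
    if found and cured:
        findings.append(("virus_cured", name))         # worth counting even when delivered
    category, score = spam_verdict(fields)
    if category == "confirmed" and action == "pass":
        findings.append(("spam_delivered", score))     # confirmed spam passed through
    if "Rejected" in msg and fields.get("rule") == "0":
        findings.append(("rejected_default_deny", fields.get("srcuser")))  # no ACL matched
    return findings


def triage_log(text):
    """Run triage over every non-empty line and collect findings with context."""
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        for kind, detail in triage(fields):
            results.append({"kind": kind, "detail": detail,
                            "src": fields.get("src"), "rcpt": fields.get("user")})
    return results


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding)
```

Running the script over the constructed sample reports the default-rule rejection, the delivered confirmed spam, the cured worm and the uncured worm that was delivered; the Surf Sentinel block line and the clean delivery produce nothing. Note that the guide's "Cured Then Delivered" example carries smtp_action=block, so the cured case is counted on its own rather than tied to the action.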
The Mail Sentinel email proxy adds SMTP X-headers to the email it processes. These headers help with diagnostics and tracking; some record events specific to the Mail Sentinel options enabled on the email proxy. The "GB" prefix shows that the header was appended by a receiving GB-OS firewall.
Headers can include:
• X-GB-Received: from domain.example.com (192.168.71.9) by firewall.example.com (3.6.0)
  • Lists the host that the email originated from, followed by the host name and IP address of the receiving firewall.
• X-GB-From: [email protected]
  • Lists the email address of the sender. (The originating domain and the domain in the sender's email are not necessarily the same.)
• X-GB-To: [email protected]
  • Lists the email address of the intended recipient. If an email has been cleared from quarantine, this header allows the email to be sent on to its final destination.
• X-GB-Mail-Format-Warning: Bad RFC2822 line length
  • Describes a badly-formatted email.
• X-GB-Rule: 5
  • Lists the email proxy ACL that was matched.
• X-GB-AS
  • Lists the spam category assigned to the email (e.g. Confirmed or Suspect) and the score that caused the categorization.
  • May describe any error conditions that occurred during Mail Sentinel Anti-Spam processing, causing it to not process the email. These errors can include an expired Mail Sentinel Anti-Spam license or inability to contact the Mail Sentinel Anti-Spam license server.
• X-GB-AS-Summary
  • Contains the Mail Sentinel Anti-Spam engine processing summary.
• X-GB-AV
  • Lists any viruses found; if they could be removed from the email, it will also say "cured".
  • May describe any error conditions that occurred during Mail Sentinel Anti-Virus processing, causing it to not process the email. These errors can include an expired Mail Sentinel Anti-Virus license or inability to contact the Mail Sentinel Anti-Virus license server.
• X-GB-Quarantined
  • Lists the email address that a quarantined email was sent to.
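A downstream mail filter or SIEM rule will usually want to read these X-GB headers rather than re-scan the message. The Python script below is an added example, not code from the GB-OS guide or from GTA: it pulls the X-GB-* fields out of a message with the standard library email parser and derives a disposition from them. Because the headers are ordinary text added by the firewall, a consumer should act on them only when the message demonstrably passed through that firewall; the example does the simple consistency check of requiring the X-GB-Received hop to name the expected firewall host and treats anything else as "unverified". The sample message is constructed; the header names and the X-GB-Received layout follow the guide, while the value layouts assumed for X-GB-AS ("Confirmed, 98") and X-GB-AV ("Cured, I-Worm.Bagle.au") are guesses, which is why the parser reads them loosely.

```python
import re
from email import message_from_string
from email.policy import default

# Constructed sample message carrying GB-OS style X-GB headers.
SAMPLE_MESSAGE = """\
X-GB-Received: from domain.example.com (192.168.71.9) by firewall.example.com (3.6.0)
X-GB-From: sender@example.net
X-GB-To: rcpt@example.com
X-GB-Rule: 5
X-GB-AS: Confirmed, 98
X-GB-AV: Cured, I-Worm.Bagle.au
X-GB-Mail-Format-Warning: Bad RFC2822 line length
From: sender@example.net
To: rcpt@example.com
Subject: test

body
"""

# Assumed: the FQDN configured as HOST NAME on the firewall this filter sits behind.
TRUSTED_FIREWALL = "firewall.example.com"

# "from <host> (<ip>) by <firewall> (<version>)", as in the guide's example.
_RECEIVED = re.compile(
    r"from\s+(?P<src_host>\S+)\s+\((?P<src_ip>[\d.]+)\)\s+by\s+(?P<fw>\S+)\s+\((?P<ver>[\d.]+)\)"
)


def parse_gb_headers(raw, trusted_firewall=TRUSTED_FIREWALL):
    """Extract the X-GB-* headers into a dict. from_firewall records whether the
    X-GB-Received hop names the firewall we expect (a consistency check only)."""
    msg = message_from_string(raw, policy=default)
    info = {
        "from_firewall": False, "src_host": None, "src_ip": None, "firewall": None,
        "rule": None, "spam_category": None, "spam_score": None,
        "viruses": [], "cured": False,
        "gb_from": msg.get("X-GB-From"), "gb_to": msg.get("X-GB-To"),
        "quarantined_to": msg.get("X-GB-Quarantined"),
        "format_warning": msg.get("X-GB-Mail-Format-Warning"),
    }
    m = _RECEIVED.search(msg.get("X-GB-Received", ""))
    if m:
        info["src_host"], info["src_ip"], info["firewall"] = m.group("src_host", "src_ip", "fw")
        info["from_firewall"] = info["firewall"].lower() == trusted_firewall.lower()
    rule = msg.get("X-GB-Rule", "").strip()
    info["rule"] = int(rule) if rule.isdigit() else None
    # X-GB-AS: take the first word as the category and the first integer as the score.
    spam = msg.get("X-GB-AS", "")
    category = re.search(r"[A-Za-z]+", spam)
    score = re.search(r"\d+", spam)
    info["spam_category"] = category.group(0) if category else None
    info["spam_score"] = int(score.group(0)) if score else None
    # X-GB-AV: comma-separated items; "cured" marks removal, the rest are virus names.
    parts = [p.strip() for p in msg.get("X-GB-AV", "").split(",") if p.strip()]
    info["cured"] = any(p.lower() == "cured" for p in parts)
    info["viruses"] = [p for p in parts if p.lower() != "cured"]
    return info


def disposition(info):
    """Decide what a downstream filter should do with the message."""
    if not info["from_firewall"]:
        return "unverified"        # X-GB headers not vouched for by our firewall: do not act on them
    if info["viruses"] and not info["cured"]:
        return "infected"
    if (info["spam_category"] or "").lower() == "confirmed":
        return "spam"
    return "clean"


if __name__ == "__main__":
    parsed = parse_gb_headers(SAMPLE_MESSAGE)
    print(parsed)
    print(disposition(parsed))
```

For the sample, the worm was cured so the virus header does not make the message "infected", but the Confirmed spam category still yields "spam"; the same message evaluated against a different trusted firewall name comes back "unverified".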
Note
For ease of identification, GTA recommends that the host name be a fully qualified domain name (FQDN), as in the example above. The firewall host name is entered in the HOST NAME field of the Basic Configuration/Network Information section.