Analyze and manage Held Messages
Held messages are messages detained by Secure Exchange Gateway in accordance with your security policy. If a message has been held in a message area, you can analyze its content to determine how, when, and why it was held.
You can also handle held messages as required. You can delete or release a message, forward it, send a non-delivery reply to the sender, reprocess it through the content security policy, or export it to disk for further investigation.
A held message may contain threats if your policy did not specify that Secure Exchange Gateway should remove them. Take care not to release or forward held messages that may contain threats.
How do I...
Navigate to Messages > Find Held Messages to search for held messages.
If you know the message area to which your message has been sent, you can also open it directly from the Held Messages table under the Messages menu. Select the message area you require. The Message Filter displays the details of the message area, listing all messages that are currently retained.
- Select the message(s) you want to view using the check boxes. The viewing and processing options are displayed.
- Click View. A new browser window opens to display the message's details.
If you select more than one message, each selected message is displayed in a new window.
You can analyze a held message using the following tabs on the message's details page:
Message
The Message tab displays the Body text of the message and any attachments. You can display an alternative Body format if the message contains more than one format.
- Malicious emails may contain different information in different body types.
- For security reasons, HTML format bodies are displayed as text source.
- For security reasons, only extracted text is displayed in RTF format bodies.
Policy Summary
The Policy Summary tab displays information about how the message interacted with your security policy.
The upper area displays:
- a policy route the message matched
The Triggered Rules table lists the content rule(s) triggered by the message. In this table, any content rule(s) with at least one disposal action set as ‘Hold’ are displayed in bold. (Note that some content rules allow users to set primary and secondary disposal actions. For example, ‘Deliver’ and also ‘Hold’.)
The order of the content rules in the Triggered Rules table is based on the structure of the message, so this order does not reflect the priority of the content rules within a policy route. For example, in the table, a content rule which caused the entire message to be held is listed above a content rule which caused the message’s attachment to be held.
- To view the details of a content rule, click .
- If you want to view details of a message part, or text analysis that has been performed by Secure Exchange Gateway, use the Structure or Text Analysis buttons.
Structure
The Structure tab displays the components of the message, identified by Secure Exchange Gateway as it inspected its contents. You can also view information on how Secure Exchange Gateway acted on the components of the message.
You cannot view message structure information for messages in the Problem Messages area.
The Structure tab displays:
- The component tree, showing each element of the message. The components are displayed in the left pane. You can select and view individual components of the message.
- The Responses table, displaying the action taken by Secure Exchange Gateway on the selected component.
- The Properties table, displaying a complete list of data types detected in the selected component and the corresponding values.
The selected component is displayed in bold. Select the message identifier at the top of the component tree to view summary information for the entire message.
Text Analysis
If a content rule has identified lexical expressions in a held message, you can view the results using the Text Analysis tab. The results include the phrases identified and where they were found in the message.
The Text Analysis tab displays:
- The component tree, showing text elements of the message. The components are displayed in the left pane. You can select each component individually.
- The Text Analysis Results table, displaying the Rule that detected the phrase in the selected component, the Detection Type, the Phrase in the context of the message, its Weighting and overall Score.
The selected component is displayed in bold. Select the message identifier at the top of the component tree to view summary information for the entire message.
Registered Data
If the Check Registered Data content rule or the IG Global Policy is configured to hold messages when content registered with the Information Governance (IG) Server is detected, you can view the results using the Registered Data tab.
The Registered Data tab displays:
- The number of Exact and Partial matches to the registered document.
- The Classification Level of the document matched, as set on the IG Server.
- Which content Rule caused the message to be held.
- Details of the document containing the registered content.
- Extracts of Matches found in the document.
URLs
The URLs tab displays any potentially harmful URLs or hyperlinks that have been detected in a message subject or body by a Sanitize Message content rule. These URLs have been detected against either suspicious or custom URL Lists defined in your policy references. See URL Lists for more information.
Events
The Events tab displays Message Events associated with the selected message.
Message events are policy or process-related events. Events are displayed with the date and time they were processed and a short description.
| Possible Message Event... | Indicates that the message has been... |
| --- | --- |
| Successfully processed | Successfully processed by Secure Exchange Gateway. |
| Received by MTA | Received for processing (inbound). |
| Discarded | Discarded as a result of expiry or being non-delivered. |
| Decrypted SMIME content | Decrypted as a result of an S/MIME decryption action. |
| Decrypted PGP content | Decrypted as a result of a PGP decryption action. |
| Decrypted SMIME and PGP content | Decrypted as a result of both an S/MIME and PGP decryption action. |
| Applied encryption endpoint delivery policy | Applied with encryption endpoint. |
| Failed to apply encryption endpoint delivery policy | Unable to be delivered, due to no recipient key available. |
| No encryption endpoint for recipients | Unable to be delivered, due to no encryption endpoint defined for recipient. |
| Send a copy (Relay Server) | Copied and archived to a relay server. |
| Send a copy (BCC) | Copied and emailed to a user-defined email address. |
| Non-delivered | Non-delivered. |
| Held | Held in a message area. |
| Placed in problem message area | Detained because Secure Exchange Gateway has been unable to determine the message structure, or is unable to complete processing the message. |
| Marked for relay to specific host | Designated for relay to a user-defined host. |
| Split into multiple messages | Split as a result of policy. |
| Split to apply encryption endpoint settings | Split as a result of applying an encryption endpoint. |
| Reprocessed from message area | Reprocessed manually from a message area. |
| Released from message area | Released from a message area. |
| Forwarded from message area | Forwarded from a message area. |
| Non-delivered from message area | Non-delivered from a message area. |
| Marked for deletion from message area | Designated for deletion from a message area. |
| Deleted from message area | Deleted from a message area. |
| Expiry time set | Designated to expire from a message area, after a user-defined time period. |
| Accepted for processing by SMTP outbound transport service | Accepted for outbound delivery. |
| Delivered to destination SMTP server | Delivered to the recipient's SMTP server. |
| Delivery failed to destination SMTP server | Unable to be delivered to the recipient's SMTP server. |
| Notify sender about unreachable recipients | Unable to be delivered and the sender has been notified with a non-delivery email. |
| Finished delivery attempts | Attempted to be delivered. |
| Message discarded | Discarded by policy. |
| PMM Delete | Deleted from a message area by a PMM user. |
| PMM Release | Released from a message area by a PMM user. |
| PMM Auto-release | Released from a PMM-enabled message area automatically. |

Secure Multipurpose Internet Mail Extensions (S/MIME) is a specification for secure email messages that uses the X.509 format for digital certificates and uses various encryption algorithms such as 3DES.
You cannot view event information for messages in the Problem Messages area.
Raw Message
The Raw Message tab displays the message as raw SMTP data. This may be useful if you want to analyze the message header, body, or SMTP information, or you want to view message components quickly.
Images
The Images tab displays thumbnails of images contained in the held message. Secure Exchange Gateway analyzes images and determines whether each image is acceptable or unacceptable.
acceptable image
unacceptable image
If an image has been incorrectly categorized, click the thumbnail to change to either acceptable or unacceptable.
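The Message tab notes that malicious emails may contain different information in different body types, and the Raw Message tab gives you the raw data to check this. The following Python code is an added example, not part of Secure Exchange Gateway or its documentation: it parses raw message bytes and reports link hosts that appear only in the HTML body. The sample message and the function names are constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample (not a real message): the two alternative bodies disagree.
RAW = b"""\
Subject: Invoice
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your invoice is at https://portal.example.test/invoice
--b1
Content-Type: text/html; charset="utf-8"

<p>Invoice: <a href="https://login.example.invalid/invoice">https://portal.example.test/invoice</a></p>
--b1--
"""

URL_RE = re.compile(r"https?://[^\s<>\"']+")

class _Hrefs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # keep the link target, not the text shown to the reader
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def body_hosts(raw: bytes) -> dict:
    """Map each text body type to the hostnames its URLs point at."""
    found = {}
    for part in message_from_bytes(raw, policy=policy.default).walk():
        ctype = part.get_content_type()
        if ctype not in ("text/plain", "text/html") or part.is_attachment():
            continue
        if ctype == "text/html":
            parser = _Hrefs()
            parser.feed(part.get_content())
            urls = parser.hrefs
        else:
            urls = URL_RE.findall(part.get_content())
        found.setdefault(ctype, set()).update({urlsplit(u).hostname for u in urls} - {None})
    return found

def only_in_html(raw: bytes) -> list:
    found = body_hosts(raw)  # hosts linked from HTML but absent from plain text
    return sorted(found.get("text/html", set()) - found.get("text/plain", set()))
```

A non-empty result from `only_in_html` means the HTML body links somewhere the plain-text body never mentions, which is a reason to inspect both body formats before releasing or forwarding the message.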
- From the Held Messages table under the Messages menu, locate a required message. Alternatively, navigate to Messages > Find Held Messages and locate the message.
- Select a message (or messages) using the check boxes displayed in the message filter. The processing options are displayed.
Click View to analyze the message(s) you have selected.
- Click Release. The Confirm Release dialog box is displayed.
Releasing a message does not guarantee that it reaches its intended recipient. If the message has triggered additional content rules (or routes), Secure Exchange Gateway honors any disposal actions associated with the existing policy.
- Select whether to Release modified message or Release original message.
- Select Delete the message after release. This removes the released message from the message area.
- Click Yes if you are sure you want to release the message.
Exercise great caution when releasing messages from the Problem Messages area. These messages have not been analyzed according to your content security policy, and could be malicious.
- Click Forward. The Confirm Forward dialog box is displayed.
- Select the recipient of the forwarded message from the options: Original Sender, Original Recipients or Specific Recipients. If you select Specific Recipients, enter the email address (or addresses) you require, separated by semicolons.
- If required, enter a note in the message box to include with the original message.
- Select which version of the message you want to forward:
- Forward modified message. For example, a held message may have been stripped of its attachments, appended with a disclaimer, or may have had its subject tagged by the security policy.
- Forward original message. Forwards the message without applying modifications.
- Select Delete the message after forwarding. This removes the forwarded message from the message area.
- Click Yes if you are sure you want to forward the message.
When a message is forwarded, a copy of the message is sent to the specified address.
- Click Non-Deliver. The Confirm non-deliver dialog box is displayed.
- Enter a comment to include with the delivery-status notification, if appropriate. This notification is sent to the originator of the message. You may optionally add a reason for the non-delivery.
- Select Delete the message after non-deliver. This removes the message from the message area.
- Click Yes if you are sure you want to non-deliver the message.
You cannot non-deliver a message from the Problem Messages area.
- Click Reprocess. The Confirm reprocess dialog box is displayed.
- Select Override policy route if you want Secure Exchange Gateway to reprocess the message(s) using a different policy route chosen from the drop-down menu. This provides a manual override to allow reprocessing to be achieved using an alternative policy route.
When using the message reprocess feature, by default Secure Exchange Gateway reprocesses a message through the same policy route that it previously used to process the message. Selecting Override policy route allows you to override the policy selection and instead use an explicit policy route from the drop-down menu.
Creating a reprocess-only policy route
As Secure Exchange Gateway allows you to select a different policy route for reprocessing messages, it is possible to create special policy routes for reprocessing mail only. However, you should never use these policy routes for normal message processing.
To set up a reprocess-only policy route, create two address lists, one for the sender and one for the recipient, each containing an email address that would never send or receive email.
For example:
- Create the special-route-sender address list with a single address of xxx@xxx.xxx and a special-route-recipient address list with an address of yyy@yyy.yyy.
- Create a new policy route that uses these defined sender and recipient address lists. This policy route now appears in the Override policy route drop-down menu.
Once you deploy policy, the new policy route is available to reprocess mail. However, you should never use this policy route for normal traffic.
- Select whether you want Secure Exchange Gateway to reprocess the modified or original message(s):
- Reprocess modified message(s). This reprocesses modified message(s). For example, redacted messages or messages with attachments or headers removed.
- Reprocess original message(s). This reprocesses the original message(s), before Secure Exchange Gateway made any modifications to them.
- Select Delete the message after reprocess. This removes the reprocessed message from the message area by deleting it.
- Click Reprocess if you are sure you want to reprocess the message.
If you reprocess a message, Secure Exchange Gateway sends a copy of the message to the analysis queue for reprocessing, using the current content security policy.
Secure Exchange Gateway recalculates the appropriate policy route based on the sender and recipient, or uses the policy route you selected for Override policy route in step 4.
Set an expiry time for a held message?
- Click Set expiry. The Set when to expire messages dialog box is displayed.
- Do one of the following:
- Select Expire in: and enter the number of days you want the message to remain in the message area. For example, if the message is to expire tomorrow, enter 1.
- Select Never expire to ensure that the message remains in the message area indefinitely.
- Click OK to confirm the expiry time setting.
- Click Export. The Export dialog box is displayed.
- Complete the browser options and save the message to the appropriate location on your computer.
The default name of the exported message file is the message identifier and the extension corresponding to the file type. For example, qfk457Vp6x026442.qa
If you export a message from the Problem Message area, you will download a file called attachment.zp, which contains the message files.
Manage multiple held messages?
You can process multiple held messages together, using a batch operation.
- From the Held Messages table under the Messages menu, locate a required message. Alternatively, navigate to Messages > Find Held Messages and locate the message.
- Select the messages using the check boxes displayed in the message filter. The processing options are displayed.
Click Add Batch.
- Select the operation you want to apply and configure the details.
Click Add batch. The batch operation is added to the queue of current batch operations.