Log message dispositions and classifiers
Each history log contains one field called Classifier and another called Disposition.
The Classifier field displays which FortiMail scanner applies to the email message. For example, “Banned Word” means the email message was detected by the FortiMail banned word scanner. The Disposition field specifies the action taken by the FortiMail unit.
If you view the log messages on the FortiMail web UI or send the logs to a Syslog server, the dispositions and classifiers are displayed in English terms. However, if you download log files from the FortiMail web UI to your PC and open them, the dispositions and classifiers are displayed in hex numbers.
The following tables map the numbers with English terms.
When the classifier is “Attachment Filter”, a new field “atype” (attachment type) is also displayed. This field is for debug purpose only. |
Classifiers
Hex number |
Classifier |
Hex Number |
Classifier |
---|---|---|---|
0x00 |
Undefined |
0x2A |
Message Cryptography |
0x01 |
User Safe |
0x2B |
Delivery Control |
0x02 |
User Discard |
0x2C |
Encrypted Content |
0x03 |
System Safe |
0x2D |
SPF Failure as Spam |
0x04 |
System Discard |
0x2E |
Fragmented Email |
0x05 |
RBL |
0x2F |
Email Contains Image |
0x06 |
SURBL |
0x30 |
Content Requires Encryption |
0x07 |
FortiGuard AntiSpam |
0x31 |
FortiGuard AntiSpam Black IP |
0x08 |
FortiGuard AntiSpam-Safe |
0x32 |
Session Remote |
0x09 |
Bayesian |
0x33 |
FortiGuard Phishing |
0x0A |
Heuristic |
0x34 |
AntiVirus |
0x0B |
Dictionary Scanner |
0x35 |
Sender Address Rate Control |
0x0C |
Banned Word |
0x36 |
SMTP Auth Failure |
0x0D |
Deep Header |
0x37 |
Access Control List Reject |
0x0E |
Forged IP (before v5.2 release) |
0x38 |
Access Control List Discard |
0x0F |
Quarantine Control |
0x39 |
Access Control List Bypass |
0x10 |
Tagged virus (before v4.3 release) |
0x3A |
FortiGuard Antispam Webfilter |
0x11 |
Attachment Filter(see note above) |
0x3B |
Newsletter Suspicious |
0x12 |
Grey List |
0x3C |
TLS Streaming |
0x13 |
Bypass Scan On Auth |
0x3D |
Policy Match |
0x14 |
Disclaimer |
0x3E |
Dynamic Safe List |
0x15 |
Defer Delivery |
0x3F |
Sender Verification |
0x16 |
Session Domain |
0x40 |
Behavior Analysis |
0x17 |
Session Limits |
0x41 |
FortiGuard Spam Outbreak |
0x18 |
Session Safe |
0x42 |
Newsletter |
0x19 |
Session Block |
0x43 |
DMARC |
0x1A |
Content Monitor and Filter |
0x44 |
File Signature |
0x1B |
Content Monitor as Spam |
0x45 |
Sandbox |
0x1C |
Attachment as Spam |
0x46 |
Malware Outbreak |
0x1D |
Image Spam |
0x47 |
DLP Filter |
0x1E |
Sender Reputation |
0x48 |
DLP Treated as Spam |
0x1F |
Access Control List Relay Denied |
0x49 |
DLP Requires Encryption |
0x20 |
Safelist Word |
0x4A |
Access Control List Safe |
0x21 |
Domain Safe |
0x4B |
Virus Outbreak |
0x22 |
Domain Block |
0x4C |
FortiGuard Antispam Webfilter |
0x23 |
SPF (not in use) |
0x4D |
Impersonation Analysis |
0x24 |
Domain Key (not in use) |
0x4E |
Session Action |
0x25 |
DKIM (not in use) |
0x4F |
SPF Sender Alignment |
0x26 |
Recipient Verification |
0x50 |
SPF Check |
0x27 |
Bounce Verification |
0x51 |
Sandbox URL |
0x28 |
Endpoint Reputation |
0x52 |
Sandbox No Result |
0x29 |
SSL Profile Check |
0x53 |
Content Modification |
|
|
0x54 |
DKIM Failure |
When the classifier is “Attachment Filter”, a new field “atype” (attachment type) is also displayed. This field is for debug purpose only. |
Dispositions
Hex number |
Disposition |
Hex Number |
Disposition |
---|---|---|---|
0x00 |
Undefined |
0x10000 |
Encrypt |
0x01 |
Accept |
0x20000 |
Decrypt |
0x04 |
Reject |
0x40000 |
Alternate Host |
0x08 |
Add Header |
0x80000 |
BCC |
0x10 |
Modify Subject |
0x100000 |
Archive |
0x20 |
Quarantine |
0x200000 |
Customized repackage |
0x40 |
Insert Disclaimer |
0x400000 |
Repackage |
0x80 |
Block |
0x800000 |
Notification |
0x100 |
Replace |
0x1000000 |
Sign |
0x200 |
Delay |
0x2000000 |
Defer |
0x400 |
Forward |
0x4000000 |
HTML to Text |
0x800 |
Disclaimer Body |
0x8000000 |
Sanitize HTML |
0x1000 |
Disclaimer Header |
0x10000000 |
Remove URLs |
0x2000 |
Defer |
0x20000000 |
Deliver to Original Host |
0x4000 |
Quarantine to Review |
0x40000000 |
Content Reconstruction |
0x8000 |
Treat as Spam |
0x80000000 |
URL Click Protection |
|
|
0x100000000 |
Domain Quarantine |
The disposition field in a log message may contain one or more dispositions/actions. |