Log Reference

Log message dispositions and classifiers

Each history log contains one field called Classifier and another called Disposition.

The Classifier field displays which FortiMail scanner applies to the email message. For example, “Banned Word” means the email message was detected by the FortiMail banned word scanner. The Disposition field specifies the action taken by the FortiMail unit.

If you view the log messages on the FortiMail web UI or send the logs to a Syslog server, the dispositions and classifiers are displayed in English terms. However, if you download log files from the FortiMail web UI to your PC and open them, the dispositions and classifiers are displayed in hex numbers.

The following tables map the hex numbers to the English terms.

Note

When the classifier is “Attachment Filter”, a new field “atype” (attachment type) is also displayed. This field is for debugging purposes only.

Classifiers

| Hex number | Classifier | Hex number | Classifier |
|---|---|---|---|
| 0x00 | Undefined | 0x2A | Message Cryptography |
| 0x01 | User Safe | 0x2B | Delivery Control |
| 0x02 | User Discard | 0x2C | Encrypted Content |
| 0x03 | System Safe | 0x2D | SPF Failure as Spam |
| 0x04 | System Discard | 0x2E | Fragmented Email |
| 0x05 | RBL | 0x2F | Email Contains Image |
| 0x06 | SURBL | 0x30 | Content Requires Encryption |
| 0x07 | FortiGuard AntiSpam | 0x31 | FortiGuard AntiSpam Black IP |
| 0x08 | FortiGuard AntiSpam-Safe | 0x32 | Session Remote |
| 0x09 | Bayesian | 0x33 | FortiGuard Phishing |
| 0x0A | Heuristic | 0x34 | AntiVirus |
| 0x0B | Dictionary Scanner | 0x35 | Sender Address Rate Control |
| 0x0C | Banned Word | 0x36 | SMTP Auth Failure |
| 0x0D | Deep Header | 0x37 | Access Control List Reject |
| 0x0E | Forged IP (before v5.2 release) | 0x38 | Access Control List Discard |
| 0x0F | Quarantine Control | 0x39 | Access Control List Bypass |
| 0x10 | Tagged virus (before v4.3 release) | 0x3A | FortiGuard Antispam Webfilter |
| 0x11 | Attachment Filter (see note above) | 0x3B | Newsletter Suspicious |
| 0x12 | Grey List | 0x3C | TLS Streaming |
| 0x13 | Bypass Scan On Auth | 0x3D | Policy Match |
| 0x14 | Disclaimer | 0x3E | Dynamic Safe List |
| 0x15 | Defer Delivery | 0x3F | Sender Verification |
| 0x16 | Session Domain | 0x40 | Behavior Analysis |
| 0x17 | Session Limits | 0x41 | FortiGuard Spam Outbreak |
| 0x18 | Session Safe | 0x42 | Newsletter |
| 0x19 | Session Block | 0x43 | DMARC |
| 0x1A | Content Monitor and Filter | 0x44 | File Signature |
| 0x1B | Content Monitor as Spam | 0x45 | Sandbox |
| 0x1C | Attachment as Spam | 0x46 | Malware Outbreak |
| 0x1D | Image Spam | 0x47 | DLP Filter |
| 0x1E | Sender Reputation | 0x48 | DLP Treated as Spam |
| 0x1F | Access Control List Relay Denied | 0x49 | DLP Requires Encryption |
| 0x20 | Safelist Word | 0x4A | Access Control List Safe |
| 0x21 | Domain Safe | 0x4B | Virus Outbreak |
| 0x22 | Domain Block | 0x4C | FortiGuard Antispam Webfilter |
| 0x23 | SPF (not in use) | 0x4D | Impersonation Analysis |
| 0x24 | Domain Key (not in use) | 0x4E | Session Action |
| 0x25 | DKIM (not in use) | 0x4F | SPF Sender Alignment |
| 0x26 | Recipient Verification | 0x50 | SPF Check |
| 0x27 | Bounce Verification | 0x51 | Sandbox URL |
| 0x28 | Endpoint Reputation | 0x52 | Sandbox No Result |
| 0x29 | SSL Profile Check | 0x53 | Content Modification |
|  |  | 0x54 | DKIM Failure |


Dispositions

| Hex number | Disposition | Hex number | Disposition |
|---|---|---|---|
| 0x00 | Undefined | 0x10000 | Encrypt |
| 0x01 | Accept | 0x20000 | Decrypt |
| 0x04 | Reject | 0x40000 | Alternate Host |
| 0x08 | Add Header | 0x80000 | BCC |
| 0x10 | Modify Subject | 0x100000 | Archive |
| 0x20 | Quarantine | 0x200000 | Customized repackage |
| 0x40 | Insert Disclaimer | 0x400000 | Repackage |
| 0x80 | Block | 0x800000 | Notification |
| 0x100 | Replace | 0x1000000 | Sign |
| 0x200 | Delay | 0x2000000 | Defer |
| 0x400 | Forward | 0x4000000 | HTML to Text |
| 0x800 | Disclaimer Body | 0x8000000 | Sanitize HTML |
| 0x1000 | Disclaimer Header | 0x10000000 | Remove URLs |
| 0x2000 | Defer | 0x20000000 | Deliver to Original Host |
| 0x4000 | Quarantine to Review | 0x40000000 | Content Reconstruction |
| 0x8000 | Treat as Spam | 0x80000000 | URL Click Protection |
|  |  | 0x100000000 | Domain Quarantine |

Note

The disposition field in a log message may contain one or more dispositions/actions.
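
The following is an added example, not Fortinet code: a decoder that splits a hex disposition value from a downloaded log file into the actions it contains and reports any bits the table does not define. It assumes that multiple dispositions are combined as a bitwise OR of the table values (the page only says the field may hold more than one), and the `disposition=0x...` field layout and the sample lines are constructed for illustration.

```python
import re

# Disposition names indexed by bit position (bit n has value 1 << n), copied
# from the Dispositions table. None marks 0x02, which the table does not list.
BIT_NAMES = [
    "Accept", None, "Reject", "Add Header", "Modify Subject", "Quarantine",
    "Insert Disclaimer", "Block", "Replace", "Delay", "Forward",
    "Disclaimer Body", "Disclaimer Header", "Defer", "Quarantine to Review",
    "Treat as Spam", "Encrypt", "Decrypt", "Alternate Host", "BCC", "Archive",
    "Customized repackage", "Repackage", "Notification", "Sign", "Defer",
    "HTML to Text", "Sanitize HTML", "Remove URLs", "Deliver to Original Host",
    "Content Reconstruction", "URL Click Protection", "Domain Quarantine",
]

# Assumed field layout in a downloaded log line (not taken from the page).
FIELD = re.compile(r'\bdisposition="?(0x[0-9a-fA-F]+)')

def decode_disposition(value):
    """Return (names, unknown_mask) for a disposition given as int or hex string."""
    mask = int(value, 16) if isinstance(value, str) else value
    if mask == 0:
        return ["Undefined"], 0
    names, unknown, bit = [], 0, 0
    while mask >> bit:
        if (mask >> bit) & 1:
            name = BIT_NAMES[bit] if bit < len(BIT_NAMES) else None
            if name:
                names.append(name)
            else:
                unknown |= 1 << bit  # keep undefined bits visible for review
        bit += 1
    return names, unknown

def dispositions_in(lines):
    """Decode the disposition field of every line that carries one."""
    return [decode_disposition(m.group(1))
            for m in map(FIELD.search, lines) if m]

SAMPLE = [  # constructed log lines
    "classifier=0x0c disposition=0x20",
    "classifier=0x34 disposition=0x800100",
    "classifier=0x07 disposition=0x8012",
]

if __name__ == "__main__":
    for names, unknown in dispositions_in(SAMPLE):
        print(names, hex(unknown))
```

A non-zero unknown mask means the value carries a bit that this table does not cover, which is worth surfacing rather than dropping when the logs feed detection or reporting.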
