Message History Report
The Message History report details the messages processed by Sophos Email Security for your protected mailboxes.
This option is only available if your license includes Sophos Email.
Go to Reports > Email Security Logs > Message History.
If you have domains connected with Sophos Gateway and Sophos Mailflow, click Category to select whether to see one type, or all.
You can select the period for which you want to view the message processing history. By default, the report displays the messages processed during the current day. If you change the date range, click the refresh icon to update the report. You can view the reports in Message History for only 30 days.
Report Details
Each row in the report shows one message that has passed through the gateway. If a message is sent to more than one recipient, there's only one row for that message.
For each message, the report shows:
- DIRECTION: Click the arrows to sort the rows.
- SENDER
- RECIPIENTS
- TYPE
- SUBJECT: Click the subject to go to Message Details for that message.
-
LAST STATUS: The most recent activity for the message.
The possible values for LAST STATUS can be as follows.
- Deleted: The message was deleted due to its content or your block list configuration. When you select Deleted, you can select a Reason for deletion.
- Quarantined: The message was marked as spam due to its content or your block list configuration. You can view quarantined messages on the Quarantined Messages page. See Quarantined Messages.
- Bounced: The message was returned to the sender, with a reason for not delivering it.
- Redirected: The message was not delivered to the original recipient. It was redirected to another email address.
- Processing: The message is still being processed. This applies to messages in the sandbox environment and messages queued for delivery.
- Accepted: The message was received successfully and is being processed by our system.
- Delivery Successful: The message was processed successfully and sent for delivery.
- Delivery Failed: The delivery of the message was attempted several times, but it couldn't be delivered, and the request timed out.
-
Queued for Delivery: The initial delivery attempt failed, and the message is re-queued for delivery.
We attempt to deliver inbound messages for up to 5 days and outbound messages for up to 1 day. Possible reasons for failure are the recipient mail server being offline, or issues retrieving the recipient's DNS records. Messages queued for delivery that are now in the processing phase show as Processing.
-
Processing Encryption: The message is still in the process of being push encrypted, or the push encrypted message is waiting to be delivered after the recipient sets their password.
- Encrypted Delivery: A message encrypted by Push Encryption was delivered.
- Portal Delivery: A message encrypted by Portal Encryption was delivered to the Sophos Secure Message portal.
- Returned to M365: A Sophos Mailflow email was successfully returned to Microsoft 365.
- Queued for return to M365: A Sophos Mailflow email was put in a queue to be returned to Microsoft 365.
- Failed to return to M365: A Sophos Mailflow email couldn't be returned to Microsoft 365.
- Clawback Successful: The message was retracted to post delivery quarantine after being successfully delivered to recipients.
- Clawback Initiated: The process to retract the message has been initiated.
- Clawback Failed: The message retraction failed.
- Clawback Released: The retraction request has been cancelled or released. The message will not be retracted.
-
DATE: The date of the most recent activity for the message.
- CATEGORY: The category of the message.
- SUB CATEGORY: More detailed categorization of the message.
If a message is suspicious, you can hover over the CATEGORY entry to see why it was quarantined or deleted.
Note
Whether a message is quarantined or deleted depends on the spam protection settings you've chosen, see Email Security policy.
Advanced Search
If you have Advanced Search, it's the default in Message History.
Click the Advanced Search input box. You can filter messages by the following:
- From: Sender. Supports partial strings. Not case sensitive.
- To: Recipient. Supports partial strings. Not case sensitive.
- Subject: Supports partial strings. Not case sensitive. Click the subject of a message to see its details. See Message Details.
- Message size: Greater than or less than a number of MB. This uses the MIME size of an email, which may be greater than the raw file size. See Calculating email attachment file sizes.
- Attachment: Type of attachment. Supports partial strings.
-
DSN code: Select a delivery status notification (DSN) code.
You can enter a whole DSN code, or select one of the following wildcards:
- 2.*.*: Successful delivery
- 4.*.*: Transient failure
- 5.*.*: Permanent failure
Note
- When we analyze senders and recipients of messages, we use their SMTP envelope sender and recipient addresses, not their from-header and to-header addresses.
- Special characters, including punctuation marks such as periods (.), commas (,), and hash symbols (#), as well as symbols, accent marks, ASCII control characters, and formatting characters, are ignored in the search criteria fields.
You can combine different search terms. They are applied with the AND
condition.
You can filter messages by Direction, Status, or Reason.
If you change the date range or filter the messages, you need to click the refresh icon to update the search results.
Search results
In your search results the parameters you selected appear in the search box. You can refine your search by clicking individual parameters to remove them. Your search results are updated immediately.
You can click the direction arrow to limit your search to inbound or outbound messages. The down arrow is for inbound messages, the up arrow for outbound messages. If you click a direction arrow your search results are updated immediately.
Message Details
To view Message Details, click a message's Subject.
The URLs tab is part of Advanced Search, which might not be available to all users yet.
You can click the following tabs for more information about the message.
- Details shows general information about the message and a history of events for the message. Event history is grouped by Recipients.
- Raw Header shows the header details.
- Attachments shows the name and size of attachments.
-
URLs shows any URLs in the message.
We calculate attachment size using the email's MIME-encoding. We don't use the size of the raw files. This means attachment file sizes are often reported as larger than the actual file. See Calculating email attachment file sizes.
For inbound and outbound "Spam" emails, depending on our message analysis, you'll see either Report as Spam or Report as Not Spam. Click either of these options to send the message to SophosLabs and help improve our spam detection.
Blocking
In Message History, you can click Block Sender or Block Domain to add the sender's email address or the domain to you block list.
You can select Block IP Address to add the IP address to the Inbound Allow/Block list. You can also add email addresses and domains to the blocklist.
Warning
Be careful if you block an IP address. You can accidentally block a whole service. For example if you block the IP address used by Microsoft 365, you won't receive messages from any Microsoft 365 users.
For more information see Inbound Allow/Block.
Recover deleted messages
You must be a Super Admin to perform this feature.
Outbound messages flagged as spam are deleted. This is because servers downgrade the reputation of Sophos Email delivery IP addresses when they receive spam from Sophos Email. If the Super Admin wants to check whether deleted messages were false positives, they can recover and quarantine them for further inspection. This applies for inbound and outbound messages.
You can recover and send the deleted messages to quarantine in Message History. The only deleted messages you can recover and send back to quarantine are as follows:
-
Inbound messages flagged as malware:
- Virus
- Intelix threat (unscannable)
- Intelix threat (malicious)
-
Outbound messages flagged as spam
Click the subject of a message to view its message details, then click Deleted to start message recovery. You can select Recover for all recipients to recover the message for all recipients, then click Recover.
Note
Messages recovered to quarantine must undergo a thorough evaluation before they’re released so that the security of the recipient isn’t compromised.
It may take a few minutes to recover the message to quarantine. When it's recovered to quarantine, you must thoroughly assess the message by using techniques such as submitting the message to Intelix for scanning. You can download the attachments to inspect them for malicious content. You can read the message content to determine whether it's spam. See Quarantined Messages.
Releasing outbound spam harms the reputation of delivery IP addresses of Sophos Email. A compromised reputation may result in delays or rejection of messages for all customers. So, an hourly rate limit is applied to the recovery of deleted outbound spam. In an hour, you can recover a maximum of five messages, each of which may have been addressed to one or more recipients.
Suspected spam messages
This feature might not be available for all customers yet.
Inbound messages are scanned for spam, and then messages are categorized based on scan results. When Sophos Central identifies a suspicious message, it marks it as 'Suspected' and adds its spam level.
Sophos Central categorizes the suspected spam messages based on their level. For example, a message corresponding to an L3 spam level will be marked as "Suspected L3" in Message History.
The action will depend on the adjustments you made on the slider. For example, you set the slider to 'L3' and the action to 'Quarantine'. In that case, suspected spam messages from L1 to L3 will be quarantined, and those from L4 to L5 will be delivered to the recipient.
You can filter the messages by suspected spam level. You can also click the subject of a message to view more details and its suspected spam level. The suspected spam level you configured using the catch rate slider is shown in Reason, and the suspected spam level Sophos Central validated is shown in Sub Category.
Multiple recipients
If a message is sent to multiple recipients, in Details you can do the following:
- Scroll through the SMTP Recipients and Header Recipients.
- You can see a list of recipients with their latest delivery status. You can also search events by recipient email address or domain. You can expand a message to see all the events associated with it.
- Filter the messages by clicking the links under Status Summary.
Using on-demand clawback
You can manually claw back messages determined to be objectionable from M365 mailboxes of recipients to post delivery quarantine.
The on-demand clawback feature is also supported for distribution lists and email aliases. After a successful on-demand clawback for distribution lists, the status will remain Clawback Initiated.
You can perform on-demand clawback using the following methods:
-
Message History: You can choose the messages you want to claw back by selecting the checkbox next to each message. You can also go to the next page and select messages from there.
Tip
- You can use Advanced Search to narrow down your message selection.
- You can select the checkbox beside the DIRECTION column to select all messages at once, because only inbound messages can be clawed back.
- You can filter for delivered messages because only messages delivered successfully can be clawed back.
After selecting the messages, click Initiate clawback to retract messages from M365 mailboxes.
-
Message Details: In Message History, you can click the subject of a message you want to claw back and then view its message details.
After selecting the messages, click Initiate clawback to retract messages from M365 mailboxes of one or more recipients. Select the recipients from whom you want to claw back the delivered message.
Click View Report to view the post delivery summary report on these clawed-back messages. See Post delivery summary report.
Note
- You can claw back a message only if it's delivered to a M365 mailbox whose domain is connected for post delivery protection.
- It may take up to 10 minutes to claw back a message from a M365 mailbox.
- A message released from post delivery quarantine can't be clawed back again.
After a successful on-demand clawback, the messages are quarantined. You can check the messages through the post delivery quarantine list and release them if they're non-malicious or legitimate. See Quarantined Messages.
The Clawback API can be used to claw back messages from a recipient's inbox. For more information, see Email Management API.