Message History Report
This option is only available if your license includes Sophos Email.
The Message History report provides an overview of email activity for your protected mailboxes.
Go to Reports > Email Security Logs > Message History.
The report provides a history of both processed messages and messages that were rejected because the mailbox wasn't found. The report includes the following tabs:
- Processed: Messages that were successfully processed by Sophos Email Security.
  If you have domains connected with Sophos Gateway and Sophos Mailflow, click Category to select whether to see one type or all.
- Rejected: Messages that were rejected because the mailbox wasn't found.
You can select the period for which you want to view the message processing history or rejection log report. By default, the report displays the messages processed or rejected during the current day. If you change the date range or apply filters, click the Refresh icon to update the report.
You can view the reports in Message History for 30 days.
EMS mode
If you're subscribed to Sophos EMS, Sophos EMS scans journal copies of emails and doesn't intercept the original email. As a result, the email statuses shown in the Message History report are only for reporting purposes. They don't reflect the true delivery status of the emails. For more information on Sophos EMS, see Sophos EMS (Email Monitoring System).
Report "Processed"
The Processed report shows messages that have been processed by Sophos Email. If a message is sent to more than one recipient, there's only one row for that message.
For each processed message, the report shows the following details:
- Direction: Inbound or Outbound. Click the arrows to sort the rows.
- Sender: The email address of the sender.
- Recipients: The email addresses of the recipients.
- Type: The type of message, either Gateway or Mailflow.
- Subject: Click the subject to go to Message Details for that message.
- Last Status: The most recent activity for the message. See Last Status.
- Date: The date of the most recent activity for the message.
- Category: The category of the message. See Category.
- Sub Category: More detailed categorization of the message.
If a message is suspicious, you can hover over the Category entry to see why it was quarantined or deleted.
Quarantine summary emails sent to your users don't appear in this report.
Note
Whether a message is quarantined or deleted depends on the spam protection settings you've chosen. See Email Security policy.
You can schedule the Processed report as a custom report. Save as Custom Report lets you save the Processed report using the "Message History" template on the Reports page.
For more information on saving or scheduling reports, see Email reports.
Last Status
The possible values for Last Status are as follows.
- Deleted: The message was deleted due to its content or your block list configuration. When you select Deleted, you can select a Reason for deletion.
- Quarantined: The message was marked as spam due to its content or your block list configuration. You can view quarantined messages on the Quarantined Messages page. See Quarantined Messages.
- Bounced: The message was returned to the sender, with a reason for not delivering it.
- Redirected: The message wasn't delivered to the original recipient. It was redirected to another email address.
- Processing: The message is still being processed. This applies to messages in the sandbox environment and messages queued for delivery.
- Accepted: The message was received successfully and is being processed by our system.
- Delivery Successful: The message was processed successfully and sent for delivery.
- Delivery Failed: The delivery of the message was attempted several times, but it couldn't be delivered, and the request timed out.
- Queued for Delivery: The initial delivery attempt failed, and the message is re-queued for delivery.
  We attempt to deliver inbound messages for up to 5 days and outbound messages for up to 1 day. Possible reasons for failure are the recipient mail server being offline, or issues retrieving the recipient's DNS records. Messages queued for delivery that are now in the processing phase show as Processing.
- Processing Encryption: The message is still in the process of being push encrypted, or the push encrypted message is waiting to be delivered after the recipient sets their password.
- Encrypted Delivery: A message encrypted by Push Encryption was delivered.
- Portal Delivery: A message encrypted by Portal Encryption was delivered to the Sophos Secure Message portal.
- Returned to M365: A Sophos Mailflow email was successfully returned to Microsoft 365.
- Queued for return to M365: A Sophos Mailflow email was put in a queue to be returned to Microsoft 365.
- Failed to return to M365: A Sophos Mailflow email couldn't be returned to Microsoft 365.
- Clawback Successful: The message was successfully clawed back to post-delivery quarantine after being delivered to recipients.
- Clawback Initiated: The process to claw back the message has been initiated.
- Clawback Failed: The attempt to claw back the message failed.
- Clawback Released: The clawback request has been canceled or released. The message won't be clawed back.
Category
The possible values for Category and their subcategories are as follows.
- Realtime blocked: The message was blocked in real-time.
- Enterprise blocked: The message was blocked by enterprise-level security policies.
  - Admin blocked: The message was blocked by an administrator setting.
  - User blocked: The message was blocked by a user setting.
- Malware: The message contains malware.
  - Unscannable: The message couldn't be scanned for threats.
    - Excessive URLs: The message contains an unusually high number of URLs.
  - Intelix threat: The message is flagged as a potential threat based on Intelix analysis.
    - Malicious: The message contains malicious content or includes links to it.
    - Intelix unscannable: The message couldn't be scanned by Intelix.
    - Suspicious: The message is flagged as suspicious but not confirmed as malicious.
- URL/QR Code: The message contains URLs or QR codes that link to harmful or unsafe websites.
  - Malicious URL (High risk): The URL is identified as high risk based on the reputation of the source.
  - Malicious URL (Criminal): The URL is linked to criminal activity or intent.
    Note
    If an email contains a link on the Internet Watch Foundation's criminal URL list, we're legally required to delete the email. We're also legally required not to display the link anywhere in Sophos Central, including Message History. See IWF: URL List.
    We always delete these emails. We don't use the settings in your Email Security policies.
  - QR Code (High risk): The QR code is identified as high risk based on the reputation of the linked website.
  - QR Code (Criminal): The QR code is linked to a website involved in criminal activity or intent.
  - Clean QR code: The QR code is linked to a website that passed all security checks and showed no signs of malicious behavior.
- Impersonation: The message impersonated a trusted sender.
  - Brand: The message spoofed a well-known brand or organization.
  - Internal VIP: The message targeted a high-profile individual within your organization.
  - External VIP: The message targeted a trusted external contact, such as a vendor, customer, or partner.
  - General: The message is considered impersonation but doesn't match a specific VIP or brand. It's flagged based on machine learning or anti-phishing heuristics.
  Tip
  Click the subject of a message flagged as impersonation to view more details. You can check if the message is from an internal or external VIP, multiple VIPs, or flagged as aggressive mode.
- Spam: The message is flagged as unsolicited bulk email, also known as junk email.
  - Suspected L<x>: The message is flagged as suspected spam at a level that can be from L1 to L5. For more information on the suspected spam levels, see Anti-spam.
  - Confirmed: The message was identified as spam because it contains known and verified spam patterns.
  - Disallowed Country: The message originated from a country disallowed by your policy.
  - Disallowed Language: The message contains content in a language disallowed by your policy.
  - BATV: The message failed the Bounce Address Tag Validation (BATV) check because it lacked a valid bounce address tag, which is required to verify legitimate bounce messages. This may indicate a forged return address, often seen in spam or backscatter attacks.
- Bulk: The message was sent to a large group of recipients, such as newsletters, mailing lists, or other forms of solicited email.
- Authentication failure: The message failed the DMARC, SPF, or DKIM authentication checks.
  - DKIM: The message failed the DKIM check configured by you in the policy.
  - DMARC: The message failed the DMARC check configured by you in the policy.
  - SPF: The message failed the SPF check configured by you in the policy.
  - Header anomaly: The message failed the header anomaly check because the From address doesn't match the real sender or is different from the MAIL FROM address in the envelope. This could mean the email was spoofed.
  - Domain anomaly: The message failed the domain anomaly check because it was sent from a non-existent or improperly configured domain with no valid MX or A records.
- Data control: The message is flagged because it triggered a Data Control policy rule.
  - Push encrypted: The message was encrypted using Push Encryption because it triggered a Data Control rule.
  - Portal encrypted: The message was encrypted and stored within the Sophos Secure Message portal because it triggered a Data Control rule.
- Secure message: The message is encrypted to ensure confidentiality and protect sensitive data.
  - Push encrypted: The message was encrypted using Push Encryption, as configured in your Secure Message policy.
  - Portal encrypted: The message was encrypted and stored within the Sophos Secure Message portal, as configured in your Secure Message policy.
  - S/MIME: The message was signed or encrypted using the S/MIME protocol, as configured in your Secure Message policy.
  - TLS v1.2: The message was delivered securely using TLS 1.2 encryption, as configured in your Secure Message policy.
  - TLS v1.3: The message was delivered securely using TLS 1.3 encryption, as configured in your Secure Message policy.
- Legitimate: The message is identified as valid and trusted.
  - S/MIME: The message was received as signed or encrypted using the S/MIME protocol.
  - PT campaign: The message is part of a Phish Threat campaign.
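The Header anomaly and BATV subcategories above both hinge on the SMTP envelope rather than the message headers: one compares the header From with the envelope MAIL FROM, the other checks that a bounce (empty MAIL FROM) is addressed to a return path we actually tagged. The following Python is an added example written for this page, not Sophos code, and shows a defender-side implementation of both checks. The prvs tag layout (prvs=KDDDSSSSSS=local@domain) follows the BATV draft; the choice of HMAC-SHA256 truncated to six hex characters, the use of date.toordinal() as the day counter, the domain-level comparison in the header check, and the sample message are this example's own assumptions.

```python
import hmac
import hashlib
from datetime import date
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from typing import Optional

# Constructed sample message (not a real capture). The envelope MAIL FROM is not
# part of the message bytes; the MTA supplies it, so it is a separate argument.
SAMPLE_MESSAGE = (
    b"From: Payroll <payroll@example.com>\r\n"
    b"To: alice@example.com\r\n"
    b"Subject: Updated bank details\r\n"
    b"\r\n"
    b"Please review the attached form.\r\n"
)


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def header_from_address(raw_message: bytes) -> str:
    """Bare address from the header From, display name stripped."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    return parseaddr(msg.get("From", ""))[1].lower()


def header_anomaly(envelope_mail_from: str, raw_message: bytes) -> bool:
    """Header anomaly: header From domain differs from envelope MAIL FROM domain.
    Domain-level comparison is this example's simplification. Bounces have an
    empty MAIL FROM and are handled by the BATV check instead."""
    if not envelope_mail_from:
        return False
    return domain_of(header_from_address(raw_message)) != domain_of(envelope_mail_from)


# BATV prvs tag: prvs=KDDDSSSSSS=local@domain  (K key number, DDD expiry day
# mod 1000, SSSSSS signature). Signature and day-counter choices are assumptions.
def _batv_sig(key: bytes, key_num: str, day: str, address: str) -> str:
    mac = hmac.new(key, f"{key_num}{day}{address}".encode(), hashlib.sha256)
    return mac.hexdigest()[:6]


def batv_sign(key: bytes, address: str, today: date, key_num: int = 0,
              validity_days: int = 7) -> str:
    """Tag the envelope sender of outgoing mail so only bounces to a tag we
    issued, and that has not expired, are accepted later."""
    local, _, domain = address.rpartition("@")
    day = f"{(today.toordinal() + validity_days) % 1000:03d}"
    sig = _batv_sig(key, str(key_num), day, address)
    return f"prvs={key_num}{day}{sig}={local}@{domain}"


def batv_validate(key: bytes, rcpt_to: str, today: date,
                  validity_days: int = 7) -> Optional[str]:
    """Return the untagged address if rcpt_to carries a valid, unexpired tag
    signed with `key`; otherwise None."""
    local, _, domain = rcpt_to.rpartition("@")
    if not local.startswith("prvs="):
        return None
    tag, _, core_local = local[len("prvs="):].partition("=")
    if len(tag) != 10 or not core_local:
        return None
    key_num, day, sig = tag[0], tag[1:4], tag[4:]
    if not (key_num.isdigit() and day.isdigit()):
        return None
    core = f"{core_local}@{domain}"
    expected = _batv_sig(key, key_num, day, core)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None
    days_left = (int(day) - today.toordinal()) % 1000  # wraps high once expired
    if days_left > validity_days:
        return None
    return core


def bounce_lacks_valid_tag(key: bytes, envelope_mail_from: str, rcpt_to: str,
                           today: date) -> bool:
    """The BATV failure the report describes: a bounce (empty MAIL FROM) whose
    recipient address carries no valid tag, so we never sent the original."""
    if envelope_mail_from:
        return False  # not a bounce; BATV does not apply
    return batv_validate(key, rcpt_to, today) is None
```

To exercise it, sign an address with batv_sign, then feed the tagged address as the RCPT TO of a bounce to bounce_lacks_valid_tag; an untagged, forged or expired return path is reported as lacking a valid tag, and header_anomaly flags SAMPLE_MESSAGE when the envelope sender's domain is not example.com.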
How to search
Find out how to use advanced search features to filter messages in Message History.
Advanced Search
In Message History, you can use Advanced Search to filter and find specific messages.
Click Advanced Search to begin.
Advanced Search options may vary for Processed and Rejected.
You can filter messages by the following search fields:
- From: Sender. Supports partial strings. Not case sensitive.
- To: Recipient. Supports partial strings. Not case sensitive.
- Subject: Supports partial strings. Not case sensitive. Click the subject of a message to see its details. See Message Details.
- Message size: Greater than or less than a number of MB. This uses the MIME size of an email, which may be greater than the raw file size. See Calculating email attachment file sizes.
- Attachment: Type of attachment. Supports partial strings.
- DSN code: Select a delivery status notification (DSN) code.
  You can enter an entire DSN code, or select one of the following options:
  - 2.*.*: Successful delivery
  - 4.*.*: Transient failure
  - 5.*.*: Permanent failure
Note
- When we analyze senders and recipients of messages, we use the SMTP envelope sender and recipient addresses, not the From and To message headers.
- Special characters, including punctuation marks such as periods, commas, and hash symbols (#), as well as symbols, accent marks, ASCII control characters, and formatting characters, are ignored in the search criteria fields.
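The DSN filter options above are wildcard patterns over the three-part enhanced status codes of RFC 3463 (class.subject.detail), where the class digit 2, 4 or 5 gives the outcome and must agree with the first digit of the SMTP reply code that carries it. As an added example that is not Sophos code, the following Python parses a reply such as the "550 5.1.1 User unknown" mentioned later on this page and matches it against filters written in the same 2.*.* / 4.*.* / 5.*.* form; the sample log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# An SMTP reply with an RFC 3463 enhanced status code, e.g. "550 5.1.1 User unknown",
# or the bare code "5.1.1". Subject and detail are 1 to 3 digits each.
_DSN_RE = re.compile(
    r"^(?:(?P<reply>[245]\d{2})\s+)?"
    r"(?P<class>[245])\.(?P<subject>\d{1,3})\.(?P<detail>\d{1,3})"
    r"(?:\s+(?P<text>.*))?$"
)

CLASS_NAMES = {"2": "Successful delivery", "4": "Transient failure", "5": "Permanent failure"}

# Constructed sample of reply strings as they might appear in a delivery log.
SAMPLE_LOG = [
    "250 2.0.0 Ok",
    "451 4.4.1 Connection timed out",
    "550 5.1.1 User unknown",
    "550 5.7.1 Message rejected by policy",
]


@dataclass(frozen=True)
class DsnCode:
    reply: Optional[str]  # 3-digit SMTP reply code, if the line had one
    klass: str
    subject: str
    detail: str
    text: str

    @property
    def code(self) -> str:
        return f"{self.klass}.{self.subject}.{self.detail}"

    @property
    def outcome(self) -> str:
        return CLASS_NAMES[self.klass]


def parse_dsn(line: str) -> DsnCode:
    """Parse one reply line; reject malformed codes and class/reply disagreement."""
    m = _DSN_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a DSN/enhanced status code: {line!r}")
    reply, klass = m.group("reply"), m.group("class")
    if reply and reply[0] != klass:
        raise ValueError(f"reply code {reply} disagrees with enhanced class {klass}")
    return DsnCode(reply, klass, m.group("subject"), m.group("detail"), m.group("text") or "")


def matches_filter(code: DsnCode, pattern: str) -> bool:
    """Pattern is 'class.subject.detail' with '*' as a wildcard, e.g. '5.*.*' or '5.1.*'."""
    parts = pattern.split(".")
    if len(parts) != 3:
        raise ValueError(f"filter must have three components: {pattern!r}")
    for have, want in zip((code.klass, code.subject, code.detail), parts):
        if want != "*" and want != have:
            return False
    return True


def filter_log(lines: Iterable[str], pattern: str) -> List[DsnCode]:
    """Return the parsed codes from `lines` that match `pattern`; skip unparseable lines."""
    matched = []
    for line in lines:
        try:
            code = parse_dsn(line)
        except ValueError:
            continue
        if matches_filter(code, pattern):
            matched.append(code)
    return matched
```

filter_log(SAMPLE_LOG, "5.*.*") returns the two permanent failures; narrowing to "5.1.*" keeps only the unknown-user rejection, which is the same distinction the report's Permanent failure option draws over your own message history.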
You can filter messages by the following search fields:
- From: Sender. Supports partial strings. Not case sensitive.
- To: Recipient. Supports partial strings. Not case sensitive.
- Sender IP: The sender's IP address. Supports partial IP address values.
You can configure several search criteria. The search results will include messages that match all criteria.
You can filter messages by Direction, Status, or Reason.
If you change the date range or filter the messages, you must click the Refresh icon to update the search results.
Search results
In your search results, the parameters you selected appear in the search box. You can click individual parameters to remove them from the search. Your search results are updated immediately.
You can click the direction arrow to limit your search to inbound or outbound messages. The down arrow is for inbound messages, and the up arrow is for outbound messages. If you click a direction arrow, your search results are updated immediately.
Message Details
To view Message Details, click a message's Subject.
The URLs tab is part of Advanced Search, which might not be available to all users yet.
You can click the following tabs for more information about the message.
- Details shows general information about the message and a history of events for the message. Event history is grouped by Recipients.
- Raw Header shows the header details.
- Attachments shows the name and size of attachments.
- URLs shows any URLs in the message.
We calculate attachment size using the email's MIME-encoding. We don't use the size of the raw files. This means attachment file sizes are often reported as larger than the actual file. See Calculating email attachment file sizes.
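The reason the reported size exceeds the file size (also behind the Message size search field above) is that a binary attachment is base64-encoded inside the MIME part, which expands every 3 bytes to 4 characters and then adds a line break every 76 characters, plus the part's own headers. The following Python is an added example, not Sophos code, that builds a message with a constructed 30,720-byte attachment using the standard library and compares the raw size with the encoded MIME part and the whole message.

```python
from email import policy
from email.message import EmailMessage

# Constructed binary payload standing in for an attached file (30,720 bytes).
SAMPLE_PAYLOAD = bytes(range(256)) * 120


def build_message(payload: bytes, filename: str = "report.bin") -> EmailMessage:
    """Wrap `payload` as an attachment. Binary parts are base64-encoded by
    default, which is where the MIME overhead comes from."""
    msg = EmailMessage(policy=policy.SMTP)  # CRLF line endings, as on the wire
    msg["From"] = "sender@example.com"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Quarterly report"
    msg.set_content("Report attached.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg


def size_report(payload: bytes, filename: str = "report.bin") -> dict:
    """Raw file size versus the encoded attachment part and the whole message."""
    msg = build_message(payload, filename)
    # The part's bytes include its headers and the base64 body with line breaks.
    part_size = sum(len(part.as_bytes()) for part in msg.iter_attachments())
    return {
        "raw": len(payload),
        "attachment_part": part_size,
        "message": len(msg.as_bytes()),
    }


def overhead_percent(report: dict) -> float:
    """How much larger the MIME part is than the raw file, in percent."""
    return (report["attachment_part"] - report["raw"]) / report["raw"] * 100
```

For the constructed payload the encoded part comes out roughly 37% larger than the file (4/3 for base64, a little more for line breaks and headers), so a filter on Message size should be set against the encoded figure, not the file size on disk.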
For inbound and outbound "Spam" emails, depending on our message analysis, you'll see either Report threat or Report clean. Click either of these options to send the message to SophosLabs and help improve our spam detection.
Blocking
In Message History, you can click the subject of a message you want to block and then view its message details. Next, click Block under SMTP From and select either Block sender or Block sender domain to add the sender's email address or the domain to your block list.
You can also click Block IP Address under IP Address to add the IP address to your block list. Alternatively, you can add email addresses and domains from the Inbound Allow/Block list.
Warning
Be careful when you block an IP address. You can accidentally block a whole service. For example, if you block the IP address used by Microsoft 365, you won't receive messages from any Microsoft 365 users.
You can add descriptions when blocking a sender's email address, domain, or IP address to specify the reason for each block entry. For example, a description might be "blocked due to spam". You can view and edit these descriptions later on the Inbound Allow/Block list.
For more information, see Inbound Allow/Block.
Recover deleted messages
You must be a Super Admin to use this feature.
Outbound messages flagged as spam are deleted. This is because servers downgrade the reputation of Sophos Email delivery IP addresses when they receive spam from Sophos Email. If the Super Admin wants to check whether deleted messages were false positives, they can recover and quarantine them for further inspection. This applies to inbound and outbound messages.
You can recover and send the deleted messages to quarantine in Message History. The only deleted messages you can recover and send back to quarantine are as follows:
- Inbound messages flagged as malware:
  - Virus
  - Intelix threat (unscannable)
  - Intelix threat (malicious)
- Outbound messages flagged as spam
Click the subject of a message to view its message details, then click Deleted to start message recovery. You can select Recover for all recipients to recover the message for all recipients, then click Recover.
Note
Messages recovered to quarantine must undergo a thorough evaluation before they're released so that the security of the recipient isn't compromised.
It may take a few minutes to recover the message to quarantine. When it's recovered to quarantine, you must thoroughly assess the message by using techniques such as submitting the message to Intelix for scanning. You can download the attachments to inspect them for malicious content. You can read the message content to determine whether it's spam. See Quarantined Messages.
Releasing outbound spam harms the reputation of delivery IP addresses of Sophos Email. A compromised reputation may result in delays or rejection of messages for all customers. So, an hourly rate limit is applied to the recovery of deleted outbound spam. In an hour, you can recover a maximum of five messages, each of which may have been addressed to one or more recipients.
The following video shows you how to recover deleted messages to quarantine and configure your users' quarantine as read-only.
Suspected spam messages
Inbound messages are scanned for spam, and then messages are categorized based on scan results. When Sophos Central identifies a suspicious message, it marks it as 'Suspected' and adds its spam level.
Sophos Central categorizes the suspected spam messages based on their level. For example, a message corresponding to an L3 spam level will be marked as "Suspected L3" in Message History.
The action depends on the adjustments you made on the slider. For example, if you set the slider to 'L3' and the action to 'Quarantine', suspected spam messages from L1 to L3 are quarantined, and those from L4 to L5 are delivered to the recipient.
You can filter the messages by suspected spam level. You can also click the subject of a message to view more details and its suspected spam level. The suspected spam level you configured using the catch rate slider is shown in Reason, and the suspected spam level Sophos Central validated is shown in Sub Category.
Multiple recipients
If a message is sent to multiple recipients, in Details you can do the following:
- Scroll through the SMTP Recipients and Header Recipients.
- You can see a list of recipients with their latest delivery status. You can also search events by recipient email address or domain. You can expand a message to see all the events associated with it.
- Filter the messages by clicking the links under Status Summary.
On-demand clawback
You can manually claw back messages determined to be objectionable from recipients' M365 mailboxes and move them to post-delivery quarantine.
This feature applies to individual recipients, email aliases, and distribution lists. After a successful clawback attempt, the clawback status for distribution lists remains "Clawback Initiated".
Before you perform a clawback, note the following points:
- You can claw back a message only if it's delivered to an M365 mailbox whose domain is connected for post-delivery protection.
- It may take up to 10 minutes to claw back a message from an M365 mailbox.
- A message released from post-delivery quarantine can't be clawed back again.
You can report a message to SophosLabs and claw it back at the same time. Clawback starts after you submit the message to SophosLabs, as long as it was successfully delivered to a supported M365 mailbox.
A detection is sent to MDR if you select a reason during clawback. The reason appears as a suffix in the Detection Rule column on the Detections page in the Threat Analysis Center.
After a successful clawback, the messages are quarantined. You can check the messages in the post-delivery quarantine list and release them if they're non-malicious or legitimate. See Quarantined Messages.
You can also claw back messages from a recipient's inbox using the clawback API. For more information, see Email Management API.
You can perform on-demand clawback using the following methods.
Claw back messages in Message History
You can claw back messages directly from the Message History page.
To do this, do as follows:
- In Sophos Central, go to Reports > Email Security Logs > Message History.
- Select the messages you want to claw back. You can select up to 100 messages at once.
  Tip
  - You can use Advanced Search to narrow down your message selection.
  - You can use the checkbox next to the up/down arrow icon to select all messages on the current page. Make sure you're viewing only inbound messages, as only those can be clawed back.
  - You can filter for delivered messages because only messages delivered successfully can be clawed back.
- Click Initiate clawback.
  The Clawback messages dialog appears.
- (Optional) Select a reason for clawing back the selected messages from the following options:
  - Spam emails
  - Malware emails
  - Phishing emails
  - Unwanted emails
- (Optional) If you selected Spam emails, Malware emails, or Phishing emails, you can select Report the emails to SophosLabs to report the messages to SophosLabs.
  This helps us improve our threat detection.
- Click Confirm to claw back messages from the M365 mailboxes.
Claw back messages in Message Details
You can claw back messages from their message details page.
To do this, do as follows:
- In Sophos Central, go to Reports > Email Security Logs > Message History.
- Click the subject of a message you want to claw back to view its message details.
- Click Initiate clawback.
- Select the recipients from whom you want to claw back the delivered message.
- Select a reason for clawing back the selected message from the following options:
  - Spam emails
  - Malware emails
  - Phishing emails
  - Unwanted emails
- (Optional) If you selected Spam emails, Malware emails, or Phishing emails, you can select Report the emails to SophosLabs to report the message to SophosLabs.
  This helps us improve our threat detection.
- (Optional) Click View Report to view the post-delivery summary report for the messages clawed back. See Post-delivery summary report.
- Click Clawback to claw back messages from the M365 mailboxes of the selected recipients.
Report "Rejected"
The Rejected report, also known as "Rejection Log Report", shows messages that were rejected because the mailbox wasn't found in Sophos Email.
Warning
If we detect more than 1,000 messages from a single IP address within a 5-minute window, we temporarily stop logging more messages from that IP address and send an alert. You can see the alert from the Alerts page.
After five minutes, we'll resume normal logging of rejection messages.
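The behaviour described in the warning is a per-source-IP sliding-window limiter: count rejected messages per IP over the last five minutes, and once the count passes 1,000, stop logging that IP, raise one alert, and resume after the window. As an added example that is not Sophos code, the following Python implements that logic with the page's thresholds as defaults, and replays a constructed log excerpt through it with a small limit so the transitions are visible. Timestamps are seconds, and the log format (seconds followed by sender IP) is this example's own.

```python
from collections import defaultdict, deque
from typing import Dict, List, Tuple


class RejectionLogThrottle:
    """Per-IP sliding window: once more than `limit` messages arrive from one
    IP within `window` seconds, further messages from that IP are not logged
    and a single alert is raised; logging resumes `window` seconds later."""

    def __init__(self, limit: int = 1000, window: int = 300) -> None:
        self.limit = limit
        self.window = window
        self._recent: Dict[str, deque] = defaultdict(deque)  # ip -> timestamps in window
        self._muted_until: Dict[str, int] = {}               # ip -> when logging resumes
        self.alerts: List[Tuple[str, int]] = []

    def observe(self, ip: str, ts: int) -> str:
        """Record one rejected message; return 'logged', 'alert' or 'suppressed'."""
        muted_until = self._muted_until.get(ip)
        if muted_until is not None:
            if ts < muted_until:
                return "suppressed"
            del self._muted_until[ip]  # quiet period over: start counting afresh
            self._recent[ip].clear()
        recent = self._recent[ip]
        recent.append(ts)
        while recent and recent[0] <= ts - self.window:  # drop events outside the window
            recent.popleft()
        if len(recent) > self.limit:
            self._muted_until[ip] = ts + self.window
            self.alerts.append((ip, ts))
            return "alert"
        return "logged"


# Constructed rejection-log excerpt: "<seconds> <sender ip>" per line.
SAMPLE_LOG = """\
0 203.0.113.7
5 203.0.113.7
10 203.0.113.7
15 203.0.113.7
20 203.0.113.7
30 198.51.100.9
80 203.0.113.7
"""


def simulate(log_text: str, limit: int, window: int) -> Tuple[Dict[str, int], List[Tuple[str, int]]]:
    """Replay a log through the throttle; return per-outcome counts and the alerts raised."""
    throttle = RejectionLogThrottle(limit=limit, window=window)
    counts = {"logged": 0, "alert": 0, "suppressed": 0}
    for line in log_text.splitlines():
        ts, ip = line.split()
        counts[throttle.observe(ip, int(ts))] += 1
    return counts, throttle.alerts
```

With limit=3 and a 60-second window, the fourth message from 203.0.113.7 at t=15 triggers the alert, the one at t=20 is suppressed, the other IP is unaffected, and the message at t=80 is logged again because the quiet period ended at t=75.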
For each rejected message, the report shows the following details:
- Date: The date and time of the most recent activity for the message.
- Sender: The sender's email address.
- Sender IP: The sender's IP address.
- Recipient: The recipient's email address.
- Type: The type of message, either Gateway or Mailflow.
- Reason: The reason why the message was rejected, such as a mailbox not being found.
Note
Rejected messages can't be released from Sophos Email. If a message is rejected due to a hard bounce reason, such as a "Mailbox couldn't be found" or a "550 5.1.1 User unknown" error, it isn't quarantined or retained by Sophos. Therefore, you can't resend rejected messages.
You can schedule the Rejected report as a custom report. Save as Custom Report lets you save the Rejected report using the "Email Rejection Report" template on the Reports page.
For more information on saving or scheduling reports, see Email reports.