Classifiers and dispositions in history logs
Each history log contains one field called Classifier and another called Disposition.
The Classifier field shows which FortiMail scanner applied to the email message. For example, “Banned Word” means the email message was detected by the FortiMail banned word scanner. The Disposition field specifies the action taken by the FortiMail unit.
 
If you view the log messages on the FortiMail web UI or send the logs to a Syslog server, the dispositions and classifiers are displayed in English terms. However, if you download log files from the FortiMail web UI to your PC and open them, the dispositions and classifiers are displayed as hex numbers.
The following tables map the hex numbers to the English terms.
Table 60: Classifiers

| Hex number | Classifier | Hex number | Classifier |
|---|---|---|---|
| 0x00 | Undefined | 0x21 | Domain Safe |
| 0x01 | User Safe | 0x22 | Domain Block |
| 0x02 | User Block | 0x23 | SPF |
| 0x03 | System Safe | 0x24 | Domain Key |
| 0x04 | System Block | 0x25 | DKIM |
| 0x05 | DNSBL | 0x26 | Recipient Verification |
| 0x06 | SURBL | 0x27 | Bounce Verification |
| 0x07 | FortiGuard AntiSpam | 0x28 | Endpoint Reputation |
| 0x08 | FortiGuard AntiSpam-Safe | 0x29 | TLS Enforcement |
| 0x09 | Bayesian | 0x2A | Message Cryptography |
| 0x0A | Heuristic | 0x2B | Delivery Control |
| 0x0B | Dictionary Filter | 0x2C | Encrypted Content |
| 0x0C | Banned Word | 0x2D | SPF Failure as Spam |
| 0x0D | Deep Header | 0x2E | Fragmented email |
| 0x0E | Forged IP | 0x2F | Email contains image |
| 0x0F | Quarantine Control | 0x30 | Content Requires Encryption |
| 0x10 | Virus as Spam (before v4.3 release) | 0x31 | FortiGuard AntiSpam-IP |
| 0x11 | Attachment Filter (see note above) | 0x32 | Session Remote |
| 0x12 | Grey List | 0x33 | FortiGuard Phishing |
| 0x13 | Bypass Scan On Auth | 0x34 | AntiVirus |
| 0x14 | Disclaimer | 0x35 | Sender Address Rate Control |
| 0x15 | Defer Delivery | 0x36 | SMTP Auth Failure |
| 0x16 | Session Domain | 0x37 | Access Control List Reject |
| 0x17 | Session Limits | 0x38 | Access Control List Discard |
| 0x18 | Session Safe | 0x39 | Access Control List Bypass |
| 0x19 | Session Block | 0x3a | FortiGuard Antispam Webfilter |
| 0x1A | Content Monitor and Filter | 0x3b | Newsletter Suspicious |
| 0x1B | Content Monitor as Spam | 0x3c | TLS Streaming |
| 0x1C | Attachment as Spam | 0x3d | Policy Match |
| 0x1D | Image Spam | 0x3e | Dynamic Safe List |
| 0x1E | Sender Reputation | 0x3f | Sender Verification |
| 0x1F | Access Control List Relay Denied | 0x40 | Behavior Analysis |
| 0x20 | Safelist Word | 0x41 | File Signature |
 
 
When the classifier is “Attachment Filter”, a new field, “atype” (attachment type), is also displayed. This field is for debugging purposes only.
Table 61: Dispositions

| Hex number | Disposition | Hex number | Disposition |
|---|---|---|---|
| 0x00 | Accept | 0x1000 | Disclaimer Header |
| 0x01 | Accept | 0x2000 | Defer |
| 0x04 | Reject | 0x4000 | Quarantine to Review |
| 0x08 | Add Header | 0x8000 | Content Filter as Spam |
| 0x10 | Modify Subject | 0x10000 | Encrypt |
| 0x20 | Quarantine | 0x20000 | Decrypt |
| 0x40 | Accept | 0x40000 | Alternate Host |
| 0x80 | Discard | 0x80000 | BCC |
| 0x100 | Replace | 0x100000 | Archive |
| 0x200 | Delay | 0x200000 | Customized repackage |
| 0x400 | Rewrite | 0x400000 | Repackage |
| 0x800 | Disclaimer Body | 0x800000 | Notification |
 
 
The Disposition field in a log message may contain one or more dispositions (actions). For example, the “accept” and “defer” dispositions may appear in the same message. The Defer disposition is added when an email message is deferred for either of the following two reasons: a FortiGuard antispam outbreak or a FortiSandbox scan.
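For reading downloaded log files during triage, the following added example (not Fortinet code) decodes the Disposition hex value using Table 61. It assumes that multiple dispositions are stored as the bitwise OR of the table's values (every non-zero value is a single bit, but the page does not state the encoding) and that a downloaded line carries a `disposition=0x…` key=value pair; the sample lines are constructed.

```python
import re

# Table 61 values. 0x00, 0x01 and 0x40 are all listed as "Accept".
DISPOSITIONS = {
    0x01: "Accept", 0x04: "Reject", 0x08: "Add Header",
    0x10: "Modify Subject", 0x20: "Quarantine", 0x40: "Accept",
    0x80: "Discard", 0x100: "Replace", 0x200: "Delay", 0x400: "Rewrite",
    0x800: "Disclaimer Body", 0x1000: "Disclaimer Header", 0x2000: "Defer",
    0x4000: "Quarantine to Review", 0x8000: "Content Filter as Spam",
    0x10000: "Encrypt", 0x20000: "Decrypt", 0x40000: "Alternate Host",
    0x80000: "BCC", 0x100000: "Archive", 0x200000: "Customized repackage",
    0x400000: "Repackage", 0x800000: "Notification",
}

# Assumed field layout (key=value, optionally quoted); not taken from the page.
FIELD = re.compile(r'\bdisposition=("?)(0x[0-9A-Fa-f]+)\1')

def decode_disposition(value):
    """Return (names, unknown_bits) for a hex string or int disposition."""
    mask = int(value, 16) if isinstance(value, str) else value
    if mask == 0:
        return ["Accept"], 0  # 0x00 maps to Accept in Table 61
    names, unknown, bit = [], 0, 1
    while bit <= mask:
        if mask & bit:
            name = DISPOSITIONS.get(bit)
            if name is None:
                unknown |= bit        # bit with no row in Table 61
            elif name not in names:   # 0x01 and 0x40 both mean Accept
                names.append(name)
        bit <<= 1
    return names, unknown

def dispositions_in_line(line):
    """Decode the disposition field of one log line, or None if absent."""
    m = FIELD.search(line)
    return decode_disposition(m.group(2)) if m else None

# Constructed sample lines, not real FortiMail output.
SAMPLE_LINES = [
    'classifier=0x0C disposition=0x20',
    'classifier=0x07 disposition=0x2001',
    'classifier=0x00 disposition="0x00"',
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        names, unknown = dispositions_in_line(line)
        extra = f" + unknown bits {unknown:#x}" if unknown else ""
        print(f"{line!r:45} -> {', '.join(names)}{extra}")
```

Bits with no row in Table 61 are returned separately rather than dropped, so a value from a firmware version with additional dispositions is visible instead of silently misread.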