Email Security 9.0 Admin Guide


SonicWall Email Security’s Auditing module enables the administrator to monitor all emails, both inbound and outbound, that pass through Email Security. This allows the user to monitor where emails have filtered into or locate the destination of a particular email.

The Auditing module also allows the administrator to track the actions performed on every server connecting to the Email Security server.

Topics include:


The default view after selecting Auditing > Messages is to see inbound messages captured in the auditing database. The messages displayed are based on the auditing parameters you set. Click on the Outbound button to see the outbound messages. Click the Inbound button to return to the inbound view.

Setting Audit Parameters

This procedure sets audit parameters on both the inbound and outbound path.

To set the auditing parameters:
Click the Settings button (far right).

Select on or off to enable or disable the following settings:
Auditing for inbound email
Auditing for outbound email
Enable Judgment Details logging
Auditing for connections
IMPORTANT: Enabling Auditing for connections can generate five to ten times more data than not enabling it. To more effectively manage your storage space, you may wish to keep connection data for less time than you keep the email auditing files .
To specify how long you want to keep the auditing files, select one of the preset times for following:
Keep Email auditing files for:
Keep connection auditing files for:

The preset times for both options are 1 Day, 2 Days, 3 Days, 7 Days, 30 Days, 60 Days, 90 Days, 180 Days, or 1 year.

Select Apply to save the settings.

Searches, Filters and Sorts

Email Security offers both simple and advanced search queries of the audit data.

Simple Search Queries

To perform a simple search:
Enter the text you want to search for in the Simple search field.

Surround sentence fragments with quotes (for example: “look for me”). Boolean operators AND, OR, and NOT are supported.

Select the field to search on from the drop-down menu.

Choose from Subject, To, From, or Unique Message ID.

Click on Search.

The results are displayed in the data table.

Advanced Search Filters

Advanced search filters can be performed directly on the data displayed in the table. Select the down arrow next to the column title to filter the data. Some columns are searchable by typing in a string of text to search on. Other columns allow you to choose one or more filters from a list of pre-populated options. The results of any filtering are immediately shown in the data table. You can filter more than one column at a time. Click on the Clear Filters button to clear any filters you selected.


The columns in the data table can be sorted in ascending or descending order.

To sort a column:
Click in the heading of the column you want to sort. A small arrowhead appears in the column. The arrowhead points up to indicate ascending order and down to indicate descending order.
Click in the column again to change the direction of the arrowhead. The data refreshes immediately to reflect the choice you made.
Click on the Reset to Default View button to reset back to the prior view.

Sharing Data

Data from the audit messages can be shared or saved several different ways:


Button name


Send Copy To

Sends selected messages to a specific recipient. Select one message by clicking on it. Select a series of messages by clicking on the first message and then shift-clicking on the last one. Select disconnected messages by control-clicking on each one you want.


Sends the selected messages to the downloads file in zip format.

Export to csv

Exports the data displayed to a file in CSV format.

Release from Capture Box

Releases an email from the Capture Box before analysis is complete.


Refreshes the data in the table.

Managing the Data Table Format

Manage the table format by using the buttons on the right.


Button name


Add Columns

Select Add Columns to get the drop down menu. Check the boxes for the data you want to appear in the table. Uncheck them to remove them from the table.

Clear Filters

Clears any filters you set during an Advanced Search.

Save View

Saves the view you created after adding or removing columns.

Reset to Default View

Resets the data table back to the default view.

Diagnosing Issues

Email Security helps you diagnose why an email failed. You can use both the message audit information or the Judgment Details if they were enabled. While some Message Audit data is available to users, only administrators can see the Judgment Details.

NOTE: Auditing must also be turned on or Judgment Detail is not logged.

Using Message Audit Data

To activate the Message Audit window, click on the desired email address which is displayed in the data table on the Inbound or Outbound tab. Email Security displays the message audit.

When the message audit window is open, data is displayed about the actions of the email, such as the IP address of the computer that sent the email and details about the email itself like subject and message size.

The following tables describe message actions and message details with their descriptions:

Message Action


Arrived into gateway from

Shows the IP address from the computer that sent the email.

The date and time are taken from the email header.


The email is either inbound or outbound.

Arrival notes

Additional information about the arrival of the email, i.e. if the email arrived encrypted.

Audit trails

Provides information on what happens to the email on a per recipient basis.


Message Field



Subject title of the email


Sender’s email address


Recipient’s email address

Date Received

Date and time, taken from the email header

Message Size

Size of the message


Identifies the threat status of the email


Identifies the subtype of spam the email is categorized with


Attachments with the email

Using Judgment Details

The SonicWall Judgment Details feature allows administrators to view blocked email and determine why it was blocked. This additional information allows them to tune their filters better and reduce false positives.

Judgment Details are a description of why a particular email message was flagged as Junk or Possible Junk by Email Security. This might include keywords, suspicious headers, or other data that indicates a message is not legitimate. This information is only available to administrators.

Email Security has always collected data on why a particular email was rejected. A simplified version of the judgment details appears to users in their junk boxes, explaining that their messages were flagged as having attributes of a particular category of junk mail, including phishing or gambling. Judgment Details for administrators provides more details, identifying exactly which words, phrases, headers, or contents caused Email Security to put the message in the Junk Box.

To view Judgment Details:
Navigate to Auditing > Messages.
Configure the search to find the message(s) you are interested in. Refer to Searches, Filters and Sorts for more information on searching the audit data.
Click on the link in the Subject column for the message you want details on. The Message Audit window displays.

Your judgment details appear as a part of this window. The specific fields recorded depend on whether the message was inbound or outbound. Not all fields appear all the time—fewer judgment details are collected on outbound messages.

The following table provides more details about how to read the Judgment Details.

Effectiveness Field



The virus scanner that was first to find a virus in the message.


The name of the policy that blocked emails with this characteristic.

People, Companies, Lists

If this message was blocked because of a list you configured, the list item that occurred in the message.

Anti-Spam Aggressiveness

Depending on the aggressiveness setting you have configured, where the message falls on the sensitivity rating.

Significant Keywords and Phrases Found

The words in the email that increased the email’s score.

Spammer’s Tricks

The known spammer tricks that have been coded against. Only the first-found spammer trick is reported in this window.

Language Detected

The language the email is in. Some organizations block languages they do not expect.

GRID Network

Reports from other users about this email.


The sender ID


The reason a message was allowed through without checking. This is usually because the message is from a sender in the same domain as the recipient.


You can use the Connections page to track the actions performed on every server that connects to your Email Security server and delivers email. Use the advanced search query method described in Advanced Search Filters to find specific messages.

Select the Settings button to enable Auditing for connections and set the length of time connection auditing files should be stored. Refer to Setting Audit Parameters for more details.

Organizing the data for the Connections Found table is the same as for the Inbound or Outbound Messages data table. Refer to Managing the Data Table Format for details.