INFO: Message and Quarantine Naming Conventions

This article applies to:

  • Trustwave MailMarshal (SEG)
  • Trustwave ECM/MailMarshal Exchange 7.X

Question:

  • What do SEG or ECM message names mean?
  • How are quarantine folders named and structured?

Information:

Message Naming Conventions

SEG and ECM ("MailMarshal") message names are split into four main parts.

The full message name (Base Name, Edition and Server ID) uniquely identifies a message passing through the system.

An example message name, "B44509c560000.445590480001.0001.mml", is broken down below:

Message Name Component    Component Example
----------------------    -----------------
Base Name                 B44509c560000
Edition ID                445590480001
Server ID                 0001
File Extension            mml

  • Base Name: An ID given to each message that enters MailMarshal. The base name includes a timestamp and sequence counter. This guarantees uniqueness of the base name for a specific processing node server.
  • Edition ID: A unique ID given to each edition of a particular message. An edition of a message is generated each time the message is copied or split by a rule, or by operator action such as passing through for some recipients.
  • Server ID: An ID number that identifies which node processed the message.
  • File Extension: MailMarshal uses the “mml” extension to identify messages.

The base name and edition ID can be broken into additional sections:

Name Component                  Component Example
------------------------------  -----------------
Letter Code (Base Name Only)    B
Message Sequence (Time)         44509c56
Message Sequence (Increment)    0000

  • Letter Code: One of several letter codes is assigned to each message. This varies based on how the message entered MailMarshal.

    B – Email message traffic scanned by SEG. In MailMarshal SMTP, B message names are assigned by the MailMarshal SMTP Receiver. In MailMarshal Exchange, B messages are picked up by the Exchange Agent. These messages are processed by the MailMarshal Engine and delivered by the MailMarshal SMTP Sender or by being re-inserted into Exchange Server.

    C – Messages created by the MailMarshal SMTP Sender. In most cases these will be either Message Delayed in Transit notifications or Message Failed Delivery notifications.

    D – Messages generated by the MailMarshal Engine. These messages are either notifications generated by rules or DeadLetter notifications.

    E – Messages generated by the MailMarshal Array Manager or MailMarshal Controller. These include Digests, license status messages, and messages that are forwarded to someone from the MailMarshal Console.

  • Message Sequence (Time): A 32-bit number, in hexadecimal, representing the number of seconds since 01/01/1970 00:00:00 at the time the message was created. This measure of time is commonly known as the Unix epoch. This value is given in Greenwich Mean Time (UTC).
  • Message Sequence (Increment): A 16-bit counter, in hexadecimal. Since multiple messages can be received within a single second, a counter is appended to the Unix epoch value to ensure that names remain unique on the specific server.
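The following is an added example (not Trustwave code) that decodes a message name into the components described above: letter code, base-name time and increment, edition time and increment, server ID and extension. It assumes the edition ID uses the same 8-hex-digit time plus 4-hex-digit counter layout as the base name, as the article states, and that the server ID is a four-digit decimal number as in the example name.

```python
"""Decode MailMarshal (SEG/ECM) message names of the form
<Letter><8 hex seconds><4 hex counter>.<8 hex seconds><4 hex counter>.<server>.mml

Added example, not Trustwave code. The layout is taken from the article;
the regex and helper names below are this example's own.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Letter codes and their origin, as listed in the article.
LETTER_CODES = {
    "B": "mail traffic scanned by SEG (SMTP Receiver / Exchange Agent)",
    "C": "created by the SMTP Sender (delayed / failed delivery notices)",
    "D": "generated by the Engine (rule notifications, DeadLetter notices)",
    "E": "generated by the Array Manager / Controller (digests, licence, forwards)",
}

# Base name: one letter, 8 hex digits of Unix time, 4 hex digits of counter.
# Edition ID: the same two numeric parts without the letter (assumption).
MESSAGE_NAME_RE = re.compile(
    r"^(?P<letter>[A-Z])(?P<base_time>[0-9a-fA-F]{8})(?P<base_inc>[0-9a-fA-F]{4})"
    r"\.(?P<ed_time>[0-9a-fA-F]{8})(?P<ed_inc>[0-9a-fA-F]{4})"
    r"\.(?P<server>\d{4})"
    r"\.(?P<ext>mml)$"
)


@dataclass(frozen=True)
class MessageName:
    letter: str
    origin: str
    base_time: datetime       # when the message entered MailMarshal (UTC)
    base_increment: int       # per-second counter on the receiving node
    edition_time: datetime    # when this edition was created (UTC)
    edition_increment: int
    server_id: int            # node that processed the message
    extension: str


def hex_epoch_to_utc(hex_seconds: str) -> datetime:
    """32-bit hex seconds since 1970-01-01 00:00:00 -> timezone-aware UTC datetime."""
    return datetime.fromtimestamp(int(hex_seconds, 16), tz=timezone.utc)


def parse_message_name(name: str) -> MessageName:
    """Split a message file name into its documented components."""
    m = MESSAGE_NAME_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a MailMarshal message name: {name!r}")
    letter = m["letter"]
    return MessageName(
        letter=letter,
        # The article lists B, C, D and E; anything else is reported as unknown.
        origin=LETTER_CODES.get(letter, "unknown letter code (not listed in the article)"),
        base_time=hex_epoch_to_utc(m["base_time"]),
        base_increment=int(m["base_inc"], 16),
        edition_time=hex_epoch_to_utc(m["ed_time"]),
        edition_increment=int(m["ed_inc"], 16),
        server_id=int(m["server"]),
        extension=m["ext"],
    )


if __name__ == "__main__":
    # The example name from the article.
    info = parse_message_name("B44509c560000.445590480001.0001.mml")
    print(f"{info.letter}: {info.origin}")
    print(f"entered MailMarshal at {info.base_time.isoformat()} (counter {info.base_increment})")
    print(f"edition created at {info.edition_time.isoformat()} (counter {info.edition_increment})")
    print(f"processed by node {info.server_id}")
```

When investigating a quarantined or dead-lettered item, the decoded base time tells you when the message first entered the system on that node, while the edition time shows when the copy you are looking at was produced by a rule or operator action; the two can differ by days if a message was parked and later released.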

Quarantine Directory Contents

The SEG Quarantine directory contains four main sections.

  • Deadletter directory: The Deadletter directory contains several subdirectories which house various types of messages that could not be delivered or analyzed by MailMarshal.
  • ValidFingerprints directory: The ValidFingerprints directory holds files which are known to SEG, for use with the fingerprint rule condition.
  • GUID directories: These directories hold MML files that have been parked, moved, or copied into different folders by SEG. They are named after the unique hexadecimal UID that identifies particular folders within the MailMarshal configuration.
  • Symbolic directory: Internally, MailMarshal only uses the GUID directories when performing operations on the quarantine. However, the Symbolic directory exists for human convenience. Each of the 'folders' within the Symbolic directory is a junction to a currently active GUID folder referenced by the MailMarshal configuration. (Note: junctions are similar to symlinks in Unix-based operating systems. Physical MML files are stored only once within the Quarantine.)

Quarantine Sub-Folder Naming Conventions

Quarantine folders contain sub-folders that are broken up into time periods. These sub-folder names are split into two parts:

Quarantine Sub-Folder Name Component    Component Example
------------------------------------    ------------------------
Base Name                               2006_04_22_4449fa3d0000
Friendly Date                           2006_04_22
Unix Epoch Time                         4449fa3d0000

  • Friendly Date: A friendly name for human purposes, identifying the beginning of the quarantine time period for this sub-folder. This is given in the format yyyy_mm_dd.
  • Unix Epoch Time: A 32-bit number, in hexadecimal, representing the number of seconds since 01/01/1970 00:00:00 at the time the first message was quarantined in this sub-folder. This value is given in UTC (Greenwich Mean Time).

It is common for MailMarshal to create multiple sub-folders for a particular day in any given quarantine directory. This occurs when the contents of the current sub-folder reach 2000 MMLs. After 2000 messages are placed within a particular sub-folder, a new sub-folder is created with the same friendly date and the current Unix epoch, and messages arriving from then on are placed in the new folder.

If a sub-folder does not reach 2000 quarantined items within a 24-hour period, a new folder is created.
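The following is an added example (not Trustwave code) that parses a quarantine sub-folder name, checks that its friendly date agrees with its epoch time, and models the rollover rules above (a new sub-folder after 2000 MML files or after 24 hours). It assumes the 24-hour limit is measured from the sub-folder's own epoch time and that a fresh sub-folder starts with a zero counter; the function names and the constructed arrival pattern in demo_rollover() are this example's own.

```python
"""MailMarshal quarantine sub-folder names: <yyyy_mm_dd>_<8 hex seconds><4 hex counter>.

Added example, not Trustwave code. Rollover limits come from the article;
measuring the 24-hour window from the sub-folder's epoch time is an assumption.
"""
import re
from datetime import datetime, timedelta, timezone

MAX_MESSAGES_PER_SUBFOLDER = 2000          # from the article
SUBFOLDER_MAX_AGE = timedelta(hours=24)    # from the article (window start assumed)

SUBFOLDER_RE = re.compile(
    r"^(?P<date>\d{4}_\d{2}_\d{2})_(?P<epoch>[0-9a-fA-F]{8})(?P<inc>[0-9a-fA-F]{4})$"
)


def hex_epoch_to_utc(hex_seconds: str) -> datetime:
    """32-bit hex seconds since 1970-01-01 00:00:00 -> timezone-aware UTC datetime."""
    return datetime.fromtimestamp(int(hex_seconds, 16), tz=timezone.utc)


def parse_subfolder_name(name: str):
    """Return (friendly_date, first_quarantine_time, counter) for a sub-folder name.

    Raises ValueError if the name is malformed or the friendly date does not
    match the UTC date encoded in the epoch part (a sign of a renamed folder).
    """
    m = SUBFOLDER_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a quarantine sub-folder name: {name!r}")
    started = hex_epoch_to_utc(m["epoch"])
    friendly = m["date"]
    if started.strftime("%Y_%m_%d") != friendly:
        raise ValueError(
            f"friendly date {friendly} does not match epoch date "
            f"{started:%Y_%m_%d} in {name!r}"
        )
    return friendly, started, int(m["inc"], 16)


def subfolder_name(when: datetime, increment: int = 0) -> str:
    """Build the sub-folder name for a folder whose first message arrived at `when`."""
    return f"{when:%Y_%m_%d}_{int(when.timestamp()):08x}{increment:04x}"


def assign_subfolders(quarantine_times):
    """Given message quarantine times in arrival order, return the sub-folder
    each message lands in, applying the 2000-message and 24-hour rollover rules."""
    assignments = []
    current = None
    started = None
    count = 0
    for t in quarantine_times:
        rollover = (
            current is None
            or count >= MAX_MESSAGES_PER_SUBFOLDER
            or t - started >= SUBFOLDER_MAX_AGE
        )
        if rollover:
            current = subfolder_name(t)
            started = t
            count = 0
        assignments.append(current)
        count += 1
    return assignments


def demo_rollover():
    """Constructed arrival pattern: 2000 messages in the same second, one more a
    second later (count rollover), then one 25 hours later (age rollover)."""
    start = hex_epoch_to_utc("4449fa3d")  # the article's example sub-folder epoch
    times = [start] * MAX_MESSAGES_PER_SUBFOLDER + [
        start + timedelta(seconds=1),
        start + timedelta(hours=25),
    ]
    return assign_subfolders(times)


if __name__ == "__main__":
    print(parse_subfolder_name("2006_04_22_4449fa3d0000"))
    for folder in dict.fromkeys(demo_rollover()):
        print(folder)
```

The date-consistency check is useful when auditing a quarantine: a sub-folder whose friendly date disagrees with its epoch part was not created by MailMarshal's own naming logic and deserves a closer look.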
