Email analysis: X-Lastline header
Article ID: 333859

Products

VMware vDefend Network Detection and Response

Issue/Introduction

When an NSX Lastline Sensor is configured in full MTA mode, it adds a custom header carrying the outcome of the NSX Lastline analysis to every email it relays.

The header is called X-Lastline and can contain the following keywords:

Keyword / Description

analysis-skipped
    Analysis was skipped because of a whitelist match. The reason is one of:
    * sender-whitelist
    * recipient-whitelist
    * subject-whitelist
    * attachment-filename-whitelist
    * attachment-md5-whitelist
    * url-whitelist

analysis-incomplete=X
    The analysis was not completed. The value X tells you the reason for the failure:
    * backend-unreachable: the sensor could not connect to the backend
    * attachment-too-large: at least one attachment exceeded the maximum configured file size and was skipped
    * attachment-upload-error: an unexpected error occurred while uploading the attachment
    * url-upload-error: an unexpected error occurred while uploading the URL
    * queue-full: the sensor failed open because the analysis queue is full

analysis-disabled
    Analysis was disabled, usually in fail-open scenarios (analysis queue full).

analysis-timed-out
    The maximum time allowed for analysing the artifacts was reached and the sensor failed open.

benign
    No suspicious or malicious URL or attachment was found.

max-malicious-attachment-score=X
    Malicious or suspicious attachments were found, with a maximum score of X.

max-malicious-url-score=X
    Malicious or suspicious URLs were found, with a maximum score of X.

attachment-blocked
    At least one attachment was removed from the email.

suspicious-url
    Suspicious or malicious URLs were found.

url-blocked
    At least one URL was removed from the email.

message-suspicious
    Used when Lastline found reasons to consider the message suspicious that go beyond the analysis of artifacts or URLs. This includes the analysis of the headers, the text parts of the message, and other factors that may affect the reputation of the message as a whole. (*)

(*) These are static heuristic checks that influence the score of the message in the UI. Currently, it is not possible to define thresholds for these checks. In inline sensor deployments, a message matching exclusively on the static heuristics will not be blocked.

Examples:

X-Lastline: benign
X-Lastline: max-malicious-attachment-score=10
X-Lastline: max-malicious-attachment-score=90 attachment-blocked
X-Lastline: suspicious-url
X-Lastline: suspicious-url url-blocked
X-Lastline: max-malicious-attachment-score=90 attachment-blocked suspicious-url url-blocked
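The following parser and triage routine is an added example for this article, not VMware or Lastline code. It tokenises an X-Lastline value into flags, scores and reason codes using the keywords from the table above, maps the result to a coarse verdict that a downstream mail filter or SIEM rule can act on, and reads the header out of a raw RFC 822 message. The score cut-off of 70 is an assumed local policy value (the article gives none), and because the article does not spell out whether the whitelist reason appears as "analysis-skipped=<reason>" or as a separate "<x>-whitelist" token, the parser accepts both; that is an assumption too. Unknown or malformed tokens are kept rather than discarded, so an unexpected header is reported as "not-analysed" instead of silently passing as benign.

```python
"""Parse and triage the X-Lastline header (added example, not vendor code)."""
from email import message_from_string
from email.message import Message
from typing import Optional

HEADER_NAME = "X-Lastline"

# Stand-alone keywords listed in the article's table.
FLAG_KEYWORDS = {
    "analysis-skipped", "analysis-disabled", "analysis-timed-out", "benign",
    "attachment-blocked", "suspicious-url", "url-blocked", "message-suspicious",
}
# Keywords that carry a numeric "=X" value.
SCORE_KEYWORDS = {"max-malicious-attachment-score", "max-malicious-url-score"}
# Whitelist reasons; the article does not fix their exact syntax (assumption below).
WHITELIST_REASONS = {
    "sender-whitelist", "recipient-whitelist", "subject-whitelist",
    "attachment-filename-whitelist", "attachment-md5-whitelist", "url-whitelist",
}


def parse_x_lastline(value: str) -> dict:
    """Split a header value into flags, scores and reason codes."""
    parsed = {"flags": set(), "scores": {}, "incomplete_reason": None,
              "skip_reason": None, "unknown": []}
    for token in value.split():
        key, _, val = token.partition("=")
        if key in SCORE_KEYWORDS:
            if val.isdigit():
                parsed["scores"][key] = int(val)
            else:
                parsed["unknown"].append(token)  # score without a number
        elif key == "analysis-incomplete":
            parsed["incomplete_reason"] = val or "unspecified"
        elif key == "analysis-skipped":
            parsed["flags"].add(key)
            if val:  # assumed "analysis-skipped=<reason>" form
                parsed["skip_reason"] = val
        elif key in WHITELIST_REASONS:  # assumed stand-alone reason token
            parsed["flags"].add("analysis-skipped")
            parsed["skip_reason"] = key
        elif key in FLAG_KEYWORDS and not val:
            parsed["flags"].add(key)
        else:
            parsed["unknown"].append(token)
    return parsed


def triage(parsed: dict, score_threshold: int = 70) -> str:
    """Map a parsed header to one of: blocked, malicious, suspicious,
    benign, not-analysed. The threshold is an assumed local policy value."""
    flags = parsed["flags"]
    if parsed["unknown"] and not flags and not parsed["scores"]:
        return "not-analysed"  # header present but not understood: do not trust it
    if flags & {"attachment-blocked", "url-blocked"}:
        return "blocked"
    top = max(parsed["scores"].values(), default=0)
    if top >= score_threshold:
        return "malicious"
    if top > 0 or flags & {"suspicious-url", "message-suspicious"}:
        return "suspicious"
    if "benign" in flags:
        return "benign"
    # analysis-skipped / -disabled / -timed-out / -incomplete: fail-open cases
    return "not-analysed"


def triage_message(raw_message: str, score_threshold: int = 70) -> str:
    """Extract X-Lastline from RFC 822 text and triage it. A message with no
    header at all was never seen by the sensor and is reported as such."""
    msg: Message = message_from_string(raw_message)
    value: Optional[str] = msg.get(HEADER_NAME)
    if value is None:
        return "no-header"
    return triage(parse_x_lastline(value), score_threshold)


# Constructed sample message (not a real capture); addresses use .invalid.
SAMPLE_MESSAGE = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: quarterly report
X-Lastline: max-malicious-attachment-score=90 attachment-blocked suspicious-url url-blocked

body
"""

if __name__ == "__main__":
    for header in ["benign",
                   "max-malicious-attachment-score=10",
                   "analysis-incomplete=queue-full",
                   "max-malicious-attachment-score=90 attachment-blocked suspicious-url url-blocked"]:
        print(f"{header!r} -> {triage(parse_x_lastline(header))}")
    print("sample message ->", triage_message(SAMPLE_MESSAGE))
```

Note that "max-malicious-attachment-score=10" is treated as suspicious even though nothing was blocked: the sensor only strips content above its configured threshold, so a low score with no "attachment-blocked" flag means the attachment was delivered and is worth a second look.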

This feature is supported starting from sensor version 709.