Troubleshooting Exchange’s Built-In Anti-Spam Technologies: Pt. 8 Anti-Spam Stamps
Written by Casper Manes on September 24, 2012
With all the different agents in Exchange 2010 that can help determine whether a message is delivered or denied, trying to figure out which agent is responsible for flagging a message as spam can drive you just a little bonkers. You can review all the various logs, but anti-spam stamps give you a summary of all agent activity in one place, the message itself, so you can see which agent or agents decided that a specific message is spam. Once you know which agents are involved, you can quickly narrow down your troubleshooting and tweaking.
Displaying Anti-Spam Stamps in Outlook 2010
To view the anti-spam stamps, you need to examine the headers of the message in Outlook 2010. Each agent that makes a determination on a message will add to the anti-spam stamp, which appears at the bottom of the Internet headers. You can view the Internet headers by doing the following.
- Open the message.
- Click on File, Properties.
- Scroll down to the bottom of the Internet headers.
Look for the X-headers at the bottom of the list. You can see the X-MS-Exchange-Organization-PCL, the X-MS-Exchange-Organization-SCL, and the X-MS-Exchange-Organization-Antispam-Report.
Information contained in those three X-headers can be translated using the table below.
|SID||The Sender ID (SID) stamp is based on the sender policy framework (SPF) that authorizes the use of domains in e-mail. The SPF is displayed in the message envelope as Received-SPF. The Sender ID evaluation process generates a Sender ID status for the message. This status can be returned as one of the following values:
The Sender ID stamp is displayed as an X-Header in the message envelope as follows:
|DV||The DAT version (DV) stamp indicates the version of the spam definition file that was used when scanning the message.|
|SA||The signature action (SA) stamp indicates that the message was either recovered or deleted because of a signature that was found in the message.|
|SV||The signature DAT version (SV) stamp indicates the version of the signature file that was used when scanning the message.|
|PCL||The phishing confidence level (PCL) stamp displays the rating of the message based on its content and is applied when the message is processed by the Content Filter agent. This status can be returned as one of the following values:
The PCL value can range from 1 through 8. A PCL rating from 1 through 3 returns a status of Neutral. This means that the message’s content isn’t likely to be phishing. A PCL rating from 4 through 8 returns a status of Suspicious. This means that the message is likely to be phishing.
The values are used to determine what action Outlook takes on messages. Outlook uses the PCL stamp to block the content of suspicious messages.
The PCL stamp is displayed as an X-header in the message envelope as follows:
|SCL||The spam confidence level (SCL) stamp of the message displays the rating of the message based on its content. The Content Filter agent uses Microsoft SmartScreen technology to assess the contents of a message and to assign an SCL rating to each message. The SCL value is from 0 through 9, where 0 is considered less likely to be spam, and 9 is considered more likely to be spam. The actions that Exchange and Outlook take depend on your SCL threshold settings. The SCL stamp is displayed as an X-header in the message envelope as follows: X-MS-Exchange-Organization-SCL:<status>|
|CW||The custom weight (CW) stamp of a message indicates that the message contains an unapproved word or phrase and that the SCL value, or weight, of that unapproved word or phrase was applied to the final SCL score:
|PP||The presolved puzzle (PP) stamp indicates that if a sender’s message contains a valid, solved computational postmark, based on Outlook E-mail Postmark validation functionality, it’s unlikely that the sender is a malicious sender. In this case, the Content Filter agent would reduce the SCL rating. The Content Filter agent doesn’t change the SCL rating if the E-mail Postmark validation feature is enabled and either of the following conditions is true:
|TIME:TimeBasedFeatures||The TIME stamp indicates that there was a significant time delay between the time that the message was sent and the time that the message was received. The TIME stamp is used to determine the final SCL rating for the message.|
|MIME:MIMECompliance||The MIME stamp indicates that the e-mail message isn’t MIME compliant.|
|P100:PhishingBlock||The P100 stamp indicates that the message contains a URL that’s present in a phishing definition file.|
|IPOnAllowList||The IPOnAllowList stamp indicates that the sender’s IP address is on the IP Allow list.|
|MessageSecurityAntispamBypass||The MessageSecurityAntispamBypass stamp indicates that the message wasn’t filtered for content and that the sender has been granted permission to bypass the anti-spam filters.|
|SenderBypassed||The SenderBypassed stamp indicates that the Content Filter agent doesn’t process any content filtering for messages that are received from this sender.|
|AllRecipientsBypassed||The AllRecipientsBypassed stamp indicates that one of the following conditions was met for all recipients listed in the message:
You can view the original table at http://technet.microsoft.com/en-us/library/aa996878.aspx.
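As an added example (not from the original article or from Microsoft), the Python below reads the three X-headers from pasted Internet headers, applies the PCL ranges from the table, and lists any bypass stamps, which tell you the message was never content-filtered. It assumes the Antispam-Report value is a semicolon-separated list of stamps; the sample headers, including the DV version, are constructed.

```python
import email
from email import policy

PREFIX = "X-MS-Exchange-Organization-"
# Stamps from the table above that mean content filtering was skipped.
BYPASS = {"IPOnAllowList", "MessageSecurityAntispamBypass",
          "SenderBypassed", "AllRecipientsBypassed"}

# Constructed sample: headers as copied from File, Properties in Outlook.
SAMPLE = """\
Subject: Account notice
X-MS-Exchange-Organization-PCL: 7
X-MS-Exchange-Organization-SCL: 6
X-MS-Exchange-Organization-Antispam-Report: DV:0.0.0000.000;
 TIME:TimeBasedFeatures;MIME:MIMECompliance;P100:PhishingBlock

"""

def pcl_status(pcl):
    """Map a PCL rating to the status given in the table (1-3 / 4-8)."""
    if pcl is None:
        return None
    if 1 <= pcl <= 3:
        return "Neutral"
    return "Suspicious" if 4 <= pcl <= 8 else "Unknown"

def _int_header(msg, name):
    """Return a numeric X-header as int, or None if absent or malformed."""
    value = msg.get(PREFIX + name)
    if value is None:
        return None
    try:
        return int(str(value).strip())
    except ValueError:
        return None

def read_stamps(raw_headers):
    """Summarize the three anti-spam X-headers from raw Internet headers."""
    # policy.default unfolds headers that wrap across several lines.
    msg = email.message_from_string(raw_headers, policy=policy.default)
    stamps = {}
    for token in str(msg.get(PREFIX + "Antispam-Report", "")).split(";"):
        token = token.strip()
        if token:  # "KEY:value" or a bare stamp such as IPOnAllowList
            key, _, value = token.partition(":")
            stamps[key.strip()] = value.strip()
    pcl = _int_header(msg, "PCL")
    return {"scl": _int_header(msg, "SCL"), "pcl": pcl,
            "pcl_status": pcl_status(pcl), "stamps": stamps,
            "bypassed": sorted(k for k in stamps if k in BYPASS)}

if __name__ == "__main__":
    print(read_stamps(SAMPLE))
```

A non-empty `bypassed` list is the first thing to check when unwanted mail reaches the inbox, because it points at an allow list or bypass permission rather than at the Content Filter agent's scoring.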