Export (0) Print
Expand All

Anti-Spam Stamps

 

Applies to: Exchange Server 2007 SP3, Exchange Server 2007 SP2, Exchange Server 2007 SP1, Exchange Server 2007

Topic Last Modified: 2007-07-06

In Microsoft Exchange Server 2007, anti-spam stamps help you diagnose spam-related problems by applying diagnostic metadata, or "stamps," such as sender-specific information, puzzle validation results, and content filtering results, to messages as they pass through the anti-spam features that filter inbound messages from the Internet.

This topic explains how to view anti-spam stamps and describes the different anti-spam stamps: the anti-spam report, the phishing confidence level stamp, the spam confidence level (SCL) stamp, and the Sender ID stamp.

You can use anti-spam stamps as diagnostic tools to determine what actions to take on false-positives and on suspected spam messages that individuals receive in their mailboxes.

You can view anti-spam stamps by using Microsoft Office Outlook 2007. For more information about how to view anti-spam stamps, see How to View Anti-Spam Stamps in Outlook 2007.

The anti-spam report is a summary report of the anti-spam filter results that have been applied to an e-mail message. The Content Filter agent applies this stamp to the message envelope in the form of an X-header as follows:

X-MS-Exchange-Organization-Antispam-Report: DV:<DATVersion>;CW:CustomList;PCL:PhishingVerdict <verdict>;P100:PhishingBlock;PP:Presolve;SID:SenderIDStatus <status>;TIME:<SendReceiveDelta>;MIME:MimeCompliance 

Table 1 describes the filter information that can appear in an anti-spam report.

noteNote:
The anti-spam report only displays information from the filters that were applied to the specific message. An anti-spam report doesn't usually contain all the information listed in Table 1. For example, you may receive the following anti-spam report: DV:3.1.3924.1409;SID:SenderIDStatus Fail;PCL:PhishingLevel SUSPICIOUS;CW:CustomList;PP:Presolved;TIME:TimeBasedFeatures.

Table 1   Filter information in an anti-spam report

Stamp Description

SID

The Sender ID (SID) stamp is based on the sender policy framework (SPF) that authorizes the use of domains in e-mail. The SPF is displayed in the message envelope as Received-SPF. The Sender ID evaluation process generates a Sender ID status for the message. This status can be returned as one of the following values:

  • Pass   The IP Address and Purported Responsible Domain pair passed the Sender ID verification check.
  • Neutral   The Sender ID verification check was inconclusive.
  • Softfail   The IP Address may not be in the SPF. Softfail is considered less trusted than Neutral.
  • Fail   The IP address is not listed in the SPF.
  • None   No published SPF data exists in the sender's Domain Name System (DNS).
  • TempError   A temporary DNS failure occurred, such as an unavailable DNS server.
  • PermError   The DNS record is invalid, such as an error in the record format.

For more information about Sender ID, see Sender ID.

DV

The DAT version (DV) stamp indicates the version of the spam definition file that was used when scanning the message.

SA

The signature action (SA) stamp indicates that the message was either recovered or deleted because of a signature that was found in the message.

SV

The signature DAT version (SV) stamp indicates the version of the signature file that was used when scanning the message.

PCL

The phishing confidence level (PCL) of the message displays the following values, which are based on the PCL Stamp described later in this topic:

  • Neutral   The message's content is not likely to be phishing.
  • Suspicious   The message's content is likely to be phishing.

Outlook uses the PCL stamp to block the content of suspicious messages.

SCL

The spam confidence level (SCL) of the message displays the rating of the message based on its content. The SCL value is between 0 and 9, where 0 is considered less likely to be spam, and 9 is considered more likely to be spam. The actions that Exchange Server and Outlook take depend on your SCL threshold settings. For more information about SCL thresholds and actions, see Adjusting the Spam Confidence Level Threshold.

CW

The custom weight (CW) of a message indicates that the message contains an unapproved word or phrase and that the SCL value, or "weight," of that unapproved word or phrase was applied to the final SCL score:

  • Unapproved phrases, or Block phrases, have maximum weight and change the SCL score to 9.
  • Approved words or phrases, or Allow phrases, have minimum weight and change the SCL to 0.

For more information about how to add approved and unapproved words or phrases to the content filtering agent, see How to Configure Allow or Block Phrases for Content Filtering.

PP

The presolved puzzle (PP) stamp indicates that if a sender's message contains a valid, solved computational postmark, based on Outlook E-mail Postmark validation functionality, it is unlikely that the sender is a malicious sender. In this case, the Content Filter agent would reduce the SCL rating.

The Content Filter agent does not change the SCL rating if the E-mail Postmark validation feature is enabled and either of the following conditions is true:

  • An inbound message does not contain a computational postmark header.
  • The computational postmark header is not valid.

For more information about the postmark validation feature, see How to Enable or Disable Outlook E-Mail Postmark Validation.

TIME: TimeBasedFeatures

The TIME stamp indicates that there was a significant time delay between the time that the message was sent and the time that the message was received. The TIME stamp is used to determine the final SCL rating for the message.

MIME:MIMECompliance

The MIME stamp indicates that the e-mail message is not MIME-compliant.

P100:PhishingBlock

The P100 stamp indicates that the message contains a URL that is present in a phishing definition file.

IPOnAllowList

The IPOnAllowList stamp indicates that the sender's IP address is on the IP Allow list. For more information about the IP Allow list, see Connection Filtering.

MessageSecurityAntispamBypass

The MessageSecurityAntispamBypass stamp indicates that the message was not filtered for content and that the sender has been granted permission to bypass the anti-spam filters.

SenderBypassed

The SenderBypassed stamp indicates that the Content Filter agent does not process any content filtering for messages that are received from this sender. For more information, see How to Specify Recipient and Sender Exceptions for Content Filtering.

AllRecipientsBypassed

The AllRecipientsBypassed stamp indicates that one of the following conditions was met for all recipients listed in the message:

  • The AntispamBypassedEnabled parameter on the recipient's mailbox is set to $True. This is a per-recipient setting that can only be set by an administrator. For more information about this setting, see Set-Mailbox.
  • The message sender is in the recipient's Outlook Safe Senders List. For more information about the Safe Senders List, see How to Configure Safelist Aggregation.
  • The Content Filter agent does not process any content filtering for messages that are sent to this recipient. For more information about recipient exceptions, see How to Specify Recipient and Sender Exceptions for Content Filtering.

The phishing confidence level (PCL) stamp is a property that Microsoft Exchange applies to each e-mail message when the message is processed by the Content Filter agent. The PCL stamp is displayed as an X-header in the message envelope as follows:

X-MS-Exchange-Organization-PCL:<status> 

The PCL stamp displays the rating of the message based on its content. The PCL value is between 1 and 8. The values are used to determine what action Outlook takes on messages. Outlook uses the PCL stamp to block the content of suspicious messages. A PCL rating of 1 to 3 returns a status of Neutral in the anti-spam report. This means that the message's content is not likely to be phishing. A PCL rating of 4 to 8 returns a status of Suspicious in the anti-spam report. This means that the message is likely to be phishing.

The spam confidence level (SCL) stamp displays the rating of the message based on its content. The SCL stamp is displayed as an X-header in the message envelope as follows:

X-MS-Exchange-Organization-SCL:<status>

The Content Filter agent uses Microsoft SmartScreen technology to assess the contents of a message and to assign an SCL rating to each message. The SCL value is between 0 and 9, where 0 is considered less likely to be spam, and 9 is considered more likely to be spam. The actions that Exchange Server and Outlook take depend on your SCL threshold settings. For more information about the SCL thresholds and actions, see Adjusting the Spam Confidence Level Threshold.

The Sender ID stamp is based on the SPF that authorizes the use of domains in e-mail. The SPF is displayed in the message envelope as Received-SPF. The Sender ID stamp is displayed as an X-Header in the message envelope as follows:

X-MS-Exchange-Organization-SenderIdResult:<status>

The Sender ID evaluation process generates a Sender ID status for the message. This status can be set to one of the following values:

  • Pass   The IP Address and Purported Responsible Domain pair passed the Sender ID verification check.
  • Neutral   The Sender ID verification check was inconclusive.
  • Soft fail   The IP Address may not be in the SPF. Softfail is considered less trusted than Neutral.
  • Fail   The IP address is not listed in the SPF.
  • None   No published SPF data exists in the sender's DNS.
  • TempError   A temporary DNS failure occurred, such as an unavailable DNS server.
  • PermError   The DNS record is invalid, such as an error in the record format.

For more information about how to configure Sender ID, see Configuring Sender ID.

For more information about content filtering, see the following topics:

For more information about Sender ID, see the following topics:

To ensure that you are reading the most up-to-date information and to find additional Exchange Server 2007 documentation, visit the Exchange Server TechCenter.
Was this page helpful?
(1500 characters remaining)
Thank you for your feedback

Community Additions

ADD
Show:
© 2014 Microsoft