TechNet
Export (0) Print
Expand All

Antispam stamps

 

Applies to: Exchange Server 2016

Topic Last Modified: 2016-05-09

Learn how to use the antispam stamps that are applied to messages in Exchange 2016 to investigate suspected spam messages.

Antispam stamps in Exchange Server 2016 apply diagnostic metadata, or stamps, such as sender-specific information, puzzle validation results, and content filtering results, to messages as they pass through the antispam features that filter inbound messages from the Internet. You can use antispam stamps to see the results of antispam filtering on a message, and to diagnose spam-related problems. The antispam features and stamps are basically unchanged from Exchange Server 2010. There are four major Exchange anti-spam stamps:

  • The phishing confidence level (PCL) stamp

  • The Sender ID stamp

  • The spam confidence level (SCL) stamp

  • The antispam report stamp

The antispam stamps are added to messages as X-header fields in the message header. You can view antispam stamps on a message by using Microsoft Outlook. For more information, see View antispam stamps in Outlook.

The PCL stamp indicates the likelihood that a message is a phishing message based on its content. The PCL stamp is applied when the message is processed by the Content Filter agent. For more information about content filtering, see Content filtering.

The PCL values are described in the following table.

 

PCL value Verdict Description

1 through 3

Neutral

The message content isn't likely to be phishing.

4 through 8

Suspicious

The message content is likely to be phishing.

The PCL value appears in the X-MS-Exchange-Organization-PCL: X-header, and the PCL verdict appears in the antispam report stamp as PCL:PhishingLevel <Verdict>. Outlook uses the PCL stamp to block the content of suspicious messages.

The Sender ID stamp is based on the sender policy framework (SPF) that authorizes the use of domains in email. The Sender ID agent determines the Sender ID status for the message. These status values are described in the following table.

 

Status Description

Pass

Both the IP address and Purported Responsible Address (PRA) passed the Sender ID verification check.

Neutral

Published Sender ID data is explicitly inconclusive.

SoftFail

The IP address for the PRA may be in the not permitted set.

Fail

The IP Address is not permitted. No PRA is found in the incoming mail or the sending domain does not exist.

None

No published SPF data exists in the sender's DNS.

TempError

A temporary DNS failure occurred, such as an unavailable DNS server.

PermError

The DNS record is invalid, such as an error in the record format.

The Sender ID stamp is displayed in the X-MS-Exchange-Organization-SenderIdResult: X-header, and also in the antispam report stamp as SenderIDStatus <Status>. The SPF result is displayed in the Received-SPF header.

For more information, see the following topics:

Return to top

The SCL stamp displays the rating of the message based on its content. The Content Filter agent uses Microsoft SmartScreen technology to assess the contents of a message, and to assign an SCL rating to each message. The SCL values are described in the following table.

 

SCL value Description

0 through 9

0 indicates an extremely low probability that the message is spam.

9 indicates an extremely high probability that the message is spam.

-1

The message bypassed antispam scanning (for example, the message was from an internal sender).

The SCL value appears in the X-MS-Exchange-Organization-SCL: X-header.

The actions that Exchange and Outlook take based on the SCL value depend on your SCL threshold settings. For more information, see Exchange spam confidence level (SCL) thresholds.

Return to top

The antispam report stamp is a summary of the antispam filter results that have been applied to the message. The Content Filter agent applies this stamp to the message in the X-MS-Exchange-Organization-Antispam-Report: X-header. The anti spam report uses the following syntax:

X-MS-Exchange-Organization-Antispam-Report: DV:<DATVersion>;CW:CustomList;PCL:PhishingVerdict <verdict>;P100:PhishingBlock;PP:Presolve;SID:SenderIDStatus <status>;TIME:<SendReceiveDelta>;MIME:MimeCompliance;OrigIP:<SourceIPAddress>

The antispam filter information that can appear in the antispam report stamp is described in the following table. Note that the antispam report stamp only contains results and conclusions from antispam filters that were applied to the message. so the antispam report stamp usually doesn't contain all of the possible stamps and values.

 

Stamp Description

DV

The DAT version (DV) stamp indicates the version of the spam definition file that was used when scanning the message.

SA

The signature action (SA) stamp indicates that the message was either recovered or deleted because of a signature that was found in the message.

SV

The signature DAT version (SV) stamp indicates the version of the signature file that was used when scanning the message.

CW

The custom weight (CW) stamp indicates that the message contains an unapproved word or phrase and that the SCL value, or weight, of that unapproved word or phrase was applied to the final SCL score:

  • Unapproved phrases, or Block phrases, have maximum weight and change the SCL score to 9.

  • Approved words or phrases, or Allow phrases, have minimum weight and change the SCL score to 0.

For more information about how to add approved and unapproved words or phrases to the Content Filtering agent, see Content filtering procedures.

PP

The presolved puzzle (PP) stamp indicates that if a sender's message contains a valid, solved computational postmark (based on Outlook E-mail Postmark validation functionality), it's unlikely that the sender is a malicious sender. In this case, the Content Filter agent would reduce the SCL rating.

The Content Filter agent doesn't change the SCL rating if the E-mail Postmark validation feature is enabled and either of the following conditions is true:

  • An inbound message doesn't contain a computational postmark header.

  • The computational postmark header isn't valid.

For more information about the postmark validation feature, see Content filtering.

TIME:TimeBasedFeatures

Indicates that there was a significant time delay between the time that the message was sent and the time that the message was received. The TIME stamp is used to determine the final SCL rating for the message.

OrigIP

Indicates the IP address of the source messaging server.

MIME:MIMECompliance

Indicates that the email message isn't MIME compliant.

P100:PhishingBlock

Indicates that the message contains a URL that's present in a phishing definition file.

IPOnAllowList

Indicates that the sender's IP address is on the IP Allow list. For more information about the IP Allow list, see IP Allow list.

MessageSecurityAntispamBypass

Indicates that the message wasn't filtered for content and that the sender has been granted permission to bypass the antispam filters.

SenderBypassed

Indicates that the Content Filter agent doesn't process any content filtering for messages that are received from this sender. For more information, see Content filtering procedures.

AllRecipientsBypassed

Indicates that one of the following conditions was met for all recipients listed in the message:

Return to top

 
Show:
© 2016 Microsoft