Where is the official manual to read forefront error log? RRS feed

  • Question

  • I got log about SCL 9 on Forefront Protection 2010 for Exchange Server, saying
    "rejected due to content restrictions,SclAtOrAboveRejectedThreshold,9".

    It seems that the email was classified as spam and the number 9 might mean its SCL.
    But, I need to prove this and would like have the official manual to see log and the field correctly.

    I'd appreciate it if anyone can share the knowledge of these with me!



    Friday, August 30, 2013 8:33 AM


All replies

  • Hi

    I think you would like to know more about SCL .Please check the links below , you can get more information on how to configure SCL and how it works on each SCL  level .

     Configuring content filtering


     Spam confidence level


     Spam confidence level threshold


    Best Regards

    Quan Gu


    Tuesday, September 3, 2013 5:49 AM
  • I believe krg-taro is asking about how to see FSE log data / records

    Possibly how to interpret it as well


    to see the log use “Get-FseSpamAgentLog” in FSE PowerShell console

    you might like using some parameters lie “–after” or “-before” or both

    possibly with some filter after and saving result in a variable for further analysis

    something like this

    $mm = Get-FseSpamAgentLog –after 9/10/2013 –before 10/10/2013 | where { $_.P1FromAddress -like "*@contoso.com" }

    Then you will get records containing following fields (fragment)

    Agent            : FSE Content Filter Agent

    Event            : OnEndOfData

    Action           : RejectMessage

    SmtpResponse     : 550 5.7.1 Message rejected due to content restrictions

    Reason           : SclAtOrAboveRejectThreshold

    ReasonData       : 9

    Diagnostics      : v=2.1 cv=N7gQSQNB c=0 sm=1 tr=0 p=svrnb3KtAAAA:8 a=M8n21Iu83pa51FM8VonJ9g==:...

    Except “Diagnostics” these fields are quite understandable

    Next question would be “how to interpret ‘Diagnostics’ field?”

    Unfortunately I have no answer now

    Moderator might

    Friday, November 1, 2013 5:33 PM