Detailed explanation of some of the fields contained within an Exchange delivery report that may be indicative of an email being tagged as SPAM.

  • Question

  • Hello,

    My name is Isaac and I'm trying to figure out the meaning of some of the fields contained within the delivery reports generated by Exchange. Can I please get a brief explanation of the meaning of the fields contained in the following copy-pasted delivery report, which has been partially stripped to leave only those lines that are interesting (every time you see a line starting with "…" it means that the line or lines at that point have been deleted):

    (...)
    X-MS-Exchange-Organization-MxPointsToUs: true
    X-MS-Exchange-Organization-CompAuthRes: pass
    X-MS-Exchange-Organization-CompAuthReason: 100
    X-MS-Exchange-Organization-SenderRep-Score: 5
    X-MS-Exchange-Organization-SenderRep-Data:
     IpClassLargeGrayOther_GrayOther_unknown
    X-MS-Exchange-Organization-VBR-Class: GrayOther
    (...)
    X-MS-Exchange-Organization-Auth-ExtendedDmarcStatus: Pass
    (...)
    X-MS-Exchange-Organization-HMATPModel-Spf: 1
    X-MS-Exchange-Organization-HMATPModel-FeatureReputationValues-Spam:
     134;-1;112;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;80;-1
    X-MS-Exchange-Organization-HMATPModel-FeatureReputationValues-Phish:
     17;-1;0;-1;-1;-1;-1;-1;-1;-1;-1;-1;-1;0;-1
    (...)
    X-MS-Exchange-Organization-ASND: true
    (...)
    X-MS-Exchange-Organization-Scanned-By-IP-Filter: true
    (...)
    X-MS-Exchange-Organization-AuthAs: Anonymous
    X-MS-Exchange-Organization-FromEntityHeader: Internet
    (...)
    X-MS-Exchange-Organization-TransportTrafficType: Email
    X-MS-Exchange-Organization-TransportTrafficSubType:
    X-MS-PublicTrafficType: Email
    X-MS-Exchange-Organization-Antispam-ProtocolFilterHub-ScanContext:
    	ProtocolFilterHub:SmtpOnEndOfData;
    (...)
    X-MS-Exchange-Organization-Auth-DmarcStatus: Pass
    (...)
    X-MS-Exchange-Organization-HygienePolicy: Premium
    (...)
    X-MS-Exchange-Organization-IsPotentialIntraOrgMail: False
    X-MS-Exchange-Organization-Antispam-PreContentFilter-PolicyLoadTime:
    	MAOSUB:0;MAOSUBLOAD:0;SAORES:0;SAORESLOAD:0;SLORES:0;SLORESLOAD:0;
    X-MS-Exchange-Organization-AttachmentDetailsHeaderStamp-Success: 1.0
    (...)
    X-MS-Exchange-Organization-Persisted-Urls-ChunkCount: 1
    (...)
    X-MS-Exchange-Organization-Antispam-PreContentFilter-ScanContext:
    	CategorizerOnSubmitted;CategorizerOnResolved;
    X-MS-Exchange-Organization-AVScannedByV2: Symantec;Command;Microsoft
    X-MS-Exchange-Organization-AVScanComplete: true
    X-MS-Exchange-Organization-UrlSelected: 1
    X-MS-Exchange-Organization-UrlLogged: 1
    X-MS-Exchange-Organization-Recipient-Limit-Verified: True
    X-MS-Exchange-Organization-TotalRecipientCount: 1
    X-MS-Exchange-Organization-ASDirectionalityType: 1
    X-MS-Exchange-Organization-HMATPModel-DkimAuthStatus: 1
    X-MS-Exchange-Organization-HMATPModel-DmarcAuthStatus: 1
    X-MS-Exchange-Organization-Antispam-ContentFilter-ScanContext:
    	CategorizerOnResolved;
    X-MS-Exchange-Organization-CFA-UserOption: 0
    X-MS-Exchange-Organization-CommunicationStateSummary: FC
    X-MS-Exchange-Organization-FirstContactSummary:
    	ST=3;MRG=0;EXT=0;UN=1;ORCT=1;EV=1;FC=1;NESI=0;NES=0;ESTI=0;EST=0;INS=0;ERR=0
    (...)
    X-MS-Exchange-Organization-CompAuth-Eop: compauth=pass reason=100
    X-MS-Exchange-Organization-ContainsAttachments: true
    (...)
    X-MS-Exchange-Organization-ExtractionAttachmentNames:
    	0;1;2;3;4;5;6;7;8;9;10;11;12;13
    X-MS-Exchange-Organization-ExtractionTags: SUB64;1IMG;2IMG;LINK;
    X-MS-Exchange-Organization-ExtractionTagsURLFound: URL
    (...)
    X-MS-Oob-TLC-OOBClassifiers: OLM:751;
    X-MS-Exchange-Organization-SpamScore: 30
    X-MS-Exchange-Organization-Antispam-AnalystRuleHits: (10001)
    X-MS-Exchange-Organization-SCL: 5
    X-MS-Exchange-Organization-Antispam-ScanContext: DIR:Incoming;SFV:SPM;SKIP:0;
    X-MS-Exchange-Organization-Antispam-PostContentFilter-ScanContext:
    	CategorizerOnResolved;CategorizerOnRouted;CategorizerOnCategorized;
    X-MS-Exchange-Organization-Transport-Properties: DeliveryPriority=Low
    X-MS-Exchange-Organization-Prioritization: 2:AS-Message-Spam
    X-MS-Exchange-Organization-IncludeInSla: False:AS-Message-Spam
    X-This-Is-Spam: This message appears to be spam.
    X-Microsoft-Antispam: BCL:0;
    (...)

    Note that the reason I'm asking this is because I'm trying to determine if the email was tagged as SPAM (it seems so) and if so, why it has been tagged as SPAM.

    Many thanks and best regards

    Isaac

    Tuesday, November 19, 2019 6:52 PM

All replies

  • Hi Isaac,

    From the information you provided, the SCL of this message is 5. The Content Filter agent assigns a spam confidence level (SCL) to each message by giving it a rating between 0 and 9. A higher number indicates that a message is more likely to be spam. 

    This message may include some words or phrases that are set to be blocked for content filtering, which results in an SCL of 5. You can check these articles to learn more about the Content Filter agent: Content filtering; Content filtering procedures

    Regards,

    Lydia Zhou


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    Wednesday, November 20, 2019 4:53 AM
    Moderator
  • Hi Lydia,

    Many thanks for your response, it is very much appreciated.

    Before posting in TechNet I did a bit of digging into the matter and I found a pair of helpful Microsoft documents:

    How to prevent real email from being marked as spam in Office 365

    Antispam stamps

    Those documents covered the SCL (which, as you said, is 5 for this particular email) and also the SFV:SPM (which indicates that the message was marked as SPAM because of the Exchange Online Protection spam filters).

    In my non-expert opinion, I believe it is strange that the email has been tagged as SCL 5 because it is entirely written in the Catalan language (very little SPAM is ever made in this language) and the email is coming from a completely new domain (not even listed in search engines) that has never been used before (the logs presented in my previous post come from the very first, non-testing, outgoing email).

    I'm trying to find out a bit more information on the reasons that pushed the EOP filters to mark the email as SPAM, as I don't want this situation to happen again. This is why I would like to know if there is any other log field that may provide some insight into the reasons for marking the email as SPAM, so that I can take corrective actions.

    Any further input on how to proceed would be appreciated.

    Regards

    Isaac

    Wednesday, November 20, 2019 10:45 AM
  • Do you use on-premises Exchange server or Exchange online?

    Yes, Anti-spam message headers also mention that "SFV:SPM" means the message was marked as spam by the content filter. So the language used by the message has more relation with this issue. If available, you can send a regular message from this domain, and check if the message will be blocked.

    Regards,

    Lydia Zhou


    Friday, November 22, 2019 10:10 AM
    Moderator
  • Hi Lydia,

    I'm afraid I don't have access to either Exchange server or Exchange online.

    Sorry, but I'm not really sure I fully understand your feedback. What did you mean by "(…) you can send a regular message from this domain, and check if the message will be blocked."? The email we have been talking about so far, the one being categorized as SPAM, is, for all intents and purposes, what I would consider a "regular" email; there was nothing special to it, or at least not that I'm aware of. When you say "you can send", do you mean that I should send the email to an Exchange server that I'm the admin of? If that is the case I'm afraid I won't be able to do so.

    Please bear in mind that the partial / cut log that I provided in a previous post comes from an attachment in a "delivery receipt" email sent by the Exchange server that tagged the email as SPAM.

    Regards

    Isaac

    Monday, November 25, 2019 5:21 PM
  • You'll never know why a message was marked as SPAM, that's all proprietary.

    What you can do is ensure you have correctly set up SPF/DKIM and DMARC and that your sending server is not on a block list. Other than that, your only option is to ask the recipient to add your SMTP address to their safe sender list.

    Monday, November 25, 2019 7:01 PM
    Moderator
  • Hello Andy,

    Many thanks for your input. To the best of my knowledge the SPF, the DKIM and the DMARC DNS TXT registries are all correctly set up and I don't see why the domain would be included in any black list, as the email we are talking about was the very first outgoing email, so I guess my only option will be to tell the customers using Microsoft Exchange servers to manually add the recipient to their white list.

    Regards

    Isaac

    Monday, November 25, 2019 10:03 PM
  • Hi Isaac,

    Since you mentioned "I believe it is strange that the email has been tagged as SCL 5 because it is entirely written in the Catalan language", if available, we can try to get a message with Exchange from that domain. Then check if this message will be blocked as well.

    If all messages from that domain are blocked, adding the sender's domain to the allow list should be a workaround. For your reference: Create safe sender lists in Office 365

    Regards,

    Lydia Zhou


    Wednesday, November 27, 2019 9:41 AM
    Moderator
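
The fields this thread singles out (SCL, the SFV value inside Antispam-ScanContext, the composite authentication result, the DMARC status and BCL) can be pulled out of a pasted report with a short parser. This is an added example, not part of the original thread: the sample is a subset of the headers from the question, and the function names and the returned keys are assumptions of the example.

```python
from email.parser import HeaderParser

# Subset of the headers posted in the question, including a folded line
# and the "(...)" markers the poster used for deleted lines.
REPORT = """\
X-MS-Exchange-Organization-CompAuth-Eop: compauth=pass reason=100
(...)
X-MS-Exchange-Organization-Auth-DmarcStatus: Pass
X-MS-Exchange-Organization-SenderRep-Data:
 IpClassLargeGrayOther_GrayOther_unknown
(...)
X-MS-Exchange-Organization-SCL: 5
X-MS-Exchange-Organization-Antispam-ScanContext: DIR:Incoming;SFV:SPM;SKIP:0;
X-Microsoft-Antispam: BCL:0;
"""

PREFIX = "X-MS-Exchange-Organization-"

def kv_pairs(value, sep=":"):
    """Split a 'DIR:Incoming;SFV:SPM;' style value into a dict."""
    out = {}
    for item in value.split(";"):
        key, found, val = item.strip().partition(sep)
        if found:
            out[key] = val
    return out

def summarize(raw):
    """Return the spam-verdict fields discussed in the thread (keys are this example's own)."""
    # A non-header line such as "(...)" would end header parsing early, so drop it.
    lines = [l for l in raw.splitlines() if l.strip() != "(...)"]
    msg = HeaderParser().parsestr("\n".join(lines) + "\n")

    def get(name):
        # Unfold continuation lines and collapse whitespace.
        return " ".join((msg.get(name) or "").split())

    scan = kv_pairs(get(PREFIX + "Antispam-ScanContext"))
    comp = dict(p.split("=", 1) for p in get(PREFIX + "CompAuth-Eop").split() if "=" in p)
    scl = get(PREFIX + "SCL")
    return {
        "scl": int(scl) if scl.isdigit() else None,
        "sfv": scan.get("SFV"),
        "direction": scan.get("DIR"),
        "marked_spam_by_filter": scan.get("SFV") == "SPM",  # SFV:SPM, as the thread explains
        "compauth": comp.get("compauth"),
        "compauth_reason": comp.get("reason"),
        "dmarc": get(PREFIX + "Auth-DmarcStatus") or None,
        "sender_rep_data": get(PREFIX + "SenderRep-Data") or None,
        "bcl": kv_pairs(get("X-Microsoft-Antispam")).get("BCL"),
    }
```

On the posted report this shows a message that passed composite authentication and DMARC yet still carries SCL 5 with SFV:SPM, which is the combination the thread is trying to explain.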