ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Understanding email headers in Email Security.cloud

book

Article ID: 161415

calendar_today

Updated On:

Products

Email Security.cloud

Issue/Introduction

Learn about the headers applied to email messages by Symantec Email Security.cloud.

Resolution

The following lines are inserted into the Internet header of email that passes through Email Security.cloud Email Services, depending on the service outcomes.

 

Header Line
Description
X-Brightmail-Tracker: 
H4sIAAAAAAAAA+NgFrrPLMWRWljuD2YHR48Gmsd
Axigum5TUnMyy1CJ9uwSujM7Ow0A5bwpiZVNb973m
YBVYlbF5eD2cICQhJPtp8Gq2cT4J9Sfkpl9SfkplTm33
CjJwaQkyrtJfoePEF9SfkplRmJxRn43bOEZ01KlTls9Q
eZCMYFFqempFWmYOMJxg0kwcMsI9LkQT0FqUT0
3QBYJgPRnlObB7bnEKColzMsI9LkfQBywRG9gWMD
0X7RLLuh+aVTJooI7rvV83crxyLygolzMsI9LkQT0FqU
xArGxDNWX7Me/gnn+3osgr3G8rq+X8dO4Qt4V(jk4m
The X-Brightmail-Tracker helps Symantec analyze email that is either erroneously classified as spam (False Positives) or that is missed by spam analysis (False Negatives). In either case, Symantec spam analysts use data in the tracker to help improve spam detection accuracy. The X-Brightmail-Tracker is encrypted and contains Symantec-proprietary data like: scan results, timestamps, sender and recipient information, scanner host/IP details and more.
X-Content-Flag: YES
X-ContentInfo: Condition 1, Condition 2, ..., Rule Name, Domain Name
Data Protection scanned the mail and triggered a Tag With Header action, according to the configuration of the Data Protection policy. The conditions which matched, the name of the policy, and the domain are displayed
X-Env-Sender: [email protected]
Indicates the actual sender's email address. The email address can then be added to the allowed or blocked senders lists if required
X-Msg-Ref: server-X.clusterX.messagelabs.com!0000000000!0000000!0
The unique message ID. The line also indicates the part of the infrastructure that has accepted the email
X-Originating-IP: [000.000.000.000]
The IP address of the server that the email was received from
X-Porninfo: found (level 1)
Image Control scanned the email and detected it as unacceptable on a High setting
X-Porninfo: found (level 2)
Image Control scanned the mail and detected it as unacceptable on a High and Medium setting
X-Porninfo: found (level 3)
Image Control scanned the mail and detected it as unacceptable on a High, Medium, and Low setting
X-SpamInfo: blackholed by Dynamic IP block list
AntiSpam has scanned the email and the dynamic IP block list has identified the email as spam
The dynamic IP block list is a list of known dial-up or dynamically assigned pools of IP addresses
X-SpamInfo: filtered by Signaturing System
X-SpamReason: Matched rule 00000000
AntiSpam has scanned the email and the signaturing system detection method classified it as spam
X-SpamInfo: Sender domain in blacklist
The sending domain is in your AntiSpam blocked senders list
X-SpamInfo: Sender IP in blacklist
The sending IP address is in your AntiSpam blocked senders list
X-SpamInfo: spam detected heuristically
X-SpamReason: Yes, hits=50.0 required=7.0 tests=Bad HELO
AntiSpam has scanned the email and the Skeptic™ heuristics predictive detection method classified it as spam
X-SpamReason: No, hits=0.5 required=7.0 tests=HTML_60_70,HTML_MESSAGE
AntiSpam has scanned the email and the email did not score high enough to be classed as spam
X-SpamWhitelisted: IP whitelist
The sending IP address is in your AntiSpam approved senders list
X-SpamWhitelisted: domain whitelist
The sending domain or email address is in your AntiSpam approved senders list, or the email was released from Spam Quarantine
X-StarScan-Version: 5.4.15; banners=-,-,yourdomain.com
Indicates the cloud security services email engine version. It also indicates the domain banners or disclaimers that are appended
X-VirusChecked: Checked
The cloud security services AntiVirus scanners have scanned the email
X-SYMC-ESS-Client-Auth: mailfrom-relay-check=pass
X-SYMC-ESS-Client-Auth: outbound-route-from=pass
The outbound email was sent using a Header From domain that is registered in the account's Domain list and from an authorized server listed in the Outbound Routes

X-Spam-Flag: YES

This string identifies the email as spam and enables further action when the message enters your email system or your users' email clients.
X-Spam-Flag: YES
X-SpamInfo: filtered by SPF
X-SpamReason: Domain of symcemailsecurity.com does not designate 104.47.38.81 as permitted sender
AntiSpam has scanned the email and the SPF authentication filter has identified the email as spoofed
X-Spam-Flag: YES
X-SpamInfo: filtered by DMARC
X-SpamReason: Sender policy of symcemailsecurity.com p=quarantine adkim=r aspf=r)
AntiSpam has scanned the email and the DMARC authentication filter has identified the email as spoofed
X-Newsletter-Flag: YES
X-Spam-Flag: YES
X-SpamInfo: spam detected hueristically
X-SpamReason: Yes,*
AntiSpam has scanned the email and the Newsletter / Marketing detection method classified it newsletter or marketing

X-SpamReason:No,*,domain_age: sample1.com:a=1,s=body; sample2.com:a=2,s=body; {END.EN_US}

 
This string will only show when the domain age is less than 90 days. This is strictly for informational purpose only.

a = domain age in days
s = where the domain was found in the email. There are 3 possible values:

  1. env: found in envelope (MAIL FROM).
  2. header: found in headers (From or Reply-To).
  3. body: found in body.
 
 
 
 
 
Passive Detection Internet Headers:
 

https://support.symantec.com/au/en/article.TECH252519.html

 

Can I turn the X-Brightmail-Tracker off?

 

No, X-Brightmail-Tracker cannot be switched off.
 

If X-SpamInfo is not displayed in the header, it may be due to:

  • Anti-Spam is not switched on.
  • The email did not trigger any rules.
  • The sending domain or IP address is in the Approved Senders list.
  • The recipient has Anti-Spam turned off.
If X-PornInfo is not displayed in the header, it may be due to:
  • Image Control is not switched on.
  • The attachment was not classed as unacceptable.
  • The recipient has the Image Control service turned off. 

If X-Msg-Ref: server-X.clusterX.messagelabs.com!0000000000!0000000!0 is not displayed in the header, the mail may be unscanned by Symantec.cloud scan.