Understanding email headers in Email Security.cloud
Article ID: 161415
Updated On:
Products
Email Security.cloud
Issue/Introduction
Learn about the headers applied to email messages by Symantec Email Security.cloud.
Resolution
The following lines are inserted into the Internet header of email that passes through Email Security.cloud Email Services, depending on the service outcomes.
|
Header Line
|
Description
|
|---|---|
X-Brightmail-Tracker: |
The X-Brightmail-Tracker helps Symantec analyze email that is either erroneously classified as spam (False Positives) or that is missed by spam analysis (False Negatives). In either case, Symantec spam analysts use data in the tracker to help improve spam detection accuracy. The X-Brightmail-Tracker is encrypted and contains Symantec-proprietary data like: scan results, timestamps, sender and recipient information, scanner host/IP details and more. |
X-Content-Flag: YESX-ContentInfo: Condition 1, Condition 2, ..., Rule Name, Domain Name |
Data Protection scanned the mail and triggered a Tag With Header action, according to the configuration of the Data Protection policy. The conditions which matched, the name of the policy, and the domain are displayed.
|
X-Env-Sender: [email protected] |
Indicates the actual sender's email address. The email address can then be added to the allowed or blocked senders lists if required.
|
X-Msg-Ref: server-X.clusterX.messagelabs.com!0000000000!0000000!0 |
The unique message ID. The line also indicates the part of the infrastructure that has accepted the email.
|
X-Originating-IP: [000.000.000.000] |
The IP address of the server that the email was received from.
|
X-Porninfo: found (level 1) |
Image Control scanned the email and detected it as unacceptable on a High setting.
|
X-Porninfo: found (level 2) |
Image Control scanned the mail and detected it as unacceptable on a High and Medium setting.
|
X-Porninfo: found (level 3) |
Image Control scanned the mail and detected it as unacceptable on a High, Medium, and Low setting.
|
X-SpamInfo: blackholed by Dynamic IP block list |
AntiSpam has scanned the email and the dynamic IP block list has identified the email as spam.
The dynamic IP block list is a list of known dial-up or dynamically assigned pools of IP addresses.
|
X-SpamInfo: filtered by Signaturing SystemX-SpamReason: Matched rule 00000000 |
AntiSpam has scanned the email and the signaturing system detection method classified it as spam.
|
X-SpamInfo: Sender domain in blacklist |
The sending domain is in your AntiSpam blocked senders list.
|
X-SpamInfo: Sender IP in blacklist |
The sending IP address is in your AntiSpam blocked senders list.
|
X-SpamInfo: spam detected heuristicallyX-SpamReason: Yes, hits=50.0 required=7.0 tests=Bad HELO |
AntiSpam has scanned the email and the Skepticâ„¢ heuristics predictive detection method classified it as spam.
|
X-SpamReason: No, hits=0.5 required=7.0 tests=HTML_60_70,HTML_MESSAGE |
AntiSpam has scanned the email and the email did not score high enough to be classed as spam.
|
X-SpamWhitelisted: IP whitelist |
The sending IP address is in your AntiSpam approved senders list.
|
X-SpamWhitelisted: domain whitelist |
The sending domain or email address is in your AntiSpam approved senders list, or the email was released from Spam Quarantine.
|
X-StarScan-Version: 5.4.15; banners=-,-,yourdomain.com |
Indicates the cloud security services email engine version. It also indicates the domain banners or disclaimers that are appended.
|
X-VirusChecked: Checked |
The cloud security services AntiVirus scanners have scanned the email.
|
X-SYMC-ESS-Client-Auth: mailfrom-relay-check=passX-SYMC-ESS-Client-Auth: outbound-route-from=pass |
The outbound email was sent using a Header From domain that is registered in the account's Domain list and from an authorized server listed in the Outbound Routes.
|
|
|
This string identifies the email as spam and enables further action when the message enters your email system or your users' email clients.
|
X-Spam-Flag: YESX-SpamInfo: filtered by SPFX-SpamReason: Domain of symcemailsecurity.com does not designate 104.47.38.81 as permitted sender |
AntiSpam has scanned the email and the SPF authentication filter has identified the email as spoofed.
|
X-Spam-Flag: YESX-SpamInfo: filtered by DMARCX-SpamReason: Sender policy of symcemailsecurity.com p=quarantine adkim=r aspf=r) |
AntiSpam has scanned the email and the DMARC authentication filter has identified the email as spoofed.
|
X-Newsletter-Flag: YESX-Spam-Flag: YESX-SpamInfo: spam detected hueristically X-SpamReason: Yes,* |
AntiSpam has scanned the email and the Newsletter / Marketing detection method classified it newsletter or marketing.
|
| X-SpamReason: No,*,domain_age: sample1.com:a=1,s=body; sample2.com:a=2,s=body; {END} |
This string will only show when the domain age is less than 90 days. This is strictly for informational purpose only.
a = domain age in days.
|
Passive Detection Internet Headers:
https://knowledge.broadcom.com/external/article/173201/passive-detection-xspamreason-internet-h.html
Can I turn the X-Brightmail-Tracker off?
No, X-Brightmail-Tracker cannot be switched off.
If X-SpamInfo is not displayed in the header, it may be due to:
- Anti-Spam is not switched on.
- The email did not trigger any rules.
- The sending domain or IP address is in the Approved Senders list.
- The recipient has Anti-Spam turned off.
If X-PornInfo is not displayed in the header, it may be due to:
- Image Control is not switched on.
- The attachment was not classed as unacceptable.
- The recipient has the Image Control service turned off.
If X-Msg-Ref: server-X.clusterX.messagelabs.com!0000000000!0000000!0 is not displayed in the header, the mail may be unscanned by Symantec.cloud scan.
Feedback
Yes
No
Powered by
