Passive detection: "X-SpamReason" Internet header tags for inbound email

Products

Email Security.cloud

Issue/Introduction

Email Security.cloud adds spam diagnostic header tag “X-SpamReason:” to inbound email classified as spam or newsletter/marketing by Anti-Spam detection methods that are disabled in your ClientNet account and email from senders on your Anti-Spam Approved Senders list. This is called passive detection, because the service detects issues but does not take action based on the detection, aside from adding the header tag.

Email is delivered as normal to your mail gateway, but with the addition of Internet header tag.

If you have intentionally configured any of the Anti-Spam detection methods (Services > Email Services > Anti-Spam) to either:

Append a header but allow mail through
Tag the subject line but allow mail through

AND you have local email gateway or email client policies that act on the spam diagnostic header tag X-SpamReason: Yes, such as quarantine the email, review your local policies and adjust accordingly.

Environment

Email Security.cloud

Resolution

The table below lists Email Security.cloud's Anti-Spam detection methods, along with the header tags that are inserted in email headers based on the detection method triggered.

Note: The spam diagnostic headers tag "X-SpamReason: Yes" added to email classified as spam by the Skeptic™ Heuristics detection method is the same as the tag added to email classified as newsletter or marketing by the Newsletter/Marketing detection method, with one exception: the Newsletter/Marketing detection method inserts the additional tag X-Newsletter-Flag: YES for active detection. If you have local email gateway or email client policies that act on header tags, e.g. quarantine the email, adjust your policies accordingly to prevent email classified as newsletters or marketing from being quarantined.

Anti-Spam Detection Method	Description	Internet Header Tags (Active Detection)	Internet Header Tags (Passive Detection)	Internet Header Tags - From Approved Senders (Passive/Active Detection)
Skeptic™ Heuristics	Anti-Spam has scanned the email and the Skeptic™ Heuristics predictive detection method classified it as spam.	X-Spam-Flag: YES X-SpamInfo: spam detected heuristically X-SpamReason: Yes, *	X-SYMC-ESS-Spam-Ignored: YES X-SYMC-ESS-Spam-Info: spam detected heuristically X-SYMC-ESS-Spam-Reason:* X-SpamReason: *	X-SpamWhitelisted: * X-SYMC-ESS-Spam-Ignored: YES X-SYMC-ESS-Spam-Info: spam detected heuristically X-SYMC-ESS-Spam-Reason: * X-SpamReason: *
Newsletter Marketing	Anti-Spam has scanned the email and the Newsletter/Marketing detection method classified it as newsletter or marketing email.	X-Newsletter-Flag: YES X-Spam-Flag: YES or X-Spam-Flag: NO X-SpamInfo: spam detected heuristically X-SpamReason: Yes, *	X-SYMC-ESS-Newsletter-Ignored: YES X-SpamReason: *	X-SpamWhitelisted: * X-SYMC-ESS-Newsletter-Ignored: YES X-SpamReason: *
Signaturing System	Anti-Spam has scanned the email and the Signaturing System detection method classified it as spam.	X-Spam-Flag: YES X-SpamInfo: filtered by Signaturing System X-SpamReason: Matched rule *	X-SYMC-ESS-Spam-Ignored: YES X-SYMC-ESS-Spam-Info: filtered by Signaturing System X-SYMC-ESS-Spam-Reason: Matched rules * X-SpamReason: *	X-SpamWhitelisted: * X-SYMC-ESS-Spam-Ignored: YES X-SYMC-ESS-Spam-Info: filtered by Signaturing Systems X-SYMC-ESS-Spam-Reason: Matched rules * X-SpamReason: *
SPF Authentication	Anti-Spam has scanned the email and the email failed SPF authentication.	X-Spam-Flag: YES X-SpamInfo: filtered by SPF X-SpamReason: Domain of *	X-SYMC-ESS-Spam-Ignored: YES X-SYMC-ESS-Spam-Info: filter by SPF X-SYMC-ESS-Spam-Reason: Doman of *	X-SpamWhitelisted: * X-SYMC-ESS-Spam-Ignored: YES X-SYMC-ESS-Spam-Info: filtered by SPF X-SYMC-ESS-Spam-Reason: Domain of *
DMARC Authentication	Anti-Spam has scanned the email and the email failed DMARC authentication.	X-Spam-Flag: YES X-SpamInfo: filtered by DMARC X-SpamReason: Sender policy of *	X-SYMC-ESS-Spam-Ignored: YES X-SYMC-ESS-Spam-Info: filter by DMARC X-SYMC-ESS-Spam-Reason: Sender policy of *	X-SpamWhitelisted: * X-SYMC-ESS-Spam-Ignored: YES X-SYMC-ESS-Spam-Info: filtered by DMARC X-SYMC-ESS-Spam-Reason: Sender policy of *
Dynamic IP Blocklist	Anti-Spam has scanned the email and the dynamic IP block list has identified the email as spam. The dynamic IP block list is a list of known dial-up or dynamically assigned pools of IP addresses.	X-Spam-Flag: YES X-SpamInfo: blackholed by DUL	X-SYMC-ESS-Spam-Ignored: YES X-SYMC-ESS-Spam-Info: blackholed by DUL* X-SYMC-ESS-Spam-Reason: *	X-SpamWhitelisted: * X-SYMC-ESS-Spam-Ignored: YES X-SYMC-ESS-Spam-Info: blackholed by DUL* X-SYMC-ESS-Spam-Reason: *
Blocked Senders List (IP addresses only)	The sending IP address is in your Anti-Spam blocked senders list.	X-Spam-Flag: YES X-SpamInfo: Sender IP in blacklist	X-SYMC-ESS-Spam-Ignored: YES X-SYMC-ESS-Spam-Info: Sender IP in blacklist X-SYMC-ESS-Spam-Reason: *	X-SpamWhitelisted: * X-SYMC-ESS-Spam-Ignored: YES X-SYMC-ESS-Spam-Info: Sender IP in blacklist X-SYMC-ESS-Spam-Reason: *
Blocked Senders List (Domains and email addresses only)	The sending domain or email address is in your Anti-Spam blocked senders list.	X-Spam-Flag: YES X-SpamInfo: Sender domain in blacklist	X-SYMC-ESS-Spam-Ignored: YES X-SYMC-ESS-Spam-Info: Sender domain in blacklist X-SYMC-ESS-Spam-Reason: *	X-SpamWhitelisted: * X-SYMC-ESS-Spam-Ignored: YES X-SYMC-ESS-Spam-Info: Sender domain in blacklist X-SYMC-ESS-Spam-Reason: *
Domain Age info	This string will only show when the domain age is less than 90 days. This is strictly for informational purposes only. Any action towards domain age alone must be taken post delivery via rules against the info found in the header.	X-SpamReason: No,,domain_age: sample1.com:a=5,s=body; sample2.com:a=10,s=env; {END.EN_US} a = domain age in days, 0 to 90 s = where the domain was found in the email. There are 3 possible values: 1. env:* found in envelope (Mail From). 2. header: found in headers (From or Reply-To). 3. body: found in body. O365 Rule example to act against these emails In the example below, it acts on domains with age between 0 and 60 days in the body, header and envelope sender Apply this rule if... A message header matches... > 'x-spamreason' header matches ':a=([0-9]\|[1-5][0-9]\|60),s=(env\|header\|body)' Additional regex examples:* 00 to 30 days: ':a=([0-9]\|[1-2][0-9]\|30),s=(env\|header\|body)' 31 to 60 days: ':a=(3[1-9]\|[4-5][0-9]\|60),s=(env\|header\|body)' 61 to 90 days: ':a=(6[1-9]\|[7-8][0-9]\|90),s=(env\|header\|body)' The last segment can be adjusted too, s=(env\|header\|body) includes all 3 locations, but this can be modified, ie s=(body) only for the body links.

Anti-Spam
Detection Method

Description

Internet Header Tags
(Active Detection)

Internet Header Tags
(Passive Detection)

Internet Header Tags - From Approved Senders
(Passive/Active Detection)

Skeptic™ Heuristics

Anti-Spam has scanned the email and the Skeptic™ Heuristics predictive detection method classified it as spam.

X-Spam-Flag: YES

X-SpamInfo: spam detected heuristically

X-SpamReason: Yes, *

X-SYMC-ESS-Spam-Ignored: YES

X-SYMC-ESS-Spam-Info: spam detected heuristically

X-SYMC-ESS-Spam-Reason:*

X-SpamReason: *

X-SpamWhitelisted: *

X-SYMC-ESS-Spam-Ignored: YES

X-SYMC-ESS-Spam-Info: spam detected heuristically

X-SYMC-ESS-Spam-Reason: *

X-SpamReason: *

Newsletter Marketing

Anti-Spam has scanned the email and the Newsletter/Marketing detection method classified it as newsletter or marketing email.

X-Newsletter-Flag: YES

X-Spam-Flag: YES or X-Spam-Flag: NO

X-SpamInfo: spam detected heuristically

X-SpamReason: Yes, *

X-SYMC-ESS-Newsletter-Ignored: YES

X-SpamReason: *

X-SpamWhitelisted: *

X-SYMC-ESS-Newsletter-Ignored: YES

X-SpamReason: *

Signaturing System

Anti-Spam has scanned the email and the Signaturing System detection method classified it as spam.

X-Spam-Flag: YES

X-SpamInfo: filtered by Signaturing System

X-SpamReason: Matched rule *

X-SYMC-ESS-Spam-Ignored: YES

X-SYMC-ESS-Spam-Info: filtered by Signaturing System

X-SYMC-ESS-Spam-Reason: Matched rules *

X-SpamReason: *

X-SpamWhitelisted: *

X-SYMC-ESS-Spam-Ignored: YES

X-SYMC-ESS-Spam-Info: filtered by Signaturing Systems

X-SYMC-ESS-Spam-Reason: Matched rules *

X-SpamReason: *

SPF Authentication

Anti-Spam has scanned the email and the email failed SPF authentication.

X-Spam-Flag: YES

X-SpamInfo: filtered by SPF

X-SpamReason: Domain of *

X-SYMC-ESS-Spam-Ignored: YES

X-SYMC-ESS-Spam-Info: filter by SPF

X-SYMC-ESS-Spam-Reason: Doman of *

X-SpamWhitelisted: *

X-SYMC-ESS-Spam-Ignored: YES

X-SYMC-ESS-Spam-Info: filtered by SPF

X-SYMC-ESS-Spam-Reason: Domain of *

DMARC Authentication

Anti-Spam has scanned the email and the email failed DMARC authentication.

X-Spam-Flag: YES

X-SpamInfo: filtered by DMARC

X-SpamReason: Sender policy of *

X-SYMC-ESS-Spam-Ignored: YES

X-SYMC-ESS-Spam-Info: filter by DMARC

X-SYMC-ESS-Spam-Reason: Sender policy of *

X-SpamWhitelisted: *

X-SYMC-ESS-Spam-Ignored: YES

X-SYMC-ESS-Spam-Info: filtered by DMARC

X-SYMC-ESS-Spam-Reason: Sender policy of *

Dynamic IP Blocklist

Anti-Spam has scanned the email and the dynamic IP block list has identified the email as spam. The dynamic IP block list is a list of known dial-up or dynamically assigned pools of IP addresses.

X-Spam-Flag: YES

X-SpamInfo: blackholed by DUL

X-SYMC-ESS-Spam-Ignored: YES

X-SYMC-ESS-Spam-Info: blackholed by DUL*

X-SYMC-ESS-Spam-Reason: *

X-SpamWhitelisted: *

X-SYMC-ESS-Spam-Ignored: YES

X-SYMC-ESS-Spam-Info: blackholed by DUL*

X-SYMC-ESS-Spam-Reason: *

Blocked Senders List
(IP addresses only)

The sending IP address is in your Anti-Spam blocked senders list.

X-Spam-Flag: YES

X-SpamInfo: Sender IP in blacklist

X-SYMC-ESS-Spam-Ignored: YES

X-SYMC-ESS-Spam-Info: Sender IP in blacklist

X-SYMC-ESS-Spam-Reason: *

X-SpamWhitelisted: *

X-SYMC-ESS-Spam-Ignored: YES

X-SYMC-ESS-Spam-Info: Sender IP in blacklist

X-SYMC-ESS-Spam-Reason: *

Blocked Senders List
(Domains and email addresses only)

The sending domain or email address is in your Anti-Spam blocked senders list.

X-Spam-Flag: YES

X-SpamInfo: Sender domain in blacklist

X-SYMC-ESS-Spam-Ignored: YES

X-SYMC-ESS-Spam-Info: Sender domain in blacklist

X-SYMC-ESS-Spam-Reason: *

X-SpamWhitelisted: *

X-SYMC-ESS-Spam-Ignored: YES

X-SYMC-ESS-Spam-Info: Sender domain in blacklist

X-SYMC-ESS-Spam-Reason: *

Domain Age info

This string will only show when the domain age is less than 90 days.

This is strictly for informational purposes only. Any action towards domain age alone must be taken post delivery via rules against the info found in the header.

X-SpamReason: No,*,domain_age: sample1.com:a=5,s=body; sample2.com:a=10,s=env; {END.EN_US}

a = domain age in days, 0 to 90

s = where the domain was found in the email. There are 3 possible values:
1. env: found in envelope (Mail From).
2. header: found in headers (From or Reply-To).
3. body: found in body.

O365 Rule example to act against these emails

In the example below, it acts on domains with age between 0 and 60 days in the body, header and envelope sender

*Apply this rule if...
A message header matches... > 'x-spamreason' header matches ':a=([0-9]|[1-5][0-9]|60),s=(env|header|body)'

Additional regex examples:
00 to 30 days: ':a=([0-9]|[1-2][0-9]|30),s=(env|header|body)'

31 to 60 days: ':a=(3[1-9]|[4-5][0-9]|60),s=(env|header|body)'

61 to 90 days: ':a=(6[1-9]|[7-8][0-9]|90),s=(env|header|body)'

The last segment can be adjusted too, s=(env|header|body) includes all 3 locations, but this can be modified, ie s=(body) only for the body links.