Add Spam Explanation into the message header for MailSite 9.1 and later
Document #:10501
Applies To:
Synopsis:
This document applies to MailSite 9.1 and later only. For previous versions of MailSite see KB 10419.
MailSite’s Sieve and AS implementation has been enhanced to allow the reasons for the score received from the AS engine to be inserted into message headers.
These new extensions can currently only be configured via the advanced sieve editor. GUI support will be considered at a later stage.
More Information:
To enable the feature you need to a) create a new property entry in the registry or SQL Connector, and b) manually add new entries into a sieve filter. To log the spam information to the operational log you need to have scoring_explanation within the property list and have ‘Protocol exchanges’ enabled. To enable this new functionality please see below for the different connectors.
Registry Connector
HKLM\Software\Rockliffe\MailSite\Mailfilter0
Add a new ‘String Value’ with the name of ‘ExtraInfo’ (without the quotes).
The value is a comma-separated list of the items you require to be added to message headers or logged to the SMTPRA operational log. See Appendix 1 for a full list of these items.
Sample list to add to the registry:
charsets,countries,phishing_status,rbl_summary,spamcatcher1,spf_status,scoring_summary,scoring_explanation
SQL Connector
Within the Database table MailServerProperties enter this information:
Property | Value |
ServiceName | Mailfilter0 |
PropertyName | ExtraInfo |
ServerRoleId | 0 (depending on your configuration) |
PropType | 1 |
PropIntValue | Null |
PropStringValue | charsets,countries,phishing_status,rbl_summary,spamcatcher1,spf_status,scoring_summary,scoring_explanation |
For a list of the Values entered into PropStringValue please see Appendix 1 (the above is an example only).
Sieve Filter
Now that we have the Database or the Registry values entered we need to add a sieve filter to enable the information to be added into message headers.
This is an example of a filter that can be used to put all available extra information into the header.
Note: when the information is not available the header is still included, but with a blank value. For example, if a message is sent and delivered within the same country, “X-Spam-Score-Countries” would contain an empty list of country codes.
The below needs to be pasted as is within the Advanced view of sieve filters.
You also need to make sure that the 'require' section at the very top of the Advanced view includes the option 'x_variables', for example:
require ["virustest","x_spamtest","relational","comparator-i;ascii-numeric","reject","x_editheader","x_variables","regex","x_body"];
/*
RuleName: Add Spam Score
RuleDescription: Adds spam score to message X-Header
*/
if true {
    /* This command is inserted to make the $spamscore variable available. */
    if spamtest :matches :comparator "i;ascii-numeric" "*" { set "spamscore" "$1"; }
    addheader "X-Spam-Score" "${spamscore}";
    addheader "X-Spam-Score-Charsets" "${spamtest.charsets}";
    addheader "X-Spam-Score-Countries" "${spamtest.countries}";
    addheader "X-Spam-Score-Phishing_status" "${spamtest.phishing_status}";
    addheader "X-Spam-Score-rbl_summary" "${spamtest.rbl_summary}";
    addheader "X-Spam-Score-Summary" "${spamtest.scoring_summary}";
    addheader "X-Spam-Score-Spamcatcher1" "${spamtest.spamcatcher1}";
    addheader "X-Spam-Score-spf_status" "${spamtest.spf_status}";
    addheader "X-Spam-Score-scoring_explanation" "${spamtest.scoring_explanation}";
}
Appendix 1
The list of explanatory attributes to extract from the spam scanner, in addition to the score, is detailed below. These attributes will be cached in the stream of the message, and available for use in mail headers through the sieve filter. The extra information is only read into the cache if the feature is enabled, and some additional server load should be expected. By default no extra information is read, and therefore server load will remain unchanged. The property is a comma-separated list; at the time of writing the options are:
“charsets” A comma-delimited list of “char-set” found in message MIME sections. Only text/plain and text/html body sections are considered. A char-set to foreign language map can be found at:
http://www.w3.org/International/O-charset-list.html.
“countries” Returns a comma separated list of ISO-3166 country codes through which a message was routed. A list of country codes can be found at:
here
“phishing_status” Possible values are either yes or no. Yes indicates the message has phishing content.
“rbl_summary” The IP address and RBL server used
“scoring_summary” A colon “:” delimited list of Rule numbers which triggered and other scoring information.
“spamcatcher1” A hash which indicates that message has already been scored.
“spf_status” Possible values are:
fp - Mail From pass
hp - HELO pass
ff - Mail From fail
hf - HELO fail
fn - Mail From none
hn - HELO none
fu - Mail From neutral
hu - HELO neutral
fe - Mail From permError
he - HELO permError
ft - Mail From tempError
ht - HELO tempError
fs - Mail From softfail
hs - HELO softfail
“scoring_explanation” This will give human readable information on why a message was allocated a particular score. This acts as an explanation of the “scoring_summary” which is not itself human readable. The information will be added to the header or log as per the example:
(25%) BODY: contains a tracking ID
(21%) RECEIVED: Received headers not consistent with Hotmail "FROM:
(18%) Sender has spammy reputation
(18%) MESSAGE-ID: was added by a hotmail.com relay
(12%) HTML: background matches font color
(6%) URL TEXT: contains "click here"
Appendix 2
Example Header information
X-Spam-Score-scoring_explanation: (100%) BODY: contains "rates" obfuscated
X-Spam-Score-spf_status:
X-Spam-Score-Spamcatcher1: 3fdced5a2bc7c4cc5a14f2055c558926
X-Spam-Score-Summary: 40,2.5,0,9b5ea54b18b66d5d,8b5854dd0a77a4ea,example@example.com,
,RULES_HIT:1:2:10:75:355:379:476:539:541:542:602:945:960:962:967:
973:980:983:988:989:1155:1156:1160:1189:1208:1221:1261:1308:1309:
1313:1314:1345:1431:1436:1437:1515:1516:1517:1521:1575:1588:1589:
1592:1594:1712:1730:1775:1792:2075:2078:2194:2199:2380:2525:2526:
2528:2551:2553:2559:2563:2682:2685:2743:2857:2859:2902:2917:2933:
2937:2939:2942:2945:2947:2951:2954:3022:3354:3521:3522:3523:3586:
3622:3636:3742:3865:3866:3867:3868:3869:3870:3871:3872:3874:3934:
3936:3938:4050:4078:4083,0,RBL:none,CacheIP:none,Bayesian:0.5,0.5
,0.5,Netcheck:none,DomainCache:0,MSF:not bulk,SPF:
X-Spam-Score-rbl_summary: none
X-Spam-Score-Phishing_status: no
X-Spam-Score-Countries:
X-Spam-Score-Charsets: iso-8859-1,iso-8859-1,us-ascii,us-ascii
X-Spam-Score: 4
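The headers above can also be read by a script for triage or reporting. The following Python is an added example, not code from MailSite or from this KB article; it decodes the headers written by the filter above. The sample message is constructed, and two delimiters are assumptions because the page does not show them: each scoring_explanation entry is taken to start with a percentage in parentheses, and multiple spf_status codes are taken to be separated by a non-alphanumeric character.

```python
import re
from email import message_from_string

# Two-letter spf_status codes from Appendix 1: identity letter + result letter.
SPF_IDENTITY = {"f": "Mail From", "h": "HELO"}
SPF_RESULT = {"p": "pass", "f": "fail", "n": "none", "u": "neutral",
              "e": "permError", "t": "tempError", "s": "softfail"}

# Constructed sample modelled on Appendix 2; values are made up for illustration.
SAMPLE = (
    'X-Spam-Score-scoring_explanation: (25%) BODY: contains a tracking ID'
    ' (18%) Sender has spammy reputation (6%) URL TEXT: contains "click here"\n'
    "X-Spam-Score-spf_status: ff,hn\n"
    "X-Spam-Score-Summary: 40,2.5,0,example@example.com,RULES_HIT:1:2:10:75:\n"
    " 355:379,0,RBL:none,Bayesian:0.5\n"
    "X-Spam-Score-Phishing_status: no\n"
    "X-Spam-Score-Countries:\n"
    "X-Spam-Score: 4\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)

def unfold(value):
    """Join RFC 5322 folded continuation lines into one logical line."""
    return re.sub(r"\r?\n[ \t]+", "", value or "").strip()

def parse_spam_headers(raw_message):
    msg = message_from_string(raw_message)
    def get(suffix):
        # Message.get() returns the topmost occurrence of the header.
        return unfold(msg.get("X-Spam-Score" + suffix))
    # Assumption: every reason begins with "(NN%)" and runs to the next one.
    reasons = [(int(pct), text.strip()) for pct, text in re.findall(
        r"\((\d+)%\)\s*(.*?)(?=\s*\(\d+%\)|$)", get("-scoring_explanation"))]
    # Assumption: codes are separated by any non-alphanumeric character.
    spf = [f"{SPF_IDENTITY[c[0]]} {SPF_RESULT[c[1]]}"
           for c in re.findall(r"\b[fh][pfnuets]\b", get("-spf_status"))]
    hit = re.search(r"RULES_HIT:([\d:]+)", get("-Summary"))
    rules = [int(n) for n in hit.group(1).split(":") if n] if hit else []
    countries = [c for c in get("-Countries").split(",") if c]
    return {"score": int(get("") or 0), "reasons": reasons, "spf": spf,
            "rules_hit": rules, "countries": countries,
            "phishing": get("-Phishing_status").lower() == "yes"}
```

In the Appendix 2 example the headers appear in the reverse order of the addheader commands, which suggests the filter places each header above the ones already present; reading the topmost occurrence therefore picks up the value the server wrote.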
Example SMTPRA Operational Log Entry
---- SMTPRA log entry made at 08/10/2006 00:01:44
220 mail.example.com MailSite ESMTP Receiver Version 7.0.5 Ready
EHLO sss
250-rockliffe.com
250-SIZE 15000000
250-ETRN
250-ENHANCEDSTATUSCODES
250-X-IMS 3 3
250-DSN
250-VRFY
250-AUTH LOGIN NTLM SCRAM-MD5 CRAM-MD5
250-AUTH=LOGIN
250-X-AVU 1155190767
250-STARTTLS
250 8BITMIME
MAIL FROM:tester@abcexample.com
250 2.0.0 tester@abcexample.com OK
RCPT TO:test@example.com
250 2.0.0 test@example.com OK
DATA
354 Ready for data
Message B0003498438@mail.example.com received spam score of: 2:(100%) SUBJ: contains text similar to "!!!"
Last revised 2009-7-16