Showing posts with label O365. Show all posts

Friday, February 6, 2015

Unable to release quarantine msg in Office365

So we recently were forced to migrate off our on-premises Exchange 2010 servers to Office365; I won't even go into how much I fought against this.

Anyway today I hit yet another problem, and something that Google had no results on either.  After checking my Quarantine messages:

https://admin.protection.outlook.com/quarantine

I found a message that I wanted to both release and mark as not junk. So I did what you are supposed to do: I highlighted the message line and clicked the little envelope icon


And instead of being greeted with a message stating it was successful I got this:


All the Google results referenced PowerShell, but with a different variable name like Identity. Unable to find a cause, and being a little bored, I tried the pencil icon, which opened a popup like

Weird thing is, choosing to release and report as false positive from here worked. It's not an actual resolution IMO as much as a workaround. But maybe this tidbit will help out others.


Wednesday, January 28, 2015

Antispam Report: email message header breakdown.



Grab the headers
Find the entry: X-Forefront-Antispam-Report
X-Original-X-Forefront-Antispam-Report: CIP:96.43.148.64;CTRY:US;IPV:NLI;SRV:BULK;EFV:NLI;SFV:SPM;SFS:(6009001)(438002)(659001)(609006)(48214007)(377454003)(189002)(199003)(164054003)(349900001)(252514010)(349010);DIR:INB;SFP:;SCL:9;SRVR:BY2PR04MB742;H:smtp01-was.mta.salesforce.com;FPR:;SPF:Pass;MLV:ovrnspm;PTR:smtp01-was.mta.salesforce.com;MX:1;A:1;

·         CIP:[IP Address] is the Connecting IP address. The IP address can be checked at MXToolbox to see if it's on any blacklists. [Example is CIP:96.43.148.64]
·         CTRY is the country from which the message connected to the service. This is determined by the Connecting IP address (CIP). [Example is CTRY:US]
·         LANG is the language the message was written in. [No Example]
·         IPV specifies whether the connecting IP was on the connection filter's IP Allow List (CAL), in which case spam filtering was skipped, or was not found on any IP list (NLI). [Example is IPV:NLI, so the IP was not on the allow list and the message was filtered normally]
·         SRV:BULK means the message was identified as bulk email. If the Block all bulk email messages advanced spam filtering option is enabled, it will be marked as spam. If it is not enabled, it will only be marked as spam if the rest of the filtering rules determine that the message is spam. [Example shows SRV:BULK]
·         SFV:SPM means the message was marked as spam by the content filter. [Example shows SFV:SPM]
·         SCL:# is the Spam Confidence Level (-1 to 9). [Example is SCL:9]
o   -1: the message was on a safe list (rule or ACL)
o   0 or 1: The message scanned resulted with a “Safe” level
o   5 or 6: The message scanned resulted with a “Spam” level
o   9: The message scanned resulted with a “High Confidence Spam” level
·         H:[helostring] Is the HELO or EHLO string of the connecting mail server. [Example is H:smtp01-was.mta.salesforce.com]
·         SPF:[result] is the result of the SPF check. Pass means the sender was specified in the SPF record for the sender
·         PTR:[ReverseDNS] is the PTR record of the sending IP address (reverse DNS name). [Example is PTR:smtp01-was.mta.salesforce.com]
Search for the entry: X-CustomSpam
If this is present, then the message matched an advanced spam filtering (ASF) option. For example, X-CustomSpam: Image links to remote sites denotes that the Image links to remote sites ASF option was matched.
Find the Entry: X-Microsoft-Antispam
This entry carries fields for newer Exchange Online Protection features.
·         BCL: This shows the Bulk Complaint Level (BCL) of the message.
·         PCL: This shows the Phishing Confidence Level (PCL) of the message, which indicates whether it’s a phishing message. The PCL value can range from 1 through 8. A PCL rating from 1 through 3 returns a status of Neutral. This means that the message's content isn't likely to be phishing. A PCL rating from 4 through 8 returns a status of Suspicious. This means that the message is likely to be phishing. This status can be returned as one of the following values:
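The steps above are easy to do by hand once, but not for every quarantined message. The following Python script is an added example, not code from the original post: it parses the X-Forefront-Antispam-Report (or X-Original-X-Forefront-Antispam-Report) value into fields, maps SCL to the verdicts listed above, and lists the reasons that explain the score (IPV:CAL, SRV:BULK, SFV:SPM, SPF result, X-CustomSpam). The report header value is the one quoted in the post; the wrapper message, the sender/recipient addresses, the X-Microsoft-Antispam BCL/PCL values and the X-CustomSpam line are constructed for the example, and the HELO-versus-PTR comparison is an extra heuristic that the post does not describe.

```python
"""Parse an Exchange Online Protection antispam report header and explain the verdict.

Added example (not from the post): the report header value is the one quoted
in the post; the surrounding message, the X-Microsoft-Antispam values and the
X-CustomSpam line are constructed for the example.
"""
import re
from email import message_from_string

# Header value quoted in the post.
SAMPLE_REPORT = (
    "CIP:96.43.148.64;CTRY:US;IPV:NLI;SRV:BULK;EFV:NLI;SFV:SPM;"
    "SFS:(6009001)(438002)(659001)(609006)(48214007)(377454003)(189002)"
    "(199003)(164054003)(349900001)(252514010)(349010);DIR:INB;SFP:;SCL:9;"
    "SRVR:BY2PR04MB742;H:smtp01-was.mta.salesforce.com;FPR:;SPF:Pass;"
    "MLV:ovrnspm;PTR:smtp01-was.mta.salesforce.com;MX:1;A:1;"
)

# Constructed wrapper message: addresses, BCL/PCL values and the ASF line are made up.
SAMPLE_MESSAGE = (
    "From: sender@example.com\n"
    "To: user@example.com\n"
    "Subject: constructed sample\n"
    "X-Original-X-Forefront-Antispam-Report: " + SAMPLE_REPORT + "\n"
    "X-Microsoft-Antispam: BCL:7;PCL:0;\n"
    "X-CustomSpam: Image links to remote sites\n"
    "\n"
    "body\n"
)

# SCL meanings as listed in the post; other values are reported as undocumented.
SCL_VERDICTS = {
    -1: "skipped filtering: message was on a safe list (rule or ACL)",
    0: "not spam",
    1: "not spam",
    5: "spam",
    6: "spam",
    9: "high confidence spam",
}


def parse_antispam_report(value):
    """Split 'KEY:VAL;KEY:VAL;...' into a dict; SFS '(id)(id)' becomes a list of ints."""
    fields = {}
    for item in value.split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, val = item.partition(":")
        fields[key.strip()] = val.strip()
    if "SFS" in fields:
        fields["SFS"] = [int(n) for n in re.findall(r"\((\d+)\)", fields["SFS"])]
    return fields


def scl_verdict(scl):
    """Map an SCL string to verdict text; a missing or non-numeric SCL means none was stamped."""
    try:
        return SCL_VERDICTS.get(int(scl), "undocumented SCL value")
    except (TypeError, ValueError):
        return "no SCL stamped"


def analyze_message(raw):
    """Pull the EOP headers out of a raw message and summarise why it was scored."""
    msg = message_from_string(raw)
    # Accept either header name; the post's sample carries the X-Original- copy.
    report = (msg.get("X-Forefront-Antispam-Report")
              or msg.get("X-Original-X-Forefront-Antispam-Report") or "")
    fields = parse_antispam_report(report)
    micro = parse_antispam_report(msg.get("X-Microsoft-Antispam", ""))

    reasons = []
    if fields.get("IPV") == "CAL":
        reasons.append("connecting IP is on the IP Allow List; spam filtering skipped")
    if fields.get("SRV") == "BULK":
        reasons.append("identified as bulk mail")
    if fields.get("SFV") == "SPM":
        reasons.append("content filter verdict: spam")
    if fields.get("SPF", "").lower() != "pass":
        reasons.append("SPF did not pass: " + (fields.get("SPF") or "no result"))
    # Extra heuristic (not in the post): a HELO name that differs from the reverse
    # DNS of the connecting IP is worth a second look.
    helo, ptr = fields.get("H", ""), fields.get("PTR", "")
    if helo and ptr and helo.lower() != ptr.lower():
        reasons.append("HELO name %s differs from PTR %s" % (helo, ptr))
    for asf in msg.get_all("X-CustomSpam") or []:
        reasons.append("ASF option matched: " + asf)

    scl = fields.get("SCL", "")
    return {
        "cip": fields.get("CIP"),
        "country": fields.get("CTRY"),
        "scl": int(scl) if scl.lstrip("-").isdigit() else None,
        "verdict": scl_verdict(scl),
        "bcl": micro.get("BCL"),
        "pcl": micro.get("PCL"),
        "rules_hit": fields.get("SFS", []),
        "reasons": reasons,
    }


if __name__ == "__main__":
    result = analyze_message(SAMPLE_MESSAGE)
    print("Connecting IP %s (%s), SCL %s: %s" % (
        result["cip"], result["country"], result["scl"], result["verdict"]))
    for reason in result["reasons"]:
        print(" -", reason)
```

Treat the output as EOP's opinion about a message that actually passed through EOP: a header with this name is only as trustworthy as the hop that added it, so on mail that reached a mailbox through a connector or relay that bypassed your tenant's filtering, the values prove nothing.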

Notes…

X-Original-X-Forefront-Antispam-Report:
CIP:96.43.148.64;
CTRY:US;
IPV:NLI;
SRV:BULK;
EFV:NLI;      ???
SFV:SPM;
SFS:(6009001)(438002)(659001)(609006)(48214007)(377454003)(189002)(199003)(164054003)(349900001)(252514010)(349010);
DIR:INB;
SFP:;
SCL:9;
SRVR:BY2PR04MB742;
H:smtp01-was.mta.salesforce.com;
FPR:;
SPF:Pass;
MLV:ovrnspm;
PTR:smtp01-was.mta.salesforce.com;
MX:1;
A:1;