X-IronPort-Anti-Spam-Result Header

Unanswered Question
Apr 19th, 2007

Hello:

Is there any way to decode the header X-IronPort-Anti-Spam-Result? I think it has some information about the rules and the score the message ranked in CASE, but its meaning and how to decode it are not explained.

It would be useful for me for understanding false positives in spam and which rules were applied.

Mark [CSE]_ironport Thu, 04/19/2007 - 11:29

There is no way for our customers to decode those headers. This is done because SPAM could use that information to reduce the catch rate of the IronPort Anti-Spam engine.

If you have questions about those headers, please submit those headers to customer support and ask for some feedback.

Cheers,

Mark

salware_ironport Thu, 04/19/2007 - 12:09

My other choice is the CASE logs. But I think Information level has no information and debug is too exhaustive.

I think it would be nice for each message tracked by CASE to have information about the reason for the scoring, but not as much as is shown at debug level.

For instance:

MID xxxx score Y
a points because of URL found in body
b points because of image
............

What is the range for the score in CASE and the relationship with the thresholds in policy?

Donald Nash Thu, 04/19/2007 - 14:14

I think it would be nice for each message tracked by CASE to have information about the reason for the scoring, but not as much as is shown at debug level.

I haven't taken any interest in the CASE logs so I don't know exactly what's in them, but I can't see IronPort putting the information you want in there, either. That would allow spammers to buy something small like a C10, feed their spam through it, and use the log results to tune their spam.

We ran into exactly the same issue when we first started using IronPort/Brightmail back in 2004. It's frustrating, because honest customers feel like they have a right to know what's going on with their mail. I can't say I disagree with that. But giving an attacker an "oracle" by which he can indirectly view the inner workings of your defenses gives him an extreme advantage in subverting them. Therefore this stuff must be kept secret.
