X-IronPort-Anti-Spam-Result Header

Unanswered Question
Apr 19th, 2007

Hello:

Is there any way to decode the header X-IronPort-Anti-Spam-Result? I think it has some information about the rules and the score the message ranked in CASE, but its meaning and how to decode it are not explained.

It would be useful for me for understanding false positives in spam and which rules were applied.

Mark [CSE]_ironport Thu, 04/19/2007 - 11:29

There is no way for our customers to decode those headers. This is done because SPAM could use that information to reduce the catch rate of the IronPort Anti Spam engine.

If you have questions about those headers, please submit those headers to customer support and ask for some feedback.

Cheers,

Mark

salware_ironport Thu, 04/19/2007 - 12:09

My other choice is the CASE logs. But I think Information level has no information and debug is too exhaustive.

I think it would be nice for each message tracked by CASE to have information about the reason for the scoring, but not as much as is told at debug level.

For instance:

MID xxxx score Y
a points because of URL found in body
b points because of image
............

What is the range for the score in CASE and the relationship with the thresholds in policy?

Donald Nash Thu, 04/19/2007 - 14:14

I think it would be nice for each message tracked by CASE to have information about the reason for the scoring, but not as much as is told at debug level.

I haven't taken any interest in the CASE logs so I don't know exactly what's in them, but I can't see IronPort putting the information you want in there, either. That would allow spammers to buy something small like a C10, feed their spam through it, and use the log results to tune their spam.

We ran into exactly the same issue when we first started using IronPort/Brightmail back in 2004. It's frustrating, because honest customers feel like they have a right to know what's going on with their mail. I can't say I disagree with that. But giving an attacker an "oracle" by which he can indirectly view the inner workings of your defenses gives him an extreme advantage in subverting them. Therefore this stuff must be kept secret.
