Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
14618
Views
0
Helpful
3
Replies

X-IronPort-Anti-Spam-Result Header

salware_ironport
Level 1
Level 1

‎04-19-2007 09:58 AM

Hello:

Is there any way to decode the header X-IronPort-Anti-Spam-Result. I think it has some information about the rules and the score the message ranked in CASE, but it's not explained it's meaning or how to decode.

It would be useful for me for understanding false positives in spam and which rules where aplied.

Labels:
0 Helpful
3 Replies 3

Mark [CSE]_ironport
Level 1
Level 1

‎04-19-2007 11:29 AM

There is no way for our customer to decode those headers. This is done because SPAM could use those information to reduce the catchrate of the IronPort Anti Spam engine.

If you have question about those headers please submit those header to customersupport and ask for some feedback.

Cheers,

Mark

0 Helpful

salware_ironport
Level 1
Level 1

‎04-19-2007 12:09 PM

My other choice is the CASE logs. But I think Information level has not information and debug is too exhaustive.

I think I would be nice for each message tracked by CASE having information about the reason of the scoring but not so much as tell in debug level.

For instance:

MID xxxx score Y
a points because of URL found in body
b points because of image
............

Which is the range for the score in CASE and the relationship with the theresholds in policy?

0 Helpful

Donald Nash
Level 3
Level 3

‎04-19-2007 02:14 PM 

I think I would be nice for each message tracked by CASE having information about the reason of the scoring but not so much as tell in debug level.

I haven't taken any interest in the CASE logs so I don't know exactly what's in them, but I can't see IronPort putting the information you want in there, either. That would allow spammers to buy something small like a C10, feed their spam through it, and use the log results to tune their spam.

We ran into exactly the same issue when we first started using IronPort/Brightmail back in 2004. It's frustrating, because honest customers feel like they have a right to know what's going on with their mail. I can't say I disagree with that. But giving an attacker an "oracle" by which he can indirectly view the inner workings of your defenses gives him an extreme advantage in subverting them. Therefore this stuff must be kept secret.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents