In PhishProtection, there are three methods via which a message may be "tagged" as spam:

  1. A user-visible banner may be injected into the top or bottom of the message content
  2. A user-visible subject-line prefix may be added to the Subject header of the message
  3. A set of non-user-visible X-headers will be injected into the message structure


The headers documented in this KB can be used to filter email messages. A typical use case would be to create transport or mail flow rules to disposition the messages based on the criteria. 


Headers are always included with the messages, and the same triggers that set these headers also insert the message-body banners. However, the banners can be disabled by the admin and may not be visible to every end user. The message headers cannot be disabled and are ideal for triggering quarantine actions in message rules on your email server.


Example mail flow rules for Office 365.



High Spam Score


Sample Banner:


No visible banner added to message content


When either the "Suspect Mail Action" or "Spam Mail Action" delivery settings are set to "Deliver with Tag", a user-visible prefix *SPAM* is added to the message subject line. Choosing "Deliver without Tag" will suppress this subject-line prefix.


Headers:


X-Spam-Flag=YES|NO

When an email is classified as spam or suspect, this header will be set to YES; otherwise, it will be set to NO.


X-Spam-Tag=spam|suspect

When the header X-Spam-Flag=YES is present, the value of the accompanying X-Spam-Tag header identifies why the message was tagged as spam:

  • spam = the message received a spam score above the "reject" threshold
  • suspect = the message received a spam score above the "tag" threshold but below the "reject" threshold


External Message Notice


Sample Banner:



Headers:


X-PhishProtection-Warning: external_sender

Triggered when an email comes from an external domain. This is probably the simplest example and adds to the existing functionality of services like Office 365. The message is not only tagged as external but the sending domains are incorporated into the warning displayed to the end user:



Impersonation Banner


Sample Banner:


Headers:


X-PhishProtection-Warning: domainimp

Triggered when an email is sent from a domain that closely matches your own internal domain. This is flagged as red, as it is more than likely a phishing attempt. This rule may also trigger (but can be whitelisted) if you own multiple legitimate top-level domains with different extensions, such as .com and .net.


X-PhishProtection-Warning: senderspoof
X-PhishProtection-Warning: senderimp

Triggered when the Friendly From (the display name) of an email impersonates the name of a user in the organization.



SPF Banner


Sample Banner:


Headers:

X-PhishProtection-Warning: spf_soft_fail

Triggered when an email arrives from a server whose IP address is not listed in the SPF record for the sending domain. This could be a misconfiguration or a spoofing attempt.


X-PhishProtection-Warning: spf_soft_fail_self

Triggered when an email that claims to be from your own domain arrives from a server not listed in your domain's SPF record, and your SPF record ends in ~all (soft fail) rather than -all (hard fail). This means you are receiving emails from your own domain from a set of servers not explicitly permitted by your SPF policy. This may be spoofing, but because of the SPF policy, the email is not rejected.
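The following is an added example, not PhishProtection's own code, showing how a mail-server rule could read the headers documented above and decide a disposition. The sample message and the quarantine/junk/deliver policy are assumptions chosen for illustration; the header names and values are the ones listed in this KB.

```python
import email
from email import policy

# Assumed policy for this example: which X-PhishProtection-Warning values
# justify quarantine, and which are adequately handled by the visible banner.
QUARANTINE_WARNINGS = {"domainimp", "senderspoof", "senderimp"}
DELIVER_WARNINGS = {"external_sender", "spf_soft_fail", "spf_soft_fail_self"}

# Constructed sample message (not a real capture); headers follow the KB.
SAMPLE_IMPERSONATION = """\
From: "Jane Doe" <jane@examp1e.com>
To: bob@example.com
Subject: *SPAM* Urgent wire transfer
X-Spam-Flag: YES
X-Spam-Tag: suspect
X-PhishProtection-Warning: external_sender
X-PhishProtection-Warning: domainimp

Please wire the funds today.
"""

SAMPLE_CLEAN = "From: alice@example.com\nSubject: lunch\nX-Spam-Flag: NO\n\nSee you at noon.\n"


def parse_tags(raw_message):
    """Return (spam_flag, spam_tag, warnings) read from the PhishProtection headers."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    spam_flag = str(msg.get("X-Spam-Flag", "NO")).strip().upper()
    spam_tag = str(msg.get("X-Spam-Tag", "")).strip().lower()
    # The warning header can appear more than once (e.g. external_sender + domainimp).
    warnings = [str(w).strip().lower() for w in msg.get_all("X-PhishProtection-Warning", [])]
    return spam_flag, spam_tag, warnings


def disposition(raw_message):
    """Decide quarantine / junk / deliver the way a transport rule would, with reasons."""
    spam_flag, spam_tag, warnings = parse_tags(raw_message)
    action, reasons = "deliver", []
    if spam_flag == "YES":
        reasons.append(f"X-Spam-Tag={spam_tag or 'unknown'}")
        # "spam" = above the reject threshold; "suspect" = above the tag threshold only.
        action = "quarantine" if spam_tag == "spam" else "junk"
    for warning in warnings:
        reasons.append(f"X-PhishProtection-Warning={warning}")
        # Impersonation warnings, and any value this rule does not know, go to quarantine.
        if warning in QUARANTINE_WARNINGS or warning not in DELIVER_WARNINGS:
            action = "quarantine"
    return action, reasons


if __name__ == "__main__":
    print(disposition(SAMPLE_IMPERSONATION))  # ('quarantine', [...])
```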