Headers
The Postini spam filter places information in email headers that may be useful either for determining email disposition or for handling support issues.
All Postini numeric header values display 5 digits to the right of the decimal place.
Postini minimizes processing time by only scanning for categories that the user has enabled. For example, if a user turns off the commercial category, the commercial score will not show, as it is not computed. If you do not have access to Industry Heuristics (IH), the IH score will not be computed or displayed.
X-pstn-levels Header - Letter/number Pairs and Scoring
The letter/number pairs that appear on X-pstn-levels tell you which filters (if any) were triggered and to what degree. The letters that may appear on this line are:
S - General/bulk “spam score”
P - Sexually explicit (porn) spam
M - Make-money-fast spam (MMF)
C - Commercial or “special offer” spam
R - Racially insensitive spam
Spam Score
A spam score of 100 on the S filter would indicate that this email contains nothing that triggers the general spam filter (it is a valid message). The lower the score, the more likely that this message is spam.
Category Scores
A message is assigned to a filter category when its score in that category is an 85 or below.
Example:
X-pstn-levels: (S: 0.00000/60.95723 R:95.91080 P:95.91081 M:64.93900 C:93.23770 )
X-pstn-settings: 5 (2.00000:8.00000) r p M c
The overall spam score is S: 0.00000. This is a Make-Money-Fast (M) spam message, as shown by the capital M in the X-pstn-settings line.
A score of 85 or below triggers a category filter and in this example the Make-Money-Fast score is M:64.9390.
The X-pstn-levels header will not be listed in the headers if one of the recipients has Bulk Email protection disabled. This means that if the email message is sent to two users, one with the Bulk Email filter turned on and the other with it turned off, Postini will not include this header.
SSB Score
A second numeric evaluation, the SSB score, appears after the spam score on the X-pstn-levels header. The SSB score is used by the spam engine to identify messages that should be bounced or blackholed by Sublenient Spam Blocking. Unlike the spam score, the SSB score should not be evaluated directly.
Example:
X-pstn-levels: (S: 0.00010/62.95723 )
The spam score ("S:") is separated from the SSB score by a slash ("/"). The SSB score will always appear, even if SSB is not turned on.
Should a message score as sublenient, the SSB disposition of bounce or blackhole will result in the message being discarded. Thus, we do not need to worry about headers for those messages. The reason the SSB score was added is to make it clear to someone evaluating the headers that the message did meet the spam score criterion but failed to meet the SSB score criterion.
X-pstn-settings Header
User Settings
The X-pstn-settings line shows the recipient’s spam settings. It will not be present in a message that was delivered to multiple recipients.
The format of this header is:
X-pstn-settings: Bulk Filter Setting (Base Threshold : Effective Threshold) category filters
Example:
X-pstn-settings: 5 (2.0000:8.0000) r p M C
The first number is the user's Bulk Filter (base) spam setting:
1 = lenient
2 = less lenient
3 = moderate
4 = more aggressive
5 = most aggressive
In the example above, the user’s bulk filter was set to 5, the most aggressive setting.
The parenthesized pair of numbers indicates the user's base threshold and effective threshold. These are derived values and should not be directly interpreted, as they are subject to change.
If any C, M, P, or R filter that the user turned on has a value less than 85, the effective threshold value is a multiple of the base threshold value. If none of these filters is less than 85, the threshold value is the same as the base value.
The final letters on the line indicate what filters the user had turned on and which had values less than 85 (these are in upper case). In the above example, the make-money-fast (M) and the commercial offer (C) category filters were triggered.
If a category filter is turned off, the letter representing it will not appear on this line.
Determining Whether or Not the Message is Spam
The final step in determining whether an email is quarantined or not is to compare the spam score against the threshold value.
If the spam score is less than the effective threshold, the email is considered spam. If it is greater, the email is sent to the recipient’s inbox.
Example:
X-pstn-levels: (S: 0.00000/60.95723 R:95.91080 P:95.91081 M:64.93900 C:93.23770 )
X-pstn-settings: 5 (2.00000:8.00000) r p M C
In this example, the spam score is 0.00000 and the effective threshold is 8.00000. Since 0.00000 is less than 8.00000, this message is spam.
X-pstn-addresses Header
Sample header line:
X-pstn-addresses: from <username@domain.com> forward (user good) [1119/49]
username@domain.com is the From address used in considering approved and blocked sender lists. If the address appears on one of these lists, the processing is terminated and the disposition noted on this line.
The text after the address can be one of the following 5 options:
[If nothing appears, the address was not on any of the following lists.]
- forward (org good) - the address is on the organization's Approved Senders list.
- quarantined (org bad) - the address is on the organization's Blocked Senders list.
- forward (user good) - the address is on the user's Approved Senders list.
- quarantined (user bad) - the address is on the user's Blocked Senders list.
- forward (good recip) - the address is on the user's Approved Mailing List.
The bracketed numbers at the end of the line are the total number of characters in the approved (or blocked) senders list / the total number of entries on the list. In this example there are 1119 characters in the approved senders list and the total number of entries in the list is 49. If the sender did not appear in the approved or blocked senders list, no numbers would appear at the end of the line.
The X-pstn-addresses header will not appear in the headers if the message was sent to multiple Postini users.
X-pstn-disposition Header
When a message has been delivered from an end-user's Message Center, the disposition is shown on the X-pstn-disposition line.
Example:
X-pstn-disposition: quarantine
This header states that the message was quarantined by Postini and was then delivered to the inbox from the Postini Message Center.
X-Apparently-From Header
The X-Apparently-From header is an AOL custom mail header that lists the sender's address when the email headers of a message sent via AOL's servers are forged.
This is not Postini functionality, so Postini does not guarantee that the information included in the header is correct.
X-pstn Headers and Attachment Manager
If the sender appears on the organization-based Approved Senders list, the message containing the attachment will be passed on to the recipient inbox. The header will look like this:
X-pstn-attach-addresses: from sender@address.com (approved)
Attachment Manager does not evaluate the end-user's Approved Senders list.
If a message is quarantined because it triggered an Attachment Manager filter, the X-pstn-disposition header will contain the same information as any other quarantined message. For example:
X-pstn-disposition: quarantine
X-pstn Headers and Content Manager
If a Content Manager filter is triggered, the following line will appear in the headers:
X-CM: name of triggered CM filter
X-pstn Headers and Industry Heuristics
There are four codes used by Industry Heuristics in X-pstn headers:
Content codes:
lc: legal content
fc: financial content
Transport codes:
lt: legal transport
ft: financial transport
These headers will only appear for those customers using Enterprise Edition. The transport categories will appear only on the X-pstn-settings line; the content categories will appear on both the X-pstn-levels and X-pstn-settings lines.
If content or transport filtering is not triggered, the codes appear on the X-pstn-settings line in lowercase letters. If filters are triggered, the codes appear in uppercase letters.
Content example:
X-pstn-levels: (S: 0.94030 FC:95.53901 LC:95.53900 R:95.91080 P:95.91080 M:98.96070 C:66.27330 )
X-pstn-settings: 3 (1.00000:2.00000) fc lc r p m C
In this example, the organization had both financial-content and legal-content categories turned on. These are scored categories, so they appear on the X-pstn-levels line ('FC:95.53901 LC:95.53900'). As with the other categories, they trigger when their scores drop below 85; in this case, neither triggered, so they again appear in lower case on the X-pstn-settings line.
Transport example:
X-pstn-levels: (S: 0.00410 R:95.91080 P:95.91080 M:99.40560 C:78.19610 )
X-pstn-settings: 3 (1.00000:2.00000) lt r p m C
In this example, the organization has the legal transport filter category turned on (the 'lt' on the X-pstn-settings line). It was not triggered, but it would be an uppercase 'LT' if it had. The transport categories don't get numeric scores, so they don't appear in the X-pstn-levels line.
Analyzing Headers Example
X-pstn-levels: (S: 0.46800 R:95.91081 P:95.91081 M:99.85141 C:55.44761 )
X-pstn-settings: 5 (2.00000:8.00000) r p m C
X-pstn-addresses: from
X-pstn-disposition: quarantine
In the above example:
- The overall spam score is 0.46800.
- The only category filter triggered was the Commercial Offer filter (C).
- The user’s Bulk Spam filter was set to Most Aggressive (5).
- The effective threshold was 8.00000.
- This message is spam. We know it is spam because we compare the spam score (S: 0.46800) against the threshold value (8.00000). If the spam score is less than the effective threshold, the email is considered spam. In this example, 0.46800 is less than 8.0000, so this message is spam.
- This message was quarantined in the Message Center. We know this by looking at the X-pstn-disposition header.
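The same analysis can be scripted. The following is an added example, not Postini's code: it parses X-pstn-levels and X-pstn-settings (including the SSB score and the two-letter Industry Heuristics codes) and applies the spam-score-versus-effective-threshold comparison described above. The function names and result keys are this example's own; the sample headers are the ones from the example above.

```python
import email
import re

BULK_LEVELS = {1: "lenient", 2: "less lenient", 3: "moderate",
               4: "more aggressive", 5: "most aggressive"}
NUM = r"\d+(?:\.\d+)?"

def parse_levels(value):
    """Return (spam_score, ssb_score or None, {category: score})."""
    m = re.search(rf"\bS:\s*({NUM})(?:/({NUM}))?", value)
    if not m:
        raise ValueError("no S: score in X-pstn-levels")
    ssb = float(m.group(2)) if m.group(2) else None
    cats = {k.upper(): float(v)
            for k, v in re.findall(rf"\b([A-Za-z]{{1,2}}):\s*({NUM})", value)
            if k.upper() != "S"}
    return float(m.group(1)), ssb, cats

def parse_settings(value):
    """Split 'N (base:effective) letters' into its documented parts."""
    m = re.match(rf"\s*([1-5])\s*\(\s*({NUM})\s*:\s*({NUM})\s*\)(.*)", value)
    if not m:
        raise ValueError("unrecognised X-pstn-settings value")
    codes = m.group(4).split()
    return {"bulk_filter": BULK_LEVELS[int(m.group(1))],
            "base": float(m.group(2)), "effective": float(m.group(3)),
            "enabled": [c.upper() for c in codes],           # filters turned on
            "triggered": [c for c in codes if c.isupper()]}  # upper case = triggered

def analyze(raw_message):
    """Apply the page's rule: spam if spam score < effective threshold."""
    msg = email.message_from_string(raw_message)
    levels, settings = msg["X-pstn-levels"], msg["X-pstn-settings"]
    result = {"disposition": msg["X-pstn-disposition"], "is_spam": None}
    if levels is None or settings is None:
        return result  # the page notes these headers can be absent; no verdict
    spam, ssb, cats = parse_levels(levels)
    result.update(parse_settings(settings), spam_score=spam, ssb_score=ssb,
                  category_scores=cats)
    result["is_spam"] = spam < result["effective"]
    return result

# Header values copied from the "Analyzing Headers Example" on this page.
SAMPLE = """\
X-pstn-levels: (S: 0.46800 R:95.91081 P:95.91081 M:99.85141 C:55.44761 )
X-pstn-settings: 5 (2.00000:8.00000) r p m C
X-pstn-disposition: quarantine
"""
```

Calling `analyze(SAMPLE)` reports the message as spam with only the C filter triggered. The parser reads whatever header values are present in the message; it does not verify that Postini added them.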