By Ian Matthews, Up & Running Technologies Inc, February 10, 2010 Last Updated February 11, 2010
If you are new to Exchange it can be VERY frustrating trying to find out what happened to a particular email message which you suspect was caught in your spam filter. This page will help you understand Exchange 2007 / 2010 logging and message tracking.
Often, a user will complain that an inbound message was bounced. The first thing you need to do is confirm that YOUR server bounced it, so get the user to have the failure message forwarded to a non-Exchange address (e.g. @yahoo.com) so you can inspect it.
If you see something like:
550 5.7.1 Message rejected as spam by Content Filtering.
and it says it came from your server, you should read on.
The first thing you need to know is that MESSAGE TRACKING (from the Exchange Management Console [EMC] TOOLBOX) does NOT show messages rejected by Exchange's AntiSpam. Why not? Ya, that is a really good question. Fortunately it is still not rocket science to figure out what happened.
The ONLY log in which Exchange keeps information on AntiSpam messages is the Agent Log, which is located by default in:
c:\PROGRAM FILES\MICROSOFT\EXCHANGE SERVER\TRANSPORTROLES\LOGS\AGENTLOG
If you look in there and find no information, enable the logging (yes, it is OFF by default):
1. Open the following file by using Notepad:
C:\Program Files\Microsoft\Exchange Server\Bin\EdgeTransport.exe.config
2. Modify the following line in the <appSettings> section:
<add key="AgentLogEnabled" value="TRUE" />
3. Save and close the EdgeTransport.exe.config file
4. Restart the Microsoft Exchange Transport service.
Note that Microsoft will NOT tell you exactly what offended the AntiSpam rules because they don’t want spammers to figure out their algorithms. However, once you are recording the events, the Agent Log will provide some useful details.
The first thing you should do is copy one of the agent logs to your PC and open it with EXCEL. Note that it is in Comma Separated Value (CSV) format even though it is a .LOG file. Most of the columns are self-explanatory, except the last one… which is the important one.
I recently had to diagnose what:
translated to, so let's go over it.
The first section, DV, stands for DAT Version. In other words, which update to the MS AntiSpam definitions you are using.
The next part was more interesting. A SID status of SoftFail turns out to mean that the server which sent the email MIGHT NOT be authorized to send mail for the domain in question. This will increase the SCL (Spam Confidence Level) score and put this message over the edge.
If you are wondering what you can control in the AgentLog (i.e. how long the logs are retained, the maximum size…), read THIS easy to understand Microsoft article.
For details on “SID” (Sender ID), read THIS short Microsoft document.
For a complete description of all the DIAGNOSTIC CODES (i.e. the last field in the Agent Log) use the following table.
The following table is taken directly from THIS Microsoft page.
SID: The Sender ID (SID) stamp is based on the sender policy framework (SPF) that authorizes the use of domains in e-mail. The SPF is displayed in the message envelope as
The Sender ID stamp is displayed as an X-Header in the message envelope as follows:
For more information about Sender ID, see Understanding Sender ID.
DV: The DAT version (DV) stamp indicates the version of the spam definition file that was used when scanning the message.
SA: The signature action (SA) stamp indicates that the message was either recovered or deleted because of a signature that was found in the message.
SV: The signature DAT version (SV) stamp indicates the version of the signature file that was used when scanning the message.
PCL: The phishing confidence level (PCL) stamp displays the rating of the message based on its content and is applied when the message is processed by the Content Filter agent. This status can be returned as one of the following values:
The PCL value can range from 1 through 8. A PCL rating from 1 through 3 returns a status of
The values are used to determine what action Outlook takes on messages. Outlook uses the PCL stamp to block the content of suspicious messages.
The PCL stamp is displayed as an X-header in the message envelope as follows:
SCL: The spam confidence level (SCL) stamp of the message displays the rating of the message based on its content. The Content Filter agent uses Microsoft SmartScreen technology to assess the contents of a message and to assign an SCL rating to each message. The SCL value is from 0 through 9, where 0 is considered less likely to be spam, and 9 is considered more likely to be spam. The actions that Exchange and Outlook take depend on your SCL threshold settings.
The SCL stamp is displayed as an X-header in the message envelope as follows:
For more information about SCL thresholds and actions, see Understanding Spam Confidence Level Threshold.
CW: The custom weight (CW) stamp of a message indicates that the message contains an unapproved word or phrase and that the SCL value, or weight, of that unapproved word or phrase was applied to the final SCL score:
For more information about how to add approved and unapproved words or phrases to the Content Filtering agent, see Configure Content Filtering Properties.
PP: The presolved puzzle (PP) stamp indicates that if a sender’s message contains a valid, solved computational postmark, based on Outlook E-mail Postmark validation functionality, it’s unlikely that the sender is a malicious sender. In this case, the Content Filter agent would reduce the SCL rating.
The Content Filter agent doesn’t change the SCL rating if the E-mail Postmark validation feature is enabled and either of the following conditions is true:
For more information about the postmark validation feature, see Configure Content Filtering Properties.
TIME:TimeBasedFeatures: The TIME stamp indicates that there was a significant time delay between the time that the message was sent and the time that the message was received. The TIME stamp is used to determine the final SCL rating for the message.
MIME:MIMECompliance: The MIME stamp indicates that the e-mail message isn’t MIME compliant.
P100:PhishingBlock: The P100 stamp indicates that the message contains a URL that’s present in a phishing definition file.
IPOnAllowList: The IPOnAllowList stamp indicates that the sender’s IP address is on the IP Allow list. For more information about the IP Allow list, see Understanding Connection Filtering.
MessageSecurityAntispamBypass: The MessageSecurityAntispamBypass stamp indicates that the message wasn’t filtered for content and that the sender has been granted permission to bypass the anti-spam filters.
SenderBypassed: The SenderBypassed stamp indicates that the Content Filter agent doesn’t process any content filtering for messages that are received from this sender. For more information, see Configure Content Filtering Properties.
AllRecipientsBypassed: The AllRecipientsBypassed stamp indicates that one of the following conditions was met for all recipients listed in the message:
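Rather than eyeballing the last column in Excel, you can pull the rejected messages and their stamps out of an agent log with a few lines of script. The following Python is an added example, not code from the original article or from Microsoft; the embedded log is a constructed sample whose column names follow the Exchange 2007/2010 agent log header, and it assumes the Diagnostics field is a semicolon-separated list of NAME:VALUE stamps as described in the table above.

```python
import csv
import io
from typing import Dict, List

# Constructed sample agent log (CSV with a header row, even though the real
# files are named *.LOG). Addresses, IPs and IDs are made up for illustration.
SAMPLE_AGENT_LOG = """\
Timestamp,SessionId,IPAddress,MessageId,P1FromAddress,P2FromAddresses,Recipients,Agent,Event,Action,SmtpResponse,Reason,ReasonData,Diagnostics
2010-02-10T14:03:11.000Z,08CC7A1B2C3D4E5F,192.0.2.10,<msg1@sender.example>,alice@sender.example,alice@sender.example,bob@corp.example,Content Filter Agent,OnEndOfData,RejectMessage,550 5.7.1 Message rejected as spam by Content Filtering.,SclAtOrAboveRejectThreshold,8,DV:3.3.4604.600;SID:SoftFail;SCL:8;TIME:TimeBasedFeatures
2010-02-10T14:05:42.000Z,08CC7A1B2C3D4E60,198.51.100.7,<msg2@partner.example>,news@partner.example,news@partner.example,bob@corp.example,Content Filter Agent,OnEndOfData,AcceptMessage,,,,DV:3.3.4604.600;SID:Pass;SCL:1
"""


def parse_diagnostics(field: str) -> Dict[str, str]:
    """Split 'DV:x;SID:SoftFail;SCL:8;TIME:TimeBasedFeatures' into a dict.
    A stamp with no colon (e.g. IPOnAllowList) maps to an empty string."""
    stamps: Dict[str, str] = {}
    for part in field.split(";"):
        part = part.strip()
        if part:
            name, _, value = part.partition(":")
            stamps[name] = value
    return stamps


def rejected_by_content_filter(log_text: str) -> List[dict]:
    """Return one record per message the Content Filter agent rejected,
    with the DV, SID and SCL stamps broken out of the Diagnostics column."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["Agent"] != "Content Filter Agent" or row["Action"] != "RejectMessage":
            continue
        stamps = parse_diagnostics(row["Diagnostics"])
        hits.append({
            "timestamp": row["Timestamp"],
            "sender": row["P1FromAddress"],
            "recipients": row["Recipients"].split(";"),
            "scl": int(stamps.get("SCL", -1)),   # -1 if no SCL stamp present
            "sid": stamps.get("SID", ""),         # e.g. Pass, SoftFail, Fail
            "dat_version": stamps.get("DV", ""),
            "smtp_response": row["SmtpResponse"],
        })
    return hits


if __name__ == "__main__":
    for hit in rejected_by_content_filter(SAMPLE_AGENT_LOG):
        print(f"{hit['timestamp']} {hit['sender']} -> {hit['recipients']}: "
              f"SCL={hit['scl']} SID={hit['sid']} DV={hit['dat_version']}")
```

To run it against a real log, replace SAMPLE_AGENT_LOG with the contents of a file from the AGENTLOG folder; multiple recipients in one row are separated by semicolons, which is why Recipients is split that way.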