Interpreting headers added by Postini

cynicalone
Dabbler
Posts: 25
Registered: ‎17-09-2007

Re: Interpreting headers added by Postini

Let me try to help here as one of the people that worked on the internal and live trials. There are several PSTN headers, excluding the Plusnet introduced X-pn-pstn ones. Jelv has correctly identified two of the most important, but you should also see one for 2strike. Let me try to explain these:
x-pstn-level - This is the only one which actually scores the email, the others are hints that can be used with this header. The first number after the S: goes from 99.9999, not spam, to 0 which is definite spam. If we were using the Postini quarantine system on level 1 anything which was 0.15 would land in their quarantine, level 2 is 0.25. The R:, P:, M:, and C: scores are ratings for specific types of spam.  These are "Sexually Explicit", "Get Rich Quick", "Special Offers", and "Racially Insensitive". The closer they get to 100 the more probable the email is spam.  Each one of these can be set to a different level, but again changing this only has relevance when using the Postini quarantine at the moment.

X-pstn-settings - This gives the current levels which are set for the detection engine, and we use level 1. This actually has little relevance due to not using the Postini quarantine.
x-pstn-2strike - If an email is received from a source, and looks like spam, then the first instance is assumed to be "clear". Postini block spams which they are 100% sure of, and so if a source is spamming until it generates a level great enough to trigger blocking this header can be used to tag an email as suspect, rather than definitive spam.
You may also see a header for "neptune", though this one is still being worked on by Postini. At the moment we don't make use of this as we only got access to the header one week before commencing the live trial.
How do we use this? Well, to be brief, we add the x-pn-pstn header according to the following rules:
x-pn-pstn = 1 means that 2strike is present and not set to clear. Plus the S: level is less than 0.3.
x-pn-pstn = 2 means that the 2strike is not present, or present and set clear. Also the S: level is < 0.2

NOTE - If all your emails are missing these headers, but you are on the trial and can see a Postini server in the received list of the header, this would mean that your default user is missing from your domain.

I hope this helped to clarify some points. Have a good Christmas and new year.
Geoff
Community Veteran
Posts: 26,780
Thanks: 983
Fixes: 10
Registered: ‎10-04-2007

Re: Interpreting headers added by Postini

I think you've repeated the error Bob made. Spam 2 is given if the S begins 0, 1 or 2 - so 0.299999 gets a Spam 2.
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£14.40/month)
Mobile: iD mobile (£4/month)
jberry
Grafter
Posts: 1,886
Registered: ‎08-06-2007

Re: Interpreting headers added by Postini

To clear this one up, the system currently has three different checks in place:
x-pn-pstn = 1
* This means that 2strike is present and not set to clear. Plus the S: level is < 1
x-pn-pstn = 2
This means that either:
* The 2strike is not present and the S: level is < 0.3
* Or, present and set clear. Also the S: level is < 0.06
Just as an aside. These levels were determined after a lot of testing on our internal mail platform, tweaking the values and getting feedback of false positives and negatives.
Community Veteran
Posts: 26,780
Thanks: 983
Fixes: 10
Registered: ‎10-04-2007

Re: Interpreting headers added by Postini

Apart from the tagging of the Community forum notification emails as Spam 2 the Spam 2 level looks good to me. Still haven't seen a Spam 1.
jelv (a.k.a Spoon Whittler)
jberry
Grafter
Posts: 1,886
Registered: ‎08-06-2007

Re: Interpreting headers added by Postini

I am beginning to think that something changed when we upgraded the Postini software because this did pick up messages when running on our internal mail.
In the new year we'll have a look through the headers as they are now and look to getting some testing on the internal mail again if they have changed.
Moderator
Moderator
Posts: 27,927
Thanks: 2,176
Fixes: 236
Registered: ‎14-04-2007

Re: Interpreting headers added by Postini

Quote from: jelv
Still haven't seen a Spam 1.

I created a folder in Outlook set to collect Spam 1 when this header marker was initiated.
Nothing has ever gone into it.

Customer and Forum Moderator. Windows 10 Firefox 67.0 (64-bit)

jberry
Grafter
Posts: 1,886
Registered: ‎08-06-2007

Re: Interpreting headers added by Postini

So,
Just to test a theory, I switched my message rules back to keeping the messages that would be marked Spam 1 on our corporate mail.
Over Christmas I have received messages picked up by this, sample headers are:
X-pstn-2strike: 7236
X-pstn-neptune: 0/0/0.00/0
X-pstn-levels: (S: 0.96331/99.72917 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )
X-pstn-settings: 3 (1.0000:1.0000) s gt3 gt2 gt1 r p m c
Based on this, I reckon that it is maybe just the differences between customer and corporate mail that mean this is rarely (if ever) used.
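The tagging rules jberry lists earlier in the thread, applied to the header samples quoted in this thread, as an added example that is not part of any post and is not Plusnet's or Postini's code. The function names are hypothetical and the thresholds are the figures posted in the thread.

```python
import re
from email import message_from_string

# Thresholds as posted by jberry in this thread (poster's figures, may be outdated).
STRIKE_SET_MAX = 1.0     # 2strike present and not "clear"  -> x-pn-pstn = 1
NO_STRIKE_MAX = 0.3      # 2strike header absent            -> x-pn-pstn = 2
STRIKE_CLEAR_MAX = 0.06  # 2strike present and "clear"      -> x-pn-pstn = 2

# The first number after "S:" is the score: 99.9999 = not spam, 0 = definite spam.
_S_SCORE = re.compile(r"\(\s*S:\s*([0-9]+(?:\.[0-9]+)?)")


def parse_s_score(levels_value):
    """Return the S: score from an X-pstn-levels value, or None if absent/unparseable."""
    match = _S_SCORE.search(levels_value or "")
    return float(match.group(1)) if match else None


def classify(raw_headers):
    """Hypothetical helper: return 1, 2 or None (untagged) for a raw header block."""
    msg = message_from_string(raw_headers)  # header lookup is case-insensitive
    score = parse_s_score(msg.get("X-pstn-levels"))
    if score is None:
        return None  # no Postini score, so nothing to base a tag on
    strike = msg.get("X-pstn-2strike")
    if strike is None:
        return 2 if score < NO_STRIKE_MAX else None
    if strike.strip().lower() == "clear":
        return 2 if score < STRIKE_CLEAR_MAX else None
    return 1 if score < STRIKE_SET_MAX else None


# Header blocks quoted in the thread (corporate mail sample, employer account sample).
CORPORATE = (
    "X-pstn-2strike: 7236\n"
    "X-pstn-neptune: 0/0/0.00/0\n"
    "X-pstn-levels: (S: 0.96331/99.72917 R:95.9108 P:95.9108 M:97.0282 C:98.6951 )\n"
    "X-pstn-settings: 3 (1.0000:1.0000) s gt3 gt2 gt1 r p m c\n"
)
EMPLOYER = (
    "X-pstn-neptune: 13/1/0.08/43\n"
    "X-pstn-levels:    (S:24.66688/99.90000 R:95.9108 P:95.9108 M:95.5423 C:86.0174 )\n"
    "X-pstn-settings: 4 (1.5000:1.5000) s gt3 gt2 gt1 r p m c\n"
)

if __name__ == "__main__":
    print(classify(CORPORATE), classify(EMPLOYER))
```

Under these thresholds the corporate sample is tagged 1 and the employer sample is left untagged; a filter built on this should treat a missing or unparseable X-pstn-levels header as "no decision" rather than as clean mail.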
Superuser
Superuser
Posts: 9,929
Thanks: 1,271
Fixes: 71
Registered: ‎06-04-2007

Re: Interpreting headers added by Postini

For 'definite' I think Postini might have changed the headers in the latest release so that what was '2strike: integer' is now 'xfilter: y' (not 'yes' as described in the header descriptions). If that is the case it would explain why trialists (using a later release?) don't see SPAM 1. I have had the xfilter header.
Also there's an interesting "s" in that 'settings' line. Haven't seen that in the header descriptions.
David
mikeb
Grafter
Posts: 367
Registered: ‎10-06-2007

Re: Interpreting headers added by Postini

Hmmmmmm ...............
Well, whatever the situation might be in reality, x-pstn-2strike: [number] still continues to be an undocumented feature so far as all publicly available postini data is concerned. I did raise the question of postini versions and updates etc ages back as well as identifying the relatively recent appearance of x-pstn-xfilter: header. I did also suggest that maybe it was 'old' information from a previous version of the system that was no longer relevant somewhere as well. But either way and whatever the real answer might be, something really does tell me that as also threatened ages back, I probably do indeed need to wheel out Mr.RTFM here in order to demonstrate 'best practice' in such situations rather than taking the suck-it-and-see, trial-and-error or we-have-always-done-it-so-it-must-be-right stylee approach
However, it is quite interesting that an example was apparently found during the Christmas break seeing that the latest release of postini documentation appears to be V6.12 dated 14th December which implies no formal changes since then.  When was that message actually received ?
Of course, all this does raise yet another very serious potential issue.  If postini can and do make random changes to fundamental headers willy-nilly then what exactly are PN going to do to ensure that such actions are not going to 'upset' their analysis and result in problems for customers ?
How are PN going to track and evaluate any changes that postini may make to their systems so that they can take appropriate action to ensure that customers don't get problems ?
How are such version changes or other tweaks announced and monitored ?
It would appear that some form of reliable configuration management is going to be pretty essential here to avoid customers experiencing problems that PN could and should have sorted way before they happened.
Community Veteran
Posts: 26,780
Thanks: 983
Fixes: 10
Registered: ‎10-04-2007

Re: Interpreting headers added by Postini

Mike, Have you found any messages with x-pstn-2strike: [number] header? All of the emails I've seen with x-pstn-2strike: have it set to clear.
jelv (a.k.a Spoon Whittler)
mikeb
Grafter
Posts: 367
Registered: ‎10-06-2007

Re: Interpreting headers added by Postini

Nope. As I said somewhere else on here, I've seen absolutely no evidence that x-pstn-2strike can be anything other than "not present at all" or have the value "clear". There is no evidence that I can see anywhere on the postini site or in any of the manuals or user guides to indicate that it can be anything else either. This was why I asked for documentary evidence to substantiate the PN claim.  It would appear that it does indeed exist in messages via the PN internal system but the question "why" still remains as does seeing some documentary evidence from postini to explain what it is all about.
The postini header analyzer also appears to completely ignore any value other than "clear". Mind you, there was a time when the analyzer also appeared to basically ignore any reference to x-pstn-2strike whatsoever, but more recently it has been taking note if it has the value "clear".  It seems that postini do go a tweaking as/when required but I've not found any status, update notification or similar info page anywhere - not that I've tried particularly hard TBH.
I suspect that it is either a very old and subsequently removed condition, another configuration problem somewhere or simply that the PN internal and customer facing postini systems/configurations are fundamentally different. Either way it raises an 'interesting' potential problem regarding postini making changes that could break PNs implementation.  It also casts more doubt on the validity of the PN internal trial and comparing results of that trial with the current set up or using historic data to make decisions on what to do now. I still find it incredibly odd and quite unlikely that none of the strange issues that have come up were ever seen internally.
Moderator
Moderator
Posts: 27,927
Thanks: 2,176
Fixes: 236
Registered: ‎14-04-2007

Re: Interpreting headers added by Postini

So just to make it crystal clear to myself.
If S=99.999 then that's zero % chance of it being Spam
If S=0 then that's 100% chance of it being Spam
Well that's logical enough for anyone

Edit: I think I'll stick to Spam 2 for now.


bobp
Grafter
Posts: 64
Registered: ‎29-06-2007

Re: Interpreting headers added by Postini

or
If S=99.999 then it's 99.999% chance of being OK
If S=0 then it's 0% chance of being OK
bobp
Community Veteran
Posts: 3,366
Thanks: 15
Registered: ‎06-04-2007

Re: Interpreting headers added by Postini


The 2strike header does not show up on the postini account used by my employer, the only postini headers I get in a message are:
Quote
X-pstn-neptune: 13/1/0.08/43
X-pstn-levels:    (S:24.66688/99.90000 R:95.9108 P:95.9108 M:95.5423 C:86.0174 )
X-pstn-settings: 4 (1.5000:1.5000) s gt3 gt2 gt1 r p m c

SW.
--
3Mb FTTC
https://portal.plus.net/my.html?action=data_transfer_speed
Community Veteran
Posts: 26,780
Thanks: 983
Fixes: 10
Registered: ‎10-04-2007

Re: Interpreting headers added by Postini

How many message headers did you check? It will only show up on spammy messages and is quite rare.
jelv (a.k.a Spoon Whittler)