Spam Scores

andyrogers
Grafter
Posts: 131
Registered: 30-07-2007

Spam Scores

Bob
With Postini here http://community.plus.net/blog/2008/02/01/postini-the-story-so-far/#scoring is a table explaining about the scoring in the headers, for the relevant Spam levels.
With Ironport how do you tell in the headers what Spam 1-5 should be triggered from, I can't seem to find any notes about this at the moment only this part :-
Quote
Spam scoring is based on Ironport's 'reputation based filter' and will be set to a conservative level. Messages with scores between -10 and -7 will be blocked, -7 to -2 will be throttled, -2 to +7 will be scanned for spams, and greater than +7 will be allowed, and assumed clean. These settings will allow us to continue offering the controls that are available in the Manage My Mail tool. A separate thread has been set up here for discussions surrounding spam scoring.
located here in this post http://community.plus.net/forum/index.php/topic,70212.0.html .
Thanks
Andy
18 REPLIES
Community Gaffer
Community Gaffer
Posts: 12,808
Thanks: 636
Fixes: 62
Registered: 04-04-2007

Re: Spam Scores

Hi Andy,
If I'm completely honest I'm not actually sure of the answer to this. Finding out more about the ins and outs of the spam scoring is on my list of things to do next week though.

Bob Pullen
Plusnet Products Team
If I've been helpful then please give thanks ⤵

andyrogers
Grafter
Posts: 131
Registered: 30-07-2007

Re: Spam Scores

Ok Thanks Bob
Your work is really appreciated.
Regards
Andy
ChrisL
Grafter
Posts: 733
Thanks: 2
Registered: 13-12-2007

Re: Spam Scores

I've just had my first spam for over a week  Grin
All the spams I've had since migration to Ironport have been marked Spam 3 -- whatever the IPAS score, etc.  Since the aggressiveness I have set in MMM is 3, I wonder if Spam 3 will be given to everything Ironport identifies as spam?  In other words, would the same obvious spam have been given Spam 1 if the aggressiveness set in MMM had been 1?
Chris
edit: I'm talking about the headers, of course -- all the spams have been correctly marked [-SPAM-] in the subject-line.
Community Gaffer
Community Gaffer
Posts: 12,808
Thanks: 636
Fixes: 62
Registered: 04-04-2007

Re: Spam Scores

Quote from: ChrisL
All the spams I've had since migration to Ironport have been marked Spam 3 -- whatever the IPAS score, etc.  Since the aggressiveness I have set in MMM is 3, I wonder if Spam 3 will be given to everything Ironport identifies as spam?  In other words, would the same obvious spam have been given Spam 1 if the aggressiveness set in MMM had been 1?

I wondered exactly the same thing a few days ago Chris when I noticed that all of mine were marked Spam 5 (aggressiveness was set to 5). I set aggressiveness to 3 & 4 across another two accounts but they're yet to receive any spam. I've a sneaking suspicion you're correct though.

Bob Pullen
Plusnet Products Team
If I've been helpful then please give thanks ⤵

Community Gaffer
Community Gaffer
Posts: 12,808
Thanks: 636
Fixes: 62
Registered: 04-04-2007

Re: Spam Scores

Chris, you are correct.
I've just posted the following over on the UserGroup forum in response to a post there. Hopefully this helps explain in a bit more detail how the spam scoring on IronPort works. Please take the X-SBRS: thresholds with a pinch of salt though as these values may have changed since they were first given to me. Even without the thresholds though you should get a pretty good idea as to how things work...
When mail comes into the IronPort it will block/refuse blatant spam as a result of its SenderBase reputation. This applies for all mail that passes through IronPort irrespective of a customer's spam preferences. If a message fails at this stage then you'll commonly see it rejected with a message similar to this.
Mail that is accepted by IronPort is then assigned a reputation score and passed to the next stage (I believe that's what the X-SBRS: header represents).
An LDAP query is then performed against the recipient address to see if it exists. If it doesn't then the mail is rejected with a message like this.
Assuming the message is still with us, it then undergoes 'policy' filtering. The first step of this is to decide whether or not to actually spam filter the message content. If the reputation score is high enough then the message will pass through as clean without undergoing any additional filtering (I believe this is an X-SBRS: score of greater than +7).
If the message is considered to be potential spam then it will undergo further policy filtering (I believe this is an X-SBRS: score between -7 and +7). What happens here is the bit that you can't really determine by looking at the headers of a message and is why we've not been able to provide a definitive explanation of the headers and scoring mechanics like we were able to with Postini. This is also where the aggressiveness filter comes into play and will affect whether or not a message actually gets identified as spam or not. The presence of the X-IPAS: and x-pn-pstn: headers in an email is used to identify whether or not a message has been identified as spam. The value of these headers will *always* be the same as the value you have the aggressiveness filter set to. An x-pn-pstn: score of '0' is not a spam score and indicates that the message is clean.
If you have Edge Protection switched on then this is also applied at the policy level. Messages that are almost certainly spam (I believe this is those with an X-SBRS: score below -7) are silently dropped. No rejection or failed delivery report is generated for these messages. We're looking at renaming 'Edge Protection' and updating the support content to reflect this.

Bob Pullen
Plusnet Products Team
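
The stages described in the reply above can be read back from a delivered message's headers. This is an added example, not part of the original post and not Plusnet or IronPort code; it assumes the thresholds quoted in the reply (which the poster says may have changed), that scores of exactly -7 or +7 fall in the scanned range, and that `x-pn-pstn` carries a bare integer. The sample messages are constructed.

```python
from email import message_from_string

# Thresholds as quoted in the reply above; the poster warns they may have changed.
SBRS_BLOCK_BELOW = -7.0   # below this: refused, or silently dropped with Edge Protection
SBRS_CLEAN_ABOVE = 7.0    # above this: passed as clean, content not scanned


def describe_delivery(raw_message):
    """Return (stage, verdict) inferred from one message's headers."""
    msg = message_from_string(raw_message)
    try:
        sbrs = float(msg.get("X-SBRS", "").strip())
    except ValueError:
        sbrs = None  # header missing or not numeric
    # Assumption: x-pn-pstn is a bare integer; 0 means clean, any other value
    # mirrors the aggressiveness setting and means "identified as spam".
    pstn = (msg.get("x-pn-pstn") or "").strip()

    if sbrs is None:
        stage = "no-reputation-score"
    elif sbrs < SBRS_BLOCK_BELOW:
        stage = "reputation-block-range"   # should not normally reach a mailbox
    elif sbrs > SBRS_CLEAN_ABOVE:
        stage = "reputation-pass"          # content filtering skipped
    else:
        stage = "policy-filtered"          # content scanned
    if pstn.isdigit() and int(pstn) > 0:
        verdict = "spam (level %s)" % pstn
    elif pstn == "0":
        verdict = "clean"
    else:
        verdict = "no verdict header"
    return stage, verdict


# Constructed sample messages (headers only matter here).
SAMPLES = {
    "scanned_spam": "X-SBRS: 5.3\nx-pn-pstn: 3\nSubject: [-SPAM-] offer\n\nbody\n",
    "scanned_clean": "X-SBRS: 1.0\nx-pn-pstn: 0\nSubject: hello\n\nbody\n",
    "trusted": "X-SBRS: 7.5\nSubject: newsletter\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, describe_delivery(raw))
```

The spam level reported is only the recipient's aggressiveness setting echoed back, so it says nothing about how confident the content scan was.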

ChrisL
Grafter
Posts: 733
Thanks: 2
Registered: 13-12-2007

Re: Spam Scores

Thanks for the explanation, Bob.  I guess if we want to understand the policy-filter bit, we're going to have to learn how to read this  Wink :
Quote
X-SBRS: 5.3
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AkQDALw4PklC51qdmWdsb2JhbACCVxglgWKCK4FDinoBAQEBAQgLCgcRvTAEgXk

I think I'll just let Ironport get on with it!
Chris
Community Veteran
Posts: 19,098
Thanks: 432
Fixes: 21
Registered: 31-08-2007

Re: Spam Scores

Moderator's Note:
I've merged this post and the following two replies into this thread since they cover the same ground. Essentially this topic is the "link" requested in the current post.
David (spraxyt)

Except for the inserted emphasis, this is a quote from Bob Pullen's post "Ironport & plans for the email platform" on this board:
Quote
Spam scoring is based on Ironport's 'reputation based filter' and will be set to a conservative level. Messages with scores between -10 and -7 will be blocked, -7 to -2 will be throttled, -2 to +7 will be scanned for spams, and greater than +7 will be allowed, and assumed clean. These settings will allow us to continue offering the controls that are available in the Manage My Mail tool. A separate thread has been set up here for discussions surrounding spam scoring.

Sorry if I'm being a bit thick here or missed something, but please confirm who is doing the blocking, PlusNet or IronPort.
The thread discussing spam scoring, can we have a linky please?
Community Veteran
Posts: 26,357
Thanks: 607
Fixes: 8
Registered: 10-04-2007

Re: Spam Scores

The Plusnet owned IronPort boxes which sit in the Plusnet London data centre.
jelv (a.k.a Spoon Whittler)
   Why I have left Plusnet (warning: long post!)   
Broadband: Andrews & Arnold Home::1 (FTTC 80/20)
Line rental: Pulse 8 Home Line Rental (£13/month)
Mobile: iD mobile (£4/month)
Community Veteran
Posts: 19,098
Thanks: 432
Fixes: 21
Registered: 31-08-2007

Re: Spam Scores

Sorry, I've perhaps not explained that clearly enough. If the SBRS score is -7 to -10, is the mail being rejected immediately (by the boxes) or is it rejected at the point when PN would be adding the x-pn-pstn header if the score had been better than -7.
Also any linky?
Superuser
Superuser
Posts: 8,884
Thanks: 411
Fixes: 36
Registered: 06-04-2007

Re: Spam Scores

Moderator's Note:
I think reply #5 in this newly merged topic covers most of the points raised/discussed in today's merged posts, replies #7-9.
David (spraxyt)
David
Community Veteran
Posts: 19,098
Thanks: 432
Fixes: 21
Registered: 31-08-2007

Re: Spam Scores

Sorry guys, I've re-read this and some other bits several times now, and I think it's all as clear as mud.
So let's do one bit at a time.
X-SBRS scores of -7 to -10.
Do customer spam preferences affect what happens to messages given these scores? ie. will we EVER see messages with such scores? Do they get rejected with a bounce message or just dropped silently?
There is a conflict in what is stated in Bob's blog "Ironport & plans for the email platform" and in reply #5
ChrisL
Grafter
Posts: 733
Thanks: 2
Registered: 13-12-2007

Re: Spam Scores

Quote from: Anotherone
There is a conflict in what is stated in Bob's blog "Ironport & plans for the email platform" and in reply #5

Chris, can you say exactly what you think the conflict is? Bob's blog (actually the 'sticky' on this board rather than the blog itself) says:
Quote
Spam scoring is based on Ironport's 'reputation based filter' and will be set to a conservative level. Messages with scores between -10 and -7 will be blocked,

This is expanded in post #5 above to:
Quote
When mail comes into the IronPort it will block/refuse blatant spam as a result of its SenderBase reputation. This applies for all mail that passes through IronPort irrespective of a customer's spam preferences. If message fails at this stage then you'll commonly see it rejected with a message similar to this.

This looks consistent to me, and I'm worried I might be missing something you've noticed and I haven't.
Chris
Community Veteran
Posts: 19,098
Thanks: 432
Fixes: 21
Registered: 31-08-2007

Re: Spam Scores

Well OK 'sticky' then. But you've now also quoted the second 'inconsistency' in your 3rd quote.  Your 2nd quote correctly quotes the relevant bit from the sticky, which the OP quoted, and I quoted in reply#7. This is indeed consistent with your 3rd quote. But it is not consistent with the last paragraph of reply #5 which I do not want to quote in isolation as it should be read in the context of the rest of reply #5.
Nor is it consistent with the FAQ sticky which says (in connection with not receiving newsletters)
Quote
The IP address of the sending MTA fails IronPort's Senderbase lookup (see next but one question). The only immediate solution to this problem is to disable anti-spam filtering.
You have Edge Protection enabled and the email is deleted as blatant spam. If this is the case then either whitelist the address (but see the next question) or turn the feature off.

Furthermore, there is no definition of Blatant Spam (in Ironport terms), we assume it's that that scores -7 to -10. You and I know what "blatant" spam is, the minute we look at it, but that's not the same.
That's why I have asked the questions in the way I have in reply #11, to which I would like a direct reply please Bob, not just a load of it says this in this link, that in this other link, and the other in that link and so on.
@Bob
Could you please respond, you seem to have been avoiding this all day.
Plusnet Help Team
Plusnet Help Team
Posts: 17,626
Thanks: 611
Fixes: 158
Registered: 05-04-2007

Re: Spam Scores

Quote
Could you please respond, you seem to have been avoiding this all day.

I don't think that's fair on Bob, he's responded to every question asked so far, however as is normal for Mondays he's had a lot to look at today.
Unfortunately I don't know the answer to this question, but I'll ask when I get in the office tomorrow and make sure you get an answer.
 Chris Parr
 Plusnet Help Team