Applies to: Exchange Server 2013
Anti-spam stamps help you diagnose spam-related problems by applying diagnostic metadata, or stamps, such as sender-specific information, puzzle validation results, and content filtering results, to messages as they pass through the anti-spam features that filter inbound messages from the Internet. There are three anti-spam stamps: the phishing confidence level stamp, the spam confidence level stamp, and the Sender ID stamp.
You can use anti-spam stamps as diagnostic tools to determine what actions to take on false-positives and on suspected spam messages that individuals receive in their mailboxes.
On November 1, 2016, Microsoft stopped producing spam definition updates for the SmartScreen filters in Exchange and Outlook. The existing SmartScreen spam definitions will be left in place, but their effectiveness will likely degrade over time. For more information, see Deprecating support for SmartScreen in Outlook and Exchange.
Viewing anti-spam stamps
You can view anti-spam stamps by using Microsoft Outlook. For more information, see View anti-spam stamps in Outlook.
Understanding the anti-spam report
The anti-spam report is a summary report of the anti-spam filter results that have been applied to an email message. The Content Filter agent applies this stamp to the message envelope in the form of an X-header as follows.
X-MS-Exchange-Organization-Antispam-Report: DV:<DATVersion>;CW:CustomList;PCL:PhishingVerdict <verdict>;P100:PhishingBlock;PP:Presolve;SID:SenderIDStatus <status>;TIME:<SendReceiveDelta>;MIME:MimeCompliance
The following table describes the filter information that can appear in an anti-spam report.
The anti-spam report only displays information from the filters that were applied to the specific message. An anti-spam report doesn't usually contain all the information listed in the following table. For example, you may receive the following anti-spam report:
DV:3.1.3924.1409;SID:SenderIDStatus Fail;PCL:PhishingLevel SUSPICIOUS;CW:CustomList;PP:Presolved;TIME:TimeBasedFeatures.
Filter information in an anti-spam report
|The Sender ID (SID) stamp is based on the sender policy framework (SPF) that authorizes the use of domains in email. The SPF is displayed in the message envelope as
Received-SPF. The Sender ID evaluation process generates a Sender ID status for the message. This status can be returned as one of the following values:
The Sender ID stamp is displayed as an X-Header in the message envelope as follows:
For more information about Sender ID, see Sender ID.
|The DAT version (DV) stamp indicates the version of the spam definition file that was used when scanning the message.
|The signature action (SA) stamp indicates that the message was either recovered or deleted because of a signature that was found in the message.
|The signature DAT version (SV) stamp indicates the version of the signature file that was used when scanning the message.
|The phishing confidence level (PCL) stamp displays the rating of the message based on its content and is applied when the message is processed by the Content Filter agent. This status can be returned as one of the following values:
The PCL value can range from 1 through 8:
The values are used to determine what action Outlook takes on messages. Outlook uses the PCL stamp to block the content of suspicious messages.
The PCL stamp is displayed as an X-header in the message envelope as follows:
|The spam confidence level (SCL) stamp of the message displays the rating of the message based on its content. The Content Filter agent uses Microsoft SmartScreen technology to assess the contents of a message and to assign an SCL rating to each message.
The SCL value is from 0 through 9, where 0 is considered less likely to be spam, and 9 is considered more likely to be spam. The actions that Exchange and Outlook take depend on your SCL threshold settings.
The SCL stamp is displayed as an X-header in the message envelope as follows:
For more information about SCL thresholds and actions, see Spam Confidence Level Threshold.
|The custom weight (CW) stamp of a message indicates that the message contains an unapproved word or phrase and that the SCL value, or weight, of that unapproved word or phrase was applied to the final SCL score:
For more information about how to add approved and unapproved words or phrases to the Content Filtering agent, see Manage content filtering.
|The presolved puzzle (PP) stamp indicates that if a sender's message contains a valid, solved computational postmark, based on Outlook E-mail Postmark validation functionality, it's unlikely that the sender is a malicious sender. In this case, the Content Filter agent would reduce the SCL rating.
The Content Filter agent doesn't change the SCL rating if the E-mail Postmark validation feature is enabled and either of the following conditions is true:
For more information about the postmark validation feature, see Content filtering.
|The TIME stamp indicates that there was a significant time delay between the time that the message was sent and the time that the message was received. The TIME stamp is used to determine the final SCL rating for the message.
|The MIME stamp indicates that the email message isn't MIME compliant.
|The P100 stamp indicates that the message contains a URL that's present in a phishing definition file.
|The IPOnAllowList stamp indicates that the sender's IP address is on the IP Allow list. For more information about the IP Allow list, see Understanding Connection Filtering.
|The MessageSecurityAntispamBypass stamp indicates that the message wasn't filtered for content and that the sender has been granted permission to bypass the anti-spam filters.
|The SenderBypassed stamp indicates that the Content Filter agent doesn't process any content filtering for messages that are received from this sender. For more information, see Manage content filtering.
|The AllRecipientsBypassed stamp indicates that one of the following conditions was met for all recipients listed in the message: