
need help interpreting message_log

Hello. I need to find out why a particular message was quarantined. I got the following snippet from the message_log.

2010-02-18T10:43:38 q=o1I2harw009087 f=<luke@rebels.com> t=<vader@evilempire.com> h=RDNS_SUSP_MSGID h=MSGID_SPAM_5 h=HTML_70_90 h=BODY_SIZE_5000_5999 h=BODY_SIZE_7000_LESS h=INVALID_MSGID_NO_FQDN h=RDNS_NXDOMAIN h=RDNS_SUSP h=RDNS_SUSP_GENERIC h=__BOUNCE_CHALLENGE_SUBJ h=__BOUNCE_NDR_SUBJ_EXEMPT h=__CT h=__CTYPE_HAS_BOUNDARY h=__CTYPE_MULTIPART h=__CTYPE_MULTIPART_ALT h=__HAS_HTML h=__HAS_MSGID h=__HAS_X_MAILER h=__HTML_FONT_BLUE h=__MIME_HTML h=__MIME_VERSION h=__OUTLOOK_MSGID_1 h=__OUTLOOK_MUA h=__OUTLOOK_MUA_1 h=__SANE_MSGID h=__STYLE_RATWARE h=__STYLE_RATWARE_2 h=__TAG_EXISTS_HTML h=__TO_MALFORMED_2 h=__USER_AGENT_MS_GENERIC Size=7853 fur=0.0.0.0 vs p=0.825 pmx_action=quarantine,-,-,vader@evilempire.com,vader@evilempire.com r=[111.11.11.11] tm=0.81 a=d/eom

I don't know how to interpret this. Can someone help me with this? Or if you point me to some documentation, that would be great too. Thank you.

- Pierre



  • The first thing I see is that pmx is 82.5% sure (positive) the message is spam. p=0.825

    The other thing is all of the h=Some_Value are the reasons why it's at 82%. The h stands for hit, as in it matched a SPAM rule and each time it matched, the internal counter for pmx tallied this up to a number past the threshold in your policy. The policy then quarantined the message. Check out page 212 of the admin reference to see what each entry in the log file means.

    From the appendix:

    "spam score
     The spam score is the score assigned to a message by the anti-spam engine that indicates the relative likelihood that the
     message is spam.
     Anti-spam rules consist of a test definition and a "weight". If the test matches the message, the corresponding weight is
     added to the message's total spam score. Generally, multiple rules must be triggered by a message in order to result in a
     spam score high enough for an action to be taken. SophosLabs constantly analyzes emerging spam techniques and updates
     the ES4000 and PureMessage anti-spam rule sets accordingly."

    You may also want to review the troubleshooting steps starting on page 217.

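As an added example (not part of the original thread or of PureMessage itself), here is a small Python parser that splits a message_log line of the form shown in the question into its key=value fields, collects the repeated h= hits, and types the fields the reply discusses (p, Size, pmx_action). It assumes the pmx_action layout seen in the sample (action first, "-" for empty slots, then the affected addresses) and, as an assumption borrowed from SpamAssassin-style rule sets, treats rule names starting with "__" as helper sub-rules rather than weighted rules.

```python
from typing import Any, Dict, List

# Constructed sample: an abbreviated copy of the message_log line quoted in
# the question (most of the h= hits were dropped to keep it short).
SAMPLE_LINE = (
    "2010-02-18T10:43:38 q=o1I2harw009087 f=<luke@rebels.com> t=<vader@evilempire.com> "
    "h=RDNS_SUSP_MSGID h=MSGID_SPAM_5 h=HTML_70_90 h=__HAS_HTML h=__OUTLOOK_MUA "
    "Size=7853 fur=0.0.0.0 vs p=0.825 "
    "pmx_action=quarantine,-,-,vader@evilempire.com,vader@evilempire.com "
    "r=[111.11.11.11] tm=0.81 a=d/eom"
)


def parse_message_log_line(line: str) -> Dict[str, Any]:
    """Turn one space-separated key=value message_log line into a dict.

    Repeated 'h=' keys are collected into a 'hits' list; bare tokens without
    '=' (such as the 'vs' in the sample) are kept in 'flags'.
    """
    tokens = line.split()
    rec: Dict[str, Any] = {"timestamp": tokens[0], "hits": [], "flags": []}
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        if not sep:
            rec["flags"].append(tok)
        elif key == "h":
            rec["hits"].append(value)
        else:
            rec[key] = value
    # Typed views of the fields the reply talks about.
    rec["spam_probability"] = float(rec["p"]) if "p" in rec else None
    rec["size_bytes"] = int(rec["Size"]) if "Size" in rec else None
    rec["sender"] = rec.get("f", "").strip("<>")
    rec["recipient"] = rec.get("t", "").strip("<>")
    rec["relay_ip"] = rec.get("r", "").strip("[]")
    # pmx_action is comma-separated: the action, '-' for empty slots, then the
    # addresses the action was applied to (layout assumed from the sample).
    action_parts = rec.get("pmx_action", "").split(",")
    rec["action"] = action_parts[0]
    rec["action_recipients"] = sorted({p for p in action_parts[1:] if p != "-"})
    return rec


def scoring_hits(rec: Dict[str, Any]) -> List[str]:
    """Hits without the '__' prefix. Assumption: as in SpamAssassin-style rule
    sets, '__' names are helper sub-rules that carry no weight of their own."""
    return [h for h in rec["hits"] if not h.startswith("__")]


if __name__ == "__main__":
    parsed = parse_message_log_line(SAMPLE_LINE)
    print(parsed["q"], parsed["action"], parsed["spam_probability"], scoring_hits(parsed))
```

Run over a whole message_log with a loop and a filter on q= to pull out the single quarantined message, then read the hit names against the rule descriptions in the admin reference.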