Emailology: How to Please Postini

Steer Clear of the SPAM Filter

Here at EOA we already offer you a powerful set of tools to ensure that your emails look the way you want them to, no matter how they're viewed. But all that effort will be wasted if your message is caught in a spam filter and never makes it to the inbox. This blog is the first in a series which will cover spam filters: how they work, how to avoid them, and what we can learn from their output.

Postini

Postini is a cloud-computing service provided by Google for filtering email spam and malware before it is delivered to a client's mail server. Analyzing Postini headers can give you a lot of information about why an email was flagged as spam or not. It can also give you information about the recipient's spam settings. We will dissect these headers and discuss the significance of each one below. Here is an example of a complete set of Postini headers:

I know what you're thinking: that looks pretty confusing. It's actually not as bad as it might seem. Take it step by step and you'll find that it's easy to get a lot of useful information from these headers. If you think you're a really fast learner, you can just skip to the bottom and read the summary!

X-pstn-levels Header

The X-pstn-levels Header is the first header you'll see. It contains information about how your email scored in a number of different categories. Just like in the Olympics, higher is better. A score of less than 85 in any category and you'll be "disqualified." The X-pstn-levels header looks like this:

Each letter (S, R, P, M, C) represents a different spam category. A score is assigned for each of these categories. The categories are as follows:

• S = General/bulk spam score
• CV = Internal use only. This has no effect on the overall spam score or message disposition.
• P = Sexually explicit (pornography) spam score
• M = Make-money-fast (MMF) spam score
• C = Commercial or “special offer” spam score
• R = Racially insensitive spam score

Each of these categories is assigned a score, with a perfect score being 100. As "flags" are raised, points are subtracted from the score. If a score falls below 85, the message will be marked as spam. The number after the slash for S (general/bulk spam score) is called the Blatant Spam Blocking (BSB) score. This score is used to identify messages that should be discarded. This is a score that shouldn't be directly interpreted.

Industry Heuristics (optional)

• LC: legal content
• FC: financial content
• LT: legal transport
• FT: financial transport

The content codes are an optional feature, and if present they appear on both the levels and settings lines. If content or transport filtering is triggered, the code appears in uppercase letters on the x-pstn-settings line. If filtering isn’t triggered, the codes appear in lowercase letters. Here's an example that includes industry heuristics:

X-pstn-settings Header

The X-pstn-settings Header can inform you about user spam settings. You'll only see this header on messages delivered to a single user. This header will appear in this format:

Or for an example settings header:

The Bulk_Filter_Setting is the aggressiveness of the filter setting, with 1 being the least aggressive and 5 being the most. The base threshold and effective threshold are derived and shouldn't be directly interpreted. If any of the filters listed above (pornographic, MMF, commercial, etc) are turned on and score 85 or below, the effective threshold value is a multiple of the base threshold value. If none of the filters are triggered (by being less than 85), the threshold value will equal the base value. The letters that come after the base threshold/effective threshold indicate which filters are turned on. A letter will be capitalized if that filter was triggered (because that category scored less than 85). If the S category of the levels header (above) is less than the "effective threshold" the message will be marked as spam. For example, take a look at the following:

Because the spam score is 0.00000 and the effective threshold is 8.00000, this message is spam.

General Transport Heuristics Filters

• GT1 = Most trusted
• GT2 = More trusted
• GT3 = Trusted

The general transport heuristics score is awarded to senders who mostly send valid emails. It doesn't guarantee that your email will be delivered (or add it to a "whitelist"), but it helps increase your chances that your email will not be marked as spam. This is like having a "reputation" as a sender, and gaining the benefit of the doubt through a good record.

X-pstnvirus Header

The X-pstnvirus Header gets added to the message if a virus is detected. These messages will only be delivered if the organization has set their mail server to tag and deliver the messages, or if an administrator delivers the message to the recipient.

X-pstn-2strike Header

The X-pstn-2strike Header is an exception to the spam score and threshold calculations. This is applied to messages that got a spam score below the effective threshold, but are likely to be valid messages. It appears as follows:

In this example, the X-pstn-2strike is set to "clear" so the message was delivered.

X-pstn-addresses Header

The X-pstn-addresses Header is used when comparing the message sender to the recipients approved and blocked senders lists. It appears only if the message was sent to only a single user of Postini. Here is an example:

If the address is found in either the approved or blocked list, the process is terminated and this is noted on this line. The text after the email address can be any of the following:

forward (org good)

This address appears on the organization's Approved Senders list.

quarantined (org bad)

This address appears on the organization's Blocked Senders list.

forward (user good)

This address appears on the user's Approved Senders list.

quarantined (user bad)

This address appears on the user's Blocked Senders list.

forward (good recip)

This address appears on the user's Approved Mailing List.

If there is no message after the email address, the address was not on any list. The number at the end, [2321/87] indicates [the number of characters in the list/the number of entries in the list]. If the list is empty this will display as [db-null].

X-pstn-disposition Header

The X-pstn-disposition Header shows that a message was delivered from the user's message center. Here is an example:

This header shows that the message was quarantined and then was delivered by to the user's inbox from the Message Center.

X-pstn-attach-addresses Header

The X-pstn-attach-addresses Header is created by the Attachment Manager. If a message is quarantined because of its attachments it will not have normal spam headers. It will only get a "X-pstn-disposition: quarantine" header.

X-CM Header

The X-CM Header indicated that a Content Management filter has been triggered. The name of the filter appears in parentheses after the header.

Putting It All Together

Here again is our example of a complete set of Postini headers. Hover over words or numbers in navy blue text to see an explanation of their meaning.

From this we can learn the following:

• The overall spam score is 0.84300.
• The user has racially insensitive, sexually explicit, make-money-fast and commercial spam filters active.
• The make-money-fast (M) filter is capitalized because it was triggered (scored less than 85).
• The user's spam filter was set to an aggressiveness of 3, moderately aggressive.
• The effective threshold was set to 7.0000.
• The message was quarantined in the Message Center.