Exchange Online Protection SCL, SFV and other headers


Upload: ammar-hasayen

Post on 21-Jan-2018


Page 1: Exchange Online Protection SCL SFV and other headers

Exchange SCL and EOP headers
blog.ahasayen.com/exchange-scl-eop-headers/

Ammar Hasayen

Exchange Online Protection (EOP) is Microsoft's cloud anti-spam solution that protects Office 365 mailboxes and on-premises email systems. Exchange SCL and EOP headers are essential to understanding how EOP really works.

While inspecting messages for malware and spam, EOP generates an SCL for each message that indicates the probability that the message is spam. EOP also adds multiple headers to the message throughout the transport pipeline.

In this blog post, we will touch on the different headers that EOP works with, and how they are used within the overall EOP solution.

Spam confidence level (SCL)

To understand Exchange SCL and EOP headers, you have to understand SCL. Spam confidence level (SCL) is a score set by anti-spam engines that indicates the probability that a message is spam.

The SCL values that EOP sets range from -1 (the message skipped spam filtering, for example because it came from a safe sender or an allowed IP address, and is treated as not spam) up to 9 (high confidence spam).

Here is a table taken from Microsoft documentation that shows the different values of SCL:

When EOP inspects a message, the anti-spam engine analyzes it and determines its SCL score. Each SCL value has a default action associated with it.

In EOP, you can change the default action taken for the different SCL values: delete the message, move it to quarantine, deliver it to the recipient's Junk Email folder, and so on.

It is also worth mentioning that the EOP filter never assigns an SCL value of 2, 3, 4, 7 or 8. So when EOP inspects a message, it only sets the SCL to -1, 0, 1, 5, 6 or 9. If you do see one of the unused values in a header, something other than the filter stamped it, typically a mail flow rule with a "set the spam confidence level" action, so check your rules before blaming the engine.

EOP inserts a message header called X-Forefront-Antispam-Report, and within that header it records the SCL value as one of a list of semicolon-separated key:value pairs (for example SCL:5).


Spam Filtering Verdict (SFV)

The next thing to understand in the Exchange SCL and EOP headers is the SFV value. Exchange Online Protection (EOP) uses the Spam Filtering Verdict value to help you understand why a specific anti-spam filtering action was taken on a message.

For example, suppose that you find a message delivered to the user's Inbox instead of the Junk Email folder, where you expected it to end up. You open the message headers and look for the SFV value. You might find SFV:SFE, which indicates that "Filtering was skipped and the message was let through because it was sent from an address on an individual's safe sender list."

If you are an Exchange Online Protection administrator, this SFV value is your magic place for understanding how EOP handles messages. You should master all possible values of SFV so that you can tell how each message was handled by EOP anti-spam filtering.

Bonus:

Check the resources section at the end of this blog post to download my own full list of all EOP headers and SFV values.

EOP Headers

EOP stamps three headers on each message, as shown in the figure below:


X-Forefront-Antispam-Report

This is a unique header inserted by EOP that hosts multiple values, such as SCL, SFV and many others. You can download the list of values in the resources section of this blog post.

Whenever you want to analyze a message, search for this header and inspect all the values in it. This gives you full insight into how EOP inspected the message and why it ended up in the recipient's Inbox or Junk Email folder. This header is your play area when it comes to understanding how EOP works.

X-Microsoft-Antispam

This is another header inserted by EOP, and it contains the following information:

The Bulk Complaint Level (BCL).

The Phishing Confidence Level (PCL).

BCL is a score that EOP assigns to indicate whether a message is considered bulk mail: 0 means the message is not from a bulk sender, 1-3 a bulk sender that generates few complaints, 4-7 some complaints, and 8-9 a high number of complaints. A complete overview of this value can be found here.

PCL is a score that EOP assigns to indicate whether a message is a phishing message. Its values are:


PCL value   Meaning
0-3         The message's content isn't likely to be phishing.
4-8         The message's content is likely to be phishing.
-9990       (Exchange Online Protection only) The message's content is likely to be phishing.
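As an added example (not code from the original post), here is a Python script that extracts SCL and SFV from X-Forefront-Antispam-Report and BCL and PCL from X-Microsoft-Antispam, then explains them using the bands described above and in Microsoft's header documentation. The sample message, its addresses and its IP address are constructed; the SFV descriptions are the documented Microsoft codes (BLK, NSPM, SFE, SKA, SKB, SKI, SKN, SKQ, SKS, SPM). The point worth noticing is that both headers share one shape, KEY:value pairs separated by semicolons, so a single parser serves both, as long as it splits each pair on the first colon only (an IPv6 CIP value contains colons) and joins folded header lines first.

```python
"""Added example (not from the original post): pull SCL, SFV, BCL and PCL out of
the EOP headers of a raw message and explain the verdict. The message below is
constructed for this example; verdict texts follow Microsoft's documentation of
the X-Forefront-Antispam-Report and X-Microsoft-Antispam headers."""
from email import message_from_string

# Constructed sample message: addresses, IP and header values are invented.
# The X-Forefront-Antispam-Report header is folded across lines, as it usually
# is in a real message, to show that the parser copes with that.
SAMPLE_RAW = """\
From: "Payroll" <payroll@example.net>
To: alice@contoso.example
Subject: Updated direct deposit form
X-Forefront-Antispam-Report: CIP:2001:db8::25;CTRY:US;LANG:en;SCL:6;SRV:;
 IPV:NLI;SFV:SPM;H:mail.example.net;PTR:mail.example.net;CAT:SPM;
 SFS:(10019020)(396003);DIR:INB;
X-Microsoft-Antispam: BCL:7;PCL:0;

Please open the attached form.
"""

# SCL bands the EOP filter actually assigns; 2, 3, 4, 7 and 8 never appear from it.
SCL_VERDICT = {
    -1: "spam filtering skipped (safe sender, allowed IP/domain or mail flow rule)",
    0: "not spam", 1: "not spam",
    5: "spam", 6: "spam",
    9: "high confidence spam",
}

# Spam Filtering Verdict codes as documented by Microsoft.
SFV_REASON = {
    "BLK": "filtering skipped; blocked because the sender is in the user's Blocked Senders list",
    "NSPM": "marked as not spam by spam filtering and delivered",
    "SFE": "filtering skipped; allowed because the sender is in the user's Safe Senders list",
    "SKA": "filtering skipped; sender is in the anti-spam policy's allowed senders or domains list",
    "SKB": "marked as spam; sender is in the anti-spam policy's blocked senders or domains list",
    "SKI": "filtering skipped for another reason, for example intra-organization mail",
    "SKN": "marked as not spam before spam filtering ran, for example by a mail flow rule",
    "SKQ": "released from quarantine and delivered to the recipients",
    "SKS": "marked as spam before spam filtering ran, for example by a mail flow rule",
    "SPM": "marked as spam by spam filtering",
}


def parse_eop_header(value):
    """Turn 'KEY:value;KEY:value;' into a dict. Split each part on the first ':'
    only, because an IPv6 CIP value contains colons itself; folded lines are
    joined before splitting."""
    fields = {}
    for part in value.replace("\r", "").replace("\n", "").split(";"):
        key, sep, val = part.strip().partition(":")
        if sep:
            fields[key.strip().upper()] = val.strip()
    return fields


def bcl_meaning(bcl):
    """Bulk Complaint Level bands from Microsoft's documentation."""
    if bcl == 0:
        return "not from a bulk sender"
    if bcl <= 3:
        return "bulk sender with few complaints"
    if bcl <= 7:
        return "bulk sender with some complaints"
    return "bulk sender with a high number of complaints"


def pcl_meaning(pcl):
    """Phishing Confidence Level bands as listed in the post's PCL table."""
    if 0 <= pcl <= 3:
        return "content not likely to be phishing"
    if 4 <= pcl <= 8 or pcl == -9990:
        return "content likely to be phishing"
    return "undocumented PCL value"


def explain_eop_verdict(raw_message):
    """Return the verdict fields an admin checks first when a message landed in
    an unexpected folder."""
    msg = message_from_string(raw_message)
    report = parse_eop_header(msg.get("X-Forefront-Antispam-Report", ""))
    antispam = parse_eop_header(msg.get("X-Microsoft-Antispam", ""))
    scl = int(report["SCL"]) if report.get("SCL") else None
    bcl = int(antispam["BCL"]) if antispam.get("BCL") else None
    pcl = int(antispam["PCL"]) if antispam.get("PCL") else None
    sfv = report.get("SFV")
    return {
        "sender_ip": report.get("CIP"),
        "direction": report.get("DIR"),
        "scl": scl,
        "scl_verdict": SCL_VERDICT.get(scl, "value not assigned by the EOP filter"),
        "sfv": sfv,
        "sfv_reason": SFV_REASON.get(sfv, "unknown or missing SFV"),
        "bcl": bcl,
        "bcl_meaning": bcl_meaning(bcl) if bcl is not None else None,
        "pcl": pcl,
        "pcl_meaning": pcl_meaning(pcl) if pcl is not None else None,
    }


if __name__ == "__main__":
    for key, val in explain_eop_verdict(SAMPLE_RAW).items():
        print(f"{key:12} {val}")
```

Run it against a message saved as .eml (read the file and pass its contents to explain_eop_verdict) to get the same fields the post tells you to look for by hand; the SFV reason is usually the answer to "why is this in the Inbox?", and an SCL outside the bands the filter uses points at a mail flow rule.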

Authentication-Results

This header is used by EOP to stamp the result of message authentication. The results of the checks against SPF, DKIM and DMARC are recorded here, along with EOP's own composite authentication verdict (compauth), which combines those explicit checks with Microsoft's implicit authentication heuristics.

Here is how the SPF Authentication results are treated:

Here is how the DKIM Authentication results are treated:


Here is how the DMARC Authentication results are treated:
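An added example, not from the original post, of reading the Authentication-Results header the way EOP stamps it: one semicolon-separated clause per method (spf, dkim, dmarc, compauth), each with a result, an optional comment in parentheses, and properties such as smtp.mailfrom, header.d, header.from, action and reason. Beyond listing the results, it checks the thing DMARC actually depends on: whether the domain that SPF or DKIM passed for matches the domain in the header From. The two sample header values are constructed; the alignment check is simplified to exact-or-subdomain matching rather than organizational-domain matching.

```python
"""Added example (not from the original post): parse an EOP-style
Authentication-Results header and check whether the SPF/DKIM results align
with the header From domain the way DMARC requires. Sample values are
constructed; the alignment rule is a simplification (see _aligned)."""
import re

# One clause per method: "spf=pass (comment) smtp.mailfrom=domain"
CLAUSE_RE = re.compile(
    r"^(?P<method>[a-z0-9_-]+)=(?P<result>[a-z]+)"   # e.g. spf=pass, compauth=fail
    r"(?:\s*\((?P<comment>[^)]*)\))?"                # optional "(sender IP is ...)"
    r"(?P<props>.*)$",
    re.IGNORECASE | re.DOTALL,
)
# Properties after the result: smtp.mailfrom=, header.d=, header.from=, action=, reason=
PROP_RE = re.compile(r"([a-z0-9_.-]+)=([^\s;]+)", re.IGNORECASE)

# Constructed samples, folded like a real header; domains are documentation names.
SAMPLE_PASS = (
    "spf=pass (sender IP is 203.0.113.45) smtp.mailfrom=example.net;\n"
    " dkim=pass (signature was verified) header.d=example.net;\n"
    " dmarc=pass action=none header.from=example.net;\n"
    " compauth=pass reason=100"
)
# SPF passes, but only for the bounce domain of a third-party mailer, which is
# not the domain the user sees in the From header: the classic spoofing shape.
SAMPLE_FAIL = (
    "spf=pass (sender IP is 198.51.100.9) smtp.mailfrom=bulk.mailer.example;\n"
    " dkim=none (message not signed) header.d=none;\n"
    " dmarc=fail action=none header.from=contoso.example;\n"
    " compauth=fail reason=001"
)


def parse_authentication_results(value):
    """Return {method: {'result': ..., 'comment': ..., <prop>: ...}}."""
    results = {}
    for clause in value.replace("\r", "").replace("\n", " ").split(";"):
        m = CLAUSE_RE.match(clause.strip())
        if not m:  # empty clause, or a bare authserv-id such as "contoso.com"
            continue
        entry = {"result": m.group("result").lower(), "comment": m.group("comment")}
        for key, val in PROP_RE.findall(m.group("props")):
            entry[key.lower()] = val.lower()
        results[m.group("method").lower()] = entry
    return results


def _aligned(domain, from_domain):
    """Relaxed DMARC alignment, simplified to 'same domain or a subdomain of it';
    a real implementation compares organizational domains using the public
    suffix list."""
    return bool(domain and from_domain) and (
        domain == from_domain or domain.endswith("." + from_domain)
    )


def summarize_authentication(value):
    """Summarize the header and flag results that look better than they are."""
    r = parse_authentication_results(value)
    spf, dkim, dmarc, comp = (r.get(k, {}) for k in ("spf", "dkim", "dmarc", "compauth"))
    from_domain = dmarc.get("header.from", "")
    spf_aligned = spf.get("result") == "pass" and _aligned(spf.get("smtp.mailfrom", ""), from_domain)
    dkim_aligned = dkim.get("result") == "pass" and _aligned(dkim.get("header.d", ""), from_domain)
    dmarc_passed = dmarc.get("result") in ("pass", "bestguesspass")
    warnings = []
    if spf.get("result") == "pass" and not spf_aligned:
        warnings.append("SPF passed for %s, which is not aligned with From domain %s"
                        % (spf.get("smtp.mailfrom"), from_domain))
    if (spf_aligned or dkim_aligned) != dmarc_passed:
        warnings.append("DMARC result %s disagrees with SPF/DKIM alignment" % dmarc.get("result"))
    ip_match = re.search(r"sender IP is (\S+)", spf.get("comment") or "")
    return {
        "from_domain": from_domain,
        "sender_ip": ip_match.group(1) if ip_match else None,
        "spf": spf.get("result"), "spf_aligned": spf_aligned,
        "dkim": dkim.get("result"), "dkim_aligned": dkim_aligned,
        "dmarc": dmarc.get("result"), "dmarc_action": dmarc.get("action"),
        "compauth": comp.get("result"), "compauth_reason": comp.get("reason"),
        "warnings": warnings,
    }


if __name__ == "__main__":
    for label, sample in (("aligned", SAMPLE_PASS), ("unaligned", SAMPLE_FAIL)):
        print(label)
        for key, val in summarize_authentication(sample).items():
            print(f"  {key:16} {val}")
```

The second sample is the case to internalize: spf=pass on its own says nothing about the From address the user sees, only about the envelope sender, so a pass for an unaligned domain should not reassure you. The dmarc= clause already encodes the alignment outcome and action, and compauth= is EOP's final word, but parsing the pieces lets you see which leg (SPF or DKIM) carried the pass and spot headers that have been tampered with or stamped by a hop other than EOP.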


Resources

Download my own EOP Header Table, which shows each EOP header value and its description, to help you understand how EOP really works.
