Understand ESET X-Header tags

Posted by pronto

Servus Community,

I try to figure out why an email is moved to the end user's Junk Mail folder in Outlook. Note that we are working on an Exchange 2016 DAG with two nodes. An example mail header looks like the following:

X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-ESET-AS: R=OK;S=0;OP=CALC;TIME=1580052250;VERSION=7846;MFE-VER=58;MC=2416161006;TRN=2002;CRV=0;IPC=54.240.0.225
X-ESET-Antispam: OK
Old-X-EsetResult: clean, is OK
Old-X-EsetId: 37303A29666CC669677661
X-MS-Exchange-Organization-Network-Message-Id: 269bf092-eb36-4fb7-8920-08d7a273caf8
X-EsetResult: clean, is OK
X-EsetId: 37303A294BD8CC69677661
X-MS-Exchange-Organization-AVStamp-Enterprise: 1.0
X-MS-Exchange-Organization-AuthSource: UNIVERSE-3.DOMAIN.local
X-MS-Exchange-Organization-AuthAs: Anonymous
X-MS-Exchange-Transport-EndToEndLatency: 00:00:01.5779049
X-MS-Exchange-Processed-By-BccFoldering: 15.01.1847.001

On the Mail Security policy side we are using a standard policy with only two user-defined changes: First, we configured a white list in the 'Approved sender list' in the 'Filtering and Verification' section, but we configured it after the false positive detection, and second, we changed the behaviour of the 'Action to take if cleaning not possible' from 'Truncate to zero length' to 'Replace content with action information'.

In the header of the false positive example above, we see an 'X-ESET-Antispam: OK' tag, which means to me that ESET didn't apply any anti spam action, but the question remains why this E-Mail was moved to the user's Junk-Mail folder. Please note that this was an Amazon e-mail, not related to a specific order but offering products for promotional purposes. So it is not that important, but a good example to learn how the anti spam filter works...

Is there a documentation about the single values of the 'X-ESET-Antispam' tag? I guess I understand some of the values, like the versions and the receive yes and send no, as well as the time stamp, but MC= for example and TRN=, CRV= and IPC= aren't clear to me...

Thx in advance & Bye Tom

[Attached screenshots: Bildschirmfoto 2020-01-27 um 16.53.56.png, Bildschirmfoto 2020-01-27 um 16.53.30.png, Bildschirmfoto 2020-01-27 um 16.55.43.png]

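The triage Tom is doing by eye (read the ESET verdict headers, look for an SCL, split the X-ESET-AS string) can be scripted. The following is an added example and not code from the thread, from ESET or from Microsoft; the header text is a constructed sample modelled on the block quoted above, and the X-ESET-AS value is only split into key=value pairs, not interpreted, because its format is undocumented.

```powershell
# Added example: triage the antispam-related headers of one message.
# Constructed sample header block, modelled on the one quoted in the post.
$rawHeaders = @"
X-MS-Exchange-Organization-MessageDirectionality: Incoming
X-ESET-AS: R=OK;S=0;OP=CALC;TIME=1580052250;VERSION=7846;MFE-VER=58;MC=2416161006;TRN=2002;CRV=0;IPC=54.240.0.225
X-ESET-Antispam: OK
X-EsetResult: clean, is OK
X-MS-Exchange-Organization-AuthAs: Anonymous
"@

function ConvertFrom-HeaderBlock {
    # Parse "Name: value" lines into a hashtable; PowerShell hashtables are
    # case-insensitive, which matches RFC 5322 header-name semantics.
    param([string]$Text)
    $headers = @{}
    $last = $null
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -match '^\s+\S' -and $last) {
            # Folded continuation line belongs to the previous header.
            $headers[$last] += ' ' + $line.Trim()
        } elseif ($line -match '^([^:\s]+):\s*(.*)$') {
            $last = $Matches[1]
            $headers[$last] = $Matches[2]
        }
    }
    return $headers
}

function Get-EsetAsFields {
    # Split the diagnostic X-ESET-AS value on ';' and '=' without assigning
    # any meaning to the keys (the format is not public).
    param([string]$Value)
    $fields = [ordered]@{}
    foreach ($pair in ($Value -split ';')) {
        $k, $v = $pair -split '=', 2
        if ($k) { $fields[$k.Trim()] = $v }
    }
    return $fields
}

$h = ConvertFrom-HeaderBlock $rawHeaders
"ESET antispam verdict : $($h['X-ESET-Antispam'])"
"ESET AV result        : $($h['X-EsetResult'])"
if ($h.ContainsKey('X-MS-Exchange-Organization-SCL')) {
    "SCL present           : $($h['X-MS-Exchange-Organization-SCL']) (Exchange can move to Junk based on this)"
} else {
    "SCL present           : no (stripped or never set; Junk placement came from a later agent or the client)"
}
"X-ESET-AS fields (diagnostic, undocumented):"
Get-EsetAsFields $h['X-ESET-AS'] | Format-Table -AutoSize
```

For a real message, replace the constructed here-string with the full header block copied from Outlook's message properties; an 'OK' ESET verdict together with a missing SCL header points away from ESET and towards the mail client or a transport agent that runs after ESET.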

Hi Tom,

"we see an 'X-ESET-Antispam: OK' tag, which means to me, that ESET didn't apply any anti spam action":

you are right, based on this ESET Mail Security is not responsible for placing the email in the Junk folder. It could be Outlook's state-of-the-art antispam, or one of the Exchange server's default antispam agents. Check the X-MS-Exchange-Organization-SCL header.

The format of X-ESET-AS header is not public, it's used for diagnostic purposes.

Matej

28 minutes ago, M.K. said:

you are right, based on this ESET Mail Security is not responsible for placing the email in the Junk folder. It could be Outlook's state-of-the-art antispam, or one of the Exchange server's default antispam agents. Check the X-MS-Exchange-Organization-SCL header

Servus Matej,

according to the policy, ESET should remove the SCL, and apparently it does, as there is no longer one in the header. Of course I don't know now if Exchange will evaluate the SCL before ESET deletes it. Is there any other overlap where Exchange Server might still be doing things that ESET doesn't know about? What is the order in which an e-mail passes through the individual filters?

Anyway, I noticed that since we got the new Exchangers with ESET, only these Amazon mails are now in my junk mail directory. So I guess that ESET checks the mail before Exchange Server does and has already filtered out all spam, and a filter behind ESET classifies this Amazon mail as spam. Then it really looks like a filter in Exchange server.

But then it looks like ESET is responsible for the fact that in principle no more spam mails can be found in the junk mail directories of the users. Is it possible to set up that spam mails will be delivered to the Junk Mail folder again? Our users are so used to it...

Thx & Bye Tom


Hi Tom,

in general multiple transport agents can act on an email independently, in order based on their priority (see cmdlet Get-TransportAgent, or https://help.eset.com/emsx/7.1/en-US/idh_agent_priority2.html).

Ad "Is it possible to setup that spam mails will be delivered in the Junk Mail folder again":

Yes, for example set the action to take on spam to "No action" and configure a rule to set the SCL header (https://help.eset.com/emsx/7.1/en-US/idh_wizard_rule_action.html). By default Exchange will then move all emails with SCL above threshold to Junk folder (https://docs.microsoft.com/en-us/exchange/antispam-and-antimalware/antispam-protection/configure-antispam-settings?view=exchserver-2019).

Matej

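The checks Matej's answer implies (agent order via Get-TransportAgent, the SCL threshold Exchange uses for the Junk move, and the per-mailbox junk settings) can be run in one go from the Exchange Management Shell. This is an added example, not from the thread or from ESET's documentation; it assumes a shell session on one of the Exchange 2016 DAG nodes, and 'user@example.invalid' is a placeholder for the affected mailbox.

```powershell
# Added example: collect the Exchange-side facts that decide a Junk placement.
# Assumes an Exchange Management Shell session on an Exchange 2016 mailbox server.

# 1. Agent order. Lower Priority runs first, so this shows whether the ESET
#    transport agents act before or after Exchange's built-in antispam agents.
Get-TransportAgent | Sort-Object Priority |
    Format-Table Priority, Identity, Enabled -AutoSize

# 2. Organisation-wide SCL threshold: mail with an SCL above this value is moved
#    to the mailbox's Junk folder, provided junk processing is enabled on it.
Get-OrganizationConfig | Select-Object SCLJunkThreshold

# 3. Per-mailbox junk configuration. A disabled configuration or a listed
#    trusted sender changes the outcome regardless of the SCL value.
#    'user@example.invalid' is a placeholder for the mailbox under investigation.
Get-MailboxJunkEmailConfiguration -Identity 'user@example.invalid' |
    Select-Object Enabled, TrustedSendersAndDomains, BlockedSendersAndDomains

# 4. State of the Content Filter agent, one of the built-in antispam agents
#    (the cmdlet only returns data if the antispam agents were installed).
Get-ContentFilterConfig |
    Select-Object Enabled, SCLRejectEnabled, SCLRejectThreshold, SCLDeleteEnabled, SCLQuarantineEnabled
```

If step 1 shows the ESET agents at a lower priority than the built-in antispam agents and step 2 shows a threshold, then a rule in ESET that sets the SCL header (with the spam action set to "No action", as Matej describes) is what hands the Junk decision back to Exchange.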
