Understanding Spam

Spam is usually considered to be emails that are junk, unsolicited or irrelevant, typically to large numbers of users indiscriminately, for the purposes of advertising, phishing or spreading malware, to name a few. For more information about receiving spam, see our article Spam - Why do you receive it?.

In this article, we are going to break down the information transmitted with each email, known as the message headers, to understand why an email was marked as spam.

To follow along with this article, you should view the message headers for an email you've received recently. You can use any email to do this, but if you've received a spam email recently this will be the best one to use.

You can retrieve the message headers for any email right from your chosen mail program. This article will assume that you can access the message headers for any email. For tutorials for common mail programs, see our article Message Headers.

Tip: Once you have the message headers, you should copy and paste them into an empty notepad or word editor document so that you can read them more easily.


Reading the message headers

Now that you can see the message headers, you're probably thinking it looks like a foreign language! The next step is to break down each item in the report, once you do that you'll start seeing familiar words pop out at you.

You should at least be able to see that at the beginning of most lines, there is a header name separated by a colon (":") with a corresponding value. There are several online tools that can break these lines down into the header name and header value for even more readability, see http://mxtoolbox.com/Public/Tools/EmailHeaders.aspx.

This list contains all the common lines found in message headers received by WebClick customers. You may have more lines than mentioned below in your message headers, or some of the lines below may not appear at all. It all depends on what information was available that the time of transmission of the email.

Please note, advanced spam systems may be able to forge some parts of the message headers to misdirect and misinform recipients of the emails. The email addresses and the date are the most commonly targeted lines for purposely overwritting information.


Common lines found in WebClick message headers

DomainKey-Status
eg. DomainKey-Status: no signature
DomainKeys is an email authentication method. In most message headers, it will say "no signature" as the value. These are related to domain keys which are currently not supported by WebClick services.

Return-Path
eg. Return-Path: skippy@bushkangaroosaustralia.com.au
The email address which should be used for bounces. The mail server will send a message to the specified email address if the message cannot be delivered. This is usually the email address from which the email was originally sent.

X-Spam-Checker-Version
eg. X-Spam-Checker-Version: SpamAssassin 3.x.x (2016-01-01) on pleskhosting.webclick.com.au
The version information of the Anti-Spam system in place on the server checking the email.

X-Spam-Flag
eg. X-Spam-Flag: YES
This one right here, this is the header name that will confirm whether or not your message is spam. A value of "YES" means that the email has been marked as spam. If you cannot find this line in your headers, your email is not spam.

X-Spam-Level
eg. X-Spam-Level: **********
A star-rating based respresentation of the spam score the email received. As a general rule of thumb, the more stars the email has, the more likely it is to be spam. In the example above, 10 stars means the email got a score of more than 10, but less than 11.

X-Spam-Status
eg. X-Spam-Status: Yes, score=11.7 required=7.0 tests=DKIM_ADSP_CUSTOM_MED, FREEMAIL_FROM, HTML_MESSAGE, HTML_MIME_NO_HTML_TAG, MIME_HTML_ONLY, NML_ADSP_CUSTOM_MED, NO_RELAYS, TO_NO_BRKTS_HTML_ONLY, VERY_LONG_REPTO_SHORT_MSG, UPPERCASE_50_75, XPRIO autolearn=no version=3.x.x
This is one of the most important lines transmitted in the report and it is composed of several snippets of information.
- X-Spam-Status: This value can be "Yes" (meaning the email has been marked as spam) or "No" (meaning the email has not been marked as spam)
- Score: The total spam score that the message received
- Required: The minimum score the message was required to obtain in order to be marked as spam (this score can be configured in your hosting account, on a per email address basis, see the advanced Anti-Spam settings in the email account in your hosting control panel for more information or to change the setting)
- Tests: The checks that email received a score for during the testing process
- Autolearn: Reports the result of the autolearn function of SpamAssassin
- Version: The version of the anti-spam system used to test the message

X-Spam-Report
eg. * 0.8 UPPERCASE_50_75 message body is 50-75% uppercase
The X-Spam-Report gives plain text definitions of each of the checks that the email failed during the testing. In the example above, the body of the email was determined to be composed of 50-75% capital letters. WRITING IN CAPS is not a proper written language convention and, therefore in this case, contributed 0.8 points to the total spam score.

When a spam email is marked as spam, inevitably there is issues with the content of the email which, if these issues where not present, would have resulted in the email passing the spam check. Content of the emails you send should be seriously considered when sending emails.

However, some of the checks are based on the composition of the code base which generates the email, which you may not understand. If you use one of the latest versions of a modern email program, you shouldn't face this problem, as it is usually only found in website forms that send email from a contact form. If you believe the configuration of the contact form on your website is contributing to your emails being marked as spam, you should take the message headers to your website development company and ask what can be done to reduce the instances of this happening.

X-Original-To
eg. X-Original-To: ed.devereaux@waratahnationalpark.com.au
The final recipient's email address.

Delivered-To
eg. Delivered-To: ed.devereaux@waratahnationalpark.com.au
The email address that this email was delivered to, ie, your email, usually.

Received
eg. Received: from bushkangaroosaustralia.com.au (unknown [156.375.120.54]) by pleskhosting.webclick.com.au (Postfix) with ESMTPS id D9F201DA523C for <ed.devereaux@waratahnationalpark.com.au>; Fri, 4 Dec 2015 12:20:18 +0800 (AWST)
The received is the most important part of the email header and is usually the most reliable. You may have more than one received line in your message headers. Together, they form a list of all the servers/computers through which the message traveled in order to reach you.

The received lines are best read from bottom to top. That is, the first "Received:" line is your own system or mail server. The last "Received:" line is where the mail originated. Each mail system has their own style of "Received:" line. A "Received:" line typically identifies the machine that received the mail and the machine from which the mail was received.

To
eg. To: "Ed Devereaux" <ed.devereaux@waratahnationalpark.com.au>
This shows to whom the message was addressed, but note that it may not always contain the recipient's address.

Subject
eg. Subject: *** SPAM*** Changes to scheduled park feeding times
This is what the sender placed as a topic of the email content. If an email is marked as spam and the email account is configured to mark the subject line of an email if it is determined to be spam, you may see a prefix added to the subject line. The default in the WebClick control panel is "*** SPAM ***".

X-PHP-Originating-Script
eg. X-PHP-Originating-Script: 10044:class-phpmailer.php
Indicates that the email was generated from a website, rather than an email program. You would expect an email sent with a contact form to include this line.

Date
eg. Date: Fri, 4 Dec 2015 12:20:18 +0800
This shows the date and time at which the email was received by the WebClick server or your email client.

From
eg. From: "Skippy" <skippy@bushkangaroosaustralia.com.au>
This displays who the message is from. However, please note that this can be easily forged and can be the least reliable.

MIME-Version
eg.MIME-Version: 1.0
Multipurpose Internet Mail Extensions (MIME) is an Internet standard that extends the format of email.

Content-Type
eg. Content-Type: text/html; charset=UTF-8
Generally, this will tell you the format of the message, such as html or plaintext.

Content-Transfer-Encoding
eg. Content-Transfer-Encoding: 8bit
Indicates the type of transform the email code into an acceptable manner for transport across mail servers.

Message-ID
eg. Message-ID: <91f527f69e783405a06459e23f2c7d54@waratahnationalpark.com.au>
A unique string assigned by the mail system when the message is first created. Note, these can easily be forged.

Message Body
At the very bottom of the message the original email may be included. If the email was composed in HTML, the full source code of the email, including HTML code may also be output.


An example of the message headers from an email that has been determined to be spam

Below, we have included an example of a message header which, in this case, indicates that the email was marked as spam.

DomainKey-Status: no signature
Return-Path: <admin@waratahnationalpark.com.au>
X-Spam-Checker-Version: SpamAssassin 3.x.x (2016-01-01) on pleskhosting.webclick.com.au
X-Spam-Flag: YES
X-Spam-Level: *****************
X-Spam-Status: Yes, score=17.9 required=7.0 tests=FORGED_HOTMAIL_RCVD2, FREEMAIL_FROM, FREEMAIL_REPLYTO_END_DIGIT, HTML_MESSAGE, HTML_MIME_NO_HTML_TAG, MIME_HTML_ONLY, NO_RELAYS, TO_NO_BRKTS_HTML_ONLY, UPPERCASE_50_75, VERY_LONG_REPTO_SHORT_MSG, URIBL_JP_SURBL, HTML_IMAGE_ONLY_08, HTML_SHORT_LINK_IMG_1, XPRIO
autolearn=no version=3.x.x
X-Spam-Report:
* 0.0 FREEMAIL_FROM Sender email is commonly abused enduser mail provider
* (national_park_enthusiast_1984[at]hotmail.com)
* -0.0 NO_RELAYS Informational: message was not relayed via SMTP
* 0.2 FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit
* (national_park_enthusiast_1984[at]hotmail.com)
* 1.2 FORGED_HOTMAIL_RCVD2 hotmail.com 'From' address, but no 'Received:'
* 0.0 HTML_MESSAGE BODY: HTML included in message
* 1.1 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
* 0.6 HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
* 0.8 UPPERCASE_50_75 message body is 50-75% uppercase
* 4.0 VERY_LONG_REPTO_SHORT_MSG Very long Reply-To username + short message
* 2.0 TO_NO_BRKTS_HTML_ONLY To lacks brackets and HTML only
* 2.9 URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist 
* 2.4 HTML_IMAGE_ONLY_08 BODY HTML images with 400-800 bytes of words
* 1.1 HTML_SHORT_LINK_IMG_1 HTML is very short with a linked image 
* 1.6 XPRIO Has X-Priority header
X-Original-To: ed.devereaux@waratahnationalpark.com.au
Delivered-To: ed.devereaux@waratahnationalpark.com.au
Received: by pleskhosting.webclick.com.au (Postfix, from userid 100654) id 7CCF01DA60A9; Wed, 13 Jan 2016 07:34:47 +0800 (AWST)
To: info@waratahnationalpark.com.au, ed.devereaux@waratahnationalpark.com.au, skippy@bushkangaroosaustralia.com.au
Subject: ***SPAM*** Changes to scheduled park feeding times
X-PHP-Originating-Script: 10044:class-phpmailer.php
Date: Tue, 12 Jan 2016 23:34:47 +0000
From: Natalie <national_park_enthusiast_1984@hotmail.com>
Message-ID: <91f527f69e783405a06459e23f2c7d54@waratahnationalpark.com.au>
X-Priority: 3
X-Mailer: PHPMailer 5.2.10 (https://github.com/PHPMailer/PHPMailer/)
Reply-To: national_park_enthusiast_1984@hotmail.com
MIME-Version: 1.0
Content-Type: text/html; charset=UTF-8
Content-Transfer-Encoding: 8bit

(Message Body)
From: Natalie [mailto:national_park_enthusiast_1984@hotmail.com]
Sent: Wednesday, 13 January 2016 10:35 AM
To: info@waratahnationalpark.com.au, ed.devereaux@waratahnationalpark.com.au, skippy@bushkangaroosaustralia.com.au
Subject: ***SPAM*** Changes to scheduled park feeding times

Name: Natalie
Number: 0499 123 123
Email: national_park_enthusiast_1984@hotmail.com
Message: HI
I'M JUST AFTER THE UPDATED PARK FEEDING TIMES. BELOW IS A SCREENSHOT FROM YOUR WEBSITE, IS THIS CORRECT ??
WEBSITE: http://blocked.suspiciousdomainname.com
<IMG7465.jpg>

Understanding the score

Let's have a look at some of the checks that were flagged and the scores they were assigned.

FREEMAIL_REPLYTO_END_DIGIT Reply-To freemail username ends in digit
Total score: 0.2
Explanation: the "username" (the part of the email address preceding the @ symbol, in the case of our example "national_park_enthusiast_1984") ends in a digit and is a free (online) email account.

FORGED_HOTMAIL_RCVD2 hotmail.com 'From' address, but no 'Received:'
Total score: 1.2
Explanation: the from email address (eg, "national_park_enthusiast_1984@hotmail.com") did not pass through the Hotmail server, meaning the email was unlikely to have actually been sent from a hotmail account. In our case, because it was sent from a contact form, we know for a fact that this is correct and was intended to happen.

MIME_HTML_ONLY BODY: Message only has text/html MIME parts
Total score: 1.1
Explanation: message body doesn't contain a plain text alternative to the email, which is useful if a mail program does not display HTML or images. This is considered to be an important standard practice to include in emails.

HTML_MIME_NO_HTML_TAG HTML-only message, but there is no HTML tag
Total score: 0.6
Explanation: the email source code isn't properly constructed.

UPPERCASE_50_75 message body is 50-75% uppercase
Total score: 0.8
Explanation: most of the content of the message body was in capitals.

VERY_LONG_REPTO_SHORT_MSG Very long Reply-To username + short message
Total score: 4.0
Explanation: the "username" (the part of the email address preceding the @ symbol, in the case of our example "national_park_enthusiast_1984") is very long and the message body is very short. Consider some of the spam you get regularly, both of these are quite common!

TO_NO_BRKTS_HTML_ONLY To lacks brackets and HTML only
Total score: 2.0
Explanation: the "From" email address were not written in the following format ""Full Name" <emailaddress@domain.com>", which is the correct format for an email.

URIBL_JP_SURBL Contains an URL listed in the JP SURBL blocklist
Total score: 2.9
Explanation: a URL in the email has been flagged on a blocklist. This is usually because of malicious online activity (such as sending spam or distributing viruses). There is multiple blocklists, so including a blocked URL in an email can cause a dramatic increase in the spam score of an email.

HTML_IMAGE_ONLY_08 BODY HTML images with 400-800 bytes of words
Total score: 2.4
Explanation: an image was included in the email which was determined to be showing mostly text. This is a popular method for attempting to avoid text-based content filters by spammers.

HTML_SHORT_LINK_IMG_1 HTML is very short with a linked image
Total score: 1.1
Explanation: the body of the message is short and and has a linked image. Also a common feature of spam emails.


What does it all mean?

I'm sure you are starting to see a trend in the flags that were being failing.

The person sending the email contributed a total of 8.3 to this spam score. If the message body hadn't been very short, with an image that was mostly composed of text, a link to a blocked URL and written in normal letters instead of capitals, the email scored would have been 9.6.

While the contribution of the sender wasn't quite enough to get it below the minimum spam score, issues with the contact form configuration added 3.7 points to the total score. If these issues could be resolved, that would definitely be enough to get it under the minimum required score.

In most cases, the message headers are enough information to help you make an informed decision about the email you receive.

If you are regularly receiving email that is not being marked as spam, you can use the scores assigned to each email to determine what changes can be made to your anti-spam filter settings, include the mimimum required score, which you can access directly in the control panel of your website.

Alternatively, if you have a website that is generating emails that are regularly being marked as spam, reviewing the flags that the email failed can help inform you if it is a case of user error or if the contact form can perhaps be tweaked to ensure that emails are less likely to be marked as spam.
  • 4 Kasutajad peavad seda kasulikuks
Kas see vastus oli kasulik?

Seotud artiklid

Message Headers

When you send and receive an email, information about your message is transmitted along with the...

Spam - Why do you receive it?

Spam is usually considered to be emails that are junk, unsolicited or irrelevant, typically to...