I’d need the full headers from BOTH samples. My suspicion is that the IPs used in each are different. Otherwise, without solid forensic data (the full headers), I’m not prepared to, “Guess Authoritatively”. 😊
We need the full headers of both samples, from both the BCL:2 and BCL:7 emails.

Aloha,
Michael.
--
Michael J Wise
Microsoft Corporation| Spam Analysis
"Your Spam Specimen Has Been Processed."
Got the Junk Mail Reporting Tool<http://www.microsoft.com/en-us/download/details.aspx?id=18275> ?

From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Stefano Bagnara
Sent: Tuesday, May 23, 2017 10:43 AM
To: mailop <mailop@mailop.org>
Subject: Re: [mailop] Hosted exchange/Office 365 specific domain junk issue (MLV:ovrnspm)

On 23 May 2017 at 19:34, Michael Wise <michael.w...@microsoft.com> wrote:

Machine Learning Verdict.
But it was the BCL value of the sending IP that classified it as SCL:9 High Confidence Spam.

Can you add something more? The same message is not blocked from other office domains (BCL:1 & SCL:1).

Is the BCL something related to internal abuse collection for that specific domain? (the postmaster told me that they don't think the emails are spam, but in fact I see "low open rates" and this is the only "monitor" I have (didn't receive complaints and the postmaster confirmed they are happy to receive those messages).

Or is it just related to the fact that the sender sends the same message to 2000 recipients for that domain and this "alone" is enough to trigger MLV?

What are the inputs for the BCL value for an IP? I guess this is not "shared" (because BCL is 1 when I send the same message to another recipient) but then if it is not shared this domain just received these messages from that IP and they say they are happy to receive it.

Is there anything I can suggest their postmaster to do about this "false positive"?

Aloha,
Michael.
--
Michael J Wise
Microsoft Corporation| Spam Analysis
"Your Spam Specimen Has Been Processed."
Got the Junk Mail Reporting Tool<http://www.microsoft.com/en-us/download/details.aspx?id=18275> ?

From: mailop [mailto:mailop-boun...@mailop.org] On Behalf Of Stefano Bagnara
Sent: Tuesday, May 23, 2017 5:24 AM
To: mailop <mailop@mailop.org>
Subject: [mailop] Hosted exchange/Office 365 specific domain junk issue (MLV:ovrnspm)

Hi all,

One of my customers is sending an email to 2000 recipients in the unicampania.it domain (the domain is a university domain and the sender is a labor-union for the university employees), a domain hosted pointing to the outlook protection MX and using a hosted exchange service.
Here is an excerpt of the junked email their postmaster sent back to me:

X-Forefront-Antispam-Report: CIP:213.171.189.21;IPV:NLI;CTRY:IT;EFV:NLI;SFV:SPM;SFS:(8196002)(31630200002)(3000300001)(438002)(286005)(359002)(199003)(349900001)(189002)(349012);DIR:INB;SFP:;SCL:9;SRVR:AM4PR0501MB2274;H:ms21.mailvox.it;FPR:;SPF:Pass;MLV:ovrnspm;A:1;MX:1;PTR:ms21.mailvox.it;CAT:HSPM;LANG:it;
X-DkimResult-Test: Passed
X-Microsoft-Antispam: UriScan:;BCL:7;PCL:0;RULEID:(22001)(421252002)(81800236)(3001016)(71702078);SRVR:AM4PR0501MB2274;
X-Exchange-Antispam-Report-Test: UriScan:(81227570615382);
X-Exchange-Antispam-Report-CFA-Test: BCL:7;PCL:0;RULEID:(601004)(701104)(2401047)(13018025)(8121501046)(13016025)(9101536074)(10201501046)(3002001)(93006095)(93005095);SRVR:AM4PR0501MB2274;BCL:7;PCL:0;RULEID:;SRVR:AM4PR0501MB2274;
X-CustomSpam: Bulk Mail | Bulk Mail
SpamDiagnosticOutput: 1:6
SpamDiagnosticMetadata: Default:7
X-MS-Exchange-Organization-SCL: 6

I'm in touch with the unicampania.it admin, who says that they have no specific filter and they started using hosted exchange only recently.
If I send the same message to my own office365 hosted account (on a different domain) it is delivered in inbox with SCL=1 instead of SCL=9 (and with BCL:2 instead of BCL:7).

Does anyone know what are the meanings of the "MLV" part of the header? This is the first time I see that "MLV:ovrnspm". We all guess what spm is for, but what about "ovrn"?

The receiving postmaster told me that they are using an "almost unconfigured" version of hosted exchange and they didn't apply any specific rule (the postmaster for the receiving domain knows the sender).

I know how to open a ticket for the Outlook.com platform, but this is something specific to the hosted exchange (and maybe specific to a custom domain, even if they didn't configure anything): is there an only form for office365/hosted-exchange issues?

Stefano
--
Stefano Bagnara
Void Labs / VOXmail.it
Apache James/jSPF/jDKIM
_______________________________________________
mailop mailing list
mailop@mailop.org
https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop
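
Added example, not part of the thread and not Microsoft's tooling: a small parser that pulls the KEY:value fields out of the X-Forefront-Antispam-Report and X-Microsoft-Antispam headers of two samples and lists the fields that differ, which is the side-by-side comparison the request for full headers is after. The junked sample is abridged from the excerpt above; the inbox sample is constructed (only SCL:1 and BCL:2 come from the thread, the connecting IP is a documentation address), and the code assumes field values contain no spaces.

```python
import re
from email import message_from_string

ANTISPAM_HEADERS = ("X-Forefront-Antispam-Report", "X-Microsoft-Antispam")
COMPARE = ("CIP", "SCL", "BCL", "SFV", "MLV", "SPF", "PTR")

# Abridged from the junked sample quoted in the thread (SFS/RULEID lists and
# some fields dropped, one line folded to exercise unfolding).
JUNKED = (
    "X-Forefront-Antispam-Report: CIP:213.171.189.21;IPV:NLI;CTRY:IT;SFV:SPM;\n"
    "\tSCL:9;H:ms21.mailvox.it;SPF:Pass;MLV:ovrnspm;PTR:ms21.mailvox.it;CAT:HSPM;\n"
    "X-Microsoft-Antispam: UriScan:;BCL:7;PCL:0;\n\n"
)
# CONSTRUCTED inbox sample: only SCL:1 and BCL:2 come from the thread; the
# CIP is a documentation address (RFC 5737), not a real observation.
INBOX = (
    "X-Forefront-Antispam-Report: CIP:192.0.2.10;SCL:1;H:ms21.mailvox.it;"
    "SPF:Pass;PTR:ms21.mailvox.it;\n"
    "X-Microsoft-Antispam: UriScan:;BCL:2;PCL:0;\n\n"
)

def parse_antispam(raw_headers):
    """Collect KEY:value pairs from the semicolon-separated antispam headers."""
    msg = message_from_string(raw_headers)
    fields = {}
    for name in ANTISPAM_HEADERS:
        for value in msg.get_all(name, []):
            # Undo header folding; assumes values carry no meaningful spaces.
            unfolded = re.sub(r"\r?\n[ \t]+", "", value)
            for item in unfolded.split(";"):
                # Split on the first colon only so an IPv6 CIP stays intact.
                key, sep, val = item.strip().partition(":")
                if sep and key:
                    fields.setdefault(key, val.strip())
    return fields

def diff_fields(a, b, keys=COMPARE):
    """Return {key: (value_in_a, value_in_b)} for keys whose values differ."""
    return {k: (a.get(k), b.get(k)) for k in keys if a.get(k) != b.get(k)}

if __name__ == "__main__":
    for key, (junk, inbox) in diff_fields(parse_antispam(JUNKED),
                                          parse_antispam(INBOX)).items():
        print(f"{key:4} junked={junk!r:18} inbox={inbox!r}")
```

A field missing from one sample shows up as `None` on that side, so a truncated header excerpt is visible in the diff rather than silently treated as a match.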