Postini Spam Filter

In the past, Postini has been one of those filters where you knew when you got filtered but never knew why. In the following article I hope to remedy this. It's not possible to see the same granularity in the filter that SpamAssassin provides, but hopefully this will help a little.

In order to determine why Postini is blocking an email, one must look at the custom headers it adds to messages. Postini adds the following custom headers:
  • X-pstn-levels
  • X-pstnvirus
  • X-pstn-settings
  • X-pstn-addresses
  • X-pstn-disposition
  • X-pstn-attach-addresses
  • X-cm
  • X-pstn-2strike

X-pstn-levels Header

The following is an example of the X-pstn-levels header:
X-pstn-levels: (S: 0.00000/60.95723 R:95.91080 P:95.91081 M:64.93900 C:93.23770 )

The letter/number pairs tell you which filters were triggered and to what degree. The letters that may appear in this header are:

Spam Filters

  • S = General/bulk spam score
  • P = Sexually explicit (pornography) spam score
  • M = Make-money-fast (MMF) spam score
  • C = Commercial or “special offer” spam score
  • R = Racially insensitive spam score

Industry Heuristics Filters (optional feature)

  • FC = Financial Content score
  • LC = Legal Content score
  • LT = Legal Transport score
  • FT = Financial Transport score
Though the transport categories are listed here, they are not assigned numeric scores and don’t appear in the X-pstn-levels line. If turned on, they will be added to the X-pstn-settings header (see below for a description of that header and how it affects the filtering).

General Transport Heuristics Filters

  • GT1 = General transport heuristics most trusted
  • GT2 = General transport heuristics more trusted
  • GT3 = General transport heuristics trusted

Though the General Transport Heuristics categories are listed here, they are not assigned numeric scores and don’t appear in the X-pstn-levels line. If turned on, they will be added to the X-pstn-settings header (see below for a description of that header and how it affects the filtering).

The General Transport Heuristics engine analyzes both the contents of a message as well as the source of the message. Senders of ~100% valid email will be given a bias against being quarantined as spam. These “trusted senders” are not added to a white list. These senders will continue to be subject to spam filters, but the general transport heuristic will lower the risk that email from valid senders might be accidentally quarantined.

The purpose of general transport heuristics is to reduce false quarantines by creating a “reputation” database of sender behavior.

If one of the general transport heuristic categories triggers, it will show up like any other category in the X-pstn-settings header with a GT1, GT2, or GT3. “GT” stands for “General Transport” and the three categories indicate their level of trust with GT1 being the most trusted. Each of the levels has an assigned multiplier that adjusts the spam threshold based on their level of trust. If a General Transport heuristic has been triggered, the “GT” will be capitalized.

Scores

Each category starts at 100 and goes from there. If any category scores 85 or lower, the message gets quarantined.

The number after the slash ("/") in the S category is the Blatant Spam Blocking (BSB) score. The BSB score is used by the spam engine to identify messages that should be bounced or blackholed. Unlike the spam score, the BSB score should not be evaluated directly.

Should a message score as blatant spam, the BSB disposition of bounce or blackhole will result in the message being discarded, so there will not be any headers for those messages. The reason the BSB score was added is to make it clear to someone evaluating the headers that the message did meet the spam score criterion but failed to meet the BSB score criterion.

X-pstnvirus Header

If Postini detects a virus, it will add the X-pstnvirus header with the virus name. Postini uses two different virus scanners to detect viruses: McAfee and Authentium Antivirus.

If a virus is detected by McAfee, the format of the header will be: X-pstnvirus: McAfee_Virus_Name. You can find more information about the virus detected by searching for McAfee_Virus_Name in the McAfee Virus Information Library.

The Authentium Antivirus engine is an optional feature for service packages. Its format is X-pstnvirus: AUTH-Authentium_Virus_Name. The text AUTH- is not part of the virus name; rather, it indicates that the virus was caught by Authentium, not McAfee. For information on viruses caught by Authentium, search for Authentium_Virus_Name at http://www.authentium.com/support/AVMatrix/portal.aspx

Messages with the X-pstnvirus header will be delivered to your users only in the following cases:
  • Virus disposition is set to Message Header Tagging for the organization that contains the user. In this case, all viruses will be tagged with the header and delivered to your mail server.
  • The administrator (or user, if allowed) delivers the infected or cleaned virus to the user.

The X-pstnvirus header is omitted only when virus protection is not enabled for a user, or there is no email protection service user associated with the recipient’s address.

X-pstn-settings Header

The X-pstn-settings line shows the recipient's spam settings. It will not be present in a message that was delivered to multiple recipients. The format of this header is:
X-pstn-settings: Bulk_Filter_Setting (Base_Threshold : Effective Threshold) category_filters

X-pstn-settings: 5 (2.0000:8.0000) r p M C is an example of this header.

The Bulk_Filter_Setting will be one of the following integers:
  • 1 = lenient
  • 2 = less lenient
  • 3 = moderate
  • 4 = more aggressive
  • 5 = most aggressive

The (Base_Threshold : Effective Threshold) are derived values and should not be directly interpreted, as they are subject to change. If any C, M, P, or R filter that the user turned on has a value less than 85, the effective threshold value is a multiple of the base threshold value. If none of these filters is less than 85, the threshold value is the same as the base value.

    The category_filters indicate which filters the user had turned on (see the X-pstn-levels section for the possible letters and their descriptions). If a filter is triggered because its score is less than 85, the letter will appear in upper case. If a filter is turned off, its corresponding letter will not appear in the header.

    If the S category in the X-pstn-levels header is less than the Effective Threshold, the email will be quarantined.


    Example:
    X-pstn-levels: (S: 0.00000/60.95723 R:95.91080 P:95.91081 M:64.93900 C:93.23770 )
    X-pstn-settings: 5 (2.00000:8.00000) r p M C

    In this example, the spam score is 0.00000 and the effective threshold is 8.00000.
    Since 0.00000 is less than 8.00000, this message is spam.

    X-pstn-2strike Header

    An exception to the spam score and threshold calculations is the X-pstn-2strike header. The X-pstn-2strike header indicates that the spam score was below the effective threshold, but was likely to be a valid message. This is based on the IP address of the sender and the number of recipients of the mail message. If the spam score (S:) is greater than 0.15, the message was allowed through as a valid message.
    Example:
    X-pstn-levels: (S: 0.22604/99.8045 R:97.45080 P:76.42022 M:64.93900 C:93.23770 )
    X-pstn-settings: 5 (2.00000:1500.00000) r P M c
    X-pstn-2strike: clear

    In this example, the X-pstn-2strike is set to “clear” so the message was delivered.

    X-pstn-addresses Header

    Following is an example of an X-pstn-addresses header:
    X-pstn-addresses: from someguy@example.com forward (user good) [1119/49]

    someguy@example.com is the From address used in evaluating the user’s approved and blocked sender lists. If the address appears on one of these lists, the processing is terminated and the disposition noted on this line. The text after the address can be one of the following options. (If nothing appears, the address was not on any of the following lists.)
    • forward (org good) = Address is on the organization's Approved Senders list.
    • quarantined (org bad) = Address is on the organization's Blocked Senders list.
    • forward (user good) = Address is on the user's Approved Senders list.
    • quarantined (user bad) = Address is on the user's Blocked Senders list.
    • forward (good recip) = Address is on the user's Approved Mailing List.

    [1119/49] is a summary of the user’s approved senders list. The first number is the total number of characters in the approved senders list. The second number is the total number of entries in the list. In the above example, there are 1119 characters in the approved senders list and the total number of entries in the list is 49. If there are no entries in the user approved senders list, this will display as [db-null].

    The X-pstn-addresses header will not appear in the headers if one message was sent to multiple users of the email protection service.

    X-pstn-disposition Header

    This header indicates that the message was delivered from a user's Message Center. The disposition is shown on the X-pstn-disposition line.
    Example:
    X-pstn-disposition: quarantine

    This header states that the message was quarantined by the email protection service and then was delivered to the inbox from the Message Center.

    X-pstn-attach-addresses

    If Attachment Manager quarantines a message, the message will not have normal spam headers. Instead, there will be only one header:
    X-pstn-disposition: quarantine

    If the sender appears on the organization-based Approved Senders list, the message containing the attachment will be passed on to the recipient inbox. The header will look like this:
    X-pstn-attach-addresses: from sender@address.com (approved)

    Attachment Manager does not evaluate the user's Approved Senders list.

    X-CM Header

    If a Content Manager filter is triggered, the following line appears in the headers:
    X-CM: (name of triggered Content Manager filter)

    For example:
    X-CM: RolexSpam

    A Final Example

    Following are the headers in an example message:
    X-pstn-levels: (S: 0.46800 R:95.91081 P:95.91081 M:99.85141 C:55.44761 )
    X-pstn-settings: 5 (2.00000:8.00000) r p m C
    X-pstn-addresses: from <junkyjunk9@hotmail.com>
    X-pstn-disposition: quarantine

    The headers give this information about the message:
    • The overall spam score is 0.46800.
    • The only junk mail filter triggered was the Commercial Offer filter (C).
    • The user's Bulk Spam filter was set to Most Aggressive (5).
    • The Effective threshold was 8.00000.
    • This message was quarantined in the Message Center (X-pstn-disposition header).

    This message is spam based on comparing the spam score (S: 0.46800) against the threshold value (8.00000). If the spam score is less than the effective threshold, the message is considered spam. In this example, 0.46800 is less than 8.0000, so this message is spam.
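
The rules described on this page, collected into one header parser as an added example (not Postini's code and not part of the original article). The function names, result keys and verdict strings are assumptions made for illustration; the sample input is the final example's headers.

```python
import re

LEVELS_RE = re.compile(r"([A-Z]+):\s*([\d.]+)(?:/([\d.]+))?")
SETTINGS_RE = re.compile(r"(\d)\s*\(\s*([\d.]+)\s*:\s*([\d.]+)\s*\)\s*(.*)")
LIST_RE = re.compile(r"(forward|quarantined) \(((?:org|user) (?:good|bad)|good recip)\)")

def parse_headers(raw):
    """Return the X-pstn-* and X-CM headers as {lower-cased name: value}."""
    found = {}
    for line in raw.splitlines():
        name, sep, value = line.strip().partition(":")
        if sep and name.lower().startswith(("x-pstn", "x-cm")):
            found[name.lower()] = value.strip()
    return found

def explain(raw):
    """Apply the page's rules: sender lists, then S vs. effective threshold."""
    h = parse_headers(raw)
    r = {"scores": {}, "bsb": None, "triggered": [], "threshold": None, "verdict": "unknown"}
    r["quarantined"] = h.get("x-pstn-disposition") == "quarantine"
    for cat, score, bsb in LEVELS_RE.findall(h.get("x-pstn-levels", "")):
        r["scores"][cat] = float(score)
        if bsb:  # the number after "/" is the BSB score (S category only)
            r["bsb"] = float(bsb)
    # A sender-list hit ends processing before any score comparison.
    listed = LIST_RE.search(h.get("x-pstn-addresses", ""))
    if listed:
        r["verdict"] = f"{listed.group(1)}: sender list ({listed.group(2)})"
        return r
    m = SETTINGS_RE.match(h.get("x-pstn-settings", ""))
    if not m or "S" not in r["scores"]:
        return r  # e.g. multi-recipient mail carries no X-pstn-settings
    r["threshold"] = float(m.group(3))
    r["triggered"] = [t for t in m.group(4).split() if t.isupper()]  # upper case = triggered
    if r["scores"]["S"] >= r["threshold"]:
        r["verdict"] = "not spam: S at or above effective threshold"
    elif h.get("x-pstn-2strike") == "clear":
        r["verdict"] = "delivered: 2strike clear"
    else:
        r["verdict"] = "spam: S below effective threshold"
    return r

# Constructed sample: the headers from the final example on this page.
SAMPLE = """X-pstn-levels: (S: 0.46800 R:95.91081 P:95.91081 M:99.85141 C:55.44761 )
X-pstn-settings: 5 (2.00000:8.00000) r p m C
X-pstn-addresses: from <junkyjunk9@hotmail.com>
X-pstn-disposition: quarantine"""
if __name__ == "__main__":
    print(explain(SAMPLE))
```
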


    Latest page update: made by SyntacticSugar, Jan 21 2008, 5:08 PM EST