When an email matches a DNS black list from the DNS black list (insert X-Header) section of the Connection Filtering tab, an X-Header is inserted into the message. X-Headers are also inserted when a message fails a validation test, or if the Insert X-Header spam action is selected on the Content Filtering tab. This X-Header line indicates which spam test the message failed.
Also included in the X-Header is an IP address or CNAME that explains why the message is on the black list. Each black list has different reasons for blacklisting an IP address, such as dialups, bulk mailers, spammers, and open relays.
Each black list also has different ways of categorizing the IP addresses. Some use different domains (query domains) to separate IP addresses based on the reason they are blacklisted. This type of categorization allows you to select the reasons for which you do not want to accept black listed mail, and use the domain that contains IP addresses for that reason.
Other black lists return a reason code/IP address (e.g., 127.0.0.3) to indicate why an IP address is black listed. Although all IP addresses are listed in one domain, each will contain a reason code. For example, a code of 127.0.0.3 may represent a dialup account, and a code of 127.0.0.4 might represent a bulk mailer. The Fiveten black list is an example of one of these black lists.
Unfortunately, there is no standard across black lists. One black list may use separate query domains, and another may use reason/IP codes. Likewise, there is no standard across reason/IP codes. For one black list, 127.0.0.3 may represent dialups, and on another black list this code may represent bulk mailers. The best resource for finding out this information is the black list itself. By visiting its website, you can learn how each black list classifies the listed IP addresses.
An example and a table of all possible antispam X-Headers are shown below.
X-Header Example 1:
X-Header Example 2
| X-Header | Explanation |
|---|---|
| X-IMAIL-SPAM-ADDRBL: (name_of_service, message_ID, IP address/reason) | The message matched an ADDR black list. |
| X-IMAIL-SPAM-DNSBL: (name_of_service, message_ID, IP address/reason) | The message matched a DNS black list. |
| X-IMAIL-SPAM-HELOBL: (name_of_service, message_ID, IP address/reason) | The message matched a HELO/EHLO black list. |
| X-IMAIL-SPAM-HELODOMAIN: (domain_name) | The message failed the HELO/EHLO domain validation. |
| X-IMAIL-SPAM-INVALIDFROM: (from_address) | The message contained an invalid "FROM" address. |
| X-IMAIL-SPAM-IP4R: (name_of_service) | The message matched an IP4R(PTR) black list. |
| X-IMAIL-SPAM-STATISTIC: (<message ID>,<spam probability>) | The message has been identified as spam by the statistical filter. |
| X-IMAIL-SPAM-REVDNS: (ip_address) | The message failed a DNS lookup based on the IP address. |
| X-IMAIL-SPAM-RHSBL: (name_of_service, message ID, IP address/reason) | The message matched a RHS black list. |
| X-IMAIL-SPAM-PHRASE: (<message ID>) | A phrase in the message matched the phrase list. |
| X-IMAIL-SPAM-VALFROM: (<message ID>) | The message failed the "MAIL FROM" address validation. |
| X-IMAIL-SPAM-VALREVDNS: (<message ID>) | The message failed the reverse DNS lookup validation. |
| X-IMAIL-SPAM-VALHELO | The message failed the HELO/EHLO domain validation. |
| X-IMAIL-SPAM-FEATURES:(<message ID>, <found features>) | The message contained the specified HTML tags. |
| X-IMAIL-SPAM-URL-DBL:(<message ID>,<domain>) | The message contained HREF or IMG SRC tags with links to a domain name listed in the URL Domain Black List. |
| X-IMail-SPAM-Premium | The message contained spam content. |
| X-IMail-SPAM-SPF-None | The domain did not publish SPF data. |
| X-IMail-SPAM-SPF-Neutral | The domain published SPF data and returned a "?" value. |
| X-IMail-SPAM-SPF-Pass | The domain published SPF data and the message met the publishing domain's definition of legitimacy. |
| X-IMail-SPAM-SPF-Fail | The domain published SPF data and the message did not meet a domain's definition of legitimacy. The message was identified as a forged message by the SPF filter. |
| X-IMail-SPAM-SPF-Softfail | The domain published SPF data and the message did not meet a domain's strict definition of legitimacy, but the domain cannot confidently state the message is forged. The message was identified as a forged message by the SPF filter. |
| X-IMail-SPAM-SPF-Error | There was an error during the SPF record lookup, and the error could not be correctly interpreted. |
| X-IMail-SPAM-SPF-TempError | There was an error during SPF record lookup. For example, the server was up, but it gave an error. |
| X-IMail-Broken-Mime-Header | The message included a broken MIME header. |
| X-IMAIL-Attachment-Blocked | The message included a file attachment type or MIME type that was selected to be blocked. |
| X-IMAIL-ThreadID: (<message ID>) | Message written to a mailbox includes a ThreadID to simplify tracing the message path through the logs. The ThreadID corresponds to the ID number placed in the syslogs and the number given to corresponding Q and D files. |
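The header formats in the table above, combined with the earlier point that reason codes are not portable between black lists, as an added example that is not part of the original documentation. The list names, message ID and reason maps are constructed, and the parenthesised, comma-separated value layout is assumed from the table; take real reason codes from each black list's own website.

```python
import email

# Constructed per-list reason maps. The same code can mean different things
# on different lists, so the lookup is keyed by service name first.
LIST_REASONS = {
    "example-list-a": {"127.0.0.3": "dialup", "127.0.0.4": "bulk mailer"},
    "example-list-b": {"127.0.0.3": "bulk mailer"},
}
PREFIX = "x-imail-spam-"
# Tests the table documents as (name_of_service, message_ID, IP address/reason).
BLACKLIST_TESTS = {"ADDRBL", "DNSBL", "HELOBL", "RHSBL"}

# Constructed sample message; header values follow the assumed layout.
SAMPLE = (
    "Received: from mail.example.net by mx.example.com\n"
    "X-IMAIL-SPAM-DNSBL: (example-list-a, 1a2b3c, 127.0.0.3)\n"
    "X-IMAIL-SPAM-DNSBL: (example-list-b, 1a2b3c, 127.0.0.3)\n"
    "X-IMAIL-SPAM-VALREVDNS: (1a2b3c)\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

def parse_spam_headers(raw_message):
    """Return one dict per antispam X-Header found in the message."""
    msg = email.message_from_string(raw_message)
    findings = []
    for name, value in msg.items():
        if not name.lower().startswith(PREFIX):
            continue
        test = name[len(PREFIX):].upper()
        inner = value.strip().strip("()")
        fields = [f.strip() for f in inner.split(",")] if inner else []
        finding = {"test": test, "fields": fields}
        if test in BLACKLIST_TESTS and len(fields) == 3:
            service, message_id, reason = fields
            # Resolve the reason against this list's own map only.
            meaning = LIST_REASONS.get(service.lower(), {}).get(
                reason, "not mapped for this list")
            finding.update(service=service, message_id=message_id,
                           reason=reason, meaning=meaning)
        findings.append(finding)
    return findings

if __name__ == "__main__":
    for finding in parse_spam_headers(SAMPLE):
        print(finding)
```
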