Reputation filter
This filter performs various checks on the email envelope, the content of the email and the headers. Some of the checks also analyse DKIM (DomainKeys Identified Mail) and SPF (Sender Policy Framework). Depending on the result of each test, SCL (Spam Confidence Level) points can be assigned; the points can be configured individually. This allows you to adapt the assessments to the requirements of your company.
Title | Description |
---|---|
Unsecured connection | Checks if the inbound connection is secured by TLS. TLS encryption guarantees that both meta and content data are exchanged in encrypted form between the email client and the server or between different email servers. The General Data Protection Regulation (GDPR) prescribes the use of TLS encryption. Since spammers often do not comply with the GDPR, this test allows conclusions to be drawn about the legitimacy of the email. |
Title | Description |
---|---|
Missing PTR record | Checks whether the IP address can be resolved back to a hostname. If this is not the case, the cause is a missing PTR entry. PTR (Pointer Resource Records) assign one or more hostnames to an IP address in the DNS. If this assignment is not possible, this indicates an attempt at misuse. |
Suspected dynamic address | Checks whether the hostname associated with the IP address includes the IP address in text form. NoSpamProxy checks whether the IP address originates from a dynamic IP address range. This often occurs with infected computers acting as spambots. |
Reverse lookup failed | Checks whether the hostname associated with the IP address of the email server can be resolved back to this IP address in a 'reverse lookup'. If this is not possible, this indicates spoofing, since it is highly likely that the actual identity of the host is to be concealed. |
Missing IP address | Checks whether the 'MAIL FROM' domain can be resolved to an IP address. If this is not possible, this indicates an attempt at misuse, as the domain in question most probably does not exist. |
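
The following added example (not NoSpamProxy code) sketches the 'Missing PTR record', 'Suspected dynamic address' and 'Reverse lookup failed' tests from the table above. It assumes IPv4 only and a simple "octets appear in the hostname" heuristic; the lookup tables are constructed stand-ins for DNS queries, and all function and variable names are hypothetical.

```python
import ipaddress
import re

# Constructed sample data standing in for DNS (documentation address ranges only).
PTR_RECORDS = {  # IP address -> hostnames returned by the PTR lookup
    "203.0.113.7": ["pool-203-0-113-7.dyn.example.net"],
    "198.51.100.25": ["mail.example.org"],
    "198.51.100.10": ["mx1.example.com"],
}
A_RECORDS = {  # hostname -> IP addresses returned by the forward lookup
    "pool-203-0-113-7.dyn.example.net": ["203.0.113.7"],
    "mail.example.org": ["198.51.100.99"],  # does not point back to the sender
    "mx1.example.com": ["198.51.100.10"],
}

def ip_in_hostname(ip, hostname):
    """True if the IPv4 octets appear in the hostname in text form."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    # Numeric runs with zero-padding removed: 'pool-203-0-113-007' -> 203, 0, 113, 7
    runs = [str(int(r)) for r in re.findall(r"\d+", hostname)]
    for order in (octets, octets[::-1]):  # forward and in-addr.arpa style order
        if any(runs[i:i + 4] == order for i in range(len(runs) - 3)):
            return True
    # Packed zero-padded form, e.g. 203000113007
    return "".join(o.zfill(3) for o in octets) in hostname

def dns_findings(ip, ptr_records, a_records):
    """Return the names of the DNS tests from the table that this sender IP triggers."""
    hostnames = ptr_records.get(ip, [])
    if not hostnames:
        return ["Missing PTR record"]
    findings = []
    if any(ip_in_hostname(ip, h) for h in hostnames):
        findings.append("Suspected dynamic address")
    # Forward-confirm: at least one PTR hostname must resolve back to the same IP.
    if not any(ip in a_records.get(h, []) for h in hostnames):
        findings.append("Reverse lookup failed")
    return findings

if __name__ == "__main__":
    for ip in ("203.0.113.7", "198.51.100.25", "192.0.2.10", "198.51.100.10"):
        print(ip, "->", dns_findings(ip, PTR_RECORDS, A_RECORDS))
```
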
Title | Description |
---|---|
SPF failed | Checks whether a valid SPF record exists. Checks whether the IP address of the email server is stored in the DNS as an authorised MTA (Mail Transfer Agent), i.e. whether it is allowed to send emails for this domain. This test only awards points if no DMARC policy (see below) is active. |
DKIM failed | Performs DKIM checks for the respective email. These checks consist of verification of the header signature and the hash calculated from the body of the email, which is also signed. The sender's public key is stored in the DNS. This test only awards points if no DMARC policy (see below) is active. |
DMARC result 'quarantine' | The mode 'quarantine' is defined in the DMARC policy of the sender for the case of a failed check. The DMARC examination also includes the so-called 'alignment' between the domains examined by DKIM and SPF. The amount of points awarded depends on the DMARC result applied. |
DMARC result 'reject' | In the DMARC policy of the sender, the mode 'reject' is defined for the case of a failed check. The DMARC examination also includes the so-called 'alignment' between the domains examined by DKIM and SPF. The amount of points awarded depends on the DMARC result applied. |
Address is not aligned | Checks whether the 'MAIL FROM' domain and 'Header-From' domain are identical ('alignment'). This test only awards points if no DMARC policy is active. |
NOTE: If one or more DMARC-type checks (SPF, DKIM or DMARC) fail, this result is overridden by an intact ARC control chain. In such a case, no penalty points are awarded which would increase the Spam Confidence Level (SCL). See Trusted ARC signers.
Title | Description |
---|---|
Invalid angle brackets | Checks if the 'Header-From' contains an angle bracket with an invalid email address, which is not RFC compliant. Lack of RFC compliance indicates spam, as spammers may be less concerned with ensuring such compliance. |
Missing sender | Checks if the 'MAIL FROM' is empty and the 'Header-From' contains a valid email address. If this is not the case, this indicates NDR backscatter. Mobile devices and email applications such as Outlook only show the display name, so abuse is not detected. |
Corporate domain in email address | Checks whether the email address specified in the 'Header-From' contains a corporate domain. If this is the case, it indicates identity theft, since this test can only be used for inbound emails and therefore it must be an external email. Note that such a case can also occur if an external email system sends on behalf of the corporate domain but is not configured as a corporate email server (see Adding corporate email servers). EXAMPLE: <xyz@netatwork.de> NOTE: A valid DKIM signature for the 'Header-From' domain overrides this filter by default so that no penalty points are awarded. To prevent this behaviour, please refer to the information under How to override the DKIM signature in the reputation filter. |
Corporate domain in display name | Checks if the display name contains an email address that includes a corporate domain. Email addresses that include corporate domains are used by spammers as part of display names, as this is the only name that initially appears in many mobile devices and email programs. The sender can thus feign a false identity. EXAMPLE: "Uwe Ulbrich uwe.ulbrich@netatwork.de" <spam@spammer.de> |
Subdomain of a corporate domain in email address | Checks whether a subdomain of a corporate domain is in use. If this subdomain is legitimate, the filter 'Corporate domain in email address' is applied. EXAMPLE: <xyz@hr.netatwork.de> |
Subdomain of a corporate domain in display name | Checks if the display name contains a subdomain of a corporate domain. Domains in the display name are used by spammers because many mobile devices and email applications initially display only this name. The sender can thus feign a false identity. EXAMPLE: "hr.netatwork.de" <spam@spammer.de> |
Obfuscated corporate domain in email address | See test 'Corporate domain in email address'. In addition, this test checks whether the domain uses ASCII characters that look similar to certain letters. EXAMPLE: <xyz@n3tatw0rk.de> |
Obfuscated corporate domain in display name | See test 'Corporate domain in display name'. In addition, this test checks whether the domain uses ASCII characters that look similar to certain letters. Domains in the display name are used by spammers because many mobile devices and email applications initially display only this name. EXAMPLE: "Uwe Ulbrich uwe.ulbrich@n3tatw0rk.de" <spam@spammer.de> |
Subdomain of an obfuscated corporate domain in email address | See test 'Subdomain of a corporate domain in email address'. In addition, this test checks whether the domain uses ASCII characters that look similar to certain letters. EXAMPLE: <xyz@hr.netatwork.de> |
Subdomain of an obfuscated corporate domain in display name | See test 'Subdomain of a corporate domain in display name'. In addition, this test checks whether the domain uses ASCII characters that look similar to certain letters. Domains in the display name are used by spammers because many mobile devices and email applications initially display only this name. EXAMPLE: "Uwe Ulbrich uwe.ulbrich@hr.n3tatw0rk.de" <spam@spammer.de> |
Multiple email addresses | Checks whether the 'Header-From' contains more than one email address, which is not RFC compliant. Lack of RFC compliance indicates spam, as spammers may be less concerned with ensuring such compliance. |
Domain in display name different from email address | Checks if a domain specified in the display name of the 'Header-From' is different from the domain that is part of the 'Header-From' email address. Domains in the display name are used by spammers because many mobile devices and email applications initially display only this name. EXAMPLE: "service@paypal.com" <spam@spammer.de> |
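
The following added example (not NoSpamProxy code) shows how the corporate-domain and display-name tests in the table above can be reproduced on a raw 'Header-From' value, using the page's own EXAMPLE strings as input. The corporate domain list, the look-alike character map and all function names are assumptions made for illustration.

```python
import re
from email.utils import parseaddr

CORPORATE_DOMAINS = {"netatwork.de"}  # assumption: taken from the page's examples
# Assumption: a small digit-for-letter map; the product's real table is not documented here.
LOOKALIKES = str.maketrans("013457", "oleast")
# A domain, optionally preceded by a local part so "uwe.ulbrich@" is not read as a domain.
DOMAIN_RE = re.compile(r"(?:[\w.+-]+@)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

def classify_domain(domain):
    """Return (kind, obfuscated); kind is 'corporate', 'subdomain' or None."""
    domain = domain.lower()
    for obfuscated in (False, True):  # exact match first, then with look-alikes folded
        fold = (lambda s: s.translate(LOOKALIKES)) if obfuscated else (lambda s: s)
        for corp in CORPORATE_DOMAINS:
            if fold(domain) == fold(corp):
                return "corporate", obfuscated
            if fold(domain).endswith("." + fold(corp)):
                return "subdomain", obfuscated
    return None, False

def title(kind, obfuscated, where):
    """Build the test title as it is written in the table above."""
    core = "obfuscated corporate domain" if obfuscated else "corporate domain"
    if kind == "subdomain":
        core = f"subdomain of {'an' if obfuscated else 'a'} {core}"
    return f"{core[0].upper()}{core[1:]} in {where}"

def header_from_findings(header_from):
    """Names of the Header-From tests that a raw header value would trigger."""
    display, address = parseaddr(header_from)
    addr_domain = address.rpartition("@")[2].lower()
    findings = []
    kind, obfuscated = classify_domain(addr_domain)
    if kind:
        findings.append(title(kind, obfuscated, "email address"))
    for match in DOMAIN_RE.finditer(display):  # domains shown inside the display name
        shown = match.group(1).lower()
        kind, obfuscated = classify_domain(shown)
        if kind:
            findings.append(title(kind, obfuscated, "display name"))
        if shown != addr_domain:
            findings.append("Domain in display name different from email address")
    return findings

if __name__ == "__main__":
    for sample in ('<xyz@n3tatw0rk.de>', '"service@paypal.com" <spam@spammer.de>'):
        print(sample, "->", header_from_findings(sample))
```

Reporting a display-name domain under both its corporate-domain test and the 'different from email address' test is a choice made in this example; the page does not state how the product combines them.
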
Title | Description |
---|---|
Invalid '@' | Checks if the 'Header-To' contains an '@' character that is not part of an email address, which is not compliant with RFC 5322. Lack of RFC compliance indicates spam, as spammers may be less concerned with ensuring such compliance. |
Invalid angle brackets | Checks if the 'Header-To' contains angle brackets with an invalid email address, which is not compliant with RFC 5322. Lack of RFC compliance indicates spam, as spammers may be less concerned with ensuring such compliance. |
Missing 'Header-To' | Checks whether the 'Header-To' contains a specification or is present at all. If this is not the case, the recipient cannot be determined. In this case, information on the recipient can only be found in the 'Bcc' field. |
Missing corporate email address | Checks whether the 'Header-To' or the 'CC' contains a corporate email address. In this case, information on the recipient can only be found in the 'Bcc' field. |