+49 (0) 7245 919 581 info@eunetic.com
[EN]
Login
  1. Home
  2. europeanMX Knowledge Base
  3. EuropeanMX Web Interface
  4. What do the classifications of messages in the web interface mean?
europeanMX
Knowledge Base

What do the classifications of messages in the web interface mean?

Via the protocol search it can be seen for incoming and outgoing messages how EuropeanMX has classified a message. For this purpose, EuropeanMX uses different classifications in the columns Main Class, Subclass, Error Class and Extra Class to give the admin or a user a hint.


Activation of the additional columns

To do this, log into the admin panel and click on Incoming > Logs ("How can I log in to the Admin-Panel (web interface of the filter)?". Then, next to the button Show results, you can find the drop-down menu Visible columns. Open the menu and enable the columns Subclass, Error Class and Extra Class. Then click on Show results to display the desired data.






Main class: Spam

Spam messages are emails that are classified by EuropeanMX as unwanted or inappropriate for various reasons. Messages with a main class of spam can have one of the following subclasses:

  • match-set1: Nearly identical messages like this have been reported as spam by other users. The column Extra class displays a number from 0 to 1 indicating how similar the message was.
  • match-set2: Nearly identical messages like this were reported as spam by other users. The column Extra class displays a number from 0 to 1 indicating how similar the message was.
  • contact-box: It has been shown that the Reply-To address of the message or an email address in the message is typically used for spam. The column Extra Class shows the problematic address.
  • contact-box-internal: The Reply-To address of the message or an email address in the message was seen locally in spam. The Extra class column shows the problematic address is displayed.
  • dnsbl: The IP address of the sending server is known to be the source of spam. When you release the message from quarantine and train, it is reported as a classification error to correct our systems. For a temporary override and more details, you can visit https://www.spamrl.com. The column Extra Class displays the name of the quarantine list.
  • dnsbl-rcpt: The IP address of the sending server is known to be a spam source, and the message was rejected at the RCPT TO time. These messages are not quarantined. The column Extra class shows the name of the block list.
  • urlbl: The message contained a URL or domain name that has been seen in spam messages and is on multiple block lists. When you release the message from quarantine and train, it is reported as a classification error to correct our systems. The rejection message that the sender receives contains more information about the list in which the URL or domain in question is listed as blocked. The column extra class displays the name of the blocked list.
  • badly-formed: Structural problems in the message, such as non-ASCII characters (which are not allowed by RFC unless properly encoded - e.g., using UTF-8), prevented EuropeanMX from fully parsing the message.
  • invalid-domain: The target domain was not a valid domain managed by the cluster. Incoming messages were immediately rejected without being quarantined.
  • invalid-recipient: The target mailbox did not exist. Incoming messages are immediately rejected without being quarantined.
  • dictionary-attack: The sender attempted to determine valid email addresses by sending numerous emails to a series of randomly generated addresses.
  • gtube: The GTUBE test string was found in the message.
  • stube: The STUBE test string was found in the message.
  • batv: The message incorrectly pretended to be a bounce of a message sent by the user.
  • statistical-method1-cluster: The content of the message was statistically very similar to other messages previously trained on this cluster. The column Extra class displays a number from 0 - 1 indicating how similar the message was.
  • statistical-method2-cluster: The content of the message was statistically very similar to other messages previously trained on this cluster. The column Extra class displays a number from 0 - 1 indicating how similar the message was.
  • statistical-method1-global: The content of the message was statistically very similar to other messages previously trained globally. The column Extra class displays a number from 0 - 1 indicating how similar the message was.
  • statistical-method2-global: The content of the message was statistically very similar to other messages that had previously been trained globally. The column Extra class displays a number from 0 - 1 indicating how similar the message was.
  • sender-reputation: The sender of the message was known to predominantly send this type of message.
  • combinded-statistical: No particular classifier was certain of the classification of the message, and a best estimate was made based on statistical similarity to messages that had been trained in the past. The "combined" result provides a weighted classification score of the different classifiers. Depending on the configured quarantine threshold, the message is rejected or accepted as spam. If the message is not legitimate, it should be trained as spam. This will adjust the score in our various databases. If the message is legitimate, it should be released and trained. This will adjust the scoring in our various databases. More information about the score can be found in our FAQ article "What does score and threshold mean? How are they calculated?".
  • heuristic-set1: The message matched several patterns commonly found in spam messages. The column Extra class shows the patterns found in spam messages.
  • heuristic-set2: The message matched several patterns commonly found in spam messages. The column Extra class displays the patterns found in spam messages.
  • heuristic: The message contained content or metadata commonly found in spam or phishing messages. The column Extra class displays the content or metadata found in spam or phishing messages.
  • pattern: The layout, format, or content of the message matches a pattern known to spam and phishing attempts. You can release the message from quarantine and train it to be reported as a classification error and correct our systems. The rejection message received from the sender contains more information. The column Extra Class indicates the source of the data that resulted in a content pattern match.
  • pattern-remote: The message contained a link to content that matched a pattern known to occur in spam and phishing attempts. You can release the message from quarantine and train it to report as a classification error and correct our systems. The rejection message received from the sender contains more information. The Extra Class column indicates the source of the data that resulted in a match to the content pattern.
  • combined: No particular classifier was certain of the classification of the message and a best estimate was made. The "combined" result provides a weighted classification score of the different classifiers. Depending on the configured quarantine threshold, the message is rejected as spam or accepted. If the message is not legitimate, it should be trained as spam. This will adjust the rating in our various databases. If the message is legitimate, it should be released and trained. This will adjust the scoring in our various databases. The column Extra Class shows the weighted classification value between 0 and 1.
  • ratelimited: The sending server has exceeded the maximum number of simultaneous SMTP connections that can be made within the time limit. The column Extra Class displays the number of simultaneous SMTP connections and the time limit.


Main class: Not-Spam

Messages classified as Not-Spam are messages that have been determined by EuropeanMX to be safe from unwanted or inappropriate content. Messages with the main class Not-Spam can have one of the following subclasses:

  • dnswl: The IP address of the sending server is listed in several DNS allow lists. This means that no spam has been seen from this server recently. If you train the message as spam, the system will correct this. The column Extra Class shows the admission list where the IP address of the sending server is listed.
  • batv: The message incorrectly pretended to be a bounce of a message sent by the user.
  • statistical-method1-cluster: The content of the message was statistically very similar to other messages previously trained on this cluster. The column Extra class displays a number from 0 - 1 indicating how similar the message was.
  • statistical-method2-cluster: The content of the message was statistically very similar to other messages previously trained on this cluster. The column Extra class displays a number from 0 - 1 indicating how similar the message was.
  • statistical-method1-global: The content of the message was statistically very similar to other messages previously trained globally. The column Extra class displays a number from 0 - 1 indicating how similar the message was.
  • statistical-method2-global: The content of the message was statistically very similar to other messages that were previously trained globally. The column Extra class displays a number from 0 - 1 indicating how similar the message was.
  • sender-reputation: The sender of the message was known to predominantly send this type of message.
  • combined-statistical: No particular classifier was certain of the message's classification and a best estimate was made based on statistical similarity to messages that had been trained in the past. The "combined" result provides a weighted classification score of the different classifiers. Depending on the configured quarantine threshold, the message is rejected or accepted as spam. If the message is not legitimate, it should be trained as spam. This will adjust the score in our various databases. If the message is legitimate, it should be released and trained. This will adjust the scoring in our various databases. More information about the score can be found in our FAQ article "What does score and threshold mean? How are they calculated?".
  • heuristic-set1: The message matched several patterns commonly found in legitimate messages. The column Extra Class shows the patterns found in legitimate messages.
  • heuristic-set2: The message matched several patterns commonly found in legitimate messages. The column Extra class displays the patterns found in legitimate messages.
  • combined: No particular classifier was sure of the classification of the message and a best guess was made. The "combined" result provides a weighted classification score of the different classifiers. Depending on the configured quarantine threshold, the message is rejected as spam or accepted. If the message is not legitimate, it should be trained as spam. This will adjust the rating in our various databases. If the message is legitimate, it should be released and trained. This will adjust the scoring in our various databases. The column Extra Class shows the weighted classification value between 0 and 1.


Main class: Phish

Phishing messages are fraudulent messages that are specifically designed to trick a user into giving out confidential information or to introduce malicious software into the network. Emails that are detected as phishing messages may have been forged or spoofed. Using protocols and frameworks such as SPF, DMARC and DKIM can help prevent this. Messages with the main class Phish may have one of the following subclasses:

  • dmarc-quarantine: The sender's domain has a strict DMARC policy stating that the message should be quarantined.
  • dmarc-reject: The sender's domain has a strict DMARC policy that says the message should be rejected.
  • spf: The envelope sender's domain indicated that it was a phishing message. If it was a legitimate email, this could be due to a forwarding feature. You can find more information in our FAQ article "What is an SPF entry and how should it be designed?". Releasing and training many messages that were rejected because of SPF may cause the sending domain to be skipped in further SPF checks, so this is not recommended.
  • dkim: The message uses an invalid DKIM signature.
  • pattern: The layout, format, or content of the message matches a pattern known to spam and phishing attempts. You can release the message from quarantine and train to report it as a classification error and correct our systems. The rejection message received from the sender contains more information. The column Extra Class indicates the source of the data that resulted in a content pattern match.
  • pattern-remote: The message contained a link to content that matched a pattern known to occur in spam and phishing attempts. You can release the message from quarantine and train it to report as a classification error and correct our systems. The rejection message received from the sender contains more information. The column Extra Class indicates the source of the data that resulted in a match to the content pattern.


Main class: Virus

Messages caught by the filter with the main class Virus have been sent with the express purpose of infecting your computer or network with malicious software specifically designed to cause damage or data loss. Intercepting messages that contain this malicious software is therefore very important. Messages with a main class virus may have one of the following subclasses:

  • pattern-set1: The layout, format or content of the message matches a pattern known for spam and phishing attempts. You can release the message from quarantine and train it to report as a classification error and correct our systems. The rejection message received from the sender contains more information. The column Extra Class indicates the source of the data that resulted in a match to the content pattern.
  • pattern-set1-remote: The message contained a link to content that matched a pattern known to be used in malware. The rejection message received from the sender contains more information. The column Extra Class indicates the source of the data that resulted in a match to the content pattern.
  • pattern-set2: The message contained a link to content that matched a pattern known to be used in malware. The rejection message received from the sender contains more information. The column Extra Class indicates the source of the data that resulted in a match to the content pattern.


Main class: Error

Mails with the main class Error were not successfully delivered due to a problem with access, verification or processing of the message. Messages that are in this state will be retried. Messages with the main class Error can have one of the following subclasses:

  • antivirus-unavailable: A temporary error prevented the message from being scanned by antivirus systems, so the message was temporarily rejected. Delivery of the message will be attempted again later.
  • database-unavailable: A temporary error occurred while accessing the database. Delivery of the message will be retried later.
  • memory: A temporary error occurred while processing the message. Delivery of the message will be retried later.
  • database-crash: A temporary error occurred while accessing the database. Delivery of the message will be retried later.
  • unknown: An error occurred while processing the message. Delivery will be retried later.
  • verification-fail: A problem prevented verification that the recipient domain was known to the cluster.
  • verification-crash: A problem prevented verification that the recipient domain was known to the cluster.


Main class: Unsure

Unsure messages are those where the filter cannot determine exactly what to do with them. These messages often have a "medium" combined rating, where part of the content is classified as potential spam and part as safe. Messages with the main class Unsure can have one of the following subclasses:

  • combined: No particular classifier was sure of the message's classification and a best guess was made. The "combined" result provides a weighted classification score from the various classifiers. Depending on the configured quarantine threshold, the message is rejected as spam or accepted. If the message is not legitimate, it should be trained as spam. This will adjust the rating in our various databases. If the message is legitimate, it should be released and trained. This will adjust the scoring in our various databases. The column Extra Class shows the weighted classification value between 0 and 1.


Main class: Unknown

Messages with the main class Unknown are messages that do not fall into one of the other main classes. Messages with the main class Unknown can have one of the following subclasses:

  • disabled: The filter was disabled when the message was received, so no filtering was done.
  • message/partial: The sending server tried to send the message over multiple connections, which is not supported.
  • connection-lost: The sending server disconnected before the message delivery was complete.
  • disparate-settings: The message could not be delivered to all recipients in the same connection because there was a conflict with the recipients' settings. Delivery of the message will be retried to some recipients.
  • recipient-verification: The destination mailbox did not exist.
  • sender-verification: The sender's address did not exist and the settings required a valid sender mailbox.
  • ratelimited: The sending server exceeded the maximum number of simultaneous SMTP connections that can be made within the time limit. The column Extra Class shows the number of simultaneous SMTP connections and the time limit.


Main class: Block list

The blocking list can be applied to a large number of characteristics of a message. All messages that have an aspect corresponding to a rule in the blocking lists are displayed with the main class Block list. Messages with the main class Block list can have one of the following subclasses:

  • oversize: The message was larger than the maximum allowed size. These messages are immediately rejected without being quarantined.
  • local-characters: The local part of the recipient's address contained characters that were not allowed in the user's settings. These messages are rejected immediately without being quarantined.
  • filename-extension: The message contained an attachment type that was not allowed in the user's settings. The column Extra class shows the file extension of the attachment.
  • password-protected-attachment: The message contained a password-protected attachment and the user's settings did not allow it.
  • ehlo: The sending server identified itself with characters that are not allowed in the user's settings. These messages are immediately rejected without being quarantined.
  • ip: The IP address of the sending server was on the user's IP blocklist.
  • recipients-count: The message appeared to be a bounce, but was sent to multiple recipients. SMTP RFC 5.3.2.1 states that null-sender emails (=bounces) can never be sent to multiple recipients. So there could be a misconfiguration on the mail server.
  • rule-header: The message headers corresponded to a user-defined filtering rule. The column Extra class shows the name of the rule that was matched.
  • rule-body: The text in the message matched a user-defined filtering rule. The column Extra class displays the name of the rule that was fulfilled.
  • rule-attachment_type: The message contained an attachment type that matched a user-defined filtering rule. The column Extra class displays the name of the rule that was satisfied.
  • rule-attachment_name: The message contained an attachment with a file name that matched a custom filtering rule. The column Extra Class displays the name of the rule that was satisfied.
  • rule-decoded: The content of the message matched a user-defined filtering rule. The column Extra class displays the name of the rule that was matched.
  • rule-helo: The sending server identified itself in a way that matched a user-defined filtering rule. The column Extra class displays the name of the rule that was satisfied.
  • rule-rcpt_to: The recipient matched a user-defined filtering rule. The column Extra class displays the name of the rule that was satisfied.
  • rule-s_addr: The sender matched a user-defined filtering rule. The column Extra class displays the name of the rule that was matched.
  • rule-s_addr_spf: The envelope sender matched a user-defined filtering rule and was verified as authentic via SPF. The column Extra Class displays the name of the rule that was satisfied.
  • rule-s_ip: The IP address of the sender matched a user-defined filtering rule. The column Extra Class displays the name of the rule that was matched.
  • rule-s_hostname: The sender's hostname matches a user-defined filtering rule. The column Extra Class displays the name of the rule that was matched.
  • rule-url: A URL or domain name in the message matches a custom filtering rule. The column Extra Class displays the name of the rule that was matched.
  • recipient: The recipient address matched an address in the user's allow or block list, or filtering was disabled for the mailbox. The column Extra Class displays the recipient address that was matched.
  • sender: The sender address matched an address in the user's allow or block list. The column Extra class displays the sender address with which the match was made.
  • ratelimited: The sending server exceeded the maximum number of simultaneous SMTP connections that can be made within the time limit. The column Extra Class shows the number of simultaneous SMTP connections and the time limit.


Main class: Allow list

Allow list can be applied to a large number of characteristics of a message. All messages that have an aspect that corresponds to an Allow rule are displayed with the Allow list main class. Messages with the main class Allow list can have one of the following subclasses:

  • rule-header: The message headers corresponded to a user-defined filtering rule. The column Extra class displays the name of the rule that was matched.
  • rule-body: The text in the message matched a user-defined filtering rule. The column Extra class displays the name of the rule that was matched.
  • rule-attachment_type: The message contained an attachment type that matched a user-defined filtering rule. The column Extra class displays the name of the rule that was matched.
  • rule-attachment_name: The message contained an attachment with a file name that matched a custom filtering rule. The column Extra class displays the name of the rule that was matched.
  • rule-decoded: The content of the message matched a user-defined filtering rule. The column Extra class displays the name of the rule that was matched.
  • rule-helo: The sending server identified itself in a way that matched a user-defined filtering rule. The column Extra class displays the name of the rule that was matched.
  • rule-rcpt_to: The recipient matched a user-defined filtering rule. The column Extra class displays the name of the rule that was matched.
  • rule-s_addr: The sender matched a user-defined filtering rule. The column Extra class displays the name of the rule that was matched.
  • rule-s_addr_spf: The envelope sender matched a user-defined filtering rule and was verified as authentic via SPF. The column Extra class displays the name of the rule that was matched.
  • rule-s_ip: The IP address of the sender matched a user-defined filtering rule. The column Extra class displays the name of the rule that was matched.
  • rule-s_hostname: The sender's hostname matches a user-defined filtering rule. The column Extra class displays the name of the rule that was matched.
  • rule-url: A URL or domain name in the message matches a custom filtering rule. The column Extra class displays the name of the rule that was matched.
  • recipient: The recipient address matched an address in the user's allow or block list, or filtering was disabled for the mailbox. The column Extra class displays the name of the rule that was matched.
  • sender: The sender address matched an address in the user's allow or block list. The column Extra class displays the name of the rule that was matched.
Related topics:

Was this article helpful?

No Yes
You may also be interested in...
The Role of IT Security Policies in Your Business: Protecting Your Digital World

In this article, we look at the importance of IT security policies in your organization and cover various aspects that ensure a secure and resilient business environment.

15.03.2024 Security Awareness
The importance of data classification for data protection

This article addresses the critical role of data classification in privacy. By effectively categorizing and managing your data, you can strengthen your cybersecurity measures and ensure the confidentiality, integrity and availability of your digital assets.

29.03.2024 Data protection