What do the classifications of messages in the web interface mean?

Via the protocol search it can be seen for incoming and outgoing messages how EuropeanMX has classified a message. For this purpose, EuropeanMX uses different classifications in the columns "Main Class", "Subclass", "Error Class" and "Extra Class" to give the admin or a user a hint.

Activation of the additional columns

To do this, log into the admin panel and click on "Incoming" > "Logs" ("How can I log in to the Admin-Panel (web interface of the filter)?". Then, next to the button "Show results", you can find the drop-down menu "Visible columns". Open the menu and enable the columns "Subclass", "Error Class" and "Extra Class". Then click on "Show results" to display the desired data.

Main class: Spam

Spam messages are emails that are classified by EuropeanMX as unwanted or inappropriate for various reasons. Messages with a main class of "spam" can have one of the following subclasses:

  • match-set1
    Nearly identical messages like this have been reported as spam by other users. The "extra class" column displays a number from 0 to 1 indicating how similar the message was.
  • match-set2
    Nearly identical messages like this were reported as spam by other users. The "extra class" column displays a number from 0 to 1 indicating how similar the message was.
  • contact-box
    It has been shown that the Reply-To address of the message or an email address in the message is typically used for spam. The "Extra Class" column shows the problematic address.
  • contact-box-internal
    The Reply-To address of the message or an email address in the message was seen locally in spam. The "Extra class" column shows the problematic address is displayed.
  • dnsbl
    The IP address of the sending server is known to be the source of spam. When you release the message from quarantine and train, it is reported as a classification error to correct our systems. For a temporary override and more details, you can visit https://www.spamrl.com. The "Extra Class" column displays the name of the quarantine list.
  • dnsbl-rcpt
    The IP address of the sending server is known to be a spam source, and the message was rejected at the "RCPT TO" time. These messages are not quarantined. The "Extra class" column shows the name of the block list.
  • urlbl
    The message contained a URL or domain name that has been seen in spam messages and is on multiple block lists. When you release the message from quarantine and train, it is reported as a classification error to correct our systems. The rejection message that the sender receives contains more information about the list in which the URL or domain in question is listed as blocked. The "extra class" column displays the name of the blocked list.
  • badly-formed
    Structural problems in the message, such as non-ASCII characters (which are not allowed by RFC unless properly encoded - e.g., using UTF-8), prevented EuropeanMX from fully parsing the message.
  • invalid-domain
    The target domain was not a valid domain managed by the cluster. Incoming messages were immediately rejected without being quarantined.
  • invalid-recipient
    The target mailbox did not exist. Incoming messages are immediately rejected without being quarantined.
  • dictionary-attack
    The sender attempted to determine valid email addresses by sending numerous emails to a series of randomly generated addresses.
  • gtube
    The GTUBE test string was found in the message.
  • stube
    The STUBE test string was found in the message.
  • batv
    The message incorrectly pretended to be a bounce of a message sent by the user.
  • statistical-method1-cluster
    The content of the message was statistically very similar to other messages previously trained on this cluster. The "extra class" column displays a number from 0 - 1 indicating how similar the message was.
  • statistical-method2-cluster
    The content of the message was statistically very similar to other messages previously trained on this cluster. The "extra class" column displays a number from 0 - 1 indicating how similar the message was.
  • statistical-method1-global
    The content of the message was statistically very similar to other messages previously trained globally. The "extra class" column displays a number from 0 - 1 indicating how similar the message was.
  • statistical-method2-global
    The content of the message was statistically very similar to other messages that had previously been trained globally. The "extra class" column displays a number from 0 - 1 indicating how similar the message was.
  • sender-reputation
    The sender of the message was known to predominantly send this type of message.
  • combinded-statistical
    No particular classifier was certain of the classification of the message, and a best estimate was made based on statistical similarity to messages that had been trained in the past. The "combined" result provides a weighted classification score of the different classifiers. Depending on the configured quarantine threshold, the message is rejected or accepted as spam. If the message is not legitimate, it should be trained as spam. This will adjust the score in our various databases. If the message is legitimate, it should be released and trained. This will adjust the scoring in our various databases. More information about the score can be found in our FAQ article "What does score and threshold mean? How are they calculated?".
  • heuristic-set1
    The message matched several patterns commonly found in spam messages. The "Extra class" column shows the patterns found in spam messages.
  • heuristic-set2
    The message matched several patterns commonly found in spam messages. The "Extra class" column displays the patterns found in spam messages.
  • heuristic
    The message contained content or metadata commonly found in spam or phishing messages. The "extra class" column displays the content or metadata found in spam or phishing messages.
  • pattern
    The layout, format, or content of the message matches a pattern known to spam and phishing attempts. You can release the message from quarantine and train it to be reported as a classification error and correct our systems. The rejection message received from the sender contains more information. The "Extra Class" column indicates the source of the data that resulted in a content pattern match.
  • pattern-remote
    The message contained a link to content that matched a pattern known to occur in spam and phishing attempts. You can release the message from quarantine and train it to report as a classification error and correct our systems. The rejection message received from the sender contains more information. The Extra Class column indicates the source of the data that resulted in a match to the content pattern.
  • combined
    No particular classifier was certain of the classification of the message and a best estimate was made. The "combined" result provides a weighted classification score of the different classifiers. Depending on the configured quarantine threshold, the message is rejected as spam or accepted. If the message is not legitimate, it should be trained as spam. This will adjust the rating in our various databases. If the message is legitimate, it should be released and trained. This will adjust the scoring in our various databases. The "Extra Class" column shows the weighted classification value between 0 and 1.
  • ratelimited
    The sending server has exceeded the maximum number of simultaneous SMTP connections that can be made within the time limit. The Extra Class column displays the number of simultaneous SMTP connections and the time limit.

Main class: Not-Spam

Messages classified as "Not-Spam" are messages that have been determined by EuropeanMX to be safe from unwanted or inappropriate content. Messages with the main class "Not-Spam" can have one of the following subclasses:

  • dnswl
    The IP address of the sending server is listed in several DNS allow lists. This means that no spam has been seen from this server recently. If you train the message as spam, the system will correct this. The "Extra Class" column shows the admission list where the IP address of the sending server is listed.
  • batv
    The message incorrectly pretended to be a bounce of a message sent by the user.
  • statistical-method1-cluster
    The content of the message was statistically very similar to other messages previously trained on this cluster. The "extra class" column displays a number from 0 - 1 indicating how similar the message was.
  • statistical-method2-cluster
    The content of the message was statistically very similar to other messages previously trained on this cluster. The "extra class" column displays a number from 0 - 1 indicating how similar the message was.
  • statistical-method1-global
    The content of the message was statistically very similar to other messages previously trained globally. The "extra class" column displays a number from 0 - 1 indicating how similar the message was.
  • statistical-method2-global
    The content of the message was statistically very similar to other messages that were previously trained globally. The "extra class" column displays a number from 0 - 1 indicating how similar the message was.
  • sender-reputation
    The sender of the message was known to predominantly send this type of message.
  • combined-statistical
    No particular classifier was certain of the message's classification and a best estimate was made based on statistical similarity to messages that had been trained in the past. The "combined" result provides a weighted classification score of the different classifiers. Depending on the configured quarantine threshold, the message is rejected or accepted as spam. If the message is not legitimate, it should be trained as spam. This will adjust the score in our various databases. If the message is legitimate, it should be released and trained. This will adjust the scoring in our various databases. More information about the score can be found in our FAQ article "What does score and threshold mean? How are they calculated?".
  • heuristic-set1
    The message matched several patterns commonly found in legitimate messages. The "Extra Class" column shows the patterns found in legitimate messages.
  • heuristic-set2
    The message matched several patterns commonly found in legitimate messages. The "extra class" column displays the patterns found in legitimate messages.
  • combined
    No particular classifier was sure of the classification of the message and a best guess was made. The "combined" result provides a weighted classification score of the different classifiers. Depending on the configured quarantine threshold, the message is rejected as spam or accepted. If the message is not legitimate, it should be trained as spam. This will adjust the rating in our various databases. If the message is legitimate, it should be released and trained. This will adjust the scoring in our various databases. The "Extra Class" column shows the weighted classification value between 0 and 1.

Main class: Phish

Phishing messages are fraudulent messages that are specifically designed to trick a user into giving out confidential information or to introduce malicious software into the network. Emails that are detected as phishing messages may have been forged or spoofed. Using protocols and frameworks such as SPF, DMARC and DKIM can help prevent this. Messages with the main class "Phish" may have one of the following subclasses:

  • dmarc-quarantine
    The sender's domain has a strict DMARC policy stating that the message should be quarantined.
  • dmarc-reject
    The sender's domain has a strict DMARC policy that says the message should be rejected.
  • spf
    The envelope sender's domain indicated that it was a phishing message. If it was a legitimate email, this could be due to a forwarding feature. You can find more information in our FAQ article "What is an SPF entry and how should it be designed?". Releasing and training many messages that were rejected because of SPF may cause the sending domain to be skipped in further SPF checks, so this is not recommended.
  • dkim
    The message uses an invalid DKIM signature.
  • pattern
    The layout, format, or content of the message matches a pattern known to spam and phishing attempts. You can release the message from quarantine and train to report it as a classification error and correct our systems. The rejection message received from the sender contains more information. The "Extra Class" column indicates the source of the data that resulted in a content pattern match.
  • pattern-remote
    The message contained a link to content that matched a pattern known to occur in spam and phishing attempts. You can release the message from quarantine and train it to report as a classification error and correct our systems. The rejection message received from the sender contains more information. The Extra Class column indicates the source of the data that resulted in a match to the content pattern.

Main class: Virus

Messages caught by the filter with the main class "Virus" have been sent with the express purpose of infecting your computer or network with malicious software specifically designed to cause damage or data loss. Intercepting messages that contain this malicious software is therefore very important. Messages with a main class "virus" may have one of the following subclasses:

  • pattern-set1
    The layout, format or content of the message matches a pattern known for spam and phishing attempts. You can release the message from quarantine and train it to report as a classification error and correct our systems. The rejection message received from the sender contains more information. The "Extra Class" column indicates the source of the data that resulted in a match to the content pattern.
  • pattern-set1-remote
    The message contained a link to content that matched a pattern known to be used in malware. The rejection message received from the sender contains more information. The Extra Class column indicates the source of the data that resulted in a match to the content pattern.
  • pattern-set2
    The message contained a link to content that matched a pattern known to be used in malware. The rejection message received from the sender contains more information. The Extra Class column indicates the source of the data that resulted in a match to the content pattern.

Main class: Error

Mails with the main class "Error" were not successfully delivered due to a problem with access, verification or processing of the message. Messages that are in this state will be retried. Messages with the "Error" main class can have one of the following subclasses:

  • antivirus-unavailable
    A temporary error prevented the message from being scanned by antivirus systems, so the message was temporarily rejected. Delivery of the message will be attempted again later.
  • database-unavailable
    A temporary error occurred while accessing the database. Delivery of the message will be retried later.
  • memory
    A temporary error occurred while processing the message. Delivery of the message will be retried later.
  • database-crash
    A temporary error occurred while accessing the database. Delivery of the message will be retried later.
  • unknown
    An error occurred while processing the message. Delivery will be retried later.
  • verification-fail
    A problem prevented verification that the recipient domain was known to the cluster.
  • verification-crash
    A problem prevented verification that the recipient domain was known to the cluster.

Main class: Unsure

Unsure messages are those where the filter cannot determine exactly what to do with them. These messages often have a "medium" combined rating, where part of the content is classified as potential spam and part as safe. Messages with the main class "Unsure" can have one of the following subclasses:

  • combined
    No particular classifier was sure of the message's classification and a best guess was made. The "combined" result provides a weighted classification score from the various classifiers. Depending on the configured quarantine threshold, the message is rejected as spam or accepted. If the message is not legitimate, it should be trained as spam. This will adjust the rating in our various databases. If the message is legitimate, it should be released and trained. This will adjust the scoring in our various databases. The "Extra Class" column shows the weighted classification value between 0 and 1.

Main class: Unknown

Messages with the main class " Unknown" are messages that do not fall into one of the other main classes. Messages with the main class "Unknown" can have one of the following subclasses:

  • disabled
    The filter was disabled when the message was received, so no filtering was done.
  • message/partial
    The sending server tried to send the message over multiple connections, which is not supported.
  • connection-lost
    The sending server disconnected before the message delivery was complete.
  • disparate-settings
    The message could not be delivered to all recipients in the same connection because there was a conflict with the recipients' settings. Delivery of the message will be retried to some recipients.
  • recipient-verification
    The destination mailbox did not exist.
  • sender-verification
    The sender's address did not exist and the settings required a valid sender mailbox.
  • ratelimited
    The sending server exceeded the maximum number of simultaneous SMTP connections that can be made within the time limit. The Extra Class column shows the number of simultaneous SMTP connections and the time limit.

Main class: Block list

The blocking list can be applied to a large number of characteristics of a message. All messages that have an aspect corresponding to a rule in the blocking lists are displayed with the main class "Block list". Messages with the main class "Block list" can have one of the following subclasses:

  • oversize
    The message was larger than the maximum allowed size. These messages are immediately rejected without being quarantined.
  • local-characters
    The local part of the recipient's address contained characters that were not allowed in the user's settings. These messages are rejected immediately without being quarantined.
  • filename-extension
    The message contained an attachment type that was not allowed in the user's settings. The "Extra class" column shows the file extension of the attachment.
  • password-protected-attachment
    The message contained a password-protected attachment and the user's settings did not allow it.
  • ehlo
    The sending server identified itself with characters that are not allowed in the user's settings. These messages are immediately rejected without being quarantined.
  • ip
    The IP address of the sending server was on the user's IP blocklist.
  • recipients-count
    The message appeared to be a bounce, but was sent to multiple recipients. SMTP RFC states that null-sender emails (=bounces) can never be sent to multiple recipients. So there could be a misconfiguration on the mail server.
  • rule-header
    The message headers corresponded to a user-defined filtering rule. The "extra class" column shows the name of the rule that was matched.
  • rule-body
    The text in the message matched a user-defined filtering rule. The "Extra class" column displays the name of the rule that was fulfilled.
  • rule-attachment_type
    The message contained an attachment type that matched a user-defined filtering rule. The "Extra class" column displays the name of the rule that was satisfied.
  • rule-attachment_name
    The message contained an attachment with a file name that matched a custom filtering rule. The Extra Class column displays the name of the rule that was satisfied.
  • rule-decoded
    The content of the message matched a user-defined filtering rule. The "Extra class" column displays the name of the rule that was matched.
  • rule-helo
    The sending server identified itself in a way that matched a user-defined filtering rule. The "Extra class" column displays the name of the rule that was satisfied.
  • rule-rcpt_to
    The recipient matched a user-defined filtering rule. The "Extra class" column displays the name of the rule that was satisfied.
  • rule-s_addr
    The sender matched a user-defined filtering rule. The "Extra class" column displays the name of the rule that was matched.
  • rule-s_addr_spf
    The envelope sender matched a user-defined filtering rule and was verified as authentic via SPF. The Extra Class column displays the name of the rule that was satisfied.
  • rule-s_ip
    The IP address of the sender matched a user-defined filtering rule. The Extra Class column displays the name of the rule that was matched.
  • rule-s_hostname
    The sender's hostname matches a user-defined filtering rule. The Extra Class column displays the name of the rule that was matched.
  • rule-url
    A URL or domain name in the message matches a custom filtering rule. The Extra Class column displays the name of the rule that was matched.
  • recipient
    The recipient address matched an address in the user's allow or block list, or filtering was disabled for the mailbox. The "Extra Class" column displays the recipient address that was matched.
  • sender
    The sender address matched an address in the user's allow or block list. The extra class column displays the sender address with which the match was made.
  • ratelimited
    The sending server exceeded the maximum number of simultaneous SMTP connections that can be made within the time limit. The Extra Class column shows the number of simultaneous SMTP connections and the time limit.

Main class: Allow list

Allow list can be applied to a large number of characteristics of a message. All messages that have an aspect that corresponds to an Allow rule are displayed with the Allow list main class. Messages with the Allow list main class can have one of the following subclasses:

  • rule-header
    The message headers corresponded to a user-defined filtering rule. The "Extra class" column displays the name of the rule that was matched.
  • rule-body
    The text in the message matched a user-defined filtering rule. The "Extra class" column displays the name of the rule that was matched.
  • rule-attachment_type
    The message contained an attachment type that matched a user-defined filtering rule. The "Extra class" column displays the name of the rule that was matched.
  • rule-attachment_name
    The message contained an attachment with a file name that matched a custom filtering rule. The Extra Class column displays the name of the rule that was matched.
  • rule-decoded
    The content of the message matched a user-defined filtering rule. The "Extra class" column displays the name of the rule that was matched.
  • rule-helo
    The sending server identified itself in a way that matched a user-defined filtering rule. The "Extra class" column displays the name of the rule that was matched.
  • rule-rcpt_to
    The recipient matched a user-defined filtering rule. The "Extra class" column displays the name of the rule that was matched.
  • rule-s_addr
    The sender matched a user-defined filtering rule. The "Extra class" column displays the name of the rule that was matched.
  • rule-s_addr_spf
    The envelope sender matched a user-defined filtering rule and was verified as authentic via SPF. The Extra Class column displays the name of the rule that was matched.
  • rule-s_ip
    The IP address of the sender matched a user-defined filtering rule. The Extra Class column displays the name of the rule that was matched.
  • rule-s_hostname
    The sender's hostname matches a user-defined filtering rule. The Extra Class column displays the name of the rule that was matched.
  • rule-url
    A URL or domain name in the message matches a custom filtering rule. The Extra Class column displays the name of the rule that was matched.
  • recipient
    The recipient address matched an address in the user's allow or block list, or filtering was disabled for the mailbox. The "Extra Class" column displays the recipient address that was matched.
  • sender
    The sender address matched an address in the user's allow or block list. The "Extra class" column displays the sender address with which the match was made.

Was this article helpful?
No Yes