Search
Search allows anti-spam policies to be checked to confirm whether an Email Address, Domain or IP Address is specifically allowed or blocked, without having to check individual policies. By searching for the identifiers of a particular message, the Search feature can be used to determine why anti-spam agents blocked or did not block the message. Partial matches are possible for all types of searches with the Contains and Starts With Match Types.
The policies which are searched depend on the type of identifier being searched (Email Address, Domain or IP Address) and the Match Type (Exact, Starts With or Contains). In the case of an Exact Match IP Address or Domain search, QSS Exchange Anti-Spam Toolkit performs a real-time lookup of IP Allow and Block List Providers or URL Block List Providers respectively. Starts With and Contains searches only search static lists as the Block List Provider services do not support partial match searches.
Coming Soon: Automated Message Analysis by Message ID
Currently under development, a future update to QSS Exchange Anti-Spam Toolkit will provide the ability to search for a specific Message ID, in addition to the above search types. This will perform detailed content analysis of the message, including inspection of URLs within the message, and will explain why it was blocked or not blocked, without having to search for the individual characteristics (email address, domain name or IP addresses).
Search Criteria
Search for
Select the type of identifier to search for. The type of identifier determines what will be searched as certain policies are only relevant to certain types of identifier.
Email Address
An Email Address search will check the following policies:
- Sender Filter Blocked Senders
- Sender Filter Blocked Sender Domains*
- Sender ID Allowed Recipients
- Sender ID Allowed Sender Domains*
- Connection Filter IP Block List Providers Allowed Recipients
- Content Filter Allowed Recipients
- Content Filter Allowed Senders
- Recipient Filter Blocked Recipients
- Mailbox Junk Configuration Allowed Senders and Domains
- Mailbox Junk Config Blocked Senders and Domains
*For these policies, only the domain part of the email address can be checked. If the Search Query is not a complete address with an @ symbol, the entire Search Query will be checked.
Domain
A Domain search will check the following policies:
- Sender Filter Blocked Sender Domains
- Sender ID Allowed Sender Domains
- URL Filter Block List Providers
- URL Filter Allowed Domains
- URL Filter URL Shorteners
- Sender Score Allowed Domains
- Content Filter Allowed Sender Domains
- Mailbox Junk Config Allowed Domains
- Mailbox Junk Config Blocked Domains
IP Address
- Transport Config Internal SMTP Servers
- Connection Filter IP Allow List Entries
- Connection Filter IP Block List Entries
- Connection Filter IP Allow List Providers*
- Connection Filter IP Block List Providers*
- Sender Score Reputation Service*
*These policies can only be analyzed if the Match Type is Exact.
Entry Type
Either Allow or Block entries can be searched. If the Entry Type is set to Allow, only policies which allow will be checked. If the Entry Type is set to Block, only policies which block will be checked.
Both Allow & Block Policies may need to be searched
Searching for Allow policies will display any policies which would allow the identifier being searched, even if another policy would block the same identifier. Conversely, searching for Block policies will display any policies which would block the identifier being searched, even if another policy would allow the same identifier.
This allows you to see a complete view of your configuration and makes it possible to find and correct errors in the anti-spam configuration. To determine how the policies will be applied, it is necessary to understand how the different types of filters work (as explained in the documentation).
Match Type
Exact
Only exact matches will be returned. This is the only type of search which can perform real-time checks on IP Allow or Block List Provider services, Sender Scores and URL Block List Providers, as those services do not support partial matches.
Starts With
Any entries which start with the entered Search Query will be returned.
Contains
Any entries which contain the entered Search Query (not necessarily at the start) will be returned. This type of search may take longer than others.
Search Query
For the Search Query, enter the Email Address, Domain or IP Address to search for.
Tips for Analyzing Specific Messages
When analyzing a specific message for email-address- or domain-related policies, be aware that the From address provided in the MAIL FROM command during the SMTP session (sometimes referred to as the Envelope From address) can be different from the value in the From MIME header. The Envelope From address can usually be found in the Return-Path MIME header. In some cases, the address in the Reply-To MIME header may also need to be checked.
When analyzing a specific message for domain-related policies, the domains of URLs contained within the body of the message will need to be checked if any URL Block List Providers are enabled. Also note that the domain provided in the SMTP EHLO/HELO command is checked by QSS URL Blocklist Agent, but it cannot be obtained from message headers. The exact domain which caused a message to be blocked is recorded in the QSS URL Filter Agent Logs.
In all cases, it is recommended to check the Received-SPF, X-MS-Exchange-Organization-SCL and X-ReturnPathSenderScore MIME headers, if present.
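The following added example (not part of QSS Exchange Anti-Spam Toolkit or its documentation) shows one way to collect the identifiers described in the tips above from a saved message, so that each can be entered as a Search Query. The function name `search_identifiers` and the sample message are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import getaddresses
from urllib.parse import urlsplit

# Constructed sample message for illustration only.
SAMPLE = """\
Return-Path: <bounce@mailer.example.net>
Received-SPF: Pass (constructed sample value)
X-MS-Exchange-Organization-SCL: 5
From: "Accounts" <billing@example.com>
Reply-To: replies@example.org
To: user@recipient.example
Subject: Invoice
Content-Type: text/plain; charset=utf-8

Pay here: http://short.example/abc or https://Portal.Example.com/login?x=1
"""

# Return-Path usually carries the Envelope From (MAIL FROM) address.
ADDRESS_HEADERS = ("Return-Path", "From", "Reply-To")
DIAGNOSTIC_HEADERS = ("Received-SPF", "X-MS-Exchange-Organization-SCL",
                      "X-ReturnPathSenderScore")
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def search_identifiers(raw):
    """Collect the addresses and domains worth searching for one message."""
    msg = message_from_string(raw, policy=policy.default)
    addresses = {}
    for name in ADDRESS_HEADERS:
        values = [str(v) for v in msg.get_all(name, [])]
        found = [addr.lower() for _, addr in getaddresses(values) if "@" in addr]
        if found:
            addresses[name] = found
    sender_domains = {a.rsplit("@", 1)[1] for v in addresses.values() for a in v}
    # Domains of URLs in text parts matter when URL Block List Providers are on.
    texts = [p.get_content() for p in msg.walk()
             if p.get_content_maintype() == "text"]
    hosts = {urlsplit(u).hostname for t in texts for u in URL_RE.findall(t)}
    return {
        "addresses": addresses,
        "sender_domains": sorted(sender_domains),
        "url_domains": sorted(h for h in hosts if h),
        "diagnostics": {h: str(msg[h]).strip() for h in DIAGNOSTIC_HEADERS
                        if msg[h] is not None},
    }

if __name__ == "__main__":
    print(search_identifiers(SAMPLE))
```

The EHLO/HELO domain does not appear in the output because it cannot be obtained from message headers.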
Allow & Block List Providers regularly update their lists
When analyzing an existing message, it is possible that entries on all types of Allow or Block List Providers have changed since the message was delivered, and would now produce a different filtering result. If the Search results indicate a different filtering outcome than expected, the Exchange Message Tracking Logs and the individual logs for the QSS URL Filter Agent or QSS Sender Score Agent should be consulted to determine the reason for the filtering result of the message in question.