1

In the mail I receive in Outlook, some service provider has set up a SPAM filter with a comparatively low level, tagging the subject with [SPAM] when the message is not SPAM in several cases. In the past we had used Sophos Pure Message locally with a rather high threshold and there never was a false positive. Unfortunately I had set up a filtering rule that moves such messages into the junk mail folder.

When I complained to the service provider that the detection level is too low, they told me I should adjust my filtering rule not to match the subject line, but read the SPAM level from the header.

Unfortunately I think that's not possible.

Example

For reference here's the "SPAM summary" for a false positive (a message from product support):

X-DFN-Virus-Scanned: Debian amavisd-new at mgw7-tub.srv.dfn.de
X-DFN-Spam-Flag: YES
X-DFN-Spam-Score: 3.833
X-DFN-Spam-Level: ***
X-DFN-Spam-Status: Yes, score=3.833 tagged_above=2 required=3 tests=[BAYES_50=0.1,
    BOGO_UNSURE=0.1, BT_50=0.01, DKIM_SIGNED=0.1, DKIM_VALID=-0.01,
    DKIM_VALID_AU=-0.01, DMARC_PASS=-0.01,
    HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_IMAGE_ONLY_16=3.3,
    HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001,
    SPF_HELO_NONE=0.01, SPF_PASS=-0.01] autolearn=disabled
X-DFN-Spam-Report: * -0.0 SPF_PASS SPF: sender matches SPF record
 *  0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
 * -0.0 DKIM_VALID Message has at least one valid DKIM or DK signature
 *  0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
 *      valid
 * -0.0 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
 *       domain
 *  0.1 BAYES_50 BODY: Bayes spam probability is 40 to 60%
 *      [score: 0.4892]
 *  0.0 BT_50 BODY: Test Bayes spam probability is 40 to 60%
 *      [score: 0.5003]
 *  0.0 RCVD_IN_MSPIKE_H4 RBL: Very Good reputation (+4)
 *      [85.222.158.197 listed in wl.mailspike.net]
 *  0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
 *  0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
 *      domains are different
 *  0.0 HTML_MESSAGE BODY: HTML included in message
 *  3.3 HTML_IMAGE_ONLY_16 BODY: HTML: images with 1200-1600 bytes of words
 *  0.1 BOGO_UNSURE Bogofilter is unsure.
 * -0.0 DMARC_PASS DMARC pass policy

(As I understand it, rule HTML_IMAGE_ONLY_16 BODY triggered the SPAM flag. Most of all, the message has a considerable amount of text and one small image, so "image-only body" does not actually apply. Also I don't know a way to display the original message format in Outlook (only the headers).)

So what I want is a filter matching when the number in X-DFN-Spam-Score: 3.833 exceeds a specific value (higher than the default that is obviously too low, triggering the addition of the [SPAM] tag in the subject).

1
  • 1
    I think that you will need a VBA rule for that (link).
    – harrymc
    Commented Sep 6, 2023 at 13:02
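
The numeric comparison the question asks for, along the VBA route the comment above points to, as an added example that is not part of the original thread. It is Outlook VBA for the ThisOutlookSession module; the threshold of 5 and the helper names are assumptions, and the header name is taken from the sample headers in the question.

```vba
' Added example, not from the original thread. Paste into ThisOutlookSession.
Option Explicit

' MAPI property holding the raw Internet headers of a received message.
Private Const PR_TRANSPORT_MESSAGE_HEADERS As String = _
    "http://schemas.microsoft.com/mapi/proptag/0x007D001E"
Private Const SCORE_THRESHOLD As Double = 5#   ' assumed value; tune to your mail

' Returns the raw headers, or "" when the item has none (e.g. internal mail).
Private Function TransportHeaders(ByVal mail As Outlook.MailItem) As String
    On Error Resume Next
    TransportHeaders = mail.PropertyAccessor.GetProperty(PR_TRANSPORT_MESSAGE_HEADERS)
End Function

' Extracts the number from "X-DFN-Spam-Score: 3.833"; False if the header is absent.
Private Function TryGetDfnSpamScore(ByVal headers As String, ByRef score As Double) As Boolean
    Dim re As Object, matches As Object
    Set re = CreateObject("VBScript.RegExp")
    re.Pattern = "^X-DFN-Spam-Score:[ \t]*(-?\d+(?:\.\d+)?)"
    re.IgnoreCase = True
    re.MultiLine = True          ' ^ matches at the start of every header line
    Set matches = re.Execute(headers)
    If matches.Count = 0 Then Exit Function
    ' Val() always reads "." as the decimal separator; CDbl() follows the
    ' Windows locale and would misread "3.833" on a German system.
    score = Val(matches(0).SubMatches(0))
    TryGetDfnSpamScore = True
End Function

' Fires for each batch of newly delivered items (comma-separated EntryIDs).
Private Sub Application_NewMailEx(ByVal EntryIDCollection As String)
    Dim id As Variant, item As Object, score As Double
    For Each id In Split(EntryIDCollection, ",")
        Set item = Application.Session.GetItemFromID(CStr(id))
        If TypeOf item Is Outlook.MailItem Then
            If TryGetDfnSpamScore(TransportHeaders(item), score) Then
                If score >= SCORE_THRESHOLD Then
                    item.Move Application.Session.GetDefaultFolder(olFolderJunk)
                End If
            End If
        End If
    Next id
End Sub
```

The existing rule that matches [SPAM] in the subject has to be switched off, otherwise it still moves the low-scoring messages to the junk folder.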

3 Answers

1

So what I want is a filter matching when the number in X-DFN-Spam-Score: 3.833 exceeds a specific value (higher than the default that is obviously too low, triggering the addition of the [SPAM] tag in the subject).

Not possible using the built-in options available in Outlook. At present, it's only supported to add some static keywords included in the message header for the rule condition, while comparing the number with a specific value is not yet supported.

Given this, I'd suggest checking other message headers with static values to see if they can be used in the rule. For example, if the "X-DFN-Spam-Level: " field has some limited values, like low, medium and high, and the value "low" corresponds to what you want to prevent from being moved to the Junk mail folder, you can create a rule like below:

[screenshot]

Or adding an exception like this:

[screenshot]

3
  • The idea of using X-DFN-Spam-Level: is interesting, but speculation about the values does not help actually: The "value" seems to be a number of stars (*** in my example). So I could try to match four stars or more. An important hint would be Debian amavisd-new, obviously the product creating such headers.
    – U. Windl
    Commented Sep 7, 2023 at 6:19
  • Okay. I initially thought these stars were manually entered as a replacement of the true values for some reason. Anyways, you can try collecting some more header examples of both positive and false positive spam mails, compare the header fields to find a perfect candidate for your rule.
    – Yuki Sun
    Commented Sep 7, 2023 at 7:48
  • I created a new rule ORing different X-DFN-Spam-Level: **** strings (actually 8, 9 and 10 stars), not knowing the actual range. I'll see how well that works.
    – U. Windl
    Commented Oct 23, 2023 at 6:39
0

If the value you're comparing against in the header is static, or one of a small number of values, then yes this is doable.

Configure the rule like so:

[screenshot]

You may want to include other Search Text using the dialog where "HTML_IMAGE_ONLY_16 BODY" was entered, but you can't perform any functions on this, such as < 10.

[screenshot]

The last step (stop processing more rules) then escapes the rules process, and won't move on to the rule which moves the message into Junk. You will need to move this rule to the top of the list, so it's applied first.

1
  • Sorry for the confusion: I think you misunderstood the question. I'll try to clarify the question in a moment.
    – U. Windl
    Commented Sep 6, 2023 at 7:28
0

Note: When working with software from the market leader, you'll have to live with the fact that you cannot resize dialog boxes to show all the relevant content, nor can you copy the content of the rule as text. And the rule syntax is localized, too.

So while deprecated, here is my solution described as screenshots (see reason above). Obviously the solution is ugly, but it fits the product. I apologize for the language (L18n) being German, but I cannot control it.

[Screenshot: Outlook Filter Rule to match SPAM header]

[Screenshot: Details of Outlook Filter Rule to match SPAM header]
