In the mail I receive in Outlook, some service provider has set up a SPAM filter with a comparatively low level, tagging the subject with [SPAM] when the message is not SPAM in several cases.
In the past we had used Sophos Pure Message locally with a rather high threshold and there never was a false positive.
Unfortunately I had set up a filtering rule that moves such messages into the junk mail folder.
When I complained to the service provider that the detection level is too low, they told me I should adjust my filtering rule not to match the subject line, but read the SPAM level from the header.
Unfortunately I think that's not possible.
Example
For reference here's the "SPAM summary" for a false positive (a message from product support):
    X-DFN-Virus-Scanned: Debian amavisd-new at mgw7-tub.srv.dfn.de
    X-DFN-Spam-Flag: YES
    X-DFN-Spam-Score: 3.833
    X-DFN-Spam-Level: ***
    X-DFN-Spam-Status: Yes, score=3.833 tagged_above=2 required=3 tests=[BAYES_50=0.1,
        BOGO_UNSURE=0.1, BT_50=0.01, DKIM_SIGNED=0.1, DKIM_VALID=-0.01,
        DKIM_VALID_AU=-0.01, DMARC_PASS=-0.01,
        HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_IMAGE_ONLY_16=3.3,
        HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H4=0.001, RCVD_IN_MSPIKE_WL=0.001,
        SPF_HELO_NONE=0.01, SPF_PASS=-0.01] autolearn=disabled
    X-DFN-Spam-Report: * -0.0 SPF_PASS SPF: sender matches SPF record
        * 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record
        * -0.0 DKIM_VALID Message has at least one valid DKIM or DK signature
        * 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily
        * valid
        * -0.0 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's
        * domain
        * 0.1 BAYES_50 BODY: Bayes spam probability is 40 to 60%
        * [score: 0.4892]
        * 0.0 BT_50 BODY: Test Bayes spam probability is 40 to 60%
        * [score: 0.5003]
        * 0.0 RCVD_IN_MSPIKE_H4 RBL: Very Good reputation (+4)
        * [85.222.158.197 listed in wl.mailspike.net]
        * 0.0 RCVD_IN_MSPIKE_WL Mailspike good senders
        * 0.2 HEADER_FROM_DIFFERENT_DOMAINS From and EnvelopeFrom 2nd level mail
        * domains are different
        * 0.0 HTML_MESSAGE BODY: HTML included in message
        * 3.3 HTML_IMAGE_ONLY_16 BODY: HTML: images with 1200-1600 bytes of words
        * 0.1 BOGO_UNSURE Bogofilter is unsure.
        * -0.0 DMARC_PASS DMARC pass policy
(As I understand it, rule HTML_IMAGE_ONLY_16 BODY triggered the SPAM flag.
Most of all, the message has a considerable amount of text and one small image, so "image-only body" does not actually apply.
Also, I don't know a way to display the original message format in Outlook (only the headers).)
So what I want is a filter matching when the number in X-DFN-Spam-Score: 3.833 exceeds a specific value (higher than the default that is obviously too low, triggering the addition of the [SPAM] tag in the subject).
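
The threshold check described above, written against the raw headers instead of as an Outlook rule (an added example, not part of the original post). The function names, the 5.0 threshold and the sample subject text are assumptions; the header names and score values are the ones quoted in the question.

```python
import re
from email import message_from_string

# Constructed sample: the score headers quoted in the question (report
# shortened), plus a made-up subject and body.
SAMPLE = (
    "X-DFN-Spam-Flag: YES\n"
    "X-DFN-Spam-Score: 3.833\n"
    "X-DFN-Spam-Level: ***\n"
    "X-DFN-Spam-Status: Yes, score=3.833 tagged_above=2 required=3 tests=[BAYES_50=0.1,\n"
    " HTML_IMAGE_ONLY_16=3.3, SPF_PASS=-0.01] autolearn=disabled\n"
    "Subject: [SPAM] Your support ticket\n"
    "\n"
    "body\n"
)

def spam_score(raw):
    """Return the numeric spam score, or None if no usable header exists."""
    msg = message_from_string(raw)
    value = msg.get("X-DFN-Spam-Score")
    if value is not None:
        try:
            return float(value.strip())
        except ValueError:
            pass  # malformed value: fall through to the status header
    # Fallback: the same number appears as score=... in the status header.
    m = re.search(r"\bscore=(-?\d+(?:\.\d+)?)", msg.get("X-DFN-Spam-Status", ""))
    return float(m.group(1)) if m else None

def is_spam(raw, threshold=5.0):
    """True only when a score is present and strictly above the threshold.

    The [SPAM] subject tag and the YES flag are ignored on purpose, because
    they reflect the provider's required=3 setting, not the local threshold.
    """
    score = spam_score(raw)
    return score is not None and score > threshold

def level_needle(min_stars):
    """Text for a plain 'header contains' filter without numeric comparison.

    The level header carries one '*' per whole point of score, so a substring
    of N stars matches every message whose score is N or more.
    """
    return "X-DFN-Spam-Level: " + "*" * min_stars

if __name__ == "__main__":
    print(spam_score(SAMPLE), is_spam(SAMPLE), level_needle(5) in SAMPLE)
```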