Message Categories
This page lists the categories and subcategories used in Message History. Categories help you understand how Sophos Email classifies and handles messages.
For example, messages may be tagged as "Spam", "Malware", or "Authentication failure" depending on their content or behavior.
Realtime blocked
If you see "Realtime blocked" as a category, the message was blocked in real time.
Enterprise blocked
If you see "Enterprise blocked" as a category, the message was blocked by enterprise-level security policies.
The subcategories are as follows:
- Admin blocked: The message was blocked by an administrator setting.
- User blocked: The message was blocked by a user setting.
Malware
If you see "Malware" as a category, the message contains malware.
Unscannable
If you see "Unscannable" as a category, the message couldn't be scanned for threats.
The subcategories are as follows:
- Excessive URLs: The message contains an unusually high number of URLs.
Intelix threat
If you see "Intelix threat" as a category, the message is flagged as a potential threat based on Intelix analysis.
The subcategories are as follows:
- Malicious: The message contains malicious content or includes links to it.
- Intelix unscannable: The message couldn't be scanned by Intelix.
- Suspicious: The message is flagged as suspicious but not confirmed as malicious.
URL/QR Code
If you see "URL/QR Code" as a category, the message contains URLs or QR codes that link to harmful or unsafe websites.
The subcategories are as follows:
- Malicious URL (High risk): The URL is identified as high risk based on the reputation of the source.
- Malicious URL (Criminal): The URL is linked to criminal activity or intent.
Note
If an email contains a link on the Internet Watch Foundation's criminal URL list, we're legally required to delete the email. We're also legally required not to disclose the URL or its classification anywhere in Sophos Central, including Message History. See IWF: URL List.
We always delete these emails. We don't use the settings in your Email Security policies.
- QR Code (High risk): The QR code is identified as high risk based on the reputation of the linked website.
- QR Code (Criminal): The QR code is linked to a website involved in criminal activity or intent.
- Clean QR code: The QR code is linked to a website that passed all security checks and showed no signs of malicious behavior.
Spam
If you see "Spam" as a category, the message is flagged as unsolicited bulk email, also known as junk email.
The subcategories are as follows:
- Suspected L<x>: The message is flagged as suspected spam, and categorized from level 1 to level 5 (L1 to L5). For more information on the suspected spam levels, see Anti-spam.
- Confirmed: The message was identified as spam because it contains known and verified spam patterns.
- Disallowed Country: The message originated from a country disallowed by your policy.
- Disallowed Language: The message contains content in a language disallowed by your policy.
- BATV: The message failed the Bounce Address Tag Validation (BATV) check because it lacked a valid bounce address tag, which is required to verify legitimate bounce messages. A missing bounce tag may indicate a forged return address, often seen in spam or backscatter attacks. For information on BATV, see Bounce Address Tag Validation (BATV).
Bulk
If you see "Bulk" as a category, the message was sent to a large group of recipients, such as newsletters, mailing lists, or other forms of solicited email.
Impersonation
If you see "Impersonation" as a category, the message impersonated a trusted sender.
The subcategories are as follows:
- Brand: The message spoofed a well-known brand or organization.
- Internal VIP: The message targeted a high-profile individual within your organization.
- External VIP: The message targeted a trusted external contact, such as a vendor, customer, or partner.
- General: The message is considered impersonation but doesn't match a specific VIP or brand. It's flagged based on machine learning or anti-phishing heuristics.
Tip
Click the subject of a message flagged as impersonation to view more details. You can check if the message is from an internal or external VIP, multiple VIPs, or flagged as aggressive mode.
Authentication failure
If you see "Authentication failure" as a category, the message failed the DMARC, SPF, or DKIM authentication checks.
The subcategories are as follows:
- DKIM: The message failed the DKIM check configured in your policy.
- DMARC: The message failed the DMARC check configured in your policy.
- SPF: The message failed the SPF check configured in your policy.
- Header anomaly: The message failed the header anomaly check because the From address doesn't match the real sender or is different from the MAIL FROM address in the envelope. This mismatch could indicate that the email was spoofed.
- Domain anomaly: The message failed the domain anomaly check because it was sent from a non-existent or improperly configured domain with no valid MX or A records.
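The two checks described above that need no DNS lookup, the BATV bounce-tag check under "Spam" and the "Header anomaly" comparison of the From header with the envelope MAIL FROM, as an added illustration that is not Sophos code. It assumes the prvs= tag layout from the BATV draft (one key digit, three expiry digits, six hex digits) and a simplified exact-domain comparison; the sample messages are constructed.

```python
# Added example (not Sophos code): simplified versions of two checks named on this page.
# Assumption: BATV tags use the prvs= layout from the BATV draft; Sophos's checks are richer.
import re
from email.utils import parseaddr

# prvs=<K><DDD><HHHHHH>=<local-part>: 1 key digit, 3 expiry-day digits, 6 hex digits (assumed)
PRVS_RE = re.compile(r"^prvs=\d{4}[0-9a-fA-F]{6}=(?P<core>.+)$")


def domain_of(addr: str) -> str:
    """Lower-cased domain of an RFC 5322 address ('' for a null or missing address)."""
    _, email_addr = parseaddr(addr)
    return email_addr.rpartition("@")[2].lower()


def header_anomaly(mail_from: str, from_header: str) -> bool:
    """Header anomaly: visible From domain differs from the envelope MAIL FROM domain.
    A null envelope sender (a bounce) has nothing to compare, so it is not flagged here."""
    env = domain_of(mail_from)
    return bool(env) and env != domain_of(from_header)


def batv_failure(mail_from: str, rcpt_to: str) -> bool:
    """BATV: a bounce (empty MAIL FROM) whose RCPT TO local part lacks a valid prvs tag."""
    if domain_of(mail_from):
        return False  # not a bounce, so BATV does not apply
    local_part = rcpt_to.rpartition("@")[0]
    return PRVS_RE.match(local_part) is None


def classify(mail_from: str, rcpt_to: str, from_header: str) -> list[str]:
    """Return the subcategories (named as on this page) that the message would hit."""
    hits = []
    if batv_failure(mail_from, rcpt_to):
        hits.append("Spam / BATV")
    if header_anomaly(mail_from, from_header):
        hits.append("Authentication failure / Header anomaly")
    return hits


# Constructed samples: (envelope MAIL FROM, envelope RCPT TO, From header)
SAMPLES = {
    "spoofed": ("bulk@mailer.example.net", "alice@corp.example", "CEO <ceo@corp.example>"),
    "aligned": ("news@corp.example", "alice@corp.example", "News <news@corp.example>"),
    "backscatter": ("", "alice@corp.example", "Mailer-Daemon <mailer-daemon@other.example>"),
    "real_bounce": ("", "prvs=1234abcdef=alice@corp.example", "Mailer-Daemon <mailer-daemon@other.example>"),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        print(name, classify(*msg))
```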
Data control
If you see "Data control" as a category, the message is flagged because it triggered a Data Control policy rule.
The subcategories are as follows:
- Push encrypted: The message was encrypted using Push Encryption because it triggered a Data Control rule.
- Portal encrypted: The message was encrypted and stored within the Sophos Secure Message portal because it triggered a Data Control rule.
Secure message
If you see "Secure message" as a category, the message is encrypted to ensure confidentiality and protect sensitive data.
The subcategories are as follows:
- Push encrypted: The message was encrypted using Push Encryption, as configured in your Secure Message policy.
- Portal encrypted: The message was encrypted and stored within the Sophos Secure Message portal, as configured in your Secure Message policy.
- S/MIME: The message was signed or encrypted using the S/MIME protocol, as configured in your Secure Message policy.
- TLS v1.2: The message was delivered securely using TLS 1.2 encryption, as configured in your Secure Message policy.
- TLS v1.3: The message was delivered securely using TLS 1.3 encryption, as configured in your Secure Message policy.
Legitimate
If you see "Legitimate" as a category, the message is identified as valid and trusted.
The subcategories are as follows:
- S/MIME: The message was received as signed or encrypted using the S/MIME protocol.
- PT campaign: The message is part of a Phish Threat campaign.