Why are we getting incidents that have #TAG# or #QUAR# in the Subject line?
Incoming Email, Barracuda
If your mailbox is hosted by Oracle Service Cloud, incidents are generated with preceding #TAG# or #QUAR# tags depending on how the Barracuda filter is set for the mailbox through which the incident was submitted.
For comprehensive information regarding the Barracuda application, refer to Answer ID 2345: Filtering SPAM for Hosted Mailboxes.
Tag, Quarantine, and Block Scores
Within the Barracuda filter, you can define a Tag Score, Quarantine Score, and a Block Score. These can be configured from the PREFERENCES: Spam Settings page.
The Tag Score specifies the value at which incidents are submitted into the hosted mailbox, but the Subject line is flagged with a prefix of #TAG#. This indicates a threshold at which you would like incoming email incidents to be flagged for further evaluation, but you do not necessarily want them quarantined or blocked.
The Quarantine Score is the value at which incoming emails are quarantined in the Quarantine Inbox if Quarantine is enabled. If Quarantine is not enabled, incoming email that exceeds this score is flagged with a prefix of #QUAR# so that these incidents can easily be seen from the Support Console.
The Block Score indicates the value at which emails are blocked completely and discarded.
Note: To disable any of these three options, set the Score value to 10 and click Save Changes.
Spam Scores for Individual Emails
Each email sent to the mailbox receives a Barracuda Spam Score which determines how the email will be handled. By default, each Oracle Service Cloud hosted mailbox is configured with a Tag Score of 3.5, a Quarantine Score of 10.0 (disabled) and the Block Score set to 9. The quarantine feature is disabled so that emails are not actually quarantined.
As a result, by default, email with a score higher than 3.5 are flagged with the #TAG# flag in the Subject line. This lets you know that the email exceeded the Tag Score. When the quarantine feature disabled and the Quarantine Score is set to anything lower than 10, emails exceeding that value are flagged with #QUAR# to indicate that the email exceeded the Quarantine Score. If the quarantine feature were enabled, these emails would have been routed to the Quarantine Inbox instead of having an incident created.
You can view the Spam Score for each individual incident by viewing the email headers for that incident. In order to view the headers, they must be enabled within your Oracle Service Cloud application. For more information on enabling email headers, refer to Answer ID 1595: Enabling Email Headers.
When the headers are enabled, click the envelope icon from the incident thread to view the headers for that email. The Barracuda Spam Score is typically listed towards the bottom of the pop-up along with the Spam Status, which compares the email score to the tag score and quarantine score. For example:
X-Barracuda-Spam-Status: No, SCORE=1.58 using per-user scores of TAG_LEVEL=3.5 QUARANTINE_LEVEL=7.5 KILL_LEVEL=1000.0 tests=CN_BODY_332, HTML_TAG_BALANCE_BODY, HTML_TAG_EXIST_TBODY, THREAD_INDEX, THREAD_TOPIC
In this case, the spam score for the email is 1.58, which is less than the tag score of 3.5 or the quarantine score of 9.0. Note that if you change the tag or quarantine scores, these scores are reflected in the Spam Status section.
Evaluating and Changing Score Thresholds
Review the incidents and their spam scores that are flagged with the #TAG# and #QUAR# tags to determine which scores are appropriate thresholds for tagging, quarantining, or even blocking incidents. By reviewing the individual spam scores from these incidents, you can better determine the Tag Score, Quarantine Score, and Block Score.
For example, if you determine that there are too many incidents with #TAG#, review the spam scores for those incidents to determine a better threshold and set the Tag Score to a higher value and click Save Changes.
In addition, review the spam scores for the incidents that are flagged with #QUAR# and determine if those emails should be quarantined (or even blocked). If you wish, you can enable the quarantine feature from the PREFERENCES: Quarantine Settings page. You can also choose to enable blocking by changing the Block Score to a value other than 10.Note: Exercise caution in setting the Block Score. Once an email is blocked, it is permanently removed and is not delivered and is not accessible. If there is any concern with blocking emails and permanently removing them, it is better to be conservative and have emails tagged or quarantined so that they can be evaluated and reviewed.
Legitimate incidents are being tagged with #TAG#
If the spam score is equal to or greater than the Tag Score configured in Barracuda, then the subject of the incident is tagged with #TAG#. However, if you are seeing incidents that have the #TAG# tag, but have a spam score that is less than the Tag Score configured in Barracuda, then Barracuda may have the originating IP address of the email in their system as a "poor" reputation.
You can easily check this by following these steps:
1) Open the email header for the incident that is being tagged with #TAG#.
2) In the email header, verify that the 'X-Barracuda-Spam-Score' line has a score that is less than the Tag Score that you have configured in Barracuda spam filtering. The default Tag Score is 3.5. If the 'X-Barracuda-Spam-Score' line has a score that is equal to or greater than the Tag Score configured in Barracuda, then Barracuda has determined that this is spam. If the score is less than the Tag Score value then continue on to the next step.
3) Locate the 'X-Barracuda-Connect' line in the email header. You will see an IP address of the mail server that submitted the email.
4) Go to http://www.barracudacentral.org/lookups and enter the IP address from the previous step into the "IP Lookup" field. You will be asked to enter some text from a security image and then submit your query.
5) If the 'IP Lookup' results inform you that the IP address is listed as "poor" on the Barracuda Reputation System, this is why the emails from that source are being tagged in Oracle Service Cloud. This results page provides you with a form that you can use to request adjustment of the reputation.
The Barracuda Reputation System real-time database IP Lookup can be accessed and searched on via the following URL: http://www.barracudacentral.org/lookups
The following URL contains information of why originating IP addresses can be listed with a "poor" reputation: http://www.barracudacentral.org/lookups/reason
The Oracle Service Cloud Hosting group currently tags emails originating from email servers that are listed as "poor" instead of deleting them. IP addresses expire from the "poor" list when their reputation improves so checking the list in real time will not always show an IP address as being on the "poor" list.