MxGuard Help — How scoring works

How scoring works

Every message that hits MxGuard is scored on a scale from 0.0 (definitely clean) to 1.0 (definitely spam). The final verdict (clean / quarantine / reject) is determined by where the score falls against configurable thresholds.

The scoring pipeline

For each message, MxGuard runs six independent checks in parallel and combines them into a final score:

  1. ML model — A LightGBM gradient-boosted classifier trained on around 34,000 labelled examples. Returns 0.0–1.0. AUC on holdout: 0.998.
  2. URL reputation — URLs extracted from the body and headers are checked against surbl.org and dbl.spamhaus.org. A hit adds +0.30 to +0.40 depending on the zone.
  3. Sender reputation — MxGuard tracks the historical clean / spam ratio per sender domain (kept in Redis). Domains that have repeatedly sent spam get a positive score adjustment.
  4. Attachment scanning — ClamAV runs as a milter before our scanner sees the mail. Attachment file types (.exe, password-protected zips, etc.) also boost the score.
  5. Threat feed match — Sender domain and URLs are checked against the URLhaus malicious-URL feed.
  6. Heuristics — Cheap signal-rich rules that catch patterns the ML model under-recognises:
    • no_rdns — sender's IP has no reverse DNS (+0.20, forces reject)
    • gibberish_local — random-looking envelope-from like xpvqfmtpkrqz@example.com (+0.15). VERP-shaped bulk-mailer addresses are exempted.
    • freemail_pitch — gmail/outlook/etc. sender with a numeric localpart writing to support@/info@/etc. (+0.15)
    • tld=xyz — sender on an obscure spam-prone TLD (+0.10)

Ham discount

When you mark a message as ham (not spam) in the feed or quarantine, MxGuard remembers the sender's registrable domain. Future mail from the same domain — including its subdomains — gets a −0.30 adjustment for 30 days. So if you mark newsletter@em1538.currensea.com as ham, future mail from *.currensea.com gets the discount.

Verdicts

The combined score determines the verdict using three thresholds. Defaults:

Score          Verdict       What happens
≥ 0.97         reject        SMTP-rejected at DATA. Sender's server gets a 5xx error.
0.75 – 0.97    quarantine    Held for review. You decide release or delete.
0.50 – 0.75    tag           Delivered with [SPAM] in subject (only if tag mode is enabled for the domain).
< 0.50         clean         Delivered straight through.
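
How the ham discount interacts with the default thresholds, as an added example (not MxGuard's own code). It assumes the signals are summed and clamped to 0.0–1.0, that a 0.50–0.75 score is delivered as clean when tag mode is off, and that the registrable domain is the last two labels; HamMemory, verdict and registrable_domain are hypothetical names, and heuristics that force a reject are not modelled.

```python
from datetime import datetime, timedelta, timezone

# Defaults from the Verdicts table; per-domain overrides would replace these.
REJECT, QUARANTINE, TAG = 0.97, 0.75, 0.50
HAM_DISCOUNT, HAM_TTL = -0.30, timedelta(days=30)

def registrable_domain(addr_or_host):
    """Naive last-two-labels reduction (assumption); real code needs the Public Suffix List."""
    host = addr_or_host.rsplit("@", 1)[-1].lower().rstrip(".")
    return ".".join(host.split(".")[-2:])

class HamMemory:
    """Hypothetical stand-in for the store that remembers ham-marked domains."""
    def __init__(self):
        self._marked = {}  # registrable domain -> time it was marked as ham

    def mark(self, sender, when):
        self._marked[registrable_domain(sender)] = when

    def discount(self, sender, now):
        # The discount covers the marked domain and its subdomains for 30 days.
        marked = self._marked.get(registrable_domain(sender))
        if marked is not None and now - marked <= HAM_TTL:
            return HAM_DISCOUNT
        return 0.0

def verdict(ml_score, adjustments, sender, ham, now, tag_mode=False):
    """Assumed combination: ML score plus adjustments plus ham discount, clamped to [0, 1]."""
    total = ml_score + sum(adjustments) + ham.discount(sender, now)
    score = round(min(1.0, max(0.0, total)), 4)  # rounding avoids float noise at the boundaries
    if score >= REJECT:
        return score, "reject"
    if score >= QUARANTINE:
        return score, "quarantine"
    if score >= TAG and tag_mode:
        return score, "tag"
    return score, "clean"
```

With the defaults, a message that scores 0.85 (quarantine) from an unmarked domain scores 0.55 from a ham-marked one, which is delivered unless tag mode is on.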

Customising thresholds

Per-domain thresholds can be overridden in Settings. Most customers leave the defaults alone. If a particular domain receives mostly noisy newsletters, you might lower the quarantine threshold to catch more borderline mail.