Hi all, I'm using a Sophos UTM SG430 v.9.5. I'm trying to find in the SMTP proxy log why an email is tagged as *** SPAM *** (a spam level?), but I don't know where I must search. This is an example:
2017:11:13-14:15:12 c2 exim-in[31676]: 2017-11-13 14:15:12 [ipgreylisted] F=<emailfrom@taggedspam.it> R=<pippo@myemail.it> Verifying recipient address with callout
2017:11:13-14:15:12 c2 exim-in[31676]: 2017-11-13 14:15:12 1eEEa0-0008Eu-2i DKIM: d=segugio.it s=splio c=relaxed/relaxed a=rsa-sha256 i=emailfrom@taggedspam.it [verification succeeded]
2017:11:13-14:15:13 c2 exim-in[5458]: 2017-11-13 14:15:13 SMTP connection from [senderip]:49114 (TCP/IP connection count = 3)
2017:11:13-14:15:13 c2 exim-in[31676]: 2017-11-13 14:15:13 1eEEa0-0008Eu-2i ctasd reports 'Bulk' RefID:str=0001.0A0C0201.5A099AE1.0035,ss=3,re=0.000,recu=0.000,reip=0.000,cl=3,cld=1,fgs=0
2017:11:13-14:15:13 c2 exim-in[31676]: 2017-11-13 14:15:13 1eEEa0-0008Eu-2i Greylisting: Greylisted ipgreylisted
2017:11:13-14:15:13 c2 exim-in[31676]: [1\38] 2017-11-13 14:15:13 1eEEa0-0008Eu-2i H=******** [ipgreylisted]:50356 F=<emailfrom@taggedspam.it> temporarily rejected after DATA: Temporary local problem, please try again!
2017:11:13-14:15:13 c2 exim-in[31676]: [2\38] Envelope-from: <emailfrom@taggedspam.it>
2017:11:13-14:15:13 c2 exim-in[31676]: [3\38] Envelope-to: <pippo@myemail.it>
2017:11:13-14:15:13 c2 exim-in[31676]: [4\38] P Received: from ******** ([ipgreylisted]:50356)
2017:11:13-14:15:13 c2 exim-in[31676]: [5\38] by myserver with esmtp (Exim 4.82_1-5b7a7c0-XX)
2017:11:13-14:15:13 c2 exim-in[31676]: [6\38] (envelope-from <emailfrom@taggedspam.it>)
2017:11:13-14:15:13 c2 exim-in[31676]: [7\38] id 1eEEa0-0008Eu-2i
2017:11:13-14:15:13 c2 exim-in[31676]: [8\38] for pippo@myemail.it; Mon, 13 Nov 2017 14:15:12 +0100
2017:11:13-14:15:13 c2 exim-in[31676]: [9\38] X-CTCH-RefID: str=0001.0A0C0201.5A099AE1.0035,ss=3,re=0.000,recu=0.000,reip=0.000,cl=3,cld=1,fgs=0
2017:11:13-14:15:13 c2 exim-in[31676]: [10\38] DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; s=splio; d=segugio.it;
2017:11:13-14:15:13 c2 exim-in[31676]: [11\38] h=X-CSA-complaints:Message-ID:List-Unsubscribe:List-Unsubscribe-Post:List-ID:
2017:11:13-14:15:13 c2 exim-in[31676]: [12\38] Feedback-ID:MIME-Version:From:To:Subject:Reply-To:Content-Type:
2017:11:13-14:15:13 c2 exim-in[31676]: [13\38] Content-Transfer-Encoding:Date; i=emailfrom@taggedspam.it;
2017:11:13-14:15:13 c2 exim-in[31676]: [14\38] bh=o1mYAi5BRfgf1QpLDq60OrC5xQUL+O9a4Ffe037Be/A=;
2017:11:13-14:15:13 c2 exim-in[31676]: [15\38] b=wGw7pUGBvVGlV4GX0sMXXcGNpHnEAYnozRCEmolavW4jyQnrstk1eMDqA3GiMDFvb1xVePTrTgzY
2017:11:13-14:15:13 c2 exim-in[31676]: [16\38] R1clIhw8XKyZAhT6dz5KWMujIFep0sfwy/KsAE/7uaEmkScIJSJuVTWVLxAnbpdWcaGXhhB0gJLS
2017:11:13-14:15:13 c2 exim-in[31676]: [17\38] saIosxi6zDdfSK0Z8is=
2017:11:13-14:15:13 c2 exim-in[31676]: [18\38] P Received: by ******** id h16de02bhok1 for <pippo@myemail.it>; Mon, 13 Nov 2017 14:15:12 +0100 (envelope-from <emailfrom@taggedspam.it>)
2017:11:13-14:15:13 c2 exim-in[31676]: [19\38] X-Abuse-Reports-To: abuse@splio.com
2017:11:13-14:15:13 c2 exim-in[31676]: [20\38] X-CSA-complaints: whitelist-complaints@eco.de
2017:11:13-14:15:13 c2 exim-in[31676]: [21\38] I Message-ID: <6uwRAGklB-7215076@segugio.it>
2017:11:13-14:15:13 c2 exim-in[31676]: [22\38] X-Auto-Response-Suppress: OOF,AutoReply
2017:11:13-14:15:13 c2 exim-in[31676]: [23\38] X-CampaignID: 6uwRAGklB
2017:11:13-14:15:13 c2 exim-in[31676]: [24\38] List-Unsubscribe: <s3s.fr/.../g'loria.html>, <mailto:un-6uwRAGklB-centrolibri.it=email@***.it
2017:11:13-14:15:13 c2 exim-in[31676]: [25\38] List-Unsubscribe-Post: List-Unsubscribe=One-Click
2017:11:13-14:15:13 c2 exim-in[31676]: [26\38] List-ID: v3segugio
2017:11:13-14:15:13 c2 exim-in[31676]: [27\38] Feedback-ID: 6uwRAGklB:v3segugio:splio
2017:11:13-14:15:13 c2 exim-in[31676]: [28\38] X-SignalSpam-CID: 6uwRAGklB:v3segugio:splio
2017:11:13-14:15:13 c2 exim-in[31676]: [29\38] MIME-Version: 1.0
2017:11:13-14:15:13 c2 exim-in[31676]: [30\38] F From: "Segugio.it" <emailfrom@taggedspam.it>
2017:11:13-14:15:13 c2 exim-in[31676]: [31\38] T To: =?UTF-8?Q?=20?= <pippo@myemail.it>
2017:11:13-14:15:13 c2 exim-in[31676]: [32\38] Subject: =?UTF-8?Q?=E2=9C=94Assicurazioni_online:_cresce_la_fiducia_grazie?=
2017:11:13-14:15:13 c2 exim-in[31676]: [33\38] =?UTF-8?Q?_a_3_vantaggi?=
2017:11:13-14:15:13 c2 exim-in[31676]: [34\38] R Reply-To: <incopyemail@spammed.it>
2017:11:13-14:15:13 c2 exim-in[31676]: [35\38] Content-Type: text/html;
2017:11:13-14:15:13 c2 exim-in[31676]: [36\38] charset="utf-8"
2017:11:13-14:15:13 c2 exim-in[31676]: [37\38] Content-Transfer-Encoding: quoted-printable
2017:11:13-14:15:13 c2 exim-in[31676]: [38/38] Date: Mon, 13 Nov 2017 14:15:12 +0100
2017:11:13-14:15:13 c2 exim-in[31676]: 2017-11-13 14:15:13 SMTP connection from ******** [ipgreylisted]:50356 closed by QUIT
In this case emailfrom@taggedspam.it is tagged as spam (and it is true), but can I see how the UTM knows that this is spam?
Thanks all
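Added example, not part of the original post: in the excerpt above the only line that carries a classification is "ctasd reports 'Bulk' RefID:...", so this script extracts that verdict and its RefID fields per Exim message ID. The regular expressions, the key=value split of RefID and the function names are assumptions based only on the lines shown.

```python
import re

# Lines that start with an Exim message ID after the second timestamp.
MSG_LINE = re.compile(
    r"exim-in\[\d+\]: \d{4}-\d\d-\d\d \d\d:\d\d:\d\d "
    r"(?P<msgid>[0-9A-Za-z]{6}-[0-9A-Za-z]{6}-[0-9A-Za-z]{2}) (?P<rest>.*)$")
CTASD = re.compile(r"ctasd reports '(?P<verdict>[^']+)' RefID:(?P<refid>\S+)")

# Sample input taken from the post (DKIM and header lines shortened).
SAMPLE = [
    r"2017:11:13-14:15:12 c2 exim-in[31676]: 2017-11-13 14:15:12 1eEEa0-0008Eu-2i DKIM: d=segugio.it s=splio [verification succeeded]",
    r"2017:11:13-14:15:13 c2 exim-in[5458]: 2017-11-13 14:15:13 SMTP connection from [senderip]:49114 (TCP/IP connection count = 3)",
    r"2017:11:13-14:15:13 c2 exim-in[31676]: 2017-11-13 14:15:13 1eEEa0-0008Eu-2i ctasd reports 'Bulk' RefID:str=0001.0A0C0201.5A099AE1.0035,ss=3,re=0.000,recu=0.000,reip=0.000,cl=3,cld=1,fgs=0",
    r"2017:11:13-14:15:13 c2 exim-in[31676]: 2017-11-13 14:15:13 1eEEa0-0008Eu-2i Greylisting: Greylisted ipgreylisted",
    r"2017:11:13-14:15:13 c2 exim-in[31676]: [9\38] X-CTCH-RefID: str=0001.0A0C0201.5A099AE1.0035,ss=3",
]

def parse_refid(refid):
    """Split the comma-separated key=value RefID string into a dict (assumed layout)."""
    return dict(part.split("=", 1) for part in refid.split(",") if "=" in part)

def antispam_verdicts(lines):
    """Map each Exim message ID to its ctasd verdict, RefID fields and other events."""
    result = {}
    for line in lines:
        m = MSG_LINE.search(line)
        if not m:
            continue  # connection lines and numbered header-dump lines carry no leading ID
        entry = result.setdefault(
            m["msgid"], {"verdict": None, "refid": {}, "events": []})
        c = CTASD.search(m["rest"])
        if c:
            entry["verdict"] = c["verdict"]
            entry["refid"] = parse_refid(c["refid"])
        else:
            entry["events"].append(m["rest"])
    return result

if __name__ == "__main__":
    for msgid, info in antispam_verdicts(SAMPLE).items():
        print(msgid, "verdict:", info["verdict"])
        for key, value in info["refid"].items():
            print("   ", key, "=", value)
        for event in info["events"]:
            print("    other:", event)
```

To run it against a real log, pass the file's lines instead of SAMPLE, for example antispam_verdicts(open(path)) with path pointing at an exported copy of the SMTP proxy log.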