Spam email not detected by Symantec Email Security.Cloud

Article ID: 160831

Products

Email Security.cloud

Issue/Introduction

Environment

Email Security.cloud

Resolution

For spam emails that were not blocked by the Symantec.cloud anti-spam filters and that match the definition of spam, you can submit them to us for analysis (and possible filter creation).

What is a false negative?

A false negative occurs when an email containing spam has been incorrectly identified as being clean of security threats. An example of a threat may be links that appear to be for familiar websites, but in fact, lead to phishing websites.


WARNING: Do not attach false negative samples directly to support cases. This is not a valid method of delivering mail samples to Symantec Security Response. For security reasons, all samples attached directly to support cases will be deleted.


False negative submission methods:

You can use one of these two methods to submit false negative emails to Symantec:

  • Submit False Negative Tool - After you upload the sample, the tool reports whether the email is now being caught as spam, because our detections are always adapting to current spam trends. If the email isn't currently flagged as spam, click Submit to submit it for analysis.
    To access the tool, go to: Tools > Email Submissions > Submit False negative.

  • Symantec Email Submission add-in Report button - Learn more about the Report button at About the Email Submission Client.
    You can download it from this page: Tools > Downloads.

What happens to missed spam submissions?

Only messages sent following the procedure above will be accepted for analysis and possible spam filter creation.

The Symantec Security Center processes the received message using a sophisticated algorithm that groups the message with other messages. These may be received from customers or gathered through the extensive Probe Network.

When a group of messages that are similar enough reaches a threshold, it becomes an attack.  At this point, an automated process or a Security Response technician will create a filter to respond to the attack as accurately as possible without creating a potential False Positive.

Adding the filter to the appropriate ruleset completes the process in our Symantec Security Center. Your inbox becomes protected from that attack after the ruleset is updated on the filtering mail server.

Feedback on missed spam submissions

Due to the volume of submissions received, we do not acknowledge missed spam messages and cannot offer any guarantee that filters will be written.

Should you face a situation where feedback is required or the complexity of the attack demands interaction with our Anti-Spam team, prepare all of the information required below and open a case with Technical Support.

Sample submission details

  • Submitter email address or Sample ID
  • Date/Time of submission
  • Submission method/address

Sample details

  • Did you submit a single spam or multiple samples?
  • Provide the following details from at least 1 of the submitted samples:
    • Envelope From address
    • Recipient address
    • Subject
    • Delivery date
    • When was the spam from this particular attack first seen?
  • Are the samples recent, within 5 days (Y/N)?

Customer Impact/Scope of the issue

  • Scope/Pain point of the issue
    • Number of users impacted
    • Does it involve the CEO/VIP
    • Is it a random incident?
  • What type of spam did you receive?
    • URL
    • Phish
    • Attachment
    • ReplyTo
    • etc
  • What is the volume of missed messages?
  • How many spam messages are your users seeing?

Manually submit false negative spam samples:

Note: Use this method only when you can't upload the samples via the Submit False Negative page.

To analyze a missed spam message, Symantec must receive the original spam message:

  • Within 5 days of receipt
  • As a "message/rfc822" email attachment * 
  • One email attachment per submission **
  • Do not provide a ".zip" file, only a ".eml" file.
  • Send sample spam messages as an email attachment to [email protected].

For more information about attaching messages, see Email client instructions.

Also see Information about the Email Security.cloud submission service.

 

Additional Information

Email client instructions:

Note: For email software not listed, check the software's documentation or contact your service provider.

Microsoft Outlook 2010, 2013 and 2016

Select the sample message and press Ctrl + Alt + F on the keyboard, or:

  1. Open the sample message.
  2. On the Message ribbon, click the More or More Respond Actions menu.
  3. Click Forward as an attachment.

Microsoft Outlook 2007

  • Select the sample message and press Ctrl + Alt + F
    - OR -
  • Open a new message, and drag the sample message you want to forward out of the "messages" pane into the body of the new message window
    - OR -
  • Open a new message, select the "Attach Item" icon and choose 'Item' from the drop-down list. Then select the sample message you wish to attach from the "Insert Item" dialogue box
    - OR -
  • Always forward messages as attachments. Select Tools > Options > Preferences tab > E-Mail Options. In the 'On replies and forwards' section, select "Attach original message" from the "When forwarding a message" drop-down list. Click OK twice. Then select the sample message and click the Forward button.

Microsoft Outlook 2003

Open a new message and drag the sample message you want to forward out of the "messages" pane into the body of the new message window.
- OR -
Open a new message, select the attachment icon and choose 'Item' from the drop-down list. Then select the sample message you wish to attach from the "Insert Item" dialogue box.
- OR -
Always forward messages as attachments.

  1. Click Tools > Options.
  2. In the Preferences Tab, click E-Mail Options.
  3. Under On replies and forwards, select Attach original message from the When forwarding a message drop-down list.
  4. Click OK, and then click OK again.
  5. Select the sample message, and then click Forward.

Windows Live Mail/ Microsoft Outlook Express 6

  1. Right-click the sample message, and click Forward as an attachment.

Netscape Messenger

  1. Right-click the sample message, and click Forward as an attachment.

Mozilla Thunderbird

  1. Click the sample message.
    The message is highlighted.
  2. From the menu, click Message > Forward As > Attachment.

Mac OS X Mail

  1. Click the sample message.
    The message is highlighted.
  2. From the menu, click Message > Forward as Attachment.

Lotus Notes

For information on using Lotus Notes, read Exporting messages from IBM Lotus Notes for submission to Symantec Security Response.

Definitions:

What is spam?

Symantec defines spam as unsolicited bulk email. This includes unsolicited commercial emails. Many end users, customers, and even analysts refer to spam in a broader sense as all unwanted communication. Symantec does not include the following in its definition of spam:

  • Unwanted direct marketing emails that have been solicited by the recipient
  • Unwanted newsletters that have been solicited by the recipient

Details for blocking Newsletters can be found in the following article on How to manage newsletter/marketing email filtering with Symantec Cloud Email Security.

If an email contains a phishing or malicious link (for example, an attached document that contains no code but attempts to social engineer the recipient into visiting a phishing page) it falls into the category of spam.  Symantec classifies these emails or attachments as Threat Artifacts rather than Malware. Anti-Spam tools have proven to be the most effective defense, rather than Anti-Malware.

What is malware?

Malware is software that is intended to damage or disable computers and computer systems. Symantec will add detection for Malware email attachments.

If an email contains one or more suspicious/malicious attachments that have code, these are classified as possible malware. To report these, please follow our Anti-Malware False Negative Process.

Technical information:

* Email attachments should be in "message/rfc822" attachment format. RFC 822 is a MIME subtype, specified in RFC 2046. Section 5.2 of RFC 2046 addresses the "Message Media Type," and section 5.2.1 addresses the "RFC 822 subtype". The full internet headers and body of the message should be retained exactly as the message was received and forwarded intact as an attachment.

As a general guideline, email attachments should be in the same file format that the mail client uses. For example, .msg attachments will work from Outlook providing the step-by-step instructions above are followed; .eml attachments will work from mail clients such as Windows Live Mail / Microsoft Outlook Express / Hotmail, etc.

Note: We DO NOT see submissions as valid if an email attachment is in a different file format than the one the mail client uses. For example, submissions with EML attachments from Outlook or submissions with MSG attachments from Outlook Express will be seen as invalid submissions.

** Multiple sample emails may be attached to one submission email providing the overall size limit of 2MB per submission, including attachments, is not exceeded.
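The manual submission rules above (message/rfc822 attachment, sample within 5 days of receipt, 2MB per submission) can be checked before sending. This is an added example, not a Symantec tool: it handles raw .eml samples only, the submission address is a placeholder, 2MB is read as 2 × 1024 × 1024 bytes, and taking the receipt time from the topmost Received header is an assumption.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parsedate_to_datetime

MAX_BYTES = 2 * 1024 * 1024      # page: 2MB per submission, attachments included
MAX_AGE = timedelta(days=5)      # page: sample must be within 5 days of receipt
# Do not refold the sample's original header lines when serializing.
KEEP_HEADERS = policy.default.clone(refold_source="none")

def received_at(sample):
    """Receipt time from the topmost Received header (text after the last ';')."""
    hops = sample.get_all("Received")
    if not hops:
        raise ValueError("sample has no Received header; full headers are required")
    dt = parsedate_to_datetime(str(hops[0]).rsplit(";", 1)[-1].strip())
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)  # "-0000" parses naive

def build_submission(raw_samples, sender, submit_to, now=None):
    """Wrap raw .eml bytes as message/rfc822 attachments of one submission email."""
    now = now or datetime.now(timezone.utc)
    outer = EmailMessage(policy=KEEP_HEADERS)
    outer["From"], outer["To"] = sender, submit_to
    outer["Subject"] = "Missed spam submission"
    outer.set_content("Missed spam sample(s) attached as message/rfc822.")
    for raw in raw_samples:
        sample = message_from_bytes(raw, policy=KEEP_HEADERS)
        if now - received_at(sample) > MAX_AGE:
            raise ValueError("sample is older than 5 days")
        outer.add_attachment(sample)   # Message object -> Content-Type: message/rfc822
    if len(outer.as_bytes()) > MAX_BYTES:
        raise ValueError("submission exceeds 2MB including attachments")
    return outer

# Constructed sample message (not real traffic).
SAMPLE = (b"Received: from mx.example.net by mail.example.org; "
          b"Mon, 03 Jun 2024 10:00:00 +0000\r\n"
          b"From: promo@example.net\r\nTo: user@example.org\r\n"
          b"Subject: You won\r\nDate: Mon, 03 Jun 2024 09:59:00 +0000\r\n\r\n"
          b"Click http://example.net/claim\r\n")

if __name__ == "__main__":
    when = datetime(2024, 6, 4, tzinfo=timezone.utc)
    msg = build_submission([SAMPLE], "admin@example.org",
                           "submission-address@example.invalid", now=when)  # placeholder
    print([p.get_content_type() for p in msg.iter_attachments()])
```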

Note: Any false positive or missed spam messages that you submit to Symantec Corporation may contain personally identifiable information such as email addresses and information in the email message body and/or enclosures. Symantec uses this information globally only for creating spam detection rules. We encourage the submission of false positives or missed spam because it makes our product more effective and enables us to serve you better. Access to this information is not shared with any third party, and it is restricted to Symantec personnel involved in spam rule creation. For any questions regarding your personal information, you may read our Privacy Policy or contact us at [email protected]