Submit false negative spam emails missed by Symantec.cloud email services

book

Article ID: 160831

calendar_today

Updated On:

Products

Email Security.cloud

Issue/Introduction

Resolution

For spam email that was not blocked by Symantec.cloud anti-spam filters, and which match the definition of spam, you can submit these to Symantec for analysis (and possible filter creation).

What is a false negative?

A false negative occurs when an email containing spam has been incorrectly identified as being clean of security threats. An example of a threat may be links that appear to be for familiar websites, but in fact lead to phishing web sites.

Submit false negative spam samples automatically

You can now use the following submission method, available in the Symantec.cloud Portal under Tools > Email Submissions > Email Submission Service Settings.

Submit false negative spam samples manually

To analyze a missed spam message, Symantec must receive the original spam message:

  • Within 5 days of receipt
  • As an "message/rfc822" email attachment * 
  • One email attachment per submission **
  • Do not provide ".zip" file, only ".eml" file or ".msg" file can be attached

To submit a false negative

Send sample spam messages as an email attachment to [email protected].

For more information about attaching messages, see Email client instructions.

Additional information and a FAQ can be found in Information about Email Security.cloud Submission Service.


WARNING: Do not attach false negative samples directly to support cases. This is not a valid method of delivering mail samples to Symantec Security Response. For security reasons, all samples attached directly to support cases will be deleted.


Other submission methods

Alternatively, you can use the following submission methods, available in the Symantec.cloud portal.

  • Spam Analysis Tool - Click Dashboard > Tools > Email Submissions > Submit False negative.
    This tool provides details if the mail is now being caught as spam, as our detections are always adapting to current spam trends.
  • Symantec Email Submission Client (SESC) - Click Dashboard > Tools > Downloads. For more information, see About Symantec Email Submission Client.

What happens to missed spam submissions?

Only messages sent following the procedure above will be accepted for analysis and possible spam filter creation.

Symantec's Security Response Center processes the received message using a sophisticated algorithm which groups the message with other messages.  These may be received from customers or gathered through the extensive Probe Network. When a group of messages that are similar enough reaches a threshold, it becomes an attack.  At this point, an automated process or a Security Response technician will create a filter to respond to the attack as accurately as possible without creating a potential False Positive.  Adding the filter to the appropriate ruleset completes the process in our Security Response Center.  Your Inbox becomes protected from that attack after the ruleset is updated on the Brightmail filtering mail server.

Feedback on missed spam submissions?

Due to the volume of submissions received, Symantec does not acknowledge missed spam messages and cannot offer any guarantee that filters will be written. Should you face a situation where feedback is required, or the complexity of the attack demands interaction with our Anti-Spam team, please prepare all of the information required below and open a case with our Technical Support team either through the service portal or by phone.

Sample/s submission Details:
* Submitter email address:
* Date/Time of submission:
* Submission method/address:

Sample/s Details
* Did you submit a single spam or multiple samples?
* Provide the following details from at least 1 of the submitted samples: Envelope From address, Recipient Address, Subject, Delivery Date
* When was the spam from this particular attack first seen?
* Are the sample/s recent, within 5 days (Y/N)?

Customer Impact/Scope of the issue:
* Scope/Pain point of the issue: how many users does this impact, does it involve CEO/VIP, is it a random incident?
* What type of spam did you receive? (URL, Phish, Attachment, ReplyTo, etc.)
* What is the volume of missed messages? (How many spam messages are your users seeing)

Email client instructions

Note: For email software not listed, please check the software's documentation, or contact your service provider.

Microsoft Outlook 2010, 2013 and 2016

Select the sample message and press Ctrl + Alt + F on the keyboard or

  1. Open the sample message,
  2. On the Message ribbon, click on More or More Respond Actions menu.
  3. Click on Forward as an attachment.

Microsoft Outlook 2007

Select the sample message and press Ctrl + Alt + F
- OR -
Open a new message and drag the sample message you want to forward out of the "messages" pane into the body of the new message window
- OR -
Open a new message, select the "Attach Item" icon and choose 'Item' from the drop-down list. Then select the sample message you wish to attach from the "Insert Item" dialogue box
- OR -
Always forward messages as attachments. Select Tools -> Options -> Preferences Tab ->E-Mail Options. In the 'On replies and forwards' section, select "Attach original message" from the "When forwarding a message" drop-down list. Click OK twice. Then select the sample message and click the forward button.

Microsoft Outlook 2003

Open a new message and drag the sample message you want to forward out of the "messages" pane into the body of the new message window.
- OR -
Open a new message, select the attachment icon and choose 'Item' from the drop-down list. Then select the sample message you wish to attach from the "Insert Item" dialogue box.
- OR -
Always forward messages as attachments.

  1. Click Tools > Options.
  2. In the Preferences Tab, click E-Mail Options.
  3. Under On replies and forwards, select Attach original message from the When forwarding a message drop-down list.
  4. Click OK, and then click OK again.
  5. Select the sample message, and then click Forward.

Windows Live Mail/ Microsoft Outlook Express 6

  1. Right-click the sample message, and click Forward as an attachment.

Netscape Messenger

  1. Right-click the sample message, and click Forward as an attachment.

Mozilla Thunderbird

  1. Click the sample message.
    The message is highlighted.
  2. From the menu, click Message > Forward As > Attachment.

Mac OS X Mail

  1. Click the sample message.
    The message is highlighted.
  2. From the menu, click Message > Forward as Attachment.

Lotus Notes

For information on using Lotus Notes, read How To Export Messages From IBM Lotus Notes.

Definitions

What is spam?

Symantec defines spam as unsolicited bulk email.  This includes unsolicited commercial email. Many end users, customers and even analysts are referring to spam in a broader sense as all unwanted communication. Symantec does not include the following in its definition of spam:

  • Unwanted direct marketing emails that have been solicited by the recipient
  • Unwanted newsletters that have been solicited by the recipient

Details for blocking Newsletters can be found in the following article on How to manage newsletter / marketing email filtering with Symantec Cloud Email Security.

If an email contains a phishing or malicious link (for example, an attached document that contains no code but attempts to social engineer the recipient into visiting a phishing page) it falls into the category of spam.  Symantec classifies these mails or attachments as Threat Artifacts rather than Malware. Anti-Spam tools have proven to be the most effective defense, rather than Anti-Malware.

What is malware?

Malware is software that is intended to damage or disable computers and computer systems. Symantec will add detection for Malware email attachments.

If an email contains a suspicious/malicious attachment(s) which have code, these are classified as possible malware.  To report these, please follow our Anti-Malware False Negative Process.

Technical information

* Email attachments should be in "message/rfc822" attachment format. RFC 822 is a mime subtype, specified in RFC 2046. Section 5.2 of RFC 2046 addresses the "Message Media Type," and section 5.2.1 addresses the "RFC 822 subtype". The full internet headers and body of the message should be retained exactly as the message was received and forwarded intact as an attachment.

As a general guideline, email attachments should be in the same file format that the mail client uses. For example, .msg attachments will work from Outlook providing the step-by-step instructions above are followed; .eml attachments will work from mail clients such as Windows Live Mail / Microsoft Outlook Express / Hotmail, etc.

NOTE: Please notice that Symantec DOES NOT see submissions as valid if an email attachment is in a different file format that the mail client uses. For example, submissions with EML attachments from Outlook or submissions with msg attachments from Outlook Express will be seen as invalid submission.

** Multiple sample emails may be attached to one submission email providing the overall size limit of 2MB per submission, including attachments, is not exceeded.

 

Note that any false positive or missed spam messages that you submit to Symantec Corporation may contain personally identifiable information such as email addresses and information in email message body and/or enclosures. Symantec uses this information globally only for creating spam detection rules. We encourage the submission of false positives or missed spam because it makes our product more effective and enables us to serve you better. Access to this information is not shared with any third party, and it is restricted to Symantec personnel involved in spam rule creation. For any question regarding your personal information, you may read our Privacy Policy or contact us at [email protected]