You need more information regarding the effectiveness of Symantec Email Security.cloud, and what to do when the spam percentage increases.

Email Security.cloud

Introduction

This document provides an overview of antispam effectiveness issues, policies, and procedures related to Symantec Email Security.cloud. It explains what messages should be captured as spam, what steps you can take to communicate with us regarding effectiveness issues, and when those steps should be taken. Symantec always strives to improve its anti-spam effectiveness over time, but it is to be expected that even Symantec’s industry leading technology will miss some spam messages. The procedures outlined in this document explain what you should expect from Symantec technology and what to do if your expectations are not being met.

Effectiveness

Spam represents as much as 75% of all email sent across the Internet. The variance of this number is representative of different regions that are impacted more or less by spam senders, as well as the ever increasing deployment of IP-based solutions to deal with spam before it is allowed to reach an MTA. Symantec has been benchmarked at greater than 99% anti-spam effectiveness for all spam. Anti-spam effectiveness is defined by the percentage of spam that is identified as spam by an anti-spam solution. This is separate from the ‘catch rate’ which is the measure of the percentage of all mail messages that have been identified as spam.

To illustrate this, consider a typical mail stream of 100 messages.

• 64 messages are spam (based on latest Symantec trend analysis of Internet mail).
• Symantec Email Security.cloud successfully identifies 60 messages as spam.
• The spam effectiveness is 93.75% (60/64 spam messages).
• The catch rate is 60% (60/100 messages).

It is critical that you do not confuse effectiveness and catch rate when considering the performance of Symantec Anti-spam solutions.

Symantec uses multiple methods to measure its anti-spam effectiveness:

• Control accounts at global service provider customers, including our Probe Network partners. These accounts provide Symantec with a direct measure of effectiveness, against a statistically significant number of accounts monitored in customer environments.
• The catch rate of the Global Intelligence Network. The GIN is made up of millions of email accounts that receive exclusively spam messages. Symantec Security Response measures the number of spam messages in the GIN that are correctly identified as spam.
• Missed spam submissions. The Email Security Group within Symantec Security Response analyzes the number of missed spam submissions from our customers. This provides direct customer feedback on the number of messages missed relative to the aggregate message flow through all mailboxes protected by Symantec mail security products.

End User Expectations

End-user experience is typically what customers refer to when discussing spam filter effectiveness. No single inbox or small group of inboxes can by themselves be an accurate gauge for measuring overall spam filtering effectiveness. One end-user may find their experience to be poor, while another finds spam filtering to be very effective. Symantec, and other anti-spam vendors, cannot guarantee the same effectiveness for every end-user's experience, since different users receive different types and volumes of spam.

End-users also have different opinions as to what constitutes spam. The definition of spam is very subjective to most end-users. Many end-users define spam as simply unwanted email (including legitimate advertisements that they no longer wish to receive). Symantec defines spam as Unsolicited bulk email (includes Unsolicited Commercial Email).

Many end-users, customers, and even analysts are actually referring to spam in a broader sense as all unwanted communication.

Symantec does not include the following in its definition of spam:

• Unwanted direct marketing emails that have been solicited by the recipient.
• Unwanted newsletters that have been solicited by the recipient.
• Unwanted transaction emails, for example, receipts, confirmations, account statements, and similar items.
• Hoaxes, urban legends, jokes, chain-letters sent by users known to the recipient.
• Challenge/response emails.
• Messages sent to the recipient in error.
• Email bounce notifications and errant worm notifications.

30-45% of all of missed spam reported by Symantec customer end-users is not spam, according to Symantec’s definition.

Increased Spam Volume

If Symantec maintains the same effectiveness ratio (of spam caught vs. spam missed) but the total volume of spam increases, the end-user will experience a perceived drop in effectiveness. For example, one missed spam message out of ten total spam messages equates to 90% effectiveness. If the total volume of spam received increases from 10 spam messages to 100 spam messages, the effectiveness remains 90%. However the end-user perceives that the product is less effective, as there are now ten missed spam messages, compared to the one missed spam message previously. Therefore the volume of mail received by end-users is critical in understanding their perceived spam filtering effectiveness rate.

Steps to Follow if Seeing Increased Missed Spam

If the Anti-spam effectiveness rate has decreased, please review your specific product documentation for details on Anti-spam best practice settings.

Use the following basic troubleshooting steps:

• Ensure spam messages are not bypassing Symantec servers. (Check the Received-from IPs).
• If the Approved Senders List is enabled (ensure none of the senders of the missed spam messages are on those lists).
• Note the time period that the suspected spike in missed spam occurred and ensure that you are securing the most recent spam messages for submission.
• When submitting samples of missed spam to the Symantec Security Response Center please ensure they are sent as RFC-822 mime encoded attachments.
• How you are tracking the increase in spam?
• Are these end user inbox complaints, management complaints or statistical in nature?
• Have you made any other changes to your environment that might have contributed to effectiveness issues?

Best practices

In the portal click the services tab, select anti-spam under email services:

• Enable both Approved Sender options and keep entries on the list to a minimum where possible.
• Optional: Enable spoofed sender detection with SPF - recommended if having an issue with spoofed spam mails.
• Enable DMARC - (Domain-based Message Authentication, Reporting, and Conformance) helps thwart phishing attempts that can lead to security breaches by detecting email sender spoofing.
• Enable Both Blocked Senders Lists - The recommended action for both is to 'block and delete'.
• Utilize the dynamic IP block list - Recommended action is block and delete as this contains a list of dynamic IP ranges that no mail should be coming from.
• Enable the Signaturing System - Recommended action Block and Delete as this works on characteristics of known spam.
• Enable Skeptic Heuristics - Predictive Spam detection - Recommended action is to tag the subject line and allow mail through as this can then be actioned by outlook rules for the end users. This is also recommended as this ruleset while still very accurate has more of a potential for false positives as it is a predictive system. Alternately Quarantine the mail should be utilized if it is enabled/activated.
• Enable the newsletter filter extension if needed - this is a very aggressive newsletter block which will stop all wanted and unwanted newsletters. We generally recommend that this be enabled and exceptions made on a case-by-case basis depending on the environment that you are deploying to.
• Utilize the Symantec Exchange Submission Client.

Additional information for all of the above settings can be found in the Administrator and User Guides.

Missed Spam Submissions

If you have followed the troubleshooting and information gathering steps outlined above and determined that the increase in missed spam is not related to configuration, then you should consider making a missed spam submission. Missed spam submissions are used by Symantec for the following:

• Antispam technology and effectiveness research.
• Emerging threat research.
• Internal reporting and data mining.
• Antispam filter development.

Submissions must be received within 5 days from the time they were initially sent. Since spammers rarely reuse old spam, Symantec does not accept submissions older than 5 days. Submissions are processed using sophisticated algorithms. This process groups the message with other messages received from customers or through the extensive Global Intelligence Network. When a group reaches a threshold, it becomes an attack. At this point, the automation systems or an Email Security Analyst creates a rule to respond to the attack.

However, due to the volume of submissions received (approximately several million messages per day), Symantec cannot guarantee that filters will be written for particular submissions. Because many submissions contain a forged sender address, they cannot provide feedback for submissions.

How End Users Submit Missed Spam

Send the spam message as an email attachment to [email protected].

Alternatively, you can upload the sample directly through the Symantec Email Security.cloud portal by utilizing our Spam Analysis Tool. This will provide you with details if the mail is now being caught as spam as our detections are ever adapting to current spam trends.

The missed spam must be sent as RFC-822 MIME encoded attachments in order for Symantec Security Response to process the mail.

Submissions can also be made from the Symantec Email Submissions Client (SESC) which is available to Exchange users at no additional cost.For more information, see the Email Submission add-in 101 for Email Security.cloud .

Repeated Spam Attacks

Many spam messages can look the same from the initial appearance, but contain many hidden characteristics that make the messages unique.

A few sample characteristics include:

• Hidden HTML comments or undefined HTML tags.
• Using text that is the same color as the background (or nearly the same color – camouflage).
• Use of extremely tiny fonts placed strategically throughout the message.
• Images that introduce randomized changes (text moved, color changed, image rotated slightly, different borders, etc.).

Effectiveness Escalations

For measurable drops in effectiveness or effectiveness issues impacting the business a support case should be opened for investigation.  Please provide support complete examples of the missed spam that include full headers and body if possible.