You need more information regarding the effectiveness of Symantec.cloud, and what to do when the spam percentage increases.
This document provides an overview of antispam effectiveness issues, policies, and procedures related to Symantec.cloud. It explains what messages should be captured as spam, what steps you can take to communicate with us regarding effectiveness issues, and when those steps should be taken. Symantec always strives to improve its anti-spam effectiveness over time, but it is to be expected that even Symantec’s industry leading technology will miss some spam messages. The procedures outlined in this document explain what you should expect from Symantec technology and what to do if your expectations are not being met.
Spam represents as much as 75% of all email sent across the Internet. The variance of this number is representative of different regions that are impacted more or less by spam senders, as well as the ever increasing deployment of IP-based solutions to deal with spam before it is allowed to reach an MTA. Symantec has been benchmarked at greater than 99% anti-spam effectiveness for all spam. Anti-spam effectiveness is defined by the percentage of spam that is identified as spam by an anti-spam solution. This is separate from the ‘catch rate’ which is the measure of the percentage of all mail messages that have been identified as spam.
To illustrate this, consider a typical mail stream of 100 messages.
It is critical that you do not confuse effectiveness and catch rate when considering the performance of Symantec Anti-spam solutions.
Symantec uses multiple methods to measure its anti-spam effectiveness:
End-user experience is typically what customers refer to when discussing spam filter effectiveness. No single inbox or small group of inboxes can by themselves be an accurate gauge for measuring overall spam filtering effectiveness. One end-user may find their experience to be poor, while another finds spam filtering to be very effective. Symantec, and other anti-spam vendors, cannot guarantee the same effectiveness for every end-user's experience, since different users receive different types and volumes of spam.
End-users also have different opinions as to what constitutes spam. The definition of spam is very subjective to most end-users. Many end-users define spam as simply unwanted email (including legitimate advertisements that they no longer wish to receive). Symantec defines spam as Unsolicited bulk email (includes Unsolicited Commercial Email).
Many end-users, customers, and even analysts are actually referring to spam in a broader sense as all unwanted communication.
Symantec does not include the following in its definition of spam:
30-45% of all of missed spam reported by Symantec customer end-users is not spam, according to Symantec’s definition.
If Symantec maintains the same effectiveness ratio (of spam caught vs. spam missed) but the total volume of spam increases, the end-user will experience a perceived drop in effectiveness. For example, one missed spam message out of ten total spam messages equates to 90% effectiveness. If the total volume of spam received increases from 10 spam messages to 100 spam messages, the effectiveness remains 90%. However the end-user perceives that the product is less effective, as there are now ten missed spam messages, compared to the one missed spam message previously. Therefore the volume of mail received by end-users is critical in understanding their perceived spam filtering effectiveness rate.
If the Anti-spam effectiveness rate has decreased, please review your specific product documentation for details on Anti-spam best practice settings.
Use the following basic troubleshooting steps:
In the portal click the services tab, select anti-spam under email services
Additional information for all of the above settings can be found in the Administrator and User Guides.
If you have followed the troubleshooting and information gathering steps outlined above and determined that the increase in missed spam is not related to configuration, then you should consider making a missed spam submission. Missed spam submissions are used by Symantec for the following:
Submissions must be received within 5 days from the time they were initially sent. Since spammers rarely reuse old spam, Symantec does not accept submissions older than 5 days. Submissions are processed using sophisticated algorithms. This process groups the message with other messages received from customers or through the extensive Global Intelligence Network. When a group reaches a threshold, it becomes an attack. At this point, the automation systems or an Email Security Analyst creates a rule to respond to the attack.
However, due to the volume of submissions received (approximately several million messages per day), Symantec cannot guarantee that filters will be written for particular submissions. Because many submissions contain a forged sender address, they cannot provide feedback for submissions.
Send the spam message as an email attachment to [email protected].
Alternatively, you can upload the sample directly through the Symantec.cloud portal by utilizing our Spam Analysis Tool. This will provide you with details if the mail is now being caught as spam as our detections are ever adapting to current spam trends.
The missed spam must be sent as RFC-822 MIME encoded attachments in order for Symantec Security Response to process the mail.
Submissions can also be made from the Symantec Email Submissions Client (SESC) which is available to Exchange users at no additional cost. SESC is available from support and will be available on the portal in the near future. For more information, see the Symantec Email Submission Client 1.0 Implementation Guide.
Many spam messages can look the same from the initial appearance, but contain many hidden characteristics that make the messages unique.
A few sample characteristics include:
For measurable drops in effectiveness or effectiveness issues impacting the business a support case should be opened for investigation. Please provide support complete examples of the missed spam that include full headers and body if possible.