Submit spam false positives to Symantec Security Response

Article ID: 171524

Products

Mail Security for Microsoft Exchange, Messaging Gateway, Messaging Gateway for Service Providers

Issue/Introduction

Resolution

Definitions:

Spam

Symantec defines spam as unsolicited bulk email (including unsolicited commercial email). Many end users, customers and even analysts use the term in a broader sense to mean all unwanted communication. Symantec does not include the following in its definition of spam:

  • Unwanted direct marketing emails that have been solicited by the recipient
  • Unwanted newsletters that have been solicited by the recipient

Symantec Messaging Gateway has disposition verdicts on newsletter messages, marketing mail messages, and suspicious URL messages. See Disposition verdicts feature available with Messaging Gateway for more information.

Suspect Spam

Messages marked as suspect spam are not treated as false positives. The suspect spam feature of Symantec mail products is intended to augment the spam filtering. It is up to the administrators of the product to determine a threshold that is suitable for the organization.

Unlike spam, which is determined by Symantec and not subject to adjustment by administrators, the suspected spam threshold should be configured to an appropriate level or disabled completely. Administrators of Symantec mail products are advised to use policies to specify less obstructive actions for messages identified as suspected spam than for messages identified as spam by Symantec.

False positive

A false positive is a legitimate email which has been incorrectly given a verdict of spam.

False positive submissions

A legitimate email which has been incorrectly given a verdict of spam can be submitted to Symantec for analysis and filter review. As explained above, messages with a suspect spam verdict are not considered false positives and these are not reviewed.

To analyze a false positive message, Symantec must receive the original false positive message:

  • As a "message/rfc822" email attachment*
  • One email attachment per submission**

Send the false positive message as an email attachment to the appropriate address for your region:

Instructions on how to attach messages for common email clients are provided below. For all other email clients, please check the documentation or contact the service provider for help.

What happens to false positive submissions?

Only messages sent following these procedures are accepted for analysis. Messages that have a spam verdict are processed within 24 hours. Each false positive submission is examined individually to assess what caused the message to be detected as spam and what corrective action, if any, needs to be taken.

Symantec does not guarantee that each submission results in an alteration of our filters.

Feedback on false positives submissions

Symantec does not acknowledge messages submitted to the above addresses. Ensure that you are following the procedure outlined above to submit in a correct format. If this fails to resolve the matter please contact your administrator or Symantec support.

What happens if the false positive email was deleted?

If the action for a spam verdict is to delete and you are aware of a legitimate email being deleted due to a spam verdict, you can work with the original sender to re-send their email. In addition:

  • You can create a temporary whitelist for the sender’s address in order to obtain the sample message from the recipient for submission.
  • The whitelist should be removed after the sample message has been obtained as email addresses are often spoofed by spammers and this could lead to messages bypassing spam scanning.

In Symantec Messaging Gateway it is possible to submit messages directly from the quarantine:

  • Create a new group policy for the recipient of the email and change the action to quarantine
  • Ensure the option to send Misidentified Messages to Symantec Security Response is enabled on the Spam > Settings > Quarantine Settings page.
  • Ask the sender to resend their email
  • Release the email from the quarantine.

Mail client instructions for submitting valid samples (missed spam and false positives):

The following mail clients have been tested and confirmed to be able to submit messages in the required format. If your mail client does not appear in the list below please consult the Technical Information section of the document for email submission requirements and your email software documentation to determine whether submissions are possible using your mail client.

Microsoft Outlook 2010

Select the sample message, right-click the sample message > More Actions > Forward as attachment.

Microsoft Outlook 2007

Select the sample message and press Ctrl + Alt + F
OR
Open a new message and drag the sample message you want to forward out of the "messages" pane into the body of the new message window
OR
Open a new message, select the “Attach Item” icon and choose 'Item' from the drop-down list. Then select the sample message you wish to attach from the "Insert Item" dialog box
OR
Always forward messages as attachments. Select Tools > Options > Preferences Tab > E-Mail Options. In the ‘On replies and forwards’ section, select “Attach original message” from the “When forwarding a message” drop-down list. Click OK twice. Then select the sample message and click the forward button.

Microsoft Outlook 2003

Open a new message and drag the sample message you want to forward out of the "messages" pane into the body of the new message window
OR
Open a new message, select the attachment icon and choose 'Item' from the drop-down list. Then select the sample message you wish to attach from the "Insert Item" dialog box
OR
Always forward messages as attachments. Select Tools > Options > Preferences Tab > E-Mail Options. In the ‘On replies and forwards’ section, select “Attach original message” from the “When forwarding a message” drop-down list. Click OK twice. Then select the sample message and click the forward button.

Windows Mail/ Microsoft Outlook Express 6

Right-click the sample message > Forward as an attachment.

Mozilla Thunderbird

Select the sample message (message is highlighted). Click Message > Forward As > "Attachment". ("Message" is at the top, next to "File Edit View Go".)

Mac OS X Mail

Highlight the sample message. Click Message > “Forward as Attachment” from the menu.

Lotus Notes

For information on using Lotus Notes, read How To Export Messages From IBM Lotus Notes.

Technical information

* Email attachments MUST be in "message/rfc822" attachment format. "rfc822" is a MIME subtype of the "message" media type, specified here: http://www.ietf.org/rfc/rfc2046.txt. Section 5.2 of RFC 2046 addresses the "Message Media Type", and section 5.2.1 addresses the "RFC 822 subtype". The full internet headers and body of the message should be retained exactly as the message was received and forwarded intact as an attachment.

As a general guideline, email attachments should be in the same file format that the mail client uses. For example, .msg attachments work from Outlook if you follow the earlier instructions. .eml attachments work from mail clients such as Windows Live Mail, Microsoft Outlook Express, etc.

Note: Symantec does not see submissions as valid if email attachments are in a format other than message/rfc822. For example, submissions with .eml attachments from Outlook or submissions with .msg attachments from Outlook Express are seen as invalid submissions.

** Multiple sample emails may be attached to one submission email provided the overall size limit of 2MB per submission, including attachments, is not exceeded.
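
For administrators who script submissions instead of using a mail client, the following added example (not Symantec code) wraps a saved original message as a message/rfc822 attachment and checks the result against the format and 2MB rules above. The submission address is a placeholder because the regional addresses are not listed here; the sample message is constructed, and treating missing Received headers as a sign of stripped headers is an assumption of this example.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# refold_source="none" leaves the original's parsed headers folded as received.
POLICY = policy.SMTP.clone(refold_source="none")
MAX_SUBMISSION_BYTES = 2 * 1024 * 1024  # 2MB per submission, attachments included
SUBMIT_TO = "regional-address@placeholder.invalid"  # placeholder, not a real address

# Constructed sample standing in for the misclassified message as received.
SAMPLE_ORIGINAL = (
    b"Received: from mail.example.net by mx.example.com; 1 Jan 2024 10:00:00 +0000\r\n"
    b"From: Billing <billing@example.net>\r\n"
    b"To: user@example.com\r\n"
    b"Subject: Invoice 1001\r\n"
    b"Message-ID: <constructed-1@example.net>\r\n"
    b"\r\n"
    b"Your invoice is attached.\r\n"
)

def build_submission(original_bytes, sender, submit_to=SUBMIT_TO):
    """Wrap the raw original (headers and body) as one message/rfc822 attachment."""
    original = message_from_bytes(original_bytes, policy=POLICY)
    msg = EmailMessage(policy=POLICY)
    msg["From"] = sender
    msg["To"] = submit_to
    msg["Subject"] = "False positive submission"
    msg.set_content("Original message attached as message/rfc822.")
    msg.add_attachment(original)  # a Message object becomes a message/rfc822 part
    return msg

def check_submission(msg):
    """Return the reasons a submission would not meet the format rules above."""
    problems = []
    parts = list(msg.iter_attachments())
    if not parts:
        problems.append("no attachment: original forwarded inline or missing")
    for part in parts:
        if part.get_content_type() != "message/rfc822":
            problems.append(f"attachment is {part.get_content_type()}, not message/rfc822")
        elif not part.get_content().get_all("Received"):
            problems.append("embedded message has no Received headers")
    if len(msg.as_bytes()) > MAX_SUBMISSION_BYTES:
        problems.append("submission exceeds 2MB including attachments")
    return problems

if __name__ == "__main__":
    print(check_submission(build_submission(SAMPLE_ORIGINAL, "postmaster@example.com")))
```

Run `check_submission` on the built message before sending it through your own relay; an empty list means the attachment type, header presence and size checks all passed.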

Note: Any false positive or missed spam messages that you submit to Symantec Corporation may contain personally identifiable information such as email addresses and information in email message body and/or enclosures. Symantec uses this information globally only for creating spam detection rules. We encourage the submission of false positives or missed spam because it makes our product more effective and enables us to serve you better. Access to this information is not shared with any third party and it is restricted to Symantec personnel involved in spam rule creation.

For any question regarding your personal information, you may read our Privacy Policy or contact us at [email protected].

Additional information

See the Connect article Symantec Insider Tip: Successful Submissions! for details on how to safely submit missed suspicious files that entered an organization via mail attachments or URLs in mail, how to report suspected phishing sites, and more.