ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.

Submit false negatives (missed spam) or false positives (legitimate email) to Symantec Security Response

book

Article ID: 177121

calendar_today

Updated On:

Products

Mail Security for Microsoft Exchange Messaging Gateway Messaging Gateway for Service Providers

Issue/Introduction

One of the following Symantec Mail Security products have missed spam, newsletter, or marketing messages, or has generated a false positive. You want to submit this to Symantec Security Response for examination.

  • Messaging Gateway
  • Messaging Gateway for Service Providers
  • Mail Security for Microsoft Exchange

If you are using Email Security.cloud, Web Security.cloud, or ATP Email and have encountered a false negative or false positive from the Cynic component, see Submit false negative threats missed by Symantec.cloud email services.

Resolution

Definitions

Spam

Symantec defines spam as unsolicited bulk email (includes unsolicited commercial email). Many end-users, customers and even analysts are actually referring to spam in a broader sense as all unwanted communication. Symantec does not include the following in its definition of spam:

  • Unwanted direct marketing emails that have been solicited by the recipient
  • Unwanted newsletters that have been solicited by the recipient

Symantec Messaging Gateway (SMG) has disposition verdicts on newsletter messages, marketing mail messages, and suspicious URL messages. To learn more about these depositions and messages submission procedures, see Disposition verdicts feature available with Messaging Gateway.

Suspect Spam

Messages which are marked as suspect spam are not treated as false positives. The suspect spam feature of Symantec Email Security products is intended to augment the spam filtering. It is up to administrators of the product to determine a threshold which is suitable for the organization. Unlike spam, which is determined by Symantec and not subject to adjustment by administrators, the suspected spam threshold should be configured to an appropriate level or disabled completely. Administrators of Symantec Email Security products are advised to use policies to specify less obstructive actions for messages identified as suspected spam than messages identified as spam by Symantec

False positive

A false positive is a legitimate email which has been incorrectly given a verdict of spam.

Missed spam submissions

Messages which have not been blocked by the anti-spam filters and which match the definition of spam above can be submitted to Symantec for analysis and possible filter creation.
To analyze a missed spam message, Symantec must receive the original spam message:

  • Within 24 hours of receipt
  • As an "message/rfc5322" email attachment* 
  • One email attachment per submission**

Send the spam message as an email attachment to the appropriate address for your region:

Instructions on how to attach messages for common email clients are provided below. For all other email systems, please check the documentation or contact the service provider for help.

What happens to missed spam submissions?

Only messages sent following the procedure listed earlier are accepted for analysis and possible spam filter creation.

The Security Response Center processes the received message using a sophisticated algorithm which groups the message with other messages received from customers or through the extensive probe network. When a group of messages that are similar enough reaches a threshold, it becomes an attack.  At this point, an automated process or a Security Response technician creates a filter to respond to the attack as accurately as possible without creating a potential False Positive.  Adding the filter to the appropriate ruleset completes the process in our Security Response Center.  Your Inbox becomes protected from that attack after the ruleset is updated on the filtering mail server.

Feedback on missed spam submissions

Symantec does not acknowledge messages submitted to the above addresses. Due to the volume of submissions received, Security Response cannot offer any guarantee that filters will be written. For the creation of specific rules, customers should be using the custom rules, compliance policies, and blacklist modules.

For mail administrators who want to enable end-user spam reporting

A “report spam” button can be configured in the mail client interface to allow end users to submit missed spam directly. Administrators should work with their mail client provider to do this. An alias should be configured for the appropriate submission address above. The action of the button should be to forward the original spam message to the alias as an RFC 822 email attachment with full headers and body preserved. A copy of the message may also be sent to the customer’s internal support desk.

False positive submissions

A legitimate email which has been incorrectly given a verdict of spam can be submitted to Symantec for analysis and filter review. As explained above, messages with a suspect spam verdict are not considered false positives, and these will not be reviewed.

To analyze a false positive message, Symantec must receive the original false positive message:

  • As an "message/rfc822" email attachment*
  • One email attachment per submission**

Send the false positive message as an email attachment to the appropriate address for your region:

Instructions on how to attach messages for common email clients are provided below. For all other email clients, please check the documentation or contact the service provider for help.

What happens to false positive submissions?

Only messages sent following the procedure above will be accepted for analysis.

Messages that have a spam verdict are processed within 24 hours. Each false positive submission is examined individually to assess what caused the message to be detected as spam and what corrective action, if any, needs to be taken. Note that Symantec does not guarantee that each submission results in an alteration of our filters.

Feedback on false positive submissions

Symantec does not acknowledge messages submitted to the above addresses. Ensure that you are following the procedure outlined above to submit in a correct format. If this fails to resolve the matter please contact your administrator or Symantec support.

What happens if the false positive email was deleted?

If the action for a spam verdict is to delete and you are aware of a legitimate email getting deleted due to a spam verdict, you can work with the original sender to re-send their email plus:

  • You can create a temporary whitelist for the sender’s address in order to obtain the sample message from the recipient for submission.
  • The whitelist should be removed after the sample message has been obtained as email addresses are often spoofed by spammers and this could lead to messages bypassing spam scanning.

In Symantec Messaging Gateway it is possible to submit messages directly from the quarantine:

  • Create a new group policy for the recipient of the email and change the action to quarantine
  • Ensure the option to send Misidentified Messages to Symantec Security Response is enabled on the Spam, Settings, Quarantine Settings page.
  • Ask the sender to resend their email
  • Release the email from the quarantine.

Submitting messages for customer-specific spam rules

You can obtain custom spam rules specifically for your organization based on the missed spam messages and false positive messages that administrators and end users submit.

This feature provides the following benefits:

  • It improves Symantec Messaging Gateway's ability to detect spam and helps administrators control false positive incidents
  • It makes it easier to submit missed spam messages or false positive messages to Symantec for analysis and ruleset creation
  • It provides visibility into the submission status and ruleset creation

See Setting up customer-specific spam submissions 

See About submitting messages for customer-specific spam rules

Mail client instructions for submitting samples

The following mail clients have been tested and confirmed to be able to submit messages in the required format. If your mail client does not appear in the list below please consult the Technical Information section of the document for email submission requirements and your email software documentation to determine whether submissions are possible using your mail client.

Microsoft Outlook 2013, 2016, and Office 365

Select the sample message, and click the Home ribbon. In the Respond group, click More, and then click Forward as Attachment.

Microsoft Outlook 2010

Right-click the sample message, choose More Actions, and then click Forward as Attachment.

Microsoft Outlook 2007

Select the sample message and press Ctrl + Alt + F
—OR—
Open a new message and drag the sample message you want to forward out of the "messages" pane into the body of the new message window
—OR—
Open a new message, select the “Attach Item” icon and choose 'Item' from the drop-down list. Then select the sample message you wish to attach from the "Insert Item" dialog box
—OR—
Always forward messages as attachments. Select Tools, Options, Preferences Tab, E-Mail Options. In the ‘On replies and forwards’ section, select “Attach original message“ from the “When forwarding a message” drop-down list. Click OK twice. Then select the sample message and click the forward button.

Microsoft Outlook 2003

Open a new message and drag the sample message you want to forward out of the "messages" pane into the body of the new message window
—OR—
Open a new message, select the attachment icon and choose 'Item' from the drop-down list. Then select the sample message you wish to attach from the "Insert Item" dialog box
—OR—
Always forward messages as attachments. Select Tools, Options, Preferences Tab, E-Mail Options. In the ‘On replies and forwards’ section, select “Attach original message from the “When forwarding a message” drop-down list. Click OK twice. Then select the sample message and click the forward button

Windows Mail/ Microsoft Outlook Express 6

Right-click the sample message, Forward as an attachment.

Mozilla Thunderbird

Select the sample message (message is highlighted). Click Message, Forward As, “Attachment". (Message" is at the top, next to "File Edit View Go")

Mac OS X Mail

Highlight the sample message. Click Message, “Forward as Attachment” from the menu.

Lotus Notes

For information on using Lotus Notes, read How To Export Messages From IBM Lotus Notes.

Technical information

* Email attachments MUST be in "message/rfc822" attachment format. RFC 822 is a mime subtype, specified here: http://www.ietf.org/rfc/rfc2046.txt. Section 5.2 of RFC 2046 addresses the "Message Media Type", and section 5.2.1 addresses the "RFC 822 subtype". The full internet headers and body of the message should be retained exactly as the message was received and forwarded intact as an attachment.

As a general guideline, email attachments should be in the same file format that the mail client uses. For example, *.msg attachments work from Outlook providing the step-by-step instructions provided earlier are followed; *.eml attachments work from mail clients such as Windows Live Mail, Microsoft Outlook Express, etc.

Note: Symantec DOES NOT see submissions as valid if the email attachment is in a format other than message/rfc822. For example, submissions with *.eml attachments from Outlook or submissions with *.msg attachments from Outlook Express are seen as invalid submission.

** Multiple sample emails may be attached to one submission email providing the overall size limit of 2MB per submission, including attachments, is not exceeded.

Any false positive or missed spam messages that you submit to Symantec Corporation may contain personally identifiable information such as email addresses and information in email message body and/or enclosures. Symantec uses this information globally only for creating spam detection rules. We encourage the submission of false positives or missed spam because it makes our product more effective and enables us to serve you better. Access to this information is not shared with any third party and it is restricted to Symantec personnel involved in spam rule creation. For any question regarding your personal information, you may read our Privacy Policy at https://www.broadcom.com/company/legal/privacy.

Additional information

See Symantec Insider Tip: Successful Submissions! to learn how to safely submit missed suspicious files that entered an organization through attachments or URLs in email, how to report suspected phishing sites, and more.

Attachments