This document explains the suspect spam feature and how customers can utilize this in their environment to control antispam aggressiveness when filtering messages. Topics covered in this document are: definition of suspect spam, brief summary of what causes a message to be given a verdict of suspected spam, explanation of options available to customers when configuring the suspected spam feature, and frequently asked questions.
What is Suspected Spam?
Suspected spam messages are messages that have suspicious attributes associated with them, but not enough to warrant a full verdict of spam. Because spammers try to mimic common legitimate features in order to bypass antispam filters, most legitimate messages by their very nature also carry some attributes that look "suspect". By enabling the suspected spam feature, users can assign an action to messages that do not have enough rules firing for a full spam verdict, but enough to render them "suspicious".
When evaluating whether messages are spam, the filters assign each message a numerical score between 1 and 100. Within the Messaging Gateway Control Center, a score of 90 to 100 represents a spam verdict. The table below describes the level of aggressiveness corresponding to each suspected spam score range:
Suspected Spam Score Range | Aggressiveness
25-89                      | High
72-89                      | Medium
89                         | Low
For example, setting the score range to the high aggressiveness level (25 – 89) would in effect cause a large number of messages that may be legitimate to be given a suspected spam verdict. The average legitimate message can score anywhere between 10 and 50 in rule weight and, depending on its content and origin, can score even higher without reaching a full spam verdict. This should be taken into account when adjusting the threshold. Each customer's environment is different, and it is important to adjust this feature as needed to minimize the number of suspect verdicts.
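The following Python is an added illustration, not Symantec code and not the appliance's real rule engine: it models the score bands the article describes (90-100 is spam, the suspected spam threshold is selectable between 25 and 89) and shows how the share of legitimate mail flagged as suspect grows as the threshold is lowered. The sample scores are constructed, and the mapping of a chosen threshold to the High/Medium/Low label (lower bound decides: 25-71 High, 72-88 Medium, 89 Low) is my reading of the table above, not something the article states outright.

```python
"""Model of the spam / suspected-spam score bands described in the article.

Added example; it is not Symantec code and does not reproduce the
Messaging Gateway rule engine. Score bands come from the article:
90-100 is a full spam verdict, and the suspected spam threshold is
configurable between 25 and 89.
"""

SPAM_MIN = 90           # 90-100: full spam verdict (from the article)
SUSPECT_FLOOR = 25      # lowest selectable suspected spam threshold (most aggressive)
SUSPECT_CEIL = 89       # highest selectable suspected spam threshold (least aggressive)


def verdict(score: int, suspect_threshold: int) -> str:
    """Classify one message's rule score as 'spam', 'suspected spam' or 'clean'.

    suspect_threshold is the lower bound of the suspected spam range that the
    customer configures; anything from that value up to 89 is "suspected".
    """
    if not 1 <= score <= 100:
        raise ValueError("score must be between 1 and 100")
    if not SUSPECT_FLOOR <= suspect_threshold <= SUSPECT_CEIL:
        raise ValueError("suspected spam threshold must be between 25 and 89")
    if score >= SPAM_MIN:
        return "spam"
    if score >= suspect_threshold:
        return "suspected spam"
    return "clean"


def aggressiveness(suspect_threshold: int) -> str:
    """Label a threshold High / Medium / Low.

    Assumption: the article's table is read as "the lower bound you pick
    decides the level" (25-71 High, 72-88 Medium, 89 Low).
    """
    if not SUSPECT_FLOOR <= suspect_threshold <= SUSPECT_CEIL:
        raise ValueError("suspected spam threshold must be between 25 and 89")
    if suspect_threshold >= 89:
        return "Low"
    if suspect_threshold >= 72:
        return "Medium"
    return "High"


# Constructed sample: rule scores for 16 legitimate messages, standing in for
# one site's inbound mail. Not real data; chosen to match the article's remark
# that legitimate mail usually scores 10-50 and occasionally higher.
SAMPLE_LEGIT_SCORES = [12, 18, 23, 27, 31, 34, 38, 41, 45, 49, 52, 58, 63, 70, 75, 81]


def suspect_count(scores, suspect_threshold: int) -> int:
    """Number of scores that would receive a suspected spam verdict."""
    return sum(1 for s in scores if verdict(s, suspect_threshold) == "suspected spam")


def suspect_rate(scores, suspect_threshold: int) -> float:
    """Share of the sample that would be marked suspected spam."""
    return suspect_count(scores, suspect_threshold) / len(scores)


def threshold_report(scores, thresholds=(25, 50, 72, 89)):
    """Map each candidate threshold to (aggressiveness label, suspect rate).

    Useful when tuning: run known-good mail through it and pick the highest
    threshold whose rate is acceptable, since a lower value mostly buys
    more false "suspect" verdicts on legitimate messages.
    """
    return {t: (aggressiveness(t), suspect_rate(scores, t)) for t in thresholds}


if __name__ == "__main__":
    for t, (level, rate) in threshold_report(SAMPLE_LEGIT_SCORES).items():
        print(f"threshold {t:>2} ({level:<6}): {rate:.1%} of sample legit mail flagged suspect")
```

Running it on the constructed sample flags 13 of 16 legitimate messages at threshold 25 and none at 89, which is the risk/reward trade-off the article asks customers to weigh before lowering the threshold.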
Why enable the Suspected Spam Feature?
Suspected spam is designed to give some control back to customers. There is a risk/reward trade-off when adjusting this threshold. The table below lists the pros and cons of using this feature and should be taken into account when adjusting the threshold.
Pro                                                                                   | Con
Configured by the customer and can be turned on or off at any time.                   | Unidentified suspect spam messages may increase if the feature is disabled.
Can specify different actions for messages identified as suspect by using policies.   | Some legitimate messages may be given a suspected spam verdict.
General items to consider when using the suspected spam feature on Symantec Messaging Gateway:
Frequently Asked Questions
Q: What can be done if a "suspected spam" false positive occurs?
A: Symantec does not consider this a true false positive. Because the individual threshold is chosen by the user, these messages cannot be treated as false positives, as changing the rules would have an adverse impact on overall effectiveness. Therefore, messages submitted to Security Response that do not have full spam verdicts will be automatically discarded without any manual review. If you encounter a "suspect" false positive, you can do any of the following:
Q: Why do legitimate messages get a verdict of suspected spam?
A: Any message has a chance of having some number of rules fire, since spammers typically mimic legitimate features to evade antispam technology. If a message contains suspected spam factors, it has a higher probability of being given a suspected spam verdict.
The following is a set of email best practices to further reduce the chances of your messages being marked as suspect. Please note that these best practices only minimize the impact; they do not guarantee that messages will be excluded from this feature.
Q: Why am I seeing an increase in suspected spam verdicts?
A: As spammers change their tactics, antispam filters must be adjusted to compensate. As a result, not only has message content been changing to evade filters, but origins have changed as well. With the rise of botnets, more email messages originate from compromised systems that send a mix of legitimate and illegitimate messages. Antispam filters therefore target headers more frequently in combination with the content. These specific filters may not be enough to block the message but are sufficient, in some cases, to trigger a suspect verdict.
This is but one example of a change in filter adjustments that can cause a potential increase in suspect verdicts. As spammers leverage more evasive tactics, antispam filters must compensate, and as a result you may find that the number of messages with a suspect verdict increases or decreases frequently.