Suspected Spam Feature in Messaging Gateway and other Messaging Security products

Article ID: 177462

Products

Messaging Gateway

Issue/Introduction

This document explains the suspected spam feature and how customers can use it to control how aggressively messages are filtered for spam. Topics covered are: the definition of suspected spam, a brief summary of what causes a message to receive a suspected spam verdict, the options available when configuring the feature, and frequently asked questions.

Resolution

What is Suspected Spam?
Suspected spam messages are messages that carry suspicious attributes, but not enough of them to justify a full spam verdict. Because spammers deliberately mimic the features of legitimate mail in order to bypass antispam filters, a large share of legitimate messages also look somewhat "suspect" to the filters. By enabling the suspected spam feature, administrators can assign an action to messages that do not trigger enough rules for a full spam verdict but trigger enough to be considered suspicious.

When evaluating a message, the filters assign it a numerical score between 1 and 100. In the Messaging Gateway Control Center, a score of 90 to 100 is a full spam verdict. The suspected spam setting chooses the lower bound of the score range immediately below that; the table below shows the aggressiveness level corresponding to each score range:

Suspected spam score range   Aggressiveness
25-89                        High
72-89                        Medium
89                           Low


For example, setting the score range to the high aggressiveness level (25 to 89) would cause a large number of messages that may be legitimate to receive a suspected spam verdict. The average legitimate message accumulates a rule weight of anywhere between 10 and 50, and depending on its content and origin the weight can be higher still without reaching a full spam verdict. Take this into account when adjusting the threshold. Every customer's environment is different, so the setting should be tuned as needed to keep the number of suspect verdicts acceptable.

Why enable the Suspected Spam Feature?
Suspected spam is designed to give some control back to customers. Adjusting this threshold is a risk/reward trade-off. The table below lists the pros and cons of using the feature; keep them in mind when adjusting the threshold.

Pros:
  • Configured by the customer and can be turned on or off at any time.
  • Different actions can be assigned to messages identified as suspect by using policies.

Cons:
  • If the feature is disabled, messages that would have been flagged as suspect spam go unidentified.
  • Some legitimate messages may be given a suspected spam verdict.


General items to consider when using the suspected spam feature on Symantec Messaging Gateway:

  1. Customers should start with the default setting and adjust only if necessary.
  2. If too many messages receive suspected spam verdicts, adjust the threshold by a few points at a time and monitor until the number of "suspect" false positives is at an acceptable level. Review the setting regularly, because the rules are constantly being adjusted to combat the latest spam threats.
  3. The general recommendation for this feature is to mark up the subject line and deliver the message, so that the recipient knows the message they are receiving is suspicious.
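The scoring model and the tuning loop described above, as an added example written for this article. It is not Messaging Gateway code and does not reproduce the product's rules or weights: the 1-100 score, the spam verdict at 90 and the three aggressiveness bands are taken from the text, while the messages and their scores are a constructed sample, the allowed-senders bypass and the subject-line tag format are assumptions made for illustration, and `most_aggressive_threshold` compresses the "lower by a few points and monitor" procedure into one pass over that sample.

```python
"""Illustrative model of the suspected spam threshold (not product code)."""
from dataclasses import dataclass

SPAM_THRESHOLD = 90          # article: a score of 90-100 is a full spam verdict
MAX_SUSPECT_THRESHOLD = 89   # highest lower bound the suspect range can have

# Lower bound of the suspected spam range for each aggressiveness level (article table)
AGGRESSIVENESS = {"high": 25, "medium": 72, "low": 89}


@dataclass(frozen=True)
class Message:
    sender: str
    subject: str
    score: int        # rule weight 1-100 assigned by the filters
    legitimate: bool  # ground truth, known only because the sample is constructed


def verdict(msg, suspect_threshold, allowed_senders=frozenset()):
    """Return 'allowed', 'spam', 'suspected_spam' or 'clean' for one message.

    allowed_senders is an assumed simplification of the Allowed Senders Lists:
    a matching address or domain bypasses both the spam and suspect verdicts.
    """
    if not 1 <= suspect_threshold <= MAX_SUSPECT_THRESHOLD:
        raise ValueError("suspect threshold must be between 1 and 89")
    domain = msg.sender.split("@", 1)[-1].lower()
    if msg.sender.lower() in allowed_senders or domain in allowed_senders:
        return "allowed"
    if msg.score >= SPAM_THRESHOLD:
        return "spam"
    if msg.score >= suspect_threshold:
        return "suspected_spam"
    return "clean"


def apply_action(msg, v, tag="[SUSPECTED SPAM]"):
    """Subject-line markup and deliver: tag suspect mail rather than dropping it."""
    return f"{tag} {msg.subject}" if v == "suspected_spam" else msg.subject


def suspect_false_positives(messages, suspect_threshold, allowed_senders=frozenset()):
    """Count legitimate messages that would receive a suspected spam verdict."""
    return sum(
        1 for m in messages
        if m.legitimate and verdict(m, suspect_threshold, allowed_senders) == "suspected_spam"
    )


def most_aggressive_threshold(messages, max_suspect_fps, allowed_senders=frozenset()):
    """Walk from the least aggressive setting (89) down one point at a time and
    stop just before the suspect false positives exceed the tolerated count.
    Returns None if even the least aggressive setting exceeds it."""
    for t in range(MAX_SUSPECT_THRESHOLD, AGGRESSIVENESS["high"] - 1, -1):
        if suspect_false_positives(messages, t, allowed_senders) > max_suspect_fps:
            return None if t == MAX_SUSPECT_THRESHOLD else t + 1
    return AGGRESSIVENESS["high"]


# Constructed sample: legitimate mail in the article's typical 10-50 weight range,
# one HTML newsletter that scores higher, and two spam messages.
SAMPLE = [
    Message("alice@example.com", "Q3 budget", 12, True),
    Message("bob@example.com", "", 48, True),                    # blank subject adds weight
    Message("news@example.org", "<html>Big savings!</html>", 80, True),
    Message("cfo@partner.example", "Invoice attached", 35, True),
    Message("x9@botnet.example", "CHEAP MEDS", 95, False),
    Message("promo@spam.example", "You won!!!", 88, False),
]


if __name__ == "__main__":
    for level, t in AGGRESSIVENESS.items():
        print(f"{level:6} (threshold {t}): "
              f"{suspect_false_positives(SAMPLE, t)} legitimate messages tagged as suspect")
    for m in SAMPLE:
        v = verdict(m, AGGRESSIVENESS["medium"])
        print(f"  {m.sender:22} score={m.score:3} -> {v:14} subject={apply_action(m, v)!r}")
    print("most aggressive threshold with 0 suspect FPs:",
          most_aggressive_threshold(SAMPLE, 0))
    print("... after allowing example.org:",
          most_aggressive_threshold(SAMPLE, 0, frozenset({"example.org"})))
```

Running the sample shows the trade-off the article describes: at the high setting three of the four legitimate messages are tagged, at the medium setting only the HTML newsletter is, and at the low setting none are, but the message scoring 88 is then delivered untagged. Adding the newsletter's domain to the allowed list lets the threshold drop from 81 to 49 with no suspect false positives, which is why the FAQ below recommends allowed lists rather than rule changes.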


Frequently Asked Questions

Q: What can be done if a "suspected spam" false positive occurs?
A: Symantec does not consider this a true false positive. Because the threshold is chosen by the customer, these messages cannot be treated as false positives, and changing the rules to accommodate them would have an adverse impact on overall effectiveness. Therefore, messages submitted to Security Response that do not have a full spam verdict are automatically discarded without manual review. If you encounter a "suspect" false positive, you can do any of the following:

  • Add senders to allowed lists:
    To ensure that messages from specific email addresses, domains, and connections are not treated as spam or suspected spam, add them to your Allowed Senders Lists so that they bypass the filters.
  • Monitor the setting:
    Monitoring this setting gives you visibility into how many messages receive this verdict. Adjusting the threshold by 1 to 5 points per week lets you find your comfort level with the number of "suspect" false positives. Keep monitoring continuously, since the rules are adjusted to account for new and emerging spam tactics.
  • Modify the subject line and deliver:
    This minimizes the loss of legitimate messages tagged as suspected spam, because they still reach the recipient.
  • Ensure that you are running the latest version of the product:
    This can be a more effective way to increase effectiveness than adjusting the threshold.


Q: Why do legitimate messages get a verdict of suspected spam?
A: Any message can trigger some rules, because spammers typically mimic the features of legitimate mail to evade antispam technology. The more suspected spam factors a message contains, the higher the probability that it receives a suspected spam verdict.

The following email best practices further reduce the chance of your message being marked as suspect. Note that these practices only minimize the impact; they do not guarantee that a message will be excluded from this feature.

  • Do not send messages from a compromised machine. Keep your antivirus software up to date with the latest definitions to mitigate this.
  • Compose messages carefully:
    • Avoid sending a message with a blank subject or body
    • Use appropriate words in the subject line and body
    • Send messages in plain text rather than HTML


Q: Why am I seeing an increase in suspected spam verdicts?
A: As spammers change their tactics, antispam filters must be adjusted to compensate. Not only message content has been changing to evade filters, but also message origins. With the rise of botnets, more email originates from compromised systems that send a mix of legitimate and illegitimate messages. As a result, antispam filters increasingly target headers in combination with content. These header-based filters may not be enough on their own to block a message, but in some cases they are sufficient to trigger a suspect verdict.

This is only one example of a filter adjustment that can increase suspect verdicts. As spammers adopt more evasive tactics, antispam filters must compensate, so the number of messages receiving a suspect verdict may increase or decrease frequently.