Submitting a spam false positive for investigation when unable to use the Anti-Spam submission portal

Article ID: 174218

Products

Email Security.cloud

Issue/Introduction

Submitting a spam false positive for investigation when unable to use the Anti-Spam submission portal.

553 - Message Filtered

Track and Trace shows an email Action as Quarantined, Blocked, Redirected, or Subject Tagged, with the Service listed as "Anti-spam".

Solution

A false positive spam email is a legitimate email incorrectly given a verdict of spam. This email can be submitted to Symantec for analysis and filter review.
 
Indicators of a False Positive Spam Email

Sender of the email received a bounce back stating "553-Message filtered".

Track and Trace search result in the Symantec.cloud Portal displays "Anti-Spam" under the "Service" column and "Brightmail" or "spam detected heuristically" under the "Reason" column.

 

Resolution

Format for sample submission if unable to use the submission portal:

  •     As a "message/rfc822" email attachment
  •     Emailed to [email protected]
  •     Only one email attachment per submission is preferred. However, multiple sample emails may be attached to one submission email provided the overall size does not exceed the hard limit of 2MB per submission, including attachments and email headers.
  •     Do not provide a ".zip" file; provide only an ".eml" or ".msg" file
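
The format requirements above can be checked before sending. The following is an added example, not Symantec tooling: it wraps `.eml` samples as `message/rfc822` attachments and measures the whole submission against the 2MB limit. It assumes binary megabytes, handles `.eml` only (not `.msg`), and uses placeholder addresses and a constructed sample message.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

MAX_SUBMISSION_BYTES = 2 * 1024 * 1024  # article's 2MB hard limit (binary MB is an assumption)

# Constructed sample of a legitimate message that was filtered (not real data).
SAMPLE_EML = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.org\r\n"
    b"Subject: Invoice 1001\r\n"
    b"Date: Mon, 01 Jan 2024 09:00:00 +0000\r\n"
    b"\r\n"
    b"Please find the invoice details below.\r\n"
)

def build_submission(samples, sender, recipient):
    """Wrap each (filename, raw_bytes) .eml sample as a message/rfc822 part."""
    outer = EmailMessage()
    outer["From"] = sender
    outer["To"] = recipient
    outer["Subject"] = "False positive spam sample"
    outer.set_content("False positive sample(s) attached.")
    for name, raw in samples:
        if not name.lower().endswith(".eml"):
            raise ValueError(f"{name}: this sketch only wraps .eml files (never .zip)")
        inner = message_from_bytes(raw, policy=policy.default)
        # Attaching a message object yields Content-Type: message/rfc822,
        # so the original message travels nested, with its own headers.
        outer.add_attachment(inner, filename=name)
    return outer

def submission_size(msg):
    """Size on the wire (CRLF line endings), headers and attachments included."""
    return len(msg.as_bytes(policy=policy.SMTP))

def check_size(msg):
    """Return the size, or raise if the submission exceeds the 2MB limit."""
    size = submission_size(msg)
    if size > MAX_SUBMISSION_BYTES:
        raise ValueError(f"{size} bytes exceeds the 2MB limit; use the large-sample process")
    return size

if __name__ == "__main__":
    # Both addresses are placeholders; use the submission address from the article.
    m = build_submission([("sample.eml", SAMPLE_EML)],
                         "admin@example.com", "submission-address@example.invalid")
    print(check_size(m), "bytes")
```
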

Mail client instructions can be found in the article: Mail client instructions for submitting valid email attachments
If the problem persists 24 hours after a submission, or you need feedback regarding it, contact support with the following information:

Details of the original email

  •     Original sender and recipient addresses
  •     Date/Time Sent
  •     Subject of the email

Details of the false positive spam sample submission

  •     "Sending" email address of submission
  •     Date/Time Sent
  •     Subject of the email

Alternative submission process for large samples

    If the total size of email submission exceeds 2 MB, email or upload the sample in a password-protected zip file to the applicable support case.
    Include the password to the zip file in a case note or separate email.

Frequently Asked Questions

  • What happens to false positive submissions?
    • Only the samples that meet the listed requirements are accepted for analysis. Samples that have a spam verdict are processed within 24 hours. Each false positive submission is examined individually to assess what caused the sample to be detected as spam and what corrective action is to be taken, if needed. Note that Symantec does not guarantee that each submission results in an alteration of our filters.
  •     Will I get feedback on false positive submissions?
    • Symantec does not acknowledge the samples that are submitted to the previously listed address or provide the results of the investigation automatically. Please ensure that you follow the procedure that is outlined previously to submit in a correct format. If after 24 hours it fails to resolve the matter, or if you require feedback regarding your submission, please contact Symantec support with details outlined in this article.
  •     How can I verify if the email still triggers a spam verdict?
    • The original sender of the email should attempt to resend the email. While we strive to action submissions as quickly as possible, it may take up to 24 hours before detection is amended. After 24 hours from submission to the feedback address, if the email is still categorized as spam when resent or checked in the Spam Analysis Tool, then it is likely that amendment to the detection is not possible in this case.
  •     Who needs to submit the sample?
    • Who submits depends on the action being applied to the false positive email based on your settings in the client portal.
      • Action: Append a header but allow the email through OR Tag the subject line but allow the email through
        • The recipient submits the sample.
      • Action: Quarantine the email
        • The recipient submits the sample.
      • Action: Append a header and redirect the email to a bulk mail address
        • The administrator of the bulk mail address submits the sample.
      • Action: Block and Delete
        • The original sender submits the sample.
          • The administrator can try adding the sender to the "Approved Senders" list in the client portal and have them resend the message. This addition may allow the recipient to receive and submit the sample. If the email is still blocked, the original sender needs to submit the sample.

Disclaimer
Note that any false positive or missed spam messages that you submit to Symantec Corporation may contain personally identifiable information such as email addresses and information in email message body and/or enclosures. Symantec uses this information globally only for creating spam detection rules. We encourage the submission of false positives or missed spam because it makes our product more effective and enables us to serve you better. Access to this information is not shared with any third party and it is restricted to Symantec personnel involved in spam rule creation. For any question regarding your personal information, you may read our Privacy Policy or contact us at [email protected]

Terms of use for this information are found in Legal Notices.