This document provides an overview of antispam effectiveness issues, policies, and procedures related to Symantec Messaging Gateway (SMG) and other Symantec mail security products. It explains:
Symantec strives to improve its spam effectiveness over time, but even Symantec’s industry-leading antispam technology will miss some spam messages. The procedures outlined in this document explain what you should expect from Symantec technology, and what to do if your expectations are not being met.
Spam represents as much as 75% of all email sent across the Internet. The variance of this number is representative of different regions that are impacted more or less by spam senders, as well as the ever-increasing deployment of IP-based solutions to deal with spam before it is allowed to reach an MTA.
Symantec has been benchmarked at greater than 99% anti-spam effectiveness for all spam. Anti-spam effectiveness is defined as the percentage of spam that an anti-spam solution identifies as spam. This is separate from the ‘catch rate’, which is the percentage of all mail messages that have been identified as spam.
To illustrate this, consider a typical mail stream of 100 messages.
It is critical that you do not confuse effectiveness and catch rate when considering the performance of Symantec Messaging Gateway solutions.
Symantec uses multiple methods to measure its anti-spam effectiveness:
End-user experience is typically what customers refer to when discussing spam filter effectiveness. No single inbox or small group of inboxes can by themselves be an accurate gauge for measuring overall spam filtering effectiveness. One end-user may find their experience to be poor, while another finds spam filtering to be very effective. Symantec, and other antispam vendors, cannot guarantee the same effectiveness for every end-user's experience, since different users receive different types and volumes of spam.
End-users also have different opinions as to what constitutes spam. The definition of spam is very subjective to most end-users. Many end-users define spam as simply unwanted email (including legitimate advertisements that they no longer wish to receive). Symantec defines spam as unsolicited bulk email (including unsolicited commercial email).
Many end-users, customers, and analysts are actually referring to spam in a broader sense as all unwanted communication.
Symantec does not include the following in its definition of spam:
30-45% of all missed spam reported by Symantec customer end-users is not spam according to Symantec’s definition.
Symantec’s antispam technology is focused on stopping true spam messages. Symantec also provides administrator and end-user tools to enable them to block unwanted messages. These tools include web-based personal Allowed and Blocked Senders Lists as well as New Disposition verdicts available in the Symantec Messaging Gateway.
If Symantec maintains the same effectiveness ratio (of spam caught vs. spam missed) but the total volume of spam increases, the end-user will experience a perceived drop in effectiveness. For example, one missed spam message out of ten total spam messages equates to 90% effectiveness. If the total volume of spam received increases from 10 spam messages to 100 spam messages, the effectiveness remains 90%. However, the end-user perceives that the product is less effective, as there are now ten missed spam messages, compared to the one missed spam message previously. Therefore, the volume of mail received by end-users is critical in understanding their perceived spam filtering effectiveness rate.
If spam effectiveness seems to have dropped, there are troubleshooting steps you can perform and information you can gather that can help determine where the issue may be. Please review your specific product documentation for details on how to investigate the following troubleshooting steps.
Use the following basic troubleshooting steps:
Symantec mail security products have the ability to react to most new attacks via new filters that use existing technologies. However, over time, Symantec introduces new anti-spam technologies into its products to deliver new capability. It is critical that customers evaluate new versions of Symantec mail security products, since some new spam attacks can only be caught with them. If you are experiencing lower spam effectiveness, you should consider upgrading to the latest version of your Symantec technology. Customers should plan to deploy the latest release to ensure the highest levels of antispam effectiveness.
You can obtain custom spam rules specifically for your organization based on the missed spam messages and false positive messages that administrators and end users submit.
See Setting up customer-specific spam submissions.
See About submitting messages for customer-specific spam rules.
If you have followed the troubleshooting and information gathering steps outlined above and determined that the increase in missed spam is not related to configuration or version issues, then you should consider making a missed spam submission. Missed spam submissions are used by Symantec for the following:
Submissions must be received within one day from the time they were initially sent. Since spammers rarely reuse old spam, Symantec does not accept submissions older than 24 hours. Submissions are processed using sophisticated algorithms. This process groups the message with other messages received from customers or through the extensive Global Intelligence Network. When a group reaches a threshold, it becomes an attack. At this point, the automation systems or an Email Security Analyst creates a rule to respond to the attack. Adding the rule to the rule set completes the process. Your computer becomes protected when your rule set is updated.
However, due to the volume of submissions received (approximately several million messages per day), Symantec cannot guarantee that filters will be written for particular submissions. Because many submissions contain a forged sender address, Symantec cannot provide feedback for submissions.
The customer creates an alias for the appropriate Symantec missed spam address:
Note: Only missed spam messages are sent to this address. If your deployment is over 50,000 users, then unique submission addresses for missed spam and false positives can be created. The missed spam must be sent as RFC-822 MIME encoded attachments in order for Symantec Security Response to process the mail. See Manually submit missed messages to Symantec Security Response Center.
Many spam messages look the same from the initial appearance, but contain many hidden characteristics to make the messages unique.
A few sample characteristics include:
If end users encounter multiple missed messages that seem to be related, they should report them to Symantec, following the procedures outlined above.
There is no Service Level Agreement for missed spam and/or effectiveness issues. Escalations are not handled during weekends or non-business hours outside of U.S. Pacific Time.
Note: Customers of Symantec OEMs, third-party vendors, or appliance partners that are not direct Symantec Messaging Gateway customers need to go through their vendor, who can contact the appropriate support agent to assist in this process. Those customers should not contact Symantec Support directly.
Symantec’s Global Intelligence Network (GIN)™ is a vast collection of email accounts. The patented GIN is built on a base of over 2 million accounts donated by service provider and enterprise customers, as well as accounts owned by Symantec. It is one of the key reasons why Symantec Messaging Gateway is the leading solution for accurately stopping spam.
The GIN is crucial to Symantec and its antispam customers for a variety of reasons:
Symantec Messaging Gateway strives to maintain a false positive rate of less than one false positive in one million messages scanned. Symantec utilizes several methodologies to determine our false positive ratio with a conservative estimate to account for data that is not reported.
The caveat with field data is that not all end-users report false positives. The other issue is that some customers elect to delete detected spam and therefore do not have the ability to report false positives. With this in mind, we can compare an aggregate false positive ratio (used to establish a baseline) to a false positive ratio of only those domains that reported false positives. We compare the total number of reported legitimate false positives to the total number of messages scanned. These numbers usually average to approximately 1 false positive for every 20-35 million messages scanned.
The mail administrator creates an alias for the address:
Note: Only false positive messages are sent to these addresses. If the customer has more than 50,000 users, a unique submission address for missed spam and false positives can be created. End users send FULL HEADERS and BODY in the message as an RFC-822 MIME encoded attachment in order for Symantec to investigate and process the message. A copy of the message may also be forwarded to the customer’s Support Desk. Symantec investigates and adjusts filters, as necessary.
A: Symantec does not consider this a true false positive. All three rulesets are optional features that customers opt in to at their own discretion. If you encounter such a “false positive”, you can do any of the following:
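The submission format required by both notes above (missed spam and false positives: the complete message, headers and body, as an RFC-822 MIME attachment, sent within 24 hours) can be produced as shown below. This is an added example, not Symantec code; the alias address, the sample message, the function names, and the use of the top `Received` timestamp as the time the message was sent are assumptions.

```python
from datetime import datetime, timedelta, timezone
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parsedate_to_datetime

MAX_AGE = timedelta(hours=24)  # page: submissions older than 24 hours are not accepted
SUBMIT_TO = "submission-alias@example.com"  # placeholder for the alias your admin created

# Constructed sample message, as raw bytes exported from a mailbox.
RAW_SAMPLE = (
    b"Received: from a.example by mx.example; Mon, 03 Jun 2024 09:00:05 +0000\r\n"
    b"From: Offers <promo@a.example>\r\n"
    b"To: user@example.com\r\n"
    b"Date: Mon, 03 Jun 2024 09:00:00 +0000\r\n"
    b"Subject: Limited time offer\r\n"
    b"\r\n"
    b"Click here today.\r\n"
)

def first_seen(original) -> datetime:
    """Timestamp of the top Received header (added by the last receiving MTA),
    falling back to the sender-controlled Date header. Assumed proxy for 'sent'."""
    try:
        received = original.get_all("Received") or []
        stamp = received[0].rpartition(";")[2] if received else original.get("Date", "")
        when = parsedate_to_datetime(str(stamp).strip())
    except (TypeError, ValueError):
        raise ValueError("no parsable Received or Date timestamp") from None
    return when if when.tzinfo else when.replace(tzinfo=timezone.utc)

def build_submission(raw: bytes, reporter: str, submit_to: str, now: datetime) -> EmailMessage:
    """Wrap the untouched original in a message/rfc822 attachment."""
    original = message_from_bytes(raw, policy=policy.default)
    age = now - first_seen(original)
    if age > MAX_AGE:
        raise ValueError(f"message is {age} old; the 24-hour submission window has passed")
    wrapper = EmailMessage()
    wrapper["From"] = reporter
    wrapper["To"] = submit_to
    wrapper["Subject"] = "Spam filter submission"
    wrapper.set_content("Original message attached with full headers and body.")
    # Passing a Message object makes the part message/rfc822, so the original
    # headers travel inside the attachment instead of being rewritten by a forward.
    wrapper.add_attachment(original, filename="submission.eml")
    return wrapper
```

Forwarding a message inline replaces its headers with the forwarder's, which is why the original must travel as an attachment.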
Symantec targets the largest phishing email threats with gateway email detection. The primary differences between phishing and spam are the ability of phishing attacks to be a) very small and b) difficult to distinguish from legitimate direct e-mail communications. Phishing attacks deployed using spamming techniques are readily detected and stopped, but attacks that are targeted and presumed legitimate are difficult to discern from actual communications from banks or credit card issuers. Symantec endeavors to be as effective against these threats as we are with spam by utilizing our premium antispam technology to capture them.