False positive / negative report addresses

pvdberg00 Mon, 02/01/2010 - 07:25

As far as I know (and the knowledge base) these addresses are still right


IIAGDTRnSC Mon, 02/01/2010 - 07:34

Thanks Peter, I will continue to send them, just hope they are still being used.

jarends Wed, 02/03/2010 - 05:53

Agreed! These email addresses are right and still usable.


steven.p.russel... Wed, 03/10/2010 - 08:30

How do you all handle the forwarding of these spam or ham messages to IronPort in RFC-822 format?

End users are typically not "smart" enough to do this on their own.  How do you all automate this on behalf of the end user?

steven.p.russel... Wed, 03/10/2010 - 12:23

Do you have your mail client already configured to forward mail as an RFC-822 formatted message?  Because if not, simply forwarding the message with default settings to that spam reporting address does no good.

pvdberg00 Fri, 03/12/2010 - 01:30

Have a look in the knowledge base about this (Answer ID 472, Answer ID 471)


pvdberg00 Fri, 03/12/2010 - 09:40

Copied from the support document:

Customers using IronPort Anti-Spam or Symantec Brightmail Anti-Spam will want to submit both 'missed spam' (False Negatives) and messages which are incorrectly classified as SPAM (False Positives). In either case, the submission must be attached to an email as an RFC-822 MIME encoded attachment. This ensures that the submission can be processed quickly and efficiently. The actual steps to follow are different for each mail program (Mail User Agent).

Report undetected spam to: [email protected]
Report false-positives to: [email protected]


rokeeffe265 Wed, 03/24/2010 - 03:30

Cheers guys,

We're getting quite a few false negatives (missed spam) through these past couple of weeks. I've followed the instructions outlined in the knowledge base.

Out of curiosity, how long does it take on average before the forwarded spam gets picked up on and is secured against?


Sorry to say it appears to be an unknown.  I have yet to see any cogent official reply here.  I've forwarded several false positives to the ham address weeks ago and the same mailing list messages are still being flagged as marketing.  I'd guess the chances of action will be similar for your false negative situation.  Cisco picked up Ironport within a year or so of our implementation of the product.  The "support" forum was never stellar to begin with (they want you to call for every little issue) such that it was useful primarily in a social way, or for people who won't read the docs. The Cisco acquisition clearly has not helped in any way that I can see. Now we have a forum that's an order of magnitude slower and more annoying to use and you can see the deafening silence above.  I highly recommend you open a ticket if you need action.

We purchased Ironport instead of CanIT Pro because "we'll get better support from a larger company."  While the performance of the product has been pretty good, that statement hasn't worked out to be true and (also given the lack of flexibility of the product compared to a more open solution) you can probably guess what my recommendation will be when our C100 kicks the bucket.

Maybe all this shouldn't be a surprise: http://etherealmind.com/yes-no-question-cisco-licensing/

I finally had to open a ticket on this one.  After a month we figured out that S/MIME signed (but non-encrypted) messages broke their submission system.  After another month the documentation was updated slightly (and I had a firm "maybe" that they will work on fixing the submission system). Since the docs *still* aren't entirely clear (and I was tired of dealing with the unsupport department and gave up) I offer some simple bottom line guidance to follow which should increase your chances of a successful submission.

Try using the MS Outlook plugin.  When you submit WITHOUT using the MS Outlook plugin (for example because it is not supported when the MS Exchange 2003 management tools are installed on the workstation) make sure the following are true:

  1. the mis-categorized mail is an RFC/822 attachment
  2. the mis-categorized mail retains these headers in addition to the RFC required headers (this may be a problem if you have Exchange 2007 SP2+, Exchange 2010 or Outlook 2010 against any Exchange version)
    1. X-IronPort-Anti-Spam-Filtered:
    2. X-IronPort-Anti-Spam-Result:
  3. There is only one mis-categorized mail attached to each submission
  4. There are NO other attachments of any kind
  5. The submission email must not be encrypted
  6. See #4

Obviously, there is no indication when the submissions are hitting the bit-bucket, so it would be wise to follow the list above.  Good luck!
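The checklist in the post above, together with the earlier question about automating RFC-822 submissions for end users, as an added Python example (not part of the thread and not IronPort or Cisco code): it wraps one message as a `message/rfc822` attachment and checks a submission against the list before it is sent. The address `reports@example.invalid`, the sample message and its header values are constructed placeholders, and the `multipart/signed` check assumes the S/MIME problem concerned the outer submission.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Headers the post says the attached mail must retain.
REQUIRED = ("X-IronPort-Anti-Spam-Filtered", "X-IronPort-Anti-Spam-Result")
# Outer content types that mean the submission itself is encrypted.
ENCRYPTED = {"multipart/encrypted", "application/pkcs7-mime", "application/x-pkcs7-mime"}

def build_submission(raw: bytes, sender: str, report_to: str) -> bytes:
    """Wrap one original message, headers untouched, as a message/rfc822 attachment."""
    original = message_from_bytes(raw, policy=policy.default)
    sub = EmailMessage()
    sub["From"], sub["To"], sub["Subject"] = sender, report_to, "Misclassified message"
    sub.set_content("One misclassified message is attached.")
    sub.add_attachment(original)  # Message objects are attached as message/rfc822
    return sub.as_bytes()

def check_submission(raw_submission: bytes) -> list[str]:
    """Return the checklist items a submission violates (empty list means it passes)."""
    sub = message_from_bytes(raw_submission, policy=policy.default)
    problems = []
    ctype = sub.get_content_type()
    if ctype in ENCRYPTED:
        problems.append("submission is encrypted")
    # Assumption: the S/MIME-signed breakage in the post refers to the outer mail.
    if ctype == "multipart/signed":
        problems.append("submission is signed (multipart/signed)")
    attached = list(sub.iter_attachments())
    mails = [p for p in attached if p.get_content_type() == "message/rfc822"]
    if len(mails) != 1:
        problems.append(f"expected exactly 1 message/rfc822 attachment, found {len(mails)}")
    if len(attached) > len(mails):
        problems.append("other attachments present")
    for part in mails:
        inner = part.get_payload(0)  # the embedded original message
        for name in REQUIRED:
            if inner[name] is None:
                problems.append(f"attached mail lacks {name}")
    return problems

# Constructed sample message; header values are placeholders, not appliance output.
SAMPLE = (b"From: list@example.org\r\nTo: user@example.com\r\nSubject: Weekly digest\r\n"
          b"X-IronPort-Anti-Spam-Filtered: true\r\n"
          b"X-IronPort-Anti-Spam-Result: placeholder\r\n\r\nBody text.\r\n")

if __name__ == "__main__":
    print(check_submission(build_submission(SAMPLE, "admin@example.com", "reports@example.invalid")))
```

Running the check on mail exported from the client shows whether the mail path stripped the `X-IronPort-*` headers before a submission silently goes nowhere.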

