False positive / negative report addresses

IIAGDTRnSC
Level 1

Do we still send reports to these addresses or does Cisco use new ones? Been getting a lot of missed spam lately and despite reports for very similar spam emails they still are not being blocked.

False positives should go to ham@access.ironport.com

False negatives (missed spam) should be sent to spam@access.ironport.com


pvdberg00
Level 1

As far as I know (and the knowledge base) these addresses are still right

Peter

Thanks Peter, I will continue to send them, just hope they are still being used.

Agreed! These email addresses are right and still usable.

Jeroen

How do you all handle the forwarding of these spam or ham messages to IronPort in RFC-822 format?

End users are typically not "smart" enough to do this on their own.  How do you all automate this on behalf of the end user?

I do it myself, just click on the message and then forward it to spam@access.ironport.com

I always try to prevent/insulate the users from making ANY decisions when it comes to security.

Do you have your mail client already configured to forward mail as an RFC-822 formatted message?  Because if not, simply forwarding the message with default settings to that spam reporting address does no good.

Have a look in the knowledge base about this (Answer ID 472, Answer ID 471)

Peter

Wondering if this is also the correct route to go for submitting mis-categorized Marketing emails?

There's a mailing list I'm on where every message gets flagged as Marketing.  I reported yesterday to the ham address but they're still being flagged.

Copied from the support document:

Customers using IronPort Anti-Spam or Symantec Brightmail Anti-Spam will want to submit both 'missed spam' (False Negatives) and messages which are incorrectly classified as SPAM (False Positives). In either case, the submission must be attached to an email as an RFC-822 MIME encoded attachment. This ensures that the submission can be processed quickly and efficiently. The actual steps to follow are different for each mail program (Mail User Agent).

Report undetected spam to: spam@access.ironport.com
Report false-positives to: ham@access.ironport.com

Peter

Yup, that's what I did

I have not been sending them as an attachment. All messages go through a mail filter where I believe they are in this format and I have been forwarding the message intact to spam@access.ironport.com. So likely I have been wasting my time.

rokeeffe265
Level 1

Cheers guys,

We're getting quite a few false negatives (missed spam) through these past couple of weeks. I've followed the instructions outlined in the knowledge base.

Out of curiosity, how long does it take on average before the forwarded spam gets picked up on and is secured against?

R.

Sorry to say it appears to be an unknown.  I have yet to see any cogent official reply here.  I've forwarded several false positives to the ham address weeks ago and the same mailing list messages are still being flagged as marketing.  I'd guess the chances of action will be similar for your false negative situation.  Cisco picked up Ironport within a year or so of our implementation of the product.  The "support" forum was never stellar to begin with (they want you to call for every little issue) such that it was useful primarily in a social way, or for people who won't read the docs. The Cisco acquisition clearly has not helped in any way that I can see. Now we have a forum that's an order of magnitude slower and more annoying to use and you can see the deafening silence above.  I highly recommend you open a ticket if you need action.

We purchased Ironport instead of CanIT Pro because "we'll get better support from a larger company."  While the performance of the product has been pretty good, that statement hasn't worked out to be true and (also given the lack of flexibility of the product compared to a more open solution) you can probably guess what my recommendation will be when our C100 kicks the bucket.

Maybe all this shouldn't be a surprise: http://etherealmind.com/yes-no-question-cisco-licensing/

jasongurtz
Level 1

I finally had to open a ticket on this one.  After a month we figured out that S/MIME signed (but non-encrypted) messages broke their submission system.  After another month the documentation was updated slightly (and I had a firm "maybe" that they will work on fixing the submission system). Since the docs *still* aren't entirely clear (and I was tired of dealing with the unsupport department and gave up) I offer some simple bottom line guidance to follow which should increase your chances of a successful submission.

Try using the MS Outlook plugin.  When you submit WITHOUT using the MS Outlook plugin (for example because it is not supported when the MS Exchange 2003 management tools are installed on the workstation) make sure the following are true:

  1. the mis-categorized mail is an RFC/822 attachment
  2. the mis-categorized mail retains these headers in addition to the RFC required headers (this may be a problem if you have Exchange 2007 SP2+, Exchange 2010 or Outlook 2010 against any Exchange version)
    1. X-IronPort-Anti-Spam-Filtered:
    2. X-IronPort-Anti-Spam-Result:
  3. There is only one mis-categorized mail attached to each submission
  4. There are NO other attachments of any kind
  5. The submission email must not be encrypted
  6. See #4

Obviously, there is no indication when the submissions are hitting the bit-bucket, so it would be wise to follow the list above.  Good luck!
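For the automation question raised earlier in the thread and the checklist in the post above, the following is an added example, not part of any post and not Cisco code: it wraps one message as the sole RFC-822 attachment and checks a submission against the checklist items. The function names, the reporter address, the subject line and the sample message are assumptions made for illustration; the report addresses and header names are the ones quoted in the thread.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Report addresses and header names exactly as quoted in the thread.
REPORT_TO = {"spam": "spam@access.ironport.com",  # false negatives
             "ham": "ham@access.ironport.com"}    # false positives
REQUIRED = ("X-IronPort-Anti-Spam-Filtered", "X-IronPort-Anti-Spam-Result")

def build_submission(raw: bytes, kind: str, reporter: str) -> EmailMessage:
    """Wrap one message as the only message/rfc822 attachment."""
    original = message_from_bytes(raw, policy=policy.default)
    missing = [h for h in REQUIRED if original[h] is None]
    if missing:  # the mail system stripped the verdict headers
        raise ValueError("original lacks: " + ", ".join(missing))
    outer = EmailMessage()
    outer["From"] = reporter
    outer["To"] = REPORT_TO[kind]
    outer["Subject"] = "Misclassified message report"  # constructed subject
    outer.set_content("One misclassified message is attached.")
    outer.add_attachment(original)  # a Message object becomes message/rfc822
    return outer

def check_submission(msg: EmailMessage) -> list:
    """Return the checklist items a submission violates (empty list = OK)."""
    problems = []
    if msg.get_content_type() in ("multipart/encrypted", "application/pkcs7-mime"):
        problems.append("submission is encrypted or S/MIME-wrapped")
    attached = list(msg.iter_attachments())
    wrapped = [p for p in attached if p.get_content_type() == "message/rfc822"]
    if len(wrapped) != 1:
        problems.append("need exactly one message/rfc822 attachment")
    if len(attached) > len(wrapped):
        problems.append("other attachments present")
    for part in wrapped:
        inner = part.get_payload(0)
        problems += ["missing " + h for h in REQUIRED if inner[h] is None]
    return problems

# Constructed sample message; the header values are placeholders.
SAMPLE = (b"From: sender@example.net\r\nTo: user@example.com\r\n"
          b"Subject: constructed sample\r\n"
          b"X-IronPort-Anti-Spam-Filtered: true\r\n"
          b"X-IronPort-Anti-Spam-Result: placeholder-value\r\n"
          b"\r\nBody of the missed spam.\r\n")

if __name__ == "__main__":
    report = build_submission(SAMPLE, "spam", "postmaster@example.com")
    print(check_submission(report) or "submission passes the checklist")
```

Feed `build_submission` the message exactly as it was stored after the appliance scanned it, since a copy exported by a client that drops the X-IronPort headers is rejected before anything is sent.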
