09-14-2010 06:16 AM
Hi all,
I don't know whether there is a post about this or not, but I was unable to find it.
I've got a couple of mails that have been blocked by the Anti-Spam engine, whereas some other mails formatted the same way were not.
In the mail log it says Dropped by CASE
I would like to know if there is a way to know what was wrong with the email. Is there a log file or something else?
Users usually ask me why their mails were blocked.
Thanks
Cheers
Arnaud
09-14-2010 11:15 AM
Edited for correction
09-14-2010 11:17 AM
Greetings Arnaud,
The mail logs provide detailed information on message processing. They do not, however, provide specifics on what anti-spam rules were matched. When a message is marked as "dropped by case" it means that the components that make up the message scored high enough to be classed as spam. To get specific details on why a message was marked as spam, or even why a message was not marked as spam, you would need to submit the message to us. We typically ask customers to submit messages so that rule changes can be made if needed, which should not be often, but it does occur. Once submitted you will not receive any feedback; however, you can contact customer support if specific details about the messages are needed.
Missed spam, 'false negative' messages are submitted to spam@access.ironport.com
False positives are submitted to ham@access.ironport.com
When you submit samples to these addresses it is important that they are submitted in the correct format (RFC-822).
How do I report IronPort Anti-Spam false positives or missed spam?
To send a missed spam or message incorrectly marked as "not-spam" email to IronPort Systems for examination, there are a number of ways to submit messages.
Note: Unless submitted through a plug-in (MS Outlook, not MS Outlook Express), messages forwarded must be RFC-822 compliant attachments. Forwards of previously forwarded messages cannot be processed at this time.
Each message is reviewed by a team of human analysts and used to enhance the accuracy and effectiveness of the product.
Once we receive submissions from a customer or from other sources, these messages are passed through automated classification systems that make use of our latest rule set. If these messages are tagged by the new rule-set as spam, they are classified as such. Due to a delay in receiving samples and generating rules, many of the missed-spam messages usually have rules published between the time they are received by our customers and reported to us.
There are some messages that are part of new spam trends or new variants that are sufficiently different or new spam strains that are not classified by automated systems. Basically, any messages that are held for classification due to some mitigating factors are held for human review. We attempt to get to these messages within 2-3 hours of them being ingested into the corpus.
Note: Although every report sent as an RFC-822 attachment to this address will be reviewed, most submissions will not receive an actual physical reply from IronPort.
Below are details on submitting messages in RFC-822 Format.
Customers using IronPort Anti-Spam or Symantec Brightmail Anti-Spam will want to submit both 'missed spam' (False Negatives) and messages which are incorrectly classified as SPAM (False Positives). In either case, the submission must be attached to an email as an RFC-822 MIME encoded attachment. This ensures that the submission can be processed quickly and efficiently. The actual steps to follow are different for each mail program (Mail User Agent).
Report undetected spam to: spam@access.ironport.com
Report false-positives to: ham@access.ironport.com
Microsoft Outlook
Lotus Notes
Tested with Notes versions 6.5.x and 7.0.x
Outlook Express 6
Entourage (Apple Mac)
Apple Mail.app
Mozilla Thunderbird
Netscape Messenger
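For cases where no mail client is involved (for example a message exported as a .eml file), the RFC-822 attachment format described in the reply above can be produced with Python's standard `email` package. This is an added example, not part of the original post or an IronPort tool; the function names, the reporter address, the wrapper subject and body text, and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Submission addresses as given in the reply above.
SPAM_ADDR = "spam@access.ironport.com"  # missed spam (false negatives)
HAM_ADDR = "ham@access.ironport.com"    # false positives

# Keep parsed headers exactly as received instead of re-folding long lines.
PRESERVE = policy.SMTP.clone(refold_source="none")

# Constructed sample: raw bytes of a message saved from a mailbox (.eml).
SAMPLE_EML = (
    b"Received: from mx.example.net; Tue, 14 Sep 2010 06:00:00 +0000\r\n"
    b"From: Sender <sender@example.net>\r\n"
    b"To: user@example.com\r\n"
    b"Subject: Quarterly invoice\r\n"
    b"Message-ID: <constructed-1@example.net>\r\n"
    b"\r\n"
    b"Please find the invoice details below.\r\n"
)

def build_submission(raw_eml, reporter, false_positive):
    """Wrap the original message, untouched, as a message/rfc822 attachment."""
    original = message_from_bytes(raw_eml, policy=PRESERVE)
    if not original.keys():
        raise ValueError("input has no headers, so it is not a saved message")
    wrapper = EmailMessage(policy=PRESERVE)
    wrapper["From"] = reporter
    wrapper["To"] = HAM_ADDR if false_positive else SPAM_ADDR
    wrapper["Subject"] = "False positive" if false_positive else "Missed spam"
    wrapper.set_content("Sample attached in RFC-822 format.")
    wrapper.add_attachment(original)  # a Message object becomes message/rfc822
    return wrapper

def attached_originals(wrapper):
    """Return the messages carried as message/rfc822 parts of a submission."""
    return [part.get_payload(0) for part in wrapper.walk()
            if part.get_content_type() == "message/rfc822"]

def survives_transport(wrapper, raw_eml):
    """Serialize, re-parse, and confirm the original is intact."""
    wire = wrapper.as_bytes()
    reparsed = message_from_bytes(wire, policy=PRESERVE)
    found = attached_originals(reparsed)
    return raw_eml in wire and len(found) == 1 and "Received" in found[0]

if __name__ == "__main__":
    msg = build_submission(SAMPLE_EML, "admin@example.com", false_positive=True)
    print(msg["To"], survives_transport(msg, SAMPLE_EML))
```

The resulting `EmailMessage` can be handed to `smtplib.SMTP.send_message` on a host that is allowed to relay; the original `Received` and `Message-ID` headers travel inside the attachment rather than being rewritten as they would be by an inline forward.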
09-16-2010 03:44 AM
Christopher,
Thank you for your answer, which was very ... complete. I wasn't expecting that, and so fast, so it's great.
I've got the answer I was looking for. I was aware that we could send emails to spam@access.ironport.com
I'll risk another question, still in regard to spam detection: how does the spam engine work, and what criteria does the spam engine base its scans on?
Thanks again
Arnaud
09-17-2010 05:02 AM
Arnaud,
Unfortunately we can't go into much detail on what the actual rulesets contain or what patterns are used for matching as this involves proprietary information.
Things I can tell you.
IPAS (IronPort Anti-Spam) rules are typically updated every 15 minutes or so.
They are very accurate, although no scanning solution can claim 100% effectiveness.
IPAS rules can work in conjunction with SBRS, Sender Base Reputation Scoring.
Again if you have specific questions about a message you can contact support after submitting the message and we can try to point you in the right direction.
Christopher C Smith
CSE
Cisco IronPort Customer Support