cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3905
Views
0
Helpful
4
Replies

Anti-spam Logs

araudevain
Level 1
Level 1

Hi all,

I don't know wether there is a post or not about this but I was unable to find it.

I've got a couple of mails that has been blacked by the Anti-Spam engine where as some other mails formated the same way were not.

In the mail log it says Dropped by CASE

I would like to know if there is way to know what as wrong with the email. Is there a log file or something else?

Users usually ask me why their mails was blocked.

Thanks

Cheers

Arnaud

4 Replies 4

Edited for correction

Greetings Amaud,

The mail logs provide detail information on message processing. They do not however  provide specifics on what anti-spam rules were matched.  When a message is marked as "dropped by case" it means that the components that make up the message scored high enough to be classed as spam. To get specific details on why a message was marked as spam, or even why a message was not marked as spam you would need to submit the message to us. We typically ask customers to submit messages so that rule changes can be made if needed, which should not be often, but it does occur. Once submitted you will not receive any feed back however you can contact customer support if specific details about the messages are needed.

Missed spam, 'false negative' messages are submitted to spam@access.ironport.com

False positives are submitted to 'ham@access.ironport.com

When you submit samples to these addresses it is important that they are submitted in the correct format (RFC-822).

How do I report IronPort Anti-Spam false positives or missed spam?

To  send a missed spam or message incorrectly marked as "not-spam" email to  IronPort Systems for examination, there are a number of ways to submit  messages.

  • Preferred: Use the Outlook plug-in or Lotus plug-in, found on the Cisco IronPort Email Security Page.
  • For  customers using clients other than Microsoft Outlook, go to your email  program and follow the instructions to attach the email as an RFC-822 MIME encoded attachment. See article 472.
  • (NOTE: All  submitted messages must be in the RFC 822 format and ONLY that format.   Any other formats (such as S/MIME) are currently not compatible with  the submission tool.)

Note: Unless submitted through a  plug-in (MS Outlook, not MS Outlook Express), messages forwarded must be  RFC-822 compliant attachments. Forwards of previously forwarded  messages cannot be processed at this time.

Each message is reviewed by a team of human analysts and used to enhance the accuracy and effectiveness of the product.

Once  we receive submissions from a customer or from other sources, these  messages are passed through automated classification systems that makes  use of our latest rule set. If these messages are tagged by the new  rule-set as spam, they are classified as such. Due to a delay in  receiving samples and generating rules, many of the missed-spam messages  usually have rules published between the time they are received by our  customers and reported to us.

There are some messages that are  part of new spam trends or new variants that are sufficiently different  or new spam strains that are not classified by automated systems.  Basically, any messages that are held for classification due to some  mitigating factors are held for human review. We attempt to get to these  messages within 2-3 hours of them being injested into the corpus.

Note:  Although every report sent as an RFC-822 attachment to this address will be reviewed, most submissions will not receive an actual physical reply from IronPort.

Below are details on submitting messages in RFC-822 Format.

Customers using IronPort Anti-Spam or Symantec Brightmail Anti-Spam will want to submit both 'missed spam ' (False Negatives) and messages which are incorrectly classified as  SPAM (False Positives). In either case, the submission must be attached  to an email as an RFC-822 MIME encoded attachment. This ensures that the  submission can be processed quickly and efficiently. The actual steps  to follow are different for each mail program (Mail User Agent).

Report undetected spam to: spam@access.ironport.com
Report false-positives to: ham@access.ironport.com

Microsoft Outlook

  1. The most effective way to submit using Outlook is to use the plug-in. found here: Cisco IronPort Email Security Page.
  2. Click the submission buttons located in the tool bar
  3. To cause all forwarded messages to be an RFC-822 MIME encoded attachment:
    1. Click Tools > Options.
    2. Click Preferences > E-mail Options.
    3. In the drop-down section "When forwarding a message," choose " Attach original message."
    4. Click OK
    5. Click OK.
    6. In the drop-down section "When replying to a message," choose "Attach original message."
    7. Click OK
    8. Click OK
  4. If you prefer "in-line" style forwarding generally, you can force Outlook to use RFC-822 for a given message(s).
    1. Navigate the folder that contains the submission.
      1. For example, your In box
    2. Hold down the control key (Ctrl) and highlight at least two messages.
    3. Right Click on the highlighted messages, choose Forward.
    4. This "forces" outlook to use RFC-822, however, Brightmail does not accept multiple submissions in this format.
    5. Brightmail users
      1. Delete all but one "attachment"
      2. Repeat for each message
    6. IronPort Anti-Spam accepts multiple attachments,
      1. Click Send
    7. If you have only one example, delete the additional message.

Lotus Notes

Tested vith Notes versions 6.5.x and 7.0.x

  1. From your Lotus Notes inbox
    1. The most effective way to submit using Notes is to use the plug-in - found here: Cisco IronPort Email Security Page
    2. Open the false negative (missed spam) or false positive message
    3. Click View > Show > Page Source
    4. Copy all the data into a text file and save the file with .eml extension. Repeat for each message
    5. Create a new message
    6. Attach the .eml file(s) and send the new message

Outlook Express 6

  1. Open Outlook Express 6.
  2. Right-click the message that you want to submit, choose Forward As Attachment.

Entourage (Apple Mac)

  1. Open Entourage.
  2. Right-click the message to submit, choose  Forward As Attachment.

Apple Mail.app

  1. Open Apple Mail.app
  2. File -> Save As, Format - Raw Message Source, Repeat for each spam message
  3. Create a new message
  4. Attach raw source file(s) to the new message

Mozilla Thunderbird

  1. Open Thunderbird.
  2. Select message (message is highlighted)
  3. Then click Message -> Forward As -> "Attachment"
    1. "Message" is at the top, next to "File Edit View Go"

Netscape Messenger

  1. Open Netscape Messenger.
  2. Right-click the message to submit, choose  Forward as an attachment.

Christopher C Smith
CSE
Cisco IronPort Customer Support

Christopher,

Thank you for your answer which was very .... complete , I wasn't expecting that and so fast so it's great

I've got the answer I was looking for. I was aware that we could send emails to  spam@access.ironport.com

I risk myself for another question still in regards to spam detection, how the spam engine works, what criterias the spam engine bases his scans on to?

Thanks again

Arnaud

Arnaud,

Unfortunately we can't go into much detail on what the actual rulesets contain or what patterns are used for matching as this involves proprietary information.

Things I can tell you.

IPAS (IronPort Anti-Spam) rules are typically updated every 15 minutes or so.

They are very accurate, although no scanning solution can claim 100% effectiveness

IPAS rules can work in conjunction with SBRS, Sender Base Reputation Scoring.

Again if you have specific questions about a message you can contact support after submitting the message and we can try to point you in the right direction.

Christopher C Smith
CSE

Cisco IronPort Customer Support 

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: