Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Submiting False Positif Spam

I have sent several false positif spam messages to spam@access.ironport.com

Anyone has any idea, how to control every false positif of spam messages sent to spam@access.ironport.com has already been updated?

17 REPLIES
Community Member

Re: Submiting False Positif Spam

How does it work? Do you check every single incoming mail manually? What exactly do you check? Could you please tell us your process to add/remove a spam-report to the above mail-adress?

Community Member

False positives

False positives should go to ham@access.ironport.com

False negatives (missed spam) should be sent to spam@access.ironport.com

Community Member

Re: Submiting False Positif Spam

Can I just forward such a (non) SPAM-Mail to the above adresses?
Do I have to add some information about the number of recipients, my serial-number or something else?

Community Member

Re: Submiting False Positif Spam

Part of the analysis is done based on the IPAS X-header signature tags as to why the message was process wrong (spam vs. ham when it should have been the other).

Community Member

False positives

Often, new rules take care of false positives.

However, if a false positive is critical to your business or are not resolved by new rules within a reasonable amount of time, please contact IronPort Support.

Community Member

Re: Submiting False Positif Spam

To send a missed spam or incorrectly marked as not-spam email to IronPort Systems for examination, there are a number of ways to submit messages.

Unless submitted through a plug in (MS Outlook, not MS outlook Express), messages forwarded must be RFC-822 compliant attachments.
Please note: forwards of previously forwarded messages cannot be processed at this time.
The preferred method is to use the plug in for Outlook, found on the IronPort Anti-Spam page of our portal, but for customers using clients other than Microsoft Outlook, there are other alternatives. Details for ensuring RFC-822 compliant attachments for MS Outlook (including Express), Lotus Notes, (Mac) Entourage, Thunderbird, are detailed in the link below.

Go to your email program and follow the instructions to attach the email as an RFC-822 MIME encoded attachment. See article 472.

Send false negative (missed spam) to spam@access.ironport.com.
Send false positive (mail marked as spam, but is actually ham) email to IronPort Systems to ham@access.ironport.com.

Each message is reviewed by a team of human analysts and used to enhance the accuracy and effectiveness of the product.

Note: Although every report sent as an RFC-822 attachment to this address will be reviewed, most submissions will not receive an actual physical reply from IronPort.


Symantec provides two email addresses specifically to receive false positive and false negative reports.

Messages that have been scanned by Brightmail and resulted in false positives should be sent with all headers to gfeedback@feedback-1.brightmail.com.
Messages that have been scanned and are false negatives should be sent, with all headers, to gsubmit@submit-1.brightmail.com.
Important - You must send FULL HEADERS and BODY in the message as a RFC-822 MIME encoded attachment when submitting messages to these addresses. Symantec must receive false positives and negatives within 24 hours from the date initially sent to effectively write rules and filter the spam.


Note - If you can't see the Brightmail header "X-BrightmailFiltered: true" in the message you're sending to Symantec, then either the message was not filtered through Brightmail or you aren't forwarding all headers. If you don't have all headers available to you because of a defective email client, you should not submit the message to Symantec, as it will not be reviewed.

Community Member

Re: Submiting False Positif Spam

The preferred method is to use the plug in for Outlook, found on the IronPort Anti-Spam  page of our portal
Unfortunately, this plugin only works only with the english Outlook - but there are some other languages out there. 8)
...but there are other alternatives. ...are detailed in the link below.
Sorry, I can't find this link.
See article 472.
from the IronPort-KB? Is there a possibility to create a direct URL to this KB-Entry?

This reporting way is not that easy and you have to change the mail-settings for every spam-message.
It would be much better to have a working plugin for the non-english Outlook. :wink:

Community Member

Re: Submiting False Positif Spam

Pat, which version of the outlook plug-in are you using ?

Community Member

Re: Submiting False Positif Spam

The newest officially available v 1.7 - is there any other version around?

Community Member

Re: Submiting False Positif Spam

There is an other version. But this is an older one (version 1.5)

Community Member

Re: Submiting False Positif Spam

And this older version (1.5) works with a non-english Outlook like my german one?

Community Member

Re: Submiting False Positif Spam

I don't know but it is worth trying it I think.

The link to the kb is https://ironport.custhelp.com/cgi-bin/ironport.cfg/php/enduser/std_adp.php?p_faqid=472&p_sid=cA4In5Fi&p_lva=119&p_sp=cF9zcmNoPTEmcF9zb3J0X2J5PWRmbHQmcF9ncmlkc29ydD0mcF9yb3dfY250PTY1JnBfcHJvZHM9MCZwX2NhdHM9MCZwX3B2PSZwX2N2PSZwX3NlYXJjaF90eXBlPWFuc3dlcnMuc2VhcmNoX25sJnBfcGFnZT0xJnBfc2VhcmNoX3RleHQ9YnJpZ2h0bWFpbA%2A%2A&p_li=cF91c2VyaWQ9cGV0ZXIudmFuLmRlbi5iZXJnQG1haWwuaW5nLm5sJnBfcGFzc3dkPU9EdXRHUUQxJnBfbGlfZXhwaXJ5PTExODI4Njg2Njc%2A

Community Member

Re: Submiting False Positif Spam

If I understand this article, my most important steps are:

a) Hold down the control key (Ctrl) and highlight at least two (spam- or not-spam-)messages.

b) Right Click on the highlighted messages, choose Forward.
(This "forces" outlook to use RFC-822 - really?)

If I only have one spam-mail to report, I delete the other attachment.

c) I send attachment(s) for false negative (missed spam) to spam@access.ironport.com
and for false positive (mail marked as spam, but is actually ham) email to IronPort Systems to ham@access.ironport.com.

That's all? And this attachments can be analyzed by IronPort?

Community Member

Re: Submiting False Positif Spam

In Outlook 2007 when you right mouse click the menu will say "Forward Items" not just "Forward".

Basically you need to send the examples as attachments.

You can also open a new email spam@access.ironport.com or ham@access.ironport.com which ever is the case and "drag n' drop" the examples into the new email. This will make them an attachment in the correct format.

The problem is a standard "Forward" does not include the original email in it's orginal format, it removes the email headers.

Erich

462
Views
0
Helpful
17
Replies
CreatePlease to create content