Manually submitting missed spam and false positive messages to the Symantec Security Response Center.

Article:TECH83081  |  Created: 2005-01-24  |  Updated: 2013-02-26  |  Article URL http://www.symantec.com/docs/TECH83081
Article Type
Technical Solution


Issue



You have a missed spam or false positive mail to send to Symantec Security Response Center for examination.

You need to know the process to send feedback to Security Response.


Solution



Definitions:

Spam

Symantec defines spam as unsolicited bulk email (includes unsolicited commercial email). Many end-users, customers and even analysts are actually referring to spam in a broader sense as all unwanted communication. Symantec does not include the following in its definition of spam:

  • Unwanted direct marketing emails that have been solicited by the recipient
  • Unwanted newsletters that have been solicited by the recipient

Symantec Messaging Gateway 9.5 has new disposition verdicts on Newsletter messages, Marketing mail messages and Suspicious URL messages. Details on these dispositions and the message submission procedures to Symantec can be found here.

Suspect Spam

Messages which are marked as suspect spam will not be treated as false positives. The suspect spam feature of Symantec Brightmail products is intended to augment the spam filtering. It is up to administrators of the product to determine a threshold which is suitable for the organization. Unlike spam, which is determined by Symantec and not subject to adjustment by administrators, the suspected spam threshold should be configured to an appropriate level, or disabled completely. Administrators of Symantec Brightmail products are advised to use policies to specify less obstructive actions for messages identified as suspected spam than for messages identified as spam by Symantec.

False positive

A false positive is a legitimate email which has been incorrectly given a verdict of spam.

 

Missed Spam Submissions

Messages which have not been blocked by the anti-spam filters and which match the definition of spam above can be submitted to Symantec for analysis and possible filter creation.

NOTE: Customers using Symantec Messaging Gateway (SMG) or Symantec Mail Security for Microsoft Exchange (SMSMSE) can use the add-on product Symantec Email Submission Client (SESC) to easily submit spam to Symantec. SESC is available from Symantec Fileconnect using the standard product serial numbers for SMG or SMSMSE. See the following forum post for information on the release of SESC: Symantec Email Submission Client (SESC) 1.0: NOW AVAILABLE.

To analyze a missed spam message, Symantec must receive the original spam message:

  • Within 24 hours of receipt
  • As a "message/rfc822" email attachment*
  • One email attachment per submission**

Send the spam message as an email attachment to the appropriate address for your region:

Americas: gsubmit@submit-1.brightmail.com
EMEA: eurosubmit@submit-23.brightmail.com
APAC: apacsubmit@submit-22.brightmail.com
Japan: jpnsubmit@submit-47.brightmail.com

Instructions on how to attach messages for common email clients are provided below. For all other email systems, please check the documentation or contact the service provider for help.

What happens to missed spam submissions?

Only messages sent following the procedure above will be accepted for analysis and possible spam filter creation.
The Security Response Center processes the received message using a sophisticated algorithm which groups the message with other messages received from customers or through the extensive probe network. When a group of messages that are similar enough reaches a threshold, it becomes an attack.  At this point, an automated process or a Security Response technician will create a filter to respond to the attack as accurately as possible without creating a potential False Positive.  Adding the filter to the appropriate ruleset completes the process in our Security Response Center.  Your Inbox becomes protected from that attack after the ruleset is updated on the Brightmail filtering mailserver.

Feedback on missed spam submissions

Symantec does not acknowledge messages submitted to the above addresses. Due to the volume of submissions received, Security Response cannot offer any guarantee that filters will be written. For creation of specific rules, customers should be using the custom rules, compliance policies, and blacklist modules.

For Mail Administrators who want to enable end user spam reporting

A “report spam” button can be configured in the mail client interface to allow end users to submit missed spam directly. Administrators should work with their mail client provider to do this. An alias should be configured for the appropriate submission address above. The action of the button should be to forward the original spam message to the alias as an RFC 822 email attachment with full headers and body preserved. A copy of the message may also be sent to the customer’s internal support desk.
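
One way the button's forwarding action could be implemented, shown as an added example that is not Symantec's code: the function wraps a message byte for byte in a single message/rfc822 attachment and enforces the 24-hour and 2MB limits stated on this page. The function names, the example.org sender and the sample message are assumptions made for illustration; the region addresses are the ones listed above, and `now` must be a timezone-aware datetime.

```python
import re
import uuid
from datetime import datetime, timedelta
from email import message_from_bytes
from email.utils import format_datetime, parsedate_to_datetime

# Missed-spam addresses exactly as listed on this page.
MISSED_SPAM = {"Americas": "gsubmit@submit-1.brightmail.com",
               "EMEA": "eurosubmit@submit-23.brightmail.com",
               "APAC": "apacsubmit@submit-22.brightmail.com",
               "Japan": "jpnsubmit@submit-47.brightmail.com"}
MAX_BYTES = 2_000_000          # page says 2MB; decimal megabytes assumed
MAX_AGE = timedelta(hours=24)  # page: within 24 hours of receipt

SAMPLE = (  # constructed sample message with CRLF line endings
    b"Received: from mx.example.net by mail.example.org; "
    b"Mon, 25 Feb 2013 10:00:00 +0000\r\n"
    b"From: promo@example.net\r\nTo: user@example.org\r\n"
    b"Message-ID: <constructed-1@mail.example.net>\r\n"
    b"Subject: Constructed sample\r\n\r\nBuy now\r\n")


def received_at(raw: bytes) -> datetime:
    """Receipt time: the date after the last ';' of the topmost Received header."""
    hops = message_from_bytes(raw).get_all("Received")
    if not hops:
        raise ValueError("no Received header; full headers were not preserved")
    return parsedate_to_datetime(str(hops[0]).rpartition(";")[2].strip())


def build_submission(raw: bytes, sender: str, region: str, now: datetime) -> bytes:
    """Wrap the message, byte for byte, as a single message/rfc822 attachment."""
    if "\r" in sender or "\n" in sender:    # refuse header injection via sender
        raise ValueError("sender contains a line break")
    if now - received_at(raw) > MAX_AGE:
        raise ValueError("sample was received more than 24 hours ago")
    body = re.sub(rb"\r?\n", b"\r\n", raw)  # normalise line endings only
    bnd = uuid.uuid4().hex
    while bnd.encode() in body:             # boundary must not occur in the sample
        bnd = uuid.uuid4().hex
    head = (f"From: {sender}\r\nTo: {MISSED_SPAM[region]}\r\n"
            f"Date: {format_datetime(now)}\r\nSubject: Missed spam sample\r\n"
            "MIME-Version: 1.0\r\nContent-Transfer-Encoding: 8bit\r\n"
            f'Content-Type: multipart/mixed; boundary="{bnd}"\r\n\r\n'
            f"--{bnd}\r\nContent-Type: message/rfc822\r\n"
            "Content-Transfer-Encoding: 8bit\r\n"
            "Content-Disposition: attachment\r\n\r\n").encode("ascii")
    out = head + body + f"\r\n--{bnd}--\r\n".encode("ascii")
    if len(out) > MAX_BYTES:
        raise ValueError("submission exceeds the 2MB limit")
    return out
```

The wrapper is assembled by hand rather than re-serialised through a MIME library so that the sample's headers are never re-folded or reordered.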

False Positives Submissions

A legitimate email which has been incorrectly given a verdict of spam can be submitted to Symantec for analysis and filter review. As explained above, messages with a suspect spam verdict are not considered false positives and these will not be reviewed.

To analyze a false positive message, Symantec must receive the original false positive message:

  • As a "message/rfc822" email attachment*
  • One email attachment per submission**

Send the false positive message as an email attachment to the appropriate address for your region:

Americas: gfeedback@feedback-1.brightmail.com
EMEA: eurofeedback@feedback-23.brightmail.com
APAC: apacfeedback@feedback-22.brightmail.com
Japan: jpnfeedback@feedback-47.brightmail.com

Instructions on how to attach messages for common email clients are provided below. For all other email clients, please check the documentation or contact the service provider for help.

What happens to false positive submissions?

Only messages sent following the procedure above will be accepted for analysis.
Messages that have a spam verdict will be processed within 24 hours. Each false positive submission is examined individually to assess what caused the message to be detected as spam and what corrective action, if any, needs to be taken. Note that Symantec does not guarantee that each submission will result in an alteration of our filters.

Feedback on false positives submissions

Symantec does not acknowledge messages submitted to the above addresses. Ensure that you are following the procedure outlined above to submit in a correct format. If this fails to resolve the matter please contact your administrator or Symantec support.

What happens if the false positive email was deleted?

If the action for a spam verdict is to delete, you are aware of a legitimate email being deleted due to a spam verdict, and you can work with the original sender to re-send their email:

  • You can create a temporary whitelist for the sender’s address in order to obtain the sample message from the recipient for submission.
  • The whitelist should be removed after the sample message has been obtained as email addresses are often spoofed by spammers and this could lead to messages bypassing spam scanning.

In Symantec Brightmail Gateway it is possible to submit messages directly from the quarantine:

  • Create a new group policy for the recipient of the email and change the action to quarantine
  • Ensure the option to send Misidentified Messages to Symantec Security Response is enabled on the Spam -> Settings -> Quarantine Settings page.
  • Ask the sender to resend their email
  • Release the email from the quarantine.

 

Submitting Messages for Customer Specific Spam Rules

You can obtain custom spam rules specifically for your organization based on the missed spam messages and false positive messages that administrators and end users submit.

This feature provides the following benefits:

  • It improves Symantec Messaging Gateway's ability to detect spam and helps administrators control false positive incidents
  • It makes it easier to submit missed spam messages or false positive messages to Symantec for analysis and ruleset creation
  • It provides visibility into the submission status and ruleset creation

See the following documents for additional info on Customer Specific Spam Rules:

Setting up customer-specific spam submissions: www.symantec.com/docs/HOWTO77719

About submitting messages for customer-specific spam rules: www.symantec.com/docs/HOWTO77718

 

 

Mail client instructions for submitting valid samples (missed spam and false positives):

Microsoft Outlook 2010

Select the sample message, right-click it, choose More Actions, then choose Forward as attachment.

Microsoft Outlook 2007

Select the sample message and press Ctrl + Alt + F
OR
Open a new message and drag the sample message you want to forward out of the "messages" pane into the body of the new message window
OR
Open a new message, select the “Attach Item” icon and choose 'Item' from the drop down list. Then select the sample message you wish to attach from the "Insert Item" dialogue box
OR
Always forward messages as attachments. Select Tools -> Options -> Preferences Tab -> E-Mail Options. In the ‘On replies and forwards’ section, select “Attach original message” from the “When forwarding a message” drop down list. Click OK twice. Then select the sample message and click the forward button.

Microsoft Outlook 2003

Open a new message and drag the sample message you want to forward out of the "messages" pane into the body of the new message window
OR
Open a new message, select the attachment icon and choose 'Item' from the drop down list. Then select the sample message you wish to attach from the "Insert Item" dialogue box
OR
Always forward messages as attachments. Select Tools -> Options -> Preferences Tab -> E-Mail Options. In the ‘On replies and forwards’ section, select “Attach original message” from the “When forwarding a message” drop down list. Click OK twice. Then select the sample message and click the forward button.

Windows Live Mail/ Microsoft Outlook Express 6

Right-click the sample message > Forward as an attachment.

Netscape Messenger

Right-click the sample message > Forward as an attachment.

Mozilla Thunderbird

Select the sample message (message is highlighted). Click Message -> Forward As -> "Attachment". ("Message" is at the top, next to "File Edit View Go".)


Mac OS X Mail

Highlight the sample message. Click Message > “Forward as Attachment” from the menu.

Lotus Notes

For information on using Lotus Notes, read How To Export Messages From IBM Lotus Notes.

--------------------------------------------------------------------------------

Technical Information

* Email attachments should be in "message/rfc822" attachment format. RFC 822 is a MIME subtype, specified here: http://www.ietf.org/rfc/rfc2046.txt. Section 5.2 of RFC 2046 addresses the "Message Media Type", and section 5.2.1 addresses the "RFC 822 subtype". The full internet headers and body of the message should be retained exactly as the message was received and forwarded intact as an attachment.

As a general guideline, email attachments should be in the same file format that the mail client uses. For example, .msg attachments will work from Outlook providing the step-by-step instructions above are followed; .eml attachments will work from mail clients such as Windows Live Mail / Microsoft Outlook Express / Hotmail etc.

NOTE: Symantec DOES NOT treat a submission as valid if the email attachment is in a different file format from the one the mail client uses. For example, submissions with .eml attachments from Outlook or submissions with .msg attachments from Outlook Express will be seen as invalid submissions.

** Multiple sample emails may be attached to one submission email providing the overall size limit of 2MB per submission, including attachments, is not exceeded.

Note that any false positive or missed spam messages that you submit to Symantec Corporation may contain personally identifiable information such as email addresses and information in email message body and/or enclosures. Symantec uses this information globally only for creating spam detection rules. We encourage the submission of false positives or missed spam, because it makes our product more effective and enables us to serve you better. Access to this information is not shared with any third party and it is restricted to Symantec personnel involved in spam rule creation. For any question regarding your personal information you may read our Privacy Policy or contact us at privacy@symantec.com




