Learn how to submit spam email that was not blocked (false negative) for the following Symantec.cloud email services:
If you are using Messaging Gateway, Messaging Gateway for Service Providers, or Mail Security for Microsoft Exchange, see Submit false negatives (missed spam) or false positives (legitimate email) to Symantec Security Response.
For spam email that was not blocked by Symantec.cloud anti-spam filters, and which match the definition of spam, you can submit these to Symantec for analysis (and possible filter creation).
A false negative occurs when an email containing spam has been incorrectly identified as being clean of security threats. An example of a threat may be links that appear to be for familiar websites, but in fact lead to phishing web sites.
You can now use the following submission method, available in the Symantec.cloud Portal under Tools > Email Submissions > Email Submission Service Settings.
To analyze a missed spam message, Symantec must receive the original spam message:
To submit a false negative
Send sample spam messages as an email attachment to firstname.lastname@example.org.
For more information about attaching messages, see Email client instructions.
Additional information and a FAQ can be found in Information about Email Security.cloud Submission Service.
WARNING: Do not attach false negative samples directly to support cases. This is not a valid method of delivering mail samples to Symantec Security Response. For security reasons, all samples attached directly to support cases will be deleted.
Alternatively, you can use the following submission methods, available in the Symantec.cloud portal.
Only messages sent following the procedure above will be accepted for analysis and possible spam filter creation.
Symantec's Security Response Center processes the received message using a sophisticated algorithm which groups the message with other messages. These may be received from customers or gathered through the extensive Probe Network. When a group of messages that are similar enough reaches a threshold, it becomes an attack. At this point, an automated process or a Security Response technician will create a filter to respond to the attack as accurately as possible without creating a potential False Positive. Adding the filter to the appropriate ruleset completes the process in our Security Response Center. Your Inbox becomes protected from that attack after the ruleset is updated on the Brightmail filtering mail server.
Due to the volume of submissions received, Symantec does not acknowledge missed spam messages and cannot offer any guarantee that filters will be written. Should you face a situation where feedback is required, or the complexity of the attack demands interaction with our Anti-Spam team, please prepare all of the information required below and open a case with our Technical Support team either through the service portal or by phone.
Sample/s submission Details:
* Submitter email address:
* Date/Time of submission:
* Submission method/address:
* Did you submit a single spam or multiple samples?
* Provide the following details from at least 1 of the submitted samples: Envelope From address, Recipient Address, Subject, Delivery Date
* When was the spam from this particular attack first seen?
* Are the sample/s recent, within 5 days (Y/N)?
Customer Impact/Scope of the issue:
* Scope/Pain point of the issue: how many users does this impact, does it involve CEO/VIP, is it a random incident?
* What type of spam did you receive? (URL, Phish, Attachment, ReplyTo, etc.)
* What is the volume of missed messages? (How many spam messages are your users seeing)
Note: For email software not listed, please check the software's documentation, or contact your service provider.
Select the sample message and press Ctrl + Alt + F on the keyboard or
Select the sample message and press Ctrl + Alt + F
- OR -
Open a new message and drag the sample message you want to forward out of the "messages" pane into the body of the new message window
- OR -
Open a new message, select the "Attach Item" icon and choose 'Item' from the drop-down list. Then select the sample message you wish to attach from the "Insert Item" dialogue box
- OR -
Always forward messages as attachments. Select Tools -> Options -> Preferences Tab ->E-Mail Options. In the 'On replies and forwards' section, select "Attach original message" from the "When forwarding a message" drop-down list. Click OK twice. Then select the sample message and click the forward button.
Open a new message and drag the sample message you want to forward out of the "messages" pane into the body of the new message window.
- OR -
Open a new message, select the attachment icon and choose 'Item' from the drop-down list. Then select the sample message you wish to attach from the "Insert Item" dialogue box.
- OR -
Always forward messages as attachments.
For information on using Lotus Notes, read How To Export Messages From IBM Lotus Notes.
Symantec defines spam as unsolicited bulk email. This includes unsolicited commercial email. Many end users, customers and even analysts are referring to spam in a broader sense as all unwanted communication. Symantec does not include the following in its definition of spam:
Details for blocking Newsletters can be found in the following article on How to manage newsletter / marketing email filtering with Symantec Cloud Email Security.
If an email contains a phishing or malicious link (for example, an attached document that contains no code but attempts to social engineer the recipient into visiting a phishing page) it falls into the category of spam. Syamntec classifies these mails or attachments as Threat Artifacts rather than Malware. Anti-Spam tools have proven to be the most effective defence, rather than Anti-Malware.
Malware is software that is intended to damage or disable computers and computer systems. Symantec will add detection for Malware email attachments.
If an email contains a suspicious/malicious attachment(s) which have code, these are classified as possible malware. To report these, please follow our Anti-Malware False Negative Process.
* Email attachments should be in "message/rfc822" attachment format. RFC 822 is a mime subtype, specified in RFC 2046. Section 5.2 of RFC 2046 addresses the "Message Media Type," and section 5.2.1 addresses the "RFC 822 subtype". The full internet headers and body of the message should be retained exactly as the message was received and forwarded intact as an attachment.
As a general guideline, email attachments should be in the same file format that the mail client uses. For example, .msg attachments will work from Outlook providing the step-by-step instructions above are followed; .eml attachments will work from mail clients such as Windows Live Mail / Microsoft Outlook Express / Hotmail, etc.
NOTE: Please notice that Symantec DOES NOT see submissions as valid if an email attachment is in a different file format that the mail client uses. For example, submissions with EML attachments from Outlook or submissions with msg attachments from Outlook Express will be seen as invalid submission.
Subscribing will provide email updates when this Article is updated. Login is required to Subscribe
Thanks for your feedback. Let us know if you have additional comments below. (requires login)
This will clear the history and restart the chat.