Submitting a false positive or false negative - F-Secure Community
<main> <article class="userContent">
Submitting a false positive or false negative
<p>This article explains how you can send false spam positives and false spam negatives to Proofpoint for further analysis. </p>
<p>Both administrators and end users can report false positives and false negatives. For end users, the administrator must first enable end user digests. End users can then report false positives and false negatives from the digest. Reporting false negatives requires the use of the Audit folder in the Quarantine. </p>
<p>It also requires setting up a Spam Reporting Group. </p>
<p><strong>False negatives</strong> </p>
<p>False negatives are messages that are considered spam by the end user, but since they were scored below 50 by the MLX engine, they were delivered to the end user. By reporting these messages to the Proofpoint Attack Response Center (PARC), you can help improve spam effectiveness against that specific type of message. </p>
<p>In order to fully examine the reported message, PARC requires the entire original/unaltered message. Since the best way to capture the original message is in the quarantine (before it arrives at your mail server), we use the "Audit Messages" feature to store Not Spam messages in the Audit folder. </p>
<p>There are two steps required to enable the reporting of false negatives: </p>
<div> <ul><li>Enable Auditing in all Spam Policies </li>
<li>Enable Audit Messages for users </li> </ul></div>
<p><strong>Enable Auditing in all Spam Policies</strong> </p>
<p>This option will quarantine (into the Audit folder) any message (&lt;200K) marked as Not Spam that is also not being quarantined by any other rule. </p>
<ol><li> Click <strong>Spam Detection</strong> &gt; <strong>Policies</strong>. </li>
<li> Edit the <strong>Default</strong> policy. </li>
<li> Edit the <strong>Not Spam</strong> rule. </li>
<li> Select the <strong>Include in Audit folder</strong> box. </li>
<li> Click <strong>Save Changes</strong>. 
</li>
<li> Repeat these steps for all other spam policies. <p><strong>Note:</strong> The "Not Spam" messages will not be copied into the Audit folder until the "Audit Message" feature is actually enabled for one or more users (next step). </p> </li> </ol>
<p><strong>Enable Audit Messages for users</strong> </p>
<p>Navigate to Groups and Users / Users and select the checkbox next to each user who will use this feature. </p>
<div> <ol><li>Click the <strong>Groups</strong> button. </li>
<li>Under the "Available Groups" column, click <strong>Spam Reporting</strong>, then click <strong>&gt;&gt;</strong> to move it under the "Add" column. </li>
<li>Click <strong>Save Changes</strong>. </li> </ol></div>
<p>Once these steps have been completed, mail marked as "Not Spam" will begin appearing in the Audit folder in the quarantine. </p>
<p>For performance reasons, we do not recommend that you enable Audit Messages for all users. If you do decide to enable it for all users, do so on Groups and Users / Global. </p>
<p><strong>False positives</strong> </p>
<p>False positives are messages that are scored as spam but are considered valid e-mail by the end user. False positives are very rare and are treated with the highest priority by Proofpoint. Digests allow for the reporting of false positives in the default configuration. Users click the <strong>Not Spam</strong> link next to an individual message and that e-mail is then delivered directly from the Quarantine to the Proofpoint Attack Response Center. </p>
<p>If this link does not appear in your digest, check the following: </p>
<div> <ol><li>Click <strong>Digest</strong> / <strong>Commands</strong> / <strong>Display Spam False-Positive Link</strong> (on). </li>
<li>Click <strong>Digest</strong> / <strong>Filters</strong> / <strong>Modules</strong>. Click <strong>Spam</strong>, <strong>Options</strong> and then <strong>Digest Commands</strong>. "Report False Positive Spam" should be on the right-hand side. </li>
<li>Digest / Content / Labels. 
Verify the name assigned to "Report False Positive Spam". </li> </ol></div>
<p><strong>Reporting directly from the Quarantine</strong> </p>
<p>An administrator can perform the same reporting function, but directly from the Quarantine: </p>
<div> <ol><li>Navigate to Quarantine / Messages. </li>
<li>Search for the message by Subject, Sender, Recipient, etc. </li>
<li>Select the checkbox next to the message and click <strong>Options</strong> / <strong>Report</strong>. </li> </ol></div>
<p>If you do not want your users to be able to report messages directly from their digest, and wish to only have administrators report directly from the quarantine, change the following options: </p>
<div> <ul><li>Digest &gt; Commands. Disable "Report False Positive Spam". </li>
<li>Digest &gt; Commands. Disable "Report False Negative Spam". </li>
<li>Groups and Users &gt; Groups. Select the checkbox next to <strong>Spam Reporting</strong> and click <strong>Attributes</strong>. Set "Include Audit Messages in Digest" to "Default" and save. </li> </ul></div>
<p>These changes will still store both spam and not spam in the quarantine, but the end users will no longer see the Audit section in their digest and they will no longer see the "Not Spam" option in the Quarantine section. </p>
</article> </main>