Submitting a false positive or false negative

Submitting a false positive or false negative - F-Secure Community

This article explains how you can send false spam positives and false spam negatives to Proofpoint for further analysis.

Both administrators and end users can report false positives and false negatives. For end users, the administrator must first enable end user digests. End users can then report false positives and false negatives from the digest. Reporting false negatives requires the use of the Audit folder in the Quarantine.

It also requires setting up a Spam Reporting Group.

False negatives

False negatives are messages that are considered spam by the end user, but since they were scored below 50 by the MLX engine, they were delivered to the end user. By reporting these messages to the Proofpoint Attack Response Center (PARC), you can help improve spam effectiveness against that specific type of message.

In order to fully examine the reported message, PARC requires the entire original/unaltered message. Since the best way to capture the original message is in the quarantine (before it arrives at your mail server), we use the "Audit Messages" feature to store Not Spam messages in the Audit folder.

There are two steps required to enable the reporting of false negatives:

Enable Auditing in all Spam Policies
Enable Audit Messages for users

Enable Auditing in all Spam Policies

This option will quarantine (into the Audit folder) any message (<200K) marked as Not Spam that is also not being quarantined by any other rule.

Click Spam Detection > Policies.
Edit the Default policy.
Edit the Not Spam rule.
Select the Include in Audit folder box.
Click Save Changes.
Repeat these steps for all other spam policies.
Note: The "Not Spam" messages will not be copied into the Audit folder until the "Audit Message" feature is actually enabled for one or more users (next step).

Enable Audit Messages for users

Navigate to Groups and Users / Users and select the checkbox next to each user who will use this feature.

Click the Groups button.
Under "Available Groups" column, click Spam Reporting, then click >> to move it under the "Add" column.
Click Save Changes.

Once these steps have been completed, mail marked as "Not Spam" will begin appearing in the Audit folder in the quarantine.

For performance reasons, we do not recommend that you enable Audit Messages for all users. If you do decide to enable it for all users, do so on Groups and Users / Global.

False positives

False positives are messages are scored as spam but are considered valid e-mail by the end user. False positives are very rare and are treated with the highest priority by Proofpoint. Digests allow for the reporting of false positives in the default configuration. Users click the Not Spam link next to an individual message and that e-mail is then delivered directly from the Quarantine to the Proofpoint Attack Response Center.

If this link does not appear in your digest, check the following:

Click Digest / Commands / Display Spam False-Positive Link (on).
Click Digest / Filters / Modules. Click Spam, Options and then Digest Commands. "Report False Positive Spam" should be on the right-hand side.
Digest / Content / Labels. Verify the name assigned to "Report False Positive Spam".

Reporting directly from the Quarantine

An administrator can perform the same reporting function, but directly from the Quarantine:

Navigate to Quarantine / Messages.
Search for message by Subject, Sender, Recipient, etc.
Select the checkbox next to the message and click Options / Report.

If you do not want your users to be able to report messages directly from their digest, and wish to only have administrators report directly from the quarantine, change the following options:

Digest > Commands. Disable "Report False Positive Spam".
Digest > Commands. Disable "Report False Negative Spam".
Groups and Users > Groups. Select the checkbox next to Spam Reporting and click Attributes. Set "Include Audit Messages in Digest" to "Default" and save.

These changes will still store both spam and not spam in the quarantine, but the end users will no longer see the Audit section in their digest and they will no longer see the "Not Spam" option in the Quarantine section.