Help! Spam Leakage
Policies and Practices
- All submitted messages are reviewed by some combination of human and automated systems. We do our best to create
rules that will filter all submitted spam and malware without creating false positives. If you have submitted spam through
normal channels and it keeps getting through, if you require a response about a particular spam, or if you want to add
special black rules to your rulebase, then those cases are handled differently (see below).
- All spam submissions are treated anonymously. We do not respond to individuals submitting
spam, and we generally do not attempt to discover or recognize how the spam was submitted except to apply
guidelines that help to improve accuracy. For example, we treat spam submitted by people differently from spam that
was submitted through entirely automated (predictable) means.
- We may not add rules for some spam that is submitted through normal channels. We will not add rules to the core rulebase:
  - if we feel that a spam submission was an error;
  - or that other SNF subscribers would disagree that the submission is spam (blocking the submitted message would cause false positives);
  - or that we cannot create rules sufficient to block the submitted message without causing false positives.
- We may (but usually do not) attempt to unsubscribe the recipient in some cases.
Ordinary Submission Methods
POP3 approach for submitting spam:
The best way to submit spam to us is to create a pop3 mailbox on your system that our spam-bots can visit to collect samples. Our spam-bots will download and delete messages from the mailbox every few minutes and submit them to our system for processing.
There are two kinds of spam collection boxes: SpamTraps and UserTraps.
A SpamTrap is a mailbox that contains messages that were captured automatically without any human intervention. These are virtually guaranteed to receive only spam and have a very predictable collection policy. For example, messages you might forward to a SpamTrap mailbox might be arriving at clean spamtrap addresses that you already have set up, fake (never used) addresses that were harvested by spammers, or messages from special filters (such as those that failed other virus scanners but did not fail SNF for some reason).
A UserTrap is a mailbox that contains messages that have been identified as spam or malware by users, administrators, or staffers in some way. For example, if you collect spam submissions from a button on your customers' email clients, or if you allow trusted users to forward spam to a special mailbox, then those messages might be forwarded to a UserTrap.
If you want to set up a SpamTrap or UserTrap on your system (or several if they are sufficiently different) then please send an email to support@ with the following information:
- Your license ID (so we know you are an authorized user).
- The type of mailbox (either SpamTrap or UserTrap).
- The email address (login id) of the mailbox.
- The password for the pop3 account.
- The FQDN of the pop3 server (such as: pop3.example.com).
- A description of how the messages arrive at this mailbox.
The other way to submit spam to us for filtering is to simply forward the unwanted message to firstname.lastname@example.org. This is fine for occasional submission by you and/or your staff. Please do not instruct your users to submit spam to this address directly. If you wish to do something like that then your best option would be to set up a UserTrap as described above. If for some reason you are unable or unwilling to set up a pop3 UserTrap, then you can set up an alias on your system where your users can forward their spam and then have that alias redirect those messages to our spam@ address.
Technical Issues / Submission Format:
We are sometimes asked about the best format for submitting spam. Here are some guidelines:
- Submit each message individually. Do not batch submissions. Our system will very likely filter out the entire
batch after catching only one piece of one message in the batch. As a result we will most likely never see the rest
of the batch. Also, it is much more difficult to examine messages that have been re-encoded as batched attachments. One
at a time please for best results.
- It is best for us to receive spam submissions exactly as they arrived at your server, with their headers and MIME
structure in their original condition. Remember that SNF will see the messages in their
raw SMTP format as they are arriving at your server. Any additional processing makes it more difficult for us to create
rules that will match what SNF will see coming into your server.
- Do not simply submit message headers. Submit the entire message in SMTP format. Long ago it was common for messages to be filtered by headers (we never did it that way!). This was because most filtering was done by black-listing the IP address of the message source. While this is still done on many systems it is not the SNF way! Message Sniffer looks at the entire content, header, and structure of the message. Often the rules that matter most are the ones that take advantage of how the message was put together. SNF rules most frequently match content or structure -- these things are lost if you only submit message headers. Please submit the entire message as it was received.
When in doubt it is usually OK to simply forward spam to our email@example.com address.
Chronic Spam and Special Black Rules
If you have submitted a particular spam through regular channels and it is still getting past SNF, then you can send us a sample of that message in a special support request:
- Put your license ID and the words "Chronic Spam" in the subject of your message.
- ZIP one or more samples of the message and attach the ZIP file. Zipping the messages will ensure
that your submission to us is not filtered out by existing filters. Please send copies of the message in their
raw SMTP format -- if at all possible avoid proprietary binary message formats. If you can open the message file
and read it in a text editor (like vim or notepad) before you zip it then we will also be able to see it :-)
- Describe what you can about the spam, how long and how often you have submitted the spam through normal
channels, and any special information you might have about it -- such as any special black rules you might be willing
to add to your rulebase or any observations you have made that might make it simpler to filter out this message.
- Send the message to firstname.lastname@example.org from your registered email address or an authorized alias or role account. We will respond to you once we have reviewed the message samples.
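A pre-flight check for the submission-format guidelines and the Chronic Spam packaging steps above, written as an added example (it is not SNF's own tooling). The function names, the constructed sample messages and the `LICENSE-ID` placeholder are assumptions, and the checks are heuristics.

```python
import email
import io
import zipfile
from email import policy

# Constructed sample messages (not real spam), in raw SMTP form with CRLF line endings.
GOOD = (b"Received: from mail.example.net by mx.example.com; Mon, 1 Jan 2024 00:00:00 +0000\r\n"
        b"From: a@example.net\r\nTo: b@example.com\r\nSubject: offer\r\n"
        b"MIME-Version: 1.0\r\nContent-Type: text/plain\r\n\r\nBuy now\r\n")
HEADERS_ONLY = GOOD.split(b"\r\n\r\n")[0] + b"\r\n"
PART = b"--b\r\nContent-Type: message/rfc822\r\n\r\n"
BATCH = (b"From: admin@example.com\r\nMIME-Version: 1.0\r\n"
         b"Content-Type: multipart/mixed; boundary=\"b\"\r\n\r\n"
         + PART + GOOD + PART + GOOD + b"--b--\r\n")
BINARY = b"\xd0\xcf\x11\xe0" + b"\x00" * 8  # stand-in for a proprietary binary file

def check_sample(raw):
    """Return reasons the file is a poor sample; an empty list means it looks usable."""
    if b"\x00" in raw:
        # Raw SMTP messages are text; NUL bytes suggest a binary container format.
        return ["binary format: not readable in a text editor"]
    problems = []
    text = raw.replace(b"\r\n", b"\n")
    _, _, body = text.partition(b"\n\n")  # the first blank line ends the headers
    if not body.strip():
        problems.append("headers only: the body and MIME structure are missing")
    if text.startswith(b"From ") and b"\n\nFrom " in text:
        problems.append("batch: mbox file holding more than one message")
    msg = email.message_from_bytes(raw, policy=policy.default)
    attached = [p for p in msg.walk() if p.get_content_type() == "message/rfc822"]
    if len(attached) > 1:
        problems.append("batch: %d messages re-encoded as attachments" % len(attached))
    return problems

def package_chronic(samples, license_id):
    """Zip the usable samples byte-for-byte; return (subject, zip_bytes, rejected)."""
    rejected = {}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, raw in samples.items():
            problems = check_sample(raw)
            if problems:
                rejected[name] = problems
            else:
                zf.writestr(name, raw)  # no re-encoding: headers and MIME stay intact
    return "%s Chronic Spam" % license_id, buf.getvalue(), rejected
```

The returned subject line and ZIP bytes are what the steps above ask for; anything in `rejected` should be re-exported from the mail store as a single raw message before sending.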
Special Black Rules:
The rules we put into our core rulebase are generally accepted by all SNF systems. However, some systems have different policies that can afford to be more strict. For example, we have one system that has asked us to block any message that contains "the F word". Other systems have asked for special black rules to block specific character sets or any message that appears to be bulk mail of any kind.
We do not offer general switches for enabling this kind of filtering at this time but we do provide customization services. If you would like to add special black rules to support your system policies then please send a note to us at support@ and tell us what you would like to block. Please do not include spam or fragments of spam in your message or it will be filtered out before we can see it. If you need to send us a sample then please ZIP the sample and attach it to your message as described above.
We will work with you to customize your rulebase so that it supports your system policy.