Symantec Brightmail Gateway Effectiveness User’s Guide
Solution:
Introduction
This document provides an overview of antispam effectiveness issues, policies, and procedures related to Symantec Brightmail Gateway and other Symantec mail security products. It explains which messages should be captured as spam, what steps customers can take to communicate with us regarding effectiveness issues, and when those steps should be taken. Symantec continually works to improve its spam effectiveness, but it is to be expected that even industry-leading antispam technology will miss some spam messages. The procedures outlined in this document explain what you should expect from Symantec technology and what to do if your expectations are not being met.
Effectiveness
Spam represents as much as 90% of all email sent across the Internet. The figure varies because some regions are targeted more heavily by spam senders than others, and because IP-based solutions that reject spam before it is allowed to reach an MTA are increasingly widely deployed. Symantec strives to maintain 97% antispam effectiveness for all spam. Antispam effectiveness is the percentage of spam that an antispam solution identifies as spam. This is distinct from the catch rate, which is the percentage of all mail messages that the solution identifies as spam.
To illustrate this, consider a typical mail stream of 100 messages:
- 64 messages are spam (based on the latest Symantec trend analysis of Internet mail).
- Symantec Brightmail Gateway successfully identifies 60 messages as spam.
- The spam effectiveness is 93.75% (60 of 64 spam messages).
- The catch rate is 60% (60 of 100 messages).
It is critical that customers do not confuse effectiveness and catch rate when considering the performance of Symantec Brightmail Gateway solutions.
Symantec uses multiple methods to measure its anti-spam effectiveness:
- Control accounts at global service provider customers, including our Probe Network partners. These accounts provide Symantec with a direct measure of effectiveness, against a statistically significant number of accounts monitored in customer environments.
- The catch rate of the Probe Network. The Probe Network is made up of millions of email accounts that receive exclusively spam messages, so every message it receives is spam and its catch rate is a direct measure of effectiveness. Symantec Security Response measures the number of spam messages in the Probe Network that are correctly identified as spam.
- Missed spam submissions. Symantec Security Response analyzes the number of missed spam submissions from our customers. This provides direct customer feedback on the number of messages missed relative to the aggregate message flow through all mailboxes protected by Symantec mail security products.
End User Expectations
End-user experience is typically what customers refer to when discussing spam filter effectiveness. No single inbox or small group of inboxes can by themselves be an accurate gauge for measuring overall spam filtering effectiveness. One end-user may find their experience to be poor, while another finds spam filtering to be very effective. Symantec, and other antispam vendors, cannot guarantee the same effectiveness for every end-user's experience, since different users receive different kinds and volumes of spam.
End users also have different opinions about what constitutes spam; to most end users the definition is subjective. Many define spam simply as unwanted email, including legitimate advertisements they no longer wish to receive, and many end users, customers and even analysts use the term in the broader sense of all unwanted communication. Symantec defines spam as unsolicited bulk email (which includes unsolicited commercial email).
Symantec does not include the following in its definition of spam:
- Unwanted direct marketing emails that have been solicited by the recipient
- Unwanted newsletters that have been solicited by the recipient
- Unwanted transaction emails, for example, receipts, confirmations, account statements, and similar items
- Hoaxes, urban legends, jokes, chain-letters sent by users known to the recipient
- Challenge/response emails
- Messages sent to the recipient in error
- Email bounce notifications and errant worm notifications
Between 30% and 45% of all missed spam reported by Symantec customer end users is not spam according to Symantec’s definition.
Symantec’s antispam technology is focused on stopping true spam messages. Symantec also provides administrator and end-user tools to enable them to block unwanted messages. These tools include web based personal Allowed and Blocked Senders Lists.
Increased Spam Volume
If Symantec maintains the same effectiveness ratio (spam caught versus spam missed) but the total volume of spam increases, the end user will perceive a drop in effectiveness. For example, one missed message out of ten spam messages is 90% effectiveness. If the volume of spam received rises from 10 to 100 messages, effectiveness remains 90%, but the end user now sees ten missed spam messages instead of one and perceives the product as less effective. The volume of mail received by end users is therefore critical to understanding their perceived spam filtering effectiveness.
Symantec offers various solutions to reduce email volume, including the Symantec Mail Security 8160 appliance and the Symantec Brightmail Gateway appliances that dramatically reduce the overall mail volumes.
The unique system design of Symantec Mail Security 8160 helps to reduce the amount of unwanted email entering enterprise networks by analyzing the network's email flow and identifying the behavior of various network paths over time. The Symantec Mail Security 8160 identifies spammers by pinpointing the true source of each email and then limiting the bandwidth and resources that spamming sources can use, significantly decreasing the flow of spam. Using Transmission Control Protocol (TCP) traffic shaping at the TCP protocol level, the 8160 manages the quality of service that each email sender is given based on how likely it is that they are sending spam. Legitimate senders receive excellent quality of service and their mail flows quickly, while spammers are given very poor quality of service and their mail is slowed dramatically. Spammers have no way to force mail into your protected network, so their spam simply backs up on their own servers.
Symantec Brightmail Gateway appliances analyze incoming SMTP connections at the IP address level as well. Unlike the Symantec Mail Security 8160, Symantec Brightmail Gateway appliances consult only a local reputation database on the appliance, and then automatically defer or allow incoming connections based on the sending IP’s historical reputation. Whereas the 8160 manages connections at the TCP layer, Symantec Brightmail Gateway uses SMTP deferral to manage connections.
Steps to Follow if Seeing Increased Missed Spam
If spam effectiveness seems to have dropped, the following troubleshooting steps, and the information you gather while performing them, can help determine where the issue lies. Review your product documentation for details on how to perform each step.
Use the following basic troubleshooting steps:
- Verify that you are running as many different antispam rule types as possible, and that all rule types you have enabled are currently running.
- Ensure that the spam messages are not bypassing your Symantec servers. Check the Received headers of a missed message: the sending MTA’s IP should appear on a hop that was received by the gateway, not on a hop that reached your mail store directly.
- Confirm that the rulesets were current at the time the missed spam messages came through, and that rulesets are updating on every scanner.
- Verify that none of the Symantec Brightmail Gateway services (Server, Client, or Conduit) were down when these messages came through, and that the various components and modules are functioning with no errors reported in the logs.
- If the Allowed Senders List or Safe Senders List IP services are enabled, ensure that none of the senders of the missed spam messages are on those lists.
Some troubleshooting steps may require you to temporarily raise the log level to INFO or DEBUG in order to see sufficient data in the logs. Reset the log level once you have completed troubleshooting, to avoid the overhead of verbose logging.
Gather the following information before contacting Support:
- The time period in which the suspected spike in missed spam occurred. Make sure you are retaining the most recent missed spam messages for submission.
- How you are submitting samples of missed spam to the Symantec Security Response Center (see Missed Spam Submissions below).
- How you are tracking the increase in spam.
- Whether the evidence consists of end-user inbox complaints, management complaints, or statistics.
- Whether all available software updates and patches have been installed.
- Whether you have made any other changes to your environment that might have contributed to effectiveness issues. This includes server, OS, or datacenter changes, and changes to Symantec or other products in the mail stream.
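The "check the Received headers" step in the troubleshooting list above, as an added example that is not part of this document or of the product: a small Python script that unfolds the Received headers of a missed-spam sample, lists the hops newest-first, and reports whether any hop was received by the gateway and which sending IP the gateway saw. The gateway hostname bmg.example.com, the internal address ranges, and the two sample messages are constructed assumptions; adjust them to your deployment.

```python
import email
import ipaddress
import re

# Assumption: the hostname your Symantec Brightmail Gateway scanner writes into
# the "by" clause of the Received header it adds.
GATEWAY_HOSTS = {"bmg.example.com"}
# Assumption: address ranges that are internal to your network.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
BY_HOST = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def parse_received(raw_message: str) -> list:
    """Return one dict per Received header, newest (topmost) first.

    Each MTA prepends its own Received line, so the first header is the last
    hop before delivery and the last header is closest to the origin.
    """
    msg = email.message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(value.split())      # unfold continuation lines
        by = BY_HOST.search(value)
        ip = BRACKETED_IP.search(value)      # first bracketed IP = connecting peer
        hops.append({"by": by.group(1).lower() if by else None,
                     "from_ip": ip.group(1) if ip else None,
                     "raw": value})
    return hops


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def check_path(hops: list) -> tuple:
    """Return (traversed_gateway, source_ip).

    If some hop was received *by* the gateway, filtering happened there and the
    peer IP on that hop is the sending MTA the gateway actually saw; that is
    the IP to look up in the allowed-senders lists and reputation data.  If no
    hop names the gateway, the message reached the mail store by another route
    and the oldest external peer is the likely bypass path.
    """
    for hop in hops:
        if hop["by"] in GATEWAY_HOSTS:
            return True, hop["from_ip"]
    for hop in reversed(hops):               # oldest hop first
        ip = hop["from_ip"]
        if ip and not is_internal(ip):
            return False, ip
    return False, None


# Constructed sample: a missed spam that did traverse the gateway.
MISSED_VIA_GATEWAY = """\
Received: from bmg.example.com (bmg.example.com [10.1.1.5])
    by mail.example.com with ESMTP id 8Kq1; Thu, 18 Jun 2009 10:00:05 -0700
Received: from mx1.spammer.test (mx1.spammer.test [203.0.113.77])
    by bmg.example.com with ESMTP id 2Zr9; Thu, 18 Jun 2009 10:00:04 -0700
From: deals@spammer.test
To: user@example.com
Subject: Cheap pills

Buy now.
"""

# Constructed sample: a message that never touched the gateway, for example one
# delivered by a partner relay straight to the internal mail server.
BYPASSED_GATEWAY = """\
Received: from relay.partner.test (relay.partner.test [198.51.100.9])
    by mail.example.com with ESMTP id 4Mn3; Thu, 18 Jun 2009 10:02:00 -0700
From: deals@spammer.test
To: user@example.com
Subject: Cheap pills

Buy now.
"""

if __name__ == "__main__":
    for name, sample in (("via gateway", MISSED_VIA_GATEWAY),
                         ("bypassed", BYPASSED_GATEWAY)):
        print(name, check_path(parse_received(sample)))
```

A message whose oldest external hop was received directly by the mail server is a routing problem, not a filter problem, and submitting it as missed spam will not help; fix the MX or relay configuration first.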
Installing Software Updates and Patches
Symantec mail security products have the ability to react to most new attacks via new filters that use existing technologies. However, over time, Symantec introduces new anti-spam technologies into its products to deliver new capability. It is critical that customers evaluate new versions of Symantec mail security products, since some new spam attacks can only be caught with them. If you are experiencing lower spam effectiveness, you should consider upgrading to the latest version of your Symantec technology. Customers should plan to deploy the latest release to ensure the highest levels of antispam effectiveness.
Missed Spam Submissions
If you have followed the troubleshooting and information gathering steps outlined above and determined that the increase in missed spam is not related to configuration or version issues, then you should consider making a missed spam submission. Missed spam submissions are used by Symantec for:
- Antispam technology and effectiveness research
- Emerging threat research
- Internal reporting and data mining
- Antispam filter development
The Security Response Center must receive the messages within one day of the time they were initially sent. Since spammers rarely reuse old spam, Symantec does not write filters against messages older than 24 hours. The Security Response Center processes each received message using sophisticated algorithms that group it with other messages received from customers or through the extensive Probe Network. When a group reaches a threshold, it becomes an attack. At that point the automation systems or a Security Response technician create a rule to respond to the attack, and adding the rule to the rule set completes the process. Your scanners are protected once their rule set is updated.
However, due to the volume of submissions received (approximately 3 to 4 million messages per day), Security Response cannot guarantee that filters will be written for particular submissions. Because many submissions contain a forged sender address, Security Response cannot provide feedback on submissions.
How End Users Submit Missed Spam
The customer creates an alias for the appropriate Symantec-Brightmail missed spam address:
- North America: Gsubmit@submit-1.brightmail.com
- EMEA: eurosubmit@submit-23.brightmail.com
- APAC: apacsubmit@submit-22.brightmail.com
- Japan: jpnsubmit@submit-47.brightmail.com
Note: Only missed spam messages should be sent to these addresses. If your deployment exceeds 50,000 users, unique submission addresses for missed spam and false positives can be created.
The missed spam must be sent as RFC-822 MIME encoded attachments (that is, each original message attached whole as a message/rfc822 part, with its headers intact) in order for Symantec Security Response to process it. Information on submitting messages is available in KB 2005012415180263:
http://service1.symantec.com/SUPPORT/ent-brightmailkb.nsf/docid/2005012415180263
Repeated Spam Attacks
Many spam messages look the same from the initial appearance, but contain many hidden characteristics to make the messages unique.
A few sample characteristics include:
- Hidden HTML comments or undefined HTML tags
- Using text that is the same color as the background (or nearly the same color – camouflage)
- Use of extremely tiny fonts placed strategically throughout the message
- Images that introduce randomized changes (text moved, color changed, image rotated slightly, different borders, etc.)
If end users encounter multiple missed messages that seem to be related, they should report them to Symantec Security Response, following the procedures outlined above.
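The hidden characteristics listed above, as an added example that is not part of this document or of Symantec's filters: a Python normaliser that drops HTML comments, background-coloured text and tiny-font text, treats unknown tags as transparent, and hashes only the text a reader would see. Two constructed variants of one attack (VARIANT_A and VARIANT_B, made up here) differ byte for byte but produce the same visible-text fingerprint, which is why per-message uniqueness does not stop related samples being grouped into one attack. Only the simple forms of each trick (six-digit hex colours, px font sizes, <font> attributes) are recognised.

```python
import hashlib
import re
from html.parser import HTMLParser

FONT_SIZE_PX = re.compile(r"font-size\s*:\s*(\d+)\s*px")
# The lookbehind keeps "background-color" from matching as "color".
FG_COLOR = re.compile(r"(?<![-\w])color\s*:\s*(#[0-9a-f]{6}|[a-z]+)")


class VisibleText(HTMLParser):
    """Collect the text a reader would actually see.

    Drops HTML comments, text whose colour equals the page background, and
    text in fonts of 2px or less (or <font size> of 1 or less).  Unknown tags
    contribute their text like any other element.  This is an illustration of
    the tricks named above, not a complete renderer.
    """

    def __init__(self, background: str = "#ffffff"):
        super().__init__(convert_charrefs=True)
        self.background = background.lower()
        self.hidden_depth = 0      # > 0 while inside a hidden element
        self.open_tags = []        # (tag, opened_a_hidden_region)
        self.parts = []

    def _is_hidden(self, tag, attrs) -> bool:
        style = (attrs.get("style") or "").lower()
        m = FONT_SIZE_PX.search(style)
        if m and int(m.group(1)) <= 2:
            return True
        m = FG_COLOR.search(style)
        if m and m.group(1) == self.background:
            return True
        if tag == "font":
            if (attrs.get("color") or "").lower() == self.background:
                return True
            size = attrs.get("size") or ""
            if size.lstrip("+-").isdigit() and int(size) <= 1:
                return True
        return False

    def handle_starttag(self, tag, attrs):
        hidden = self._is_hidden(tag, dict(attrs))
        self.open_tags.append((tag, hidden))
        if hidden:
            self.hidden_depth += 1

    def handle_endtag(self, tag):
        # Pop back to the matching start tag; unclosed void tags like <br>
        # are popped on the way.
        while self.open_tags:
            opened, hidden = self.open_tags.pop()
            if hidden:
                self.hidden_depth -= 1
            if opened == tag:
                break

    def handle_data(self, data):
        if self.hidden_depth == 0:
            self.parts.append(data)

    def handle_comment(self, data):
        pass   # comments never render; dropping them removes one randomiser


def normalize(html: str, background: str = "#ffffff") -> str:
    """Visible text, whitespace-collapsed and lower-cased."""
    parser = VisibleText(background)
    parser.feed(html)
    parser.close()
    return re.sub(r"\s+", " ", "".join(parser.parts)).strip().lower()


def raw_fingerprint(html: str) -> str:
    return hashlib.sha256(html.encode()).hexdigest()


def visible_fingerprint(html: str) -> str:
    return hashlib.sha256(normalize(html).encode()).hexdigest()


# Two constructed variants of one attack; each is byte-for-byte unique.
VARIANT_A = ('<html><body><p>Buy <!-- x7q --> cheap '
             '<span style="font-size:1px">zq</span>pills now</p>'
             '<font color="#FFFFFF">lorem ipsum 8831</font></body></html>')
VARIANT_B = ('<html><body><p>Buy cheap<!-- k2 --> <xyzzy>pills</xyzzy> now</p>'
             '<span style="color:#ffffff">dolor 9920</span></body></html>')

if __name__ == "__main__":
    for label, variant in (("A", VARIANT_A), ("B", VARIANT_B)):
        print(label, raw_fingerprint(variant)[:12],
              visible_fingerprint(variant)[:12], repr(normalize(variant)))
```

The same idea applies to the image trick in the list above, but there the normalisation step is image analysis rather than HTML parsing, and a text hash like this one will not group those samples.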
Effectiveness Escalations
Basic and Essential Support Customers
Basic and Essential Support customers should follow the steps outlined above to submit missed spam to Symantec Security Response. As stated above, there is no response to missed spam submissions.
Business Critical Customers
Symantec offers Business Critical customers an effectiveness escalation path.
Use the following procedure when a Business Critical customer experiences a significant increase in spam attacks, and requests additional analysis by the Customer Response team:
- A Frontline Technical Support Agent, Advanced Technical Support Agent or Technical Account Manager must first ensure that the customer has followed the troubleshooting steps outlined above and has sent samples of the missed spam using the missed spam submission process outlined above.
- If the customer has submitted samples of the missed spam and continues to receive the spam, and all of the troubleshooting checks have been performed, the support agent must request no more than five samples from the customer. Each sample must be received as an RFC-822 attachment from the customer.
- Support can send the samples to the Customer Response team for priority review.
- Customer Response will only analyze samples that are received as an RFC-822 attachment including the original, unmodified headers. Customer Response will analyze all submissions and will provide any additional recommendations if needed.
- Customer Response will only provide feedback - to Support - if specifically requested by the support agent.
There is no Service Level Agreement for missed spam or effectiveness issues. Escalations are not handled during weekends or outside U.S. Pacific Time business hours.
Note: Customers of Symantec OEMs, 3rd party vendors, and/or appliance partners that are not direct Symantec Brightmail Gateway customers need to go through their vendor, who can contact the appropriate support agent to assist in this process. Those customers should not contact Symantec Support directly.
Probe Accounts and the Probe Network
Symantec’s worldwide Probe Network™ is a vast collection of email accounts. The patented Probe Network is built on a base of over 2 million accounts donated by service provider and enterprise customers, as well as accounts owned by Symantec. It is one of the key reasons why Symantec Brightmail Gateway is the leading solution for accurately stopping spam.
Why the Probe Network is Important
The Probe Network is crucial to Symantec and its antispam customers for a variety of reasons:
- Drives early detection of spam attacks. Probe accounts are the first step in the real-time detection and analysis of spam. The structure of the Probe Network essentially provides Symantec Security Response a stream of real-time spam that is being disseminated over the Internet. This virtual “net” of numerous accounts spread all over the Internet makes it easy for Symantec to verify that a given message was sent using bulk methods. When the same questionable message is caught by different probes, alarms go off and Symantec can take action.
- Speeds the development of accurate filters. The key marketplace differentiator for Symantec Brightmail AntiSpam-powered spam filtering is the near-perfect accuracy rate. Symantec Brightmail AntiSpam can boast a high accuracy rate because many of its core filters are based on actual spam. The Probe Network also provides key data that is used to develop Symantec's more predictive filters, such as heuristics. What makes all this possible is the volume, quality, and timeliness of data that flows in real time from the Probe Network to Symantec Security Response.
- Aids ongoing trend research. Spammers are constantly changing their tactics and dissemination methods to evade filtering software. Symantec’s Customer Response and Antispam Systems teams mine the data from the Probe Network to advance Symantec's antispam technology. Examples include staying abreast of the latest spam trends, evaluating the spam-catching differences between product versions, and monitoring detection rates in different languages.
Who should participate in the Symantec Probe Network?
- Domestic Enterprises with over 5,000 end users
- Domestic XSP’s with over 30,000 end users
- EMEA, APAC and Japan enterprises with over 1,000 end users
- EMEA, APAC and Japan XSP’s with over 10,000 end users
- Managed Service Providers: All MSP customers are eligible for NDR and Domain probe participation.
Only customers exceeding 10,000 users may provide standard probes.
False Positives
Symantec Brightmail Gateway strives to maintain a false positive (FP) rate of less than one FP in one million messages scanned. Symantec utilizes several methodologies to determine our FP ratio with a conservative estimate to account for data that is not reported.
Product Evaluations
Evaluations of the product provide accurate lab and field results, as the FP rate is monitored more closely by prospective customers. Impartial 3rd parties that compare antispam products against one another also provide such data. Although this is anecdotal data, 95% of these evaluation tests return results that fall within the 1 in a million FP rate claimed by Symantec. The 5% that do not can usually be attributed to subjective differences in the definition of false positives (for example: forwarded spam messages caught as spam, spam discussion newsletters containing spam examples, 3rd party mailers sending inordinate volumes of spam, newsletters that practice spamming).
Field Data
The caveat with field data is that not all end users report FPs, and some customers elect to delete detected spam and therefore have no way to report FPs. Understanding this, we compare an aggregate FP ratio (used to establish a baseline) with the FP ratio of only those domains that reported FPs, in each case comparing the total number of reported legitimate FPs to the total number of messages scanned. These numbers usually average approximately 1 FP for every 20-35 million messages scanned.
How End Users Forward False Positives
The mail administrator creates an alias for the address:
- North America: Gfeedback@feedback-1.brightmail.com
- EMEA: eurofeedback@feedback-23.brightmail.com
- APAC: apacfeedback@feedback-22.brightmail.com
- Japan: jpnfeedback@feedback-47.brightmail.com
Note: Only false positive messages should be sent to these addresses. If the customer has more than 50,000 users, unique submission addresses for missed spam and FPs can be created. End users send the FULL HEADERS and BODY of the message as an RFC-822 MIME encoded attachment so that Symantec can investigate and process it. A copy of the message may also be forwarded to the customer’s Support Desk. Symantec investigates and adjusts filters as necessary.
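Both the missed spam submission process and the false positive process above require the sample to arrive as an RFC-822 MIME encoded attachment with full headers, because forwarding a message inline replaces its headers with the forwarder's and loses the Received chain. As an added example that is not part of this document or of the product, the Python below wraps an original message as a message/rfc822 attachment using the standard library, round-trips the result through bytes as a receiving MTA would see it, and extracts the attached original to confirm its headers survived. The alias addresses and the sample spam are constructed assumptions; the alias is the local one an administrator creates to forward to the regional address listed above.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumption: local aliases that forward to the regional Symantec addresses.
MISSED_SPAM_ALIAS = "missed-spam@example.com"
FALSE_POSITIVE_ALIAS = "false-positive@example.com"


def build_submission(original_raw: str, sender: str, alias: str,
                     kind: str) -> EmailMessage:
    """Attach one original message whole, as a message/rfc822 part.

    The original is parsed and attached as a message object, so every header
    the user received (Received, Message-ID, From, Subject ...) is preserved
    inside the attachment instead of being rewritten by the forwarding client.
    """
    original = email.message_from_string(original_raw, policy=policy.default)
    submission = EmailMessage()
    submission["From"] = sender
    submission["To"] = alias
    submission["Subject"] = f"{kind} submission"
    submission.set_content(
        f"One {kind} sample is attached as message/rfc822 with original headers.")
    submission.add_attachment(original)   # Message payload -> message/rfc822
    return submission


def roundtrip(msg: EmailMessage) -> EmailMessage:
    """Serialize and re-parse, as the receiving side would see it."""
    return email.message_from_bytes(msg.as_bytes(), policy=policy.default)


def extract_attached(submission):
    """Return the attached original message, or None if none was attached."""
    for part in submission.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)
    return None


# Constructed sample of a missed spam as it sat in the user's mailbox.
SAMPLE_MISSED_SPAM = """\
Received: from bmg.example.com (bmg.example.com [10.1.1.5])
    by mail.example.com with ESMTP id 8Kq1; Thu, 18 Jun 2009 10:00:05 -0700
Received: from mx1.spammer.test (mx1.spammer.test [203.0.113.77])
    by bmg.example.com with ESMTP id 2Zr9; Thu, 18 Jun 2009 10:00:04 -0700
Message-ID: <2Zr9@mx1.spammer.test>
From: deals@spammer.test
To: user@example.com
Subject: Cheap pills
Content-Type: text/plain; charset="us-ascii"

Buy now.
"""

if __name__ == "__main__":
    sub = build_submission(SAMPLE_MISSED_SPAM, "user@example.com",
                           MISSED_SPAM_ALIAS, "missed spam")
    print(sub.as_string())
    inner = extract_attached(roundtrip(sub))
    print("attached Received headers:", len(inner.get_all("Received")))
```

The same builder serves false positive reports by passing FALSE_POSITIVE_ALIAS and "false positive" as the kind. Most mail clients produce exactly this structure when the user chooses "forward as attachment" rather than plain forward; the script is useful when submissions are automated from a quarantine or when a client's output needs checking.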
Business Critical Support Customers
Symantec offers Business Critical customers a critical false positive escalation path. Use the following procedure when a Business Critical customer experiences a critical false positive and requests additional analysis by the Security Response team:
- A Frontline Technical Support Agent, Advanced Technical Support Agent or Technical Account Manager must first ensure that the customer has followed the troubleshooting steps outlined above and has sent a sample of the false positive using the false positive submission process outlined above.
- If the customer has submitted samples of the false positive and continues to have the mail blocked then the support agent can send the samples to Security Response for priority review.
- Security Response only analyzes samples received as an RFC-822 attachment. Security Response analyzes all submissions and if possible will remove filters as appropriate.
- Security Response will provide feedback to support and indicate if the filter will be removed or left in place.
Security Response typically responds to all False Positive submissions within 60 minutes though there might be times when a submission can take longer to process. No guarantees are made on how long it will take to have filters written or removed and available for updates.
Note: Customers of Symantec OEMs, 3rd party vendors, and/or appliance partners that are not direct Symantec Brightmail Gateway customers must go through their vendor, who can contact the appropriate Technical Account Manager to assist in this process. Those customers should not contact Symantec Support directly.
Phishing
Symantec targets the largest phishing email threats with gateway email detection. The primary differences between phishing and spam are that phishing attacks can be a) very small and b) difficult to distinguish from legitimate direct email communications. Phishing attacks deployed using spamming techniques are readily detected and stopped, but attacks that are targeted and presumed legitimate are difficult to discern from actual communications from banks or credit card issuers. Symantec endeavors to be as effective against these threats as it is against spam by using its premium antispam technology to capture them.
Contacts
Symantec has the following teams that handle different elements of our antispam offerings:
- Support. Works directly with customers to resolve issues. Verifies that software is functioning and configured correctly, and gathers data to pass on to Symantec Security Response. Brings in representatives from other teams as necessary to assist customers.
- Symantec Security Response. Analyzes spam, viruses, worms, malware, and other threats in real time. Develops new antispam filters and virus definitions, which are distributed to Symantec Brightmail Gateway servers.
- Customer Response. Analyzes current spam trends and uses existing antispam technology to deliver the highest levels of effectiveness. Manages the Probe Network and researches future threat abatement techniques for antispam and other messaging security risks.
- Product Management. Responsible for the delivery of new releases of our offerings. They determine what features will be introduced into specific releases, and can present the roadmap for their products.
References:
http://service1.symantec.com/SUPPORT/ent-brightmailkb.nsf/docid/2005012415180263
Document ID: 2008100710321454
Last Modified: 06/18/2009
Date Created: 10/07/2008
Product(s): Brightmail Gateway, Brightmail Message Filter, Symantec Mail Security 8200 Series, Symantec Mail Security SMTP
Release(s): BG 2007 7.5, BG 2007 7.6, BG 2007 7.6.1, BG 7.7, BMF 6.0.0, Mail Security for SMTP 5.0.0, Mail Security for SMTP 5.0.1, SBAS 6.1