View All Resources

False Positive and False Negative Junk Submission

Summary

Foolproof email sanitation is difficult. Spammers constantly change their tactics to get around the private heuristics of mail sanitation services. Mail sanitation services constantly change their heuristics to address the ever-changing tactics of spammers. Email delivery is imperfect by nature. Penn's O365 environment is complicated by the fact we have multiple mail sanitation services.

Submitting mis-flagged messages provides mail sanitation vendors feedback that will make their services better, and consequently, our service will be better.

 

Definitions

False Positive - a legitimate message that was incorrectly flagged as junk

False Negative - a spam or phishing message that was not flagged as junk.
 
 

Self-reporting
 

False Positive Reporting:
 
  1. Analyze headers using the Microsoft Message Header Analyzer or the Google Messageheader tool.
    • Look for one of the following to determine where it was flagged:
      • Proofpoint header: X-Spam-Flag: Yes
      • Microsoft header: X-MS-Exchange-Organization-SCL: 5 (or greater)
  1. If the ProofPoint header is present, submit to ISC Client Care.
    • See To have ISC report section below. There is currently no way to submit samples to ProofPoint directly.
  1. If the Microsoft header is present, submit to Microsoft by one of the following methods:
False Negative Reporting:
 
  1. Use the Report Message add-in to report the message as Junk or Phishing, accordingly.
  2. Mark the message as Junk in Outlook on the Web.
 

To have ISC report:
 

ISC needs the full message, body and headers, to analyze and submit. The process for saving, ZIPing, and submitting message samples is also documented here.
 
  1. Save the message as a file.
    1. In Outlook, open the message in a new window by double-clicking on it
    2. File -> Save as
  1. ZIP message files.
    1. Windows 10
      1. right-click on saved message file
      2. Send to -> Compressed (zipped) folder
    2. Mac
      1. right-click on saved message file
      2. select Compress<filename>
  1. Submit to Client Care
    1. Attach ZIP file to an email to Client Care at help@isc.upenn.edu, or to Remedy if a ticket is already open.
    2. Explain briefly what kind of submission this is, false positive, or false negative, and if you need status updates.
    3. Client Care will take care of the rest.
 

Resources