Quarantine Emails - Score

I have notice that many emails that are not really spam, are going to the quarantine server, is there a way to increase or to decrease the level of the antispam filter?

Comments

  • James_CarsonJames_Carson Moderator, WatchGuard Representative

    Hi @anc

    It'd depend on why they're ending up there.

    -If it's for a specific sender, you can make an exception in spamblocker:
    (About spamBlocker Exceptions)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/spamblocker/spam_except_about_c.html

    -You can also report false positives into our system:
    (Report False Positives or Missed Spam)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/services/spamblocker/spam_report_false_c.html

    If the mail items that are ending up there are in the suspect category, you may wish to tag or allow those messages.

    Finally, failing the above you can open a support case so a support representative can help look at your logs and determine what might be wrong.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • Just to confirm - these quarantine emails are listed as Confirmed Spam, and not Bulk or Suspect, correct?

  • sorry for the delay replying Bruce. Yes they are confirmed as spam.

  • RalphRalph WatchGuard Representative

    Hello ANC,

    If it's an unusual amount of false positives then please open a support case and have one of our techs investigate. Is it every day business type emails or newsletters/email notifications/etc.

  • edited September 2

    Hi @Bruce_Briggs and @Ralph

    Quick question related to this scenario:

    If the message is in the quarantine server is there any way to submit it as a false positive directly from there? I see that I can save the message as a TXT file, however the instructions for submitting says the file needs to be a EML or MSG file type.

    Can I submit it as a TXT file?

  • RalphRalph WatchGuard Representative

    @jesseg

    No. Ideally you want to release the message to the end user then "Forward as Attachment", if using Outlook, to the submission address.

    Save As option saves a stripped down version of the message (similar to Outlook's Save As txt) where most main headers and message structure are stripped off.

    In email, you always want the raw message aka eml/rfc822 format to ensure complete message is preserved. Msg (Microsoft's format) works as well but it has to be converted to one of those formats first before it can be analyzed.

    Technically we could use the X-WatchGuard-Spam-ID header information but Firebox firmware =< v12.5.4 truncates the header. Known issue resolved in newer firmware.

  • Thanks for the feedback. I have put in a feature request to see if anything can be done from the quarantine server side.

    On the same note, has anyone noticed the spam filter seems to be extra "aggressive" for the last month or so?

    I would go weeks without having to release anything from the quarantine server, lately I've been having to release dozens of emails on a weekly basis. Some emails are so benign that I can't even begin to fathom why they would be flagged as confirmed spam.

  • edited September 13

    From the V12.5.4 Release Notes:

    spamBlocker Engine Update

    Starting with V12.5.4, spamBlocker now uses Cloudmark, a cloud-based service from Proofpoint, to improve spam detection.

  • @Bruce_Briggs Hmmm the date I installed 12.5.4 and the over aggressive spam filtering do seem to line up.

    I can't speak to whether it improves detection of actual spam or not, but the new engine is definitely doing a worse job in the false positive department.

    I've taken to spending about 2 hours a week lately going through the quarantine server to release legit emails. I just finished going through it now, and probably released 10 emails. I know 10 may not sound like a lot, but we're a small organization and I might have had to release 5 a month prior to going to 12.5.4.

    I've known about the quarantine server notification system for some time, but the amount of false positives was never so bad that it seemed necessary. However, lately I've been revisiting the idea of turning the daily notification system on and advising my end users on how to submit false positives.

    Am I the only one noticing this?

Sign In to comment.