What happens when I report uncaught spam to the spam auditing or support team?

This is where the frequently asked questions, and responses are kept. You should do a quick search on any questions before posting to the general forum. Your question may already be answered.

Moderators: wizard, magicspam

Post Reply
magicspam
Posts: 1562
Joined: Tue Oct 28, 2008 2:27 pm

What happens when I report uncaught spam to the spam auditing or support team?

Post by magicspam » Mon Jul 24, 2023 11:34 am

Spam (aka Unsolicited Bulk Email) definitions are often quite complex. Remember the old adage, one man's spam is another persons reading material.

However, we take EVERY case seriously. There are many forms of spam, some of which are simply annoying email marketing, or solicitations, while others are more dangerous (e.g. links to fraudulent services, fake notifications, scams, phishing, or even malware) so the approach taken and the speed on which they act, are often based on the danger to the public.

Firstly, IP reputation is reviewed. With only 4 billion IPs out there, IP reputation is the MOST effective form for stopping dangerous operators, compromised servers, spam friendly networks, or even simply operators who can't get a handle on outbound spam.

All information provided can help in mapping IP reputation across the internet, and verified information is often shared with our IP reputation partners. Some of those reputation services are designed to be used for outright blocking, while others are more subtle (is this an email marketing friendly operation, but with poor practices) meant to 'flag' messages as possibly Unwanted Bulk email.

By doing this, we help not only our own customers, but world wide email operators. However, we do have to make sure we aren't catching the 'too big to block', e.g. in spite of the large amount of unwanted spam and dangerous phishing from operations like Microsoft or Gmail, you would not want to block ALL email from those operations, even for a short time.

Which is why message then get processed by our content analysis teams.

They are the ones that not only decide how to ensure that our filters and other techniques stop future similar messages, but also to identify the actors, tools, and methods used by the spammers. And when it reaches that stage, complex internal analysis has to be made, to identify the best and most productive ways to
create a more permanent solution to stop not only that specific spam, but also future spam and threat campaigns from similar actors, tools and methods.

No one wants to play 'whack-a-mole' with spam, and spammers are getting trickier all the time. Sometimes they might only run a single campaign for a couple of hours, and other times they like using historically successful campaigns for a very long time.

But often, our team will immediately make new 'filters' for previously unseen spam and techniques, so they can immediately monitor the activity, and see if it is prevalent enough for 'automation'.

The key is always automation. Engineers are expensive, and while we have an incredible team of threat experts, we don't want them making rules for every variant of the content, we want our automated systems to recognize them.

But we CANNOT do this in a way that generates false positives.

So, sometimes some 'none dangerous' spam will take a little longer to be addressed, unless the volumes are VERY high, while the more dangerous spam is
worked on first.

Think of this as 'threat' triage.

With modern day AI now being used to create email content and lures, spammers understanding how to thwart Bayesian checks, and using compromised email accounts to appear legitimate, it is a constant evolving landscape.

And EVERY uncaught message you provides, helps our threat researchers.

But read the following FIRST before sending over samples.
  • You MUST send the email 'as an attachment' only
Our threat teams need to see the exact message as it was delivered to your mailbox, including ALL headers. Some email clients strip valuable information, (such as Outlook) needed to assess the threats and methods used.
  • Make sure your are using our recommended policies
Our recommended policies are there for a reason, and chosen to be VERY safe. Before turning off a policy, please check with the support team. Often it
isn't the policy that is at fault, even though it may seem like that to you. Maybe, it is simply an email client/server configuration error. And of course ANY policy that can possibly catch legitimate email is usually set to 'flag as spam' and can be found in the customers 'Spam' folder. Remember, it COULD be the fault of the sending server/company not following industry best practices for sending email, that sometimes happens. That is what 'whitelisting' is for.
  • If using our custom filters for SpamAssassin, make sure that your installation is using the recommended plugins, AND that the default score for inbound SA filtering is set to 5.0, and outbound to 8.0
  • Try to avoid sending multiple copies of the same email, in the same report.
Our dedicated team takes this very seriously, and are all in-house engineers.

Remember, we NEVER share any Private or Personal information contained in the email examples you send over, but make sure that your policies allow for the sharing of data with 3rd parties, for the use in threat protection.
-- MagicSpam Support Team --

Post Reply

Return to “Frequently Asked Questions (FAQ)”

Who is online

Users browsing this forum: No registered users and 1 guest