Q&A

Question

How do I minimize the risk of false positives using MailMarshal SMTP?


Answer

False positives are an inconvenience of spam filtering. They occur when legitimate messages are inadvertently classified as spam and filtered out, potentially becoming "lost".

False negatives (spam which is not caught in the spam-filtering process) can also be inconvenient and annoying to end users, but rarely impact businesses if the false negative rate is low (less than one percent). False positives, however, have more dramatic consequences. If a critical email is mistakenly quarantined, there can be direct financial repercussions to a business. Often, false positives are newsletters or other similar types of communications. Email administrators should try to minimize false positives as much as possible. MailMarshal SMTP provides a range of tools to minimize false positives.

Build an Administrative Whitelist

The most effective way to reduce false positives is to create and maintain an accurate and up-to-date whitelist. This whitelist should comprise email addresses which you know to be safe. Members of the whitelist should be exempted from most content filtering checks.

Ideally, whitelist membership should include entire domains that you regularly do business with (*@acmecorp.zz). However, if a domain is commonly used for spamming or other illegal activities (for instance, the domains of large banks, or Hotmail), you must not whitelist the entire domain. Instead, whitelist only specific legitimate email addresses within that domain (itsupport@largebank.zz).

TIP: An easy way to build a whitelist is to monitor the flow of outbound email from your users to external organizations for a few weeks and compile a list of candidates for inclusion.

If whitelisted, a message should be excluded from some, but not all, content filtering checks. This is because email is easily forged, and malicious email could bypass security checks by masquerading as a trusted source. Marshal recommends that whitelisted email skip spam checks, but be subjected to normal virus scanning and sender authentication checks (SPF and Sender-ID).
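The following is an added example, not MailMarshal's own code: it builds candidate whitelist entries from a constructed outbound log (the TIP above), matching whole domains for regular correspondents but only exact addresses for abused domains, and then applies the recommended policy in which whitelisted senders skip the spam check but still pass through virus scanning and SPF. The log, the abused-domain list and the disposition names are assumptions for the example.

```python
from collections import Counter
from fnmatch import fnmatchcase

# Constructed outbound log (sender, recipient) gathered over a few weeks,
# as the TIP above suggests. All addresses are made up.
OUTBOUND_LOG = [
    ("alice@example.zz", "sales@acmecorp.zz"),
    ("alice@example.zz", "support@acmecorp.zz"),
    ("bob@example.zz", "itsupport@largebank.zz"),
    ("bob@example.zz", "sales@acmecorp.zz"),
    ("carol@example.zz", "friend@hotmail.zz"),
]
# Domains too heavily abused by spammers to whitelist wholesale; only the
# exact addresses we actually correspond with are proposed (assumed list).
NEVER_WHOLE_DOMAIN = {"largebank.zz", "hotmail.zz"}

def whitelist_candidates(log, min_messages=2):
    """Propose whitelist entries: *@domain for domains we mail regularly,
    exact addresses only for domains in NEVER_WHOLE_DOMAIN."""
    by_domain = Counter(rcpt.split("@")[1].lower() for _, rcpt in log)
    entries = set()
    for _, rcpt in log:
        rcpt = rcpt.lower()
        domain = rcpt.split("@")[1]
        if domain in NEVER_WHOLE_DOMAIN:
            entries.add(rcpt)
        elif by_domain[domain] >= min_messages:
            entries.add("*@" + domain)
    return sorted(entries)

def is_whitelisted(sender, whitelist):
    """Case-insensitive match; '*' in an entry is a wildcard."""
    sender = sender.lower()
    return any(fnmatchcase(sender, entry.lower()) for entry in whitelist)

def dispose(msg, whitelist, spam_threshold=5):
    """Disposition of one constructed message (dict with from, has_virus,
    spf_pass, spam_score). Whitelisting skips only the spam check; virus
    scanning and sender authentication still run, so a forged sender that
    fails SPF is quarantined even though its address is whitelisted."""
    if msg["has_virus"]:
        return "blocked_virus"
    if not msg["spf_pass"]:
        return "quarantined_spf_fail"
    if is_whitelisted(msg["from"], whitelist):
        return "delivered_whitelisted"
    if msg["spam_score"] >= spam_threshold:
        return "quarantined_spam"
    return "delivered"
```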

Have Your Users Build Their Own Whitelist

Individual users are likely to have a better idea about whom they need to communicate with than an administrator. MailMarshal SMTP's Spam Quarantine Management system allows users to build their own personal whitelists and blacklists, giving users direct control over their email. Increased user control helps reduce email administrators' workloads and ensures user whitelists are accurate and up-to-date.

Use Digests

Spam Quarantine Digests are condensed email reports which provide summary information to a user about spam messages addressed to them that have been blocked. MailMarshal SMTP can be configured to send regular digests to end users, such as once a day. With a quick glance down the table, your users should be able to identify any false positives, release them, and add the sender to their whitelists.

Digests can be configured in a variety of ways. See the MailMarshal User Guide for more information.

Automatic Adaptive IP Whitelisting

DNS blacklists, such as Spamhaus and Spamcop, include IP addresses based on reports of spam originating from the address. Generally, these lists are effective anti-spam tools, but their false positive rates can be higher than other detection technologies. These organizations have wildly different policies on what behavior merits a listing, and some organizations can be overly aggressive and blacklist an innocent company. In addition, simple mistakes can be made by an organization, causing innocent parties to be inadvertently blacklisted.

MailMarshal SMTP 6.4 introduces automatic adaptive IP whitelisting to significantly reduce the risk of false positives when using RBLs. This feature automatically builds and maintains an IP whitelist with rolling membership. Inclusion in the adaptive IP whitelist is based on a combination of the frequency of outgoing emails sent to IP addresses and MailMarshal's assessment of the amount of spam-like email it receives from those addresses. If whitelisted, an IP address is automatically excluded from DNS blacklist checks. This feature is automatically enabled in MailMarshal SMTP 6.4.
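An added illustration of how rolling adaptive IP whitelisting can be computed (example code, not MailMarshal's implementation): membership is recomputed from a sliding window of outbound mail to an IP and the share of inbound mail from it judged spam-like, so an IP drops off the list when correspondence stops or its traffic turns spammy. The window length, thresholds, event log and IP addresses are all assumptions for the example.

```python
from datetime import date, timedelta

# Thresholds are assumptions for the example; MailMarshal's own values
# are not given on the page.
WINDOW_DAYS = 14       # rolling window: older events no longer count
MIN_OUTBOUND = 5       # outbound messages to the IP needed within the window
MAX_SPAM_RATIO = 0.2   # max share of inbound mail from the IP that looks spammy

TODAY = date(2008, 3, 1)

def _days_ago(n):
    return TODAY - timedelta(days=n)

# Constructed event log: (day, direction, peer_ip, spam_like) using
# documentation IP ranges. 203.0.113.10 is a clean business partner;
# 198.51.100.7 receives our mail too but sends mostly spam-like traffic.
EVENTS = (
    [(_days_ago(d), "out", "203.0.113.10", 0) for d in range(1, 7)]
    + [(_days_ago(d), "in", "203.0.113.10", 0) for d in range(1, 5)]
    + [(_days_ago(d), "out", "198.51.100.7", 0) for d in range(1, 7)]
    + [(_days_ago(d), "in", "198.51.100.7", 1) for d in range(1, 4)]
    + [(_days_ago(d), "in", "198.51.100.7", 0) for d in range(4, 6)]
)

def window_stats(events, ip, today):
    """(outbound count, inbound count, spam-like inbound count) for ip
    over the last WINDOW_DAYS days ending at today."""
    cutoff = today - timedelta(days=WINDOW_DAYS)
    out = inbound = spammy = 0
    for day, direction, peer, spam_like in events:
        if peer != ip or day <= cutoff:
            continue
        if direction == "out":
            out += 1
        else:
            inbound += 1
            spammy += spam_like
    return out, inbound, spammy

def is_adaptively_whitelisted(events, ip, today):
    """Membership is recomputed from the window, so it rolls off when we
    stop mailing the IP or when it starts sending spam-like mail."""
    out, inbound, spammy = window_stats(events, ip, today)
    ratio = spammy / inbound if inbound else 0.0
    return out >= MIN_OUTBOUND and ratio <= MAX_SPAM_RATIO

def needs_rbl_check(events, ip, today):
    """DNS blacklist lookups are skipped for whitelisted IPs."""
    return not is_adaptively_whitelisted(events, ip, today)
```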

Separate Definite Spam from Borderline Spam

MailMarshal SMTP uses a range of technologies and techniques to detect and block spam. Some technologies, such as MailMarshal's SpamCensor and RBLs, have a false positive rate below 0.001%. Other technologies, such as MailMarshal SpamProfiler, SPF and Sender-ID, have even lower false positive rates, near zero. By default, MailMarshal places all spam into a single spam folder. However, it may be appropriate to separate email detected by layers with low false positive rates from email detected by layers with higher false positive rates. You also might want to separate any suspected spam of a pornographic or explicit nature and deny end-user review of it. For example, because SpamProfiler is so unlikely to generate a false positive, it is generally safe to place email detected by it into a folder which is not checked for false positives either by users or email administrators.

Conversely, messages detected by Marshal's SpamCensor technology may occasionally be legitimate messages and should be reviewed regularly for false positives either by an email administrator or an end user using the Spam Quarantine Management system. The advantage here is that MailMarshal can detect more than ninety percent of spam as definite spam at near zero false positive rate. This means that only around ten percent of suspect spam would require review for false positives by end users. This makes it a fast and simple process.

