
Managing False Positives & False Negatives
Proofpoint Essentials
April 2015
Reporting spam (no feedback provided from Proofpoint)
Option 1: Easy Spam Reporting Disclaimer
Enabling the setting below adds a disclaimer, including a link, to all inbound email (see the 2nd screenshot
below). The user can just click the link if they feel we missed blocking a spam email. This does not add the sender to
the blocked list, nor does the user receive any feedback regarding the spam email.
Proofpoint Essentials False Positive/Negative Reporting
Example Email below with Easy Spam Reporting Disclaimer enabled.
Option 2: Spam reporting via the Log Tab (Admin) or Quarantine Tab (End User)
The Admin can do a Log search of Cleared (clean) email, check the boxes of any email they feel is spam, and hit
apply. This does not add the senders to the blocked list, nor will it provide any feedback.
The End User can report spam through the Quarantine tab search. They just search Cleared (clean) email,
check the boxes, and hit apply to report spam. This does not add the sender to a blocked list, nor will it provide any
feedback to the user.
Reporting Spam or Malicious email getting through by opening a support case
The customer would first contact AT&T support and provide all of the details like the permalink from log search
(below), header information and/or forward the email as an attachment. AT&T support would then open a case with
Proofpoint Support to investigate the issue.
Adding Senders to the Approved/Blocked lists
Users whose legitimate messages get quarantined have several options for adding the sender to their
approved list. If they would like to investigate a particular email further, this will require opening a case with AT&T
support, who in turn will need to open a case with Proofpoint Support as described above.
Daily Digest option – users can release a message and approve the sender going forward by clicking Release &
Approve within the Digest.
Users can add Approved/Blocked senders in the Sender Lists tab (providing they have access to this tab).
Adding approved / Blocked Senders from the Log Search or Quarantine tab:
Users or Admins can click on the Detail button of a particular message when doing a log search and add the
sender to the Approved list (if they are doing a quarantine search) or the Blocked list (if they are doing a clean
search).
They can also approve a sender from the Action drop down menu when doing a real time quarantine search.
Some general information from our Knowledge Base
http://support.proofpointessentials.com/index.php?/Core/Default/Index
How to ask assistance from Support to investigate an email problem
Reporting an email problem to Proofpoint Essentials Support requires a few pieces of
information that will assist us in narrowing down and investigating the issue, or even just
for us to make useful suggestions.
First though, if this problem is regarding a misclassification, we strongly recommend that
you consult our knowledgebase article 'How to tune Proofpoint Essentials spam detection
performance'. Unless there's a real classification bug with the Proofpoint Essentials
engine - which is rare - our advice would be based on the information in that
knowledgebase article because there is only this one set of tools which we all use. We
can make suggestions though, and we can investigate where something might clearly be
going wrong, and if you get stuck on a problem we'd be happy to help.
There are three things which we can use to investigate or advise on an email problem:

The Permalink is, amongst other things, a very convenient reference for us to
use to immediately find the email you're talking about. You can find it for any
email in the Email Logs section in the Proofpoint Essentials Interface; just click
on the message row and bring up the Email Detail page. If the email in
question is not in Email Logs, it didn't pass through Proofpoint Essentials (but
maybe you have a bounce problem?).

The full internet headers of the email contain some other useful information
regarding where the email came from, how it was constructed, the history of
the email's travel between mail servers, etc., and often this will contain the
answer we seek. Simply forwarding an email, either inline or as an
attachment, in most cases does not include this header information; the
procedure for obtaining the headers will differ from email client to email client,
so please refer to the help pages for that email client.

The email body might contain some final clues that would help us to determine,
“What is the most appropriate way to deal with the problem?”, and it would
certainly help us to understand what it is you expect from Proofpoint Essentials
regarding this email. Of course, some emails are private and you'd prefer not
to share the body; that might only hinder us, depending on what kind of advice
you are looking for.
In other words, a fully composed support query would generally contain a paragraph
providing the Permalink along with a description of the problem, what you've tried so
far and how it has failed you, followed by a paste of the problem email's full internet
headers, with the body of the email in question attached. If this is about a
series of emails, please provide as many indicative Permalinks as you think appropriate,
one good example of the headers and body, and a note describing the linking
pattern in this series of emails that is the problem. It all depends on the situation, of
course; please use fair judgment and think from the point of view of someone trying to
assist with a problem: we want to be able to help you out faster and avoid a time-consuming to-and-fro of us asking for more information.
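The following Python sketch is an added example, not Proofpoint's code or part of the original guide: it assembles the support query described above from a message saved in raw form, pulling out the full header block and the mail-server route that a plain forward loses. The sample message, host names and the permalink placeholder are constructed assumptions.

```python
# Added example (not Proofpoint code): assemble a support query from a saved raw message.
from email import message_from_bytes

# Constructed sample message; hosts and addresses are reserved example values.
SAMPLE_EML = (
    b"Received: from mx.filter.example (mx.filter.example [192.0.2.10])\r\n"
    b"\tby mail.mydomain.example with ESMTP id A1; Wed, 01 Apr 2015 10:00:05 +0000\r\n"
    b"Received: from sender.example.net (sender.example.net [198.51.100.7])\r\n"
    b"\tby mx.filter.example with ESMTP id B2; Wed, 01 Apr 2015 10:00:01 +0000\r\n"
    b"From: Offers <offers@sender.example.net>\r\n"
    b"To: info@mydomain.example\r\n"
    b"Subject: Limited time offer\r\n"
    b"Message-ID: <constructed-1@sender.example.net>\r\n"
    b"\r\n"
    b"Body text, which is all that a plain forward usually preserves.\r\n"
)

def full_headers(raw: bytes) -> str:
    """Header block as received: everything before the first blank line."""
    sep = b"\r\n\r\n" if b"\r\n\r\n" in raw else b"\n\n"  # tolerate LF-only files
    head = raw.partition(sep)[0]
    return head.decode("utf-8", errors="replace").replace("\r\n", "\n")

def received_hops(raw: bytes) -> list[str]:
    """Received lines in travel order. Each server prepends its own, so reverse them."""
    hops = message_from_bytes(raw).get_all("Received", [])
    return [" ".join(str(h).split()) for h in reversed(hops)]  # unfold continuation lines

def support_query(permalink: str, problem: str, raw: bytes) -> str:
    """Text for the case: Permalink, description, route summary, then full headers."""
    msg = message_from_bytes(raw)
    lines = [
        f"Permalink: {permalink}",
        f"Problem: {problem}",
        f"Subject: {msg.get('Subject', '(none)')}",
        "Route (oldest hop first):",
        *[f"  {i}. {hop}" for i, hop in enumerate(received_hops(raw), 1)],
        "",
        "Full internet headers:",
        full_headers(raw),
    ]
    return "\n".join(lines)

if __name__ == "__main__":
    # The permalink value is a placeholder; copy the real one from the Email Detail page.
    print(support_query("<PERMALINK-PLACEHOLDER>", "Spam delivered as clean", SAMPLE_EML))
```

The body is deliberately left out of the generated text; attach the original message separately if you are willing to share it.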
How to tune Proofpoint Essentials' Spam detection
The Proofpoint Essentials default Spam settings should be suitable for most situations,
but there are cases where some manual influence can help the system in making better
decisions. For example, marketing newsletters can be problematic in that the engine has
to decide which ones are desirable and which ones are not. Also, some accounts, like an
'info@mydomain' account, can have a different email type profile, and can do well with
some fine-tuning. You can use the following available tools to customize the Proofpoint
Essentials Spam classification:

Whitelist (Allow filter) rules, and the Release Always button: Senders you
might need to whitelist include legitimate Rolex traders in which you might have a
real interest, contacts that use a very spammy template full of images for their
html disclaimer, or normal contacts if you have a very sensitive Spam Slider
setting. The Release Always button from the Summary Report is an easy way to
create whitelist rules for a sender, and the benefit from creating the rules is that
as the system learns, over time it will need to be done less often.

Blacklist (Block filter) rules: Senders you might want to blacklist include
difficult-to-classify spam with predictable sender addresses, borderline marketing
emails you can't seem to unsubscribe from, or (temporarily) your corporate
website contact form which got hacked and is sending spam, which does occur
occasionally. Does all your spam come from a ".ru" sender? Then use the Sender
email address filter. Does all your spam originate from IP addresses in
China? Then use the IP Country filter (available in the Pure filter extensions,
which also allows sender body text filter types and others). Do you receive many
semi-legitimate bulk emails with "Unsubscribe" links at the bottom? Try creating
a low priority body text Pure filter for "Unsubscribe", and individual whitelist filters
for your real newsletters, and be careful for false alarms. Another good tip for a
block rule is to block your own email address... normally, if you really email
yourself from your own account, it doesn't pass through us, but often spammers
use your own email address as the sender. We cannot take action on this en
masse because many web contact forms use the same address for both sender
and recipient. For more tips on using the filters, you can look at the Expanded
Overview on Filters.

'Report' emails using Email Logs on the Proofpoint Essentials Interface
These reports are used by the nightly Proofpoint Essentials' engine maintenance
jobs to update our statistical anti-spam component with a better idea of what is
spam and what is innocent on a per-organization basis, in other words it controls
custom learning for your type of email. It only takes a few examples of a certain
kind of email before the correction becomes strong enough to cross your spam
threshold. Some common sense and care is needed in what emails are reported in
this way. If you report any low priority email you don't like or have received by
accident or if you don't want to bother unsubscribing from a true mailing list, you
could end up confusing the Proofpoint Essentials' anti-spam component's job of
separating out the real malicious, unsolicited spam stuff from innocent email. So,
just consider the engine's responsibility to make decisions automatically, and you
could really improve its performance. And don't panic if you've reported one
wrong email by accident, the system will continue to train itself. Look here to
perform spam reporting from the email logs.

Spam Disclaimer: The Spam Disclaimer is an optional organization-wide or per-user setting that adds a little footer to incoming emails with a URL you can click
that will take you to the Proofpoint Essentials Interface's Permalink page where
the email will immediately be marked as "Reported", and where you will also have
access to quick dropdown sender filter options for faster results. Please ensure
you've read the section on Reporting above before deciding which course of action
to take. To turn on the Spam Disclaimer, look here. Note - the Spam Disclaimer
doesn't do anything not available in the interface except to provide a shortcut, so
if you do not see the Spam Disclaimer, just log in and search for that email in your
Email Logs.

Spam Sensitivity Slider: This tool adjusts where the Proofpoint Essentials engine
should make that call between Clean/Innocent, and Spam which it will
quarantine. Misclassifications might, in some cases, be just on the other side of
that decision line, and you could experiment with slight adjustments here. Please
bear in mind that this tool can be a big hammer, it does what it says: If you set
the slider to be more sensitive, more email will get quarantined, clean or spam. If
you set it less sensitive, more emails will get passed, clean or spam. The default
setting should be fine in most cases as the system is designed around it, but the
volume-of-spam versus risk-of-catching-real-emails profile can be different for
different email accounts, especially for 'info@mydomain' type accounts, and the
Spam Slider can be very useful there. The Release Always button will always work
here as well, so you can combine it with a more sensitive Spam Slider setting if
your senders are fairly regular, but some email accounts like 'sales@mydomain'
might rely on receiving emails from unknown senders all the time, so just be
careful there. Or if you're happy enough that your account receives virtually no
spam you can leave the slider at a less sensitive position.

Spam Stamp & Forward: Most companies/users will want their Spam filters on.
But if not, you can choose the Stamp & Forward option. This will mark the email
as having been classified as Spam but will still deliver it to the intended recipient.
For adjusting the spam sensitivity bar and stamp & forward options, look at
the Spam Settings Overview.