How to action on false positive (FP) and false negative (FN) emails

Problem Statement

SCES may quarantine emails for a variety of reasons, including malware detection, spam scoring, phishing indicators, or sender reputation. Two kinds of error are possible: false positives, where legitimate emails are incorrectly quarantined, and false negatives, where malicious emails pass scanning and are delivered.

To address these scenarios, User Defined Policies and Sender ACLs (Access Control Lists) can be applied to override default behavior, allowing administrators to control how emails are handled based on specific quarantine reasons.


Solution

Reports

Administrators can report a false positive or false negative from Message Trace -> Mail Query, using the Action icon on the message in question.

End users can report such cases from MySpace.

User Defined Policy Behavior Based on Quarantine Reason

Quarantine Reason            User Defined Policy             Action
---------------------------  ------------------------------  -------------------------------------
Malware / Advanced Malware   Skip → Attachment Protection    Bypasses malware scanning
Spam / Graymail              Skip → Content Security         Bypasses spam/graymail filters
Phishing                     Skip → Phishing Protection      Bypasses phishing filters
Poor Reputation              Skip → Sender Checks            Bypasses sender reputation checks
Other Reasons                Skip → Sender Checks            Bypasses general sender checks
Any Reason                   Deliver                         Delivers directly, skips all scanning

Policy Notes

  • Action: Deliver
    • Can be applied for any quarantine reason; it bypasses all scanning and delivers the message directly to the next hop.
    • Use with caution: the message is delivered unscanned regardless of what the scanners would have found, so validate the sender before creating such a policy.
  • Sender ACL (Access Control List)
    • Can be used to bypass all scanning and deliver directly.
    • Important Note: A whitelist verification runs before the ACL is evaluated.
      • If the sender domain publishes an SPF record and the message fails SPF authentication, the ACL entry is not applied, so a spoofed message from a whitelisted domain is still scanned.
      • This safeguard exists to prevent abuse of the whitelist mechanism. Note that it can only protect domains that publish SPF: with no SPF record there is no failure to detect, and the ACL entry is applied as written.
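The evaluation order described in these notes, modelled as an added Python example. This is illustration code, not SCES code: the function names, the policy data structures, the domain-keyed matching and the constructed sample messages are assumptions for the example. SPF results are read from an RFC 8601 Authentication-Results header, where spf=none means the sender domain publishes no SPF record; treating softfail as a failure is also an assumption.

```python
"""Model of the override evaluation order described above.

Added illustration, not SCES code: function names, policy structures,
matching criteria and sample messages are assumptions for this example.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Quarantine reason -> the User Defined Policy "Skip" action that lifts it
# (the mapping in the table above).
SKIP_ACTION = {
    "malware": "Skip -> Attachment Protection",
    "advanced_malware": "Skip -> Attachment Protection",
    "spam": "Skip -> Content Security",
    "graymail": "Skip -> Content Security",
    "phishing": "Skip -> Phishing Protection",
    "poor_reputation": "Skip -> Sender Checks",
    "other": "Skip -> Sender Checks",
}

# RFC 8601 result tokens; "none" means the domain has no SPF record.
SPF_RE = re.compile(r"\bspf=(pass|fail|softfail|neutral|temperror|permerror|none)\b", re.I)


def sender_domain(msg):
    """Domain part of the From: address, lower-cased."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()


def spf_result(msg):
    """SPF result recorded in Authentication-Results ('none' if absent)."""
    m = SPF_RE.search(msg.get("Authentication-Results", ""))
    return m.group(1).lower() if m else "none"


def acl_applies(msg, sender_acl):
    """Whitelist verification that precedes ACL evaluation.

    The ACL entry is honoured unless the sender domain has an SPF record and
    the message failed SPF. A domain with no record ('none') gets no
    safeguard at all, which is why SPF should be verified before trusting an
    ACL entry. Counting softfail as a failure is an assumption.
    """
    if sender_domain(msg) not in sender_acl:
        return False
    result = spf_result(msg)
    has_record = result != "none"
    failed = result in ("fail", "softfail")
    return not (has_record and failed)


def resolve_action(msg, quarantine_reason, sender_acl=(), user_policies=()):
    """Decide what happens to a message the scanners would otherwise quarantine.

    Order modelled: whitelist verification -> Sender ACL -> User Defined
    Policies -> default quarantine. Policies are keyed by sender domain here
    (assumption). A 'Deliver' policy has no SPF safeguard in this model, which
    is the hazard the best-practice notes warn about.
    """
    if acl_applies(msg, sender_acl):
        return "deliver (Sender ACL)"
    domain = sender_domain(msg)
    for policy in user_policies:
        if policy["sender_domain"] != domain:
            continue
        if policy["action"] == "Deliver":
            return "deliver (User Defined Policy: Deliver)"
        if policy["action"] == SKIP_ACTION.get(quarantine_reason):
            return f"deliver ({policy['action']})"
    return f"quarantine ({quarantine_reason})"


def make_msg(sender, spf):
    """Constructed sample message carrying one Authentication-Results header."""
    domain = sender.rpartition("@")[2]
    return message_from_string(
        f"From: {sender}\n"
        f"Authentication-Results: mx.example.net; spf={spf} smtp.mailfrom={domain}\n"
        "Subject: test\n\nbody\n"
    )


if __name__ == "__main__":
    acl = {"partner.example"}
    policies = [
        {"sender_domain": "newsletter.example", "action": "Skip -> Content Security"},
        {"sender_domain": "vendor.example", "action": "Deliver"},
    ]
    cases = [
        ("partner, SPF pass, in ACL", make_msg("a@partner.example", "pass"), "spam"),
        ("spoofed partner, SPF fail, in ACL", make_msg("a@partner.example", "fail"), "phishing"),
        ("partner with no SPF record, in ACL", make_msg("a@partner.example", "none"), "phishing"),
        ("newsletter quarantined as spam", make_msg("n@newsletter.example", "pass"), "spam"),
        ("newsletter quarantined as phishing", make_msg("n@newsletter.example", "pass"), "phishing"),
        ("spoofed vendor with Deliver policy", make_msg("v@vendor.example", "fail"), "malware"),
    ]
    for label, msg, reason in cases:
        print(f"{label}: {resolve_action(msg, reason, acl, policies)}")
```

The two cases to compare are the spoofed partner (ACL ignored because SPF failed, message falls through to quarantine) and the spoofed vendor (Deliver policy honoured with no authentication check at all). The no-SPF-record partner shows why an ACL entry for a domain without SPF should be created only after assessing that domain separately.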

Additions – Actions and Best Practices

  1. Evaluate False Positives:
    • Review quarantined items by quarantine reason.
    • Apply the User Defined Policy whose "Skip" action matches the scan that caused the quarantine, and nothing broader.
  2. Avoid Overbroad Bypassing:
    • Prefer a specific "Skip" action over a general "Deliver" action unless the sender is fully trusted.
    • Always validate sender identity before creating "Deliver" policies or ACL entries; a "Deliver" policy carries no authentication check of its own.
  3. Use Sender ACL Carefully:
    • Verify that the sender domain publishes an SPF record and that its mail passes SPF before trusting an ACL override; the whitelist verification cannot protect a domain that has no SPF record.
    • Consider the trustworthiness and historical behavior of the sending IPs and domain.
  4. Monitor and Review:
    • Audit logs regularly for false positives and false negatives, including mail delivered via an override.
    • Adjust User Defined Policies and ACL entries as threat intelligence and sender behavior change, and remove overrides that are no longer needed.

Please reach out to wecare@sorbsecurity.com if you have any questions.