
Submitting False Positive Spam

I have sent several false positive spam messages to spam@access.ironport.com

Does anyone have any idea how to check whether every false positive spam message sent to spam@access.ironport.com has already been updated?


Pat_ironport
Level 1

How does it work? Do you check every single incoming mail manually? What exactly do you check? Could you please tell us your process to add/remove a spam-report to the above mail address?

bfayne_ironport
Level 1

False positives should go to ham@access.ironport.com

False negatives (missed spam) should be sent to spam@access.ironport.com

Pat_ironport
Level 1

Can I just forward such a (non) SPAM-Mail to the above addresses?
Do I have to add some information about the number of recipients, my serial-number or something else?

Erich_ironport
Level 1

Part of the analysis is done based on the IPAS X-header signature tags as to why the message was processed wrong (spam vs. ham when it should have been the other).

Often, new rules take care of false positives.

However, if a false positive is critical to your business or is not resolved by new rules within a reasonable amount of time, please contact IronPort Support.

pvdberg00
Level 1

To send a missed spam or incorrectly marked as not-spam email to IronPort Systems for examination, there are a number of ways to submit messages.

Unless submitted through a plug in (MS Outlook, not MS Outlook Express), messages forwarded must be RFC-822 compliant attachments.
Please note: forwards of previously forwarded messages cannot be processed at this time.
The preferred method is to use the plug in for Outlook, found on the IronPort Anti-Spam page of our portal, but for customers using clients other than Microsoft Outlook, there are other alternatives. Details for ensuring RFC-822 compliant attachments for MS Outlook (including Express), Lotus Notes, (Mac) Entourage, Thunderbird, are detailed in the link below.

Go to your email program and follow the instructions to attach the email as an RFC-822 MIME encoded attachment. See article 472.

Send false negative (missed spam) to spam@access.ironport.com.
Send false positive (mail marked as spam, but is actually ham) email to IronPort Systems to ham@access.ironport.com.

Each message is reviewed by a team of human analysts and used to enhance the accuracy and effectiveness of the product.

Note: Although every report sent as an RFC-822 attachment to this address will be reviewed, most submissions will not receive an actual physical reply from IronPort.


Symantec provides two email addresses specifically to receive false positive and false negative reports.

Messages that have been scanned by Brightmail and resulted in false positives should be sent with all headers to gfeedback@feedback-1.brightmail.com.
Messages that have been scanned and are false negatives should be sent, with all headers, to gsubmit@submit-1.brightmail.com.
Important - You must send FULL HEADERS and BODY in the message as an RFC-822 MIME encoded attachment when submitting messages to these addresses. Symantec must receive false positives and negatives within 24 hours from the date initially sent to effectively write rules and filter the spam.


Note - If you can't see the Brightmail header "X-BrightmailFiltered: true" in the message you're sending to Symantec, then either the message was not filtered through Brightmail or you aren't forwarding all headers. If you don't have all headers available to you because of a defective email client, you should not submit the message to Symantec, as it will not be reviewed.

Pat_ironport
Level 1

"The preferred method is to use the plug in for Outlook, found on the IronPort Anti-Spam page of our portal"
Unfortunately, this plugin only works with the English Outlook - but there are some other languages out there. 8)

"...but there are other alternatives. ...are detailed in the link below."
Sorry, I can't find this link.

"See article 472."
From the IronPort-KB? Is there a possibility to create a direct URL to this KB-Entry?

This reporting way is not that easy and you have to change the mail-settings for every spam-message.
It would be much better to have a working plugin for the non-English Outlook. :wink:

pvdberg00
Level 1

Pat, which version of the Outlook plug-in are you using?

Pat_ironport
Level 1

The newest officially available v 1.7 - is there any other version around?

pvdberg00
Level 1

There is another version. But this is an older one (version 1.5).

Pat_ironport
Level 1

And this older version (1.5) works with a non-English Outlook like my German one?

pvdberg00
Level 1

I don't know but it is worth trying it I think.

The link to the kb is https://ironport.custhelp.com/cgi-bin/ironport.cfg/php/enduser/std_adp.php?p_faqid=472

Pat_ironport
Level 1

If I understand this article, my most important steps are:

a) Hold down the control key (Ctrl) and highlight at least two (spam- or not-spam-)messages.

b) Right Click on the highlighted messages, choose Forward.
(This "forces" Outlook to use RFC-822 - really?)

If I only have one spam-mail to report, I delete the other attachment.

c) I send attachment(s) for false negative (missed spam) to spam@access.ironport.com
and for false positive (mail marked as spam, but is actually ham) email to IronPort Systems to ham@access.ironport.com.

That's all? And these attachments can be analyzed by IronPort?

Erich_ironport
Level 1

In Outlook 2007 when you right mouse click the menu will say "Forward Items" not just "Forward".

Basically you need to send the examples as attachments.

You can also open a new email to spam@access.ironport.com or ham@access.ironport.com, whichever is the case, and "drag n' drop" the examples into the new email. This will make them an attachment in the correct format.

The problem is a standard "Forward" does not include the original email in its original format, it removes the email headers.

Erich
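
The difference described in the replies above, as an added example that is not part of the original thread or any IronPort tool: Python's standard `email` package wraps a message as a message/rfc822 attachment, and a simulated plain forward of the same message loses the filter headers. The sample message, the sender address and the function names are assumptions; the report addresses and the `X-BrightmailFiltered` header come from the thread.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Report addresses as given in the thread.
REPORT_TO = {
    "missed_spam": "spam@access.ironport.com",    # false negative
    "false_positive": "ham@access.ironport.com",  # ham marked as spam
}

# Constructed sample; hosts, addresses and header values are made up.
SAMPLE = (
    b"Received: from mx.example.net (mx.example.net [192.0.2.10])\r\n"
    b"\tby gw.example.org; Mon, 04 Jun 2007 10:00:00 +0200\r\n"
    b"X-BrightmailFiltered: true\r\n"
    b"From: Alice <alice@example.net>\r\n"
    b"To: bob@example.org\r\n"
    b"Subject: Quarterly invoice\r\n"
    b"Message-ID: <1234@example.net>\r\n"
    b"\r\n"
    b"Please find the invoice attached.\r\n"
)

def build_report(raw, kind, sender):
    """Wrap the unmodified original as a message/rfc822 attachment."""
    original = message_from_bytes(raw, policy=policy.SMTP)
    report = EmailMessage(policy=policy.SMTP)
    report["From"], report["To"] = sender, REPORT_TO[kind]
    report["Subject"] = "Report: " + kind
    report.set_content("Original message attached as message/rfc822.")
    report.add_attachment(original)  # a Message object becomes a message/rfc822 part
    return report

def inline_forward(raw, kind, sender):
    """Simulate a plain Forward: body text only, original headers dropped."""
    original = message_from_bytes(raw, policy=policy.SMTP)
    fwd = EmailMessage(policy=policy.SMTP)
    fwd["From"], fwd["To"] = sender, REPORT_TO[kind]
    fwd["Subject"] = "FW: " + original["Subject"]
    fwd.set_content(original.get_content())
    return fwd

def attached_original(wire_bytes):
    """Parse as the receiver would; return the attached message, or None."""
    msg = message_from_bytes(wire_bytes, policy=policy.SMTP)
    for part in msg.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_content()
    return None
```

Running `attached_original()` on a report before sending is a quick check that the filter headers are actually present in what will be submitted.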