How to tune Proofpoint Essentials' Spam detection
The Proofpoint Essentials default Spam settings should be suitable for most situations, but there are cases where some manual influence can help the system make better decisions. For example, marketing newsletters can be problematic in that the engine has to decide which ones are desirable and which ones are not. Also, some accounts, such as an 'info@mydomain' account, can have a different email type profile and can do well with some fine-tuning. You can use the following tools to customize the Proofpoint Essentials Spam classification:
- Whitelist (Allow filter) rules, and the Release Always button: Senders you might need to whitelist include legitimate Rolex traders in whom you might have a real interest, contacts that use a very spammy template full of images for their HTML disclaimer, or normal contacts if you have a very sensitive Spam Slider setting. The Release Always button from the Summary Report is an easy way to create whitelist rules for a sender, and the benefit of creating the rules is that, as the system learns, it will need to be done less often over time.
- Blacklist (Block filter) rules: Senders you might want to blacklist include difficult-to-classify spam with predictable sender addresses, borderline marketing emails you can't seem to unsubscribe from, or (temporarily) your corporate website contact form which got hacked and is sending spam, which does occur occasionally. Does all your spam come from a ".ru" sender? Then use the Sender email address filter. Does all your spam originate from IP addresses in China? Then use the IP Country filter (available in the Pure filter extensions, which also allows sender body text filter types and others). Do you receive many semi-legitimate bulk emails with "Unsubscribe" links at the bottom? Try creating a low priority body text Pure filter for "Unsubscribe" and individual whitelist filters for your real newsletters, and watch out for false alarms. Another good tip for a block rule is to block your own email address. Normally, if you really email yourself from your own account, it doesn't pass through us, but spammers often use your own email address as the sender. We cannot take action on this en masse because many web contact forms use the same address for both sender and recipient. For more tips on using the filters, you can look at the Expanded Overview on Filters.
- 'Report' emails using Email Logs on the Proofpoint Essentials Interface: These reports are used by the nightly Proofpoint Essentials engine maintenance jobs to update our statistical anti-spam component with a better idea of what is spam and what is innocent on a per-organization basis; in other words, reporting controls custom learning for your type of email. It only takes a few examples of a certain kind of email before the correction becomes strong enough to cross your spam threshold. Some common sense and care is needed in deciding which emails to report in this way. If you report any low priority email you don't like or have received by accident, or if you report a true mailing list because you don't want to bother unsubscribing from it, you could end up confusing the anti-spam component's job of separating the real malicious, unsolicited spam from innocent email. So keep in mind that the engine is responsible for making decisions automatically, and you could really improve its performance. And don't panic if you've reported one wrong email by accident; the system will continue to train itself. Look here to perform spam reporting from the email logs.
- Spam Disclaimer: The Spam Disclaimer is an optional organization-wide or per-user setting that adds a small footer to incoming emails. The footer contains a URL you can click that takes you to the Proofpoint Essentials Interface's Permalink page, where the email will immediately be marked as "Reported" and where you will also have access to quick dropdown sender filter options for faster results. Please ensure you've read the section on Reporting above before deciding which course of action to take. To turn on the Spam Disclaimer, look here. Note: the Spam Disclaimer doesn't do anything that isn't available in the interface; it only provides a shortcut. If you do not see the Spam Disclaimer, just log in and search for that email in your Email Logs.
- Spam Sensitivity Slider: This tool adjusts where the Proofpoint Essentials engine should make the call between Clean/Innocent and Spam, which it will quarantine. Misclassifications might, in some cases, be just on the other side of that decision line, and you could experiment with slight adjustments here. Please bear in mind that this tool can be a big hammer; it does what it says. If you set the slider to be more sensitive, more email will get quarantined, clean or spam. If you set it less sensitive, more emails will get passed, clean or spam. The default setting should be fine in most cases as the system is designed around it, but the volume-of-spam versus risk-of-catching-real-emails profile can be different for different email accounts, especially for 'info@mydomain' type accounts, and the Spam Slider can be very useful there. The Release Always button will always work here as well, so you can combine it with a more sensitive Spam Slider setting if your senders are fairly regular. Some email accounts, like 'sales@mydomain', might rely on receiving emails from unknown senders all the time, so be careful there. Or, if you're happy enough that your account receives virtually no spam, you can leave the slider at a less sensitive position.
- Spam Stamp & Forward: Most companies/users will want their Spam filters on. But if not, you can choose the Stamp & Forward option. This will mark the email as having been classified as Spam but will still deliver to the intended recipient.

For adjusting the spam sensitivity bar and stamp & forward options, look at the Spam Settings Overview.
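
The trade-off described under the Spam Sensitivity Slider, and the effect of combining a more sensitive setting with Release Always rules, shown as an added illustration that is not Proofpoint code. It assumes a simplified model in which each message carries one spam score and is quarantined at or above a threshold; the senders, scores and threshold values are constructed.

```python
# Simplified model (assumption): one spam score per message in [0, 1]; a message is
# quarantined when score >= threshold unless its sender has an allow rule.
# This does not reproduce Proofpoint Essentials' real scoring or slider scale.
from collections import Counter

# Constructed sample mail: (sender, score, is_spam)
MAIL = [
    ("alice@partner.example", 0.35, False),
    ("alice@partner.example", 0.62, False),     # image-heavy HTML disclaimer
    ("news@vendor.example", 0.58, False),       # wanted newsletter
    ("newlead@unknown1.example", 0.55, False),  # first-time sender
    ("newlead@unknown2.example", 0.48, False),  # first-time sender
    ("promo@bulk1.example", 0.52, True),
    ("promo@bulk2.example", 0.66, True),
    ("x9@spam.example", 0.91, True),
]

# Regular correspondents that would get a "Release Always" style allow rule.
REGULAR = frozenset({"alice@partner.example", "news@vendor.example"})


def classify(mail, threshold, allow=frozenset()):
    """Count outcomes: delivered/quarantined crossed with clean/spam."""
    out = Counter()
    for sender, score, is_spam in mail:
        quarantined = sender not in allow and score >= threshold
        action = "quarantined" if quarantined else "delivered"
        out[f"{action}_{'spam' if is_spam else 'clean'}"] += 1
    return out


def sweep(mail, thresholds, allow=frozenset()):
    """Classify the same mail at several thresholds (lower = more sensitive)."""
    return {t: classify(mail, t, allow) for t in thresholds}


if __name__ == "__main__":
    for label, allow in (("no allow rules", frozenset()),
                         ("regular senders allowed", REGULAR)):
        print(label)
        for t, c in sweep(MAIL, (0.7, 0.6, 0.5), allow).items():
            print(f"  threshold {t}: spam delivered={c['delivered_spam']}, "
                  f"clean quarantined={c['quarantined_clean']}")
```

At the most sensitive threshold the allow rules recover the regular senders' mail, but the first-time sender is still quarantined, which is the risk noted above for 'sales@mydomain' type accounts.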