PureMessage for UNIX: Facilitating a problem-free rollout of email filtering

  • Article ID: 10185
  • Updated: 07 Jun 2012

Following the guidelines below, you can install and test the software with no impact on your existing email system. When ready, you can deploy PureMessage in your production environment. A Sophos consultant or sales engineer can provide advice on this installation and tuning.

What to do

To implement PureMessage in a live environment, do as follows:

  1. Invisible mode

    Initially, run PureMessage in an 'invisible' mode. Messages are quarantined for statistical and investigative purposes, but are also delivered in an untouched state to your end users. Invisible mode enables you to identify obvious false positives and evaluate filter accuracy. Sophos recommends using this mode for a short period while investigating your quarantine. Throughput is slowed when invisible mode is used.

  2. Tag-and-pass mode

    As tag-and-pass mode does not involve copying to the quarantine, your throughput will be faster than in invisible mode. However, improperly tagged messages will not be as visible. To combat this, Sophos recommends requesting user feedback. You can inform your users by sending an email message like the one shown below.

    After the message has been sent, you can activate the PureMessage engine to tag probable spam messages. You should also insert an X-Header to determine why these messages have been identified as spam.

    Whitelisting

    Most false positives are mailing list messages. These can be whitelisted. When whitelisting, use the 'envelope-from' header rather than the 'from' header, because PureMessage uses 'envelope-from' to determine the actual sender rather than the more frequently forged 'from' header information.

    You should also check for patterns among false positives. All organizations have company-specific message characteristics. Some anti-spam heuristics may prove inappropriate for your organization. These heuristics can be tuned to protect organization-specific mail.

  3. Quarantine mode

    Following an initial trial of the tag-and-pass mode, Sophos recommends moving to full quarantine mode. Before you implement this, you should send another email message to your end users informing them of the changes and requesting further feedback.
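
The whitelisting advice in step 2 can be applied to the messages users send to the false-positive mailbox. The following is an added example, not Sophos or PureMessage code: it groups constructed reports by envelope-sender domain to suggest whitelist candidates and matches the whitelist on the envelope sender only. It assumes each report keeps a Return-Path header holding the envelope-from and a subject tagged in the [SPAM:###] form shown in the sample email; all function names are hypothetical.

```python
import re
from collections import Counter
from email import message_from_string
from email.utils import parseaddr

TAG_RE = re.compile(r"^\[SPAM:(#+)\]")  # subject tag format shown in the sample email

# Constructed false-positive reports (not real mail). Assumption: Return-Path
# holds the envelope-from recorded at final delivery.
REPORTS = [
    "Return-Path: <bounce-17@lists.example.org>\nFrom: Dev List <dev@project.example>\n"
    "Subject: [SPAM:##] Weekly digest\n\nbody\n",
    "Return-Path: <bounce-42@lists.example.org>\nFrom: Ops List <ops@project.example>\n"
    "Subject: [SPAM:###] Release notes\n\nbody\n",
    # Same From as the first report, different envelope sender.
    "Return-Path: <x91@bulk.invalid>\nFrom: Dev List <dev@project.example>\n"
    "Subject: [SPAM:####] Act now\n\nbody\n",
]

def summarize(raw):
    """Extract envelope sender, header From and tag level from one report."""
    msg = message_from_string(raw)
    envelope = parseaddr(msg.get("Return-Path", ""))[1].lower()
    header_from = parseaddr(msg.get("From", ""))[1].lower()
    tag = TAG_RE.match(msg.get("Subject", ""))
    return {"envelope_from": envelope, "header_from": header_from,
            "level": len(tag.group(1)) if tag else 0}

def envelope_domain(raw):
    env = summarize(raw)["envelope_from"]
    return env.rsplit("@", 1)[1] if "@" in env else ""  # "" for a null sender <>

def whitelist_candidates(raws, min_reports=2):
    """Envelope-sender domains reported at least min_reports times, for manual review."""
    counts = Counter(d for d in map(envelope_domain, raws) if d)
    return sorted(d for d, n in counts.items() if n >= min_reports)

def is_whitelisted(raw, domains):
    """Match on the envelope sender only; the From header is never consulted."""
    return envelope_domain(raw) in domains

if __name__ == "__main__":
    allowed = set(whitelist_candidates(REPORTS))
    for raw in REPORTS:
        print(summarize(raw), "whitelisted:", is_whitelisted(raw, allowed))
```

The third report carries the same From header as the first but a different envelope sender, so a whitelist keyed on From would admit it while the envelope-based check does not.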

Tag-and-pass mode sample email

This is an example of a message to inform users of the changes and to request feedback.

Attention: All Users

We are currently starting to deploy anti-spam software. This will assist you by identifying and removing spam from your email.

Initially, the anti-spam software will not remove any of your mail, but will 'tag' probable spam messages so they can be easily handled by your email client. PureMessage, the solution that we have chosen, tags probable spam by changing the subject line.

Example:

Subject: Buy Viagra now cheap!!! 433595

is rewritten to:

Subject: [SPAM:###] Buy Viagra now cheap!!! 433595

Each # symbol represents a higher probability that the message is spam. You can configure your mail client to place the messages in a separate folder (or delete them outright) based on this subject line. For instructions on how to do this with your mail client, click here:

Outlook instructions
Pine instructions
Etc.

If you find a message that has been improperly identified, please send it to us at either:

false-positive@yourco.com

for legitimate messages misidentified as spam or

false-negative@yourco.com

for spam messages misidentified as legitimate.

Your feedback will be used to tune the filter accuracy and improve the results.

We appreciate your patience during the rollout.

Quarantine mode sample email

This is an example of a message to inform users of the move to quarantine mode and to ask for continuing feedback.

Attn: All Users

We are now moving our anti-spam software from 'tag-and-pass' mode to full quarantine mode. Probable spam messages will no longer be directed to your inbox.

Instead, you will receive a daily summary report of all messages believed to be spam. You can reply to this report with your email client to retrieve any misidentified messages. You will only receive a daily report on days when you are sent messages considered to be spam.

As before, please send any misidentified email to the addresses below. We will use them to tune the PureMessage anti-spam engine:

false-positive@yourco.com

for legitimate messages misidentified as spam or

false-negative@yourco.com

for spam messages misidentified as legitimate.

 
If you need more information or guidance, then please contact technical support.
