PureMessage for UNIX: facilitating a problem-free rollout of email filtering
To facilitate a problem-free rollout of PureMessage email filtering, PureMessage should be installed on your deployment platform in parallel with your existing sendmail platform. Following the guidelines below, you can install and test the software with no impact on your existing email system. When ready, you can deploy PureMessage to your production environment. A Sophos consultant or sales engineer can provide advice on this installation and tuning.
What to do
To implement PureMessage in a live environment, do as follows:
- Invisible mode
Initially, run PureMessage in an 'invisible' mode. In this mode, messages are quarantined for statistical and investigative purposes, but are also delivered in an untouched state to your end users. Invisible mode enables you to identify obvious false positives and evaluate filter accuracy. Sophos recommends using this mode for a short period while investigating your quarantine. Throughput is slowed when invisible mode is used.
- Tag-and-pass mode
As tag-and-pass mode does not involve copying to the quarantine, your throughput will be faster than in invisible mode. However, improperly tagged messages will not be as visible. To combat this, Sophos recommends requesting user feedback. Tell your users in an email which feedback mechanisms they should use.
After the email has been sent, the PureMessage engine can be activated to tag probable spam messages. You should also insert an X-Header to determine why these messages have been identified as spam.
Whitelisting
Most false positives are mailing list emails. These can be whitelisted. When whitelisting, use the 'envelope-from' header rather than the 'from' header, because PureMessage uses 'envelope-from' to determine the actual sender rather than the more frequently forged 'from' header information.
You should also check for patterns among false positives. All organisations have company-specific message characteristics. Some anti-spam heuristics may prove inappropriate for your organisation. These heuristics can be tuned to protect organisation-specific mail.
- Quarantine mode
Following an initial trial of the tag-and-pass mode, Sophos recommends moving to full quarantine mode. Before you implement this, you should send another email to your end users informing them of the changes and requesting further feedback.
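The whitelisting advice under tag-and-pass mode, shown as an added example (not PureMessage code or configuration): a whitelist check keyed on the envelope sender compared with the same check keyed on the 'from' header. It assumes the envelope sender is read from the Return-Path header of a delivered message; the whitelist entries, the "@domain" entry form and all sample messages are constructed.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical whitelist entries (constructed): a full address, or "@domain"
# to cover lists that use a different bounce address per recipient.
WHITELIST = {"owner-dev@lists.example.org", "@news.example.com"}

# Constructed sample messages. Return-Path carries the SMTP envelope sender;
# From is whatever the author of the message chose to write.
SAMPLES = {
    "genuine_list": "Return-Path: <owner-dev@lists.example.org>\n"
                    "From: Alice <alice@partner.example>\n"
                    "Subject: [dev] build status\n\nbody\n",
    "per_recipient_bounce": "Return-Path: <b-1234@news.example.com>\n"
                            "From: News <news@news.example.com>\n"
                            "Subject: March newsletter\n\nbody\n",
    "forged_from": "Return-Path: <x9@bulk.example.net>\n"
                   "From: Dev List <owner-dev@lists.example.org>\n"
                   "Subject: Buy now\n\nbody\n",
    "null_sender": "Return-Path: <>\n"
                   "From: owner-dev@lists.example.org\n"
                   "Subject: Delivery failure\n\nbody\n",
}

def _address(msg, header):
    """Return the bare lower-cased address from a header, or '' if absent."""
    return parseaddr(msg.get(header, ""))[1].lower()

def _listed(addr):
    """Match an address against exact and "@domain" whitelist entries."""
    if not addr or "@" not in addr:
        return False  # empty envelope sender (<>) never matches
    return addr in WHITELIST or "@" + addr.rsplit("@", 1)[1] in WHITELIST

def is_whitelisted(raw, key="envelope"):
    """key='envelope' checks Return-Path; key='from' checks the From header."""
    msg = message_from_string(raw)
    header = "Return-Path" if key == "envelope" else "From"
    return _listed(_address(msg, header))

def compare():
    """Map sample name -> (whitelisted by envelope, whitelisted by From)."""
    return {name: (is_whitelisted(raw, "envelope"), is_whitelisted(raw, "from"))
            for name, raw in SAMPLES.items()}

if __name__ == "__main__":
    for name, (env, frm) in compare().items():
        print(f"{name:22} envelope={env!s:5} from={frm}")
```

Keyed on 'from', the list post written by an outside contributor is not recognised, while both messages that merely claim the list address in 'from' are let through; keyed on the envelope sender, the results are the other way round.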
Tag-and-pass mode sample email
This is an example of an email to inform users of the changes and request feedback.
Attention: All Users
We are currently starting to deploy anti-spam software. This will assist you by identifying and removing spam from your email.
Initially, the anti-spam software will not remove any of your mail, but will 'tag' probable spam messages so they can be easily handled by your email client. PureMessage, the solution that we have chosen, tags probable spam by changing the subject line.
Example:
Subject: Buy Viagra now cheap!!! 433595
rewritten to:
Subject: [SPAM:###] Buy Viagra now cheap!!! 433595
Each # symbol represents a higher probability that the message is spam. You can configure your mail client to place the messages in a separate folder (or delete them outright) based on this subject line. For instructions on how to do this with your mail client, click here:
- Outlook instructions
- Pine instructions
- Etc.
[The administrator will find instructions in the Documentation section in the web manager interface. These documents can also be posted to a publicly available website.]
If you find a message that has been improperly identified, please send it to us at either:
- false-positive@yourco.com for legitimate messages misidentified as spam, or
- false-negative@yourco.com for spam messages misidentified as legitimate.
Your feedback will be used to tune the filter accuracy and improve the results.
We appreciate your patience during the rollout.
Quarantine mode sample email
This is an example of an email to inform users of the move to quarantine mode and ask for continuing feedback.
Attn: All Users
We are now moving our anti-spam software from 'tag-and-pass' mode to full quarantine mode. Probable spam messages will no longer be directed to your inbox.
Instead, you will receive a daily summary report of all messages believed to be spam. You can reply to this report with your email client to retrieve any misidentified messages. You will only receive a daily report on days when you are sent messages considered to be spam.
As before, please send any misidentified email to the addresses below. We will use them to tune the PureMessage anti-spam engine:
- false-positive@yourco.com for legitimate messages misidentified as spam, or
- false-negative@yourco.com for spam messages misidentified as legitimate.
If you need more information or guidance, then please contact technical support.
- Article ID: 10185
- Created: 17 Dec 2003
- Last updated: 13 Jul 2006
