Greg Young is a research vice president in Gartner and the lead analyst for network security. Mr. Young has experience in IT security in product companies, and in both the private and public sectors. He spent his military career in technology security…

The False Positive Problem in Anti-Spam: Peter Firstbrook

by Greg Young  |  March 10, 2010  |  2 Comments

Guest blog by Peter Firstbrook

While doing the research for our forthcoming secure email gateway Magic Quadrant, we were very disappointed with how few anti-spam solutions have reports that show the false positive (legitimate email tagged as spam) and false negative (spam that gets to the inbox) rates. While there is no perfect way to measure spam accuracy exactly, there are good proxies that can be easily measured: false positives can be represented by the emails that were released from quarantine, and false negatives by the messages that made it into the inbox and that users then reported as spam. (And while we are at it, shame on any anti-spam solution that does not even offer an email client “is Spam” button.) Do anti-spam solutions have something to hide? Most brag about their “honeypot” catch rates, but honeypots rarely receive legitimate email.

Although Gartner customers almost never complain about false positive rates, I wonder if false positives are underestimated. End users rarely complain about false positives, but they are very vocal in reporting spam in their inbox. Box Sentry (www.boxsentry.com) recently ran tests in a number of organizations and found that the false positive rate in some organizations using popular anti-spam tools was as high as 13% of legitimate emails. The largest proportion of false positives in their study was legitimate person-to-person traffic. While it could be that these organizations had over-tuned their systems to block more spam at the expense of quarantining more legitimate email, the reality was that the email administrators had no idea they had such a high false positive rate because they had never checked. Have you? Organizations that do not send daily quarantine digests to end users should check their quarantine to ensure that it is not a tar pit of business-critical communications. Let us know what you find.
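The two proxies described above (quarantine releases for false positives, user "is Spam" reports on delivered mail for false negatives) can be computed from ordinary gateway records. The script below is an added illustration, not part of Peter's post or any vendor's reporting; the event schema and the sample records are constructed, and it also counts quarantined person-to-person mail that nobody released, which is the "tar pit" check for organizations that do not send quarantine digests.

```python
from collections import Counter, namedtuple

# Assumed record shape (not a real product's log format):
#   verdict  : gateway decision, "quarantine" or "deliver"
#   outcome  : what a human did afterwards, "released", "reported" or "none"
#   category : "p2p" (person-to-person), "bulk" or "unknown"
Event = namedtuple("Event", "msg_id verdict outcome category")

# Constructed sample events for illustration only.
EVENTS = [
    Event("m01", "deliver", "none", "p2p"),
    Event("m02", "deliver", "none", "p2p"),
    Event("m03", "deliver", "none", "bulk"),
    Event("m04", "deliver", "reported", "bulk"),     # spam that reached the inbox
    Event("m05", "deliver", "none", "p2p"),
    Event("m06", "deliver", "none", "p2p"),
    Event("m07", "deliver", "none", "bulk"),
    Event("m08", "deliver", "reported", "unknown"),
    Event("m09", "quarantine", "none", "unknown"),
    Event("m10", "quarantine", "released", "p2p"),   # legitimate mail quarantined
    Event("m11", "quarantine", "none", "bulk"),
    Event("m12", "quarantine", "released", "p2p"),
    Event("m13", "quarantine", "none", "unknown"),
    Event("m14", "quarantine", "none", "p2p"),       # unreleased p2p: review it
    Event("m15", "quarantine", "released", "bulk"),
    Event("m16", "quarantine", "none", "unknown"),
]


def proxy_rates(events):
    """Estimate false positive / false negative rates from gateway events.

    Both rates are lower bounds: legitimate mail nobody bothered to release and
    spam nobody reported are invisible to this method.
    """
    quarantined = [e for e in events if e.verdict == "quarantine"]
    delivered = [e for e in events if e.verdict == "deliver"]
    released = [e for e in quarantined if e.outcome == "released"]
    reported = [e for e in delivered if e.outcome == "reported"]
    # Estimated legitimate mail: delivered and not reported, plus released.
    legit = (len(delivered) - len(reported)) + len(released)
    # Estimated spam: quarantined and not released, plus reported.
    spam = (len(quarantined) - len(released)) + len(reported)
    return {
        "fp_rate": len(released) / legit if legit else 0.0,
        "fn_rate": len(reported) / spam if spam else 0.0,
        "released_by_category": dict(Counter(e.category for e in released)),
        # Quarantined person-to-person mail nobody released: candidates for
        # an administrator's quarantine review.
        "quarantined_p2p_unreleased": sum(
            1 for e in quarantined if e.outcome == "none" and e.category == "p2p"),
    }
```

On the constructed sample this gives a false positive proxy of 3/9 and a false negative proxy of 2/7, with two of the three released messages being person-to-person mail, matching the pattern the Box Sentry study reported.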

Peter Firstbrook | Research Director | Gartner
Malware and antispam

2 responses so far

  • 1 Data void: False Positives « The New School of Information Security   March 10, 2010 at 3:32 pm

    [...] a good post at Gartner pointing out the lack of data reported by vendors or customers regarding the false [...]

  • 2 Lawrence Janes   March 26, 2010 at 7:38 pm

    Hi Peter

    I agree that the reporting in most solutions is pretty poor – it was one of the main reasons for partnering with Preserv8. Your post did prompt me to go and review our reports a little closer. In March so far 0.6% of mails were initially marked as Spam. Of those I am sure that probably 5 of them were false positives. I must point out that in March I cannot recall 1 Spam email getting through to my Inbox.

    Also Preserv8's perimeter defence deleted the following on the perimeter:
    9410 mails with no valid recipient
    38166 mails originating from known spamming servers
    729 mails from servers with outbound relaying denied
    134 mails from blacklisted email addresses

    I find that my false positives are caused by signing up for a new newsletter, as the domain / email is not recorded within my ever growing whitelist.

    Whilst there is not a report in Preserv8's growing list to cover false positives, they are normally very open about generating new reports for users and adding them to the standard reporting list.

    Regards

    Lawrence