This article contains information about submitting examples of spam, malware, phishing, and false positives to Mimecast for analysis, as well as FAQs and details on configurations like MTA-STS, TLS reporting, and management during customer mergers.
Mimecast encourages our customers to submit potential spam, malware, and phishing examples for review. Using these submissions, Mimecast's filtering system can learn from the analysis of these messages. This improves the level of virus and spam detection.
- MEIR customers will get a response if the reported email is classified as malicious by the Mimecast Security team.
- Specific issues or queries that require a response should be created using the Support Hub. For more information, see the Raising a Case page.
Reporting Spam, Malware, and Phishing
Spam, malware, phishing, and false positives should be reported via the Mimecast Administration Console. This ensures the original email can be analyzed, with its full Internet message headers intact.
You can submit examples of spam, malware, phishing, and false positives to Mimecast by using the following steps:
- Log in to the Mimecast Administration Console.
- Click on the Message Center menu item for the queue containing the email.
- Select Message Tracking.
- Search for the email by populating the fields and clicking the Search button.
- On the far right of the email, click on the three-dot menu. The Message can be clicked to display the message details, where the Report button can be clicked for the Reporting options.
- Click on one of the following menu items:
- Report as Spam: The example is sent to the Mimecast spam mailbox for further analysis.
- Report as Malware: The example is sent to the Mimecast virus mailbox, but a support case must also be raised.
- Report as Phishing: The example is sent to the Mimecast phishing mailbox for further analysis.
- Emails with a Bounced, Deferred, Pending Delivery, or Rejected status cannot be reported as spam, malware, or phishing.
- When a message is reported as spam, malware, or phishing, a Blocked Sender entry is automatically created for the recipient in Managed Senders. To remove this entry, navigate to Email Delivery | Managed Senders in the Mimecast Administration Console.
A blocked senders policy can be used to block the sender should it be required. See the Configuring Blocked Sender Policies page for full details.
Submitting Spam Examples
The best way to manually submit a spam example is to report it via the Mimecast Administration Console.
See Misreported Spam Messages if you have incorrectly reported messages to Mimecast as spam.
Submitting Malware Examples
Files suspected to contain a malicious payload, or that have wrongly been identified as malware, can be submitted to Mimecast for analysis. All virus submissions must be compressed (or zipped) into an archive file and password protected.
The archive should be sent to Virusreports@mimecast.org (and not attached to your support case).
The Messaging Security team will conduct an analysis of submitted examples in a sandbox environment to determine whether any malicious payload is present.
Submitting Phishing Examples
The best way to manually submit a phishing example is to report it via the Mimecast Administration Console.
Submitting False Positive Examples
A false positive email message is a legitimate message that has been incorrectly identified as spam.
Reporting a false positive message is done the same way as for a spam message, by reporting it via the Mimecast Administration Console. You will need to select the spam option when reporting it.
The Messaging Security team will analyze submitted examples to determine whether messages are legitimate.
- A false positive message reported as Spam via the Mimecast Administration Console will create a Blocked Sender entry for the recipient under Managed Senders.
To ensure uninterrupted communication, remove the entry by navigating to Email and Delivery | Managed Senders. In the Managed Senders section, locate the Blocked Sender entry and delete it to restore normal message flow.
Removing the Blocked Sender entry promptly helps maintain seamless communication with trusted contacts.
- Administrators can trace reports from the Mimecast Administration Console under Audit Logs. See Filtering Audit Logs for more information.
Filtering Process
Every day, obvious non-malware messages like newsletters are filtered out of the mailbox. Then, examples are analyzed to detect global trends. Mimecast analysts can quickly identify spam, malware, and phishing, determining if they are company-specific or global issues.
Regular reports monitor example submissions and their customer sources. If a customer sends high volumes, a security review of their Mimecast account is done. The Security Services team may then contact the administrator with recommendations to reduce malware.
Mimecast does not respond to every submitted example or provide customers with reports on malware activity, as many submissions are duplicates or not malware, which would skew the accuracy of such reports. However, you can generate reports from your Mimecast account for all emails sent from your users to the mailbox address.
Comments
Where is this illusive option to report as a false positive?
You can report as Spam, Malware, or Phishing. Nothing Else.
Thank you for your feedback, we have reviewed your comments and updated the “Submitting False Positive Examples” section above, to clarify the steps.
False Positives need to be submitted using the Mimecast Administration Console, via Message Center, by using the Report button, and reporting as Spam.
Is there a way for users to report spam and phishing emails that get into their inbox instead of a Mimecast admin doing it?
Is there a way to do this with Outlook web and New Outlook?
Thanks
Hi Danny
Thank you for your comment.
To answer your question: Yes, Mimecast provides several ways for regular users (not just admins) to report spam and phishing emails that reach their inbox—without needing a Mimecast admin to do it for them.
Here’s how it works and what options are available:
1. https://mimecastsupport.zendesk.com/hc/en-us/articles/34000409050387-End-User-Applications-Configuring-Outlook-End-User-Reporting#h_01J9TXY3FRXW2AZCT6MZCE4HHK
2. https://mimecastsupport.zendesk.com/hc/en-us/articles/34000684158995-Mimecast-Essentials-for-Outlook-Overview#h_01JKT4GJRXKZ66GD5720MAHTZB
I hope this answer is helpful.
Thank you
Wouldn't it be better if there was a separate entry “false positive” under report? This way a blocked center entry would not be created so one would not have to go remove it.
Also, how is a false positive reported email distinguished from real spam when both have to be reported as spam?
Also, if an end user reports a false positive via the Outlook button (that he will report it as spam), how would an admin know to remove the blocked sender entry?
Also, if IT department admins cannot do anything on reported emails and message reporting is only for analysis by the mimecast teams, a user must report the same message twice: One for mimecast analysis and one for the admins of their IT department to quickly verify how dangerous an email is and possibly block it for all recipients and notify users that a dangerous email has gone through or maybe other actions. Or have the Outlook report button “notify” both Mimecast and Exchange online (in our case) which kind of beat the purpose of having the users report the emails to Mimecast.
To be honest, when I heard about this functionality (having the Outlook report button, report emails to Mimecast) I thought I would be able to go to the reported emails and sort things out. Like inspect the reported emails, and have buttons that would confirm or dismiss the user's suspicion. And on confirmation maybe an automation that would add the sender to the blacklist and send a “well done for catching that” email to the user. On false positives, maybe an email to the end of the user that would thank him for submitting it and inform him that nothing strange was found in the email.
Sorry for the long post, but this is kind of disappointing.
Hello Team,
We are submitting a False Positive case so that in future we can receive emails without any issue. But here, when we report an email for a False Positive case in the Admin Console, you are automatically adding the sender to the managed blocklist, which means you are again stopping emails from being delivered.
You are solving the problem one way (reducing the spam score) and creating another problem (adding the sender to the managed blocklist).
Please try to provide a complete solution without creating another problem.
Regards,
Mahesh
Hi Diamantis,
Thank you for your comment. To help with the above, I've prepared a few responses to your concerns:
A separate entry for false positives would be a feature request.
On the topic about how a false positive email is distinguished from spam, see Spam / Phishing - Misreported Spam Messages on the steps an Administrator needs to take to address if a message is reported accidentally.
Messages reported through End User Applications and Native Reporting in Outlook are displayed under Analysis & Response - Dashboard
The reporting functionality is available with MEIR reporting Analysis & Response - Dashboard
I'm happy to escalate any other concerns.
I hope this was helpful.
Hi Mahesh,
Many thanks for your feedback. I've checked and this is expected functionality - please see the note at https://mimecastsupport.zendesk.com/hc/en-us/articles/34000392088595-Spam-Phishing-Reporting-Spam-Malware-and-Phishing?page=1#h_01J9V5F4V6GBPFDQGW720P268E
I'll follow this up with our Engineering teams for future consideration.