[[False positive]] is the little-known side effect of content-based filtering. For email security professionals, it’s a cost of implementing spam filtering: some legitimate emails are caught in the spam filter. For most email users, it’s that surprise in one’s spam folder: a legitimate email in a swirl of spam, the pony in the proverbial pile of s— and it’s happening more often than you’d think.


This Google Trends report shows how users are searching less frequently over time for anti spam, yet the search frequency for false positive is stable. Note how in 2009 the search frequencies cross over, so that there are more searches for false positives than for anti spam.

Manish Goel, the CEO of BoxSentry, the Singapore-based email security vendor, offered a briefing earlier this month and gave me his views on the question of anti spam and false positives. The company, which has been reviewed on this site before, has been developing new capabilities for dealing with email integrity that are well on their way to commercialization. In addition to enterprise appliances, the company offers solutions for ISPs and cloud services for enterprises.

These two new capabilities, LogiQ and TrustCloud, address related but different issues in the email quality market. LogiQ is an appliance or hosted service to identify, report on and otherwise minimize false positives. Fundamentally, the service manages automated accept lists. The appliance or service sits in parallel with the spam filter. All addresses that a user sends to are automatically added to the accept list (as they should be). All incoming messages are received by both the spam filter and the LogiQ server/service. If a message from an accepted sender is passed to the email server by the spam filter, LogiQ takes no action. If a message from an unknown sender of dubious origin (no [[DKIM]] support, or non-[[Sender Policy Framework]]-compliant) is blocked by the spam filter, no action is taken either. If a message from an unknown sender whose sending server satisfies the configured DKIM and SPF requirements is trapped by the spam filter, LogiQ can, if so configured, pass a copy of the message through to the enterprise mail server.

If a message from a known sender is trapped by the spam filter (a false positive), LogiQ can deliver a copy of the message to the enterprise email server, or it can merely record that it happened. In this way corporate security officers can capture statistics from an independent source on the true rate of false positives, and can act on the message handling to improve employee productivity, since so many workers spend so many hours searching through spam folders, often in vain.
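How LogiQ's parallel decision could be modelled, as an added example that is not BoxSentry's code: a small Python sketch (the names LogiQShadow and Message, and the per-message DKIM/SPF flags, are my assumptions) that accept-lists outbound recipients, classifies each trapped message according to the cases described above, and keeps the independent false-positive count.

```python
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    NONE = "no action"
    DELIVER_COPY = "deliver a copy to the mail server"
    RECORD = "record the false positive only"


@dataclass
class Message:
    sender: str       # address the message claims to come from
    filtered: bool    # True if the spam filter trapped the message
    dkim_pass: bool   # DKIM signature present and verified (assumed field)
    spf_pass: bool    # sending server is SPF-compliant (assumed field)


@dataclass
class LogiQShadow:
    """Sits beside the spam filter and only acts on messages it trapped."""
    accept_list: set = field(default_factory=set)
    deliver_known: bool = True        # deliver known-sender FPs, or merely record them
    pass_authenticated: bool = False  # optional: pass unknown senders that satisfy DKIM+SPF
    seen: int = 0
    trapped: int = 0
    false_positives: int = 0

    def outbound(self, recipient: str) -> None:
        """Every address a user sends to is automatically accept-listed."""
        self.accept_list.add(recipient.lower())

    def inbound(self, msg: Message) -> Action:
        self.seen += 1
        if not msg.filtered:
            return Action.NONE                     # filter passed it: nothing to do
        self.trapped += 1
        if msg.sender.lower() in self.accept_list:
            self.false_positives += 1              # known sender trapped: a false positive
            return Action.DELIVER_COPY if self.deliver_known else Action.RECORD
        if msg.dkim_pass and msg.spf_pass and self.pass_authenticated:
            return Action.DELIVER_COPY             # unknown but authenticated sender
        return Action.NONE                         # dubious origin: leave it blocked

    def fp_share(self) -> float:
        """Share of trapped messages that came from accept-listed senders."""
        return self.false_positives / self.trapped if self.trapped else 0.0
```

The counters give the independent statistics the text mentions, separate from whatever the spam filter itself reports.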

The second offering is called TrustCloud. This subscription service does the opposite of Spamhaus and other sender blocklist services. TrustCloud has compiled a list of hundreds of thousands of trusted email domains and offers subscriptions to ISPs and enterprise email operations professionals. Modern filters offer mechanisms where an administrator can require a check against the TrustCloud list. If the suspected sender is on the TrustCloud list, the message is likely legitimate and can be cleared for delivery. In this way TrustCloud can further reduce the incidence of false positives.

It’s good to see action on overcoming the costs and annoyances of false positives: costs in terms of lost business, declining customer satisfaction, delays in the conduct of business and unnecessary retransmissions.