GTI (McAfee Global Threat Intelligence) is a very powerful tool for blocking mail based on message reputation. However, sometimes we just plain get it wrong. By no means should this be a common thing, but it does happen. Sometimes this is because we have seen an IP come online and start sending mail that either wasn't sending mail before, or that hasn't been sending for a while but was sending a lot of spam before that. Sometimes it is because a legitimate message's fingerprints happen to be associated more strongly with spam than with legitimate mail (ham). In still other cases, it could be because one or more URLs in the content of the message are associated with spam mail being sent. Regardless of the reason, GTI false positives can be a big problem for admins, since the default action when the GTI threshold gets high enough is to reject the message, close the connection, and deny all further connections from that sender for 5 minutes.

 

So how can an admin report when a message has a false positive? There are three different ways of addressing the issue. Since many messages receiving high scores in GTI also receive high scores in anti-spam, it is a good idea to use the steps indicated in KB59415 to submit spam false positives and false negatives to our Labs team. While this won't necessarily cause the message reputation details to be changed, it will help ensure that future spam rules updates do not see the message as spam. After doing that, see KB72091. That article talks directly about submitting the GTI false positive to our team so that the GTI reputations can be adjusted. It also advises how to temporarily work around the issue in your MEG appliance, since the reputation adjustment requests take some time to be processed and the adjustments themselves take some time to propagate through our systems.