False positive reasons explained

Recurrent pattern (RPD)

The message was classified as spam by one or more RPD patterns. The main reasons for RPD-based false positives are:

  • An RPD pattern that identifies one or more spam campaigns also happened to match a valid email message, leading to its false classification as spam.
  • A valid bulk email (e.g., a newsletter) was misclassified as part of a spam outbreak. These cases are analyzed and whitelisted to ensure that this type of valid bulk email will not be blocked again in the future.

Sender IP

The message was classified as spam because it was sent from a suspicious IP address. Following your report, we usually update the reputation of the reported IP address to “No Risk”. You can verify the current reputation status of the IP address here: <http://www.cyren.com/security-center/ip-reputation-check>

However, if CYREN identifies any new spam outbreak from the IP address over the next 30 days, it will be blocked again. Otherwise, the IP address’s reputation will remain clean.

Sender domain

The message was classified as spam because it was sent from a suspicious domain. The main reasons for a domain to become suspicious are:

  • Lack of a valid WHOIS record.
  • Spam outbreaks appear to be sent from the domain.
  • A combination of the above reasons.

URL

The message was classified as spam because it contained a URL which was classified as suspicious.

Proactive patterns (PPM)

The message was classified as spam by a proactive pattern which was generated by CYREN spam analysts to address an emerging spam technique. When PPM causes false positives, CYREN spam analysts remove the proactive pattern to prevent any new false positives. 

False positive status explained

Fixed

Following your report, we have updated the classification and it will no longer cause any false positives.

Not blocked

The messages in question were not blocked by CYREN.

Rejected as spam

Our analysis shows that the messages in question are part of a known spam outbreak (Spam was reported as a False Positive).

Rejected as suspected

Our analysis shows that there is strong evidence of accurate blocking and that removing the block will negatively affect spam detection. (Potential spam was reported as a False Positive).

Untraceable

The provided transaction ID (RefID) was not found. Usually, this happens when a false positive is reported more than 14 days after the occurrence.

Works as designed

The message in question was not blocked by the pattern-based detection component and may be non-compliant with email standards or invalid. Please contact CYREN support for clarification.

Manual analysis

Automatic reclassification is not possible and the transaction was forwarded to a detection analyst for review.

Escalated

An investigation is required and the false positive was escalated to a senior detection analyst for review.