User Reporting
- Tyler Horsford (Unlicensed)
- Matthew Sywulak
- Andy Nguyen (Unlicensed)
Summary
Every message with an INKY banner contains a “Report This Email” link which allows your end-users to report emails as either safe, spam, or phishing. These reports are sent to INKY’s security operations team and optionally a local administrator (as discussed under Custom Reporting Email Notifications). Every report INKY receives is carefully reviewed and analyzed to determine if an update to our models is necessary. INKY encourages all users to report incorrectly bannered messages when possible, as this strengthens our detection capabilities and reduces the potential for false positives.
The User Reporting tab under Settings in your INKY Dashboard allows administrators to configure how long reported messages are stored in INKY, an optional recipient to receive user reports, and the option to enable enhanced reporting for end-users.
Reporting Options
The following settings are configurable:
Setting | Description |
|---|---|
Save raw message data, encrypted at rest, to allow faster and more actionable response to feedback. | Enabling this option provides an unprocessed copy of your incoming mail to INKY’s SOC team. Messages are encrypted in a way that even INKY employees cannot decrypt until a user explicitly reports the message. |
Keep encrypted raw messages for: 3, 5, 7 days | The length of time INKY stores an unprocessed copy of your messages. |
Always send raw messages (if available) to Inky for analysis (i.e., do not allow end users to opt-out for specific messages) | Messages reported to INKY will always include the original, unprocessed message (if available). |
Allow end users the option to authenticate on the Report This Email page to unlock enhanced reporting capabilities. | Users signed in with Microsoft 365 or Google Workspace as the recipient of a reported message, a user can choose to have reported spam or phish automatically deleted from their mailbox. They can also choose to automatically block (i.e., send to quarantine) all future mail from unwanted senders. These blocked sender settings apply on a per-user basis and can be viewed on the blocklist by checking the "User-Specific" box. A user can review their settings on the User Dashboard. For more information about this feature, please see the “Per-User Allow & Block Listing” article linked below. |
If a user is authenticated, allow end users to maintain a personal allow list for a limited set of threat categories. | If a message is labeled safe, the user will be presented with allow actions for the following categories: Spam Content, Reported Spam (can be customized by request to INKY support). The actions apply on a per-user basis and can be viewed on the Allow List by checking the "User-Specific" box. A user can review their settings on the User Dashboard. |
Custom Reporting Email Notifications
Administrators who wish to receive user-reported messages can add one or multiple email addresses in this section. Multiple addresses must be separated by a comma.
Setting | Description |
|---|---|
Attach original raw message inside a .zip (application/zip) file. By default, the original mail will be attached as an RFC822-formatted .txt (text/plain) file. This is due to the fact that some mail systems automatically process/reformat incoming .eml attachments. | Reported messages will arrive to the specified recipient as an .EML inside a .ZIP file. |
Attach original raw message as a .eml (message/rfc822) file. By default, the original mail will be attached as an RFC822-formatted .txt (text/plain) file. This is due to the fact that some mail systems automatically process/reformat incoming .eml attachments. | Reported messages will arrive to the specified recipient as an attached .EML. |
Set the From: header in the notification email to match the contact email address specified on the report page (default is an Inky address). This option will cause Inky to "spoof" mail from your reporting team member and should only be used if the notifications are going into a system that expects this. Otherwise, the mail may get blocked due to suspicion of phishing. | The sending address for reported messages can be modified to any email address. By default, reports originate from: robot@verify.inky.com. |
Microsoft 365 Delivery through SecOps Mailbox
Microsoft’s secure by default feature may affect the way your organization whitelists INKY. Due to this change, you can whitelist INKY using Microsoft’s advanced delivery policies feature instead. Since INKY reports contain potentially malicious phishing emails that your users are reporting you must add your delivery mailbox to the advanced delivery settings.
Navigate to https://security.microsoft.com/advanceddelivery?viewid=SecOpsMailbox
Select Edit
Add the mailbox you’re delivering INKY reports to
It may take an hour or longer to fully propagate on the M365 side.
