As mentioned previously, the Symantec Brightmail Gateway 8.0 release had three main goals:
1. Re-architect our core MTA infrastructure.
2. Increase antispam effectiveness.
3. Increase message throughput.
In this article, you'll read about the new antispam effectiveness features in Brightmail Gateway 8.0 under Adaptive Reputation Management
In a
previous post I explained how the new and improved architecture has resulted in some pretty huge performances gains over the previous releases.
These performance gains were all about messages accepted and processed by SBG and don't include increased performance related to spam blocked by reputation.
As I mentioned before, different people measure statistics in different ways. At Symantec, we do not make any assumptions when we talk about connection level anti-spam. Rather than guess or try and use the average number of messages per connection, we only talk about single connections rejected or deferred.
Of course, it's highly likely that these sending sources would send far more than one message per connection but because anti-spam at connection time filters before the SMTP conversation, there is no way to know how many messages it would attempt to send.
What is Adaptive Reputation Management?
Adaptive Reputation Management can be thought of at a high level, in a three step process:
--BLOCK--
With this release, we've put a major investment in our Global Reputation system.
Combining data from multiple Symantec sources such as the Probe Network and Global Intelligence Network, we are able to use our unrivaled visibility to provide Brightmail Gateway with a first line of defence now known as the Symantec Global Bad Senders list.
Prior to version 7.6, the SMTP Traffic Shaping covered around 600k distinct IP addresses that were known to be sending nothing but spam or a large percentage of spam. This led to between 40% and 50% of spam being blocked by reputation. With the release of 7.6, we increased visibility to 1.6 million IP addresses leading to 60-70% of spam blocked by reputation.
With the 3rd Gen Global reputation in the 8.0 release, this number has been increased again. We now cover tens of millions of IP addresses. This includes information from service providers around the world on their IP ranges that should NEVER send mail.
--LIMIT and ADAPT--
In addition to blocking spam with the Global Bad Senders data, we have a replaced SMTP Traffic Shaping with some proven technology from the Symantec Brightmail Traffic Shaper.
This 2nd Generation of local reputation adapts to each sites local mail stream, using the accuracy of our Brightmail content scanning engines to sample and monitor inbound traffic. The connecting IP addresses are tracked locally and used in the new Connection Classification system to provide a granular Quality of Service style system to inbound senders, depending on what YOUR site knows about them.
Connection Classification uses ten resource classes, or buckets, to control access to resources.
Bucket 1 - the best class, allows a connecting IP address 200 concurrent connections and an unlimited number of messages per connection.
Bucket 9 - the worst class, allows one connection at a time per IP address and only one message per connection. IP addresses in this bucket are also subject to a 60 second timeout.
In addition to these 9 buckets, there is also what is called the Default bucket.
The first time an IP address connects, they’re put straight into this Default bucket and given a middle-of-the-road batch of resources. When the Brightmail content scanning has sampled enough mail to make a positive or negative decision on the IP at which point it will be moved to the appropriate bucket.
When an IP address has exceeded a bucket limit, further connection attempts are deferred until the criteria expires.
Messages continue to be sampled at content time so IP addresses can move up or down the scale as their message profile changes over time.
Of course, there are provisions to alter the resources allocated to connecting IPs but we're confident that the default settings will be applicable to 99% of customers.
I talked about Fastpass previously and outlined how it provides known good senders with even more resources to deliver their legitimate mail. Combining Fastpass with Adaptive Reputation Management has really shows how this release of Brightmail Gateway is a huge step forward not only in performance but also in antispam effectiveness.
Throughout the beta program, we consistently saw real world figures showing more than 90% of spam is blocked or deferred at connection time.
With the Brightmail Adaptive Reputation Management in Brightmail Gateway 8.0, not only have we increased scalability, but we also always preserve top resource priority for legitimate email – this means that even under spam attack, the good email gets through with little or no latency – this is a big change from the prior architecture.
//ian