Today, in most networks, the majority of email traffic is spam. You can reduce the cost of processing by managing connection load and distinguishing between connections from senders known to send spam and legitimate senders. The Connection Classification feature dynamically manages connection load based on the local reputation data collected automatically. Connection Classification is a self-learning feature. In response to the latest changes in local reputation, Connection Classification updates its management of connection load on a just-in-time basis.
For the purposes of Connection Classification data collection, unwanted messages are not counted as spam.
Spammers routinely leverage vast networks of compromised client machines, known as botnets, to disseminate their attacks. This enables them to generate huge volumes of messages without sending enough messages from any single IP address to merit entry on a global blacklist. Connection Classification supplements global lists from Symantec, third parties and your own administrator-defined lists with an approach that is effective against botnet-driven spam and the huge overall volume of spam.
By reducing the system resources used by senders with poor local reputation, Connection Classification protects your legitimate mail flow from denial-of-service attacks. With Connection Classification enabled, spammers get fewer connections. As a result, more resources are available to your legitimate senders.
To take advantage of Connection Classification, your Symantec Messaging Gateway appliance must be deployed at the gateway.
Connection Classification works by assigning each connecting IP address to one of ten classes, based on the amount of spam sent by that IP address. Connection Classification assigns new IP addresses to the default class. Connection Classification regularly changes the classifications of senders, as it continues to learn more about sender reputation in real time.
Connection Classification allows most connections for the best senders (Class 1). The network resources allowed to a sender decrease from the best class to the worst class (Class 9). For Class 9, Connection Classification defers most connections.
Senders in the Symantec Global Good Senders, Local Good Sender IPs, and Third Party Good Senders groups are always assigned to the best class (Class 1). Senders in the Symantec Global Bad Senders, Local Bad Sender IPs, and Third Party Bad Senders groups are always assigned to the worst class (Class 9).
Symantec Messaging Gateway determines class membership separately for each Scanner in your system. The same sending IP can be in Class 3 on one Scanner and Class 4 on another Scanner. Based on the amount of spam sent from each IP address, the classifications can change constantly, to dynamically reflect the latest local, per-Scanner reputation.
The restrictions placed on a sender's ability to consume system and network resources correlate directly with the sender's reputation for spamming your organization. Senders with a clean history are placed in the best class and allowed more frequent connections than those with poor records. Conversely, an IP address with a poor reputation can improve its class over time by sending less spam and more legitimate email.
Connection Classification uses the data collected in the reputation database to determine the probability that a message sent from a given IP is spam. As the appliance collects more data over time, the probabilistic determination yields more accurate results.
The only action Symantec Messaging Gateway takes based on Connection Classification is to defer some SMTP connections. Connection deferral is also known as soft rejection or a 450 SMTP error. Connection Classification defers connections during the connection phase of the inbound message flow and also during the SMTP session phase.
Symantec Messaging Gateway does not take any action based on Connection Classification until the appliance has recorded enough data to make accurate predictions. Immediately after the initial installation of a Scanner, Connection Classification is in learning mode. Learning mode ends when 50,000 messages are received and the statistics gathered from them have been added to the database. At that point, if Connection Classification is enabled, connection management begins. If you have multiple Scanners, a newly installed Scanner is initially in learning mode, while your other Scanners may already be managing connection load.
If you disable Connection Classification, the Scanner continues to record sender reputation information. This means that you can disable this feature temporarily and not miss any sender data during that time.
You can edit the connection parameters for each class.
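The behavior described above, modelled as an added Python sketch (not Symantec's code), shows how learning mode, the good and bad sender lists, per-Scanner reputation and 450 deferrals interact. Only the 50,000-message learning threshold, the list overrides and the 450 deferral come from this page; `MIN_SAMPLES`, the spam-ratio buckets, the deferral fractions, the label 0 for the default class and all IP addresses are assumptions constructed for illustration.

```python
import random
from collections import defaultdict

LEARNING_THRESHOLD = 50_000  # from the page: messages needed to leave learning mode
MIN_SAMPLES = 20             # assumption: messages seen before an IP leaves the default class
DEFAULT_CLASS = 0            # assumption: label used here for the default class
# Assumption: fraction of connections deferred per class (editable per class in the product).
DEFER_RATE = {DEFAULT_CLASS: 0.10, **{c: 0.95 * (c - 1) / 8 for c in range(1, 10)}}

class Scanner:
    """Reputation is kept per Scanner, so each instance has its own view of an IP."""

    def __init__(self, good_ips=(), bad_ips=(), enabled=True):
        self.good, self.bad = set(good_ips), set(bad_ips)
        self.enabled = enabled
        self.total = 0
        self.stats = defaultdict(lambda: [0, 0])  # ip -> [spam, all messages]

    def record(self, ip, is_spam, count=1):
        # Recording continues even while the feature is disabled.
        self.stats[ip][0] += count if is_spam else 0
        self.stats[ip][1] += count
        self.total += count

    @property
    def learning(self):
        return self.total < LEARNING_THRESHOLD

    def classify(self, ip):
        if ip in self.good:   # good-sender groups: always Class 1
            return 1
        if ip in self.bad:    # bad-sender groups: always Class 9
            return 9
        spam, seen = self.stats.get(ip, (0, 0))
        if seen < MIN_SAMPLES:
            return DEFAULT_CLASS
        return 1 + min(8, int(9 * spam / seen))  # assumption: linear spam-ratio buckets

    def smtp_response(self, ip, rng=random.random):
        """Return 450 (deferral) or 220 (normal greeting) for a new connection."""
        if not self.enabled or self.learning:
            return 220  # no action while disabled or still in learning mode
        return 450 if rng() < DEFER_RATE[self.classify(ip)] else 220
```

Passing a fixed `rng` makes the deferral decision deterministic, which is useful when comparing how two Scanners with different histories treat the same IP.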