Symantec Traffic Shaping is transparent. The system identifies abusive senders, down to the actual sending server or router, and throttles their connections back at the TCP/IP protocol level. It consists of four key components:
Sampling and Sniffing - Examines the SMTP packets of inbound email traffic and determines each mail stream's true source.
Analysis - Uses a combination of established and proprietary analysis methods to determine the likelihood that a source sends spam.
History Database - Maintains a database of behavioral history of each source.
Control - Uses TCP traffic-shaping techniques to restrict the suspect traffic.
Data flows through the antispam routers, much as it would through any router connecting you to the rest of the Internet. As data passes through, the routers sample the traffic and perform various analyses to determine the quality of the traffic from each source.
Sources with good traffic are prioritized, while sources that send spam are throttled. The result is a reduction in the bandwidth that spam consumes.
What happens on the sending mail server side?
High-quality senders can get email through to you even more quickly than without Traffic Shaping. But spammers have a problem; instead of a spammer clogging email bandwidth, their systems are slowed down and the spam cannot be fully deployed.
The actual traffic shaping is done using the following measures:
Reducing the transmission capacity of a sending system's TCP/IP channels: lower TCP/IP window size and lower TCP/IP acceptance rate
Limiting the number of emails that are sent during a TCP/IP session: Check number of SMTP data commands
Limiting the number of parallel TCP/IP sessions: Threshold for session concurrence from a single source
Limiting the rate at which new TCP/IP sessions can be established: Threshold for bind frequency from a single source
Spam volume from individual sources is considerably decreased, and in the long term the protected target domains are likely to be removed from spammers' databases.
Classification of spam sources
The IP addresses of known spam sources are drawn from the Symantec Sender reputation service as well as from ongoing protocol and content analysis. Unknown sources with no positive reputation are throttled and can be properly classified after analysis of their sending behavior and email content. Suspicious sources are servers whose TCP/IP or SMTP behavior directly violates RFCs and industry standards; if they have no positive reputation, they are classified as known spam sources. The classification is graduated and is expressed as a throttling rate (for example, 20% for unknown sources or 60% for suspicious sources).
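As an added illustration of the throttling measures and the graduated classification described above (constructed example code, not Symantec's implementation), the following per-source policy caps concurrent sessions, limits how often a single source may open new sessions, counts SMTP DATA commands per session, and shrinks the advertised TCP window by a per-class throttling rate. The 20% and 60% rates are the article's; the class names, thresholds, base window and the rates for "good" and "known_spam" sources are assumptions.

```python
from collections import defaultdict, deque

# Throttling rates by classification. The 20% (unknown) and 60% (suspicious)
# figures come from the article; 'good' and 'known_spam' are assumed values.
THROTTLE_RATE = {"good": 0.0, "unknown": 0.2, "suspicious": 0.6, "known_spam": 0.9}
BASE_WINDOW = 65535  # bytes; assumed full TCP receive window offered to a good sender


class SourceShaper:
    """Per-source enforcement of the four shaping measures (constructed thresholds)."""

    def __init__(self, max_concurrent=4, max_binds=10, window_s=60, max_data=20):
        self.max_concurrent = max_concurrent   # parallel TCP/IP sessions per source
        self.max_binds = max_binds             # new sessions per source per time window
        self.window_s = window_s               # length of the bind-frequency window (s)
        self.max_data = max_data               # SMTP DATA commands allowed per session
        self.binds = defaultdict(deque)        # source -> timestamps of recent opens
        self.active = defaultdict(int)         # source -> currently open sessions
        self.data_seen = defaultdict(int)      # (source, session) -> DATA commands seen

    def open_session(self, source, reputation, now):
        """Admit or refuse a new session; on accept, return the reduced TCP window."""
        recent = self.binds[source]
        while recent and now - recent[0] >= self.window_s:
            recent.popleft()                   # slide the bind-frequency window forward
        if len(recent) >= self.max_binds:
            return ("refuse", "bind-rate")     # too many new sessions from this source
        if self.active[source] >= self.max_concurrent:
            return ("refuse", "concurrency")   # session concurrence threshold reached
        recent.append(now)
        self.active[source] += 1
        # Reduce transmission capacity: scale the advertised window by the throttle rate.
        window = int(BASE_WINDOW * (1.0 - THROTTLE_RATE[reputation]))
        return ("accept", window)

    def data_command(self, source, session):
        """Count DATA commands on a session; False once the per-session cap is exceeded."""
        self.data_seen[(source, session)] += 1
        return self.data_seen[(source, session)] <= self.max_data

    def close_session(self, source):
        self.active[source] = max(0, self.active[source] - 1)
```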
The addition of traffic shaping to our platform has decreased both the danger and the volume of spam attacks.