
Bulk Analysis uses a set of servers that maintain databases of message checksums derived from numeric values that uniquely identify a message. Mail users and ISPs all over the world submit checksums of all messages received. The database records how many times each message has been submitted. If requested, the Bulk Analysis server can return a count of how many instances of a message have been received. ePrism uses this count to determine the disposition of a message.

A Bulk Analysis server receives no mail, addresses, headers, or any similar information, only the cryptographically secure checksums of such information. A Bulk Analysis server cannot determine the text or other information that corresponds to the checksums it receives. It acts only as a clearinghouse of counts of checksums computed by clients. Bulk Analysis provides a simple but very effective way to identify spam and control its disposition while updating its database with new spam message types.

The weight assigned to Bulk Analysis in the Intercept advanced settings will be the score used by Intercept processing if the message is considered bulk.

You must allow a connection on UDP port 6277 on your firewall or router to allow communications with a Bulk Analysis server. If this port is not available, Bulk Analysis server calls will fail and slow down mail delivery.

Bulk Analysis Considerations

When implementing Bulk Analysis, consider the following:

• Educate your user community about this tool and ask them to submit mailing lists and other bulk mail sources that need to be trusted. This step is crucial if Bulk Analysis and Token Analysis are to work properly.

• Set your Intercept spam dispositions so that users can recognize that a mail has been mistakenly identified as spam. This will allow users to report back false positives. The Modify Subject Header disposition is well suited for this task.

Configuring Bulk Analysis

Select Mail Delivery ➝ Anti-Spam ➝ Intercept on the menu, and then select Bulk Analysis to configure its options.

Threshold Settings

The threshold is used to determine what should happen to mail when it has been classified.

• If bulk exceeds — Bulk Analysis returns a number showing how many times the message has been identified. This can be zero (unique and therefore not bulk) or another number, such as 1352, indicating that the message has been reported as bulk this many times.

It may also return the value "many". This is a special Bulk Analysis value returned when Bulk Analysis has seen a certain message in such volumes and in such a frequency that it is most certainly considered "bulk".

For Bulk Analysis to be useful, you need to specify a threshold that will trigger an action. It is recommended that you enter either "many" or a value of 50 or 100.

Body1, Fuz1, and Fuz2 are settings that specify which checksums will be calculated and sent in. It is recommended that you leave the default settings. These settings effectively counter the efforts of spammers to randomize message content and evade detection as bulk. Results of the various counts can be viewed in the transport logs.

Click the Advanced button to reveal additional settings such as From, ID, and IP. The selected checksums must be supported by the Bulk Analysis server to work properly and it is recommended that you use the default settings.

These additional settings should be used with caution, as they may increase the risk of false positives.


• Bulk Analysis Warning Threshold — The threshold for the expected Bulk Analysis successful response rate, as a percentage of the total number of Bulk Analysis queries performed. If the successful response rate falls below this value, an alarm will be generated.

It is acceptable to have some value of loss depending on network connectivity. This feature is used to determine whether communication between ePrism and the Bulk Analysis network is occurring properly.
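The following sketch is an added example, not ePrism or Bulk Analysis server code. It shows why a clearinghouse that sees only checksums can still flag randomized spam, and how the "If bulk exceeds" threshold is applied to the returned counts. The two checksum functions are simplified stand-ins for Body1 and Fuz1, and `MANY_FLOOR` and the strict "greater than" comparison are assumptions.

```python
import hashlib
import re
from collections import Counter

MANY = "many"       # special value the server returns for overwhelming volume
MANY_FLOOR = 1000   # assumed cut-over point; the manual gives no number


def body_checksum(body: str) -> str:
    """Exact checksum: any changed character yields a different value."""
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def fuzzy_checksum(body: str) -> str:
    """Stand-in fuzzy checksum: hash only the words, ignoring digits and case."""
    words = re.findall(r"[a-z]{3,}", body.lower())
    return hashlib.sha256(" ".join(words).encode("utf-8")).hexdigest()


class Clearinghouse:
    """Stores counts of checksums only; never text, headers or addresses."""

    def __init__(self):
        self.counts = Counter()

    def report(self, checksums: dict) -> dict:
        reply = {}
        for kind, value in checksums.items():
            seen = self.counts[(kind, value)]      # earlier reports (0 = unique)
            self.counts[(kind, value)] += 1
            reply[kind] = MANY if seen >= MANY_FLOOR else seen
        return reply


def is_bulk(reply: dict, threshold) -> bool:
    """Apply the threshold: either the string "many" or a number such as 50."""
    for value in reply.values():
        if value == MANY:
            return True
        if threshold != MANY and value > threshold:
            return True
    return False


def simulate(n: int, threshold):
    """Report n constructed spam variants; return the last reply and verdict."""
    server = Clearinghouse()
    reply = {}
    for i in range(n):
        body = f"Cheap watches, buy now! ref:{i:05d}"   # constructed sample
        reply = server.report({"Body1": body_checksum(body),
                               "Fuz1": fuzzy_checksum(body)})
    return reply, is_bulk(reply, threshold)
```

With 60 variants and a threshold of 50, the exact checksum still reports zero for every message while the fuzzy count reaches 59 and trips the threshold; the same run with a threshold of "many" does not.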

Bulk Analysis Servers

Click Edit in the Bulk Analysis Servers section to configure your server settings, if required.

The default Bulk Analysis server supplied will cover most cases and should not be changed without careful consideration.

You must allow a connection on UDP port 6277 on your firewall or router to allow communications with a Bulk Analysis server. If this port is not available, Bulk Analysis server calls will fail and slow down mail delivery.

Bulk Analysis Trusted and Blocked Entry List

Administrators can create exceptions to bulk classifications by using the Trusted and Blocked List. In many cases, it may be easier to specify such exceptions using Pattern Based Message Filters, in which case the mail bypasses all anti-spam settings. It is recommended that Pattern Based Message Filters be used for creating exceptions. The Bulk Analysis trusted and blocked entry list feature is useful for removing legitimate bulk mail, such as mailing lists, from consideration as bulk while letting it be scanned by Intercept for other spam characteristics.

Click Edit to add entries to the Trusted and Blocked Entry lists. Click Apply to add the new entry.
