Configuring Brightmail with Sun Java System Messaging Server

Overview of Symantec Brightmail AntiSpam

The Symantec Brightmail solution consists of the Brightmail AntiSpam software along with realtime anti-spam and anti-virus rule updates downloaded to email servers.

How Symantec Brightmail Works

An organization deploys the Symantec Brightmail software at its site. Symantec has email probes set around the Internet for detection of new spam. Symantec technicians create custom rules to block this spam in realtime. These rules are downloaded to Symantec Brightmail servers, also in realtime. The Symantec Brightmail database is updated and the Symantec Brightmail server runs this database filter against the email for the specified users or domains.

Brightmail Architecture

Figure 1 depicts the Symantec Brightmail architecture.

Figure 1 Brightmail and Messaging Server Architecture

Symantec Brightmail and Messaging Server Architecture

When Symantec Security Response receives spam from email probes, operators immediately create appropriate spam filtering rules, which are downloaded to Symantec Brightmail customer machines. Similarly, Symantec Security Response sends realtime virus rules. Customers' Symantec Brightmail servers use these rules to catch spam and viruses.

The Sun Java System Messaging Server MTA uses the Symantec Brightmail SDK to communicate with the Symantec Brightmail server. The MTA dispatches messages based on the response from Brightmail. After the mail (1a) or (1b) is received by the MTA, the MTA sends a copy of the message contents to the Symantec Brightmail server (2). The Symantec Brightmail server uses its rules and data to determine whether the message is spam or contains a virus (3), and returns a verdict to the MTA. Based on the verdict, the MTA either (4a) discards the message, (4b) delivers it to a particular folder in the Message Store, or (4c) delivers it to the default INBOX folder.

Because the Symantec Brightmail SDK is third-party software, it is not included in the Messaging Server installation kit. You must obtain the Symantec Brightmail SDK and server software from Symantec. The MTA has configuration settings to tell it whether and where to load the Symantec Brightmail SDK to enable Symantec Brightmail integration.

Once the SDK is loaded, Symantec Brightmail message processing is determined by several factors and levels of granularity. Symantec Brightmail scanning can be selected in the MTA in a variety of ways: with a per-user LDAP attribute, with a per-domain LDAP attribute, or according to source or destination channel.

The Messaging Server MTA passes an optin variable to the Symantec Brightmail server. If a destinationspamfilternoptin optin-value or sourcespamfilternoptin optin-value marking is placed on a relevant channel in the imta.cnf file, or if a domain or user has the appropriate LDAP attribute set to some string (optin-value), then that optin-value is passed as the value of the optin variable to Brightmail. If you enable the Brightmail client-side optin and the optin value is not set, the Brightmail default is NULL, which means that email is not filtered with any Symantec Brightmail service (spam or virus).
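Because an unset optin value means mail passes unfiltered, it is worth auditing which channels carry a channel-level optin marking. The following is an added example, not code from the Messaging Server or Brightmail documentation: it assumes the usual imta.cnf layout (rewrite rules, a blank line, then blank-line-separated channel blocks whose first line is the channel name and keywords), reads the "n" in the keyword names as a single digit, and runs on a constructed sample. It checks the channel level only; a channel it flags may still be covered by per-user or per-domain LDAP attributes.

```python
import re

# Constructed sample in the assumed imta.cnf layout (not a real configuration).
SAMPLE_IMTA_CNF = """\
! rewrite rules (constructed)
example.com $U%example.com@mail.example.com

! local channel, no channel-level optin
l defragment subdirs 20
mail.example.com

! inbound SMTP, optin value set on the channel
tcp_local smtp mx single_sys sourcespamfilter1optin spam,virus maxjobs 7
tcp-daemon

! message store delivery, keyword present but its value is missing
ims-ms defragment destinationspamfilter1optin
ims-ms-daemon
"""

# Assumption: the "n" in sourcespamfilternoptin is one digit.
OPTIN_KW = re.compile(r"^(source|destination)spamfilter(\d)optin$")

def channel_blocks(text):
    """Yield (channel_name, keyword_tokens) for each channel block."""
    blocks = re.split(r"\n\s*\n", text.strip())
    for block in blocks[1:]:  # the first block holds the rewrite rules
        lines = [ln for ln in block.splitlines()
                 if ln.strip() and not ln.lstrip().startswith("!")]
        if lines:
            tokens = lines[0].split()
            yield tokens[0], tokens[1:]

def audit_optin(text):
    """Map channel -> [(direction, filter_number, optin_value or None)]."""
    report = {}
    for name, tokens in channel_blocks(text):
        hits = []
        for i, tok in enumerate(tokens):
            m = OPTIN_KW.match(tok.lower())
            if m:  # the optin value is the token that follows the keyword
                value = tokens[i + 1] if i + 1 < len(tokens) else None
                hits.append((m.group(1), int(m.group(2)), value))
        report[name] = hits
    return report

def needs_review(report):
    """Channels with no optin keyword, or a keyword that lacks a value."""
    return sorted(ch for ch, hits in report.items()
                  if not hits or any(v is None for _, _, v in hits))
```
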

Symantec Brightmail offers only two distinguishable services, spam and virus. However, Symantec Brightmail supports the concept of “group policies,” enabling different actions for different users based on the same verdict. See the Symantec Brightmail AntiSpam documentation for more information. Symantec Brightmail also provides a “content-filtering” service, but this functionality is provided using Sieve, so there is no added value in having Symantec Brightmail do the Sieve filtering.

When a message is determined to contain a virus, the Symantec Brightmail software can be configured to clean the virus and resubmit the cleaned message back to the MTA. (Due to some undesirable side effects caused by loss of information about the original message in a resubmitted cleaned message, do not configure Symantec Brightmail to resubmit the cleaned message back to the MTA.) When the message is spam, the verdict returned by Symantec Brightmail, together with the MTA configuration for how to interpret that verdict, determines what happens to the message. The message can be discarded, filed into a folder, tagged as spam or virus on the subject line, passed to a Sieve rule, delivered normally in the INBOX, and so on.

The Symantec Brightmail software can be located on the same system as the MTA, or it can be on a separate host. In fact, you can have a farm of Symantec Brightmail servers serving one or more MTAs. The Symantec Brightmail SDK uses the bmiconfig_client.xml file to determine which Symantec Brightmail servers to use.

Symantec Brightmail Requirements and Performance Considerations