How RPD Works

Commtouch's email protection strategy is based on the most fundamental characteristic of all spam and malware - their mass distribution over the Internet.

Rather than evaluating each individual message, Recurrent Pattern Detection™ (RPD™) technology analyzes large volumes of Internet traffic in real-time. New spam and malware outbreaks are identified as soon as they emerge, and recorded in the Commtouch Detection Center.

Commtouch engines, deployed within partner products at their customers worldwide, query the Commtouch Detection Center and receive message classification in real-time. The result is instant protection from new outbreaks - far ahead of signatures or software updates.

Leading messaging and security vendors have licensed or embedded Commtouch's RPD technology, which protects millions of users worldwide. RPD is recognized by key industry analysts as a leading technology in email outbreak detection. It achieves the industry's best detection/accuracy performance (Osterman Research) and "detects and blocks spam in the first few minutes of an outbreak, unlike other anti-spam approaches" (IDC).

Commtouch technology is equally effective against spam, fraud, phishing and malware. As long as the threat or spam is mass-distributed over the Internet, Commtouch's RPD technology can detect and block it. Technology benefits include:


How GlobalView Mail Reputation Works

The sending SMTP host attempts to connect over port 25 to your mail transfer agent (MTA). The MTA delays the connection and queries the Commtouch GlobalView Mail Reputation service about the reputation of the source and how to handle it. The query is sent over HTTP, UDP or the RBL/RBL+ protocol to a locally deployed daemon (ctIPd). The daemon is responsible for collecting real-time, dynamically updated reputation data about the source by communicating with the Commtouch Datacenter.

The source data is gathered by monitoring the source's global email sending behavior. It is composed of the volume of sent emails in several time frames, the spam ratio of its sent emails, a calculated risk level, a computed IP class and other relevant information. Additionally, ctIPd maintains local data, in several time-based windows, about all the previous times it was queried about this source. All of this information is used to generate a recommended action to apply to the source.

The response to the MTA (or to a security device querying about the source on behalf of the MTA) includes the raw reputation data and the recommended action. The action can be to accept the connection, to refuse it with a permfail, or to tempfail it as part of the throttling logic that was calculated for this source.
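The sketch below is an added example, not Commtouch code: it shows how an MTA-side policy hook could combine global reputation data with a local time window to choose between accept, tempfail and permfail at connection time. The field names, thresholds, window length and reply texts are all assumptions, and it counts only accepted connections in the window as a simplification.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

# Field names, thresholds and limits are assumptions for illustration only;
# they are not ctIPd's real response format or scoring.
@dataclass
class Reputation:
    spam_ratio: float   # share of the source's recent mail classified as spam
    risk: int           # calculated risk level, 0 (low) to 100 (high)

WINDOW_SECONDS = 600    # local time window used for throttling
SMTP_REPLY = {          # connection-time replies (RFC 5321 codes, constructed text)
    "accept": "220 mx.example.test ESMTP ready",
    "tempfail": "421 4.7.0 Rate limited, try again later",
    "permfail": "554 5.7.1 Refused: poor sender reputation",
}

class Throttle:
    """Combines global reputation with local per-source history."""
    def __init__(self):
        self.accepted = defaultdict(deque)  # source IP -> accept timestamps

    @staticmethod
    def budget(rep):
        """Connections allowed per window; None means unlimited."""
        if rep.risk < 30 and rep.spam_ratio < 0.2:
            return None
        return 5 if rep.risk < 70 else 1

    def decide(self, ip, rep, now):
        if rep.risk >= 90 and rep.spam_ratio >= 0.9:
            return "permfail"
        history = self.accepted[ip]
        while history and now - history[0] >= WINDOW_SECONDS:
            history.popleft()               # forget accepts outside the window
        limit = self.budget(rep)
        if limit is not None and len(history) >= limit:
            return "tempfail"
        history.append(now)
        return "accept"

def replay(events):
    """events: (ip, Reputation, unix_time) tuples -> list of SMTP replies."""
    throttle = Throttle()
    return [SMTP_REPLY[throttle.decide(*e)] for e in events]

# Constructed sample traffic (documentation address ranges).
SAMPLE = [("192.0.2.10", Reputation(0.6, 75), 0), ("192.0.2.10", Reputation(0.6, 75), 10),
          ("192.0.2.10", Reputation(0.6, 75), 700), ("198.51.100.7", Reputation(0.97, 95), 5)]
```

Calling `replay(SAMPLE)` returns one reply per connection attempt: the high-risk source is accepted once, tempfailed on its retry inside the window, accepted again after the window expires, and the worst-reputation source is refused outright.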

GlobalView Components