Commtouch's email protection strategy is based on the most fundamental characteristic of all spam and malware - their mass distribution over the Internet.
Rather than evaluating each individual message, Recurrent Pattern DetectionT (RPDT) technology analyzes large volumes of Internet traffic in real-time. New spam and malware outbreaks are identified as soon as they emerge, and recorded in the Commtouch Detection Center.
Commtouch engines, deployed within partner products at their customers worldwide, query the Commtouch Detection Center and receive message classification in real-time. The result is instant protection from new outbreaks - far ahead of signatures or software updates.
Leading messaging and security vendors have licensed or embedded Commtouch's RPD technology, which protects millions of users worldwide. RPD is recognized by key industry analysts as a leading technology in email outbreak detection. It achieves the industry's best detection/accuracy performance (Osterman Research) and "detects and blocks spam in the first few minutes of an outbreak, unlike other anti-spam approaches" (IDC).
Commtouch technology is equally effective against spam, fraud, phishing and malware. As long as the threat or spam is mass-distributed over the Internet, Commtouch's RPD technology can detect and block it. Technology benefits include:
- Equally effective for all languages and formats
- Real-time protection from the very first moment a new outbreak emerges
- Proven +98% detection rate
- The industry's highest accuracy levels (Osterman Research)
- A future-proof method - cannot be circumvented by spam/malware senders
- Fully automated detection
- Protects against server-side polymorphic malware, to complement traditional anti-virus
The sending SMTP host attempts to connect over port 25 to your mail transfer agent (MTA). The MTA delays the connection and queries the Commtouch GlobalView Mail Reputation service about the reputation of the source and how to handle it. The query is generated over HTTP, UDP or RBL/RBL+ protocol to a locally deployed daemon (ctIPd). The daemon is responsible for collecting real-time and dynamically updated reputation data about the source by communicating to the Commtouch Datacenter.
The source data is gathered by monitoring its global email sending behavior and is composed of the volume of sent emails in several time frames,the spam ratio of its sent emails, a calculated risk level, computed IP class and other relevant information. Additionally, ctIPd maintains local data in several time-based windows about all the previous times that it was already queried about this source. All of this information is used to generate a recommended action to apply on the source.
The response to the MTA (or a security device querying about the source on behalf of the MTA) includes the raw reputation data and the recommended action, which can be either to accept the connection, refuse with a permfail or to tempfail it as part of a throttling logic that was calculated for this source.GlobalView Components
- Querying Device - The term "querying device" is used as a generic term for MTAs, security appliances, networking devices, or any device that is capable of receiving email messages or monitoring SMTP traffic and generating a query to ctIPd over HTTP, UDP, or RBL/RBL+ protocols. Once a response from ctIPd is received, the querying device is responsible for applying connection management decisions and flow control actions based on ctIPd's response.
- ctIPd - A daemon (ctIPd) that performs various functions, from receiving and processing incoming requests from querying devices to determining the reputation of specific sources and quickly responding to the querying devices with details on several key data types along with recommended action. Typically, ctIPd is deployed on-site in order to guarantee high performance and availability to local querying devices.
- ctIPd Protocol - In order to enable communication between a querying device and ctIPd, and easy integration by its OEM partners, Commtouch has developed a simple communication protocol. This protocol enables OEM partners to communicate with ctIPd and thereby to provide GlobalView reputation services to their users. Communication between ctIPd and the querying device can be accomplished over HTTP, UDP or RBL/RBL+ interfaces.
- Commtouch Datacenter - The Commtouch Datacenter monitors global email traffic in real-time (24*7*365) from various sources on an ongoing basis and maintains a vast database of reputation and classifications that are determined based on numerous dynamically changing parameters.