About detecting suspected spim

Article:HOWTO15241  |  Created: 2009-01-23  |  Updated: 2010-01-20  |  Article URL http://www.symantec.com/docs/HOWTO15241
Article Type: How To


Symantec Brightmail Gateway uses heuristic-based technology to detect and block IM messages whose content is suspected of being spim.

Symantec Brightmail Gateway uses predefined settings from Symantec Security Response to scan each IM message for content that is characteristic of spim. These settings define how many times particular content (such as a URL) appears across multiple IM messages within a specified number of seconds. For example, the URL www.geocities.com/some_recent.pictures is suspected of being spim if it is detected 5 times within a 75-second interval.

Suspected spim is uploaded to Symantec Security Response and subsequently downloaded by other Symantec Brightmail Gateway systems that are configured to detect heuristic-based spim. However, suspected spim is blocked only for a pre-configured length of time. (The default is 4 hours.) If the suspected spim does not continue to violate the heuristic-based spim settings during this time, it is no longer suspected of being spim. Its new status is then uploaded to Symantec Security Response and subsequently downloaded to the other Symantec Brightmail Gateway systems.

You also receive suspected spim from other Symantec Brightmail Gateway systems that are configured to detect heuristic-based spim.
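The threshold-and-expiry behavior described above, sketched as an added example (it is not Symantec's code and not part of the original article). The class and method names are hypothetical, and the sketch assumes that each new violation restarts the block timer; the 5-in-75-seconds threshold and the 4-hour block are the values the article gives.

```python
from collections import defaultdict, deque

THRESHOLD = 5        # sightings needed (the article's example)
WINDOW_S = 75        # interval in seconds (the article's example)
BLOCK_S = 4 * 3600   # block duration (the article's stated default)


class SuspectedSpimTracker:
    """Hypothetical sliding-window counter per content item with a timed block."""

    def __init__(self, threshold=THRESHOLD, window_s=WINDOW_S, block_s=BLOCK_S):
        self.threshold = threshold
        self.window_s = window_s
        self.block_s = block_s
        self._seen = defaultdict(deque)  # content -> timestamps still in window
        self._blocked_until = {}         # content -> time the block expires

    def observe(self, content, now):
        """Record one sighting at `now` (seconds); return True if it is blocked."""
        seen = self._seen[content]
        seen.append(now)
        # Drop sightings that have aged out of the window.
        while seen and now - seen[0] >= self.window_s:
            seen.popleft()
        if len(seen) >= self.threshold:
            # Assumption: every fresh violation restarts the block timer.
            self._blocked_until[content] = now + self.block_s
        return self.is_suspected(content, now)

    def is_suspected(self, content, now):
        """True while a block is active; an expired block clears the status."""
        until = self._blocked_until.get(content)
        if until is None:
            return False
        if now >= until:
            del self._blocked_until[content]  # no longer suspected
            return False
        return True


if __name__ == "__main__":
    tracker = SuspectedSpimTracker()
    url = "www.geocities.com/some_recent.pictures"  # URL from the article
    for t in (0, 10, 20, 30, 40):  # constructed timestamps, in seconds
        print(t, tracker.observe(url, t))
```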

See About detecting spim.


Legacy ID: 320024

