About detecting suspected spim
Article: HOWTO15241 | Created: 2009-01-23 | Updated: 2010-01-20 | Article URL: http://www.symantec.com/docs/HOWTO15241
Symantec Brightmail Gateway uses predefined settings from Symantec Security Response to scan each IM message for content that is characteristic of spim. These settings define how many times particular content (such as a URL) must appear across multiple IM messages within a specified number of seconds for it to be suspected. For example, the URL www.geocities.com/some_recent.pictures is suspected of being spim if it is detected 5 times within a 75-second interval.
Suspected spim is uploaded to Symantec Security Response and subsequently downloaded by other Symantec Brightmail Gateway systems that are configured to detect heuristic-based spim. However, suspected spim is blocked only for a pre-configured length of time. (The default is 4 hours.) If the suspected spim does not continue to violate the heuristic-based spim settings during this time, it is no longer suspected of being spim. Its new status is then uploaded to Symantec Security Response and subsequently downloaded to the other Symantec Brightmail Gateway systems.
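The threshold and expiry behavior described above can be modeled as a sliding-window counter. The following is an added example, not Symantec's implementation: the class and function names are hypothetical, the traffic is constructed, and it assumes that each new violation restarts the block period.

```python
from collections import defaultdict, deque

THRESHOLD = 5             # sightings needed (from the article's example)
WINDOW_SECONDS = 75       # interval (from the article's example)
BLOCK_SECONDS = 4 * 3600  # default block duration stated in the article

class SpimHeuristic:
    """Per-content sliding-window counter with an expiring 'suspected' status."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECONDS, block=BLOCK_SECONDS):
        self.threshold, self.window, self.block = threshold, window, block
        self.sightings = defaultdict(deque)  # content -> timestamps still in window
        self.blocked_until = {}              # content -> when suspected status lapses

    def observe(self, content, ts):
        """Record one IM message carrying `content` at `ts` (seconds); return status."""
        seen = self.sightings[content]
        seen.append(ts)
        while ts - seen[0] > self.window:    # discard sightings older than the window
            seen.popleft()
        if len(seen) >= self.threshold:
            # Assumption: every fresh violation restarts the block period.
            self.blocked_until[content] = ts + self.block
        return self.is_suspected(content, ts)

    def is_suspected(self, content, ts):
        """True while the block period from the last violation is still running."""
        expiry = self.blocked_until.get(content)
        if expiry is not None and ts >= expiry:
            del self.blocked_until[content]  # no new violation in time: status cleared
            return False
        return expiry is not None

def replay(events):
    """Replay (timestamp, content) pairs; map content -> time it first became suspected."""
    detector, first_flagged = SpimHeuristic(), {}
    for ts, content in events:
        if detector.observe(content, ts):
            first_flagged.setdefault(content, ts)
    return first_flagged

# Constructed sample traffic: the article's example URL in a burst, another URL spread out.
SPIM_URL = "www.geocities.com/some_recent.pictures"
SLOW_URL = "example.com/shared-notes"  # constructed, never 5 hits inside 75 s
SAMPLE_EVENTS = [(0, SPIM_URL), (10, SPIM_URL), (20, SLOW_URL), (30, SPIM_URL),
                 (50, SPIM_URL), (70, SPIM_URL), (200, SLOW_URL), (400, SLOW_URL),
                 (600, SLOW_URL), (800, SLOW_URL)]

if __name__ == "__main__":
    print(replay(SAMPLE_EVENTS))
```

A sighting exactly 75 seconds after the first is counted as inside the window here; the article does not say which way that boundary falls.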
See About detecting spim.