How Symantec Brightmail Gateway works

Article:HOWTO15258  |  Created: 2009-01-23  |  Updated: 2010-01-30  |  Article URL http://www.symantec.com/docs/HOWTO15258
Article Type: How To



Figure: Symantec Brightmail Gateway Architecture shows how Symantec Brightmail Gateway processes an email message. This diagram assumes that the message passes through the Filtering Engine to the Transformation Engine without being rejected. The diagram also shows the path IM traffic takes through the system.

Figure: Symantec Brightmail Gateway Architecture


The paths that email messages and instant messages take are described below.

Email messages

The path an email message takes through the system is as follows:

  • At the gateway, Connection Classification classifies the sending IP into one of 9 classes based on local reputation. It either accepts or defers the connection based on class membership. New senders are placed in a tenth, default class. Symantec Brightmail Gateway also checks the IP address to determine if it belongs to a good sender group or bad sender group. It then blocks or permits the connection accordingly.

  • Before the MTA accepts the message, it checks the domain address and email address. The MTA determines whether either belongs to the Local Good Sender Domains or Local Bad Sender Domains groups. If it does, the MTA applies the configured action to the message. If appropriate, the MTA moves the message to its inbound queue.

  • The Brightmail Engine consults the directory data service to expand the message’s distribution list.

  • The Brightmail Engine determines each recipient’s filtering policies.

  • Antivirus filters determine whether the message is infected.

  • Content filtering policy filters scan the message for restricted attachment types or words, as defined in configurable dictionaries.

  • If the sending IP is granted a pass by Fastpass, antispam filtering is bypassed. If not, the antispam filters that use the latest rules from Symantec Security Response determine whether the message is spam. The message may also be checked against user-defined Language settings.

  • The Transformation Engine performs actions according to filtering results and configurable policies and applies them to each recipient's message based on policy group membership.

Instant messages

The path an instant message takes through the IM message flow (from an external source) is as follows:

  • IM traffic enters your network and is redirected to the IM proxy by your enterprise DNS servers.

  • The IM proxy filters IM traffic according to your settings and compares the traffic with the current filters that Symantec Security Response publishes. These filters determine whether a message is spim or contains a virus. If a message is determined to contain spim or a virus, you can choose to block this traffic.

  • The IM traffic reaches the internal user's IM client.

  • If you have enabled outbound IM filtering, outbound messages are routed through the IM proxy before they are sent to an external user's IM client.


Note:
Symantec Brightmail Gateway does not filter any messages that do not flow through the SMTP gateway. For example, it does not filter the messages that are sent between mailboxes on the same Microsoft Exchange Server. Nor does it filter the messages on different servers within a Microsoft Exchange organization.

See About email message flow.
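
One way to audit the gap described in the note above, as an added example that is not part of the original article or Symantec's own code: the script walks a stored message's Received headers, newest first, and reports whether a trusted hop recorded a hand-off from the gateway. The IP addresses, host names and the `(name [ip])` header layout are assumptions, and the sample messages are constructed.

```python
import re
from email import message_from_string

# Assumed addresses: replace with your gateway and internal mail servers.
GATEWAY_IPS = {"10.0.0.5"}
INTERNAL_IPS = {"10.0.0.20", "10.0.0.21"}

# Address the receiving server recorded in the parenthesised comment, e.g.
# "from helo.name (rdns.name [192.0.2.10]) by ...". The HELO name before the
# parenthesis is chosen by the client, so it is ignored.
CLIENT_IP = re.compile(r"\([^()]*\[([0-9A-Fa-f.:]+)\]\)")

def client_ips(raw_message):
    """Recorded client address of each Received header, newest hop first."""
    msg = message_from_string(raw_message)
    ips = []
    for value in msg.get_all("Received", []):
        match = CLIENT_IP.search(value)
        ips.append(match.group(1) if match else "")
    return ips

def passed_gateway(raw_message):
    """True if the trusted part of the trace shows a hand-off from the gateway."""
    for ip in client_ips(raw_message):
        if ip in GATEWAY_IPS:
            return True
        if ip not in INTERNAL_IPS:
            break  # older headers came from outside and prove nothing
    return False

# Constructed sample messages (not real traffic).
INBOUND = (
    "Received: from smg.example.com (smg.example.com [10.0.0.5]) by exch01.example.com; Mon, 1 Feb 2010 10:00:02 +0000\n"
    "Received: from mail.sender.test (mail.sender.test [192.0.2.10]) by smg.example.com; Mon, 1 Feb 2010 10:00:01 +0000\n"
    "Subject: inbound via gateway\n\nbody\n"
)
INTERNAL = (
    "Received: from exch02.example.com (exch02.example.com [10.0.0.21]) by exch01.example.com; Mon, 1 Feb 2010 10:05:00 +0000\n"
    "Subject: mailbox to mailbox\n\nbody\n"
)
UNTRUSTED_TRACE = (
    "Received: from [10.0.0.5] (unknown [192.0.2.10]) by exch01.example.com; Mon, 1 Feb 2010 10:07:00 +0000\n"
    "Received: from a.test (a.test [10.0.0.5]) by exch02.example.com; Mon, 1 Feb 2010 10:06:59 +0000\n"
    "Subject: older header claims the gateway address\n\nbody\n"
)

if __name__ == "__main__":
    for name in ("INBOUND", "INTERNAL", "UNTRUSTED_TRACE"):
        print(name, passed_gateway(globals()[name]))
```

The walk stops at the first hop whose recorded client is neither the gateway nor an internal server, because every header below that point was supplied by the sending side.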


Legacy ID: 320041

