How it Works (in general)

When a message is processed by SNF, the source IP of the message is determined and evaluated by the GBUdb. The message is then scanned by the pattern matching engine in the usual way.

If the IP is white listed (Good), black listed (Bad), or confidence in the learned behavior of the IP is high, then the GBUdb information influences the scan result. If the GBUdb has no strong evidence about a given IP, the SNF pattern scanner operates normally.

Some examples

  • Caution / Black - If a message fails to match a black SNF pattern rule but the IP is known to be bad, then a nonzero result is returned so that the message is considered spam. This mode reduces false negatives (leakage).
  • White - If a message matches a black SNF pattern rule but the IP is known to be good, then the result is forced to zero (typically) so that the message is not considered spam. This mode reduces false positives.


Special cases

  • Truncate - If the IP is known to be very, very bad, then the SNF pattern scan will be interrupted as soon as the source IP can be determined and a special result code will be returned to indicate that the message was truncated. This saves CPU cycles for other work and improves system throughput. This mode can also reduce leakage since there is no chance that a message coming from a truncated source will fail to match a pattern rule and slip past the scanner.
  • Auto Panic - If the IP is known to be good and the SNF pattern scan matches a new black rule then the system will "auto-panic". This causes the new pattern rule to be put into a temporary rule-panic list so that it becomes inert. Telemetry from the system will notify us of the conflict so that we can correct the troublesome rule.
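The decision logic described in the examples and special cases above, as an added illustration rather than SNF's own code: the result codes, the confidence threshold, the record fields and the sample GBUdb contents are all assumptions made for this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable

class Flag(Enum):
    GOOD = "good"
    BAD = "bad"
    UGLY = "ugly"             # mixed or unknown behaviour: no influence on the scan

@dataclass
class GBUdbRecord:
    flag: Flag = Flag.UGLY
    confidence: float = 0.0   # strength of the learned behaviour, 0.0 .. 1.0
    listed: bool = False      # explicitly white/black listed: always decisive
    truncate: bool = False    # so bad that the pattern scan is skipped entirely

@dataclass
class Verdict:
    result: int               # 0 = clean, nonzero = spam (rule id or special code)
    truncated: bool = False
    auto_panicked: bool = False

# Assumed result codes and threshold for this illustration, not SNF's actual values.
CLEAN, CAUTION, TRUNCATED = 0, 40, 20
CONFIDENCE_THRESHOLD = 0.8

def scan_message(source_ip: str, gbudb: dict, scanner: Callable[[], int],
                 panic_list: set) -> Verdict:
    # scanner() stands in for the pattern engine: it returns a rule id, or 0 for no match.
    rec = gbudb.get(source_ip, GBUdbRecord())
    if rec.truncate:                 # Truncate: the pattern scan never runs
        return Verdict(TRUNCATED, truncated=True)
    rule = scanner()
    if rule in panic_list:           # auto-panicked rules are inert
        rule = CLEAN
    decisive = rec.listed or rec.confidence >= CONFIDENCE_THRESHOLD
    if decisive and rec.flag is Flag.GOOD:
        if rule != CLEAN:            # a black rule fired against a known-good IP
            panic_list.add(rule)     # Auto Panic: the rule is inert from now on
            return Verdict(CLEAN, auto_panicked=True)
        return Verdict(CLEAN)        # White: force zero, suppressing a false positive
    if decisive and rec.flag is Flag.BAD and rule == CLEAN:
        return Verdict(CAUTION)      # Caution/Black: no rule matched but the IP is bad
    return Verdict(rule)             # no strong evidence: the scanner result stands

# Constructed sample GBUdb contents (documentation addresses, not real hosts).
SAMPLE_GBUDB = {
    "192.0.2.10": GBUdbRecord(Flag.GOOD, 0.95),                # learned good, high confidence
    "192.0.2.20": GBUdbRecord(Flag.BAD, 0.90),                 # learned bad, high confidence
    "192.0.2.30": GBUdbRecord(Flag.BAD, listed=True, truncate=True),
    "192.0.2.40": GBUdbRecord(Flag.BAD, 0.30),                 # too little evidence to act on
}
```

Note that the panic list is shared state: once a rule has been auto-panicked against a known-good source, later messages matching it from any source are scored as if the rule had not fired.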


The system is designed so that each individual SNF node retains its own unique perspective on the IPs it encounters while sharing that information with all other SNF nodes and gathering additional information from them.
