1. Features
Halon provides a threat detection add-on from Eleven. It detects email-borne spam and malware in real-time, with classification already in the first minutes after a new outbreak is launched. It is designed to minimize the exposure of users to the high magnitude of email-borne threats and to deliver nearly 100% protection against massive spam and virus attacks with a very low false positive rate.
Eleven’s classification methodology identifies threat patterns in real-time as they are released to the Internet within an outbreak. It can be used for incoming email filtering to protect customers or users from receiving spam. It can also be used to give service providers the ability to detect and block outbound spam messages, thereby protecting their business reputation and avoiding being blocklisted by other servers.
1.1. Anti-spam detection
While most anti-spam solutions rely on a form of lexical analysis, Eleven offers detection services that are content-agnostic and therefore able to detect spam in all languages, message formats and encoding (single byte and double byte), even in messages containing only images. It analyzes messages and returns accurate spam classifications to Halon Protect to apply an action (such as reject with a notification to the sender, quarantine for second opinion or delayed decision, etc.).
Eleven identifies message patterns (similarity codes) in spam attacks as they emerge on the Internet. Any message containing one or more of these unique patterns can be assumed with a great deal of certainty to be part of the same mass-mailing, and Eleven distinguishes solicited from unsolicited bulk email patterns.
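The following Python block is an added illustration of the idea behind content-agnostic similarity codes; it is not Eleven's algorithm and not code from Halon or the eleven module. It treats each message as raw bytes, sketches it with min-hash codes over overlapping byte windows, and flags any message whose codes were already seen in other messages of the observed stream. Three personalised copies of one constructed bulk mailing share codes with each other; an unrelated constructed personal message shares none. The sample messages, the window length and the number of codes are assumptions chosen for the demonstration, and the block makes no attempt to separate solicited from unsolicited bulk mail.

```python
import hashlib

# Constructed sample messages (not real mail traffic): three personalised
# copies of one bulk mailing and one unrelated personal message.
BULK_TEMPLATE = (
    "Dear {name}, your monthly account statement for {month} is now available. "
    "Please sign in to the customer portal at http://example.invalid/statement "
    "and enter reference {ref} to review the charges, download the PDF copy "
    "and update your payment preferences. If you have any questions about "
    "this statement, reply to this message and our billing team will help. "
    "Kind regards, the Billing Team"
)
SAMPLE_MESSAGES = {
    "bulk-1": BULK_TEMPLATE.format(name="Alice", month="March", ref="A1-7731"),
    "bulk-2": BULK_TEMPLATE.format(name="Bob", month="March", ref="B2-0419"),
    "bulk-3": BULK_TEMPLATE.format(name="Chen", month="March", ref="C3-5520"),
    "personal": "Hi Dana, notes from Tuesday's planning call attached. "
                "Ping me if something is missing. Cheers, Eve",
}

SHINGLE_LEN = 8    # byte window (assumed); works on any encoding or on image bytes alike
NUM_CODES = 16     # number of independent min-hash values per message (assumed)


def shingles(data: bytes, n: int = SHINGLE_LEN) -> set:
    """All overlapping n-byte windows of the raw message bytes."""
    if len(data) <= n:
        return {data}
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def _keyed_hash(seed: int, shingle: bytes) -> int:
    # One independent 64-bit hash family member per seed (BLAKE2b keyed mode).
    digest = hashlib.blake2b(shingle, digest_size=8, key=seed.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big")


def similarity_codes(data: bytes) -> set:
    """Min-hash sketch: each code is the smallest keyed hash over all shingles.
    Two messages share a given code with probability equal to their Jaccard
    similarity, so near-duplicate bulk copies share many codes and unrelated
    messages share (almost) none."""
    sh = shingles(data)
    return {(seed, min(_keyed_hash(seed, s) for s in sh)) for seed in range(NUM_CODES)}


def shared_codes(a: bytes, b: bytes) -> int:
    """Number of similarity codes two raw messages have in common."""
    return len(similarity_codes(a) & similarity_codes(b))


def detect_bulk(messages: dict, min_copies: int = 2) -> dict:
    """Flag every message whose codes were also seen in at least
    `min_copies` messages (itself included) of the observed stream."""
    index = {}                       # code -> set of message ids carrying it
    codes_by_msg = {}
    for mid, text in messages.items():
        codes = similarity_codes(text.encode("utf-8"))
        codes_by_msg[mid] = codes
        for code in codes:
            index.setdefault(code, set()).add(mid)
    verdict = {}
    for mid, codes in codes_by_msg.items():
        peers = set().union(*(index[c] for c in codes))
        verdict[mid] = len(peers) >= min_copies
    return verdict


if __name__ == "__main__":
    for mid, is_bulk in detect_bulk(SAMPLE_MESSAGES).items():
        print(f"{mid}: {'bulk mailing' if is_bulk else 'no pattern match'}")
```

Because the sketch is computed over bytes rather than words, the same code path handles any language, single- or double-byte encodings, and image-only bodies; what varies is only how much of the byte stream the sender personalises between copies.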
1.2. Virus outbreak detection
In the case of email-borne malware outbreaks or new instances of already-known viruses, Eleven delivers zero-hour virus protection, detecting if and when new, unknown viruses and worms have infiltrated through the defenses of existing signature-based or heuristic/sandbox-based antivirus scanners. It protects during the first critical hours of the outbreak, before new signatures or heuristic rules have been prepared and distributed by the anti-virus vendors to their customers.
1.3. Solution components
The solution involves the following components:
Eleven datacenters
eXcached daemon
eXpurgate daemon
Halon module
1.3.1. Eleven datacenters
The datacenter monitors global email traffic in real-time (24/7) from various sources on an ongoing basis and maintains a vast database of classifications that are determined based on numerous dynamically changing parameters. The datacenters are operated in Germany.
1.3.2. eXcached daemon
The eXcached daemon is an optional component that runs at the client’s premises and maintains a full copy of the entire Eleven spam outbreak signature database. It increases performance and resilience while minimizing the amount of communication with the central Eleven datacenters.
1.3.3. eXpurgate daemon
The eXpurgate daemon (expurgate-spamd) is the main component, scanning email to determine the spam and/or virus outbreak detection classifications. Halon Protect connects to the eXpurgate daemon(s), which in turn connect to eXcached daemon(s) or to the Eleven datacenters directly. It is provided as a Linux package for Ubuntu or RHEL-compatible distributions (.deb or .rpm) via a software repository provided to customers. Halon also provides a Docker template and Kubernetes sample configurations. Please see https://github.com/halon/halon-docker for more information.
1.3.4. Halon module
Halon provides an open-source module for integration with Eleven eXpurgate, providing anti-spam and virus outbreak detection by sending queries to the eXpurgate daemons. The module is available pre-compiled in Halon’s software repositories and is installed using the Linux distribution’s package manager. Please see https://github.com/halon-extras/eleven for more information.