1. Field of the Invention
The present invention relates to scanning emails using a “scanner-driven” model, in which each scanner requests the amount of decomposition it requires to make a decision on the binary stream.
2. Description of the Related Art
The prevalence of unsolicited commercial email, commonly known as spam, has grown rapidly and is still growing. The corporate world and individual home users are spending millions of dollars to combat spam. Internet Service Providers (ISPs) have to cope with greatly increasing day-to-day amounts of network traffic due to the increase in spam emails. If spam traffic continues to grow, it may become unmanageable in the near future.
Another common and growing problem is the spread of computer malware. A typical piece of computer malware is a program or piece of code that is loaded onto a computer and/or performs some undesired actions on a computer without the knowledge or consent of the computer operator. The most widespread, well-known and dangerous type of computer malware is the computer virus, that is, a program or piece of code that replicates itself and loads itself onto other connected computers. Once the virus has been loaded onto the computer, it is activated and may proliferate further and/or damage the computer or other computers.
Typically, incoming emails may be scanned for a variety of undesirable contents. For example, emails may be scanned to determine whether or not they are spam, whether or not they include viruses or other malware, or whether or not they include inappropriate or other “bad” content.
Typically, spam has been fought by the use of software that scans incoming email messages to determine whether each message is spam, includes malware, or includes bad content. If so, the messages are accordingly marked as ***SPAM*** or quarantined. When a data stream is presented for scanning, it is often a compound object such as a MIME stream or archive file. This stream is decomposed into its constituent files before being presented to the AntiVirus, AntiSpam, bad content, and other scanners. Traditionally this process has been “decomposition-driven”. That is, the binary stream is decomposed into as many different parts as possible and then each of these parts is presented to the scanners.
However, a large ISP can receive millions of emails each day, each of which must be scanned. Other large organizations may receive thousands of emails each day. On average, each email takes from 15 milliseconds to 400 milliseconds to scan for such spam content. This consumes a huge amount of email server time and can in turn create a loss in the productivity of the organization.
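The following added example (not part of the original text) contrasts the decomposition-driven process described above with a scanner-driven one, counting how many MIME parts each approach decodes for the same message. The scanner table, its filter interface and the sample message are assumptions constructed for illustration.

```python
import email
from email.message import EmailMessage

def build_sample(body="Please see the attached report."):
    """Constructed sample: a text body plus a base64-encoded binary attachment."""
    msg = EmailMessage()
    msg["Subject"] = "Quarterly report"
    msg["From"] = "sender@example.com"
    msg["To"] = "rcpt@example.com"
    msg.set_content(body)
    msg.add_attachment(b"\x00" * 4096, maintype="application",
                       subtype="octet-stream", filename="report.bin")
    return msg.as_bytes()

# Hypothetical scanners: (name, part filter, verdict function).
# A filter of None means the scanner decides from the headers alone.
SCANNERS = [
    ("subject", None,
     lambda hdrs, data: "free money" in hdrs.get("Subject", "").lower()),
    ("body-text", lambda p: p.get_content_maintype() == "text",
     lambda hdrs, data: b"click here" in data.lower()),
]

def leaf_parts(msg):
    return [p for p in msg.walk() if not p.is_multipart()]

def decomposition_driven(raw):
    """Decode every leaf part up front, then present each part to each scanner."""
    msg = email.message_from_bytes(raw)
    hdrs = dict(msg.items())
    decoded = [p.get_payload(decode=True) for p in leaf_parts(msg)]
    flagged = any(fn(hdrs, data) for _, _, fn in SCANNERS for data in decoded)
    return flagged, len(decoded)

def scanner_driven(raw):
    """Decode a part only when a scanner requests it, and at most once."""
    msg = email.message_from_bytes(raw)
    hdrs = dict(msg.items())
    cache, flagged = {}, False
    for _, wants, fn in SCANNERS:
        if wants is None:                      # headers are enough for this scanner
            flagged |= fn(hdrs, b"")
            continue
        for i, part in enumerate(leaf_parts(msg)):
            if wants(part):
                if i not in cache:
                    cache[i] = part.get_payload(decode=True)
                flagged |= fn(hdrs, cache[i])
    return flagged, len(cache)
```

With these two scanners the attachment is never base64-decoded in the scanner-driven path, while the decomposition-driven path decodes it regardless of whether any scanner uses it.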