
GBUdb

How do the GBUdb and the Pattern Finder work together?

The GBUdb and the pattern matching engine work together. In general, the pattern finder trains the GBUdb. When the GBUdb has a strong indication that the pattern finder has missed something, it steps in and adjusts the result.

On the training side, any non-zero result from the pattern finder is counted as a "bad" mark in the GBUdb. Any zero or specifically white result is counted as a "good" mark in the GBUdb.

In the training section of the GBUdb configuration, you can specify result codes that will count as "white/good". Normally this section is intended to integrate custom white rules that may have been added to the rulebase.

On the scanning side, there are 3 special result codes that can come from the GBUdb. Normally, if the pattern finder identifies spam, the pattern finder's result code is returned.

If the GBUdb has identified the source IP in either the caution or black range AND the pattern engine did not find a pattern match, then the GBUdb will change the result to either 40 (by default Caution) or 63 (by default Black).

Note that the 63 result code is also used for IP Black Rules in the pattern finder.

If the GBUdb has identified the source IP in the truncate range, then it will terminate (truncate) the pattern scan and force a result code of 20. This indicates that the IP is "sufficiently black" that there is no need to scan the message for patterns.

Similarly, on the white side, if the GBUdb finds that the source IP is in the white range AND the pattern matching system produces a non-white, non-zero result code, then the GBUdb will override that result and force it to 0.

Also, if the GBUdb White Override occurs on a pattern rule that is relatively new, then the pattern rule will be "auto-panicked": the rule is added to the internal panic rule list so that it is effectively neutralized, and a notification is sent to us via telemetry so that we can investigate and presumably remove the rule.
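
The training and scanning rules above can be modeled as a small decision function. This is an added example, not SNF code: the names `Range`, `training_mark`, `resolve` and the `rule_is_new` flag are hypothetical, result 0 is assumed to mean "no pattern match", and the pattern codes 52 and 2 are constructed sample values.

```python
from enum import Enum

class Range(Enum):              # hypothetical names for the GBUdb IP ranges
    NONE = "none"
    WHITE = "white"
    CAUTION = "caution"
    BLACK = "black"
    TRUNCATE = "truncate"

# Default special result codes described on this page.
CAUTION_CODE, BLACK_CODE, TRUNCATE_CODE = 40, 63, 20

def training_mark(pattern_result, white_codes=frozenset()):
    """Training side: zero or a configured white code is 'good', all else 'bad'."""
    if pattern_result == 0 or pattern_result in white_codes:
        return "good"
    return "bad"

def resolve(ip_range, pattern_result, white_codes=frozenset(), rule_is_new=False):
    """Scanning side: return (final_result_code, auto_panic)."""
    # Truncate range: the pattern scan is cut short, so its result is not consulted.
    if ip_range is Range.TRUNCATE:
        return TRUNCATE_CODE, False
    non_white_hit = pattern_result != 0 and pattern_result not in white_codes
    # White override: force 0; a relatively new rule is also auto-panicked.
    if ip_range is Range.WHITE and non_white_hit:
        return 0, rule_is_new
    # Caution/black only change the result when no pattern matched.
    if pattern_result == 0:
        if ip_range is Range.CAUTION:
            return CAUTION_CODE, False
        if ip_range is Range.BLACK:
            return BLACK_CODE, False
    # Otherwise the pattern finder's own result code is returned.
    return pattern_result, False

if __name__ == "__main__":
    white = frozenset({2})      # constructed custom white rule code
    cases = [(Range.TRUNCATE, None), (Range.BLACK, 0), (Range.CAUTION, 0),
             (Range.BLACK, 52), (Range.WHITE, 52), (Range.WHITE, 2)]
    for ip_range, code in cases:
        print(ip_range.name, code, "->", resolve(ip_range, code, white, rule_is_new=True))
```

Because 63 is also used for IP Black Rules in the pattern finder, a final result of 63 from this model does not by itself tell you whether the GBUdb or the pattern finder produced it.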