Overview
You may have a bulk filter with the following configuration:
- Threshold = 20
- Window Size = 3
Based on that, you perform the following test: you send four messages in less than 20 seconds using the same originator to the same recipient. The result is that the bulk filter blocks the fourth message, as you expected. You still do not understand what the Window Size field is used for.
Solution
The Window Size parameter is a damping factor used to smooth out sudden peaks. It is used to calculate the average time span between messages. A low window size (for example 2) will cause the filter to follow traffic patterns more quickly. A higher window size (for example 30) allows for some temporary bursts caused by concatenated messages.
The graph below shows how a low window size responds more quickly than a higher window size.
The X-axis represents the message number, and the Y-axis represents the time (in seconds) between two messages. The graph represents the timespan between a series of messages with a matching field (in red with circle marks).
The timespan is calculated like this:
$\Delta_n = T_{n+1} - T_n$
The average time at a specific moment is calculated for each window size. The average is calculated like this:
$A_n = A_{n-1} \cdot C + \Delta_n \cdot (1 - C)$
Where C is
$C = \exp(-\Delta_n / \text{window})$
And $A_0$ is given by $A_0 = 2 \cdot \text{threshold}$
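The formulas above, carried through for the test in the Overview, as an added example that is not taken from the product or its manual. The function names and the timestamps are constructed for illustration, and the blocking rule (a message is blocked once the average falls below the threshold) is an assumption, since the page does not state the comparison.

```python
import math

def smoothed_averages(timestamps, threshold, window):
    """Return [A_1, A_2, ...] for message arrival times given in seconds."""
    avg = 2.0 * threshold                  # A_0 = 2 * threshold
    averages = []
    for prev, cur in zip(timestamps, timestamps[1:]):
        delta = cur - prev                 # delta_n = T_{n+1} - T_n
        c = math.exp(-delta / window)      # C = exp(-delta_n / window)
        avg = avg * c + delta * (1.0 - c)  # A_n = A_{n-1}*C + delta_n*(1-C)
        averages.append(avg)
    return averages

def first_blocked(timestamps, threshold, window):
    """1-based number of the first blocked message, or None if none is blocked.

    ASSUMPTION (not stated on the page): the filter blocks a message when
    the smoothed average A_n drops below the threshold.
    """
    averages = smoothed_averages(timestamps, threshold, window)
    for i, avg in enumerate(averages):
        if avg < threshold:
            return i + 2                   # A_1 exists once message 2 arrives
    return None

# Constructed sample traffic: one message per second from the same originator
# to the same recipient.
SHORT_BURST = [0, 1, 2, 3]                 # the four-message test
LONG_BURST = list(range(30))               # sustained bulk traffic

if __name__ == "__main__":
    for window in (2, 3, 30):
        short = first_blocked(SHORT_BURST, threshold=20, window=window)
        long_ = first_blocked(LONG_BURST, threshold=20, window=window)
        print(f"window={window:>2}: short burst blocked at {short}, "
              f"long burst blocked at {long_}")
```

With Threshold = 20, a window of 3 blocks the fourth message of the short burst, a window of 2 reacts one message earlier, and a window of 30 lets the short burst through while still catching sustained traffic.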
To configure a bulk filter, follow these sections of the FAF Operator Manual:
- 6.4.1 Create an Advanced Filter
- 6.4.2.1 Add a Content Condition: For the EC Rule Name condition
- 6.4.2.5 Add a Bulk Condition: For the Bulk Filter Condition
Testing
Rerun the test to confirm that the system behaves as expected.