US20050204159A1 - System, method and computer program to block spam - Google Patents

System, method and computer program to block spam Download PDF

Info

Publication number
US20050204159A1
US20050204159A1 US10/796,161 US79616104A US2005204159A1 US 20050204159 A1 US20050204159 A1 US 20050204159A1 US 79616104 A US79616104 A US 79616104A US 2005204159 A1 US2005204159 A1 US 2005204159A1
Authority
US
United States
Prior art keywords
source
mail
address
unwanted
addresses
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US10/796,161
Inventor
John Davis
Kevin Himberger
Clark Jeffries
Garreth Jeremiah
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
International Business Machines Corp
Original Assignee
International Business Machines Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by International Business Machines Corp filed Critical International Business Machines Corp
Priority to US10/796,161 priority Critical patent/US20050204159A1/en
Assigned to INTERNATIONAL BUSINESS MACHINES CORPORATION reassignment INTERNATIONAL BUSINESS MACHINES CORPORATION ASSIGNMENT OF ASSIGNORS INTEREST (SEE DOCUMENT FOR DETAILS). Assignors: JEREMIAH, GARRETH J., DAVIS, JOHN F., HIMBERGER, KEVIN D., JEFFRIES, CLARK D.
Publication of US20050204159A1 publication Critical patent/US20050204159A1/en
Priority to US13/532,061 priority patent/US8468208B2/en
Abandoned legal-status Critical Current

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0236Filtering by address, protocol, port number or service, e.g. IP-address or URL
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/21Monitoring or handling of messages
    • H04L51/212Monitoring or handling of messages using filtering or selective blocking
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies
    • H04L63/0263Rule management

Definitions

  • the invention relates generally to computer systems, and deals more particularly with a technique to effectively block spam.
  • the Internet is well known today, and comprises a network of user computers and servers.
  • One role of the Internet is to provide a vehicle to exchange e-mail.
  • a common problem today is “spam”, where a server sends commercial e-mails to numerous (thousands, even millions of) user computers via the Internet. The spam clogs the Internet and the mail boxes of the user computers, and wastes user time in identifying the spam and deleting it.
  • Spam detectors and filters are well known today such as “Spam Assasin” (trademark of ______) program.
  • a spam detector and filter are installed at an edge router or a firewall for a server.
  • the server provides an e-mail transfer function for multiple user computers.
  • the spam detector reviews incoming e-mail to detect when the same e-mail (i.e. same or substantially the same text) is addressed to multiple different users.
  • the spam detector may ignore e-mails sent from entities known to be bona fide correspondents, such as employees of the same corporation to which the e-mails are sent. These entities can be recorded on a list accessible to the spam detector. But, the same e-mails sent from another entity to multiple different users are assumed to be spam. For those cases where the e-mails are assumed to be spam, the spam detector reads the IP address of the sender, and then blocks subsequent e-mails from the same IP address by creating a spam filter rule. Each spam filter rule may specify a source IP address from which e-mail will not be accepted. The filter rule is enforced at the firewall or router, or the gateway server in the absence of a firewall or router. The blockage or filter rule may be in effect for a predetermined amount of time, or can be periodically removed when there filter becomes too complex.
  • the problem with the foregoing spam blocking technique is that the “spammers”, i.e. the servers sending the spam, learn when their e-mails are being blocked. They can learn this by observing the TCP response to each of their e-mails. In the case of an e-mail being blocked, there will not be any acknowledgment.
  • the spammers use a different server with a different IP address or a different IP address from the same server to send the spam. This will defeat the spam filter for a time until the spam filter identifies this new IP address as that of a spammer, and then blocks subsequent e-mails from this new IP address with a new filter rule.
  • the foregoing iterative process can continue indefinitely, with the result that the spammer succeeds in getting a large amount of spam past the spam filter (between generation of the appropriate filter rules).
  • An object of the present invention is to improve spam detection and blocking.
  • the invention resides in a system, method and program product for blocking unwanted e-mails.
  • An e-mail is identified as unwanted.
  • a source IP address of the unwanted e-mail is determined.
  • Other source IP addresses owned or registered by an owner or registrant of the source IP address of the unwanted e-mail are determined.
  • Subsequent e-mails from the source IP address and the other IP addresses are blocked. This will thwart a spammer who shifts to a new source IP address when its spam is blocked from one source IP address.
  • the other source IP addresses owned or registered by an owner or registrant of the source IP address of the unwanted e-mail are determined by first determining an owner or registrant of the source IP address of the unwanted e-mail.
  • the owner or registrant of the source IP address of the unwanted e-mail and the other IP addresses owned or registered by this owner or registrant are determined by querying an entity that manages registration of IP addresses. This entity may be the Internet Assigned Number Authority.
  • An email can be identified as unwanted when it has the same text or subject line as other e-mails sent from the same source IP address.
  • FIG. 1 is a block diagram illustrating a computer system which incorporates the present invention.
  • FIGS. 2 (A) and 2 (B) form a flow chart of a spam detection and blocking within the computer system of FIG. 1 , according to the present invention.
  • FIG. 1 illustrates a distributed computer system generally designated 100 .
  • System 100 comprises a firewall or router 110 , a server 112 coupled to the firewall or router 110 in a subnet 103 , and a multiplicity of client/user computers such as computer 114 coupled to server 112 via a Local Area Network (LAN) 105 .
  • the firewall or router 110 performs typical functions of known firewalls such as blocking e-mails with Source Addresses (SAs) known to be currently malicious.
  • SAs Source Addresses
  • firewall or router 110 also includes a spam filter program 119 which reviews each incoming e-mail and ascertains from its header its source IP address, i.e. the IP address of the sender of the e-mail.
  • SAs Source Addresses
  • the firewall or router 110 includes a set of filter rules 117 each defined to block e-mail from a respective IP address or range of IP addresses (typically for a finite period of time). So, if the IP address of the sender of the e-mail matches one of the filter rules (and the filter rule is still in effect), then the firewall or router 110 “blocks” the e-mail, i.e. prevents it from passing through to the server 112 .
  • FIG. 1 illustrates four filter rules (SA 1 , SA 2 , SA 3 and SA 4 ) in firewall or router 110 . Each of the filter rules blocks e-mails from a respective range of source IP addresses (for a finite period of time).
  • the server 112 includes a message transfer agent (“MTA”) 129 , i.e. a program function which forwards e-mail, determined not to be spam, received from the firewall or router 110 to the intended recipient/user.
  • MTA 129 can be that of Postfix (trademark of Postfix Corporation) program.
  • the server 112 also includes a known spam detector 121 such as “Spam Assassin” spam detector program.
  • the spam detector 121 may be part of the MTA 129 or a separate program.
  • the spam detector reviews incoming e-mail to detect when the same e-mail (i.e. the same or substantially the same text) is addressed to multiple different recipients/users.
  • the spam detector may ignore e-mails sent from bona fide correspondents, such as employees of a corporation to which the e-mails are sent, such that these e-mails are not considered to be spam.
  • the “bona fide correspondents” may be recorded on a list accessible to the spam detector. But, the same e-mails sent from another entity to multiple recipients/users are assumed to be spam.
  • the user computer 114 may also include an optional spam detector program 123 which identifies spam based on host-based screening software or preferences of the user.
  • the source IP addresses identified by this optional spam detector program 123 result in additional filter rules (each blocking e-mail from a single IP address or range of IP addresses) that can be applied at the firewall or router 110 .
  • FIGS. 2 (A) and 2 (B) form a flow chart illustrating operation of the spam filter program 119 , spam detector 121 , optional spam detector 123 , range finder program 130 and monitor program 132 in accordance with the present invention.
  • step 180 an incoming e-mail 125 is received by the firewall or router 110 .
  • the spam filter program 119 determines if the source IP address of the e-mail matches any of the active filter rules 117 (decision 182 ).
  • Any existing filter rules 117 may have been created in previous iterations of the steps of FIGS. 2 (A) and 2 (B).
  • An “active” filter rule is one that has been created and started, but not yet lapsed.
  • a filter rule when a filter rule is created, it is assigned a start time (which is usually immediate upon creation) and a duration/period during which the filter rule is active, i.e. will be enforced. If there is an active filter rule which matches the source IP address of the current e-mail, then the e-mail is blocked, i.e. it is discarded and not permitted to pass through the firewall or router 110 to the server 112 (step 184 ).
  • the spam filter program 119 determines if the source IP address of the e-mail matches a lapsed/suspended filter rule, i.e. a filter rule which has not yet been deleted but whose duration/period of activity has lapsed (decision 186 ). If so, the spam filter program 119 refreshes the start time of the lapsed filter rule to the current time to make it active once again, and defines a new duration/period that was longer than the previous one, for example, twice as long or “x” minutes longer (step 188 ).
  • a lapsed/suspended filter rule i.e. a filter rule which has not yet been deleted but whose duration/period of activity has lapsed
  • the spam filter program 119 also resets a “time to delete” by advancing it an amount equal to the difference between the original start time and the refreshed start time. The purpose of the “time to delete” is described below.) Also, the spam filter program 119 will block this e-mail corresponding to the lapsed/suspended filter rule, and discard it so that it will not pass through the firewall or router 110 to server 112 (step 189 ). Referring back to decision 186 , no branch, if the current e-mail does not match a lapsed/suspended filter rule (or an active filter rule), then firewall or router 110 passes the e-mail through to the mail server 112 with its MTA 129 and spam detector 121 (step 190 ).
  • the spam detector 121 within server 112 determines if the e-mail appears to be spam, i.e. the same text as other e-mail sent by the same unknown IP source address (decision 204 ).
  • the spam detector 121 makes this determination by any of numerous well known methods such as comparing text from the same source IP address. This comparison can be made using a hash function on some or all the lines of text of the different e-mails from the same source IP address. Spam may also be assumed when the subject lines of the e-mails from the same IP address are all the same.
  • the spam detector 121 notifies MTA 129 which forwards the e-mail to its intended recipient indicated in the header of the e-mail, such as client computer 114 (step 205 ).
  • MTA 129 which forwards the e-mail to its intended recipient indicated in the header of the e-mail, such as client computer 114.
  • e-mails with source addresses SA 5 , SA 6 and SAA were passed from the firewall or router 110 to the mail server 112 , and spam detector 121 identified the e-mail from SA 5 as spam.
  • the spam detector 121 extracts the source IP address of the e-mail and sends it to a range finder program 130 (step 208 ).
  • spam detector 121 sent source address SA 5 to range finder program 130 .
  • the server 112 forwards the e-mail to the user computer 114 .
  • MTA 129 forwarded e-mails with source addresses SA 6 and SAA to user computer 114 .
  • the spam detector 123 determines if the e-mail appears to be spam, i.e. the same text as other e-mail sent by the same unknown IP source address (decision 206 ). The spam detector 123 makes this determination by, for example, comparing the source IP address to a list of forbidden source IP addresses as specified by the user or an administrator.
  • the spam detector 123 can also make this determination by searching for forbidden words in the subject line or text, where the forbidden words are specified by the user or administrator. If the e-mail does not appear to be spam, then the spam detector 123 notifies the user that the e-mail is waiting to be read (step 207 ). (In the example illustrated in FIG. 1 , spam detector 123 determined that the e-mail from source IP address SAA was not spam, and therefore, presented it to the user.) However, if the e-mail appears to be spam, then the spam detector 123 extracts the source IP address of the e-mail and sends it to the ranger finder program 130 (step 209 ). (In the example illustrated in FIG. 1 , spam detector program 123 determined that the e-mail from source IP address SA 6 was spam, and therefore, did not present the e-mail to the user, and instead send the source IP address SA 6 to the range finder program 130 .)
  • the range finder program 130 may reside in server 112 or in another server coupled to server 112 by a network.
  • the range finder program 130 is also coupled by a network to an existing/known Internet service company called “Internet Assigned Number Authority” company or “IANA” 138 (or a similar Internet service).
  • IANA 138 currently maintains a database of all (that is, the range 60.70.80.0 through 60.70.80.127) addresses and the entity that “owns” or registers each block of IP addresses.
  • IANA 138 obtains its IP address ownership information based on the following process. Each entity that desires to use an IP source address on the Internet must first register it with IANA.
  • the range finder program 130 contacts “IANA” (or a similar Internet service) by e-mail and supplies the source IP address of the suspected spammer.
  • IANA or a similar Internet service
  • the range finder program supplies source IP addresses SA 5 and SA 6 to IANA, although the notification of each source IP address can be done at different times.
  • the range finding program 130 also asks IANA to state who owns each source IP address and what other IP addresses are owned by this same entity (step 208 ). IANA supplies the requested information from its registration database. (In the example illustrated in FIG.
  • IANA returns a range of source IP addresses owned/registered by the registrant of SA 5 , and a range of source IP addresses owned/registered by the registrant of SA 6 .
  • the ranger finder program defines ranges of source IP addresses from which e-mail should be blocked (step 212 ). Each “range” is a list of all the IP addresses owned by the owner of the source IP address identified as a spammer by the spam detector in step 204 . Because the entire range will be blocked, and not just the source IP address of the single spam e-mail, this will thwart block a spammer who shifts to another of its registered source IP addresses to send new spam.
  • the “range” can be a sequential range of source IP addresses or a grouping of non-sequential source IP addresses, as the case may be.
  • the blocked range can be limited to a smaller range of addresses that contains the detected source IP address and are owned by the owner of the spam e-mail, where the smaller range is a size typically used for spamming, such as a range of thirty two addresses for example, 60.70.80.0 through 60.70.80.31.
  • the range finding program 130 determines the range of blocked source IP addresses as a range of addresses (such as 60.70.80.0 through 60.70.80.256) that contain the source IP address of the spam and are not within the set of source IP addresses known by the manager of the computer system to be of interest.
  • the range finding program 130 passes the ranges of blocked, source IP addresses to monitor program 132 .
  • the monitor program 132 can reside in server 112 or another server which contains the range finder program 130 (if the range finder program 130 does not reside on server 112 ).
  • the monitor program 132 creates the filter rule(s) to be used by firewall or router 110 (step 220 ).
  • the filter rule(s) specifies the range of blocked, source IP addresses obtained from the range finder program 130 .
  • the monitor program 132 also specifies a start time to begin enforcing the filter rule and a duration/period for enforcing the filter rule as described above.
  • the monitor program 132 After defining the filter rule (including its time parameters) in step 220 for each range of blocked IP addresses, the monitor program 132 stores the filter rules in an actions database 134 , and notifies the firewall or router 110 that a new filter rule has been added to the data base. In response, the spam filter program 119 copies the new filter rule into its local data base, filter rules 117 . (In the example illustrated in FIG. 1 , there will be new filter rules for source IP ranges SA 5 and SA 6 added to filter rules database 117 .) As explained above, when each new e-mail is received by the firewall or router 110 in step 180 , the spam filter program 119 reads all the filter rules from the database 117 to determine which are active, and therefore should be enforced (decision 182 ).
  • the spam filter program 119 enforces the filter rule, i.e. blocks e-mail with a source IP address within the specified range, so that the e-mail will not proceed to mail server 112 (step 184 ). Also, as explained above, the spam filter program 119 also determines if spam has arrived from a source IP address corresponding to a lapsed/suspended filter rule, in which case the spam filter program 119 restarts/reactivates the filter rule for a longer duration/period, and blocks the current e-mail.
  • the monitor program 132 when a new filter rule is created, the monitor program 132 also defines a “time to delete” the filter rule (step 220 ).
  • the “time to delete” the filter rule specifies when to delete the filter rule if spam ceases from the entire range of IP addresses after the duration/period lapses, i.e. after the filter rule is suspended.
  • the duration/period of the filter rule is five minutes and the time to delete is fifteen minutes after start. The filter rule will go into effect immediately and last for five minutes. During those initial five minutes, all e-mails from the range of sources IP addresses specified in the filter rule will be blocked and discarded.
  • Step 250 is performed as follows. Whenever, a “time to delete” occurs, an interrupt or alert is sent to the spam filter program 119 . The interrupt or alert specifies the corresponding filter rule.
  • the spam filter program 119 confirms that the corresponding filter rule is still lapsed/suspended and if so, deletes the filter rule altogether. (If the corresponding filter rule is still active at the time to delete, then an error has occurred because the original duration/period of the filter rule should have lapsed, and the time to delete should have been advanced when the filter rule was refreshed. In such a case, an administrator will be notified.)

Abstract

A system, method and program product for blocking unwanted e-mails. An e-mail is identified as unwanted. A source IP address of the unwanted e-mail is determined. Other source IP addresses owned or registered by an owner or registrant of the source IP address of the unwanted e-mail are determined. Subsequent e-mails from the source IP address and the other IP addresses are blocked. This will thwart a spammer who shifts to a new source IP address when its spam is blocked from one source IP address.

Description

    BACKGROUND OF THE INVENTION
  • The invention relates generally to computer systems, and deals more particularly with a technique to effectively block spam.
  • The Internet is well known today, and comprises a network of user computers and servers. One role of the Internet is to provide a vehicle to exchange e-mail. A common problem today is “spam”, where a server sends commercial e-mails to numerous (thousands, even millions of) user computers via the Internet. The spam clogs the Internet and the mail boxes of the user computers, and wastes user time in identifying the spam and deleting it. Spam detectors and filters are well known today such as “Spam Assasin” (trademark of ______) program. Typically, a spam detector and filter are installed at an edge router or a firewall for a server. The server provides an e-mail transfer function for multiple user computers. The spam detector reviews incoming e-mail to detect when the same e-mail (i.e. same or substantially the same text) is addressed to multiple different users. The spam detector may ignore e-mails sent from entities known to be bona fide correspondents, such as employees of the same corporation to which the e-mails are sent. These entities can be recorded on a list accessible to the spam detector. But, the same e-mails sent from another entity to multiple different users are assumed to be spam. For those cases where the e-mails are assumed to be spam, the spam detector reads the IP address of the sender, and then blocks subsequent e-mails from the same IP address by creating a spam filter rule. Each spam filter rule may specify a source IP address from which e-mail will not be accepted. The filter rule is enforced at the firewall or router, or the gateway server in the absence of a firewall or router. The blockage or filter rule may be in effect for a predetermined amount of time, or can be periodically removed when there filter becomes too complex.
  • The problem with the foregoing spam blocking technique is that the “spammers”, i.e. the servers sending the spam, learn when their e-mails are being blocked. They can learn this by observing the TCP response to each of their e-mails. In the case of an e-mail being blocked, there will not be any acknowledgment. When their e-mails are being blocked, the spammers use a different server with a different IP address or a different IP address from the same server to send the spam. This will defeat the spam filter for a time until the spam filter identifies this new IP address as that of a spammer, and then blocks subsequent e-mails from this new IP address with a new filter rule. The foregoing iterative process can continue indefinitely, with the result that the spammer succeeds in getting a large amount of spam past the spam filter (between generation of the appropriate filter rules).
  • An object of the present invention is to improve spam detection and blocking.
    • SUMMARY
  • The invention resides in a system, method and program product for blocking unwanted e-mails. An e-mail is identified as unwanted. A source IP address of the unwanted e-mail is determined. Other source IP addresses owned or registered by an owner or registrant of the source IP address of the unwanted e-mail are determined. Subsequent e-mails from the source IP address and the other IP addresses are blocked. This will thwart a spammer who shifts to a new source IP address when its spam is blocked from one source IP address.
  • According to features of the present invention, the other source IP addresses owned or registered by an owner or registrant of the source IP address of the unwanted e-mail are determined by first determining an owner or registrant of the source IP address of the unwanted e-mail. The owner or registrant of the source IP address of the unwanted e-mail and the other IP addresses owned or registered by this owner or registrant are determined by querying an entity that manages registration of IP addresses. This entity may be the Internet Assigned Number Authority. An email can be identified as unwanted when it has the same text or subject line as other e-mails sent from the same source IP address.
    • BRIEF DESCRIPTION OF THE FIGURES
  • FIG. 1 is a block diagram illustrating a computer system which incorporates the present invention.
  • FIGS. 2(A) and 2(B) form a flow chart of a spam detection and blocking within the computer system of FIG. 1, according to the present invention.
    • DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
  • The present invention will now be described in detail with reference to the figures. FIG. 1 illustrates a distributed computer system generally designated 100. System 100 comprises a firewall or router 110, a server 112 coupled to the firewall or router 110 in a subnet 103, and a multiplicity of client/user computers such as computer 114 coupled to server 112 via a Local Area Network (LAN) 105. The firewall or router 110 performs typical functions of known firewalls such as blocking e-mails with Source Addresses (SAs) known to be currently malicious. In addition, firewall or router 110 also includes a spam filter program 119 which reviews each incoming e-mail and ascertains from its header its source IP address, i.e. the IP address of the sender of the e-mail. The firewall or router 110 includes a set of filter rules 117 each defined to block e-mail from a respective IP address or range of IP addresses (typically for a finite period of time). So, if the IP address of the sender of the e-mail matches one of the filter rules (and the filter rule is still in effect), then the firewall or router 110 “blocks” the e-mail, i.e. prevents it from passing through to the server 112. The example of FIG. 1 illustrates four filter rules (SA1, SA2, SA3 and SA4) in firewall or router 110. Each of the filter rules blocks e-mails from a respective range of source IP addresses (for a finite period of time).
  • The server 112 includes a message transfer agent (“MTA”) 129, i.e. a program function which forwards e-mail, determined not to be spam, received from the firewall or router 110 to the intended recipient/user. For example, MTA 129 can be that of Postfix (trademark of Postfix Corporation) program. The server 112 also includes a known spam detector 121 such as “Spam Assassin” spam detector program. The spam detector 121 may be part of the MTA 129 or a separate program. The spam detector reviews incoming e-mail to detect when the same e-mail (i.e. the same or substantially the same text) is addressed to multiple different recipients/users. The spam detector may ignore e-mails sent from bona fide correspondents, such as employees of a corporation to which the e-mails are sent, such that these e-mails are not considered to be spam. The “bona fide correspondents” may be recorded on a list accessible to the spam detector. But, the same e-mails sent from another entity to multiple recipients/users are assumed to be spam. The user computer 114 may also include an optional spam detector program 123 which identifies spam based on host-based screening software or preferences of the user. The source IP addresses identified by this optional spam detector program 123 result in additional filter rules (each blocking e-mail from a single IP address or range of IP addresses) that can be applied at the firewall or router 110.
  • FIGS. 2(A) and 2(B) form a flow chart illustrating operation of the spam filter program 119, spam detector 121, optional spam detector 123, range finder program 130 and monitor program 132 in accordance with the present invention. In step 180, an incoming e-mail 125 is received by the firewall or router 110. In response, the spam filter program 119 determines if the source IP address of the e-mail matches any of the active filter rules 117 (decision 182). (Any existing filter rules 117 may have been created in previous iterations of the steps of FIGS. 2(A) and 2(B).) An “active” filter rule is one that has been created and started, but not yet lapsed. As explained below, when a filter rule is created, it is assigned a start time (which is usually immediate upon creation) and a duration/period during which the filter rule is active, i.e. will be enforced. If there is an active filter rule which matches the source IP address of the current e-mail, then the e-mail is blocked, i.e. it is discarded and not permitted to pass through the firewall or router 110 to the server 112 (step 184). However, if the source IP address of the e-mail does not match any of the active filter rules 117, or if there are no active filter rules at this time, then the spam filter program 119 determines if the source IP address of the e-mail matches a lapsed/suspended filter rule, i.e. a filter rule which has not yet been deleted but whose duration/period of activity has lapsed (decision 186). If so, the spam filter program 119 refreshes the start time of the lapsed filter rule to the current time to make it active once again, and defines a new duration/period that was longer than the previous one, for example, twice as long or “x” minutes longer (step 188). (In step 188, the spam filter program 119 also resets a “time to delete” by advancing it an amount equal to the difference between the original start time and the refreshed start time. The purpose of the “time to delete” is described below.) Also, the spam filter program 119 will block this e-mail corresponding to the lapsed/suspended filter rule, and discard it so that it will not pass through the firewall or router 110 to server 112 (step 189). Referring back to decision 186, no branch, if the current e-mail does not match a lapsed/suspended filter rule (or an active filter rule), then firewall or router 110 passes the e-mail through to the mail server 112 with its MTA 129 and spam detector 121 (step 190). Next, the spam detector 121 within server 112 determines if the e-mail appears to be spam, i.e. the same text as other e-mail sent by the same unknown IP source address (decision 204). The spam detector 121 makes this determination by any of numerous well known methods such as comparing text from the same source IP address. This comparison can be made using a hash function on some or all the lines of text of the different e-mails from the same source IP address. Spam may also be assumed when the subject lines of the e-mails from the same IP address are all the same. If the e-mail does not appear to be spam, then the spam detector 121 notifies MTA 129 which forwards the e-mail to its intended recipient indicated in the header of the e-mail, such as client computer 114 (step 205). (In the example illustrated in FIG. 1, e-mails with source addresses SA5, SA6 and SAA were passed from the firewall or router 110 to the mail server 112, and spam detector 121 identified the e-mail from SA5 as spam.) However, if the e-mail appears to be spam, then the spam detector 121 extracts the source IP address of the e-mail and sends it to a range finder program 130 (step 208). (In the example illustrated in FIG. 1, spam detector 121 sent source address SA5 to range finder program 130.)
  • Refer again to decision 204 no branch where the server 112 forwards the e-mail to the user computer 114. (In the example illustrated in FIG. 1, MTA 129 forwarded e-mails with source addresses SA6 and SAA to user computer 114.) If the user computer 114 includes another, optional spam detector 123, then the spam detector 123 determines if the e-mail appears to be spam, i.e. the same text as other e-mail sent by the same unknown IP source address (decision 206). The spam detector 123 makes this determination by, for example, comparing the source IP address to a list of forbidden source IP addresses as specified by the user or an administrator. The spam detector 123 can also make this determination by searching for forbidden words in the subject line or text, where the forbidden words are specified by the user or administrator. If the e-mail does not appear to be spam, then the spam detector 123 notifies the user that the e-mail is waiting to be read (step 207). (In the example illustrated in FIG. 1, spam detector 123 determined that the e-mail from source IP address SAA was not spam, and therefore, presented it to the user.) However, if the e-mail appears to be spam, then the spam detector 123 extracts the source IP address of the e-mail and sends it to the ranger finder program 130 (step 209). (In the example illustrated in FIG. 1, spam detector program 123 determined that the e-mail from source IP address SA6 was spam, and therefore, did not present the e-mail to the user, and instead send the source IP address SA6 to the range finder program 130.)
  • The range finder program 130 may reside in server 112 or in another server coupled to server 112 by a network. The range finder program 130 is also coupled by a network to an existing/known Internet service company called “Internet Assigned Number Authority” company or “IANA” 138 (or a similar Internet service). IANA 138 currently maintains a database of all (that is, the range 60.70.80.0 through 60.70.80.127) addresses and the entity that “owns” or registers each block of IP addresses. IANA 138 obtains its IP address ownership information based on the following process. Each entity that desires to use an IP source address on the Internet must first register it with IANA. After the spam detector 121 or spam detector 123 notifies the range finding program 130 of a suspected spammer's source IP address, the range finder program 130 contacts “IANA” (or a similar Internet service) by e-mail and supplies the source IP address of the suspected spammer. (In the example of FIG. 1, the range finder program supplies source IP addresses SA5 and SA6 to IANA, although the notification of each source IP address can be done at different times.) The range finding program 130 also asks IANA to state who owns each source IP address and what other IP addresses are owned by this same entity (step 208). IANA supplies the requested information from its registration database. (In the example illustrated in FIG. 1, IANA returns a range of source IP addresses owned/registered by the registrant of SA5, and a range of source IP addresses owned/registered by the registrant of SA6.) After receiving the information from IANA, the ranger finder program defines ranges of source IP addresses from which e-mail should be blocked (step 212). Each “range” is a list of all the IP addresses owned by the owner of the source IP address identified as a spammer by the spam detector in step 204. Because the entire range will be blocked, and not just the source IP address of the single spam e-mail, this will thwart block a spammer who shifts to another of its registered source IP addresses to send new spam. The “range” can be a sequential range of source IP addresses or a grouping of non-sequential source IP addresses, as the case may be. Alternately, the blocked range can be limited to a smaller range of addresses that contains the detected source IP address and are owned by the owner of the spam e-mail, where the smaller range is a size typically used for spamming, such as a range of thirty two addresses for example, 60.70.80.0 through 60.70.80.31. In another embodiment of the present invention, the range finding program 130 determines the range of blocked source IP addresses as a range of addresses (such as 60.70.80.0 through 60.70.80.256) that contain the source IP address of the spam and are not within the set of source IP addresses known by the manager of the computer system to be of interest.
  • Next, the range finding program 130 passes the ranges of blocked, source IP addresses to monitor program 132. (In the example illustrated in FIG. 1, there is one range for source IP address SA5 and another range for source IP address SA6.) The monitor program 132 can reside in server 112 or another server which contains the range finder program 130 (if the range finder program 130 does not reside on server 112). Then, the monitor program 132 creates the filter rule(s) to be used by firewall or router 110 (step 220). The filter rule(s) specifies the range of blocked, source IP addresses obtained from the range finder program 130. For the filter rule(s), the monitor program 132 also specifies a start time to begin enforcing the filter rule and a duration/period for enforcing the filter rule as described above.
  • After defining the filter rule (including its time parameters) in step 220 for each range of blocked IP addresses, the monitor program 132 stores the filter rules in an actions database 134, and notifies the firewall or router 110 that a new filter rule has been added to the data base. In response, the spam filter program 119 copies the new filter rule into its local data base, filter rules 117. (In the example illustrated in FIG. 1, there will be new filter rules for source IP ranges SA5 and SA6 added to filter rules database 117.) As explained above, when each new e-mail is received by the firewall or router 110 in step 180, the spam filter program 119 reads all the filter rules from the database 117 to determine which are active, and therefore should be enforced (decision 182). This decision is based on whether the current time is less than the start time of the filter rule plus the duration/period of the rule, assuming the start time is before or equal to the current time. So, during the duration/period of the rule, the spam filter program 119 enforces the filter rule, i.e. blocks e-mail with a source IP address within the specified range, so that the e-mail will not proceed to mail server 112 (step 184). Also, as explained above, the spam filter program 119 also determines if spam has arrived from a source IP address corresponding to a lapsed/suspended filter rule, in which case the spam filter program 119 restarts/reactivates the filter rule for a longer duration/period, and blocks the current e-mail.
  • Referring again to step 220, when a new filter rule is created, the monitor program 132 also defines a “time to delete” the filter rule (step 220). The “time to delete” the filter rule specifies when to delete the filter rule if spam ceases from the entire range of IP addresses after the duration/period lapses, i.e. after the filter rule is suspended. Consider an example where the filter rule begins immediately, the duration/period of the filter rule is five minutes and the time to delete is fifteen minutes after start. The filter rule will go into effect immediately and last for five minutes. During those initial five minutes, all e-mails from the range of sources IP addresses specified in the filter rule will be blocked and discarded. Then, the filter rule will be “suspended” for the next ten minutes unless and until new spam is detected from any IP address within the range. If spam is detected during these ten minutes from any IP address within the range, then the filter rule is restarted/reactivated. However, if there is no spam from the entire range of IP addresses specified by the filter rule during these ten minutes, then the filter rule will be deleted altogether at the “time to delete” to “clean-out” the database of filter rules (step 250). Step 250 is performed as follows. Whenever, a “time to delete” occurs, an interrupt or alert is sent to the spam filter program 119. The interrupt or alert specifies the corresponding filter rule. In response to the interrupt or delete, the spam filter program 119 confirms that the corresponding filter rule is still lapsed/suspended and if so, deletes the filter rule altogether. (If the corresponding filter rule is still active at the time to delete, then an error has occurred because the original duration/period of the filter rule should have lapsed, and the time to delete should have been advanced when the filter rule was refreshed. In such a case, an administrator will be notified.)
  • Based on the foregoing, a system, method and computer program for blocking spam has been disclosed. However, numerous modifications and substitutions can be made without deviating from the scope of the present invention. For example, alternative mechanisms for identifying spam may be used. Therefore, the present invention has been disclosed by way of illustration and not limitation, and reference should be made to the following claims to determine the scope of the present invention.

Claims (20)

1. A method of blocking unwanted e-mails, said method comprising the steps of:
identifying an e-mail as unwanted;
determining a source IP address of the unwanted e-mail;
determining other source IP addresses owned or registered by an owner or registrant of the source IP address of said unwanted e-mail; and
subsequently blocking e-mails from said source IP address and said other IP addresses.
2. A method as set forth in claim 1 wherein the step of determining other source IP addresses owned or registered by an owner or registrant of the source IP address of said unwanted e-mail comprises the step of determining an owner or registrant of said source IP address of said unwanted e-mail.
3. A method as set forth in claim 2 wherein the step of determining other source IP addresses owned or registered by an owner or registrant of the source IP address of said unwanted e-mail is performed by querying an entity that manages registration of IP addresses.
4. A method as set forth in claim 3 wherein said entity is Internet Assigned Number Authority.
5. A method as set forth in claim 1 wherein the step of identifying an e-mail as unwanted comprises the step of identifying an e-mail which is attempted to be sent to multiple recipients where the e-mail contains the same or substantially the same text.
6. A method as set forth in claim 1 wherein the step of identifying an e-mail as unwanted comprises the step of identifying an e-mail which is attempted to be sent to multiple recipients where the e-mail contains the same or substantially the same subject line.
7. A method as set forth in claim 1 wherein the step of determining a source IP address of the unwanted e-mail comprises the step of reading the source IP address from a header of the unwanted.
8. A method as set forth in claim 1 wherein the step of subsequently blocking e-mails from said source IP address and said other IP addresses comprises the step of identifying said e-mails from said source IP address and said other IP addresses at a firewall or router, and then preventing them from passing through to a mail server(s) for their intended recipients.
9. A computer program product for blocking unwanted e-mails, said computer program product comprising:
a computer readable medium;
first program instructions to identify an e-mail as unwanted;
second program instructions to determine a source IP address of the unwanted e-mail;
third program instructions to determine other source IP addresses owned or registered by an owner or registrant of the source IP address of said unwanted e-mail; and
fourth program instructions to subsequently block e-mails from said source IP address and said other IP addresses; and wherein
said first, second, third and fourth program instructions are recorded on said medium.
10. A computer program product as set forth in claim 9 wherein said third program instructions determine an owner or registrant of said source IP address of said unwanted e-mail.
11. A computer program product as set forth in claim 10 wherein said third program instructions determine an owner or registrant of said source IP address by querying an entity that manages registration of IP addresses.
12. A computer program product as set forth in claim 11 wherein said entity is Internet Assigned Number Authority.
13. A computer program product as set forth in claim 9 wherein said first program instructions identifies an e-mail as unwanted by identifying an e-mail which is attempted to be sent to multiple recipients where the e-mail contains the same or substantially the same text.
14. A computer program product as set forth in claim 9 wherein said first program instructions identifies an e-mail as unwanted by identifying an e-mail which is attempted to be sent to multiple recipients where the e-mail contains the same or substantially the same subject line.
15. A computer program product as set forth in claim 9 wherein said second program instructions determines a source IP address of the unwanted e-mail comprises by reading the source IP address from a header of the unwanted.
16. A computer program product as set forth in claim 9 wherein said fourth program instructions blocks e-mails from said source IP address and said other IP addresses by identifying said e-mails from said source IP address and said other IP addresses at a firewall or router, and then preventing them from passing through to a mail server(s) for their intended recipients.
17. A system for blocking unwanted e-mails, said system comprising:
means for identifying an e-mail as unwanted;
means for determining a source IP address of the unwanted e-mail;
means for determining other source IP addresses owned or registered by an owner or registrant of the source IP address of said unwanted e-mail; and
means for subsequently blocking e-mails from said source IP address and said other IP addresses.
18. A system as set forth in claim 17 wherein said means for determining other source IP addresses owned or registered by an owner or registrant of the source IP address of said unwanted e-mail comprises means for determining an owner or registrant of said source IP address of said unwanted e-mail.
19. A system as set forth in claim 18 wherein said means for determining other source IP addresses owned or registered by an owner or registrant of the source IP address of said unwanted e-mail comprises means for querying an entity that manages registration of IP addresses.
20. A system as set forth in claim 19 wherein said entity is Internet Assigned Number Authority.
US10/796,161 2004-03-09 2004-03-09 System, method and computer program to block spam Abandoned US20050204159A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
US10/796,161 US20050204159A1 (en) 2004-03-09 2004-03-09 System, method and computer program to block spam
US13/532,061 US8468208B2 (en) 2004-03-09 2012-06-25 System, method and computer program to block spam

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US10/796,161 US20050204159A1 (en) 2004-03-09 2004-03-09 System, method and computer program to block spam

Related Child Applications (1)

Application Number Title Priority Date Filing Date
US13/532,061 Continuation US8468208B2 (en) 2004-03-09 2012-06-25 System, method and computer program to block spam

Publications (1)

Publication Number Publication Date
US20050204159A1 true US20050204159A1 (en) 2005-09-15

Family

ID=34919831

Family Applications (2)

Application Number Title Priority Date Filing Date
US10/796,161 Abandoned US20050204159A1 (en) 2004-03-09 2004-03-09 System, method and computer program to block spam
US13/532,061 Expired - Fee Related US8468208B2 (en) 2004-03-09 2012-06-25 System, method and computer program to block spam

Family Applications After (1)

Application Number Title Priority Date Filing Date
US13/532,061 Expired - Fee Related US8468208B2 (en) 2004-03-09 2012-06-25 System, method and computer program to block spam

Country Status (1)

Country Link
US (2) US20050204159A1 (en)

Cited By (50)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040260922A1 (en) * 2003-06-04 2004-12-23 Goodman Joshua T. Training filters for IP address and URL learning
US20050193073A1 (en) * 2004-03-01 2005-09-01 Mehr John D. (More) advanced spam detection features
US20050204005A1 (en) * 2004-03-12 2005-09-15 Purcell Sean E. Selective treatment of messages based on junk rating
US20060036693A1 (en) * 2004-08-12 2006-02-16 Microsoft Corporation Spam filtering with probabilistic secure hashes
US20060168042A1 (en) * 2005-01-07 2006-07-27 International Business Machines Corporation Mechanism for mitigating the problem of unsolicited email (also known as "spam"
US20060235930A1 (en) * 2005-04-19 2006-10-19 Xerox Corporation Method to counter junk e-mail by limiting validity of e-mail addresses
US20060262867A1 (en) * 2005-05-17 2006-11-23 Ntt Docomo, Inc. Data communications system and data communications method
US20070038705A1 (en) * 2005-07-29 2007-02-15 Microsoft Corporation Trees of classifiers for detecting email spam
US20070145053A1 (en) * 2005-12-27 2007-06-28 Julian Escarpa Gil Fastening device for folding boxes
US20070208856A1 (en) * 2003-03-03 2007-09-06 Microsoft Corporation Feedback loop for spam prevention
US20080189789A1 (en) * 2007-02-01 2008-08-07 Elaine Lamontagne System, method and apparatus for the detection and capturing of technological crime instances
US20080320095A1 (en) * 2007-06-25 2008-12-25 Microsoft Corporation Determination Of Participation In A Malicious Software Campaign
US20090025077A1 (en) * 2007-07-18 2009-01-22 Bart Trojanowski Managing configurations of a firewall
US20090132669A1 (en) * 2000-06-19 2009-05-21 Walter Clark Milliken Hash-based systems and methods for detecting and preventing transmission of unwanted e-mail
US20090165087A1 (en) * 2007-12-19 2009-06-25 Jacek Jachner Media registration and validation service to protect against unauthorized media sharing
US7664819B2 (en) 2004-06-29 2010-02-16 Microsoft Corporation Incremental anti-spam lookup and update service
US7711779B2 (en) 2003-06-20 2010-05-04 Microsoft Corporation Prevention of outgoing spam
US7760722B1 (en) * 2005-10-21 2010-07-20 Oracle America, Inc. Router based defense against denial of service attacks using dynamic feedback from attacked host
WO2010151493A3 (en) * 2009-06-26 2011-03-03 Microsoft Corporation Real-time spam look-up system
US7904517B2 (en) 2004-08-09 2011-03-08 Microsoft Corporation Challenge response systems
US20110196931A1 (en) * 2010-02-05 2011-08-11 Microsoft Corporation Moderating electronic communications
US8006285B1 (en) 2005-06-13 2011-08-23 Oracle America, Inc. Dynamic defense of network attacks
US20110246583A1 (en) * 2010-04-01 2011-10-06 Microsoft Corporation Delaying Inbound And Outbound Email Messages
US8046832B2 (en) 2002-06-26 2011-10-25 Microsoft Corporation Spam detector with challenges
US8065370B2 (en) 2005-11-03 2011-11-22 Microsoft Corporation Proofs to filter spam
US8126971B2 (en) 2007-05-07 2012-02-28 Gary Stephen Shuster E-mail authentication
US8224905B2 (en) 2006-12-06 2012-07-17 Microsoft Corporation Spam filtration utilizing sender activity data
US8250159B2 (en) 2003-05-02 2012-08-21 Microsoft Corporation Message rendering for identification of content features
US20120233271A1 (en) * 2011-03-11 2012-09-13 Syed Saleem Javid Brahmanapalli Intelligent prevention of spam emails at share sites
US20130166664A1 (en) * 2007-02-09 2013-06-27 Research In Motion Limited Schedulable e-mail filters
US8533270B2 (en) 2003-06-23 2013-09-10 Microsoft Corporation Advanced spam detection techniques
US9059954B1 (en) * 2011-08-03 2015-06-16 Hunter C. Cohen Extracting indirect relational information from email correspondence
US9398037B1 (en) * 2004-09-27 2016-07-19 Radix Holdings, Llc Detecting and processing suspicious network communications
US9571435B2 (en) * 2014-09-04 2017-02-14 International Business Machines Corporation Automated spam filter updating by tracking user navigation
US20170195343A1 (en) * 2016-01-04 2017-07-06 Bank Of America Corporation Systems and apparatus for analyzing secure network electronic communication and endpoints
US9948629B2 (en) 2009-03-25 2018-04-17 The 41St Parameter, Inc. Systems and methods of sharing information through a tag-based consortium
US9990631B2 (en) 2012-11-14 2018-06-05 The 41St Parameter, Inc. Systems and methods of global identification
US10021099B2 (en) 2012-03-22 2018-07-10 The 41st Paramter, Inc. Methods and systems for persistent cross-application mobile device identification
US10089679B2 (en) 2006-03-31 2018-10-02 The 41St Parameter, Inc. Systems and methods for detection of session tampering and fraud prevention
US10091312B1 (en) 2014-10-14 2018-10-02 The 41St Parameter, Inc. Data structures for intelligently resolving deterministic and probabilistic device identifiers to device profiles and/or groups
US10171396B2 (en) 2012-02-27 2019-01-01 Shutterfly, Inc. Intelligent prevention of spam emails at share sites
US10284597B2 (en) 2007-05-07 2019-05-07 Gary Stephen Shuster E-mail authentication
US10417637B2 (en) 2012-08-02 2019-09-17 The 41St Parameter, Inc. Systems and methods for accessing records via derivative locators
US10453066B2 (en) 2003-07-01 2019-10-22 The 41St Parameter, Inc. Keystroke analysis
US10726151B2 (en) 2005-12-16 2020-07-28 The 41St Parameter, Inc. Methods and apparatus for securely displaying digital images
US10902327B1 (en) 2013-08-30 2021-01-26 The 41St Parameter, Inc. System and method for device identification and uniqueness
US10999298B2 (en) 2004-03-02 2021-05-04 The 41St Parameter, Inc. Method and system for identifying users and detecting fraud by use of the internet
US11010468B1 (en) 2012-03-01 2021-05-18 The 41St Parameter, Inc. Methods and systems for fraud containment
US11301585B2 (en) 2005-12-16 2022-04-12 The 41St Parameter, Inc. Methods and apparatus for securely displaying digital images
US11314838B2 (en) 2011-11-15 2022-04-26 Tapad, Inc. System and method for analyzing user device information

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9159049B2 (en) 2007-06-08 2015-10-13 At&T Intellectual Property I, L.P. System and method for managing publications
US8626856B2 (en) 2011-04-11 2014-01-07 Microsoft Corporation Geo-data spam filter
CN114143112B (en) * 2021-12-08 2024-03-29 赛尔网络有限公司 Malicious attack mail analysis method, device, equipment and medium

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6507866B1 (en) * 1999-07-19 2003-01-14 At&T Wireless Services, Inc. E-mail usage pattern detection
US6546416B1 (en) * 1998-12-09 2003-04-08 Infoseek Corporation Method and system for selectively blocking delivery of bulk electronic mail
US20040177120A1 (en) * 2003-03-07 2004-09-09 Kirsch Steven T. Method for filtering e-mail messages
US20050080855A1 (en) * 2003-10-09 2005-04-14 Murray David J. Method for creating a whitelist for processing e-mails
US20050198159A1 (en) * 2004-03-08 2005-09-08 Kirsch Steven T. Method and system for categorizing and processing e-mails based upon information in the message header and SMTP session
US20050198160A1 (en) * 2004-03-03 2005-09-08 Marvin Shannon System and Method for Finding and Using Styles in Electronic Communications
US7072944B2 (en) * 2002-10-07 2006-07-04 Ebay Inc. Method and apparatus for authenticating electronic mail
US7174453B2 (en) * 2000-12-29 2007-02-06 America Online, Inc. Message screening system
US20070083606A1 (en) * 2001-12-05 2007-04-12 Bellsouth Intellectual Property Corporation Foreign Network Spam Blocker

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2708920B2 (en) 1990-02-02 1998-02-04 富士通株式会社 Email system
US6108702A (en) 1998-12-02 2000-08-22 Micromuse, Inc. Method and apparatus for determining accurate topology features of a network
JP3590936B2 (en) 2001-10-06 2004-11-17 テラス テクノロジーズ,インコーポレイテッド E-mail service system having dynamic IP filtering module and dynamic IP address filtering method
KR100391319B1 (en) 2001-10-06 2003-07-12 주식회사 테라스테크놀로지 Electronic Mail Service Method and System Making Use of Dynamic IP Filtering
US7469280B2 (en) * 2002-11-04 2008-12-23 Sun Microsystems, Inc. Computer implemented system and method for predictive management of electronic messages
US20050198173A1 (en) * 2004-01-02 2005-09-08 Evans Alexander W. System and method for controlling receipt of electronic messages

Patent Citations (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6546416B1 (en) * 1998-12-09 2003-04-08 Infoseek Corporation Method and system for selectively blocking delivery of bulk electronic mail
US20070250586A1 (en) * 1998-12-09 2007-10-25 Kirsch Steven T Method and System for Selectively Blocking Delivery of Electronic Mail
US6507866B1 (en) * 1999-07-19 2003-01-14 At&T Wireless Services, Inc. E-mail usage pattern detection
US7174453B2 (en) * 2000-12-29 2007-02-06 America Online, Inc. Message screening system
US20070083606A1 (en) * 2001-12-05 2007-04-12 Bellsouth Intellectual Property Corporation Foreign Network Spam Blocker
US7072944B2 (en) * 2002-10-07 2006-07-04 Ebay Inc. Method and apparatus for authenticating electronic mail
US20040177120A1 (en) * 2003-03-07 2004-09-09 Kirsch Steven T. Method for filtering e-mail messages
US20050080855A1 (en) * 2003-10-09 2005-04-14 Murray David J. Method for creating a whitelist for processing e-mails
US20050198160A1 (en) * 2004-03-03 2005-09-08 Marvin Shannon System and Method for Finding and Using Styles in Electronic Communications
US20050198159A1 (en) * 2004-03-08 2005-09-08 Kirsch Steven T. Method and system for categorizing and processing e-mails based upon information in the message header and SMTP session

Cited By (90)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8204945B2 (en) * 2000-06-19 2012-06-19 Stragent, Llc Hash-based systems and methods for detecting and preventing transmission of unwanted e-mail
US20090132669A1 (en) * 2000-06-19 2009-05-21 Walter Clark Milliken Hash-based systems and methods for detecting and preventing transmission of unwanted e-mail
US8272060B2 (en) 2000-06-19 2012-09-18 Stragent, Llc Hash-based systems and methods for detecting and preventing transmission of polymorphic network worms and viruses
US8046832B2 (en) 2002-06-26 2011-10-25 Microsoft Corporation Spam detector with challenges
US20070208856A1 (en) * 2003-03-03 2007-09-06 Microsoft Corporation Feedback loop for spam prevention
US8250159B2 (en) 2003-05-02 2012-08-21 Microsoft Corporation Message rendering for identification of content features
US20040260922A1 (en) * 2003-06-04 2004-12-23 Goodman Joshua T. Training filters for IP address and URL learning
US20050022031A1 (en) * 2003-06-04 2005-01-27 Microsoft Corporation Advanced URL and IP features
US7665131B2 (en) 2003-06-04 2010-02-16 Microsoft Corporation Origination/destination features and lists for spam prevention
US7711779B2 (en) 2003-06-20 2010-05-04 Microsoft Corporation Prevention of outgoing spam
US8533270B2 (en) 2003-06-23 2013-09-10 Microsoft Corporation Advanced spam detection techniques
US11238456B2 (en) 2003-07-01 2022-02-01 The 41St Parameter, Inc. Keystroke analysis
US10453066B2 (en) 2003-07-01 2019-10-22 The 41St Parameter, Inc. Keystroke analysis
US8214438B2 (en) 2004-03-01 2012-07-03 Microsoft Corporation (More) advanced spam detection features
US20050193073A1 (en) * 2004-03-01 2005-09-01 Mehr John D. (More) advanced spam detection features
US11683326B2 (en) 2004-03-02 2023-06-20 The 41St Parameter, Inc. Method and system for identifying users and detecting fraud by use of the internet
US10999298B2 (en) 2004-03-02 2021-05-04 The 41St Parameter, Inc. Method and system for identifying users and detecting fraud by use of the internet
US20050204005A1 (en) * 2004-03-12 2005-09-15 Purcell Sean E. Selective treatment of messages based on junk rating
US7664819B2 (en) 2004-06-29 2010-02-16 Microsoft Corporation Incremental anti-spam lookup and update service
US7904517B2 (en) 2004-08-09 2011-03-08 Microsoft Corporation Challenge response systems
US7660865B2 (en) * 2004-08-12 2010-02-09 Microsoft Corporation Spam filtering with probabilistic secure hashes
US20060036693A1 (en) * 2004-08-12 2006-02-16 Microsoft Corporation Spam filtering with probabilistic secure hashes
US9398037B1 (en) * 2004-09-27 2016-07-19 Radix Holdings, Llc Detecting and processing suspicious network communications
US20060168042A1 (en) * 2005-01-07 2006-07-27 International Business Machines Corporation Mechanism for mitigating the problem of unsolicited email (also known as "spam"
US20060235930A1 (en) * 2005-04-19 2006-10-19 Xerox Corporation Method to counter junk e-mail by limiting validity of e-mail addresses
US20060262867A1 (en) * 2005-05-17 2006-11-23 Ntt Docomo, Inc. Data communications system and data communications method
US8001193B2 (en) * 2005-05-17 2011-08-16 Ntt Docomo, Inc. Data communications system and data communications method for detecting unsolicited communications
US8006285B1 (en) 2005-06-13 2011-08-23 Oracle America, Inc. Dynamic defense of network attacks
US20070038705A1 (en) * 2005-07-29 2007-02-15 Microsoft Corporation Trees of classifiers for detecting email spam
US7930353B2 (en) 2005-07-29 2011-04-19 Microsoft Corporation Trees of classifiers for detecting email spam
US7760722B1 (en) * 2005-10-21 2010-07-20 Oracle America, Inc. Router based defense against denial of service attacks using dynamic feedback from attacked host
US8065370B2 (en) 2005-11-03 2011-11-22 Microsoft Corporation Proofs to filter spam
US10726151B2 (en) 2005-12-16 2020-07-28 The 41St Parameter, Inc. Methods and apparatus for securely displaying digital images
US11301585B2 (en) 2005-12-16 2022-04-12 The 41St Parameter, Inc. Methods and apparatus for securely displaying digital images
US20070145053A1 (en) * 2005-12-27 2007-06-28 Julian Escarpa Gil Fastening device for folding boxes
US10535093B2 (en) 2006-03-31 2020-01-14 The 41St Parameter, Inc. Systems and methods for detection of session tampering and fraud prevention
US11195225B2 (en) 2006-03-31 2021-12-07 The 41St Parameter, Inc. Systems and methods for detection of session tampering and fraud prevention
US11727471B2 (en) 2006-03-31 2023-08-15 The 41St Parameter, Inc. Systems and methods for detection of session tampering and fraud prevention
US10089679B2 (en) 2006-03-31 2018-10-02 The 41St Parameter, Inc. Systems and methods for detection of session tampering and fraud prevention
US8224905B2 (en) 2006-12-06 2012-07-17 Microsoft Corporation Spam filtration utilizing sender activity data
US20080189789A1 (en) * 2007-02-01 2008-08-07 Elaine Lamontagne System, method and apparatus for the detection and capturing of technological crime instances
US20130166664A1 (en) * 2007-02-09 2013-06-27 Research In Motion Limited Schedulable e-mail filters
US8930477B2 (en) * 2007-02-09 2015-01-06 Blackberry Limited Schedulable e-mail filters
US8126971B2 (en) 2007-05-07 2012-02-28 Gary Stephen Shuster E-mail authentication
US10284597B2 (en) 2007-05-07 2019-05-07 Gary Stephen Shuster E-mail authentication
US8364773B2 (en) 2007-05-07 2013-01-29 Gary Stephen Shuster E-mail authentication
US7899870B2 (en) * 2007-06-25 2011-03-01 Microsoft Corporation Determination of participation in a malicious software campaign
US20080320095A1 (en) * 2007-06-25 2008-12-25 Microsoft Corporation Determination Of Participation In A Malicious Software Campaign
US8327431B2 (en) * 2007-07-18 2012-12-04 Trend Micro Incorporated Managing configurations of a firewall
US8132248B2 (en) * 2007-07-18 2012-03-06 Trend Micro Incorporated Managing configurations of a firewall
US20120042373A1 (en) * 2007-07-18 2012-02-16 Bart Trojanowski Managing configurations of a firewall
US20090025077A1 (en) * 2007-07-18 2009-01-22 Bart Trojanowski Managing configurations of a firewall
US20090165087A1 (en) * 2007-12-19 2009-06-25 Jacek Jachner Media registration and validation service to protect against unauthorized media sharing
US10616201B2 (en) 2009-03-25 2020-04-07 The 41St Parameter, Inc. Systems and methods of sharing information through a tag-based consortium
US9948629B2 (en) 2009-03-25 2018-04-17 The 41St Parameter, Inc. Systems and methods of sharing information through a tag-based consortium
US11750584B2 (en) 2009-03-25 2023-09-05 The 41St Parameter, Inc. Systems and methods of sharing information through a tag-based consortium
WO2010151493A3 (en) * 2009-06-26 2011-03-03 Microsoft Corporation Real-time spam look-up system
US9191235B2 (en) * 2010-02-05 2015-11-17 Microsoft Technology Licensing, Llc Moderating electronic communications
US20110196931A1 (en) * 2010-02-05 2011-08-11 Microsoft Corporation Moderating electronic communications
US20110246583A1 (en) * 2010-04-01 2011-10-06 Microsoft Corporation Delaying Inbound And Outbound Email Messages
US8745143B2 (en) * 2010-04-01 2014-06-03 Microsoft Corporation Delaying inbound and outbound email messages
US9838344B2 (en) 2011-03-11 2017-12-05 Shutterfly, Inc. Intelligent prevention of spam emails at share sites
US20120233271A1 (en) * 2011-03-11 2012-09-13 Syed Saleem Javid Brahmanapalli Intelligent prevention of spam emails at share sites
US9294306B2 (en) * 2011-03-11 2016-03-22 Shutterfly, Inc. Intelligent prevention of spam emails at share sites
US9059954B1 (en) * 2011-08-03 2015-06-16 Hunter C. Cohen Extracting indirect relational information from email correspondence
US11314838B2 (en) 2011-11-15 2022-04-26 Tapad, Inc. System and method for analyzing user device information
US10171396B2 (en) 2012-02-27 2019-01-01 Shutterfly, Inc. Intelligent prevention of spam emails at share sites
US10742580B2 (en) 2012-02-27 2020-08-11 Shutterfly, Llc Intelligent prevention of spam emails at share sites
US11010468B1 (en) 2012-03-01 2021-05-18 The 41St Parameter, Inc. Methods and systems for fraud containment
US11886575B1 (en) 2012-03-01 2024-01-30 The 41St Parameter, Inc. Methods and systems for fraud containment
US11683306B2 (en) 2012-03-22 2023-06-20 The 41St Parameter, Inc. Methods and systems for persistent cross-application mobile device identification
US10862889B2 (en) 2012-03-22 2020-12-08 The 41St Parameter, Inc. Methods and systems for persistent cross application mobile device identification
US10341344B2 (en) 2012-03-22 2019-07-02 The 41St Parameter, Inc. Methods and systems for persistent cross-application mobile device identification
US10021099B2 (en) 2012-03-22 2018-07-10 The 41st Paramter, Inc. Methods and systems for persistent cross-application mobile device identification
US11301860B2 (en) 2012-08-02 2022-04-12 The 41St Parameter, Inc. Systems and methods for accessing records via derivative locators
US10417637B2 (en) 2012-08-02 2019-09-17 The 41St Parameter, Inc. Systems and methods for accessing records via derivative locators
US11922423B2 (en) 2012-11-14 2024-03-05 The 41St Parameter, Inc. Systems and methods of global identification
US9990631B2 (en) 2012-11-14 2018-06-05 The 41St Parameter, Inc. Systems and methods of global identification
US10395252B2 (en) 2012-11-14 2019-08-27 The 41St Parameter, Inc. Systems and methods of global identification
US11410179B2 (en) 2012-11-14 2022-08-09 The 41St Parameter, Inc. Systems and methods of global identification
US10853813B2 (en) 2012-11-14 2020-12-01 The 41St Parameter, Inc. Systems and methods of global identification
US10902327B1 (en) 2013-08-30 2021-01-26 The 41St Parameter, Inc. System and method for device identification and uniqueness
US11657299B1 (en) 2013-08-30 2023-05-23 The 41St Parameter, Inc. System and method for device identification and uniqueness
US9571435B2 (en) * 2014-09-04 2017-02-14 International Business Machines Corporation Automated spam filter updating by tracking user navigation
US10728350B1 (en) 2014-10-14 2020-07-28 The 41St Parameter, Inc. Data structures for intelligently resolving deterministic and probabilistic device identifiers to device profiles and/or groups
US11240326B1 (en) 2014-10-14 2022-02-01 The 41St Parameter, Inc. Data structures for intelligently resolving deterministic and probabilistic device identifiers to device profiles and/or groups
US10091312B1 (en) 2014-10-14 2018-10-02 The 41St Parameter, Inc. Data structures for intelligently resolving deterministic and probabilistic device identifiers to device profiles and/or groups
US11895204B1 (en) 2014-10-14 2024-02-06 The 41St Parameter, Inc. Data structures for intelligently resolving deterministic and probabilistic device identifiers to device profiles and/or groups
US10021117B2 (en) * 2016-01-04 2018-07-10 Bank Of America Corporation Systems and apparatus for analyzing secure network electronic communication and endpoints
US20170195343A1 (en) * 2016-01-04 2017-07-06 Bank Of America Corporation Systems and apparatus for analyzing secure network electronic communication and endpoints

Also Published As

Publication number Publication date
US20120265834A1 (en) 2012-10-18
US8468208B2 (en) 2013-06-18

Similar Documents

Publication Publication Date Title
US8468208B2 (en) System, method and computer program to block spam
US10181957B2 (en) Systems and methods for detecting and/or handling targeted attacks in the email channel
EP1877904B1 (en) Detecting unwanted electronic mail messages based on probabilistic analysis of referenced resources
US6507866B1 (en) E-mail usage pattern detection
US9503468B1 (en) Detecting suspicious web traffic from an enterprise network
US7197539B1 (en) Automated disablement of disposable e-mail addresses based on user actions
US9177293B1 (en) Spam filtering system and method
US7359941B2 (en) Method and apparatus for filtering spam email
US7366919B1 (en) Use of geo-location data for spam detection
US7962560B2 (en) Updating hierarchical whitelists
US7921063B1 (en) Evaluating electronic mail messages based on probabilistic analysis
US20080082658A1 (en) Spam control systems and methods
US8566406B2 (en) Filtering of electronic mail messages destined for an internal network
EP2180660A1 (en) Method and system for statistical analysis of botnets
US20070226297A1 (en) Method and system to stop spam and validate incoming email
WO2005119488A2 (en) Techniques for determining the reputation of a message sender
US8166113B2 (en) Access limited EMM distribution lists
US8590002B1 (en) System, method and computer program product for maintaining a confidentiality of data on a network
US7454789B2 (en) Systems and methods for processing message attachments
US7690038B1 (en) Network security system with automatic vulnerability tracking and clean-up mechanisms
US9094236B2 (en) Methods, systems, and computer program products for collaborative junk mail filtering
US20060075099A1 (en) Automatic elimination of viruses and spam
US8312535B1 (en) System, method, and computer program product for interfacing a plurality of related applications
US8122498B1 (en) Combined multiple-application alert system and method
CN111258796A (en) Service infrastructure and method of predicting and detecting potential anomalies therein

Legal Events

Date Code Title Description
AS Assignment

Owner name: INTERNATIONAL BUSINESS MACHINES CORPORATION, NEW Y

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:DAVIS, JOHN F.;HIMBERGER, KEVIN D.;JEFFRIES, CLARK D.;AND OTHERS;REEL/FRAME:014525/0642;SIGNING DATES FROM 20040301 TO 20040305

STCB Information on status: application discontinuation

Free format text: ABANDONED -- AFTER EXAMINER'S ANSWER OR BOARD OF APPEALS DECISION