Automated message security scanner detection system

US 10,182,031 B2
Filed: 12/23/2016
Issued: 01/15/2019
Est. Priority Date: 12/22/2016
Status: Active Grant

First Claim

Patent Images

1. A method of determining whether an electronic message was delivered to an intended recipient or intercepted by a sandbox, comprising:

by a message generation server;

identifying a recipient for receiving a message,selecting a first identifier that may be actuated and a second identifier that may be actuated, wherein the first identifier comprises a hyperlink that is associated with a web page at a web address,generating an electronic message so that the message includes the hyperlink, andtransmitting the electronic message to the recipient via a communication network for delivery to an address of the recipient; and

by a web server;

hosting the web page so that the web page includes the second identifier in a format that is not visible to a human user of the web page,monitoring whether interaction occurs with the second identifier, anddetermining whether a sandbox may have intercepted the electronic message based on whether the web server detects interaction with the second identifier.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An electronic messaging system includes a messaging server that identifies a recipient for an electronic message. The messaging system sends the recipient an electronic message that includes instrumented content. A web server monitors activity and determines whether interaction occurred with the instrumented content. The web server determines whether a sandbox intercepted the message based on whether interaction occurred, or did not occur, with the instrumented content within a threshold time period or with one or more activity characteristics.

Citations

22 Claims

1. A method of determining whether an electronic message was delivered to an intended recipient or intercepted by a sandbox, comprising:
- by a message generation server;
  
  identifying a recipient for receiving a message,selecting a first identifier that may be actuated and a second identifier that may be actuated, wherein the first identifier comprises a hyperlink that is associated with a web page at a web address,generating an electronic message so that the message includes the hyperlink, andtransmitting the electronic message to the recipient via a communication network for delivery to an address of the recipient; and
  
  by a web server;
  
  hosting the web page so that the web page includes the second identifier in a format that is not visible to a human user of the web page,monitoring whether interaction occurs with the second identifier, anddetermining whether a sandbox may have intercepted the electronic message based on whether the web server detects interaction with the second identifier.
- View Dependent Claims (2)
- - 2. The method of claim 1, wherein determining whether a sandbox may have intercepted the electronic message comprises:
    - determining that the sandbox intercepted the electronic message before delivery to the recipient if the web server detects interaction with the address of the second hyperlink within a threshold period of time, otherwise determining that the electronic message has not been intercepted.

3. A method of determining whether an electronic message was intercepted by a sandbox, comprising:
- by a message generation server;
  
  selecting a first identifier that may be actuated and a second identifier that may be actuated, so that the first identifier and the second identifier share at least one common attribute, and so that the first identifier and the second identifier also include at least one attribute that is not common, andgenerating a first electronic message so that the first electronic message includes the first and second identifiers, andtransmitting the first electronic message for delivery to a first recipient address via a communication network; and
  
  by a web server;
  
  detecting interaction with the first identifier,monitoring whether interaction occurs with the second identifier within a threshold period of time after detecting interaction with the first identifier, andif interaction occurs with the second identifier within the threshold period of time, determining that the first electronic message has been intercepted by a sandbox, otherwise determining that the first electronic message has not been intercepted.
- View Dependent Claims (4, 5, 6, 7, 8)
- - 4. The method of claim 3, wherein:
    - the first identifier comprises a hyperlink and the second identifier also comprises a hyperlink; and
      
      monitoring whether interaction occurs with the first and second identifiers comprises, for each identifier, monitoring an address associated with the identifier'"'"'s hyperlink to determine whether a service request is received at the address.
  - 5. The method of claim 4, wherein the common attribute comprises a domain.
  - 6. The method of claim 3, wherein:
    - the first identifier comprises a message attachment and the second identifier also comprises a message attachment; and
      
      monitoring whether interaction occurs with the first and second identifiers comprises, for each identifier, determining whether an action that the identifier is configured to perform upon opening the message attachment has occurred.
  - 7. The method of claim 6, wherein the common attribute comprises a file extension.
  - 8. The method of claim 4, wherein:
    - the first identifier comprises an address of a first image that is stored on an image server;
      
      the second identifier comprises an address of a second image that is also stored on an image server;
      
      the common attribute comprises an address of the image server; and
      
      monitoring whether interaction occurs with the first and second identifier comprises, for each identifier, determining whether the image server has received a request for the identifier'"'"'s image.

9. A method of generating an electronic message, comprising:
- by a message generation server;
  
  selecting a first identifier that may be actuated,selecting a second identifier associated with a recipient,generating a plurality of electronic messages so that;
  
  each electronic message embeds the first identifier using one of a plurality of embedding methods, and the plurality of electronic messages collectively use more than one of the plurality of embedding messages; and
  
  each electronic message embeds the second identifier in a way that the message generation server knows is likely to be accessed;
  
  generating a recipient address associated with a recipient that the message generation server knows is invalid or that the message generation server determines is likely to be invalid, andtransmitting the plurality of electronic messages for delivery to the recipient address via a communication network; and
  
  by a web server;
  
  monitoring whether one or more interactions occur with the first and second identifiers in the plurality of electronic messages within a threshold period of time, andgenerating a cumulative fingerprint based on the one or more interactions with the first and second identifier in the plurality of electronic messages.
- View Dependent Claims (10, 11)
- - 10. The method of claim 9, further comprising, by the message generation server:
    - generating one or more additional electronic messages, wherein each of the additional electronic messages embeds the first and second identifiers based on the cumulative fingerprint;
      
      generating another recipient address associated with a recipient that the message generation server knows is valid or that the message generation server determines is likely to be valid; and
      
      transmitting the one or more additional electronic messages for delivery to the another recipient address via a communication network.
  - 11. The method of claim 10, wherein the interactions with the first and second identifier are indicative of one or more of the following characteristics:
    - an IP address, an IP address range, a DNS name, a browser type, a browser version and a browser plugin.

12. An electronic messaging system, comprising:
- a message generation server comprising a processor and a memory portion containing programming instructions that are configured to cause the message generation server to;
  
  identify a recipient for receiving a message,select a first identifier that may be actuated and a second identifier that may be actuated, wherein the first identifier comprises a hyperlink that is associated with a web page at a web address,generate an electronic message so that the message includes the hyperlink, andtransmit the electronic message to the recipient via a communication network for delivery to an address of the recipient; and
  
  a web server comprising a processor and a memory portion containing programming instructions that are configured to cause the web server to;
  
  host the web page so that the web page includes the second identifier in a format that is not visible to a human user of the web page,monitor whether interaction occurs with the second identifier, anddetermine whether a sandbox may have intercepted the electronic message based on whether the web server detects interaction with the second identifier.
- View Dependent Claims (13)
- - 13. The system of claim 12, wherein the instructions to determine whether a sandbox may have intercepted the electronic message comprise instructions to:
    - determine that the sandbox intercepted the electronic message before delivery to the recipient if the web server detects interaction with the address of the second hyperlink within a threshold period of time, otherwise determine that the electronic message has not been intercepted.

14. An electronic messaging system, comprising:
- a message generation server comprising a processor and a memory portion containing programming instructions that are configured to cause the message generation server to;
  
  select a first identifier that may be actuated and a second identifier that may be actuated, so that the first identifier and the second identifier share at least one common attribute, and so that the first identifier and the second identifier also include at least one attribute that is not common, andgenerate a first electronic message so that the first electronic message includes the first and second identifiers, andtransmit the first electronic message for delivery to a first recipient address via a communication network; and
  
  a web server comprising a processor and a memory portion containing programming instructions that are configured to cause the web server to;
  
  detect interaction with the first identifier,monitor whether interaction occurs with the second identifier within a threshold period of time after detecting interaction with the first identifier, andif interaction occurs with the second identifier within the threshold period of time, determine that the first electronic message has been intercepted by a sandbox, otherwise determine that the first electronic message has not been intercepted by the sandbox.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The system of claim 14, wherein:
    - the first identifier comprises a hyperlink and the second identifier also comprises a hyperlink; and
      
      the instructions to monitor whether interaction occurs with the first and second identifiers comprise instructions to, for each identifier, monitor an address associated with the identifier'"'"'s hyperlink to determine whether a service request is received at the address.
  - 16. The system of claim 15, wherein the common attribute comprises a domain.
  - 17. The system of claim 14, wherein:
    - the first identifier comprises a message attachment and the second identifier also comprises a message attachment; and
      
      the instructions to monitor whether interaction occurs with the first and second identifiers comprise instructions to, for each identifier, determine whether an action that the identifier is configured to perform upon opening the message attachment has occurred.
  - 18. The system of claim 17, wherein the common attribute comprises a file extension.
  - 19. The method of claim 14, wherein:
    - the first identifier comprises an address of a first image that is stored on an image server;
      
      the second identifier comprises an address of a second image that is also stored on an image server;
      
      the common attribute comprises an address of the image server; and
      
      the instructions to monitor whether interaction occurs with the first and second identifier comprise instructions to, for each identifier, determine whether the image server has received a request for the identifier'"'"'s image.

20. An electronic messaging system, comprising:
- a message generation server comprising a processor and a memory portion containing programming instructions that are configured to cause the message generation server to;
  
  select a first identifier that may be actuated,select a second identifier associated with a recipient,generate a plurality of electronic messages so that;
  
  each electronic message embeds the first identifier using one of a plurality of embedding methods, and the plurality of electronic messages collectively use more than one of the plurality of embedding messages, andeach electronic message embeds the second identifier in a way that the message generation server knows is likely to be accessed,generate a recipient address associated with a recipient that the message generation server knows is invalid or that the message generation server determines is likely to be invalid, andtransmit the plurality of electronic messages for delivery to the recipient address via a communication network; and
  
  a web server comprising a processor and a memory portion containing programming instructions that are configured to cause the web server to;
  
  monitor whether one or more interactions occur with the first and second identifiers in the plurality of electronic messages within a threshold period of time, andgenerate a cumulative fingerprint based on the one or more interactions with the first and second identifier in the plurality of electronic messages.
- View Dependent Claims (21, 22)
- - 21. The system of claim 20, wherein:
    - the message generation server comprises additional programming instructions that are configured to cause the message generation server to;
      
      generate one or more additional electronic messages, wherein each of the additional electronic messages embeds the first and second identifiers based on the cumulative fingerprint;
      
      generate another recipient address associated with a recipient that the message generation server knows is valid or that the message generation server determines is likely to be valid; and
      
      transmit the one or more additional electronic messages for delivery to the another recipient address via a communication network.
  - 22. The system of claim 21, wherein the interactions with the first and second identifier are indicative of one or more of the following characteristics:
    - an IP address, an IP address range, a DNS name, a browser type, a browser version and a browser plugin.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Proofpoint Incorporated
Original Assignee
Wombat Security Technologies, Inc (Proofpoint Incorporated)
Inventors
Hawthorn, Trevor Tyler
Primary Examiner(s)
Shingles, Kristie D

Application Number

US15/390,070
Publication Number

US 20180183749A1
Time in Patent Office

753 Days
Field of Search

709206
US Class Current
CPC Class Codes

H04L 51/18   Commands or executable codes

H04L 51/212   using filtering or selectiv...

H04L 51/214   using selective forwarding

H04L 51/234   for tracking messages

Automated message security scanner detection system

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Automated message security scanner detection system

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links