Identifying malicious messages based on received message data of the sender

US 10,419,478 B2
Filed: 07/05/2017
Issued: 09/17/2019
Est. Priority Date: 07/05/2017
Status: Active Grant

First Claim

Patent Images

1. A data processing method providing an improvement in computer security and comprising:

receiving, at a security computing device executing one or more message security applications, an electronic digital message that is directed to a receiving account;

using the security computing device, identifying a sending account associated with the electronic digital message and from which the electronic digital message was sent;

transmitting, to a message server, a request to obtain a count of messages received by any of a plurality of primary recipient accounts from a plurality of secondary sending accounts where the sending account was a secondary recipient, and receiving the count of messages in response to the request;

using the security computing device, determining that the sending account satisfies one or more received message criteria by determining that the count of messages is less than a threshold number of messages;

in response to the determining, using the security computing device, performing a responsive action relating to the electronic digital message.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for providing an improvement to computer security relating to electronic digital messages are provided. In an embodiment, a computing device receives an electronic digital message that is sent to a receiving account. The computing device identifies a sending account associated with the electronic digital message and from which the electronic digital message was sent. The computing device obtains metadata relating to the sending account, the metadata including received message data that is related to a number of messages that have been received by the sending account. The computing device determines that the sending account satisfies a received message criteria based, at least in part, on the received message data and, in response, performs a responsive action relating to the electronic digital message.

17 Citations

View as Search Results

21 Claims

1. A data processing method providing an improvement in computer security and comprising:
- receiving, at a security computing device executing one or more message security applications, an electronic digital message that is directed to a receiving account;
  
  using the security computing device, identifying a sending account associated with the electronic digital message and from which the electronic digital message was sent;
  
  transmitting, to a message server, a request to obtain a count of messages received by any of a plurality of primary recipient accounts from a plurality of secondary sending accounts where the sending account was a secondary recipient, and receiving the count of messages in response to the request;
  
  using the security computing device, determining that the sending account satisfies one or more received message criteria by determining that the count of messages is less than a threshold number of messages;
  
  in response to the determining, using the security computing device, performing a responsive action relating to the electronic digital message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising identifying one or more spam messages received by the sending account;
    - wherein the determining that the count of messages is less than the threshold number of messages is performed based only on messages that do not include the one or more spam messages.
  - 3. The method of claim 1, further comprising:
    - identifying a provider of the sending account;
      
      transmitting, to the provider of the sending account, a request for the metadata;
      
      receiving, from the provider of the sending account, data identifying a number of messages received by the sending account;
      
      determining that the sending account satisfies the received message criteria based, at least in part, on the data identifying the number of messages received by the sending account.
  - 4. The method of claim 1, further comprising:
    - transmitting, to a recipient account data source, a request for data identifying a plurality of recipient accounts;
      
      receiving, from the recipient account data source, data identifying the plurality of recipient accounts;
      
      determining that the sending account is not identified in the data identifying a plurality of recipient accounts and, in response, determining that the sending account satisfies the received message criteria.
  - 5. The method of claim 1, the responsive action comprising causing the electronic digital message to be quarantined.
  - 6. The method of claim 1, the responsive action comprising identifying the sending account as a potential phishing account.
  - 7. The method of claim 1, the responsive action comprising increasing a value identifying a likelihood that the sending account is a phishing account.
  - 8. The method of claim 1, the responsive action comprising analyzing one or more hyperlinks in the electronic digital message.
  - 9. The method of claim 1, the responsive action comprising causing scanning one or more attachments in the electronic digital message for viruses.

10. A data processing method providing an improvement in computer security and comprising:
- receiving, at a security computing device implemented to execute one or more message security applications an e-mail message that is directed to a receiving account;
  
  identifying, by the security computing device, a sending account associated with the e-mail message and from which the e-mail message was sent;
  
  transmitting, to a host computer of the sending account, a request to obtain a count of messages received by any of a plurality of primary recipient accounts from a plurality of secondary sending accounts where the sending account was a secondary recipient, and receiving the count of messages in response to the request;
  
  using the security computing device, in response to determining that the count of messages is less than a specified number, performing a responsive action relating to the e-mail message, the responsive action comprising one or more of;
  
  causing the e-mail message to be quarantined;
  
  marking the sending account as a potential phishing account;
  
  increasing a value identifying a likelihood that the sending account is a phishing account;
  
  analyzing one or more hyperlinks in the e-mail message;
  
  scanning one or more attachments in the e-mail message for viruses;
  
  dropping and not delivering the e-mail message to the receiving account;
  
  transmitting one or more notifications or alerts relating to the e-mail message.
- View Dependent Claims (11, 12)
- - 11. The method of claim 10, further comprising:
    - identifying one or more spam messages received by the sending account;
      
      modifying the count of messages received by the sending account, as received in response to the request, by decrementing the one or more spam messages from the count.
  - 12. The method of claim 10, further comprising:
    - receiving data identifying a plurality of recipient accounts;
      
      determining that the sending account is not identified in the data identifying a plurality of recipient accounts and, in response, performing the responsive action.

13. A system comprising:
- one or more processors;
  
  a memory communicatively coupled to the one or more processors storing instructions which, when executed by the one or more processors, cause performance of;
  
  receiving an electronic digital message that is directed to a receiving account;
  
  identifying a sending account associated with the electronic digital message and from which the electronic digital message was sent;
  
  transmitting, to a message server, a request to obtain a count of messages received by any of a plurality of primary recipient accounts from a plurality of secondary sending accounts where the sending account was a secondary recipient, and receiving the count of messages in response to the request;
  
  determining that the sending account satisfies one or more received message criteria by determining that the count of messages is less than a threshold number of messages;
  
  in response to the determining, performing a responsive action relating to the electronic digital message.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
- - 14. The system of claim 13, wherein the instructions, when executed by the one or more processors, further cause performance of identifying one or more spam messages received by the sending account;
    - wherein the determining that the count of messages is less than the threshold number of messages is performed based only on messages that do not include the one or more spam messages.
  - 15. The system of claim 13, wherein the instructions, when executed by the one or more processors, further cause performance of:
    - identifying a provider of the sending account;
      
      transmitting, to the provider of the sending account, a request for the metadata;
      
      receiving, from the provider of the sending account, data identifying a number of messages received by the sending account;
      
      determining that the sending account satisfies the received message criteria based, at least in part, on the data identifying the number of messages received by the sending account.
  - 16. The system of claim 13, wherein the instructions, when executed by the one or more processors, further cause performance of:
    - transmitting, to a recipient account data source, a request for data identifying a plurality of recipient accounts;
      
      receiving, from the recipient account data source, data identifying the plurality of recipient accounts;
      
      determining that the sending account is not identified in the data identifying a plurality of recipient accounts and, in response, determining that the sending account satisfies the received message criteria.
  - 17. The system of claim 13, the responsive action comprising causing the electronic digital message to be quarantined.
  - 18. The system of claim 13, the responsive action comprising identifying the sending account as a potential phishing account.
  - 19. The system of claim 13, the responsive action comprising increasing a value identifying a likelihood that the sending account is a phishing account.
  - 20. The system of claim 13, the responsive action comprising analyzing one or more hyperlinks in the electronic digital message.
  - 21. The system of claim 13, the responsive action comprising causing scanning one or more attachments in the electronic digital message for viruses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CloudFlare Incorporated
Original Assignee
Area 1 Security, Inc.
Inventors
Syme, Philip, Falkowitz, Oren, Flester, Michael
Primary Examiner(s)
Leung, Robert B

Application Number

US15/642,018
Publication Number

US 20190014143A1
Time in Patent Office

804 Days
Field of Search
US Class Current
CPC Class Codes

H04L 51/08   Annexed information, e.g. a...

H04L 51/18   Commands or executable codes

H04L 51/212   using filtering or selectiv...

H04L 63/101   Access control lists [ACL]

H04L 63/126   the source of the received ...

H04L 63/1441   Countermeasures against mal...

H04L 63/145   the attack involving the pr...

H04L 63/1483   service impersonation, e.g....

Identifying malicious messages based on received message data of the sender

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Identifying malicious messages based on received message data of the sender

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links