Email anti-phishing inspector
Abstract
A method, system, and computer program product are provided for implementing embodiments of an EScam Server, which are useful for determining phishing emails. Methods, systems, and program products are also provided to implement embodiments of a Trusted Host Miner, useful for determining servers associated with a Trusted URL, a Trusted Host Browser, useful for communicating to a user when links are Trusted URLs, and a Page Spider, useful for determining on-site links to documents which request a user's confidential information.
56 Claims

1. A method for determining a phishing email, comprising the steps of:
a. receiving an email message;
b. scoring the email message based on one or more factors, wherein at least one factor is based on the level of trust associated with a URL extracted from the email;
c. comparing the score with a predetermined phishing threshold; and
d. determining if the email is a phishing email based on the comparison.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18

19. A method for determining a phishing email, comprising the steps of:
a. storing descriptive content associated with one or more entities, the content including at least domain names and keywords;
b. receiving an email;
c. extracting descriptive content from the email;
d. determining a first entity that the email may be associated with based on a comparison between the extracted descriptive content and stored descriptive content;
e. extracting a URL from the email;
f. determining a second entity associated with the URL; and
g. determining if the email is a phishing email based on a comparison between the first entity and the second entity.
Dependent claims: 20, 21, 22, 23

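The entity comparison of claim 19, as an added example that is not taken from the patent or its specification. The entity store, the keyword-count heuristic for the first entity, the suffix match for the second entity, and all names and domains are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed entity store (step a); names, domains and keywords are made up.
ENTITIES = {
    "Example Bank": {"domains": {"examplebank.test"},
                     "keywords": {"example bank", "examplebank"}},
    "Sample Pay": {"domains": {"samplepay.test"},
                   "keywords": {"sample pay", "samplepay"}},
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def host_of(url):
    """Lower-cased host of a URL; userinfo before '@' and the port are dropped."""
    return (urlsplit(url).hostname or "").rstrip(".")

def entity_for_host(host):
    """Step f: entity whose stored domain equals the host or is a parent of it."""
    for name, info in ENTITIES.items():
        if any(host == d or host.endswith("." + d) for d in info["domains"]):
            return name
    return None

def claimed_entity(text):
    """Steps c-d: entity whose keywords occur most often in the text outside URLs."""
    body = URL_RE.sub(" ", text).lower()
    hits = {n: sum(body.count(k) for k in i["keywords"]) for n, i in ENTITIES.items()}
    best = max(hits, key=hits.get)
    return best if hits[best] > 0 else None

def check_email(text):
    """Steps e-g: return (url, first_entity, second_entity) for each mismatched link."""
    claimed = claimed_entity(text)
    if claimed is None:
        return []  # no known entity is referenced, so there is nothing to compare
    findings = []
    for url in URL_RE.findall(text):
        actual = entity_for_host(host_of(url))
        if actual != claimed:
            findings.append((url, claimed, actual))
    return findings

# Constructed sample message: one link is on the entity's domain, one is not.
SAMPLE = ("Dear customer, your Example Bank account is locked. "
          "Verify at http://examplebank.test.login.invalid/verify or "
          "see https://www.examplebank.test/help")
```

The suffix match requires a dot boundary, so a host that merely begins with a stored domain is not attributed to that entity.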
24. A method for associating one or more Internet Protocol (IP) addresses of a trusted server with a trusted Uniform Resource Locator (URL), comprising the steps of:
a. receiving the trusted URL;
b. submitting a first query containing the trusted URL to a Domain Name Server (DNS);
c. receiving from the DNS a first IP address;
d. associating the first IP address with the trusted URL, and storing the association;
e. submitting a second query containing the trusted URL to the DNS after a first predetermined amount of time has passed, wherein the first predetermined amount of time is a function of a time-to-live (TTL) value received from the DNS;
f. receiving from the DNS a second IP address; and
g. associating the second IP address with the trusted URL, and storing the association.
Dependent claims: 25, 26, 27, 28, 29, 30, 31

32. A method for communicating to a user the level of trust associated with a host of a Uniform Resource Locator (URL), comprising the steps of:
a. receiving the URL;
b. determining an Internet Protocol (IP) address associated with the URL;
c. determining the level of trust associated with the host of the URL based on one or more factors, wherein at least one factor is based on the IP address; and
d. communicating to the user the level of trust associated with the host.
Dependent claims: 33, 34, 35, 36, 37, 38, 39

40. A method for processing links in documents, comprising the steps of:
a. retrieving a first document available at a first link, the first link containing a first host name;
b. parsing the first document to identify a second link to a second document, wherein the second link contains the same host name as the first host name;
c. inspecting the second document to determine if it requests confidential information such as a login, password, or financial information; and
d. storing the second link in a first list if the second document requests confidential information.
Dependent claims: 41, 42, 43, 44, 45, 46, 47

48. A method for processing links in documents, comprising the steps of:
a. retrieving a first document available at a first link, the first link containing a first host name;
b. parsing the first document to identify one or more links to other documents, wherein each identified link contains an identified host name, and wherein the one or more identified links include at least a second link containing a second host name;
c. determining, for the one or more identified links, if the first host name and the identified host name are the same;
d. if the first host name and the identified host name are the same, storing the identified link in a first list; and
e. if the first host name and the identified host name are not the same, storing the identified link in a second list.
Dependent claims: 51, 52, 53, 54, 55, 56

49. The method of claim 49, further comprising the step of inspecting one or more links in the first list to determine if the inspected link references a document which requests confidential information such as a login, password, or financial information.
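The link processing of claims 40, 48 and 49, as an added example that is not taken from the patent or its specification. The field-name hints, the rule that a password input or a hinted field name means a document "requests confidential information", and the constructed pages standing in for network retrieval are all assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SENSITIVE_NAMES = ("pass", "pin", "ssn", "card", "cvv", "account")  # assumed hints

class LinkScan(HTMLParser):
    """Collects href targets and notes inputs that ask for confidential data."""
    def __init__(self):
        super().__init__()
        self.links, self.sensitive = [], False
    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "a" and a.get("href"):
            self.links.append(a["href"])
        elif tag == "input":
            name = a.get("name", "").lower()
            if a.get("type", "").lower() == "password" or any(s in name for s in SENSITIVE_NAMES):
                self.sensitive = True

def scan(html):
    parser = LinkScan()
    parser.feed(html)
    return parser

def split_links(first_link, html):
    """Claim 48 b-e: resolve each link, then sort into same-host and other-host lists."""
    first_host = urlsplit(first_link).hostname
    same, other = [], []
    for href in scan(html).links:
        url = urljoin(first_link, href)       # relative links resolve against the first link
        if urlsplit(url).scheme not in ("http", "https"):
            continue                          # mailto:, javascript: and similar have no host
        (same if urlsplit(url).hostname == first_host else other).append(url)
    return same, other

def confidential_links(first_link, fetch):
    """Claims 40 c-d and 49: same-host links whose documents request confidential data."""
    same, _ = split_links(first_link, fetch(first_link))
    return [u for u in same if scan(fetch(u)).sensitive]

# Constructed site used in place of network retrieval.
PAGES = {
    "https://shop.example.test/": '<a href="/login">In</a> <a href="about.html">About</a> '
        '<a href="https://cdn.example.net/app.js">cdn</a> <a href="mailto:x@example.test">m</a>',
    "https://shop.example.test/login": '<input name="user"><input type="password" name="pw">',
    "https://shop.example.test/about.html": "<p>About us</p>",
}

def fetch_constructed(url):
    return PAGES.get(url, "")
```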
Specification