Systems and methods for managing directory harvest attacks via electronic messages

US 20060195537A1
Filed: 05/03/2006
Published: 08/31/2006
Est. Priority Date: 02/19/2003
Status: Active Grant

First Claim

Patent Images

1. A method of managing the transmission of electronic messages from sending mail servers to receiving mail servers, the method comprising:

receiving a plurality of delivery attempts of electronic messages from a sending mail server to a receiving mail server;

detecting a number of the plurality of delivery attempts made to invalid destination addresses associated with the receiving mail server; and

refusing a connection from the sending mail server based at least in part on the detected number of delivery attempts made to the invalid destination addresses.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention provides an electronic message management system (EMS) that includes a real-time feedback loop where data is collected from the electronic messages on incoming connection attempts, outgoing delivery attempts, and message content analysis, and written to a centralized data matrix. A separate process accesses the data matrix and analyzes trends in that data. The detected data patterns, trends or behavior is based on configuration parameters for the recipient. Based on these determinations, the process is able to instruct components in the EMS to accept, redirect, refuse, modify, defer, or otherwise dispose of the connection request, the delivery attempt, or the message. Associated methods for managing the transmission of electronic messages are also disclosed.

93 Citations

View as Search Results

32 Claims

1. A method of managing the transmission of electronic messages from sending mail servers to receiving mail servers, the method comprising:
- receiving a plurality of delivery attempts of electronic messages from a sending mail server to a receiving mail server;
  
  detecting a number of the plurality of delivery attempts made to invalid destination addresses associated with the receiving mail server; and
  
  refusing a connection from the sending mail server based at least in part on the detected number of delivery attempts made to the invalid destination addresses.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. A method according to claim 1, wherein detecting comprises determining that the number of the plurality of delivery attempts made to invalid destination addresses is a statistically significant percentage of delivery attempts made to valid addresses associated with the receiving mail server.
  - 3. A method according to claim 1, wherein refusing a connection from the sending mail comprises extracting source data associated with the sending mail server.
  - 4. A method according to claim 3, wherein refusing a connection from the sending mail further comprises extracting the source data from at least one of the electronic messages attempted for delivery to an invalid destination address.
  - 5. A method according to claim 4, wherein the source data comprises the source IP address of the sending mail server.
  - 6. A method according to claim 4, wherein the source data comprises domain data based on the sending mail server.
  - 7. A method according to claim 1, further comprising:
    - storing the detected number of the plurality of delivery attempts made to invalid destination addresses in a data structure; and
      
      managing the transmission of the electronic messages based on the data structure.
  - 8. A method according to claim 1, wherein the detected number of the plurality of delivery attempts made to invalid destination addresses comprises metadata.
  - 9. A method according to claim 8, wherein the data structure comprises a data table mapping source data for the plurality of electronic messages against destination data for the plurality of electronic messages, the method further comprising supplementing the source and destination data with the metadata.
  - 10. A method according to claim 1, wherein detecting a number of the plurality of delivery attempts made to invalid destination addresses comprises intercepting at least one incoming electronic message between the sending mail server and the receiving mail server.
  - 11. A method according to claim 10, wherein the intercepting comprises intercepting the at least one incoming electronic message within an intermediate mail server.
  - 12. A method according to claim 11, wherein the intermediate mail server is geographically located with the receiving mail server.
  - 13. A method according to claim 11, wherein the intermediate mail server refuses the connection from the sending mail server.
  - 14. A method according to claim 11, wherein the intercepting comprises intercepting the at least one the electronic messages by associating a new delivery address with the original delivery address associated with the at least one electronic message.
  - 15. A method according to claim 1, wherein refusing the connection from the sending mail server comprises refusing an SMTP connection from the sending mail server.
  - 16. A method according to claim 1, wherein the invalid destination addresses are substantially similar to valid destination addresses associated with the receiving mail server.
  - 17. A method according to claim 16, wherein the valid destination addresses are e-mail addresses.

18. An electronic message management system for use in managing the transmission of electronic messages from sending mail servers to receiving mail servers, the system comprising:
- an intermediate service configured to intercept at least one of the electronic messages between a sending mail server and a receiving mail server; and
  
  a connection management module associated with the intermediate service, the connection management module configured to;
  
  detect a number of the plurality of delivery attempts made to invalid destination addresses associated with the receiving mail server, and refuse a connection from the sending mail server based at least in part on the detected number of delivery attempts made to the invalid destination addresses.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 19. A system according to claim 18, wherein the detected number of the plurality of delivery attempts made to invalid destination addresses is a statistically significant percentage of delivery attempts made to valid addresses associated with the receiving mail server.
  - 20. A system according to claim 18, wherein the connection management module is further configured to extract source data associated with the sending mail server in order to refuse a connection from the sending mail comprises.
  - 21. A system according to claim 20, wherein the source data is extracted from at least one of the electronic messages attempted for delivery to an invalid destination address.
  - 22. A system according to claim 21, wherein the source data comprises the source IP address of the sending mail server.
  - 23. A system according to claim 21, wherein the source data comprises domain data based on the sending mail server.
  - 24. A system according to claim 18, further comprising:
    - a data structure associated with the intermediate service for storing the detected number of the plurality of delivery attempts made to invalid destination addresses, the connection management module refusing a connection from the sending mail server based on the data structure.
  - 25. A system according to claim 18, wherein the detected number of the plurality of delivery attempts made to invalid destination addresses comprises metadata.
  - 26. A system according to claim 25, wherein the data structure comprises a data table mapping source data for the plurality of electronic messages against destination data for the plurality of electronic messages, wherein the connection management module is further configured to supplement the source and destination data with the metadata.
  - 27. A system according to claim 18, wherein the intermediate service is within an intermediate mail server.
  - 28. A system according to claim 27, wherein the intermediate mail server is geographically located with the receiving mail server.
  - 29. A system according to claim 18, wherein the intermediate service is configured to intercept the at least one the electronic messages by associating a new delivery address with the original delivery address associated with the at least one electronic message.
  - 30. A system according to claim 18, wherein the refused connection from the sending mail server comprises a refused SMTP connection from the sending mail server.
  - 31. A system according to claim 18, wherein the invalid destination addresses are substantially similar to valid destination addresses associated with the receiving mail server.
  - 32. A system according to claim 31, wherein the valid destination addresses are e-mail addresses.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Postini, Inc. (Alphabet Inc.)
Inventors
Cox, Fred, Akamine, Shinya, Petry, Scott M., Lund, Peter Kevin, Oswall, Michael John

Granted Patent

US 7,958,187 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/206
CPC Class Codes

H04L 51/00   User-to-user messaging in p...

H04L 51/04   Real-time or near real-time...

H04L 63/1408   by monitoring network traff...

Systems and methods for managing directory harvest attacks via electronic messages

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

93 Citations

32 Claims

Specification

Use Cases

Quick Links

Others

Systems and methods for managing directory harvest attacks via electronic messages

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

93 Citations

32 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others