Controlling a message quarantine

US 20070083929A1
Filed: 12/07/2006
Published: 04/12/2007
Est. Priority Date: 05/05/2005
Status: Active Grant

First Claim

Patent Images

1. An apparatus, comprising:

a network interface;

one or more processors coupled to the network interface;

logic coupled to the one or more processors which, when executed by the one or more processors, causes the one or more processors to perform;

receiving and storing a plurality of rules specifying characteristics of electronic messages that indicate threats associated with the messages, wherein each rule has a priority value, wherein each rule is associated with a message element type;

receiving an electronic mail message having a destination address for a recipient account, wherein the message comprises a plurality of message elements;

extracting a first message element;

determining a threat score value for the message by matching only the first message element to only selected rules having a message element type corresponding to the first message element, and according to an order of the priorities of the selected rules;

when the threat score value is greater than a specified threshold, outputting the threat score value.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Controlling a message quarantine is disclosed. A message scanning method is described in which early exit from parsing and scanning can occur by matching threat rules only to selected message elements and stopping rule matching as soon as a match on one message element exceeds a threat threshold.

Citations

19 Claims

1. An apparatus, comprising:
- a network interface;
  
  one or more processors coupled to the network interface;
  
  logic coupled to the one or more processors which, when executed by the one or more processors, causes the one or more processors to perform;
  
  receiving and storing a plurality of rules specifying characteristics of electronic messages that indicate threats associated with the messages, wherein each rule has a priority value, wherein each rule is associated with a message element type;
  
  receiving an electronic mail message having a destination address for a recipient account, wherein the message comprises a plurality of message elements;
  
  extracting a first message element;
  
  determining a threat score value for the message by matching only the first message element to only selected rules having a message element type corresponding to the first message element, and according to an order of the priorities of the selected rules;
  
  when the threat score value is greater than a specified threshold, outputting the threat score value.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The apparatus of claim 1 or 10, further comprising logic for determining an updated threat score value for the message by matching other message elements to other rules only when the threat score value is less than a specified threshold.
  - 3. The apparatus of claim 1 or 10, wherein the message elements comprise one or more message headers, a message body, and one or more HTML elements in the message body.
  - 4. The apparatus of claim 1 or 10, wherein the first message element comprises one or more message headers, the selected rules comprise only header rules, and the plurality of rules includes the header rules, raw body rules, and HTML body rules.
  - 5. The apparatus of claim 1 or 10, further comprising logic for determining the threat score value for the message by matching only the first message element to only the selected rules having a message element type corresponding to the first message element, and according to an order of the priorities of the selected rules;
    - after matching each rule among the selected rules, testing whether the threat score value is greater than the specified threshold; and
      
      when the threat score value is greater than a specified threshold, outputting the threat score value.
  - 6. The apparatus of claim 1 or 10, further comprising logic for determining an updated threat score value for the message by decoding a body of the message and matching the body to one or more raw body rules only when the threat score value is less than a specified threshold.
  - 7. The apparatus of claim 1 or 10, further comprising logic for determining an updated threat score value for the message by rendering markup language message elements and matching the rendered markup language message elements to one or more body rules only when the threat score value is less than a specified threshold.
  - 8. The apparatus of claim 1 or 10, wherein the logic comprises an anti-spam scanning engine.
  - 9. The apparatus of claim 1 or 10, wherein the threats comprise any one of a virus, spam, or a phishing attack.

10. An apparatus, comprising:
- means for receiving and storing a plurality of rules specifying characteristics of electronic messages that indicate threats associated with the messages, wherein each rule has a priority value, wherein each rule is associated with a message element type;
  
  means for receiving an electronic mail message having a destination address for a recipient account, wherein the message comprises a plurality of message elements;
  
  means for extracting a first message element;
  
  means for determining a threat score value for the message by matching only the first message element to only selected rules having a message element type corresponding to the first message element, and according to an order of the priorities of the selected rules;
  
  means for outputting the threat score value when the threat score value is greater than a specified threshold.

11. A method, comprising:
- a network interface;
  
  one or more processors coupled to the network interface;
  
  logic coupled to the one or more processors which, when executed by the one or more processors, causes the one or more processors to perform;
  
  receiving and storing a plurality of rules specifying characteristics of electronic messages that indicate threats associated with the messages, wherein each rule has a priority value, wherein each rule is associated with a message element type;
  
  receiving an electronic mail message having a destination address for a recipient account, wherein the message comprises a plurality of message elements;
  
  extracting a first message element;
  
  determining a threat score value for the message by matching only the first message element to only selected rules having a message element type corresponding to the first message element, and according to an order of the priorities of the selected rules;
  
  when the threat score value is greater than a specified threshold, outputting the threat score value.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19)
- - 12. The method of claim 11, further comprising logic for determining an updated threat score value for the message by matching other message elements to other rules only when the threat score value is less than a specified threshold.
  - 13. The method of claim 11, wherein the message elements comprise one or more message headers, a message body, and one or more HTML elements in the message body.
  - 14. The method of claim 11, wherein the first message element comprises one or more message headers, the selected rules comprise only header rules, and the plurality of rules includes the header rules, raw body rules, and HTML body rules.
  - 15. The method of claim 11, further comprising logic for determining the threat score value for the message by matching only the first message element to only the selected rules having a message element type corresponding to the first message element, and according to an order of the priorities of the selected rules;
    - after matching each rule among the selected rules, testing whether the threat score value is greater than the specified threshold; and
      
      when the threat score value is greater than a specified threshold, outputting the threat score value.
  - 16. The method of claim 11, further comprising logic for determining an updated threat score value for the message by decoding a body of the message and matching the body to one or more raw body rules only when the threat score value is less than a specified threshold.
  - 17. The method of claim 11, further comprising logic for determining an updated threat score value for the message by rendering markup language message elements and matching the rendered markup language message elements to one or more body rules only when the threat score value is less than a specified threshold.
  - 18. The method of claim 11, wherein the logic comprises an anti-spam scanning engine.
  - 19. The method of claim 11, wherein the threats comprise any one of a virus, spam, or a phishing attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Charles Slater, Craig Sprosts, Daniel Quinlan, Larry Rosenstein, Scot Kennedy
Original Assignee
Charles Slater, Craig Sprosts, Daniel Quinlan, Larry Rosenstein, Scot Kennedy
Inventors
Sprosts, Craig, Quinlan, Daniel, Slater, Charles, Kennedy, Scot, Rosenstein, Larry

Granted Patent

US 7,712,136 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/22
CPC Class Codes

G06Q 10/107   Computer-aided management o...

H04L 51/212   using filtering or selectiv...

H04L 51/234   for tracking messages

H04L 61/4511   using domain name system [DNS]

H04L 63/123   received data contents, e.g...

H04L 63/126   the source of the received ...

H04L 63/145   the attack involving the pr...

Controlling a message quarantine

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Controlling a message quarantine

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links