Generating phish messages

US 20070294352A1
Filed: 11/23/2004
Published: 12/20/2007
Est. Priority Date: 05/02/2004
Status: Active Grant

First Claim

Patent Images

1. A method of inciting unsolicited email messages, the method comprising:

searching a listing of domain registration records for a domain registration record associated with a candidate domain that would be suitable for attracting unsolicited email messages;

monitoring the listing of domain registration records for an expiration of the domain registration record;

registering the candidate domain; and

accepting with a computer at least one received email message addressed to a userid at the candidate domain.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Various embodiments of the invention provide solutions (including inter alia, systems, methods and software) for dealing with online fraud. In particular, various embodiments of the invention provide ways to incite unsolicited email messages (such as spam messages, phish messages, etc.). In accordance with some embodiments, a bait email address may be planted in a particular location on the Internet. In particular embodiments, the location of the planted email address may be tracked in order to determine which locations are relatively more likely to generate unsolicited email messages. In other embodiments, domains likely to host the bait email addresses receiving unsolicited messages may be obtained. In some cases, unsolicited messages may be analyzed and/or otherwise processed to determine whether the messages are possibly associated with a fraudulent activity. Such analysis may lead to the investigation of one or more web sites and/or to the initiation of a response against a fraudulent activity.

205 Citations

59 Claims

1. A method of inciting unsolicited email messages, the method comprising:
- searching a listing of domain registration records for a domain registration record associated with a candidate domain that would be suitable for attracting unsolicited email messages;
  
  monitoring the listing of domain registration records for an expiration of the domain registration record;
  
  registering the candidate domain; and
  
  accepting with a computer at least one received email message addressed to a userid at the candidate domain.
- View Dependent Claims (2, 3, 4)
- - 2. A method of inciting unsolicited email messages as recited in claim 1, the method further comprising:
    - generating a bait email address for planting.
  - 3. A method of inciting unsolicited email messages as recited in claim 2, wherein generating a bait email address for planting comprises:
    - generating with a computer a userid component of a bait email address; and
      
      combining the userid component with a domain name associated with the registered candidate domain to generate a bait email address.
  - 4. A method of inciting unsolicited email messages as recited in claim 2, the method further comprising:
    - planting the bait email address at a location on the Internet likely to generate unsolicited email messages.

5. A method of inciting unsolicited email messages, the method comprising:
- planting at least one bait email address at a location on a computer network, the location being a likely target for a third party attempting to harvest email addresses;
  
  receiving an email message addressed to the bait email address; and
  
  analyzing with a computer the received email message to determine whether the received email message is an unsolicited email message.
- View Dependent Claims (6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 6. A method of inciting unsolicited email messages as recited in claim 5, the method further comprising:
    - generating a bait email address for planting.
  - 7. A method of inciting unsolicited email messages as recited in claim 6, wherein generating a bait email address for planting comprises:
    - generating with a computer a userid component of a bait email address;
      
      selecting with a computer a domain component of a bait email address; and
      
      combining the userid component and the domain component to generate a bait email address.
  - 8. A method of inciting unsolicited email messages as recited in claim 7, wherein generating a userid component comprises:
    - selecting from a first userid element from a first list;
      
      selecting a second userid element from a second list; and
      
      wherein the userid component comprises the first userid element and the second userid element.
  - 9. A method of inciting unsolicited email messages as recited in claim 5, the method further comprising:
    - tracking the bait email address, along with the location at which the bait email address was planted.
  - 10. A method of inciting unsolicited email messages as recited in claim 9, the method further comprising:
    - correlating the received email message with the tracked bait email address and location.
  - 11. A method of inciting unsolicited email messages as recited in claim 10, wherein the bait email address is a first bait email address, the method further comprising:
    - planting at least one additional bait email address at the location on the Internet at which the first bait email address was planted.
  - 12. A method of inciting unsolicited email messages as recited in claim 5, the method further comprising:
    - forwarding the received email message to a correlation engine for analysis.
  - 13. A method of inciting unsolicited email messages as recited in claim 5, the method further comprising:
    - determining that the received email message is a fraudulent email message.
  - 14. A method of inciting unsolicited email messages as recited in claim 13, wherein the received email message including a uniform resource locator (“
    - URL”
      
      ) configured to direct a recipient of the received email message to a web site referenced by the URL, wherein determining that the received email message is a fraudulent email message comprises;
      
      analyzing the received email message;
      
      based on an analysis of the received email message, categorizing the received email message as a possibly fraudulent email message; and
      
      investigating the URL included with the received email message to determine information about a server hosting the web site referenced by the URL.
  - 15. A method of inciting unsolicited email messages as recited in claim 14, the method further comprising:
    - preparing a report comprising at least some of the information about the server hosting the web site referenced by the uniform resource locator.
  - 16. A method of inciting unsolicited email messages as recited in claim 15, the method further comprising:
    - analyzing the report to determine whether the server is likely engaged in a fraudulent activity.
  - 17. A method of inciting unsolicited email messages as recited in claim 14, the method further comprising:
    - allowing a technician to initiate an action in response to the fraudulent activity.
  - 18. A method of inciting unsolicited email messages as recited in claim 14, the method further comprising:
    - pursuing an action in response to the fraudulent activity
  - 19. A method of inciting unsolicited email messages as recited in claim 14, wherein analyzing the received email message comprises:
    - parsing the received email message to identify a header portion of the received email message, a body portion of the received email message, and a uniform resource locator portion of the received email message;
      
      analyzing the header portion of the received email message;
      
      analyzing the body portion of the received email message;
      
      analyzing the uniform resource locator portion of the received email message; and
      
      categorizing the received email message as a possibly fraudulent email message.

20. A computer-implemented method of inciting unsolicited email messages, the method comprising:
- planting a bait email address at a location on the Internet;
  
  correlating the bait email address with the location at which it was planted;
  
  receiving an received email message addressed to the bait email address;
  
  determining, based on the received email message, that the location is likely to generate additional unsolicited email messages; and
  
  planting at least one additional bait email address at the location.

21. A method of inciting email messages, the method comprising:
- generating with a computer a userid component of a bait email address;
  
  selecting with a computer a domain component of a bait email address;
  
  combining the userid component and the domain component to generate a bait email address;
  
  identifying a location on the Internet likely to generate unsolicited email messages;
  
  planting the generated bait email address at the identified location; and
  
  tracking in a database the generated email address along with the identified location.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 22. A method of inciting unsolicited email messages as recited in claim 21, wherein the identified location is selected from the group consisting of a web site, an online chat room, a newsgroup, a bulletin board, a domain registration, an online commerce site, and an email list.
  - 23. A method of inciting unsolicited email messages as recited in claim 21, the method further comprising:
    - receiving an email message addressed to the generated email address.
  - 24. A method of inciting unsolicited email messages as recited in claim 23, the method further comprising:
    - investigating a domain associated with the identified location to determine whether the domain is involved in a fraudulent activity.
  - 25. A method of inciting unsolicited email messages as recited in claim 23, the method further comprising:
    - forwarding the email message to a correlation engine for analysis.
  - 26. A method of inciting unsolicited email messages as recited in claim 23, the method further comprising:
    - determining that the email message is a fraudulent email message.
  - 27. A method of inciting unsolicited email messages as recited in claim 23, the method further comprising:
    - implementing a feedback loop upon receiving the email message, the feedback loop being operable to;
      
      designate the identified location as a location likely to generate unsolicited email messages; and
      
      prioritize the identified location as a preferred location for planting at least one additional generated bait email address.
  - 28. A method of inciting unsolicited email messages as recited in claim 21, wherein generating a userid component comprises:
    - selecting from a first userid element from a first list;
      
      selecting a second userid element from a second list; and
      
      combining the first userid element with the second userid element to generate a userid component.
  - 29. A method of inciting unsolicited email messages as recited in claim 28, wherein the first list and the second list are incorporated within a single list.
  - 30. A method of inciting unsolicited email messages as recited in claim 21, the method further comprising:
    - maintaining a list of domains available to receive email messages;
      
      wherein selecting a domain component comprises selecting a domain from the list of domains available to receive email messages.
  - 31. A method of inciting unsolicited email messages as recited in claim 21, the method further comprising:
    - taking an appropriate action to enable a domain associated with the domain component to receive email messages addressed to the generated bait email address.
  - 32. A method of inciting unsolicited email messages as recited in claim 31, wherein the appropriate action is taken by an automated process.
  - 33. A method of inciting unsolicited email messages as recited in claim 31, wherein taking an appropriate action comprises creating an email account on a mail server responsible for receiving email messages directed to the domain associated with the domain component, the email account corresponding to the userid component.
  - 34. A method of inciting unsolicited email messages as recited in claim 31, wherein taking an appropriate action comprises opening an account with an Internet service provider responsible for managing the domain associated with the domain component, the account corresponding to the userid component.
  - 35. A method of inciting unsolicited email messages as recited in claim 31, wherein taking an appropriate action comprises enabling a mail server responsible for receiving email messages directed to the domain associated with the domain component to receive all messages directed to any recipient at the domain, regardless of a userid of the recipient.

36. A method of inciting unsolicited email messages, the method comprising:
- providing a bait email address;
  
  identifying a plurality of locations on the Internet, each of the plurality of locations being likely to generate unsolicited email messages;
  
  planting the bait email address at each of the plurality of locations;
  
  for a particular location, the particular location being one of the plurality of locations, providing at least one piece of information associated with the bait email address, the at least one piece of information sufficient to identify the particular location at which the bait email address is planted; and
  
  tracking the particular location, along with the bait email address and the at least one piece of information sufficient to identify the particular location from other of the plurality of locations.
- View Dependent Claims (37, 38, 39, 40, 41, 42, 43, 44)
- - 37. A method of inciting unsolicited email messages as recited in claim 36, wherein tracking comprises:
    - creating in a database a record associated with the particular location, the record comprising data about the particular location, data about the bait email address, and data about the at least one piece of information sufficient to identify the particular location from other of the plurality of locations.
  - 38. A method of inciting unsolicited email messages as recited in claim 36, the method further comprising:
    - receiving an email message addressed to the bait email address.
  - 39. A method of inciting unsolicited email messages as recited in claim 38, wherein the email message comprises the at least one piece of information sufficient to identify the particular location from other of the plurality of locations, the method further comprising:
    - identifying the particular location as a location particularly likely to generate unsolicited email messages, based on the at least one piece of information.
  - 40. A method of inciting unsolicited email messages as recited in claim 39, the method further comprising:
    - prioritizing the particular location as a preferred location for planting additional bait email addresses.
  - 41. A method of inciting unsolicited email messages as recited in claim 39, the method further comprising:
    - planting at least one additional bait email address at the particular location.
  - 42. A method of inciting unsolicited email messages as recited in claim 36, the method further comprising:
    - generating a bait email address.
  - 43. A method of inciting unsolicited email messages as recited in claim 36, wherein the at least one piece of information sufficient to identify the particular location is selected from the group consisting of a first name, a last name, a combination of first and last name, a birth date, a social security number, an email address, a telephone number, a mother'"'"'s maiden name, a password, and a subject matter interest.
  - 44. A method of inciting unsolicited email messages as recited in claim 36, the method further comprising:
    - for each of the plurality of locations, planting at least one piece of information sufficient to identify that location from other of the plurality of locations; and
      
      tracking each of the plurality of locations, along with the at least one piece of information sufficient to identify that particular location from other of the plurality of locations;
      
      wherein, for each of the plurality of locations, a distinct piece of information is planted, such that none of the plurality of locations is planted with the same piece of information.

45. A computer system for inciting unsolicited email messages, the computer system comprising a processor and a computer readable medium having instructions executable by the processor to:
- search a listing of domain registration records for a domain registration record associated with a candidate domain that would be suitable for attracting unsolicited email messages;
  
  monitor the listing of domain registration records for an expiration of the domain registration record;
  
  register the candidate domain; and
  
  accept at least one received email message addressed to a userid at the candidate domain.

46. A computer system for inciting unsolicited email messages, the computer system comprising a processor and a computer readable medium having instructions executable by the processor to:
- plant at least one bait email address at a location on a computer network, the location being a likely target for a third party attempting to harvest email addresses;
  
  receive an email message addressed to the bait email address; and
  
  analyze the received email message to determine whether the received email message is an unsolicited email message.

47. A computer system for inciting unsolicited email messages, the computer system comprising a processor and a computer readable medium having instructions executable by the processor to:
- plant a bait email address at a location on the Internet;
  
  correlate the bait email address with the location at which it was planted;
  
  receive an received email message addressed to the bait email address;
  
  determine, based on the received email message, that the location is likely to generate additional unsolicited email messages; and
  
  plant at least one additional bait email address at the location.

48. A computer system for inciting unsolicited email messages, the computer system comprising a processor and a computer readable medium having instructions executable by the processor to:
- generate a userid component of a bait email address;
  
  select a domain component of a bait email address;
  
  combine the userid component and the domain component to generate a bait email address;
  
  identify a location on the Internet likely to generate unsolicited email messages;
  
  plant the generated bait email address at the identified location; and
  
  track in a database the generated email address along with the identified location.

49. A computer system for inciting unsolicited email messages, the computer system comprising a processor and a computer readable medium having instructions executable by the processor to:
- identify a plurality of locations on the Internet, each of the plurality of locations being likely to generate unsolicited email messages;
  
  plant a bait email address at each of the plurality of locations;
  
  for a particular location, the particular location being one of the plurality of locations, provide at least one piece of information associated with the bait email address, the at least one piece of information sufficient to identify the particular location at which the bait email address is planted; and
  
  track the particular location, along with the bait email address and the at least one piece of information sufficient to identify the particular location from other of the plurality of locations.

50. A computer program embodied on a computer readable medium, the computer program comprising instructions executable by one or more computers to:
- search a listing of domain registration records for a domain registration record associated with a candidate domain that would be suitable for attracting unsolicited email messages;
  
  monitor the listing of domain registration records for an expiration of the domain registration record;
  
  register the candidate domain; and
  
  accept at least one received email message addressed to a userid at the candidate domain.

51. A computer program embodied on a computer readable medium, the computer program comprising instructions executable by one or more computers to:
- plant at least one bait email address at a location on a computer network, the location being a likely target for a third party attempting to harvest email addresses;
  
  receive an email message addressed to the bait email address; and
  
  analyze the received email message to determine whether the received email message is an unsolicited email message.

52. A computer program embodied on a computer readable medium, the computer program comprising instructions executable by one or more computers to:
- plant a bait email address at a location on the Internet;
  
  correlate the bait email address with the location at which it was planted;
  
  receive an received email message addressed to the bait email address;
  
  determine, based on the received email message, that the location is likely to generate additional unsolicited email messages; and
  
  plant at least one additional bait email address at the location.

53. A computer program embodied on a computer readable medium, the computer program comprising instructions executable by one or more computers to:
- generate a userid component of a bait email address;
  
  select a domain component of a bait email address;
  
  combine the userid component and the domain component to generate a bait email address;
  
  identify a location on the Internet likely to generate unsolicited email messages;
  
  plant the generated bait email address at the identified location; and
  
  track in a database the generated email address along with the identified location.

54. A computer program embodied on a computer readable medium, the computer program comprising instructions executable by one or more computers to:
- identify a plurality of locations on the Internet, each of the plurality of locations being likely to generate unsolicited email messages;
  
  plant a bait email address at each of the plurality of locations;
  
  for a particular location, the particular location being one of the plurality of locations, provide at least one piece of information associated with the bait email address, the at least one piece of information sufficient to identify the particular location at which the bait email address is planted; and
  
  track the particular location, along with the bait email address and the at least one piece of information sufficient to identify the particular location from other of the plurality of locations.

55. A system comprising:
- means for searching a listing of domain registration records for a domain registration record associated with a candidate domain that would be suitable for attracting unsolicited email messages;
  
  means for monitoring the listing of domain registration records for an expiration of the domain registration record;
  
  means for registering the candidate domain; and
  
  means for accepting at least one received email message addressed to a userid at the candidate domain.

56. A system comprising:
- means for planting at least one bait email address at a location on a computer network, the location being a likely target for a third party attempting to harvest email addresses;
  
  means for receiving an email message addressed to the bait email address; and
  
  means for analyzing the received email message to determine whether the received email message is an unsolicited email message.

57. A system comprising:
- means for planting a bait email address at a location on the Internet;
  
  means for correlating the bait email address with the location at which it was planted;
  
  means for receiving an received email message addressed to the bait email address;
  
  means for determining, based on the received email message, that the location is likely to generate additional unsolicited email messages; and
  
  means for planting at least one additional bait email address at the location.

58. A system comprising:
- means for generating a userid component of a bait email address;
  
  means for selecting a domain component of a bait email address;
  
  means for combining the userid component and the domain component to generate a bait email address;
  
  means for identifying a location on the Internet likely to generate unsolicited email messages;
  
  means for planting the generated bait email address at the identified location; and
  
  means for tracking in a database the generated email address along with the identified location.

59. A system, comprising:
- means for identifying a plurality of locations on the Internet, each of the plurality of locations being likely to generate unsolicited email messages;
  
  means for planting a bait email address at each of the plurality of locations;
  
  for a particular location, the particular location being one of the plurality of locations, means for providing at least one piece of information associated with the bait email address, the at least one piece of information sufficient to identify the particular location at which the bait email address is planted; and
  
  means for tracking the particular location, along with the bait email address and the at least one piece of information sufficient to identify the particular location from other of the plurality of locations.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Opsec Online Limited
Original Assignee
MarkMonitor Inc.
Inventors
Shull, Mark, Shraim, Ihab

Granted Patent

US 8,041,769 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/206
CPC Class Codes

G06Q 10/107   Computer-aided management o...

H04L 51/212   using filtering or selectiv...

H04L 63/1441   Countermeasures against mal...

H04L 63/1483   service impersonation, e.g....

H04L 63/1491   using deception as counterm...

Generating phish messages

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

205 Citations

59 Claims

Specification

Solutions

Use Cases

Quick Links

Generating phish messages

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

205 Citations

59 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links