REAL-TIME DETECTION AND PREVENTION OF BULK MESSAGES

US 20080021961A1
Filed: 07/18/2006
Published: 01/24/2008
Est. Priority Date: 07/18/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting unwanted messages in real-time at a message delivery host, the method comprising:

generating at least one key for a message based on an attribute of the message;

for each generated key, determining a status associated with the key; and

processing the message according to the statuses associated with the generated keys.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for detecting and preventing bulk messages in real-time is provided. A detection server detects and prevents bulk messages in real-time by analyzing the network traffic pattern of attributes of messages, such as email messages, that are passing through the network against an expected network traffic pattern. The expected network traffic pattern may be specified as a combination of a rate and one or more thresholds, where each threshold has a corresponding status. The rate specifies a quantity of an attribute measured with respect to a quantity of time. A status associated with a threshold is attained when the rate is exceeded the requisite threshold number of times. The status indicates an action that is to be taken in processing the email message containing the attribute. An email message can then be processed in accordance with a status assigned to an attribute of the email message.

Citations

20 Claims

1. A computer-implemented method for detecting unwanted messages in real-time at a message delivery host, the method comprising:
- generating at least one key for a message based on an attribute of the message;
  
  for each generated key, determining a status associated with the key; and
  
  processing the message according to the statuses associated with the generated keys.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the attribute of the message is an Internet Protocol (IP) address of a sender of the message.
  - 3. The method of claim 1, wherein the attribute of the message is a body part of the message.
  - 4. The method of claim 1, wherein the key is a hash print of a body part of the message.
  - 5. The method of claim 1, wherein the status is obtained from a remote detection server.
  - 6. The method of claim 1, wherein the status indicates to normally process the message.
  - 7. The method of claim 1, wherein the status indicates to reject the message.
  - 8. The method of claim 1, wherein the status indicates to send a copy of the message to a preconfigured address.
  - 9. The method of claim 1, wherein the status indicates to indicate the message as suspicious.
  - 10. The method of claim 1, wherein each status associated with a key is based on a count of a number of times a specified rate is exceeded and at least one threshold value, each threshold value specifies the number of times the rate has to be exceeded for the key to attain the corresponding status.
  - 11. The method of claim 10, wherein the count of a number of times the specified rate is exceeded is a local count.
  - 12. The method of claim 10, wherein the count of a number of times the specified rate is exceeded is a global count.

13. A computer-implemented method for assigning statuses to keys at a detection server, the keys based on attributes of messages, the method comprising:
- providing an association between a plurality of threshold values and corresponding statuses, wherein each threshold value specifies a number of times a rate has to be exceeded;
  
  for each key, providing a count of a number of times the rate is exceeded on the detection server;
  
  receiving from a message delivery host an indication of a key;
  
  determining whether the rate is exceeded; and
  
  upon determining that the rate is exceeded,incrementing the count of the number of times the rate is exceeded on the detection server;
  
  determining whether one of the threshold values is crossed; and
  
  upon determining that one of the threshold values is crossed, assigning to the key the status associated with the threshold value that is crossed.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The method of claim 13 further comprising:
    - for each key, providing a count of a number of times the rate is exceeded globally; and
      
      upon determining that the rate is exceeded, updating the count of the number of times the rate is exceeded globally.
  - 15. The method of claim 14 further comprising:
    - receiving from a peer detection server an advertisement of a suspicious key;
      
      updating the count of the number of times the rate is exceeded globally for the suspicious key;
      
      determining whether one of the threshold values is crossed; and
      
      upon determining that one of the threshold values is crossed, assigning to the suspicious key the status associated with the threshold value that is crossed.
  - 16. The method of claim 13, wherein the status assigned to the key indicates that the key is a suspicious key.
  - 17. The method of claim 13 further comprising:
    - identifying suspicious keys; and
      
      sending an advertisement of suspicious keys to peer detection servers.

18. A detection server comprising:
- a host component that receives a request for a status of a key from a message delivery host, that determines the status of the specified key, and that sends the status of the key to the message delivery host; and
  
  a peer component that sends advertisements of suspicious keys to peer detection servers, and that receives advertisements of suspicious keys from peer detection servers.
- View Dependent Claims (19, 20)
- - 19. The server of claim 18, wherein the peer component also assigns statuses to keys based on advertisements received from peer detection servers.
  - 20. The server of claim 18, wherein the host component also assigns statuses to keys based on requests for statuses of keys received from message delivery hosts.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Jhawar, Amit

Granted Patent

US 7,734,703 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/206
CPC Class Codes

H04L 51/212 using filtering or selectiv...

H04L 63/0227 Filtering policies mail mes...

REAL-TIME DETECTION AND PREVENTION OF BULK MESSAGES

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

REAL-TIME DETECTION AND PREVENTION OF BULK MESSAGES

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links