IDENTIFYING IP ADDRESSES FOR SPAMMERS
Abstract
Detecting and blocking spam messages using statistical analysis on distributions of message sizes for a given IP address. Mail volumes are examined to model a distribution of volumes to cluster IP addresses. The message sizes may be distributed across ranges of message sizes, and that distribution is then used to determine an entropy of message sizes for the given IP address. The entropy of the given IP address may be compared to entropies of known good IP addresses, and if a difference between the entropies is statistically significant, then the given IP address may be determined to be an IP spammer. User feedback may also be employed to further characterize an IP address. For example, a number of messages from the IP address may be sent to intended recipients. User feedback may then be monitored to determine whether the IP address should be reclassified.
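The entropy comparison described in the abstract, as an added example that is not taken from the patent. The size-range boundaries, the z-score test standing in for "statistically significant", the thresholds, and all sample message sizes are assumptions constructed for illustration.

```python
import math
from bisect import bisect_right
from collections import Counter
from statistics import mean, stdev

# Assumed size-range boundaries in bytes; the page does not specify any.
BUCKET_EDGES = [1_000, 2_000, 5_000, 10_000, 50_000, 200_000]

def size_entropy(sizes):
    """Shannon entropy (bits) of the messages' distribution over size ranges."""
    counts = Counter(bisect_right(BUCKET_EDGES, s) for s in sizes)
    total = sum(counts.values())
    return -sum((c / total) * math.log2(c / total) for c in counts.values())

def classify(sizes, good_entropies, z_threshold=3.0, min_messages=20):
    """Compare one IP's entropy with known-good entropies.

    A two-sided z-score is an assumed significance test. Returns
    (label, entropy, z); too few messages yields no verdict.
    """
    if len(sizes) < min_messages:
        return "insufficient-data", None, None
    h = size_entropy(sizes)
    mu, sigma = mean(good_entropies), stdev(good_entropies)
    if sigma > 0:
        z = (h - mu) / sigma
    else:
        z = 0.0 if h == mu else math.copysign(math.inf, h - mu)
    label = "potential-spammer" if abs(z) > z_threshold else "not-flagged"
    return label, h, z

# Constructed sample data: message sizes (bytes) seen per sending IP.
KNOWN_GOOD = [
    [800, 1500, 3000, 7000, 20000, 120000, 900, 2500, 6000, 15000] * 3,
    [1200, 1800, 4000, 4500, 9000, 30000, 60000, 250000, 700, 3500] * 3,
    [500, 600, 1100, 2200, 2400, 5500, 12000, 45000, 8000, 100000] * 3,
]
GOOD_ENTROPIES = [size_entropy(s) for s in KNOWN_GOOD]
# Bulk sender: nearly every message falls into the same size range.
SUSPECT = [4100] * 48 + [4200, 9500]
# Ordinary sender that was not part of the baseline.
ORDINARY = [950, 1700, 2100, 4900, 5200, 9900, 11000, 49000, 51000, 199000] * 3

if __name__ == "__main__":
    for name, sizes in (("suspect", SUSPECT), ("ordinary", ORDINARY)):
        label, h, z = classify(sizes, GOOD_ENTROPIES)
        print(f"{name}: entropy={h:.3f} bits, z={z:.1f} -> {label}")
```

A flagged address is only a candidate: the abstract's feedback step (deliver a limited number of messages, then watch user reports) is what confirms or reverses the classification.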
20 Claims
1. A method for use in managing delivery of content over a network, comprising:
  determining, based on message size, a distribution of messages for a plurality of messages received from an IP address;
  determining from the distribution of messages a message entropy for the IP address;
  if the message entropy is determined to be statistically significant from message entropies of at least one known non-spammer IP address, then classifying the IP address as a potential spammer; and
  selectively inhibit sending of messages from the IP address to message recipients.
Dependent claims: 2, 3, 4, 5, 6
7. A network device for managing delivery of messages over a network, comprising:
  a transceiver to send and receive data over the network; and
  a processor that is operative to perform actions, including;
    receiving a plurality of messages, each message being from an IP address of a message sender;
    determining, based on message sizes, a distribution of messages for the plurality of messages received from the IP address;
    determining, based on the distribution of message sizes, a message entropy; and
    if the message entropy indicates that the IP address is a bulk mailer, selectively inhibit sending of a subsequent message from the IP address to a message recipient.
Dependent claims: 8, 9, 10, 11, 12, 13
14. A system for use in managing delivery of messages over a network, comprising:
  a message server that is configured to receive messages from a plurality of different IP addresses, each message being destined to at least one message recipient; and
  a message spam detector configured and arranged to communicate with the message server and to perform actions, including;
    receiving a plurality of messages from an IP address within the plurality of IP addresses;
    determining a distribution of messages for the plurality of messages based on message sizes of each of the messages in the plurality of messages;
    determining, based on the distribution of messages, a message entropy for the messages from the IP address; and
    if the message entropy indicates the IP address is a bulk mailer, selectively inhibit sending of a subsequent message from the IP address to a message recipient.
Dependent claims: 15, 16, 17
18. A mobile device for managing received messages, comprising:
  a transceiver to send and receive data over the network; and
  a processor that is operative to perform actions, including;
    receiving a plurality of messages, each message being from an IP address of a message sender;
    determining a distribution of messages for the plurality of messages received from the IP address based on a messages size of each message;
    determining, based on the distribution of message sizes, a message entropy for the IP address;
    if the message entropy indicates that the IP address is a bulk mailer, selectively inhibiting messages from the IP address to be moved to a message inbox; and
    if the message entropy indicates that the IP address is a non-bulk mailer, moving the messages to a message inbox.
Dependent claims: 19, 20
Specification