IDENTIFYING IP ADDRESSES FOR SPAMMERS

US 20090216841A1
Filed: 02/21/2008
Published: 08/27/2009
Est. Priority Date: 02/21/2008
Status: Active Grant

First Claim

Patent Images

1. A method for use in managing delivery of content over a network, comprising:

determining, based on message size, a distribution of messages for a plurality of messages received from an IP address;

determining from the distribution of messages a message entropy for the IP address;

if the message entropy is determined to be statistically significant from message entropies of at least one known non-spammer IP address, then classifying the IP address as a potential spammer; and

selectively inhibit sending of messages from the IP address to message recipients.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Detecting and blocking spam messages using statistical analysis on distributions of message sizes for a given IP address. Mail volumes are examined to model a distribution of volumes to cluster IP addresses. The messages sizes may distributed across ranges of message sizes, which is then used to determine an entropy of message sizes for the given IP address. The entropy of the given IP address may be compared to entropies of known good IP addresses, and if a difference between the entropies is statistically significant, then the given IP address may be determined to be an IP spammer. User feedback may also be employed to further characterize an IP address. For example, a number of messages from the IP address may be sent to intended recipients. User feedback may then be monitored to determine whether to the IP address should be reclassified.

Citations

20 Claims

1. A method for use in managing delivery of content over a network, comprising:
- determining, based on message size, a distribution of messages for a plurality of messages received from an IP address;
  
  determining from the distribution of messages a message entropy for the IP address;
  
  if the message entropy is determined to be statistically significant from message entropies of at least one known non-spammer IP address, then classifying the IP address as a potential spammer; and
  
  selectively inhibit sending of messages from the IP address to message recipients.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising:
    - if the IP address is classified as a potential spammer, then;
      
      selectively sending a percentage of messages from the IP address to intended recipients of the messages;
      
      preventing another percentage of messages from the IP address to be sent to the intended recipients of the messages;
      
      monitoring for feedback from the recipients regarding the sent messages; and
      
      if recipient feedback indicates that the messages are spam, reclassifying the IP address as a spammer, and preventing delivery of subsequent messages from the IP address.
  - 3. The method of claim 1, wherein determining a distribution of messages comprises partitioning the messages into different buckets based on message sizes.
  - 4. The method of claim 1, wherein determining a message entropy further comprises:
    - collecting information about the plurality of messages over a defined time period;
      
      determining a percentage of messages within each message bucket within a plurality of message buckets by determining a number of messages in a given message bucket divided by a total number of messages for the IP address, wherein determining a distribution of message sizes includes distributing messages across the plurality of message buckets based on a size of each message; and
      
      determining the message entropy for the IP address by summing the percentages of messages times a log of the percentages of messages over all message buckets.
  - 5. The method of claim 1, if a message entropy is determined to be statistically significant further comprises:
    - determining a threshold value based on statistical analysis of entropy values for a plurality of known non-spammer IP address;
      
      if the determined message entropy is below the determined threshold value, then determining that the IP address is a potential spammer;
      
      if the determined message entropy is above the determined threshold, then determining that the IP address is a non-spammer.
  - 6. The method of claim 1, the method further comprising:
    - if the IP address is determined to be within a sub-network of IP addresses determined to be a spammer sub-network, then classifying the IP address also as a spammer IP address.

7. A network device for managing delivery of messages over a network, comprising:
- a transceiver to send and receive data over the network; and
  
  a processor that is operative to perform actions, including;
  
  receiving a plurality of messages, each message being from an IP address of a message sender;
  
  determining, based on message sizes, a distribution of messages for the plurality of messages received from the IP address;
  
  determining, based on the distribution of message sizes, a message entropy; and
  
  if the message entropy indicates that the IP address is a bulk mailer, selectively inhibit sending of a subsequent message from the IP address to a message recipient.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The network device of claim 7, further comprising:
    - if the IP address is determined to be a bulk mailer, then;
      
      selectively sending a percentage of messages from the IP address to intended recipients; and
      
      based on recipient feedback regarding the received messages, classifying the IP address as a known spammer, or a non-spammer.
  - 9. The network device of claim 7, wherein the processor is operative to perform actions, further comprising:
    - monitoring feedback regarding the IP address;
      
      classifying the IP address as a spammer or non-spammer based on the monitored feedback; and
      
      if the IP address is classified as a non-spammer based on the monitored feedback, placing the IP address on a white list, such that a subsequent message from the IP address is allowed to be delivered to an intended recipient.
  - 10. The network device of claim 7, wherein if the message entropy indicates that the IP address is a bulk mailer further comprises, employing a message entropy threshold for comparison of the message entropy for the IP address based on a number of messages the IP address is detected as sending within a defined time period.
  - 11. The network device of claim 7, wherein if the message entropy indicates that the IP address is a bulk mailer further comprises, employing statistical information about known non-spammers to determine an entropy threshold value, and wherein:
    - if the message entropy for the IP address is below the entropy threshold determining that the IP address is a bulk mailer; and
      
      if the message entropy for the IP address is above the entropy threshold determining that the IP address is not a bulk mailer.
  - 12. The network device of claim 7, wherein the processor is operative to perform actions, further comprising:
    - if the IP address is associated with a sub-network that is classified as a spammer sub-network, then classifying the IP address as a spammer IP address.
  - 13. The network device of claim 7, wherein the processor is operative to perform actins, further comprising:
    - if the message entropy is over a defined threshold, determining that the IP address is a non-spammer, and enabling messages from the IP address to be sent to their intended recipients.

14. A system for use in managing delivery of messages over a network, comprising:
- a message server that is configured to receive messages from a plurality of different IP addresses, each message being destined to at least one message recipient; and
  
  a message spam detector configured and arranged to communicate with the message server and to perform actions, including;
  
  receiving a plurality of messages from an IP address within the plurality of IP addresses;
  
  determining a distribution of messages for the plurality of messages based on message sizes of each of the messages in the plurality of messages;
  
  determining, based on the distribution of messages, a message entropy for the messages from the IP address; and
  
  if the message entropy indicates the IP address is a bulk mailer, selectively inhibit sending of a subsequent message from the IP address to a message recipient.
- View Dependent Claims (15, 16, 17)
- - 15. The system of claim 14, wherein the message spam detector is configured and arranged to perform actions, further comprising:
    - determining if the IP address is a bulk mailer based on a comparison of the message entropy for the IP address to a message entropy for a known non-spammer IP address;
      
      if the message entropy is statistically below the message entropy for a known non-spammer IP address, then determining that the IP address is a bulk mailer; and
      
      if the message entropy is statistically above the message entropy for a known non-spammer IP address, then determining that the IP address is a non-spammer.
  - 16. The system of claim 14, wherein selectively inhibit sending of a subsequent message from the IP address to a message recipient further comprises:
    - selectively sending a percentage of messages from the IP address to intended recipients; and
      
      based on recipient feedback regarding the received messages, classifying the IP address as a known spammer, or a non-spammer.
  - 17. The system of claim 14, wherein determining the message entropy further comprises:
    - determining a percentage of messages within each portion of the distribution of messages, wherein the distribution is divided into portions based on ranges of sizes of messages; and
      
      determining the message entropy as;
      
      a negative sum of a percentage of messages times a log of the percentage of messages over all of the portions of the distribution.

18. A mobile device for managing received messages, comprising:
- a transceiver to send and receive data over the network; and
  
  a processor that is operative to perform actions, including;
  
  receiving a plurality of messages, each message being from an IP address of a message sender;
  
  determining a distribution of messages for the plurality of messages received from the IP address based on a messages size of each message;
  
  determining, based on the distribution of message sizes, a message entropy for the IP address;
  
  if the message entropy indicates that the IP address is a bulk mailer, selectively inhibiting messages from the IP address to be moved to a message inbox; and
  
  if the message entropy indicates that the IP address is a non-bulk mailer, moving the messages to a message inbox.
- View Dependent Claims (19, 20)
- - 19. The mobile device of claim 18, wherein if the message entropy indicates that the IP address is a bulk mailer, further selectively moving a percentage of messages from the IP address into a message spam or bulk message box;
    - and further classifying the IP address as a spammer or as a non-spammer based on user input regarding the messages moved to the spam or bulk message box.
  - 20. The mobile device of claim 18, wherein determining if the message entropy indicates that the IP address is a bulk mailer or a non-bulk mailer, further comprises:
    - if the message entropy is statistically below a threshold value that is determined based on an entropy of at least one known non-spammer, then indicating that the IP address is a bulk mailer; and
      
      if the message entropy is statistically above a threshold value that is determined based on an entropy of at least one known non-spammer, then indicating that the IP address is a non-bulk mailer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
R2 Solutions LLC (Acacia Research Corporation)
Original Assignee
Yahoo! Inc. (Apollo Global Management, Inc.)
Inventors
Wei, Ke, Pujara, Jay, Choi, Jaesik, Ramarao, Vishwanth Tumkur

Granted Patent

US 7,849,146 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/206
CPC Class Codes

H04L 51/212 using filtering or selectiv...

IDENTIFYING IP ADDRESSES FOR SPAMMERS

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

IDENTIFYING IP ADDRESSES FOR SPAMMERS

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links