METHODS, SYSTEMS, AND COMPUTER PROGRAM PRODUCTS FOR MITIGATING EMAIL ADDRESS HARVEST ATTACKS BY POSITIVELY ACKNOWLEDGING EMAIL TO INVALID EMAIL ADDRESSES

US 20110145922A1
Filed: 12/10/2009
Published: 06/16/2011
Est. Priority Date: 12/10/2009
Status: Active Grant

First Claim

Patent Images

1. A method of detecting and responding to an email address harvest attack at an Internet Service Provider (ISP) email system, comprising:

counting a number of failed email address look-ups during a single Simple Mail Transfer Protocol (SMTP) session associated with an originating Internet Protocol (IP) address; and

responding to the originating IP address with a positive acknowledgement that an otherwise invalid email address exists when the count of the number of failed email address look-ups exceeds a threshold.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of detecting and responding to an email address harvest attack at an Internet Service Provider (ISP) email system includes counting a number of failed email address look-ups during a single Simple Mail Transfer Protocol (SMTP) session associated with an originating Internet Protocol (IP) address and responding to the originating IP address with a positive acknowledgement that an otherwise invalid email address exists when the count of the number of failed email address look-ups exceeds a threshold.

36 Citations

View as Search Results

20 Claims

1. A method of detecting and responding to an email address harvest attack at an Internet Service Provider (ISP) email system, comprising:
- counting a number of failed email address look-ups during a single Simple Mail Transfer Protocol (SMTP) session associated with an originating Internet Protocol (IP) address; and
  
  responding to the originating IP address with a positive acknowledgement that an otherwise invalid email address exists when the count of the number of failed email address look-ups exceeds a threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein responding to the originating IP address with the positive acknowledgement comprises:
    - responding to the originating IP address with the positive acknowledgement that the otherwise invalid email address exists at a response percentage rate for subsequent failed email address look-ups responsive to the number of failed email address lookups exceeding the threshold.
  - 3. The method of claim 2, further comprising:
    - defining a plurality of email system categories ranging from a least likely to engage in an email address harvest attack to a most likely to engage in an email address harvest attack;
      
      determining which of the plurality of email system categories the originating IP address is associated with; and
      
      setting the threshold and the response percentage rate based on the determined email system category associated with the originating IP address.
  - 4. The method of claim 3, wherein the threshold is less for the email system categories more likely to engage in an email address harvest attack than the threshold is for the email system categories less likely to engage in an email address harvest attack and wherein the response percentage rate is greater for the email system categories more likely to engage in an email address harvest attack than the response percentage rate is for the email system categories less likely to engage in an email address harvest attack.
  - 5. The method of claim 2, further comprising:
    - creating a fake email inbox for each otherwise invalid email address responded to with a positive acknowledgement, each fake email inbox having a spam folder associated therewith; and
      
      processing email addressed to each fake email inbox using a spam filter.
  - 6. The method of claim 5, further comprising:
    - storing email addressed to each fake email inbox in the fake email inbox when the email is not determined to be spam by the spam filter; and
      
      storing email addressed to each fake email inbox in the respective spam folder associated therewith that is determined to be spam by the spam folder.
  - 7. The method of claim 6, further comprising:
    - generating a new spam filtering signature as a result of processing email stored in each fake email inbox;
      
      applying the new spam filtering signature to email directed to valid email addresses on the ISP email system; and
      
      moving any email directed to valid email addresses on the ISP email system and determined to be spam due to application of the new spam filtering signature to respective spam folders associated with the valid email addresses.
  - 8. The method of claim 6, further comprising:
    - maintaining a count of email addressed to all fake email inboxes for the originating IP address;
      
      determining if the count of email addressed to all fake email inboxes for the originating IP address exceeds a spam blocking threshold; and
      
      blocking all communication traffic from the originating IP address when the count of email addressed to all fake email inboxes for the originating IP address exceeds a spam blocking threshold.
  - 9. The method of claim 5, further comprising:
    - processing email addressed to each fake email inbox using a virus filter.
  - 10. The method of claim 6, further comprising:
    - calculating a spam filtration rate for each fake email inbox by dividing a count of a number of email messages in the spam folder by a sum of the count of the number of email messages in the spam folder and a count of a number of messages in the associated fake email inbox.

11. An Internet Service Provider (ISP) email system for detecting and responding to an email address harvest attack, comprising:
- a data processing system configured to count a number of failed email address look-ups during a single Simple Mail Transfer Protocol (SMTP) session associated with an originating Internet Protocol (IP) address and to respond to the originating IP address with a positive acknowledgement that an otherwise invalid email address exists when the count of the number of failed email address look-ups exceeds a threshold.
- View Dependent Claims (12, 13, 14, 15)
- - 12. The ISP system of claim 11, wherein the data processing system is further configured to respond to the originating IP address with the positive acknowledgement that the otherwise invalid email address exists at a response percentage rate for subsequent failed email address look-ups responsive to the number of failed email address lookups exceeding the threshold.
  - 13. The ISP system of claim 12, wherein the data processing system is further configured to define a plurality of email system categories ranging from a least likely to engage in an email address harvest attack to a most likely to engage in an email address harvest attack, to determine which of the plurality of email system categories the originating IP address is associated with, and to set the threshold and the response percentage rate based on the determined email system category associated with the originating IP address.
  - 14. The ISP system of claim 13, wherein the threshold is less for the email system categories more likely to engage in an email address harvest attack than the threshold is for the email system categories less likely to engage in an email address harvest attack and wherein the response percentage rate is greater for the email system categories more likely to engage in an email address harvest attack than the response percentage rate is for the email system categories less likely to engage in an email address harvest attack.
  - 15. The ISP system of claim 12, wherein the data processing system is further configured to create a fake email inbox for each otherwise invalid email address responded to with a positive acknowledgement, each fake email inbox having a spam folder associated therewith, to process email addressed to each fake email inbox using a spam filter, to store email addressed to each fake email inbox in the fake email inbox when the email is not determined to be spam by the spam filter, and to store email addressed to each fake email inbox in the respective spam folder associated therewith that is determined to be spam by the spam folder.

16. A computer program product for detecting and responding to an email address harvest attack, comprising:
- a computer readable storage medium having computer readable program code embodied therein, the computer readable program code comprising;
  
  computer readable program code configured to count a number of failed email address look-ups during a single Simple Mail Transfer Protocol (SMTP) session associated with an originating Internet Protocol (IP) address; and
  
  computer readable program code configured to respond to the originating IP address with a positive acknowledgement that an otherwise invalid email address exists when the count of the number of failed email address look-ups exceeds a threshold.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The computer program product of claim 16, further comprising:
    - computer readable program code configured to respond to the originating IP address with the positive acknowledgement that the otherwise invalid email address exists at a response percentage rate for subsequent failed email address look-ups responsive to the number of failed email address lookups exceeding the threshold.
  - 18. The computer program product of claim 17, further comprising:
    - computer readable program code configured to define a plurality of email system categories ranging from a least likely to engage in an email address harvest attack to a most likely to engage in an email address harvest attack;
      
      computer readable program code configured to determine which of the plurality of email system categories the originating IP address is associated with; and
      
      computer readable program code configured to set the threshold and the response percentage rate based on the determined email system category associated with the originating IP address.
  - 19. The computer program product of claim 18, wherein the threshold is less for the email system categories more likely to engage in an email address harvest attack than the threshold is for the email system categories less likely to engage in an email address harvest attack and wherein the response percentage rate is greater for the email system categories more likely to engage in an email address harvest attack than the response percentage rate is for the email system categories less likely to engage in an email address harvest attack.
  - 20. The computer program product of claim 16, further comprising:
    - computer readable program code configured to create a fake email inbox for each otherwise invalid email address responded to with a positive acknowledgement, each fake email inbox having a spam folder associated therewith;
      
      computer readable program code configured to process email addressed to each fake email inbox using a spam filter;
      
      computer readable program code configured to store email addressed to each fake email inbox in the fake email inbox when the email is not determined to be spam by the spam filter; and
      
      computer readable program code configured to store email addressed to each fake email inbox in the respective spam folder associated therewith that is determined to be spam by the spam folder.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Wood, Stephen K.

Granted Patent

US 8,381,291 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/24
CPC Class Codes

H04L 51/212   using filtering or selectiv...

H04L 51/48   Message addressing, e.g. ad...

H04L 63/1441   Countermeasures against mal...

H04L 63/1466   Active attacks involving in...

METHODS, SYSTEMS, AND COMPUTER PROGRAM PRODUCTS FOR MITIGATING EMAIL ADDRESS HARVEST ATTACKS BY POSITIVELY ACKNOWLEDGING EMAIL TO INVALID EMAIL ADDRESSES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

36 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

METHODS, SYSTEMS, AND COMPUTER PROGRAM PRODUCTS FOR MITIGATING EMAIL ADDRESS HARVEST ATTACKS BY POSITIVELY ACKNOWLEDGING EMAIL TO INVALID EMAIL ADDRESSES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

36 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links