E-mail usage pattern detection
Abstract
A method and apparatus for identifying undesired e-mail messages by receiving e-mail messages, storing fields from the headers of the received e-mail messages and analyzing the stored fields for patterns indicative of undesired e-mail messages. The pattern recognition performed includes counting the number of e-mails received which have the same or similar field content within the headers. This number can be compared to an absolute threshold number, or to the total number of messages in a sample of e-mail messages. The sample may be composed of a predetermined number of received e-mail messages, or may include e-mail messages received during a predetermined time interval. Exceeding thresholds or certain ratios will trigger alarms to alert monitoring functions and update lists of known sources and types of undesired e-mail messages for filtering.
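An added sketch of the counting scheme the abstract describes, not code from the patent: selected header fields are stored, identical entries are counted over a sample chosen by message count or by time interval, and a value is flagged when its count exceeds an absolute threshold or a share of the sample. The field selection, thresholds, function names and the six messages are assumptions constructed for illustration.

```python
from collections import Counter
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

FIELDS = ("From", "Subject", "X-Mailer")  # assumed choice of stored header fields

def _msg(sender, subject, mailer, minute):  # builds one constructed test message
    return (f"From: {sender}\nSubject: {subject}\nX-Mailer: {mailer}\n"
            f"Date: Mon, 01 Jan 2024 10:{minute:02d}:00 +0000\n\nbody\n")

SAMPLE = [  # constructed input: two ordinary messages, four bulk ones
    _msg("alice@example.org", "Lunch?", "MUA-A", 0),
    _msg("a1@bulk.example", "You have WON", "BulkMailer 1.0", 1),
    _msg("a2@bulk.example", "You have won", "BulkMailer 1.0", 2),
    _msg("bob@example.org", "Report", "MUA-B", 3),
    _msg("a3@bulk.example", "You have won", "BulkMailer 1.0", 4),
    _msg("a4@bulk.example", "You have won", "BulkMailer 1.0", 5),
]

def store_fields(raw_messages):
    """Keep only the selected header fields (normalised) and the arrival time."""
    rows = []
    for raw in raw_messages:
        msg = message_from_string(raw)
        row = {f: (msg.get(f) or "").strip().lower() for f in FIELDS}
        row["when"] = parsedate_to_datetime(msg["Date"])
        rows.append(row)
    return rows

def sample_by_count(rows, n):
    """Sample made of a predetermined number of the most recent messages."""
    return rows[-n:]

def sample_by_interval(rows, end, seconds):
    """Sample made of messages received in the interval (end - seconds, end]."""
    start = end - timedelta(seconds=seconds)
    return [r for r in rows if start < r["when"] <= end]

def analyze(sample, abs_threshold, ratio_threshold):
    """Return sorted (field, value, count) alarms for repeated identical entries."""
    alarms = []
    for field in FIELDS:
        counts = Counter(r[field] for r in sample if r[field])
        for value, n in counts.items():
            # Alarm when the count exceeds the absolute threshold or the ratio.
            if n > abs_threshold or n / len(sample) > ratio_threshold:
                alarms.append((field, value, n))
    return sorted(alarms)
```

The alarm tuples are what a filter-list update would consume; on small samples the ratio test dominates, so the two thresholds need tuning together.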
8 Claims
1. A method for detecting undesired e-mail usage, the method comprising:
receiving a plurality of e-mail messages;
storing a plurality of fields, the fields including at least one field from the header of each e-mail message from a subset of the plurality of e-mail messages; and
analyzing the stored plurality of fields for at least one pattern, the at least one pattern indicating undesired e-mail usage, wherein said analyzing includes counting the number of fields in a subset of the stored plurality of fields, each field in the subset either being correlated with any other field in the subset, containing an identical entry, or containing at least one identical string.
2. A method for detecting undesired e-mail usage, the method comprising:
receiving, during a predetermined time interval, a plurality of e-mail messages;
storing a plurality of fields, the fields including at least one field from the header of each e-mail message from a subset of the plurality of e-mail messages; and
analyzing the stored plurality of fields for at least one pattern, the at least one pattern indicating undesired e-mail usage, wherein said analyzing includes counting the number of fields in a subset of the stored plurality of fields, each field in the subset either being correlated with any other field in the subset, containing an identical entry, or containing at least one identical string.
3. A method for detecting undesired e-mail usage, the method comprising:
receiving a plurality of e-mail messages;
storing a plurality of fields, the fields including at least one field from the header of each e-mail message from a predetermined number of e-mail messages from the plurality of e-mail messages; and
analyzing the stored plurality of fields for at least one pattern, the at least one pattern indicating undesired e-mail usage, wherein said analyzing includes counting the number of fields in a subset of the stored plurality of fields, each field in the subset either being correlated with any other field in the subset, containing an identical entry, or containing at least one identical string.
4. A method for detecting undesired e-mail usage, the method comprising:
receiving a plurality of e-mail messages;
storing a plurality of fields, the fields including, for each e-mail message from a subset of the plurality of e-mail messages, at least one field from either the 821 header or the 822 header of that e-mail message; and
analyzing the stored plurality of fields for at least one pattern, the at least one pattern indicating undesired e-mail usage, wherein said analyzing includes counting the number of fields in a subset of the stored plurality of fields, each field in the subset either being correlated with any other field in the subset, containing an identical entry, or containing at least one identical string.
5. An apparatus for detecting undesired e-mail usage, the apparatus comprising:
(a) a processor;
(b) a memory, coupled to said processor, said memory storing instructions adapted to be executed by said processor, the instructions including:
receiving a plurality of e-mail messages;
storing a plurality of fields, the fields including at least one field from the header of each e-mail message from a subset of the plurality of e-mail messages; and
analyzing the stored plurality of fields for at least one pattern, the at least one pattern indicating undesired e-mail usage, wherein the analyzing instruction in said memory includes counting the number of fields in a subset of the stored plurality of fields, each field in the subset either being correlated with any other field in the subset, containing an identical entry, or containing at least one identical string.
6. An apparatus for detecting undesired e-mail usage, the apparatus comprising:
(a) a processor;
(b) a memory, coupled to said processor, said memory storing instructions adapted to be executed by said processor, the instructions including:
receiving, during a predetermined time interval, a plurality of e-mail messages;
storing a plurality of fields, the fields including at least one field from the header of each e-mail message from a subset of the plurality of e-mail messages; and
analyzing the stored plurality of fields for at least one pattern, the at least one pattern indicating undesired e-mail usage, wherein the analyzing instruction in said memory includes counting the number of fields in a subset of the stored plurality of fields, each field in the subset either being correlated with any other field in the subset, containing an identical entry, or containing at least one identical string.
7. An apparatus for detecting undesired e-mail usage, the apparatus comprising:
(a) a processor;
(b) a memory, coupled to said processor, said memory storing instructions adapted to be executed by said processor, the instructions including:
receiving a plurality of e-mail messages;
storing a plurality of fields, the fields including at least one field from the header of each e-mail message from a predetermined number of e-mail messages from the plurality of e-mail messages; and
analyzing the stored plurality of fields for at least one pattern, the at least one pattern indicating undesired e-mail usage, wherein the analyzing instruction in said memory includes counting the number of fields in a subset of the stored plurality of fields, each field in the subset either being correlated with any other field in the subset, containing an identical entry, or containing at least one identical string.
8. An apparatus for detecting undesired e-mail usage, the apparatus comprising:
(a) a processor;
(b) a memory, coupled to said processor, said memory storing instructions adapted to be executed by said processor, the instructions including:
receiving a plurality of e-mail messages;
storing a plurality of fields, the fields including, for each e-mail message from a subset of the plurality of e-mail messages, at least one field from either the 821 header or the 822 header of that e-mail message; and
analyzing the stored plurality of fields for at least one pattern, the at least one pattern indicating undesired e-mail usage, wherein the analyzing instruction in said memory includes counting the number of fields in a subset of the stored plurality of fields, each field in the subset either being correlated with any other field in the subset, containing an identical entry, or containing at least one identical string.
Specification