Preventing data from being submitted to a remote system in response to a malicious e-mail

US 7,516,488 B1
Filed: 02/23/2005
Issued: 04/07/2009
Est. Priority Date: 02/23/2005
Status: Active Grant

First Claim

Patent Images

1. A computer implemented method for preventing data from being submitted to a remote system responsive to a malicious electronic message, the method comprising the steps of:

examining incoming electronic messages;

determining whether an incoming electronic message comprises at least one suspect link associated with a remote system;

responsive to determining that the incoming message comprises at least one suspect link, replacing each suspect link with a redirection link; and

responsive to a user attempting to connect to the remote system by clicking on the redirection link, directing the request to connect to the remote system to a remote analysis site for deciding whether that incoming message comprises a phishing message.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An electronic message manager (100) examines (210) incoming electronic messages and determines (220) whether an incoming electronic message comprises at least one suspect link associated with a remote system. In response to the determination (220) that the incoming message comprises at least one suspect link, the electronic message manager (100) replaces (230) each suspect link with a redirection link. In response to a user attempting (240) to connect to the remote system by clicking on the redirection link, the electronic message manager directs the user to a remote analysis site for deciding (260) whether that incoming message comprises a phishing message.

79 Citations

View as Search Results

26 Claims

1. A computer implemented method for preventing data from being submitted to a remote system responsive to a malicious electronic message, the method comprising the steps of:
- examining incoming electronic messages;
  
  determining whether an incoming electronic message comprises at least one suspect link associated with a remote system;
  
  responsive to determining that the incoming message comprises at least one suspect link, replacing each suspect link with a redirection link; and
  
  responsive to a user attempting to connect to the remote system by clicking on the redirection link, directing the request to connect to the remote system to a remote analysis site for deciding whether that incoming message comprises a phishing message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 wherein the directing step further comprises:
    - comparing each remote system associated with the suspect link to a list concerning known remote systems.
  - 3. The method of claim 2 wherein the list concerning known remote systems comprises a blacklist comprising addresses of known illegitimate remote systems.
  - 4. The method of claim 3 further comprising the step of:
    - responsive to each remote system associated with the suspect link not matching a known illegitimate remote system on the blacklist, concluding that the incoming message is not a phishing message.
  - 5. The method of claim 4 further comprising the step of:
    - responsive to concluding that the message does not comprise a phishing message, allowing user access to the remote system.
  - 6. The method of claim 3 further comprising the step of:
    - responsive to each remote system associated with the suspect link matching at least one known illegitimate remote system on the blacklist, concluding that the incoming message is a phishing message.
  - 7. The method of claim 6 further comprising the step of:
    - responsive to concluding that the incoming message is a phishing message, performing at least one step from the group of steps consisting of;
      
      blocking user access to the remote system; and
      
      outputting an alert concerning the remote system.
  - 8. The method of claim 2 wherein the list concerning known remote systems comprises a whitelist containing addresses of known legitimate remote systems.
  - 9. The method of claim 8 further comprising the step of:
    - responsive to each remote system associated with the suspect link matching a known legitimate remote system on the whitelist, concluding that the incoming message is not a phishing message.
  - 10. The method of claim 9 further comprising the step of:
    - responsive to concluding that the message does not comprise a phishing message, allowing user access to the remote system.
  - 11. The method of claim 1 wherein the step of examining incoming messages comprises:
    - scanning an e-mail stream targeted to an e-mail client.
  - 12. The method of claim 1 wherein the step of examining incoming messages comprises:
    - filtering incoming messages on a server.
  - 13. The method of claim 1 wherein the step of determining whether an incoming electronic message comprises at least one suspect link associated with a remote system comprises:
    - analyzing each suspect link for known deceptive characteristics.

14. At least one computer-readable medium containing a computer program product for preventing data from being submitted to a remote system responsive to a malicious message, the computer program product comprising:
- program code for examining incoming messages;
  
  program code for determining whether an incoming message comprises at least one suspect link associated with a remote system;
  
  program code for replacing the at least one suspect link with a redirection link responsive to determining that the incoming message comprises at least one suspect link; and
  
  program code for directing the request to connect to the remote system to a remote analysis site for deciding whether that incoming message comprises a phishing message responsive to a user attempting to connect to the remote system by clicking on the redirection link.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 15. The at least one computer-readable medium of claim 14 wherein the computer program product for the directing step further comprises:
    - program code for comparing each remote system associated with the suspect link to a list concerning remote systems.
  - 16. The at least one computer-readable medium of claim 15 wherein the computer program product for the list concerning known remote systems comprises program code for a blacklist comprising addresses of known illegitimate remote systems.
  - 17. The at least one computer-readable medium of claim 16 wherein the computer program product further comprises:
    - program code for concluding that the incoming message is not a phishing message responsive to each remote system associated with the suspect link not matching a known illegitimate remote system on the blacklist.
  - 18. The at least one computer-readable medium of claim 17 wherein the computer program product further comprises:
    - program code for allowing user access to the remote system responsive to concluding that the message does not comprise a phishing message.
  - 19. The at least one computer-readable medium of claim 16 wherein the computer program product further comprises:
    - program code for concluding that the incoming message is a phishing message responsive to each remote system associated with the suspect link matching at least one known illegitimate remote system on the blacklist.
  - 20. The at least one computer-readable medium of claim 19 wherein the computer program product further comprises:
    - program code for performing at least one step from the group of stepsresponsive to concluding that the incoming message is a phishing message, the group of steps consisting of;
      
      blocking user access to the remote system; and
      
      outputting an alert concerning the remote system.
  - 21. The at least one computer-readable medium of claim 15 wherein the computer program product for the list concerning known remote systems comprises program code for a whitelist comprising addresses of known legitimate remote systems.
  - 22. The at least one computer-readable medium of claim 21 wherein the computer program product further comprises:
    - program code for concluding that the incoming message is not a phishing message responsive to each remote system associated with the suspect link matching a known legitimate remote system on the whitelist.
  - 23. The at least one computer-readable medium of claim 22 wherein the computer program product further comprises:
    - program code for allowing user access to the remote system responsive to concluding that the message does not comprise a phishing message.
  - 24. The at least one computer-readable medium of claim 14 wherein the computer program product for the step of examining incoming messages comprises:
    - program code for scanning a stream targeted to a client.
  - 25. The at least one computer-readable medium of claim 14 wherein the computer program product for the step of examining incoming messages comprises:
    - program code for filtering incoming messages on a server.

26. A computer system for preventing data from being submitted to a remote system responsive to a malicious electronic message, the computer system comprising:
- a monitor module configured to examine incoming electronic messages, and determine whether an incoming message comprises at least one suspect link associated with a remote system;
  
  a replacement module configured to replace each suspect link with a redirection link responsive to determining that the incoming message comprises at least one suspect link; and
  
  a comparison module configured to direct the request to connect to the remote system to a remote analysis site for deciding whether that incoming message comprises a phishing message responsive to a user attempting to connect to the remote system by clicking on the redirection link.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NortonLifeLock Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Croall, James, Kienzle, Darrell
Primary Examiner(s)
Song; Hosuk

Application Number

US11/064,170
Time in Patent Office

1,504 Days
Field of Search

726 11- 13, 726 22- 24, 713/170, 713150-154
US Class Current

726/22
CPC Class Codes

H04L 51/212   using filtering or selectiv...

H04L 63/0236   Filtering by address, proto...

H04L 63/1441   Countermeasures against mal...

H04L 63/1483   service impersonation, e.g....

Preventing data from being submitted to a remote system in response to a malicious e-mail

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

79 Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Preventing data from being submitted to a remote system in response to a malicious e-mail

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

79 Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links