Sender reputations for spam prevention
First Claim
1. A method, comprising:
- evaluating, by a mail transfer agent (MTA) independent of a mail recipient, a sender of an email, using multiple characteristics of an email delivery to establish a reputation for the sender of the email, wherein the sender of the email is connecting to the MTA, wherein evaluating comprises:
  - monitoring, real-time, traffic patterns between the sender of the email and the MTA,
  - collecting sender-specific information and heuristics from the email delivery, wherein the collecting occurs real-time at a conclusion of a Simple Mail Transfer Protocol (SMTP) session, and wherein the sender-specific information and heuristics include:
    - whether a domain name provided includes one of .edu, .gov, or .mil; or
    - whether the domain appears to point to a private computer,
  - applying, in combination with the sender-specific information and heuristics, a machine learning process to generate an integer, the integer representative of a probabilistic reputation for the sender of the email, wherein the machine learning process classifies results of the evaluation of the delivery characteristics to establish the reputation,
  - establishing a baseline reputation for the sender, comprising:
    - evaluating a content of each email message from the sender;
    - evaluating a ratio of emails that include favorable content to emails that include unfavorable content, per unit of time; and
    - evaluating changes in the ratio over multiple units of time,
  - comparing a first group of the evaluated delivery characteristics evaluated during a first time period with a second group of the evaluated delivery characteristics evaluated during a second time period to detect a change in a delivery behavior of the sender, wherein detecting a sudden change in the delivery behavior of the sender is an indication of malicious activity, malicious activity including a machine or a mail server being compromised, wherein the sudden change in the delivery behavior of the sender comprises:
    - an abrupt onset or an abrupt abandonment of malicious spamming behavior; and
- using a trainable filter to perform the evaluating multiple characteristics of an email delivery to establish the reputation for the sender;
- training the trainable filter by analyzing email delivery used by multiple senders, the training occurring offline, outside of a system using the filter; and
- controlling a connection with the sender based on the reputation.
Abstract
Techniques are presented for assigning reputations to email senders. In one implementation, real-time statistics and heuristics are constructed, stored, analyzed, and used to formulate a sender reputation level for use in evaluating and controlling a given sender's connection to a message transfer agent or email recipient. A sender with an unfavorable reputation may be denied a connection before resources are spent receiving and processing email messages from the sender. A sender with a favorable reputation may be rewarded by having safeguards removed from the connection, which also saves system resources. The statistics and heuristics may include real-time analysis of traffic patterns and delivery characteristics used by an email sender, analysis of content, and historical or time-sliced views of all of the above.
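The time-sliced comparison described above (ratio of favorable to unfavorable mail per unit of time, then a check for an abrupt change between two periods) can be sketched as follows. This is an added example, not code from the patent: a fixed-threshold rule stands in for the claimed machine learning process, and the 0 to 9 level scale, the one-hour slice, the thresholds and all names are assumptions.

```python
from collections import defaultdict, deque
SLICE, KEEP, SUDDEN = 3600, 24, 0.5  # assumed: slice seconds, slices kept, "sudden" jump

def bad_fraction(rows):
    good, bad = sum(r[1] for r in rows), sum(r[2] for r in rows)
    return bad / (good + bad)

class SenderReputation:
    def __init__(self):
        self.slices = defaultdict(lambda: deque(maxlen=KEEP))  # ip -> [slice, good, bad]

    def record(self, sender, timestamp, unfavorable):
        """Call at the conclusion of each SMTP session with the content verdict."""
        idx = int(timestamp // SLICE)
        hist = self.slices[sender]
        if not hist or hist[-1][0] != idx:
            hist.append([idx, 0, 0])
        hist[-1][2 if unfavorable else 1] += 1

    def sudden_change(self, sender):
        """Compare the newest slice (second period) with the earlier ones (first)."""
        hist = list(self.slices.get(sender, ()))
        if len(hist) < 2:
            return None
        delta = bad_fraction(hist[-1:]) - bad_fraction(hist[:-1])
        if abs(delta) < SUDDEN:
            return None
        return "abrupt_onset" if delta > 0 else "abrupt_abandonment"

    def level(self, sender):
        """Integer 0 (favorable) to 9 (unfavorable); unknown senders get 5."""
        hist = list(self.slices.get(sender, ()))
        if not hist:
            return 5
        if self.sudden_change(sender) == "abrupt_onset":
            hist = hist[-1:]  # likely compromise: score current behaviour only
        return round(9 * bad_fraction(hist))

    def decide(self, sender):
        lvl = self.level(sender)
        return "reject" if lvl >= 7 else "relaxed" if lvl <= 1 else "normal"

def constructed_demo(ip="192.0.2.10"):  # constructed traffic, documentation address
    rep = SenderReputation()
    for n in range(60):  # three clean hours, 20 favorable messages each
        rep.record(ip, (n // 20) * SLICE, unfavorable=False)
    before = rep.decide(ip)
    for n in range(20):  # fourth hour: 18 of 20 messages unfavorable
        rep.record(ip, 3 * SLICE, unfavorable=n < 18)
    return before, rep.sudden_change(ip), rep.decide(ip)
```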
42 Claims
21. A sender reputation level engine, comprising:
- a traffic monitor to connect to an email network and monitor delivery of email;
- a sender analysis engine to gather heuristic indications associated with the email delivery process used by each sender of email, wherein each heuristic indication relates a probability that a sender sends malicious email or unsolicited commercial email, the gathering occurring real-time at a conclusion of a Simple Mail Transfer Protocol (SMTP) session, wherein the heuristic indications include:
  - whether a domain name provided includes one of .edu, .gov, or .mil; or
  - whether the domain appears to point to a private computer,
- the sender analysis engine further configured to compare a first group of delivery characteristics evaluated during a first time period with a second group of delivery characteristics evaluated during a second time period to detect a change in a delivery behavior of the sender, wherein detecting a sudden change in the delivery behavior of the sender is an indication of malicious activity, malicious activity including a machine or a mail server being compromised, wherein the sudden change in the delivery behavior of the sender comprises:
  - an abrupt onset or an abrupt abandonment of malicious spamming behavior; and
- a statistics engine to determine a reputation level for each sender from statistical analysis of the gathered heuristic indications, the statistics engine comprising a machine learning process to generate an integer, the integer representative of a probabilistic reputation for a sender of an email, wherein a sender of malicious email or unsolicited commercial email is allotted an unfavorable reputation level.
25. A system, comprising:
- memory;
- one or more processors operatively coupled to the memory;
- means for evaluating, by a mail transfer agent (MTA) independent of a mail recipient, a sender of an email, using multiple characteristics of an email delivery to establish a reputation for the sender of the email based on the evaluated characteristics;
- means for monitoring, real-time, traffic patterns between the sender of the email and the MTA,
- means for collecting sender-specific information and heuristics from the email delivery, wherein the collecting occurs real-time at a conclusion of a Simple Mail Transfer Protocol (SMTP) session, and wherein the sender-specific information and heuristics include:
  - whether a domain name provided includes one of .edu, .gov, or .mil; or
  - whether the domain appears to point to a private computer,
- means for comparing a first group of delivery characteristics evaluated during a first time period with a second group of delivery characteristics evaluated during a second time period to detect a change in a delivery behavior of the sender, wherein detecting a sudden change in the delivery behavior of the sender is an indication of malicious activity, malicious activity including a machine or a mail server being compromised, wherein the sudden change in the delivery behavior of the sender comprises:
  - an abrupt onset or an abrupt abandonment of malicious spamming behavior;
- means for applying, in combination with the said sender-specific information and heuristics, a machine learning process to generate an integer, the integer representative of a probabilistic reputation for the sender of the email; and
- means for controlling a connection with the sender based on the reputation.
33. A computer-readable storage medium including instructions capable of being read by a computing device to execute actions, including:
- evaluating, by a mail transfer agent (MTA) independent of a mail recipient, a sender of email messages, using aspects of email delivery used by the sender of email messages;
- monitoring, real-time, traffic patterns between the sender of the email messages and the MTA,
- collecting sender-specific information and heuristics from the email delivery, wherein the collecting occurs real-time at a conclusion of a Simple Mail Transfer Protocol (SMTP) session,
- counting, by a message counter, the number of messages received from the sender;
- once a first administrator-specified number of messages has been counted by the message counter, applying, in combination with the said sender-specific information and heuristics, a machine learning process to generate an integer, the integer representative of a probabilistic reputation for the sender of the email messages;
- comparing a statistical distribution of the evaluated aspects with a profile of delivery characteristics associated with a sender of unsolicited commercial email;
- comparing a first group of delivery characteristics evaluated during a first time period with a second group of delivery characteristics evaluated during a second time period to detect a change in a delivery behavior of the sender, wherein detecting a sudden change in the delivery behavior of the sender is an indication of malicious activity, malicious activity including a machine or a mail server being compromised, wherein the sudden change in the delivery behavior of the sender comprises:
  - an abrupt onset or an abrupt abandonment of malicious spamming behavior;
- establishing a reputation for the sender based on said applying and said comparing; and
- once a second administrator-specified number of messages has been counted by the message counter, controlling a connection with the sender based on the reputation.