Source reputation information system for filtering electronic messages using a network-connected computer

US 7,676,566 B2
Filed: 07/05/2007
Issued: 03/09/2010
Est. Priority Date: 05/25/2004
Status: Active Grant

First Claim

Patent Images

1. A method of filtering incoming electronic messages from a computer network at a network-connected computer system, the method comprising:

receiving a delivery attempt for an incoming electronic message at a receiving server in the network-connected computer system;

determining a source of the incoming electronic message;

requesting a reputation profile for the source from a service in the computer network that is external to the receiving server and any terminals connected thereto for receiving incoming messages from the receiving server;

receiving the reputation profile for the source at the network-connected computer system, the reputation profile based on reputation data for the source generated by a centralized electronic message traffic monitoring system evaluating messages after being sent from a sending server and before being received by the targeted receiving server; and

deciding disposition of the delivery attempt for an incoming electronic message based on the reputation profile received from the service.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein are filtering systems and methods that employ an electronic message source reputation system. The source reputation system maintains a pool of source Internet Protocol (IP) address information, in the form of a Real-Time Threat Identification Network (“RTIN”) database, which can provide the reputation of source IP addresses, which can be used by customers for filtering network traffic. The source reputation system provides for multiple avenues of access to the source reputation information. Examples of such avenues can include Domain Name Server (DNS)-type queries, servicing routers with router-table data, or other avenues.

Citations

68 Claims

1. A method of filtering incoming electronic messages from a computer network at a network-connected computer system, the method comprising:
- receiving a delivery attempt for an incoming electronic message at a receiving server in the network-connected computer system;
  
  determining a source of the incoming electronic message;
  
  requesting a reputation profile for the source from a service in the computer network that is external to the receiving server and any terminals connected thereto for receiving incoming messages from the receiving server;
  
  receiving the reputation profile for the source at the network-connected computer system, the reputation profile based on reputation data for the source generated by a centralized electronic message traffic monitoring system evaluating messages after being sent from a sending server and before being received by the targeted receiving server; and
  
  deciding disposition of the delivery attempt for an incoming electronic message based on the reputation profile received from the service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. A method according to claim 1, wherein determining the source comprises extracting source information regarding the source of the incoming electronic message from the incoming electronic message.
  - 3. A method according to claim 2, wherein the source comprises a source IP address.
  - 4. A method according to claim 3, wherein the requesting comprises a reputation query to the service using the source IP address of the source.
  - 5. A method according to claim 4, wherein a server sending from the network-connected computer system the request is authenticated by the service before the reputation profile is sent.
  - 6. A method according to claim 1, wherein the requesting of the source reputation profile occurs in real-time with the delivery attempt for of the incoming electronic message.
  - 7. A method according to claim 1, wherein the source reputation profile comprises a list having at least one item of reputation data.
  - 8. A method according to claim 7, wherein the reputation data comprises at least one selected from the group consisting of:
    - the number of messages considered spam sent from the source;
      
      the number of messages considered legitimate from the source;
      
      the number of recipients on a message sent from the source;
      
      the number of connection attempts from the source;
      
      the number of connection successes from the source;
      
      the number of connection failures from the source;
      
      the number of connection currently open from the source;
      
      the number of 400-class errors caused by messaging attempts by the source;
      
      the number of 500-class errors caused by messaging attempts by the source;
      
      the average message size in bytes sent from the source;
      
      the average connection duration from the source;
      
      the number of messages containing viruses sent from the source;
      
      the number of message delivered from the source; and
      
      an overall number of messages sent from the source.
  - 9. A method according to claim 1, wherein the reputation profile comprises electronic message path data for use in a network router table of a router associated with the network-connected computer system, wherein deciding disposition comprises causing the router to provide an invalid message path for electronic messages from the source addressed to the network-connected computer system.
  - 10. A method according to claim 1, wherein the reputation profile comprises electronic message path data for use in a network router table of a router associated with the network-connected computer system, wherein deciding disposition comprises causing the router to remove one or more message paths from the source to the network-connected computer system.
  - 11. A method according to claim 1, wherein the delivery attempt for an incoming electronic message comprises receiving a TCP connection request from the source, and wherein deciding disposition comprises determining whether the to allow the TCP connection from the source.
  - 12. A method according to claim 11, wherein the requesting and deciding disposition occur substantially as the source is requesting the TCP connection.
  - 13. A method according to claim 1, further comprising:
    - receiving an updated reputation profile from the service; and
      
      deciding disposition of one or more further delivery attempts for incoming electronic messages from the source based on the received updated reputation profile.
  - 14. A method according to claim 13, wherein the reputation profile comprises a reputation score for the source and the updated reputation profile comprises an updated reputation score for the source, and wherein an updated reputation score higher than the reputation score indicates an increased likelihood that electronic messages from the source are unwanted, the method further comprising blocking the one or more further delivery attempts for incoming electronic messages based on the increased likelihood.
  - 15. A method according to claim 13, wherein receiving the updated source reputation profile from the service occurs in real-time.
  - 16. A method according to claim 1, further comprising adding the source to at least one list selected from the group consisting of blacklists, blocked senders lists, and gray-lists based on the received reputation profile.
  - 17. A method according to claim 1, wherein the electronic messages are selected from the group consisting of e-mail, instant messages, VoIP transmissions, video-over-IP transmissions, text messages.

18. A system for handling delivery attempts for incoming electronic messages from a computer network, the system comprising:
- a client system connected to the computer network and comprising a processor for executing instructions stored in a memory, the execution of the instructions configured to;
  
  receive a delivery attempt for an incoming electronic message at a receiving server in the client system, anddetermine a source of the incoming electronic message; and
  
  the client system comprising a client machine within it and configured to;
  
  request a reputation profile on the source from a service in the computer network that is external to the receiving server and any terminals connected thereto for receiving incoming messages from the receiving server,receive the reputation profile on the source at the network-connected computer system, the reputation profile based on reputation data for sources of messages generated by a centralized electronic message traffic monitoring system evaluating messages after being sent from a sending server and before being received by the targeted receiving server, anddecide disposition of the delivery attempt for an incoming electronic message based on the reputation profile received from the service.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 19. A system according to claim 18, wherein the client system is configured to extract the source information regarding the source of the incoming electronic message from the incoming electronic message.
  - 20. A system according to claim 19, wherein the source comprises a source IP address.
  - 21. A system according to claim 20, wherein the request comprises a reputation query to the service using the source IP address of the source.
  - 22. A system according to claim 21, wherein the client machine sending the request from the client system is authenticated by the service before the reputation profile is sent.
  - 23. A system according to claim 18, wherein the client machine is further configured to request the source reputation profile in real-time with the receiving of a delivery attempt for the incoming electronic message by the client system.
  - 24. A system according to claim 18, wherein the source reputation profile comprises a list having at least one item of reputation data.
  - 25. A system according to claim 24, wherein the reputation data comprises at least one selected from the group consisting of:
    - the number of messages considered spam sent from the source;
      
      the number of messages considered legitimate from the source;
      
      the number of recipients on a message sent from the source;
      
      the number of connection attempts from the source;
      
      the number of connection successes from the source;
      
      the number of connection failures from the source;
      
      the number of connection currently open from the source;
      
      the number of 400-class errors caused by messaging attempts by the source;
      
      the number of 500-class errors caused by messaging attempts by the source;
      
      the average message size in bytes sent from the source;
      
      the average connection duration from the source;
      
      the number of messages containing viruses sent from the source;
      
      the number of message delivered from the source; and
      
      an overall number of messages sent from the source.
  - 26. A system according to claim 18, wherein the reputation profile comprises electronic message path data for use in a network router table of a router associated with the client system, and the client machine decides disposition by causing the router to provide an invalid message path for electronic messages from the source addressed to the client system.
  - 27. A system according to claim 18, wherein the reputation profile comprises electronic message path data for use in a network router table of a router associated with the client system, and the client machine decides disposition by causing the router to remove one or more message paths from the source to the client system.
  - 28. A system according to claim 18, wherein the client machine is further configured to:
    - request an updated reputation profile on the source from the service; and
      
      decide disposition of one or more further delivery attempts for incoming electronic messages from the source based on the updated reputation profile received from the service.
  - 29. A system according to claim 28, wherein the reputation profile comprises a reputation score for the source and the updated reputation profile comprises an updated reputation score for the source, and wherein an updated reputation score higher than the reputation score indicates an increased likelihood that electronic messages from the source are unwanted, the client machine further configured to block the one or more further delivery attempts for incoming electronic messages based on the increased likelihood.
  - 30. A system according to claim 28, wherein the updated source reputation profile is received from the service in real-time.
  - 31. A system according to claim 18, wherein the client system is further configured to add the source to at least one list selected from the group consisting of blacklists, blocked senders lists, and gray-lists based on the received reputation profile.
  - 32. A system according to claim 18, wherein the electronic messages are selected from the group consisting of e-mail, instant messages, VoIP transmissions, video-over-IP transmissions, text messages.

33. A method of filtering a flow of electronic messages across a computer network, the method comprising:
- receiving a delivery attempt for an incoming electronic message at a receiving server in a network-connected computer system;
  
  determining a source of the incoming electronic message;
  
  requesting a reputation profile on the source from a service in the computer network that is external to the receiving sewer and any terminals connected thereto for receiving incoming messages from the receiving server;
  
  generating -message traffic information associated with the source by the service, the message traffic information generated by a centralized electronic message traffic monitoring system evaluating messages after being sent from a sending server and before being received by the targeted receiving servers;
  
  generating a source reputation profile by the service based on at least the message traffic information;
  
  providing the source reputation profile from the service to the network-connected computer system; and
  
  deciding disposition by the network-connected computer system of the delivery attempt for an incoming electronic message based on the reputation profile received from the service.
- View Dependent Claims (34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50)
- - 34. A method according to claim 33, wherein determining the source comprises extracting source information regarding the source of the incoming electronic message from the incoming electronic message.
  - 35. A method according to claim 34, wherein the source comprises a source IP address.
  - 36. A method according to claim 35, wherein the requesting comprises a reputation query to the service using the source IP address of the source.
  - 37. A method according to claim 36, wherein a server sending the request from the network-connected computer system is authenticated by the service before the reputation profile is sent.
  - 38. A method according to claim 33, wherein the requesting of the source reputation profile occurs in real-time with the receiving of the delivery attempt for an incoming electronic message.
  - 39. A method according to claim 33, wherein the source reputation profile comprises a list having at least one item of reputation data.
  - 40. A method according to claim 39, wherein the reputation data comprises at least one selected from the group consisting of:
    - the number of messages considered spam sent from the source;
      
      the number of messages considered legitimate from the source;
      
      the number of recipients on a message sent from the source;
      
      the number of connection attempts from the source;
      
      the number of connection successes from the source;
      
      the number of connection failures from the source;
      
      the number of connection currently open from the source;
      
      the number of 400-class errors caused by messaging attempts by the source;
      
      the number of 500-class errors caused by messaging attempts by the source;
      
      the average message size in bytes sent from the source;
      
      the average connection duration from the source;
      
      the number of messages containing viruses sent from the source;
      
      the number of message delivered from the source; and
      
      an overall number of messages sent from the source.
  - 41. A method according to claim 33, wherein the reputation profile comprises electronic message path data for use in a network router table of a router associated with the network-connected computer system, the network-connected computer system deciding disposition by causing the router to provide an invalid message path for electronic messages from the source addressed to the network-connected computer system.
  - 42. A method according to claim 33, wherein the reputation profile comprises electronic message path data for use in a network router table of a router associated with the network-connected computer system, the network-connected computer system deciding disposition by causing the router to remove one or more message paths from the source to the network-connected computer system.
  - 43. A method according to claim 33, further comprising:
    - receiving an updated reputation profile from the service; and
      
      deciding disposition of one or more further delivery attempts for incoming electronic messages from the source based on the received updated reputation profile.
  - 44. A method according to claim 43, wherein the reputation profile comprises a reputation score for the source and the updated reputation profile comprises an updated reputation score for the source, and wherein an updated reputation score higher than the reputation score indicates an increased likelihood that electronic messages from the source are unwanted, the method further comprising blocking the one or more further delivery attempts for incoming electronic messages based on the increased likelihood.
  - 45. A method according to claim 43, wherein receiving the updated source reputation profile from the service occurs in real-time.
  - 46. A method according to claim 33, further comprising adding the source to at least one list selected from the group consisting of blacklists, blocked senders lists, and gray-lists based on the received reputation profile.
  - 47. A method according to claim 33, wherein receiving message traffic information associated with the source by the service comprises receiving message traffic information from a data source comprising a system determining whether a predetermined amount of time has elapsed since a first suspect message was sent from a particular source when a second suspect message is detected being sent from that source.
  - 48. A method according to claim 33, wherein receiving message traffic information associated with the source by the service comprises receiving message traffic information from a data source comprising a system identifying message sources by detecting messages sent to a deliberately established invalid destination address.
  - 49. A method according to claim 33, further comprising storing the message traffic information in a profile database associated with the engine.
  - 50. A method according to claim 33, wherein the electronic messages are selected from the group consisting of e-mail, instant messages, VoIP transmissions, video-over-IP transmissions, text messages.

51. A network traffic filtering system for filtering a flow of electronic messages across a computer network, the system comprising:
- a client system connected to the computer network and configured to;
  
  receive a delivery attempt for an incoming electronic message at a receiving server in the client system, anddetermine a source of the incoming electronic message;
  
  the client system comprising a client machine within it and configured to request a reputation profile on the source from a service in the computer network that is external to the receiving server and any terminals connected thereto for receiving incoming messages from the receiving server;
  
  an engine installed on one or more computing devices affiliated with the service, the engine executing instructions stored in a memory of the one or more computing devices, the execution of the instructions configured to;
  
  generate a source reputation profile based at least on reputation data for sources of messages generated by a centralized electronic message traffic monitoring system evaluating messages after being sent from a sending server and before being received by the targeted receiving server, andprovide the source reputation profile to the client machine; and
  
  wherein the client machine is further configured to decide disposition of the delivery attempt for an incoming electronic message based on the reputation profile received from the service.
- View Dependent Claims (52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68)
- - 52. A system according to claim 51, wherein the client system is configured to extract the source information regarding the source of the incoming electronic message from the incoming electronic message.
  - 53. A system according to claim 52, wherein the source comprises a source IP address.
  - 54. A system according to claim 53, wherein the request comprises a reputation query to the service using the source IP address of the source.
  - 55. A system according to claim 54, wherein the client machine sending the request from the client system is authenticated by the engine before the reputation profile is sent.
  - 56. A system according to claim 51, wherein the client machine is further configured to request the source reputation profile in real-time with the receiving of the delivery attempt for an incoming electronic message by the client system.
  - 57. A system according to claim 51, wherein the source reputation profile comprises a list having at least one item of reputation data.
  - 58. A system according to claim 57, wherein the reputation data comprises at least one selected from the group consisting of:
    - the number of messages considered spam sent from the source;
      
      the number of messages considered legitimate from the source;
      
      the number of recipients on a message sent from the source;
      
      the number of connection attempts from the source;
      
      the number of connection successes from the source;
      
      the number of connection failures from the source;
      
      the number of connection currently open from the source;
      
      the number of 400-class errors caused by messaging attempts by the source;
      
      the number of 500-class errors caused by messaging attempts by the source;
      
      the average message size in bytes sent from the source;
      
      the average connection duration from the source;
      
      the number of messages containing viruses sent from the source;
      
      the number of message delivered from the source; and
      
      an overall number of messages sent from the source.
  - 59. A system according to claim 51, wherein the reputation profile comprises electronic message path data for use in a network router table of a router associated with the client system, and the client machine decides disposition by causing the router to provide an invalid message path for electronic messages from the source addressed to the client system.
  - 60. A system according to claim 51, wherein the reputation profile comprises electronic message path data for use in a network router table of a router associated with the client system, and the client machine decides disposition by causing the router to remove one or more message paths from the source to the network-connected computer system.
  - 61. A system according to claim 51, wherein the client machine is further configured to:
    - request an updated reputation profile on the source from the service; and
      
      decide disposition of one or more further delivery attempts for incoming electronic messages from the source based on the updated reputation profile received from the engine.
  - 62. A system according to claim 61, wherein the reputation profile comprises a reputation score for the source and the updated reputation profile comprises an updated reputation score for the source, and wherein an updated reputation score higher than the reputation score indicates an increased likelihood that electronic messages from the source are unwanted, the client machine further configured to block the one or more further delivery attempts for incoming electronic messages based on the increased likelihood.
  - 63. A system according to claim 61, wherein the updated source reputation profile is received from the engine in real-time.
  - 64. A system according to claim 51, wherein the client system is further configured to add the source to at least one list selected from the group consisting of blacklists, blocked senders lists, and gray-lists based on the received reputation profile.
  - 65. A system according to claim 51, wherein the engine is configured to receive the message traffic information from a data source comprising a system determining whether a predetermined amount of time has elapsed since a first suspect message was sent from a particular source when a second suspect message is detected being sent from that source.
  - 66. A system according to claim 51, wherein the engine is configured to receive the message traffic information from a data source comprising a system identifying message sources by detecting messages sent to a deliberately established invalid destination address.
  - 67. A system according to claim 51, further comprising a profile database associated with the engine for storing the message traffic information.
  - 68. A system according to claim 51, wherein the electronic messages are selected from the group consisting of e-mail, instant messages, VoIP transmissions, video-over-IP transmissions, text messages.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Lund, Peter K., Petry, Scott M., Okumura, Kenneth K., Carroll, Dorion A., Croteau, Craig S.
Primary Examiner(s)
Vaughn, Jr.; William C
Assistant Examiner(s)
PEREZ TORO, CARLOS RAFAEL

Application Number

US11/773,677
Publication Number

US 20080016167A1
Time in Patent Office

978 Days
Field of Search

709/206, 709/204, 709/207, 709223-226, 709/205
US Class Current

709/223
CPC Class Codes

G06Q 10/107   Computer-aided management o...

H04L 51/212   using filtering or selectiv...

H04L 63/0236   Filtering by address, proto...

H04L 63/068   using time-dependent keys, ...

H04L 63/126   the source of the received ...

H04L 67/306   User profiles

H04L 67/564   Enhancement of application ...

H04L 67/63   Routing a service request d...

Source reputation information system for filtering electronic messages using a network-connected computer

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

68 Claims

Specification

Solutions

Use Cases

Quick Links

Source reputation information system for filtering electronic messages using a network-connected computer

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

68 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links