Using IP address and domain for email spam filtering
First Claim
1. A method, comprising:
- receiving an email message that is assumed to be non-spam;
determining an IP address associated with a sender of the email message;
generating an IP address set comprising a combination of portions of the IP address;
determining a domain from which the email message appears to have been sent;
generating a domain address set comprising a combination of portions of the domain name;
generating an IP/domain set by computing a cross-product of the IP address set and the domain set, the IP/domain set comprising elements of the cross-product;
determining an IP/domain spam score that represents a likelihood that an email message received from the IP address and the domain is spam;
associating the IP/domain spam score with the IP/domain set based at least in part on the elements of the cross-product;
storing the IP/domain spam score in association with the IP/domain set in a spam score data repository;
identifying, in the spam score data repository, a previously generated spam score associated with the domain;
determining a message spam score that is based on the email message assumed to be non-spam;
combining the message spam score with the previously generated spam score to generate the IP/domain spam score; and
determining whether to treat the email message as spam based on the message spam score.
2 Assignments
0 Petitions
Accused Products
Abstract
Email spam filtering is performed based on a combination of IP address and domain. When an email message is received, an IP address and a domain associated with the email message are determined. A cross product of the IP address (or portions of the IP address) and the domain (or portions of the domain) is calculated. If the email message is known to be either spam or non-spam, then a spam score based on the known spam status is stored in association with each (IP address, domain) pair element of the cross product. If the spam status of the email message is not known, then the (IP address, domain) pair elements of the cross product are used to lookup previously determined spam scores. A combination of the previously determined spam scores is used to determine whether or not to treat the received email message as spam.
-
Citations
17 Claims
-
1. A method, comprising:
-
receiving an email message that is assumed to be non-spam; determining an IP address associated with a sender of the email message; generating an IP address set comprising a combination of portions of the IP address; determining a domain from which the email message appears to have been sent; generating a domain address set comprising a combination of portions of the domain name; generating an IP/domain set by computing a cross-product of the IP address set and the domain set, the IP/domain set comprising elements of the cross-product; determining an IP/domain spam score that represents a likelihood that an email message received from the IP address and the domain is spam; associating the IP/domain spam score with the IP/domain set based at least in part on the elements of the cross-product; storing the IP/domain spam score in association with the IP/domain set in a spam score data repository; identifying, in the spam score data repository, a previously generated spam score associated with the domain; determining a message spam score that is based on the email message assumed to be non-spam; combining the message spam score with the previously generated spam score to generate the IP/domain spam score; and determining whether to treat the email message as spam based on the message spam score. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A method implemented by at least one processor, the method comprising:
-
receiving an email message; determining an IP address associated with a sender of the email message; determining a domain from which the email message appears to have been sent; generating an IP address set comprising combination of multiple portions of the IP address; generating a domain address set comprising combination of one or more portions of the domain name; generating, by the at least one processor, an IP/domain set by computing a cross-product of the IP address set and the domain set, each element of the IP/domain set representing a unique pair of a portion of the IP address and portion of the domain name; for each element of the IP/domain set, identifying a previously determined element spam score that represents a likelihood that an email message received from an IP address and domain that matches the element is spam; determining a message spam score by combining the previously determined element spam scores; and determining whether to treat the email message as spam based on the message spam score. - View Dependent Claims (9, 10, 11, 12, 13, 14)
-
-
15. A system, comprising:
-
a processor; a memory; a sender IP determination module stored in the memory and executed by the processor, the sender IP determination module configured to determine an IP address from which a received email message was sent; a sender domain determination module configured to determine a domain from which the received email message appears to have been sent; an IP X domain generation module configured to; expand the IP address into a set of partial IP addresses; expand the domain into a set of domain portions; and generate a cross product, (IP X Domain), of the set of partial IP addresses and the set of domain portions; a machine learning algorithm configured to calculate a spam score to be associated with an element of (IP X Domain); and a data repository configured to maintain an association between the element of (IP X Domain) and the spam score. - View Dependent Claims (16, 17)
-
Specification