Real-time detection and prevention of bulk messages

US 7,734,703 B2
Filed: 07/18/2006
Issued: 06/08/2010
Est. Priority Date: 07/18/2006
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for detecting unwanted messages in real-time at a message delivery host, the method comprising:

providing a plurality of statuses for keys associated with messages, the statuses indicating actions to take with messages and having a precedence order from a high priority to a low priority;

providing a key store that stores an indication of keys along with a status for each key;

receiving from a user an indication of a key and its status;

after receiving the key, storing an indication of the received key and its status in the key store;

for each of a plurality of attributes of the message, generating a key for the message based on the attribute of the message;

for each generated key, determining a status associated with the generated key as indicated by the key store; and

processing the message according to the statuses associated with the generated keys by;

selecting the status associated with a generated key that has the highest priority; and

performing the action of the selected status with the message.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for detecting and preventing bulk messages in real-time is provided. A detection server detects and prevents bulk messages in real-time by analyzing the network traffic pattern of attributes of messages, such as email messages, that are passing through the network against an expected network traffic pattern. The expected network traffic pattern may be specified as a combination of a rate and one or more thresholds, where each threshold has a corresponding status. The rate specifies a quantity of an attribute measured with respect to a quantity of time. A status associated with a threshold is attained when the rate is exceeded the requisite threshold number of times. The status indicates an action that is to be taken in processing the email message containing the attribute. An email message can then be processed in accordance with a status assigned to an attribute of the email message.

51 Citations

View as Search Results

20 Claims

1. A computer-implemented method for detecting unwanted messages in real-time at a message delivery host, the method comprising:
- providing a plurality of statuses for keys associated with messages, the statuses indicating actions to take with messages and having a precedence order from a high priority to a low priority;
  
  providing a key store that stores an indication of keys along with a status for each key;
  
  receiving from a user an indication of a key and its status;
  
  after receiving the key, storing an indication of the received key and its status in the key store;
  
  for each of a plurality of attributes of the message, generating a key for the message based on the attribute of the message;
  
  for each generated key, determining a status associated with the generated key as indicated by the key store; and
  
  processing the message according to the statuses associated with the generated keys by;
  
  selecting the status associated with a generated key that has the highest priority; and
  
  performing the action of the selected status with the message.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein the attribute of the message is an Internet Protocol (IP) address of a sender of the message.
  - 3. The method of claim 1, wherein the attribute of the message is a body part of the message.
  - 4. The method of claim 1, wherein the key is a hash print of a body part of the message.
  - 5. The method of claim 1, wherein the status is obtained from a remote detection server.
  - 6. The method of claim 1, wherein the status indicates to normally process the message.
  - 7. The method of claim 1, wherein the status indicates to reject the message.
  - 8. The method of claim 1, wherein the status indicates to send a copy of the message to a preconfigured address.
  - 9. The method of claim 1, wherein the status indicates to indicate the message as suspicious.
  - 10. The method of claim 1, wherein each status associated with a key is based on a count of a number of times a specified rate is exceeded and at least one threshold value, each threshold value specifies the number of times the rate has to be exceeded for the key to attain the corresponding status.
  - 11. The method of claim 10, wherein the count of a number of times the specified rate is exceeded is a local count.
  - 12. The method of claim 10, wherein the count of a number of times the specified rate is exceeded is a global count.

13. A computer-implemented method for assigning statuses to keys at a detection server, the keys based on attributes of messages, the method comprising:
- providing a rate indicating number of times a key is received within a specified time period;
  
  for each of a plurality of threshold values, providing an association between the threshold value and a status, wherein each threshold value specifies a number of times the rate has been exceeded;
  
  for each of a plurality of keys, providing a count of a number of times the rate of receiving the key is exceeded on the detection server;
  
  receiving from a message delivery host an indication of a key;
  
  determining whether the rate of receiving the received key is exceeded; and
  
  upon determining that the rate of receiving the received key is exceeded,incrementing the count of the number of times the rate of receiving the received key is exceeded on the detection server;
  
  determining whether the count crosses one of the threshold values; and
  
  upon determining that the count crosses one of the threshold values, assigning to the key the status associated with the threshold value that the count crossed.
- View Dependent Claims (14, 15, 16, 17)
- - 14. The method of claim 13 further comprising:
    - for each key, providing a count of a number of times the rate is exceeded globally; and
      
      upon determining that the rate is exceeded, updating the count of the number of times the rate is exceeded globally.
  - 15. The method of claim 14 further comprising:
    - receiving from a peer detection server an advertisement of a suspicious key;
      
      updating the count of the number of times the rate is exceeded globally for the suspicious key;
      
      determining whether one of the threshold values is crossed; and
      
      upon determining that one of the threshold values is crossed, assigning to the suspicious key the status associated with the threshold value that is crossed.
  - 16. The method of claim 13, wherein the status assigned to the key indicates that the key is a suspicious key.
  - 17. The method of claim 13 further comprising:
    - identifying suspicious keys; and
      
      sending an advertisement of suspicious keys to peer detection servers.

18. A detection server comprising:
- a key store that identifies keys received at the detection server and information relating to the status of each key, each key being derived from an attribute of a message and the status of a key specifying whether or not the key is considered suspicious;
  
  a host componentthat receives a request for a status of a specified key from a message delivery host,that updates the information of the key store for the specified key,that determines the status of the specified key from the information of the key store, andthat sends the status of the specified key to the message delivery host; and
  
  a peer componentthat identifies keys of the key store with statuses that are considered suspicious,that sends advertisements of the identified keys to peer detection servers,that receives advertisements of suspicious keys from peer detection servers, andthat updates the information of the key store based on the received advertisements of suspicious keysso that a detection server determines the status of a key based on an advertisement received from a peer detection server.
- View Dependent Claims (19, 20)
- - 19. The server of claim 18, wherein the peer component also assigns statuses to keys based on advertisements received from peer detection servers.
  - 20. The server of claim 18, wherein the host component also assigns statuses to keys based on requests for statuses of keys received from message delivery hosts.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Jhawar, Amit
Primary Examiner(s)
Srivastava; Vivek
Assistant Examiner(s)
Pollack; Melvin H

Application Number

US11/458,342
Publication Number

US 20080021961A1
Time in Patent Office

1,421 Days
Field of Search

709/203, 709/206, 709/207, 709/219, 709/230, 709/236, 719/315, 705/14
US Class Current

709/206
CPC Class Codes

H04L 51/212 using filtering or selectiv...

H04L 63/0227 Filtering policies mail mes...

Real-time detection and prevention of bulk messages

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

51 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

Real-time detection and prevention of bulk messages

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others