Real-time detection and prevention of bulk messages
First Claim
1. A computer-implemented method for detecting unwanted messages in real-time at a message delivery host, the method comprising:
- providing a plurality of statuses for keys associated with messages, the statuses indicating actions to take with messages and having a precedence order from a high priority to a low priority;
- providing a key store that stores an indication of keys along with a status for each key;
- receiving from a user an indication of a key and its status;
- after receiving the key, storing an indication of the received key and its status in the key store;
- for each of a plurality of attributes of the message, generating a key for the message based on the attribute of the message;
- for each generated key, determining a status associated with the generated key as indicated by the key store; and
- processing the message according to the statuses associated with the generated keys by:
  - selecting the status associated with a generated key that has the highest priority; and
  - performing the action of the selected status with the message.
Abstract
A method and system for detecting and preventing bulk messages in real-time is provided. A detection server detects and prevents bulk messages in real-time by analyzing the network traffic pattern of attributes of messages, such as email messages, that are passing through the network against an expected network traffic pattern. The expected network traffic pattern may be specified as a combination of a rate and one or more thresholds, where each threshold has a corresponding status. The rate specifies a quantity of an attribute measured with respect to a quantity of time. A status associated with a threshold is attained when the rate is exceeded the requisite threshold number of times. The status indicates an action that is to be taken in processing the email message containing the attribute. An email message can then be processed in accordance with a status assigned to an attribute of the email message.
20 Claims
13. A computer-implemented method for assigning statuses to keys at a detection server, the keys based on attributes of messages, the method comprising:
- providing a rate indicating number of times a key is received within a specified time period;
- for each of a plurality of threshold values, providing an association between the threshold value and a status, wherein each threshold value specifies a number of times the rate has been exceeded;
- for each of a plurality of keys, providing a count of a number of times the rate of receiving the key is exceeded on the detection server;
- receiving from a message delivery host an indication of a key;
- determining whether the rate of receiving the received key is exceeded; and
- upon determining that the rate of receiving the received key is exceeded, incrementing the count of the number of times the rate of receiving the received key is exceeded on the detection server;
- determining whether the count crosses one of the threshold values; and
- upon determining that the count crosses one of the threshold values, assigning to the key the status associated with the threshold value that the count crossed.
18. A detection server comprising:
- a key store that identifies keys received at the detection server and information relating to the status of each key, each key being derived from an attribute of a message and the status of a key specifying whether or not the key is considered suspicious;
- a host component that receives a request for a status of a specified key from a message delivery host, that updates the information of the key store for the specified key, that determines the status of the specified key from the information of the key store, and that sends the status of the specified key to the message delivery host; and
- a peer component that identifies keys of the key store with statuses that are considered suspicious, that sends advertisements of the identified keys to peer detection servers, that receives advertisements of suspicious keys from peer detection servers, and that updates the information of the key store based on the received advertisements of suspicious keys so that a detection server determines the status of a key based on an advertisement received from a peer detection server.
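The rate and threshold status assignment of claim 13, combined with the highest-priority selection of claim 1, can be sketched as follows. This is an added illustration, not code from the patent. The status names, rate, window length, threshold values, fixed-window counting, SHA-256 key derivation and escalate-only rule are all assumptions.

```python
import hashlib
from dataclasses import dataclass

# Assumptions (the page names no statuses or values): low -> high priority.
PRECEDENCE = ["accept", "defer", "reject"]
RATE, WINDOW = 3, 60.0                  # expected: at most 3 sightings per 60 s
THRESHOLDS = {1: "defer", 3: "reject"}  # times rate exceeded -> status

@dataclass
class KeyState:
    window_start: float
    seen: int = 0        # sightings in the current window
    exceeded: int = 0    # windows in which RATE was exceeded
    status: str = "accept"

class DetectionServer:
    def __init__(self):
        self.store = {}  # key -> KeyState

    def set_status(self, key, status, now=0.0):
        """Store a user-supplied key and status."""
        self.store.setdefault(key, KeyState(now)).status = status

    def report(self, key, now):
        """Record one sighting of key at time now and return its status."""
        st = self.store.setdefault(key, KeyState(now))
        if now - st.window_start >= WINDOW:      # start a fresh window
            st.window_start, st.seen = now, 0
        st.seen += 1
        if st.seen == RATE + 1:                  # rate exceeded, once per window
            st.exceeded += 1
            new = THRESHOLDS.get(st.exceeded)    # did the count cross a threshold?
            # Only escalate, so a user-set "reject" is never downgraded.
            if new and PRECEDENCE.index(new) > PRECEDENCE.index(st.status):
                st.status = new
        return st.status

def message_keys(msg):
    """One key per attribute: SHA-256 over 'name=value'."""
    return [hashlib.sha256(f"{n}={v}".encode()).hexdigest()
            for n, v in sorted(msg.items())]

def process(server, msg, now):
    """Look up every key of the message and act on the highest-priority status."""
    statuses = [server.report(k, now) for k in message_keys(msg)]
    return max(statuses, key=PRECEDENCE.index)

def demo():
    srv = DetectionServer()
    bulk = {"sender_ip": "192.0.2.10", "subject": "Constructed bulk subject"}
    burst = [process(srv, bulk, float(t)) for t in range(4)]
    other = {"sender_ip": "198.51.100.7", "subject": bulk["subject"]}
    return burst, process(srv, other, 10.0)
```

In `demo()`, the second sender has never been seen, yet its message is deferred because the shared subject key already carries a higher-priority status than the fresh IP key.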
Specification