Electronic message source reputation information system

US 7,792,909 B2
Filed: 05/03/2006
Issued: 09/07/2010
Est. Priority Date: 05/25/2004
Status: Active Grant

First Claim

Patent Images

1. A network traffic filtering system for filtering a flow of electronic messages across a computer network from electronic message sources to intended recipients, the system comprising:

an engine configured to generate reputation data and updated reputation data for sources of messages by evaluating messages after being sent from sending servers and before being received by any targeted receiving server associated with one or more intended recipients of one or more of the messages, the engine further configured to generate source reputation profiles of the electronic message sources using the reputation and updated reputation data;

a centralized server installed on one or more computing devices and including the engine, the centralized server external to any gateway to a network having one or more of the targeted receiving servers associated with the one or more intended recipients;

a source reputation profile of one of the message sources created by the engine and comprising;

a first reputation score for the message source calculated by the engine based on the reputation data for the message source, the first reputation score indicating a likelihood that electronic messages from the message source are unwanted by intended recipients of the messages, anda second reputation score for the message source adjusted from the first reputation score by the engine based on updated reputation data associated with the message source, the second reputation score indicating a decreased likelihood that electronic messages from the message source are unwanted by the intended recipients; and

a database connected to the centralized server and also external to any gateway to a network having one or more of the targeted receiving servers associated with the one or more intended recipients, the database configured to store the source reputation profiles.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein are filtering systems and methods that employ an electronic message source reputation system. The source reputation system maintains a pool of source Internet Protocol (IP) address information, in the form of a Real-Time Threat Identification Network (“RTIN”) database, which can provide the reputation of source IP addresses, which can be used by customers for filtering network traffic. The source reputation system provides for multiple avenues of access to the source reputation information. Examples of such avenues can include Domain Name Server (DNS)-type queries, servicing routers with router-table data, or other avenues.

Citations

39 Claims

1. A network traffic filtering system for filtering a flow of electronic messages across a computer network from electronic message sources to intended recipients, the system comprising:
- an engine configured to generate reputation data and updated reputation data for sources of messages by evaluating messages after being sent from sending servers and before being received by any targeted receiving server associated with one or more intended recipients of one or more of the messages, the engine further configured to generate source reputation profiles of the electronic message sources using the reputation and updated reputation data;
  
  a centralized server installed on one or more computing devices and including the engine, the centralized server external to any gateway to a network having one or more of the targeted receiving servers associated with the one or more intended recipients;
  
  a source reputation profile of one of the message sources created by the engine and comprising;
  
  a first reputation score for the message source calculated by the engine based on the reputation data for the message source, the first reputation score indicating a likelihood that electronic messages from the message source are unwanted by intended recipients of the messages, anda second reputation score for the message source adjusted from the first reputation score by the engine based on updated reputation data associated with the message source, the second reputation score indicating a decreased likelihood that electronic messages from the message source are unwanted by the intended recipients; and
  
  a database connected to the centralized server and also external to any gateway to a network having one or more of the targeted receiving servers associated with the one or more intended recipients, the database configured to store the source reputation profiles.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. A network traffic filtering system according to claim 1, wherein the first reputation score and the second reputation score are stored at different times in the network traffic filtering system.
  - 3. A network traffic filtering system according to claim 1, and further comprising a message handling process, wherein messages sent from the message source are blocked by the message handling process from reaching the intended recipients at a first time when the first reputation score is attributed to the message source and wherein messages sent from the message source are allowed to reach the intended recipients at a second time when the second reputation score is attributed to the message source.
  - 4. A network traffic filtering system according to claim 1, wherein the message source is a source IP address.
  - 5. A network traffic filtering system according to claim 1, wherein the engine is further configured to provide the source reputation profile to an external system for its use in blocking or allowing the messages sent from the message source.
  - 6. A network traffic filtering system according to claim 5, wherein the engine provides the source reputation profile to the external system in real-time.
  - 7. A network traffic filtering system according to claim 6, wherein the source reputation profile comprises electronic message path data for use in a network router table of a router associated with the external system to redirect electronic messages from the message source.
  - 8. A network traffic filtering system according to claim 7, wherein the router table comprises a threshold value for redirecting the electronic messages from the message source.
  - 9. A network traffic filtering system according to claim 8, wherein the engine is further configured to adjust the threshold value based on the updated reputation data.
  - 10. A network traffic filtering system according to claim 5, wherein the engine is further configured to provide the source reputation profile to an external system in response to a query received from the external system.
  - 11. A network traffic filtering system according to claim 10, wherein the query comprises a DNS query corresponding to a source IP address of the message source.
  - 12. A network traffic filtering system according to claim 11, wherein the external system is authenticated before responding to the query.
  - 13. A network traffic filtering system according to claim 5, wherein the engine is further configured to provide the source reputation profile to an external system comprising a customer system subscribing to use the filtering system.
  - 14. A network traffic filtering system according to claim 1, wherein the source reputation profile comprises a list having at least one item of reputation data or updated reputation data.
  - 15. A network traffic filtering system according to claim 1, wherein the reputation data and updated reputation data are based on at least one selected from the group consisting of:
    - the number of messages considered spam sent from the message source;
      
      the number of recipients on a message sent from the message source;
      
      the number of connection attempts from the message source;
      
      the number of connection successes from the message source;
      
      the number of connection failures from the message source;
      
      the number of connections currently open from the message source;
      
      the number of 400-class errors caused by messaging attempts by the message source;
      
      the number of 500-class errors caused by messaging attempts by the message source;
      
      the average message size in bytes sent from the message source;
      
      the average connection duration from the message source;
      
      the number of viruses sent from the message source;
      
      the number of message delivered from the message source;
      
      a signature authenticating the message source; and
      
      an overall number of messages sent from the message source.
  - 16. A network traffic filtering system according to claim 1, wherein the engine is configured to receive the reputation data and updated reputation data from a data source comprising at least one selected from the group consisting of a network traffic monitoring system, a two-strikes system, and a sudden-death system.
  - 17. A network traffic filtering system according to claim 1, wherein the engine is configured to receive the reputation data and updated reputation data from a data source comprising approved sender IP addresses selected using a business-based heuristics selection technique.
  - 18. A network traffic filtering system according to claim 1, wherein the centralized server via the engine is further configured to query a data source for reputation data, receive reputation data from the data source, evaluate the received data to generate the source reputation profile, distribute the source reputation profile to external systems, receive updated reputation data from the data source, evaluate the updated reputation date to update the source reputation profile, and distribute the updated source reputation profile to the external systems.
  - 19. A network traffic filtering system according to claim 18, wherein the system further comprises a reputation data database associated with the centralized server and configured to store the reputation data.
  - 20. A network traffic filtering system according to claim 18, wherein the engine comprises a controller to query a data source for reputation data, receive reputation data from the data source, evaluate the received reputation data to develop the source reputation profile, receive updated reputation data from the data source, and evaluate the updated reputation date to update the source reputation profile.
  - 21. A network traffic filtering system according to claim 1, further comprising an initial reputation score for the source calculated by the engine before the first reputation score, the initial reputation score based on reputation data indicating a likelihood that electronic messages from the message source are not unwanted by the intended recipients, the initial reputation score allowing messages sent from the message source to reach the intended recipients, and wherein the first reputation score thereafter indicates the likelihood that the electronic messages from the message source are unwanted by the intended recipients.

22. A method of filtering a flow of electronic messages across a computer network from electronic message sources to intended recipients, a centralized server installed on one or more computing devices and including an engine, the engine performing the steps comprising:
- calculating a first reputation score for a message source based on reputation data associated with the message source generated by evaluating messages after being sent from a sending server associated with the source and before being received at any gateway to a network having one or more targeted receiving servers associated with one or more intended recipients of one or more of the messages, the reputation data indicating a likelihood that electronic messages from the message source are unwanted by the one or more intended recipients of the messages;
  
  blocking messages sent from the message source from reaching any targeted receiving servers associated with the one or more intended recipients at a first time when the first reputation score is attributed to the message source;
  
  adjusting the first reputation score to a second reputation score for the message source based on updated reputation data associated with the message source generated by evaluating additional messages after being sent from the sending server associated with the source and before being received at any gateway to a network having one of the targeted receiving servers associated with one or more intended recipients of one or more of the messages, the updated reputation data indicating a decreased likelihood that electronic messages from the message source are unwanted by the one or more intended recipients; and
  
  allowing messages sent from the message source to reach the one or more intended recipients at a second time later than the first time when the second reputation score is attributed to the message source.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39)
- - 23. A method according to claim 22, further comprising storing the first reputation score and the second reputation score at different times.
  - 24. A method according to claim 22, wherein the message source is a source IP address.
  - 25. A method according to claim 22, further comprising generating a source reputation profile associated with the message source and comprising the first reputation score or the second reputation score.
  - 26. A method according to claim 25, further comprising providing the source reputation profile to an external system for its use in filtering messages from the message source.
  - 27. A method according to claim 26, wherein the providing further comprises providing the source reputation profile to the external system in real-time.
  - 28. A method according to claim 26, wherein the source reputation profile comprises a list having at least one item of reputation data or updated reputation data.
  - 29. A method according to claim 26, wherein providing the source reputation profile further comprises providing the source reputation profile to a customer system in the form of electronic message path data for use in a network router table of a router associated with the customer system to redirect electronic messages from the message source.
  - 30. A method according to claim 29, wherein the router table comprises the threshold value.
  - 31. A method according to claim 30, further comprising adjusting the threshold value based on the updated reputation data.
  - 32. A method according to claim 26, wherein providing the source reputation profile further comprises providing the source reputation profile to the external system in response to a query received from the external system.
  - 33. A method according to claim 32, wherein the query comprises a DNS query corresponding to a source IP address of the message source.
  - 34. A method according to claim 33, further comprising authenticating the external system before responding to the query.
  - 35. A method according to claim 26, wherein providing the reputation profile to an external system comprises providing the reputation profile to a customer system subscribing to use the filtering method.
  - 36. A method according to claim 22, wherein the reputation data and updated reputation data comprise at least one selected from the group consisting of:
    - the number of messages considered spam sent from the message source;
      
      the number of recipients on a message sent from the message source;
      
      the number of connection attempts from the message source;
      
      the number of connection successes from the message source;
      
      the number of connection failures from the message source;
      
      the number of connection currently open from the message source;
      
      the number of 400-class errors caused by messaging attempts by the message source;
      
      the number of 500-class errors caused by messaging attempts by the message source;
      
      the average message size in bytes sent from the message source;
      
      the average connection duration from the message source;
      
      the number of viruses sent from the message source;
      
      the number of message delivered from the message source;
      
      a signature authenticating the message source; and
      
      an overall number of messages sent from the message source.
  - 37. A method according to claim 22, further comprising receiving the reputation data and the updated reputation data from at least one selected from the group consisting of a network traffic monitoring system, a two-strikes system, and a sudden-death system.
  - 38. A method according to claim 22, wherein the reputation data and updated reputation data comprises approved sender IP addresses selected using an business-based heuristics selection technique.
  - 39. A method according to claim 22, further comprising calculating an initial reputation score for the source by the engine before calculating the first reputation score, the initial reputation score based on reputation data indicating a likelihood that electronic messages from the message source are not unwanted by the intended recipients thereby allowing messages sent from the message source to reach the intended recipients based on the preliminary reputation score, and wherein the first reputation score thereafter indicates the likelihood that the electronic messages from the message source are unwanted by the intended recipients.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Lund, Peter K., Petry, Scott M., Okumura, Kenneth K., Carroll, Dorion A., Croteau, Craig S.
Primary Examiner(s)
Chan; Wing F
Assistant Examiner(s)
WILLIS, JONATHAN U

Application Number

US11/381,511
Publication Number

US 20070282952A1
Time in Patent Office

1,588 Days
Field of Search

707/3, 707/203, 707/206, 709/206, 709/207, 709/224, 709/225, 726/4, 726/11, 726/27, 726/28, 726/31
US Class Current

709/206
CPC Class Codes

G06Q 10/107   Computer-aided management o...

H04L 51/212   using filtering or selectiv...

H04L 63/0236   Filtering by address, proto...

H04L 63/068   using time-dependent keys, ...

H04L 63/126   the source of the received ...

H04L 67/306   User profiles

H04L 67/564   Enhancement of application ...

H04L 67/63   Routing a service request d...

Electronic message source reputation information system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Electronic message source reputation information system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links