Managing connections, messages, and directory harvest attacks at a server
First Claim
1. A method for managing a mail transfer agent (MTA), comprising:
based on a plurality of connections received at said MTA, determining a number of connections that are associated with a first sender identifier;
based on said number of connections being less than or equal to a specified number of connections, accepting an additional connection that is associated with said first sender identifier;
based on said number of connections being greater than said specified number of connections, rejecting said additional connection;
determining message information for a plurality of email messages that are received at said MTA;
based on said message information, determining that a second sender identifier of said plurality of sender identifiers is associated with at least one email message of said plurality of email messages;
based on said at least one email message, determining a number of recipients of email messages that are associated with said second sender identifier and that are being received at said MTA in a first time period; and
based on said number of recipients of email messages being greater than a maximum number of recipients of email messages, refusing to accept email messages that are associated with said second sender identifier until said first time period expires; and
after expiration of said first time period of time, accepting email messages that are associated with said second sender identifier;
determining that a third sender identifier of said plurality of sender identifiers is associated with a subset of email messages of said plurality of email messages;
based on said subset of email messages, determining a number of invalid recipient email addresses for a second time period;
receiving an additional email message that is associated with said third sender identifier;
determining that said additional email message is addressed to one or more invalid recipient email addresses for said MTA;
based on said number of invalid recipient email addresses being less than or equal to a maximum number of invalid recipient email addresses, generating and sending a message rejection response for said additional email message; and
based on said number of invalid recipient email addresses being greater than said maximum number of invalid recipient email addresses, dropping said additional email message without sending said message rejection response; and
after expiration of said second time period, accepting one or more additional email messages that are both associated with said third sender identifier and addressed to one or more invalid recipient email addresses for said MTA; and
for at least one electronic message from the plurality of email messages, determining a set of recipient email addresses to which said at least one email message was addressed and determining a set of recipient identifiers that are associated with said set of recipient email addresses;
for each recipient identifier in said set of recipient identifiers inspecting a mapping to identify a particular action from a plurality of actions, and based on said mapping, processing said at least one email message according to the particular action;
wherein said mapping associates said plurality of recipient identifiers with said plurality of actions;
wherein said first sender identifier, said second sender identifier, and said third sender identifier are each selected from the group consisting of a classless inter-domain routing (CIDR) block, and a partial CIDR block;
based on a particular recipient identifier matching a specified recipient identifier, processing said electronic message even though said number of connections does not satisfy said specified relationship with said specified number of connections;
wherein the method is performed by one or more computing devices.
Abstract
A method and apparatus for managing connections, email messages, and directory harvest attacks at a server is disclosed. The server maintains a count of a parameter and compares the count to a specified maximum value, such that when the specified maximum value is met or exceeded, an action is taken by the server to limit the connections, email messages, or directory harvest attack. Actions include controlling the number of connections to the server from senders, controlling the flow of email messages injected to the server by senders, and controlling when rejection response messages are sent for invalid recipient email addresses to thwart a directory harvest attack. Senders are identified by one or more sender identifiers, which can be used to group senders together so that the same maximum value is applied collectively to all senders in the group.
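The count-and-compare scheme described in the abstract can be sketched as follows. This is an added example, not code from the patent or from any product: the class and method names, the limits and the documentation-range addresses are assumptions, and the comparisons follow claim 1 (at or below the maximum keeps normal behaviour), with the new event counted before the comparison.

```python
import ipaddress


class WindowCounter:
    """A count that starts over once its time period has expired."""

    def __init__(self, period):
        self.period, self.start, self.count = period, None, 0

    def add(self, now):
        if self.start is None or now - self.start >= self.period:
            self.start, self.count = now, 0
        self.count += 1
        return self.count


class SenderGroupLimiter:
    """Hypothetical per-sender-group limiter; all names here are illustrative."""

    def __init__(self, groups, valid_rcpts, max_conns=2, max_rcpts=10,
                 rcpt_period=60, max_invalid=2, invalid_period=3600):
        self.groups = [ipaddress.ip_network(g) for g in groups]
        self.valid_rcpts = {r.lower() for r in valid_rcpts}
        self.max_conns, self.max_rcpts, self.max_invalid = max_conns, max_rcpts, max_invalid
        self.rcpt_period, self.invalid_period = rcpt_period, invalid_period
        self.conns = {}    # sender id -> open connections
        self.rcpts = {}    # sender id -> WindowCounter of recipients
        self.invalid = {}  # sender id -> WindowCounter of invalid recipients

    def sender_id(self, ip):
        """Map a peer address to its configured CIDR block, so every host in
        the block shares one set of counters; ungrouped hosts stand alone."""
        addr = ipaddress.ip_address(ip)
        for net in self.groups:
            if addr in net:
                return net
        return ipaddress.ip_network(ip)  # single-host /32 or /128

    def on_connect(self, ip):
        sid = self.sender_id(ip)
        if self.conns.get(sid, 0) + 1 > self.max_conns:
            return "reject-connection"
        self.conns[sid] = self.conns.get(sid, 0) + 1
        return "accept-connection"

    def on_disconnect(self, ip):
        sid = self.sender_id(ip)
        self.conns[sid] = max(0, self.conns.get(sid, 0) - 1)

    def on_rcpt(self, ip, rcpt, now):
        sid = self.sender_id(ip)
        seen = self.rcpts.setdefault(sid, WindowCounter(self.rcpt_period))
        if seen.add(now) > self.max_rcpts:
            return "refuse-until-period-expires"
        if rcpt.lower() in self.valid_rcpts:
            return "accept"
        bad = self.invalid.setdefault(sid, WindowCounter(self.invalid_period))
        if bad.add(now) <= self.max_invalid:
            return "reject-with-response"  # e.g. an SMTP 550 reply
        # Past the maximum: no rejection response is sent, so the replies
        # stop confirming which addresses are invalid.
        return "drop-silently"


def demo():
    """Constructed traffic from documentation address ranges."""
    mta = SenderGroupLimiter(["192.0.2.0/24"], ["alice@example.com"])
    conns = [mta.on_connect(ip) for ip in
             ("192.0.2.10", "192.0.2.200", "192.0.2.77", "198.51.100.7")]
    probes = [("192.0.2.10", "aaron@example.com", 0),
              ("192.0.2.200", "abby@example.com", 1),
              ("192.0.2.77", "adam@example.com", 2),
              ("192.0.2.10", "alice@example.com", 3),
              ("192.0.2.10", "aaron@example.com", 3700)]
    rcpts = [mta.on_rcpt(ip, rcpt, t) for ip, rcpt, t in probes]
    return conns, rcpts


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Because the counters are keyed by the CIDR block rather than the single address, probes spread across hosts in 192.0.2.0/24 exhaust one shared budget.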
46 Claims
2. A method for managing connections for receiving electronic messages at a server, comprising:
receiving at said server a plurality of connections; identifying a particular sender identifier of a plurality of sender identifiers, wherein said particular sender identifier is associated with at least one connection of said plurality of connections; receiving a plurality of email messages at the server; for at least one email message from said plurality of email messages, determining a set of recipient email addresses to which said at least one email message was addressed and determining a set of recipient identifiers that are associated with said set of recipient email addresses; and for each recipient identifier in said set of recipient identifiers inspecting a mapping to identify a particular action from a plurality of actions, and based on said mapping, processing said at least one email message according to the particular action; wherein said mapping associates said plurality of recipient identifiers with said plurality of actions; based on said plurality of connections, determining a number of connections that are associated with said particular sender identifier; receiving at said server an incoming connection that is associated with said particular sender identifier; based on said number of connections satisfying a specified relationship with a specified number of connections, accepting said incoming connection; and based on said number of connections not satisfying said specified relationship with said specified number of connections, rejecting said incoming connection; wherein said number of connections satisfies said specified relationship with said specified number of connections when said number of connections is less than or equal to said specified number of connections; wherein said particular sender identifier is selected from the group consisting of a classless inter-domain routing (CIDR) block, and a partial CIDR block; based on a particular recipient identifier matching a specified recipient identifier, processing said electronic message even 
though said number of connections does not satisfy said specified relationship with said specified number of connections; wherein the method is performed by one or more computing devices. - View Dependent Claims (3, 4, 5)
6. A method for managing a plurality of electronic messages received at a server, comprising:
determining message information for said plurality of electronic messages; based on said message information, determining a particular sender identifier of a plurality of sender identifiers, wherein said particular sender identifier is associated with at least one electronic message of said plurality of electronic messages; based on said at least one electronic message, determining a current value that is associated with said particular sender identifier; and based on said current value satisfying a specified relationship with a specified value, limiting how many electronic messages that are associated with said particular sender identifier are accepted by said server; for said at least one electronic message, determining a set of recipient email addresses to which said at least one email message was addressed and determining a set of recipient identifiers that are associated with said set of recipient email addresses; for each recipient identifier in said set of recipient identifiers inspecting a mapping to identify a particular action from a plurality of actions, and based on said mapping, processing said at least one email message according to the particular action; wherein said mapping associates said plurality of recipient identifiers with said plurality of actions; wherein said particular sender identifier is selected from the group consisting of a classless inter-domain routing (CIDR) block, and a partial CIDR block; based on a particular recipient identifier matching a specified recipient identifier, processing said electronic message even though said number of connections does not satisfy said specified relationship with said specified number of connections; wherein the method is performed by one or more computing devices. - View Dependent Claims (7, 8, 9, 10, 11)
12. A method for limiting a directory harvest attack against a server, comprising:
accepting a plurality of electronic messages that are associated with a plurality of sender identifiers; identifying a particular sender identifier of said plurality of sender identifiers, wherein said particular sender identifier is associated with a subset of electronic messages of said plurality of electronic messages; based on said subset of electronic messages, determining a current value that is based on those electronic messages that are addressed to one or more invalid recipient electronic addresses for said server; receiving an additional electronic message that is associated with said particular sender identifier; determining that said additional electronic message is addressed to one or more invalid recipient electronic addresses for said server; based on said current value satisfying a specified relationship with a specified value, generating and sending a message rejection response to a sender of said additional electronic message; and based on said current value not satisfying said specified relationship with said specified value, dropping at least said additional electronic message without sending said message rejection response to said sender; for said at least one electronic message, determining a set of recipient email addresses to which said at least one email message was addressed and determining a set of recipient identifiers that are associated with said set of recipient email addresses; for each recipient identifier in said set of recipient identifiers inspecting a mapping to identify a particular action from a plurality of actions, and based on said mapping, processing said at least one email message according to the particular action; wherein said mapping associates said plurality of recipient identifiers with said plurality of actions; wherein said current value satisfies said specified relationship with said specified value when said current value is less than or equal to said specified value; wherein said particular sender identifier is 
selected from the group consisting of a classless inter-domain routing (CIDR) block, and a partial CIDR block; based on a particular recipient identifier matching a specified recipient identifier, processing said electronic message even though said number of connections does not satisfy said specified relationship with said specified number of connection; wherein the method is performed by one or more computing devices. - View Dependent Claims (13, 14, 15, 16)
17. A machine-readable non-transitory volatile or non-volatile storage medium storing one or more sequences of instructions for managing connections for receiving electronic messages at a server, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
receiving at said server a plurality of connections; identifying a particular sender identifier of a plurality of sender identifiers, wherein said particular sender identifier is associated with at least one connection of said plurality of connections; based on said plurality of connections, determining a number of connections that are associated with said particular sender identifier; receiving at said server an incoming connection that is associated with said particular sender identifier; based on said number of connections satisfying a specified relationship with a specified number of connections, accepting said incoming connection; and based on said number of connections not satisfying said specified relationship with said specified number of connections, rejecting said incoming connection; receiving a plurality of electronic messages; for at least one electronic message from the plurality of electronic messages, determining a set of recipient email addresses to which said at least one email message was addressed and determining a set of recipient identifiers that are associated with said set of recipient email addresses; for each recipient identifier in said set of recipient identifiers inspecting a mapping to identify a particular action from a plurality of actions, and based on said mapping, processing said at least one email message according to the particular action; wherein said mapping associates said plurality of recipient identifiers with said plurality of actions; wherein said particular sender identifier is selected from the group consisting of a classless inter-domain routing (CIDR) block, and a partial CIDR block; based on a particular recipient identifier matching a specified recipient identifier, processing said electronic message even though said number of connections does not satisfy said specified relationship with said specified number of connections. - View Dependent Claims (18, 19, 20)
21. A machine-readable non-transitory volatile or non-volatile storage medium storing one or more sequences of instructions for managing a plurality of electronic messages received at a server, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
determining message information for said plurality of electronic messages; based on said message information, determining a particular sender identifier of a plurality of sender identifiers, wherein said particular sender identifier is associated with at least one electronic message of said plurality of electronic messages; based on said at least one electronic message, determining a current value that is associated with said particular sender identifier; and based on said current value satisfying a specified relationship with a specified value, limiting how many electronic messages that are associated with said particular sender identifier are accepted by said server; for said at least one electronic message, determining a set of recipient email addresses to which said at least one email message was addressed and determining a set of recipient identifiers that are associated with said set of recipient email addresses; for each recipient identifier in said set of recipient identifiers inspecting a mapping to identify a particular action from a plurality of actions, and based on said mapping, processing said at least one email message according to the particular action; wherein said mapping associates said plurality of recipient identifiers with said plurality of actions; wherein said particular sender identifier is selected from the group consisting of a classless inter-domain routing (CIDR) block, and a partial CIDR block; based on a particular recipient identifier matching said specified recipient identifier, processing said electronic message even though said number of connections does not satisfy said specified relationship with said specified number of connections. - View Dependent Claims (22, 23, 24, 25, 26)
27. A machine-readable non-transitory volatile or non-volatile storage medium storing one or more sequences of instructions for limiting a directory harvest attack against a server, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
accepting a plurality of electronic messages that are associated with a plurality of sender identifiers; identifying a particular sender identifier of said plurality of sender identifiers, wherein said particular sender identifier is associated with a subset of electronic messages of said plurality of electronic messages; based on said subset of electronic messages, determining a current value that is based on those electronic messages that are addressed to one or more invalid recipient electronic addresses for said server; receiving an additional electronic message that is associated with said particular sender identifier; determining that said additional electronic message is addressed to one or more invalid recipient electronic addresses for said server; based on said current value satisfying a specified relationship with a specified value, generating and sending a message rejection response to a sender of said additional electronic message; and based on said current value not satisfying said specified relationship with said specified value, dropping at least said additional electronic message without sending said message rejection response to said sender; for at least one electronic message, determining a set of recipient email addresses to which said at least one email message was addressed and determining a set of recipient identifiers that are associated with said set of recipient email addresses; for each recipient identifier in said set of recipient identifiers inspecting a mapping to identify a particular action from a plurality of actions, and based on said mapping, processing said at least one email message according to the particular action; wherein said mapping associates said plurality of recipient identifiers with said plurality of actions; wherein said current value satisfies said specified relationship with said specified value when said current value is less than or equal to said specified value; wherein said particular sender identifier is 
selected from the group consisting of a classless inter-domain routing (CIDR) block, and a partial CIDR block; based on a particular recipient identifier matching a specified recipient identifier, processing said electronic message even though said number of connections does not satisfy said specified relationship with said specified number of connections. - View Dependent Claims (28, 29, 30, 31)
32. An apparatus comprising:
a processor; and a memory coupled to the processor, the memory containing one or more sequences of instructions for managing connections for receiving electronic messages at a server, wherein execution of the one or more sequences of instructions by the processor causes the processor to perform the steps of; receiving at said server a plurality of connections; identifying a particular sender identifier of a plurality of sender identifiers, wherein said particular sender identifier is associated with at least one connection of said plurality of connections; based on said plurality of connections, determining a number of connections that are associated with said particular sender identifier; receiving at said server an incoming connection that is associated with said particular sender identifier; based on said number of connections satisfying a specified relationship with a specified number of connections, accepting said incoming connection; and based on said number of connections not satisfying said specified relationship with said specified number of connections, rejecting said incoming connection; receiving a plurality of electronic messages; for at least one electronic message from the plurality of electronic messages, determining a set of recipient email addresses to which said at least one email message was addressed and determining a set of recipient identifiers that are associated with said set of recipient email addresses; for each recipient identifier in said set of recipient identifiers inspecting a mapping to identify a particular action from a plurality of actions, and based on said mapping, processing said at least one email message according to the particular action; wherein said mapping associates said plurality of recipient identifiers with said plurality of actions; wherein said particular sender identifier is selected from the group consisting of a classless inter-domain routing (CIDR) block, and a partial CIDR block; based on a particular 
recipient identifier matching a specified recipient identifier, processing said electronic message even though said number of connections does not satisfy said specified relationship with said specified number of connections. - View Dependent Claims (33, 34, 35)
36. An apparatus comprising:
a processor; and a memory coupled to the processor, the memory containing one or more sequences of instructions for managing a plurality of electronic messages received at a server, wherein execution of the one or more sequences of instructions by the processor causes the processor to perform the steps of; determining message information for said plurality of electronic messages; based on said message information, determining a particular sender identifier of a plurality of sender identifiers, wherein said particular sender identifier is associated with at least one electronic message of said plurality of electronic messages; based on said at least one electronic message, determining a current value that is associated with said particular sender identifier; and based on said current value satisfying a specified relationship with a specified value, limiting how many electronic messages that are associated with said particular sender identifier are accepted by said server; for said at least one electronic message from the plurality of email messages, determining a set of recipient email addresses to which said at least one email message was addressed and determining a set of recipient identifiers that are associated with said set of recipient email addresses; for each recipient identifier in said set of recipient identifiers inspecting a mapping to identify a particular action from a plurality of actions, and based on said mapping, processing said at least one email message according to the particular action; wherein said mapping associates said plurality of recipient identifiers with said plurality of actions; wherein said particular sender identifier is selected from the group consisting of a classless inter-domain routing (CIDR) block, and a partial CIDR block; based on a particular recipient identifier matching a specified recipient identifier, processing said electronic message even though said number of connections does not satisfy said specified relationship 
with said specified number of connections. - View Dependent Claims (37, 38, 39, 40, 41)
42. An apparatus comprising:
a processor; and a memory coupled to the processor, the memory containing one or more sequences of instructions for limiting a directory harvest attack against a server, wherein execution of the one or more sequences of instructions by the processor causes the processor to perform the steps of; accepting a plurality of electronic messages that are associated with a plurality of sender identifiers; identifying a particular sender identifier of said plurality of sender identifiers, wherein said particular sender identifier is associated with a subset of electronic messages of said plurality of electronic messages; based on said subset of electronic messages, determining a current value that is based on those electronic messages that are addressed to one or more invalid recipient electronic addresses for said server; receiving an additional electronic message that is associated with said particular sender identifier; determining that said additional electronic message is addressed to one or more invalid recipient electronic addresses for said server; based on said current value satisfying a specified relationship with a specified value, generating and sending a message rejection response to a sender of said additional electronic message; and based on said current value not satisfying said specified relationship with said specified value, dropping at least said additional electronic message without sending said message rejection response to said sender; for at least one electronic message from the plurality of email messages, determining a set of recipient email addresses to which said at least one email message was addressed and determining a set of recipient identifiers that are associated with said set of recipient email addresses; for each recipient identifier in said set of recipient identifiers inspecting a mapping to identify a particular action from a plurality of actions, and based on said mapping, processing said at least one email message according to the 
particular action; wherein said mapping associates said plurality of recipient identifiers with said plurality of actions; wherein said current value satisfies said specified relationship with said specified value when said current value is less than or equal to said specified value; wherein said particular sender identifier is selected from the group consisting of a classless inter-domain routing (CIDR) block, and a partial CIDR block; based on a particular recipient identifier matching a specified recipient identifier, processing said electronic message even though said number of connections does not satisfy said specified relationship with said specified number of connections. - View Dependent Claims (43, 44, 45, 46)
Specification