Managing connections, messages, and directory harvest attacks at a server

US 7,849,142 B2
Filed: 05/27/2005
Issued: 12/07/2010
Est. Priority Date: 05/29/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A method for managing a mail transfer agent (MTA), comprising:

based on a plurality of connections received at said MTA, determining a number of connections that are associated with a first sender identifier;

based on said number of connections being less than or equal to a specified number of connections, accepting an additional connection that is associated with said first sender identifier;

based on said number of connections being greater than said specified number of connections, rejecting said additional connection;

determining message information for a plurality of email messages that are received at said MTA;

based on said message information, determining that a second sender identifier of said plurality of sender identifiers is associated with at least one email message of said plurality of email messages;

based on said at least one email message, determining a number of recipients of email messages that are associated with said second sender identifier and that are being received at said MTA in a first time period; and

based on said number of recipients of email messages being greater than a maximum number of recipients of email messages,refusing to accept email messages that are associated with said second sender identifier until said first time period expires; and

after expiration of said first time period of time, accepting email messages that are associated with said second sender identifier;

determining that a third sender identifier of said plurality of sender identifiers is associated with a subset of email messages of said plurality of email messages;

based on said subset of email messages, determining a number of invalid recipient email addresses for a second time period;

receiving an additional email message that is associated with said third sender identifier;

determining that said additional email message is addressed to one or more invalid recipient email addresses for said MTA;

based on said number of invalid recipient email addresses being less than or equal to a maximum number of invalid recipient email addresses, generating and sending a message rejection response for said additional email message; and

based on said number of invalid recipient email addresses being greater than said maximum number of invalid recipient email addresses,dropping said additional email message without sending said message rejection response; and

after expiration of said second time period, accepting one or more additional email messages that are both associated with said third sender identifier and addressed to one or more invalid recipient email addresses for said MTA; and

for at least one electronic message from the plurality of email messages, determining a set of recipient email addresses to which said at least one email message was addressed and determining a set of recipient identifiers that are associated with said set of recipient email addresses;

for each recipient identifier in said set of recipient identifiers inspecting a mapping to identify a particular action from a plurality of actions, and based on said mapping, processing said at least one email message according to the particular action;

wherein said mapping associates said plurality of recipient identifiers with said plurality of actions;

wherein said first sender identifier, said second sender identifier, and said third sender identifier are each selected from the group consisting of a classless inter-domain routing (CIDR) block, and a partial CIDR block;

based on a particular recipient identifier matching a specified recipient identifier, processing said electronic message even though said number of connections does not satisfy said specified relationship with said specified number of connections;

wherein the method is performed by one or more computing devices.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for managing connections, email messages, and directory harvest attacks at a server is disclosed. The server maintains a count of a parameter and compares the count to a specified maximum value, such that when the specified maximum value is met or exceeded, an action is taken by the server to limit the connections, email messages, or directory harvest attack. Actions include controlling the number of connections to the server from senders, controlling the flow of email messages injected to the server by senders, and controlling when rejection response messages are sent for invalid recipient email addresses to thwart a directory harvest attack. Senders are identified by one or more sender identifiers, which can be used to group senders together so that the same maximum value is applied collectively to all senders in the group.

268 Citations

46 Claims

1. A method for managing a mail transfer agent (MTA), comprising:
- based on a plurality of connections received at said MTA, determining a number of connections that are associated with a first sender identifier;
  
  based on said number of connections being less than or equal to a specified number of connections, accepting an additional connection that is associated with said first sender identifier;
  
  based on said number of connections being greater than said specified number of connections, rejecting said additional connection;
  
  determining message information for a plurality of email messages that are received at said MTA;
  
  based on said message information, determining that a second sender identifier of said plurality of sender identifiers is associated with at least one email message of said plurality of email messages;
  
  based on said at least one email message, determining a number of recipients of email messages that are associated with said second sender identifier and that are being received at said MTA in a first time period; and
  
  based on said number of recipients of email messages being greater than a maximum number of recipients of email messages,refusing to accept email messages that are associated with said second sender identifier until said first time period expires; and
  
  after expiration of said first time period of time, accepting email messages that are associated with said second sender identifier;
  
  determining that a third sender identifier of said plurality of sender identifiers is associated with a subset of email messages of said plurality of email messages;
  
  based on said subset of email messages, determining a number of invalid recipient email addresses for a second time period;
  
  receiving an additional email message that is associated with said third sender identifier;
  
  determining that said additional email message is addressed to one or more invalid recipient email addresses for said MTA;
  
  based on said number of invalid recipient email addresses being less than or equal to a maximum number of invalid recipient email addresses, generating and sending a message rejection response for said additional email message; and
  
  based on said number of invalid recipient email addresses being greater than said maximum number of invalid recipient email addresses,dropping said additional email message without sending said message rejection response; and
  
  after expiration of said second time period, accepting one or more additional email messages that are both associated with said third sender identifier and addressed to one or more invalid recipient email addresses for said MTA; and
  
  for at least one electronic message from the plurality of email messages, determining a set of recipient email addresses to which said at least one email message was addressed and determining a set of recipient identifiers that are associated with said set of recipient email addresses;
  
  for each recipient identifier in said set of recipient identifiers inspecting a mapping to identify a particular action from a plurality of actions, and based on said mapping, processing said at least one email message according to the particular action;
  
  wherein said mapping associates said plurality of recipient identifiers with said plurality of actions;
  
  wherein said first sender identifier, said second sender identifier, and said third sender identifier are each selected from the group consisting of a classless inter-domain routing (CIDR) block, and a partial CIDR block;
  
  based on a particular recipient identifier matching a specified recipient identifier, processing said electronic message even though said number of connections does not satisfy said specified relationship with said specified number of connections;
  
  wherein the method is performed by one or more computing devices.

2. A method for managing connections for receiving electronic messages at a server, comprising:
- receiving at said server a plurality of connections;
  
  identifying a particular sender identifier of a plurality of sender identifiers, wherein said particular sender identifier is associated with at least one connection of said plurality of connections;
  
  receiving a plurality of email messages at the server;
  
  for at least one email message from said plurality of email messages, determining a set of recipient email addresses to which said at least one email message was addressed and determining a set of recipient identifiers that are associated with said set of recipient email addresses; and
  
  for each recipient identifier in said set of recipient identifiers inspecting a mapping to identify a particular action from a plurality of actions, and based on said mapping, processing said at least one email message according to the particular action;
  
  wherein said mapping associates said plurality of recipient identifiers with said plurality of actions;
  
  based on said plurality of connections, determining a number of connections that are associated with said particular sender identifier;
  
  receiving at said server an incoming connection that is associated with said particular sender identifier;
  
  based on said number of connections satisfying a specified relationship with a specified number of connections, accepting said incoming connection; and
  
  based on said number of connections not satisfying said specified relationship with said specified number of connections, rejecting said incoming connection;
  
  wherein said number of connections satisfies said specified relationship with said specified number of connections when said number of connections is less than or equal to said specified number of connections;
  
  wherein said particular sender identifier is selected from the group consisting of a classless inter-domain routing (CIDR) block, and a partial CIDR block;
  
  based on a particular recipient identifier matching a specified recipient identifier, processing said electronic message even though said number of connections does not satisfy said specified relationship with said specified number of connections;
  
  wherein the method is performed by one or more computing devices.
- View Dependent Claims (3, 4, 5)
- - 3. The method as recited in claim 2, wherein:
    - said particular sender identifier is a group sender identifier that is associated with a first sender identifier and a second sender identifier; and
      
      both said first sender identifier and said second sender identifier are selected from the group consisting of a network address, an Internet Protocol (IP) address, a partial IP address, a first range of IP addresses, a primary domain, a subdomain, a fully qualified domain name (FQDN), a partial FQDN, a classless inter-domain routing (CIDR) block, a partial CIDR block, a subnet, an organization identifier, a network owner, a reputation score, and a second range of reputation scores.
  - 4. The method as recited in claim 2, wherein:
    - accepting said incoming connection comprises;
      
      creating an additional connection based on said incoming connection; and
      
      accepting one or more electronic messages over said additional connection;
      
      rejecting said incoming connection comprises;
      
      creating said additional connection based on said incoming connection;
      
      refusing to accept any electronic messages over said additional connection; and
      
      terminating said additional connection.
  - 5. The method as recited in claim 2, wherein rejecting said incoming connection further comprises:
    - creating an additional connection based on said incoming connection;
      
      based on an electronic message that is received over said additional connection, identifying an additional particular recipient identifier of a plurality of recipient identifiers;
      
      inspecting a mapping to identify an action of a plurality of actions, wherein said mapping associates said plurality of recipient identifiers with said plurality of actions, and wherein said action is associated said additional recipient identifier of said plurality of recipient identifiers;
      
      based on said additional particular recipient identifier matching said additional specified recipient identifier, processing said electronic message even though said number of connections does not satisfy said specified relationship with said specified number of connections; and
      
      based on said additional particular recipient identifier not matching said additional specified recipient identifier, dropping said electronic message and terminating said additional connection;
      
      wherein said number of connections satisfies said specified relationship with said specified number of connections when said number of connections is less than or equal to said specified number of connections.

6. A method for managing a plurality of electronic messages received at a server, comprising:
- determining message information for said plurality of electronic messages;
  
  based on said message information, determining a particular sender identifier of a plurality of sender identifiers, wherein said particular sender identifier is associated with at least one electronic message of said plurality of electronic messages;
  
  based on said at least one electronic message, determining a current value that is associated with said particular sender identifier; and
  
  based on said current value satisfying a specified relationship with a specified value, limiting how many electronic messages that are associated with said particular sender identifier are accepted by said server;
  
  for said at least one electronic message, determining a set of recipient email addresses to which said at least one email message was addressed and determining a set of recipient identifiers that are associated with said set of recipient email addresses;
  
  for each recipient identifier in said set of recipient identifiers inspecting a mapping to identify a particular action from a plurality of actions, and based on said mapping, processing said at least one email message according to the particular action;
  
  wherein said mapping associates said plurality of recipient identifiers with said plurality of actions;
  
  wherein said particular sender identifier is selected from the group consisting of a classless inter-domain routing (CIDR) block, and a partial CIDR block;
  
  based on a particular recipient identifier matching a specified recipient identifier, processing said electronic message even though said number of connections does not satisfy said specified relationship with said specified number of connections;
  
  wherein the method is performed by one or more computing devices.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The method as recited in claim 6, wherein:
    - said particular sender identifier is a group sender identifier that is associated with a first sender identifier and a second sender identifier; and
      
      both said first sender identifier and said second sender identifier are selected from the group consisting of a network address, an Internet Protocol (IP) address, a partial IP address, a first range of IP addresses, a primary domain, a subdomain, a fully qualified domain name (FQDN), a partial FQDN, a classless inter-domain routing (CIDR) block, a partial CIDR block, a subnet, an organization identifier, a network owner, a reputation score, and a second range of reputation scores.
  - 8. The method as recited in claim 6, wherein:
    - said current value is a number of recipients of electronic messages that are received at said server in a current time period and that are associated with said particular sender identifier;
      
      said specified value is a maximum number of recipients of electronic messages; and
      
      said current value satisfies said specified relationship with said specified value when said number of recipients of electronic messages is less than or equal to said maximum number of recipients of electronic messages;
      
      wherein said current time period is one minute.
  - 9. The method as recited in claim 8, wherein limiting how many electronic messages are accepted from said at least one network address comprises:
    - refusing to accept electronic messages from said at least one network address until said current time period expires; and
      
      after expiration of said current time period of time, accepting one or more additional electronic messages from said at least one network address.
  - 10. The method as recited in claim 6, wherein:
    - said current value is a number of electronic messages that are received at said server and that are associated with said particular sender identifier;
      
      said specified value is a maximum number of electronic messages; and
      
      said current value satisfies said specified relationship with said specified value when said number of electronic messages is less than or equal to said maximum number of electronic messages.
  - 11. The method as recited in claim 10, wherein:
    - said number of electronic messages is determined for a specified period of time; and
      
      limiting how many electronic messages that are associated with said particular sender identifier are accepted comprises;
      
      refusing to accept electronic messages that are associated with said particular sender identifier until said specified period of time has expired; and
      
      after expiration of said specified period of time, accepting electronic messages that are associated with said particular sender identifier.

12. A method for limiting a directory harvest attack against a server, comprising:
- accepting a plurality of electronic messages that are associated with a plurality of sender identifiers;
  
  identifying a particular sender identifier of said plurality of sender identifiers, wherein said particular sender identifier is associated with a subset of electronic messages of said plurality of electronic messages;
  
  based on said subset of electronic messages, determining a current value that is based on those electronic messages that are addressed to one or more invalid recipient electronic addresses for said server;
  
  receiving an additional electronic message that is associated with said particular sender identifier;
  
  determining that said additional electronic message is addressed to one or more invalid recipient electronic addresses for said server;
  
  based on said current value satisfying a specified relationship with a specified value, generating and sending a message rejection response to a sender of said additional electronic message; and
  
  based on said current value not satisfying said specified relationship with said specified value, dropping at least said additional electronic message without sending said message rejection response to said sender;
  
  for said at least one electronic message, determining a set of recipient email addresses to which said at least one email message was addressed and determining a set of recipient identifiers that are associated with said set of recipient email addresses;
  
  for each recipient identifier in said set of recipient identifiers inspecting a mapping to identify a particular action from a plurality of actions, and based on said mapping, processing said at least one email message according to the particular action;
  
  wherein said mapping associates said plurality of recipient identifiers with said plurality of actions;
  
  wherein said current value satisfies said specified relationship with said specified value when said current value is less than or equal to said specified value;
  
  wherein said particular sender identifier is selected from the group consisting of a classless inter-domain routing (CIDR) block, and a partial CIDR block;
  
  based on a particular recipient identifier matching a specified recipient identifier, processing said electronic message even though said number of connections does not satisfy said specified relationship with said specified number of connection;
  
  wherein the method is performed by one or more computing devices.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The method as recited in claim 12, wherein:
    - said particular sender identifier is a group sender identifier that is associated with a first sender identifier and a second sender identifier; and
      
      both said first sender identifier and said second sender identifier are selected from the group consisting of a network address, an Internet Protocol (IP) address, a partial IP address, a first range of IP addresses, a primary domain, a subdomain, a fully qualified domain name (FQDN), a partial FQDN, a classless inter-domain routing (CIDR) block, a partial CIDR block, a subnet, an organization identifier, a network owner, a reputation score, and a second range of reputation scores.
  - 14. The method as recited in claim 12, wherein:
    - said current value is a number of invalid recipient electronic addresses that are received at said server in a current time period and that are associated with said particular sender identifier;
      
      said specified value is a maximum number of invalid recipient electronic addresses;
      
      said current value satisfies said specified relationship with said specified value when said number of invalid recipient electronic addresses is less than or equal to said maximum number of invalid recipient electronic addresses; and
      
      said current value does not satisfy said specified relationship with said specified value when said number of invalid recipient electronic addresses is greater than said maximum number of invalid recipient electronic addresses;
      
      wherein said current time period is one minute.
  - 15. The method as recited in claim 14, wherein dropping at least said additional electronic message comprises:
    - dropping said additional electronic message and any other additional electronic messages that are associated with said particular sender identifier until said current time period expires; and
      
      after expiration of said current time period, accepting one or more electronic messages that are both associated with said particular sender identifier and that are addressed to one or more invalid recipient electronic addresses for said server.
  - 16. The method as recited in claim 12, wherein:
    - determining that said additional electronic message is addressed to one or more invalid recipient electronic addresses for said server comprises determining that said additional electronic message is addressed to one or more invalid recipient electronic addresses for said server after completion of a simple mail transfer protocol (SMTP) conversation between said server and said sender of said additional electronic message;
      
      generating said message rejection response for said additional electronic message comprises generating a message rejection electronic message for additional electronic message after completion of said SMTP conversation; and
      
      dropping said additional electronic message comprises dropping said additional electronic message after completion of said SMTP conversation.

17. A machine-readable non-transitory volatile or non-volatile storage medium storing one or more sequences of instructions for managing connections for receiving electronic messages at a server, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
- receiving at said server a plurality of connections;
  
  identifying a particular sender identifier of a plurality of sender identifiers, wherein said particular sender identifier is associated with at least one connection of said plurality of connections;
  
  based on said plurality of connections, determining a number of connections that are associated with said particular sender identifier;
  
  receiving at said server an incoming connection that is associated with said particular sender identifier;
  
  based on said number of connections satisfying a specified relationship with a specified number of connections, accepting said incoming connection; and
  
  based on said number of connections not satisfying said specified relationship with said specified number of connections, rejecting said incoming connection;
  
  receiving a plurality of electronic messages;
  
  for at least one electronic message from the plurality of electronic messages, determining a set of recipient email addresses to which said at least one email message was addressed and determining a set of recipient identifiers that are associated with said set of recipient email addresses;
  
  for each recipient identifier in said set of recipient identifiers inspecting a mapping to identify a particular action from a plurality of actions, and based on said mapping, processing said at least one email message according to the particular action;
  
  wherein said mapping associates said plurality of recipient identifiers with said plurality of actions;
  
  wherein said particular sender identifier is selected from the group consisting of a classless inter-domain routing (CIDR) block, and a partial CIDR block;
  
  based on a particular recipient identifier matching a specified recipient identifier, processing said electronic message even though said number of connections does not satisfy said specified relationship with said specified number of connections.
- View Dependent Claims (18, 19, 20)
- - 18. The machine-readable medium as recited in claim 17, wherein:
    - said particular sender identifier is a group sender identifier that is associated with a first sender identifier and a second sender identifier; and
      
      both said first sender identifier and said second sender identifier are selected from the group consisting of a network address, an Internet Protocol (IP) address, a partial IP address, a first range of IP addresses, a primary domain, a subdomain, a fully qualified domain name (FQDN), a partial FQDN, a classless inter-domain routing (CIDR) block, a partial CIDR block, a subnet, an organization identifier, a network owner, a reputation score, and a second range of reputation scores.
  - 19. The machine-readable medium as recited in claim 17, wherein:
    - wherein the instructions for accepting said incoming connection further comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of;
      
      creating an additional connection based on said incoming connection; and
      
      accepting one or more electronic messages over said additional connection;
      
      wherein the instructions for rejecting said incoming connection further comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of;
      
      creating said additional connection based on said incoming connection;
      
      refusing to accept any electronic messages over said additional connection; and
      
      terminating said additional connection.
  - 20. The machine-readable medium as recited in claim 17, wherein the instructions for rejecting said incoming connection further comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of:
    - creating an additional connection based on said incoming connection;
      
      based on an electronic message that is received over said additional connection, identifying an additional particular recipient identifier of a plurality of recipient identifiers;
      
      inspecting a mapping to identify an action of a plurality of actions, wherein said mapping associates said plurality of recipient identifiers with said plurality of actions, and wherein said action is associated with said additional specified recipient identifier of said plurality of recipient identifiers;
      
      based on said additional particular recipient identifier matching said additional specified recipient identifier, processing said electronic message even though said number of connections does not satisfy said specified relationship with said specified number of connections; and
      
      based on said additional particular recipient identifier not matching said additional specified recipient identifier, dropping said electronic message and terminating said additional connection.

21. A machine-readable non-transitory volatile or non-volatile storage medium storing one or more sequences of instructions for managing a plurality of electronic messages received at a server, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
- determining message information for said plurality of electronic messages;
  
  based on said message information, determining a particular sender identifier of a plurality of sender identifiers, wherein said particular sender identifier is associated with at least one electronic message of said plurality of electronic messages;
  
  based on said at least one electronic message, determining a current value that is associated with said particular sender identifier; and
  
  based on said current value satisfying a specified relationship with a specified value, limiting how many electronic messages that are associated with said particular sender identifier are accepted by said server;
  
  for said at least one electronic message, determining a set of recipient email addresses to which said at least one email message was addressed and determining a set of recipient identifiers that are associated with said set of recipient email addresses;
  
  for each recipient identifier in said set of recipient identifiers inspecting a mapping to identify a particular action from a plurality of actions, and based on said mapping, processing said at least one email message according to the particular action;
  
  wherein said mapping associates said plurality of recipient identifiers with said plurality of actions;
  
  wherein said particular sender identifier is selected from the group consisting of a classless inter-domain routing (CIDR) block, and a partial CIDR block;
  
  based on a particular recipient identifier matching said specified recipient identifier, processing said electronic message even though said number of connections does not satisfy said specified relationship with said specified number of connections.
- View Dependent Claims (22, 23, 24, 25, 26)
- - 22. The machine-readable medium as recited in claim 21, wherein:
    - said particular sender identifier is a group sender identifier that is associated with a first sender identifier and a second sender identifier; and
      
      both said first sender identifier and said second sender identifier are selected from the group consisting of a network address, an Internet Protocol (IP) address, a partial IP address, a first range of IP addresses, a primary domain, a subdomain, a fully qualified domain name (FQDN), a partial FQDN, a classless inter-domain routing (CIDR) block, a partial CIDR block, a subnet, an organization identifier, a network owner, a reputation score, and a second range of reputation scores.
  - 23. The machine-readable medium as recited in claim 21, wherein:
    - said current value is a number of recipients of electronic messages that are received at said server in a current time period and that are associated with said particular sender identifier;
      
      said specified value is a maximum number of recipients of electronic messages; and
      
      said current value satisfies said specified relationship with said specified value when said number of recipients of electronic messages is less than or equal to said maximum number of recipients of electronic messages;
      
      wherein said current time period is one minute.
  - 24. The machine-readable medium as recited in claim 23, wherein the instructions for limiting how many electronic messages are accepted from said at least one network address further comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of:
    - refusing to accept electronic messages from said at least one network address until said current time period expires; and
      
      after expiration of said current time period of time, accepting one or more additional electronic messages from said at least one network address.
  - 25. The machine-readable medium as recited in claim 21, wherein:
    - said current value is a number of electronic messages that are received at said server and that are associated with said particular sender identifier;
      
      said specified value is a maximum number of electronic messages; and
      
      said current value satisfies said specified relationship with said specified value when said number of electronic messages is less than or equal to said maximum number of electronic messages.
  - 26. The machine-readable medium as recited in claim 25, wherein:
    - said number of electronic messages is determined for a specified period of time; and
      
      the instructions for limiting how many electronic messages that are associated with said particular sender identifier are accepted further comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of;
      
      refusing to accept electronic messages that are associated with said particular sender identifier until said specified period of time has expired; and
      
      after expiration of said specified period of time, accepting electronic messages that are associated with said particular sender identifier.

27. A machine-readable non-transitory volatile or non-volatile storage medium storing one or more sequences of instructions for limiting a directory harvest attack against a server, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
- accepting a plurality of electronic messages that are associated with a plurality of sender identifiers;
  
  identifying a particular sender identifier of said plurality of sender identifiers, wherein said particular sender identifier is associated with a subset of electronic messages of said plurality of electronic messages;
  
  based on said subset of electronic messages, determining a current value that is based on those electronic messages that are addressed to one or more invalid recipient electronic addresses for said server;
  
  receiving an additional electronic message that is associated with said particular sender identifier;
  
  determining that said additional electronic message is addressed to one or more invalid recipient electronic addresses for said server;
  
  based on said current value satisfying a specified relationship with a specified value, generating and sending a message rejection response to a sender of said additional electronic message; and
  
  based on said current value not satisfying said specified relationship with said specified value, dropping at least said additional electronic message without sending said message rejection response to said sender;
  
  for at least one electronic message, determining a set of recipient email addresses to which said at least one email message was addressed and determining a set of recipient identifiers that are associated with said set of recipient email addresses;
  
  for each recipient identifier in said set of recipient identifiers inspecting a mapping to identify a particular action from a plurality of actions, and based on said mapping, processing said at least one email message according to the particular action;
  
  wherein said mapping associates said plurality of recipient identifiers with said plurality of actions;
  
  wherein said current value satisfies said specified relationship with said specified value when said current value is less than or equal to said specified value;
  
  wherein said particular sender identifier is selected from the group consisting of a classless inter-domain routing (CIDR) block, and a partial CIDR block;
  
  based on a particular recipient identifier matching a specified recipient identifier, processing said electronic message even though said number of connections does not satisfy said specified relationship with said specified number of connections.
- View Dependent Claims (28, 29, 30, 31)
- - 28. The machine-readable medium as recited in claim 27, wherein:
    - said particular sender identifier is a group sender identifier that is associated with a first sender identifier and a second sender identifier; and
      
      both said first sender identifier and said second sender identifier are selected from the group consisting of a network address, an Internet Protocol (IP) address, a partial IP address, a first range of IP addresses, a primary domain, a subdomain, a fully qualified domain name (FQDN), a partial FQDN, a classless inter-domain routing (CIDR) block, a partial CIDR block, a subnet, an organization identifier, a network owner, a reputation score, and a second range of reputation scores.
  - 29. The machine-readable medium as recited in claim 27, wherein:
    - said current value is a number of invalid recipient electronic addresses that are received at said server in a current time period and that are associated with said particular sender identifier;
      
      said specified value is a maximum number of invalid recipient electronic addresses;
      
      said current value satisfies said specified relationship with said specified value when said number of invalid recipient electronic addresses is less than or equal to said maximum number of invalid recipient electronic addresses; and
      
      said current value does not satisfy said specified relationship with said specified value when said number of invalid recipient electronic addresses is greater than said maximum number of invalid recipient electronic addresses;
      
      wherein said current time period is one minute.
  - 30. The machine-readable medium as recited in claim 29, wherein the instructions for dropping at least said additional electronic message further comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of:
    - dropping said additional electronic message and any other additional electronic messages that are associated with said particular sender identifier until said current time period expires; and
      
      after expiration of said current time period, accepting one or more electronic messages that are both associated with said particular sender identifier and that are addressed to one or more invalid recipient electronic addresses for said server.
  - 31. The machine-readable medium as recited in claim 27:
    - wherein the instructions for determining that said additional electronic message is addressed to one or more invalid recipient electronic addresses for said server further comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the step of determining that said additional electronic message is addressed to one or more invalid recipient electronic addresses for said server after completion of a simple mail transfer protocol (SMTP) conversation between said server and said sender of said additional electronic message;
      
      wherein the instructions for generating said message rejection response for said additional electronic message further comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the step of generating said message rejection response for said additional electronic message comprises generating a message rejection electronic message for additional electronic message after completion of said SMTP conversation; and
      
      wherein the instructions for dropping said additional electronic message further comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the step of dropping said additional electronic message comprises dropping said additional electronic message after completion of said SMTP conversation.

32. An apparatus comprising:
- a processor; and
  
  a memory coupled to the processor, the memory containing one or more sequences of instructions for managing connections for receiving electronic messages at a server, wherein execution of the one or more sequences of instructions by the processor causes the processor to perform the steps of;
  
  receiving at said server a plurality of connections;
  
  identifying a particular sender identifier of a plurality of sender identifiers, wherein said particular sender identifier is associated with at least one connection of said plurality of connections;
  
  based on said plurality of connections, determining a number of connections that are associated with said particular sender identifier;
  
  receiving at said server an incoming connection that is associated with said particular sender identifier;
  
  based on said number of connections satisfying a specified relationship with a specified number of connections, accepting said incoming connection; and
  
  based on said number of connections not satisfying said specified relationship with said specified number of connections, rejecting said incoming connection;
  
  receiving a plurality of electronic messages;
  
  for at least one electronic message from the plurality of electronic messages, determining a set of recipient email addresses to which said at least one email message was addressed and determining a set of recipient identifiers that are associated with said set of recipient email addresses;
  
  for each recipient identifier in said set of recipient identifiers inspecting a mapping to identify a particular action from a plurality of actions, and based on said mapping, processing said at least one email message according to the particular action;
  
  wherein said mapping associates said plurality of recipient identifiers with said plurality of actions;
  
  wherein said particular sender identifier is selected from the group consisting of a classless inter-domain routing (CIDR) block, and a partial CIDR block;
  
  based on a particular recipient identifier matching a specified recipient identifier, processing said electronic message even though said number of connections does not satisfy said specified relationship with said specified number of connections.
- View Dependent Claims (33, 34, 35)
- - 33. The apparatus as recited in claim 32, wherein:
    - said particular sender identifier is a group sender identifier that is associated with a first sender identifier and a second sender identifier; and
      
      both said first sender identifier and said second sender identifier are selected from the group consisting of a network address, an Internet Protocol (IP) address, a partial IP address, a first range of IP addresses, a primary domain, a subdomain, a fully qualified domain name (FQDN), a partial FQDN, a classless inter-domain routing (CIDR) block, a partial CIDR block, a subnet, an organization identifier, a network owner, a reputation score, and a second range of reputation scores.
  - 34. An The apparatus as recited in claim 32, wherein:
    - wherein the instructions for accepting said incoming connection further comprise instructions which, when executed by the processor, cause the processor to perform the steps of;
      
      creating an additional connection based on said incoming connection; and
      
      accepting one or more electronic messages over said additional connection;
      
      wherein the instructions for rejecting said incoming connection further comprise instructions which, when executed by the processor, cause the processor to perform the steps of;
      
      creating said additional connection based on said incoming connection;
      
      refusing to accept any electronic messages over said additional connection; and
      
      terminating said additional connection.
  - 35. The apparatus as recited in claim 32, wherein the instructions for rejecting said incoming connection further comprise instructions which, when executed by the processor, cause the processor to perform the steps of:
    - creating an additional connection based on said incoming connection;
      
      based on an electronic message that is received over said additional connection, identifying an additional particular recipient identifier of a plurality of recipient identifiers;
      
      inspecting a mapping to identify an action of a plurality of actions, wherein said mapping associates said plurality of recipient identifiers with said plurality of actions, and wherein said action is associated with an additional specified recipient identifier of said plurality of recipient identifiers;
      
      based on said additional particular recipient identifier matching said additional specified recipient identifier, processing said electronic message even though said number of connections does not satisfy said specified relationship with said specified number of connections; and
      
      based on said additional particular recipient identifier not matching said additional specified recipient identifier, dropping said electronic message and terminating said additional connection.

36. An apparatus comprising:
- a processor; and
  
  a memory coupled to the processor, the memory containing one or more sequences of instructions for managing a plurality of electronic messages received at a server, wherein execution of the one or more sequences of instructions by the processor causes the processor to perform the steps of;
  
  determining message information for said plurality of electronic messages;
  
  based on said message information, determining a particular sender identifier of a plurality of sender identifiers, wherein said particular sender identifier is associated with at least one electronic message of said plurality of electronic messages;
  
  based on said at least one electronic message, determining a current value that is associated with said particular sender identifier; and
  
  based on said current value satisfying a specified relationship with a specified value, limiting how many electronic messages that are associated with said particular sender identifier are accepted by said server;
  
  for said at least one electronic message from the plurality of email messages, determining a set of recipient email addresses to which said at least one email message was addressed and determining a set of recipient identifiers that are associated with said set of recipient email addresses;
  
  for each recipient identifier in said set of recipient identifiers inspecting a mapping to identify a particular action from a plurality of actions, and based on said mapping, processing said at least one email message according to the particular action;
  
  wherein said mapping associates said plurality of recipient identifiers with said plurality of actions;
  
  wherein said particular sender identifier is selected from the group consisting of a classless inter-domain routing (CIDR) block, and a partial CIDR block;
  
  based on a particular recipient identifier matching a specified recipient identifier, processing said electronic message even though said number of connections does not satisfy said specified relationship with said specified number of connections.
- View Dependent Claims (37, 38, 39, 40, 41)
- - 37. The apparatus as recited in claim 36, wherein:
    - said particular sender identifier is a group sender identifier that is associated with a first sender identifier and a second sender identifier; and
      
      both said first sender identifier and said second sender identifier are selected from the group consisting of a network address, an Internet Protocol (IP) address, a partial IP address, a first range of IP addresses, a primary domain, a subdomain, a fully qualified domain name (FQDN), a partial FQDN, a classless inter-domain routing (CIDR) block, a partial CIDR block, a subnet, an organization identifier, a network owner, a reputation score, and a second range of reputation scores.
  - 38. The apparatus as recited in claim 36, wherein:
    - said current value is a number of recipients of electronic messages that are received at said server in a current time period and that are associated with said particular sender identifier;
      
      said specified value is a maximum number of recipients of electronic messages; and
      
      said current value satisfies said specified relationship with said specified value when said number of recipients of electronic messages is less than or equal to said maximum number of recipients of electronic messages;
      
      wherein said current time period is one minute.
  - 39. The apparatus as recited in claim 38, wherein the instructions for limiting how many electronic messages are accepted from said at least one network address further comprise instructions which, when executed by the processor, cause the processor to perform the steps of:
    - refusing to accept electronic messages from said at least one network address until said current time period expires; and
      
      after expiration of said current time period of time, accepting one or more additional electronic messages from said at least one network address.
  - 40. The apparatus as recited in claim 36, wherein:
    - said current value is a number of electronic messages that are received at said server and that are associated with said particular sender identifier;
      
      said specified value is a maximum number of electronic messages; and
      
      said current value satisfies said specified relationship with said specified value when said number of electronic messages is less than or equal to said maximum number of electronic messages.
  - 41. The apparatus as recited in claim 40, wherein:
    - said number of electronic messages is determined for a specified period of time; and
      
      the instructions for limiting how many electronic messages that are associated with said particular sender identifier are accepted further comprise instructions which, when executed by the processor, cause the processor to perform the steps of;
      
      refusing to accept electronic messages that are associated with said particular sender identifier until said specified period of time has expired; and
      
      after expiration of said specified period of time, accepting electronic messages that are associated with said particular sender identifier.

42. An apparatus comprising:
- a processor; and
  
  a memory coupled to the processor, the memory containing one or more sequences of instructions for limiting a directory harvest attack against a server, wherein execution of the one or more sequences of instructions by the processor causes the processor to perform the steps of;
  
  accepting a plurality of electronic messages that are associated with a plurality of sender identifiers;
  
  identifying a particular sender identifier of said plurality of sender identifiers, wherein said particular sender identifier is associated with a subset of electronic messages of said plurality of electronic messages;
  
  based on said subset of electronic messages, determining a current value that is based on those electronic messages that are addressed to one or more invalid recipient electronic addresses for said server;
  
  receiving an additional electronic message that is associated with said particular sender identifier;
  
  determining that said additional electronic message is addressed to one or more invalid recipient electronic addresses for said server;
  
  based on said current value satisfying a specified relationship with a specified value, generating and sending a message rejection response to a sender of said additional electronic message; and
  
  based on said current value not satisfying said specified relationship with said specified value, dropping at least said additional electronic message without sending said message rejection response to said sender;
  
  for at least one electronic message from the plurality of email messages, determining a set of recipient email addresses to which said at least one email message was addressed and determining a set of recipient identifiers that are associated with said set of recipient email addresses;
  
  for each recipient identifier in said set of recipient identifiers inspecting a mapping to identify a particular action from a plurality of actions, and based on said mapping, processing said at least one email message according to the particular action;
  
  wherein said mapping associates said plurality of recipient identifiers with said plurality of actions;
  
  wherein said current value satisfies said specified relationship with said specified value when said current value is less than or equal to said specified value;
  
  wherein said particular sender identifier is selected from the group consisting of a classless inter-domain routing (CIDR) block, and a partial CIDR block;
  
  based on a particular recipient identifier matching a specified recipient identifier, processing said electronic message even though said number of connections does not satisfy said specified relationship with said specified number of connections.
- View Dependent Claims (43, 44, 45, 46)
- - 43. The apparatus as recited in claim 42, wherein:
    - said particular sender identifier is a group sender identifier that is associated with a first sender identifier and a second sender identifier; and
      
      both said first sender identifier and said second sender identifier are selected from the group consisting of a network address, an Internet Protocol (IP) address, a partial IP address, a first range of IP addresses, a primary domain, a subdomain, a fully qualified domain name (FQDN), a partial FQDN, a classless inter-domain routing (CIDR) block, a partial CIDR block, a subnet, an organization identifier, a network owner, a reputation score, and a second range of reputation scores.
  - 44. The apparatus as recited in claim 42, wherein:
    - said current value is a number of invalid recipient electronic addresses that are received at said server in a current time period and that are associated with said particular sender identifier;
      
      said specified value is a maximum number of invalid recipient electronic addresses;
      
      said current value satisfies said specified relationship with said specified value when said number of invalid recipient electronic addresses is less than or equal to said maximum number of invalid recipient electronic addresses; and
      
      said current value does not satisfy said specified relationship with said specified value when said number of invalid recipient electronic addresses is greater than said maximum number of invalid recipient electronic addresses;
      
      wherein said current time period is one minute.
  - 45. The apparatus as recited in claim 44, wherein the instructions for dropping at least said additional electronic message further comprise instructions which, when executed by the processor, cause the processor to perform the steps of:
    - dropping said additional electronic message and any other additional electronic messages that are associated with said particular sender identifier until said current time period expires; and
      
      after expiration of said current time period, accepting one or more electronic messages that are both associated with said particular sender identifier and that are addressed to one or more invalid recipient electronic addresses for said server.
  - 46. The apparatus as recited in claim 42, wherein:
    - wherein the instructions for determining that said additional electronic message is addressed to one or more invalid recipient electronic addresses for said server further comprise instructions which, when executed by the processor, cause the processor to perform the step of determining that said additional electronic message is addressed to one or more invalid recipient electronic addresses for said server after completion of a simple mail transfer protocol (SMTP) conversation between said server and said sender of said additional electronic message;
      
      wherein the instructions for generating said message rejection response for said additional electronic message further comprise instructions which, when executed by the processor, cause the processor to perform the step of generating said message rejection response for said additional electronic message comprises generating a message rejection electronic message for additional electronic message after completion of said SMTP conversation; and
      
      wherein the instructions for dropping said additional electronic message further comprise instructions which, when executed by the processor, cause the processor to perform the step of dropping said additional electronic message comprises dropping said additional electronic message after completion of said SMTP conversation.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ironport Systems (Cisco Systems, Inc.)
Original Assignee
Ironport Systems (Cisco Systems, Inc.)
Inventors
Srinivasan, Krishna, Schlampp, Peter, Sprosts, Craig, Quinlan, Daniel, Huss, Eric C., Chen, Shun, Clegg, Paul J., Brahms, Robert
Primary Examiner(s)
Najjar; Saleh
Assistant Examiner(s)
SHAW, ROBERT A

Application Number

US11/139,114
Publication Number

US 20060031359A1
Time in Patent Office

2,020 Days
Field of Search

709/206
US Class Current

709/206
CPC Class Codes

H04L 51/212 using filtering or selectiv...

Managing connections, messages, and directory harvest attacks at a server

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

268 Citations

46 Claims

Specification

Solutions

Use Cases

Quick Links

Managing connections, messages, and directory harvest attacks at a server

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

268 Citations

46 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links