Method and system for employing automatic reply systems to detect e-mail scammer IP addresses

US 7,917,593 B1
Filed: 10/23/2009
Issued: 03/29/2011
Est. Priority Date: 10/23/2009
Status: Expired due to Fees

First Claim

Patent Images

1. A computing system implemented process for employing automatic reply systems to detect e-mail scammer IP addresses comprising:

providing one or more decoy e-mail addresses associated with one or more computing systems;

receiving a given e-mail at one of the one or more decoy e-mail addresses associated with one or more computing systems;

performing an initial analysis of the given e-mail received at one of the one or more decoy e-mail addresses associated with one or more computing systems;

as a result of the initial analysis of the given e-mail received at one of the one or more decoy e-mail addresses associated with one or more computing systems, preliminarily determining that the given e-mail received at one of the one or more decoy e-mail addresses associated with one or more computing systems is a given scam e-mail;

transforming data indicating a status of the given e-mail received at one of the one or more decoy e-mail addresses associated with one or more computing systems to data indicating a status of scam e-mail;

extracting one or more e-mail addresses from the header or body of the given scam e-mail;

generating a fabricated reply e-mail to the given scam e-mail, the fabricated reply e-mail to the given scam e-mail including one or more mechanisms for determining at least an IP address of the sender of the given scam e-mail;

sending the fabricated reply e-mail to the given scam e-mail to the one or more e-mail addresses extracted from the header or body of the given scam e-mail;

capturing at least an IP address of the sender of the given scam e-mail via the one or more mechanisms for determining at least an IP address of the sender of the given scam e-mail sender included in fabricated reply e-mail to the given scam e-mail; and

using the captured IP address of the sender of the given scam e-mail to identify future scam emails from the sender of the given scam e-mail.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for employing automatic reply systems to detect e-mail scammer IP addresses whereby a decoy system to receive illegitimate e-mails, also known as a “honeypot” is established. E-mails sent to the honeypot decoy e-mail addresses are initially scanned and preliminarily identified as scam e-mails and the fact that the scammer must make contact with the intended user/victim is exploited by analyzing the scam e-mail to identify one or more e-mail addresses in either the header or the body of the preliminarily identified scam e-mail. The one or more identified e-mail addresses are then extracted and fabricated reply e-mails are generated that include one or more mechanisms for ascertaining the IP address of the scammer. The fabricated reply e-mails are then sent to the one or more identified e-mail addresses and when the scammer takes the necessary action, the IP address and browser information associated with scammer is obtained.

Citations

20 Claims

1. A computing system implemented process for employing automatic reply systems to detect e-mail scammer IP addresses comprising:
- providing one or more decoy e-mail addresses associated with one or more computing systems;
  
  receiving a given e-mail at one of the one or more decoy e-mail addresses associated with one or more computing systems;
  
  performing an initial analysis of the given e-mail received at one of the one or more decoy e-mail addresses associated with one or more computing systems;
  
  as a result of the initial analysis of the given e-mail received at one of the one or more decoy e-mail addresses associated with one or more computing systems, preliminarily determining that the given e-mail received at one of the one or more decoy e-mail addresses associated with one or more computing systems is a given scam e-mail;
  
  transforming data indicating a status of the given e-mail received at one of the one or more decoy e-mail addresses associated with one or more computing systems to data indicating a status of scam e-mail;
  
  extracting one or more e-mail addresses from the header or body of the given scam e-mail;
  
  generating a fabricated reply e-mail to the given scam e-mail, the fabricated reply e-mail to the given scam e-mail including one or more mechanisms for determining at least an IP address of the sender of the given scam e-mail;
  
  sending the fabricated reply e-mail to the given scam e-mail to the one or more e-mail addresses extracted from the header or body of the given scam e-mail;
  
  capturing at least an IP address of the sender of the given scam e-mail via the one or more mechanisms for determining at least an IP address of the sender of the given scam e-mail sender included in fabricated reply e-mail to the given scam e-mail; and
  
  using the captured IP address of the sender of the given scam e-mail to identify future scam emails from the sender of the given scam e-mail.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computing system implemented process for employing automatic reply systems to detect e-mail scammer IP addresses of claim 1, wherein:
    - the one or more decoy e-mail addresses associated with one or more computing systems are provided via one or more honeypots.
  - 3. The computing system implemented process for employing automatic reply systems to detect e-mail scammer IP addresses of claim 1, wherein:
    - as a result of the initial analysis of the given e-mail received at one of the one or more decoy e-mail addresses associated with one or more computing systems, preliminarily determining that the given e-mail received at one of the one or more decoy e-mail addresses associated with one or more computing systems is a given scam e-mail includes preliminarily determining that the given e-mail received at one of the one or more decoy e-mail addresses associated with one or more computing systems is a given scam e-mail based on the fact that the given scam e-mail was sent to one of the one or more decoy e-mail addresses associated with one or more computing systems.
  - 4. The computing system implemented process for employing automatic reply systems to detect e-mail scammer IP addresses of claim 1, wherein:
    - a result of the initial analysis of the given e-mail received at one of the one or more decoy e-mail addresses associated with one or more computing systems, preliminarily determining that the given e-mail received at one of the one or more decoy e-mail addresses associated with one or more computing systems is a given scam e-mail comprises establishing that given e-mails was sent from a webmail service known to be used by scammers.
  - 5. The computing system implemented process for employing automatic reply systems to detect e-mail scammer IP addresses of claim 1, wherein:
    - a result of the initial analysis of the given e-mail received at one of the one or more decoy e-mail addresses associated with one or more computing systems, preliminarily determining that the given e-mail received at one of the one or more decoy e-mail addresses associated with one or more computing systems is a given scam e-mail includes establishing that the given e-mail sent via an ISP known to be used by scammers.
  - 6. The computing system implemented process for employing automatic reply systems to detect e-mail scammer IP addresses of claim 1, wherein:
    - a result of the initial analysis of the given e-mail received at one of the one or more decoy e-mail addresses associated with one or more computing systems, preliminarily determining that the given e-mail received at one of the one or more decoy e-mail addresses associated with one or more computing systems is a given scam e-mail includes establishing that the given e-mail includes language, keywords, and/or symbols typically associated with scam e-mails.
  - 7. The computing system implemented process for employing automatic reply systems to detect e-mail scammer IP addresses of claim 1, wherein:
    - the fabricated reply e-mail to the given scam e-mail includes a fabricated challenge/response e-mail that requires the scammer to click a link, further wherein;
      
      the website to which the link directs the scammer is controlled by a security system that logs the IP addresses and browser information associated with the sender of the given scam e-mail.
  - 8. The computing system implemented process for employing automatic reply systems to detect e-mail scammer IP addresses of claim 1, wherein:
    - the fabricated reply e-mail to the given scam e-mail includes a hidden image with a URL unique to the fabricated reply e-mail, further wherein;
      
      when the fabricated reply e-mail is opened the image is retrieved by linking to a web server controlled by a security system that logs the IP addresses and browser information of the sender of the given scam e-mail.

9. A system for employing automatic reply systems to detect e-mail scammer IP addresses comprising:
- one or more honeypots associated with one or more decoy e-mail addresses;
  
  at least one computing system;
  
  a least one processor associated with the at least one computing system, the at least one processor associated with the at least one computing system executing at least part of a computing system implemented process for employing automatic reply systems to detect e-mail scammer IP addresses, the computing system implemented process for employing automatic reply systems to detect e-mail scammer IP addresses comprising;
  
  receiving a given e-mail at one of the one or more decoy e-mail addresses associated with the one or more honeypots;
  
  performing an initial analysis of the given e-mail received at one of the one or more decoy e-mail addresses associated with the one or more honeypots;
  
  as a result of the initial analysis of the given e-mail received at one of the one or more decoy e-mail addresses associated with the one or more honeypots, preliminarily determining that the given e-mail received at one of the one or more decoy e-mail addresses associated with the one or more honeypots is a given scam e-mail;
  
  transforming data indicating a status of the given e-mail received at one of the one or more decoy e-mail addresses associated with the one or more honeypots to data indicating a status of scam e-mail;
  
  extracting one or more e-mail addresses from the header or body of the given scam e-mail;
  
  generating a fabricated reply e-mail to the given scam e-mail, the fabricated reply e-mail to the given scam e-mail including one or more mechanisms for determining at least an IP address of the sender of the given scam e-mail;
  
  sending the fabricated reply e-mail to the given scam e-mail to the one or more e-mail addresses extracted from the header or body of the given scam e-mail;
  
  capturing at least an IP address of the sender of the given scam e-mail via the one or more mechanisms for determining at least an IP address of the sender of the given scam e-mail sender included in fabricated reply e-mail to the given scam e-mail; and
  
  using the captured IP address of the sender of the given scam e-mail to identify future scam emails from the sender of the given scam e-mail.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The system for employing automatic reply systems to detect e-mail scammer IP addresses of claim 9, wherein:
    - as a result of the initial analysis of the given e-mail received at one of the one or more decoy e-mail addresses associated with the one or more honeypots, preliminarily determining that the given e-mail received at one of the one or more decoy e-mail addresses associated with the one or more honeypots is a given scam e-mail includes preliminarily determining that the given e-mail received at one of the one or more decoy e-mail addresses associated with the one or more honeypots is a given scam e-mail based on the fact that the given scam e-mail was sent to one of the one or more decoy e-mail addresses associated with the one or more honeypots.
  - 11. The system for employing automatic reply systems to detect e-mail scammer IP addresses of claim 9, wherein:
    - a result of the initial analysis of the given e-mail received at one of the one or more decoy e-mail addresses associated with the one or more honeypots, preliminarily determining that the given e-mail received at one of the one or more decoy e-mail addresses associated with the one or more honeypots is a given scam e-mail comprises establishing that given e-mails was sent from a webmail service known to be used by scammers.
  - 12. The system for employing automatic reply systems to detect e-mail scammer IP addresses of claim 9, wherein:
    - a result of the initial analysis of the given e-mail received at one of the one or more decoy e-mail addresses associated with the one or more honeypots, preliminarily determining that the given e-mail received at one of the one or more decoy e-mail addresses associated with the one or more honeypots is a given scam e-mail includes establishing that the given e-mail sent via an ISP known to be used by scammers.
  - 13. The system for employing automatic reply systems to detect e-mail scammer IP addresses of claim 9, wherein:
    - a result of the initial analysis of the given e-mail received at one of the one or more decoy e-mail addresses associated with the one or more honeypots, preliminarily determining that the given e-mail received at one of the one or more decoy e-mail addresses associated with the one or more honeypots is a given scam e-mail includes establishing that the given e-mail includes language, keywords, and/or symbols typically associated with scam e-mails.
  - 14. The system for employing automatic reply systems to detect e-mail scammer IP addresses of claim 9, wherein:
    - the fabricated reply e-mail to the given scam e-mail includes a fabricated challenge/response e-mail that requires the scammer to click a link, further wherein;
      
      the website to which the link directs the scammer is controlled by a security system that logs the IP addresses and browser information associated with the sender of the given scam e-mail.
  - 15. The system for employing automatic reply systems to detect e-mail scammer IP addresses of claim 9, wherein:
    - the fabricated reply e-mail to the given scam e-mail includes a hidden image with a URL unique to the fabricated reply e-mail, further wherein;
      
      when the fabricated reply e-mail is opened the image is retrieved by linking to a web server controlled by a security system that logs the IP addresses and browser information of the sender of the given scam e-mail.

16. A method for employing automatic reply systems to detect e-mail scammer IP addresses comprising:
- providing one or more decoy e-mail addresses associated with one or more computing systems;
  
  receiving a given e-mail at one of the one or more decoy e-mail addresses associated with one or more computing systems;
  
  performing an initial analysis of the given e-mail received at one of the one or more decoy e-mail addresses associated with one or more computing systems;
  
  as a result of the initial analysis of the given e-mail received at one of the one or more decoy e-mail addresses associated with one or more computing systems, preliminarily determining that the given e-mail received at one of the one or more decoy e-mail addresses associated with one or more computing systems is a given scam e-mail;
  
  transforming data indicating a status of the given e-mail received at one of the one or more decoy e-mail addresses associated with one or more computing systems to data indicating a status of scam e-mail;
  
  extracting one or more e-mail addresses from the header or body of the given scam e-mail;
  
  generating a fabricated reply e-mail to the given scam e-mail, the fabricated reply e-mail to the given scam e-mail including one or more mechanisms for determining at least an IP address of the sender of the given scam e-mail;
  
  sending the fabricated reply e-mail to the given scam e-mail to the one or more e-mail addresses extracted from the header or body of the given scam e-mail;
  
  capturing at least an IP address of the sender of the given scam e-mail via the one or more mechanisms for determining at least an IP address of the sender of the given scam e-mail sender included in fabricated reply e-mail to the given scam e-mail; and
  
  using the captured IP address of the sender of the given scam e-mail to identify future scam emails from the sender of the given scam e-mail.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The method for employing automatic reply systems to detect e-mail scammer IP addresses of claim 16, wherein:
    - the one or more decoy e-mail addresses associated with one or more computing systems are provided via one or more honeypots.
  - 18. The method for employing automatic reply systems to detect e-mail scammer IP addresses of claim 16, wherein:
    - as a result of the initial analysis of the given e-mail received at one of the one or more decoy e-mail addresses associated with one or more computing systems, preliminarily determining that the given e-mail received at one of the one or more decoy e-mail addresses associated with one or more computing systems is a given scam e-mail includes preliminarily determining that the given e-mail received at one of the one or more decoy e-mail addresses associated with one or more computing systems is a given scam e-mail based on the fact that the given scam e-mail was sent to one of the one or more decoy e-mail addresses associated with one or more computing systems.
  - 19. The method for employing automatic reply systems to detect e-mail scammer IP addresses of claim 16, wherein:
    - the fabricated reply e-mail to the given scam e-mail includes a fabricated challenge/response e-mail that requires the scammer to click a link, further wherein;
      
      the website to which the link directs the scammer is controlled by a security system that logs the IP addresses and browser information associated with the sender of the given scam e-mail.
  - 20. The method for employing automatic reply systems to detect e-mail scammer IP addresses of claim 16, wherein:
    - the fabricated reply e-mail to the given scam e-mail includes a hidden image with a URL unique to the fabricated reply e-mail, further wherein;
      
      when the fabricated reply e-mail is opened the image is retrieved by linking to a web server controlled by a security system that logs the IP addresses and browser information of the sender of the given scam e-mail.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Lee, Martin
Primary Examiner(s)
Patel; Haresh N

Application Number

US12/604,644
Time in Patent Office

522 Days
Field of Search

709/203, 709/206, 709217-228, 709/248, 726/22, 726/23, 726/4, 726/16
US Class Current

709/206
CPC Class Codes

G06Q 10/107 Computer-aided management o...

Method and system for employing automatic reply systems to detect e-mail scammer IP addresses

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for employing automatic reply systems to detect e-mail scammer IP addresses

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links