Reporting on spoofed e-mail

US 7,950,047 B2
Filed: 02/22/2008
Issued: 05/24/2011
Est. Priority Date: 02/22/2008
Status: Active Grant

First Claim

Patent Images

1. A method for use in managing delivery of messages over a network, comprising:

receiving a plurality of messages over the network;

for each message in the plurality of messages;

determining an outbound message server for the respective message by identifying a last hop network address as the outbound message server based on a last network hop of the message prior to being received by a message server associated with a message recipient;

if the respective message is digitally signed, authenticating the respective message, at least by verifying that the digitally signed message originated from a domain associated with a sender'"'"'s address of the message by using a public component of a public/private key pair that is accessible to a domain name server (DNS) associated with the domain; and

generating a report about the plurality of messages, wherein the report indicates for each outbound message server at least a number of messages that are digitally signed and authenticated, a number of messages that are unsigned, and a number of messages that are digitally signed but determined to be unauthentic based on the digital signature; and

employing the report to selectively block messages allegedly from the domain associated with digitally signed messages.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments are directed towards detecting and reporting use by a domain of a message authentication mechanism, such as DomainKeys (DK), and/or DomainKeys Identified Mail (DKIM), and enabling subsequent blocking of messages based, in part, on its usage. When a message is received by an inbound message server, a message source is determined for the message. In one embodiment, the message source is a domain name associated with the sender of the message. Statistics are recorded about the message, including the message source, whether the message is suspect, includes a forged source identifier, employs DK/DKIM message authentication, and the like. The reports may ten be sent to various message sources to enable them to determine the extent of use of DK/DKIM message authentication, and to selectively block, re-direct, or forward the messages based, in part, on the use of DK/DKIM message authentication mechanism.

Citations

17 Claims

1. A method for use in managing delivery of messages over a network, comprising:
- receiving a plurality of messages over the network;
  
  for each message in the plurality of messages;
  
  determining an outbound message server for the respective message by identifying a last hop network address as the outbound message server based on a last network hop of the message prior to being received by a message server associated with a message recipient;
  
  if the respective message is digitally signed, authenticating the respective message, at least by verifying that the digitally signed message originated from a domain associated with a sender'"'"'s address of the message by using a public component of a public/private key pair that is accessible to a domain name server (DNS) associated with the domain; and
  
  generating a report about the plurality of messages, wherein the report indicates for each outbound message server at least a number of messages that are digitally signed and authenticated, a number of messages that are unsigned, and a number of messages that are digitally signed but determined to be unauthentic based on the digital signature; and
  
  employing the report to selectively block messages allegedly from the domain associated with digitally signed messages.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein selectively blocking messages further comprises:
    - if the message is unsigned but indicates that it is from the domain associated with digitally signed messages, blocking the message from being delivered to a recipient.
  - 3. The method of claim 1, wherein selectively blocking messages further comprises:
    - if the message is digitally signed but is determined to be unauthentic, blocking delivery of the message to a recipient.
  - 4. The method of claim 1, wherein selectively blocking messages further comprises:
    - generating a good outbound message server list or a bad outbound message server based on the report.
  - 5. The method of claim 1, wherein at least one of the determined outbound message servers is a mail server associated with the domain to employ the private component of the key pair to digitally sign at least one message.

6. A network device for managing delivery of messages over a network, comprising:
- a transceiver to send and receive data over the network; and
  
  a processor that is operative to perform actions, including;
  
  receiving a message over the network;
  
  determining an outbound message server for the message by identifying a last hop network address as the outbound message server based on a last network hop of the message prior to being received by a message server associated with a message recipient;
  
  if the message is digitally signed, authenticating the message, at least by verifying that the digitally signed message originated from a domain associated with a sender'"'"'s address of the message by using a public component of a public/private key pair that is accessible to a domain name server (DNS) associated with the domain;
  
  generating a report about the message, wherein the report indicates for each determined outbound message server whether the message is digitally signed and authenticated, whether the message is unsigned, or whether the message is digitally signed but determined to be unauthentic based on the digital signature; and
  
  enabling the report to be useable to selectively block other messages allegedly from the domain associated with digitally signed messages.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The network device of claim 6, wherein authenticating the message further comprises determining whether the message is digitally signed but is modified.
  - 8. The network device of claim 6, wherein the network device is configured to operate as an inbound mail server associated with a message recipient for the message.
  - 9. The network device of claim 6, wherein the network device is associated with the domain.
  - 10. The network device of claim 6, wherein the report is configured to provide information about outbound message servers operating as mail servers in a plurality of mail servers associated with the domain and indicates if each mail server in the plurality of mail servers is employing digitally signed messaging.

11. A system for use in managing delivery of messages over a network, comprising:
- a plurality of mail servers associated with a domain; and
  
  a network device that is configured to receive messages from each of the plurality of mail servers and to perform actions, including;
  
  receiving a plurality of messages, wherein each message indicates that it is from a sender'"'"'s address associated with the domain;
  
  for each message;
  
  determining if the message is associated with a mail server in the plurality of mail servers identifying a last hop network address as the mail server based on a last network hop of the message prior to being received by a message server associated with a message recipient; and
  
  if the message is digitally signed, authenticating the message, at least by verifying that the digitally signed message originated from the domain by using a public component of a public/private key pair that is accessible to a domain name server (DNS) associated with the domain;
  
  generating a report for each mail server in the plurality, wherein the report indicates a number of messages sent from the mail server which are digitally signed and authentic, a number of messages that are digitally signed and determined to be unauthentic, and a number of messages from the mail server which are unsigned; and
  
  enabling the report to be useable to selectively block delivery of at least one message.
- View Dependent Claims (12, 13)
- - 12. The system of claim 11, wherein selectively blocking delivery further comprises, if the at least one message includes a digital signature that is determined to be inauthentic, blocking delivery of the message.
  - 13. The system of claim 11, wherein selectively blocking delivery further comprises, if the at least one message indicates it is associated with the domain, but is not digitally signed, blocking the delivery of the message.

14. A non-transitory, computer-readable medium configured to store data and instructions thereon, wherein the execution of the instructions on a computing device enable the computing device to perform actions for managing received messages over a network, comprising:
- receiving a plurality of messages, wherein each message indicates that it is associated with a same domain;
  
  for each message;
  
  determining if the message is associated with a mail server associated with the domain by identifying a last hop network address as the mail server based on a last network hop of the message prior to being received by a message server associated with a message recipient; and
  
  if the message is digitally signed, authenticating the message, at least by verifying that the digitally signed message originated from the domain by using a public component of a public/private key pair that is accessible to a domain name server (DNS) associated with the domain; and
  
  generating a report that indicates for each mail server associated with the domain a number of messages received from a mail server for the domain which are digitally signed and authentic, a number of messages that are digitally signed and determined to be unauthentic, and a number of messages that are unsigned; and
  
  enabling the report to be useable to selectively block delivery of at least one message.
- View Dependent Claims (15, 16, 17)
- - 15. The non-transitory, computer-readable medium of claim 14, wherein selectively blocking the at least one message further comprises, if the at least one message is digitally unsigned blocking the delivery of the message.
  - 16. The non-transitory, computer-readable medium of claim 14, wherein the instructions perform actions, further including:
    - for each message;
      
      determining an outbound server for each message;
      
      determining if the outbound server is a mail server associated with the domain; and
      
      if the outbound server is unassociated with the domain, indicating that the message is likely to be a forged or spam message.
  - 17. The non-transitory, computer-readable medium of claim 14, wherein the instructions perform actions, further including generating a list of mail servers associated with the domain employing digitally signed messaging above a threshold value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Yahoo Assets LLC
Original Assignee
Yahoo! Inc. (Apollo Global Management, Inc.)
Inventors
Kundu, Anirban, Delany, Mark, Risher, Mark E., Taketomi, Masumi, Libbey, Miles A. IV
Primary Examiner(s)
Homayounmehr; Farid

Application Number

US12/035,941
Publication Number

US 20090216842A1
Time in Patent Office

1,187 Days
Field of Search

726/3, 709/229
US Class Current

726/3
CPC Class Codes

G06Q 10/107   Computer-aided management o...

H04L 51/212   using filtering or selectiv...

H04L 51/48   Message addressing, e.g. ad...

Reporting on spoofed e-mail

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Reporting on spoofed e-mail

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links