Stopping and remediating outbound messaging abuse
First Claim
1. A method comprising:
- extracting behavior data of at least one subscriber account from outbound messages originated by said at least one subscriber account using a Sender Reputation Gateway (SRG) running on a computer system, said behavior data of said at least one subscriber account being attributes of said at least one subscriber account that are indicative of spam, virus, or worm related activity of said at least one subscriber account;
building a profile for said at least one subscriber account based on said behavior data extracted from said outbound messages originated by said at least one subscriber on said SRG running on said computer system;
tracking said behavior data extracted from said outbound messages originated by said at least one subscriber account using said SRG running on said computer system;
detecting behavior-based anomalies for said outbound messages originated by said at least one subscriber account using said SRG running on said computer system by comparing recent outbound messages originated by said at least one subscriber account with said profile of said at least one subscriber account to detect changes in said recent outbound messages originated by said at least one subscriber account in comparison to said profile of said at least one subscriber account;
determining reputation data for said at least one subscriber account based on said detected behavior-based anomalies using said SRG computer system, wherein the reputation data is added to the profile to determine a reputation score, and wherein if the reputation score falls below a threshold, then any subsequent outbound messages from the subscriber account are redirected to a server and prohibited from reaching their intended destination, and wherein the redirection to the server activity is designated for a specific time interval.
17 Assignments
0 Petitions
Accused Products
Abstract
Systems and methods are provided for allowing subscriber message sending profiles to be maintained and used in conjunction with behavior-based anomaly detection techniques and traditional content-based spam signature filtering to enable application of appropriate message disposition policies to outbound subscriber message traffic. According to one embodiment, subscriber profiles are constructed for multiple subscriber accounts associated with a service provider based on outbound message flow originated from the subscriber accounts. Then, possible subscriber account misuse may be discovered by performing behavior-based anomaly detection, including a comparison of a subscriber profile associated with the subscriber account with recent subscriber account usage information, to identify one or more behavioral anomalies in outbound message flow originated from a subscriber account, the behavior-based anomaly detection.
-
Citations
19 Claims
-
1. A method comprising:
-
extracting behavior data of at least one subscriber account from outbound messages originated by said at least one subscriber account using a Sender Reputation Gateway (SRG) running on a computer system, said behavior data of said at least one subscriber account being attributes of said at least one subscriber account that are indicative of spam, virus, or worm related activity of said at least one subscriber account; building a profile for said at least one subscriber account based on said behavior data extracted from said outbound messages originated by said at least one subscriber on said SRG running on said computer system; tracking said behavior data extracted from said outbound messages originated by said at least one subscriber account using said SRG running on said computer system; detecting behavior-based anomalies for said outbound messages originated by said at least one subscriber account using said SRG running on said computer system by comparing recent outbound messages originated by said at least one subscriber account with said profile of said at least one subscriber account to detect changes in said recent outbound messages originated by said at least one subscriber account in comparison to said profile of said at least one subscriber account; determining reputation data for said at least one subscriber account based on said detected behavior-based anomalies using said SRG computer system, wherein the reputation data is added to the profile to determine a reputation score, and wherein if the reputation score falls below a threshold, then any subsequent outbound messages from the subscriber account are redirected to a server and prohibited from reaching their intended destination, and wherein the redirection to the server activity is designated for a specific time interval. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. A sender reputation gateway system, comprising:
-
a service and response system that services and responds to requests from at least one subscriber account; a behavior data extraction system that extracts behavior data of said at least one subscriber account from outbound messages originated by said at least one subscriber account, said behavior data of said at least one subscriber account being attributes of said at least one subscriber account that are indicative of spam, virus, or worm related activity; a profile builder system that builds a profile for said at least one subscriber account based on said behavior data extracted from said outbound messages originated by said at least one subscriber; a tracking system that tracks said behavior data extracted from said outbound messages originated by said at least one subscriber account; an anomaly detection system that detects behavior-based anomalies for said outbound messages originated by said at least one subscriber account by comparing recent outbound messages originated by said at least one subscriber account with said profile of said at least one subscriber account to detect changes in said recent outbound messages originated by said at least one subscriber account in comparison to said profile of said at least one subscriber account; and a reputation data determination system that determines reputation data for said at least one subscriber account based on said detected behavior-based anomalies, wherein the reputation data is added to the profile to determine a reputation score, and wherein if the reputation score falls below a threshold, then any subsequent outbound messages from the subscriber account are redirected to a server and prohibited from reaching their intended destination, and wherein the redirection to the server activity is designated for a specific time interval. - View Dependent Claims (9, 10, 11, 12, 13, 14)
-
-
15. A machine-readable medium that stores instructions for a computer system to perform sender reputation gateway processes, comprising:
-
extracting behavior data of at least one subscriber account from outbound messages originated by said at least one subscriber account, said behavior data of said at least one subscriber account being attributes of said at least one subscriber account that are indicative of spam, virus, or worm related activity of said at least one subscriber account that results in outbound message abuse of the service provider; building a profile for said at least one subscriber account based on said behavior data extracted from said outbound messages originated by said at least one subscriber; tracking said behavior data extracted from said outbound messages originated by said at least one subscriber account; detecting behavior-based anomalies for said outbound messages originated by said at least one subscriber account by comparing recent outbound messages originated by said at least one subscriber account with said profile of said at least one subscriber account to detect changes in said recent outbound messages originated by said at least one subscriber account in comparison to said profile of said at least one subscriber account; determining reputation data for said at least one subscriber account based on said detected behavior-based anomalies, wherein the reputation data is added to the profile to determine a reputation score, and wherein if the reputation score falls below a threshold, then any subsequent outbound messages from the subscriber account are redirected to a server and prohibited from reaching their intended destination, and wherein the redirection to the server activity is designated for a specific time interval. - View Dependent Claims (16, 17, 18, 19)
-
Specification