Email anti-phishing inspector

US 8,032,594 B2
Filed: 11/10/2004
Issued: 10/04/2011
Est. Priority Date: 11/10/2004
Status: Active Grant

First Claim

Patent Images

1. A method of determining a phishing email using a score, comprising:

receiving an email message;

parsing the email message into a header and a body;

extracting a URL from the body;

determining a HTML tag associated with the URL;

adjusting the score based on the determined HTML tag;

determining a geographic location of origination for the email message;

adjusting the score based on the determined geographic location of origination; and

determining if the email message is a phishing email message by comparing the score with a predetermined phishing threshold score.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An application and system for inspecting an email message to determine if the email message is being used in a phishing ploy. When an email recipient receives an email message, the email message is sent to an EScam server for inspection. During its inspection, the EScam server considers various criteria, such as an originating country for an IP address associated with a sender of the email message, and assigns a score to the email message. Based on the score of the email message and threshold levels set within the EScam server, an email client determines whether the email message is part of a phishing ploy or a legitimate email message.

Citations

31 Claims

1. A method of determining a phishing email using a score, comprising:
- receiving an email message;
  
  parsing the email message into a header and a body;
  
  extracting a URL from the body;
  
  determining a HTML tag associated with the URL;
  
  adjusting the score based on the determined HTML tag;
  
  determining a geographic location of origination for the email message;
  
  adjusting the score based on the determined geographic location of origination; and
  
  determining if the email message is a phishing email message by comparing the score with a predetermined phishing threshold score.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, wherein if the score is above the predetermined phishing threshold score, the email message is concluded to be a phishing email.
  - 3. The method of claim 1, wherein determining if the email message is a phishing email message comprises determining in real time if the email message is a phishing email message by comparing the score with a predetermined phishing threshold score.
  - 4. The method of claim 3, further comprising removing an email address from the email message that is associated with a sender of the email message.
  - 5. The method of claim 3, further comprising removing an email address from the email message that is associated with a receiver of the email message.
  - 6. The method of claim 1, wherein said email message is a HTML email message.
  - 7. The method of claim 1, wherein said email message is a text email message.
  - 8. The method of claim 1, wherein determining if the email message is a phishing email message occurs within a remote server.
  - 9. The method of claim 8, wherein the remote server uses an email scoring algorithm.
  - 10. The method of claim 1, wherein the score is comprised of a header score and a URL score.
  - 11. The method of claim 1, wherein receiving comprises receiving an email message by an email client.
  - 12. The method of claim 11, wherein determining if the email message is a phishing email comprises determining by the email client if the email message is a phishing email message.
  - 13. The method of claim 1, wherein determining if the email message is a phishing email occurs before the email message is sent to an email recipient'"'"'s Inbox.
  - 14. The method of claim 1, wherein determining a geographic location comprises determining a geographic location of origination for the email message using attributes within the email message.

15. A method of determining a phishing email using a score, comprising:
- receiving an email message comprising a header and a body;
  
  extracting a URL from the body;
  
  determining a first IP address associated with the URL;
  
  determining a markup tag associated with the URL;
  
  adjusting the score based on the determined markup tag;
  
  determining if the first IP address is associated with one of a high-risk or OFAC country, and adjusting the score based on the association;
  
  determining a geographic location of origination for the email message;
  
  determining a geographic location of a server associated with the email message;
  
  adjusting the score by comparing the geographic location of origination of the email message and the geographic location of the server, anddetermining if the email message is a phishing email message by comparing the score with a predetermined score.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 16. The method of claim 15, wherein determining if the email message is a phishing email message comprises determining in real time if the email message is a phishing email message by comparing the score with a predetermined score.
  - 17. The method of claim 15, further comprising removing an email address from the email message that is associated with a sender of the email message.
  - 18. The method of claim 15, further comprising removing an email address from the email message that is associated with a receiver of the email message.
  - 19. The method of claim 15, wherein the markup tag comprises an HTML markup tag.
  - 20. The method of claim 15, wherein the markup tag comprises an XML markup tag.
  - 21. The method of claim 15, wherein determining if the email message is a phishing email comprises determining by a remote computer if the email message is a phishing email message by comparing the score with a predetermined score.
  - 22. The method of claim 15, wherein receiving comprises receiving an email message comprising a header and a body by an email client.
  - 23. The method of claim 22, wherein determining if the email message is a phishing email comprises determining by the email client if the email message is a phishing email message by comparing the score with a predetermined score.
  - 24. The method of claim 15, wherein determining if the email message is a phishing email comprises determining if the email message is a phishing email message by comparing the score with a predetermined score before the email message is sent to an email recipient'"'"'s Inbox.

25. A method of determining a phishing email using a score, comprising:
- receiving an email message comprising a header and a body;
  
  determining a first set of one more IP addresses from the header;
  
  adjusting the score by performing the following steps for each IP address in the first set of IP addresses;
  
  determining if the IP address is associated with a trusted country or a non-trusted country;
  
  determining if the IP address is associated with a proxy server;
  
  determining if the IP address is associated with a reserved address;
  
  determining if the IP address is associated with an open relay;
  
  determining if the IP address is a dynamic server IP address; and
  
  determining if the email message is a phishing email message by comparing the score with a predetermined score.
- View Dependent Claims (26, 27, 28, 29, 30, 31)
- - 26. The method of claim 25, further comprising:
    - determining a geographic location of origination for the email message;
      
      determining a geographic location of a server associated with the email message; and
      
      adjusting the score based on a comparison between the geographic location of origination of the email message and the geographic location of the server.
  - 27. The method of claim 26, further comprising:
    - extracting a URL from the body;
      
      determining a HTML tag associated with the URL; and
      
      adjusting the score based on the determined HTML tag.
  - 28. The method of claim 27, further comprising:
    - determining a first IP address associated with the URL; and
      
      determining if the first IP address is associated with at least one of a high-risk or OFAC country, and adjusting the score based on the association.
  - 29. The method of claim 25, further comprising:
    - extracting a URL from the body;
      
      determining a HTML tag associated with the URL; and
      
      adjusting the score based on the determined HTML tag.
  - 30. The method of claim 25, further comprising:
    - extracting a URL from the body;
      
      determining a first IP address associated with the URL; and
      
      determining if the first IP address is associated with at least one of a high-risk or OFAC country, and adjusting the score based on the association.
  - 31. The method of claim 25, wherein a non-trusted country comprises at least one of a high-risk country or an OFAC country.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Digital Envoy, Inc. (Landmark Media Enterprises LLC)
Original Assignee
Digital Envoy, Inc. (Landmark Media Enterprises LLC)
Inventors
Burdette, Jeff, Friedman, Robert, Helsper, David
Primary Examiner(s)
Maung; Zarni

Application Number

US10/985,664
Publication Number

US 20060101120A1
Time in Patent Office

2,519 Days
Field of Search

709/229, 709/203, 709206-207, 726/22, 726/23, 726/25
US Class Current

709/206
CPC Class Codes

G06Q 10/109   Time management, e.g. calen...

H04L 51/212   using filtering or selectiv...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1483   service impersonation, e.g....

Email anti-phishing inspector

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Email anti-phishing inspector

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links