Electronic message source reputation information system

US 8,037,144 B2
Filed: 05/25/2005
Issued: 10/11/2011
Est. Priority Date: 05/25/2004
Status: Active Grant

First Claim

Patent Images

1. A network traffic filtering system for filtering a flow of electronic messages across a computer network, the system comprising:

one or more computing devices;

a centralized server installed on the one or more computing devices and having an engine for executing instructions stored in a memory of the one or more computing devices, the execution of the instructions configured to generate a source reputation profile based on reputation data associated with a source IP address, wherein the reputation data is received from a centralized data source comprising an electronic message traffic monitoring system that monitors electronic messages after being sent from a sending server at the source IP address and before being received by a targeted receiving server or at any gateway to a local network including a targeted receiving server, and wherein the reputation data comprises metadata derived by the electronic message traffic monitoring system from the monitoring of messages sent from the source IP address;

a profile database connected to the centralized server for storing the reputation data, the centralized server and profile database external to targeted receiving servers or any gateway to a local network including a targeted receiving server; and

wherein the engine is further configured to provide the source reputation profile to an external local system having at least one targeted receiving mail server for filtering incoming electronic messages by the at least one targeted receiving mail server, or other device within a gateway to a local network having the external local system, based on the provided source reputation profile before the incoming electronic messages can reach an intended recipient.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein are filtering systems and methods that employ an electronic message source reputation system. The source reputation system maintains a pool of source Internet Protocol (IP) address information, in the form of a Real-Time Threat Identification Network (“RTIN”) database, which can provide the reputation of source IP addresses, which can be used by customers for filtering network traffic. The source reputation system provides for multiple avenues of access to the source reputation information. Examples of such avenues can include Domain Name Server (DNS)-type queries, servicing routers with router-table data, or other avenues.

117 Citations

View as Search Results

36 Claims

1. A network traffic filtering system for filtering a flow of electronic messages across a computer network, the system comprising:
- one or more computing devices;
  
  a centralized server installed on the one or more computing devices and having an engine for executing instructions stored in a memory of the one or more computing devices, the execution of the instructions configured to generate a source reputation profile based on reputation data associated with a source IP address, wherein the reputation data is received from a centralized data source comprising an electronic message traffic monitoring system that monitors electronic messages after being sent from a sending server at the source IP address and before being received by a targeted receiving server or at any gateway to a local network including a targeted receiving server, and wherein the reputation data comprises metadata derived by the electronic message traffic monitoring system from the monitoring of messages sent from the source IP address;
  
  a profile database connected to the centralized server for storing the reputation data, the centralized server and profile database external to targeted receiving servers or any gateway to a local network including a targeted receiving server; and
  
  wherein the engine is further configured to provide the source reputation profile to an external local system having at least one targeted receiving mail server for filtering incoming electronic messages by the at least one targeted receiving mail server, or other device within a gateway to a local network having the external local system, based on the provided source reputation profile before the incoming electronic messages can reach an intended recipient.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. A system according to claim 1, wherein the engine is configured to generate an updated source reputation profile in response to updated reputation data.
  - 3. A system according to claim 2, wherein the updated reputation data is provided in real-time.
  - 4. A system according to claim 1, wherein the source reputation profile comprises a list having at least one item of reputation data.
  - 5. A system according to claim 1, wherein the reputation data comprises at least one selected from the group consisting of:
    - the number of messages considered spam sent from the source IP address;
      
      the number of recipients on a message sent from the source IP address;
      
      the number of connection attempts from the source IP address;
      
      the number of connection successes from the source IP address;
      
      the number of connection failures from the source IP address;
      
      the number of connection currently open from the source IP address;
      
      the number of 400-class errors caused by messaging attempts by the source IP address;
      
      the number of 500-class errors caused by messaging attempts by the source IP address;
      
      the average message size in bytes sent from the source IP address;
      
      the average connection duration from the source IP address;
      
      the number of viruses sent from the source IP address;
      
      the number of message delivered from the source IP address; and
      
      an overall number of messages sent from the source IP address.
  - 6. A system according to claim 1, wherein the source reputation profile comprises an evaluation of the reputation data by the engine.
  - 7. A system according to claim 6, wherein the evaluation comprises generating a reputation score for the source IP address, the reputation score indicating a likelihood that electronic messages from the source IP address are unwanted.
  - 8. A system according to claim 7, wherein the engine is further configured to change the reputation score based on new reputation data associated with the source IP address.
  - 9. A system according to claim 1, wherein the engine is configured to additionally receive reputation data from a data source comprising at least one selected from the group consisting of a two-strikes system and a sudden-death system.
  - 10. A system according to claim 1, wherein the engine is configured to additionally receive reputation data from a data source comprising a customer system, and the reputation data from this data source comprises at least one list selected from the group consisting of blacklists, blocked senders lists, and gray-lists.
  - 11. A system according to claim 1, wherein the engine is configured to additionally receive reputation data from a data source comprising approved sender IP addresses selected using a business-based heuristics selection technique.
  - 12. A system according to claim 1, wherein the engine is configured to provide the reputation profile to the external system in response to a query received from the external system.
  - 13. A system according to claim 12, wherein the query comprises a DNS query corresponding to the source IP address.
  - 14. A system according to claim 12, wherein the engine is further configured to authenticate the external system before responding to the query.
  - 15. A system according to claim 1, wherein the engine provides the reputation profile to an external system in the form of electronic message path data for use in a network router table of a router associated with the customer system to redirect electronic messages from the source IP address.
  - 16. A system according to claim 1, wherein the engine comprises a server configured to query a data source for reputation data, receive reputation data from a data source, evaluate the received reputation data to develop the source reputation profile, update the profile database, and distribute the source reputation profile or reputation data to external systems.
  - 17. A system according to claim 16, wherein the engine further comprises a reputation data database associated with the server and configured to store the reputation data.
  - 18. A system according to claim 1, wherein the engine comprises a server and a controller, wherein the controller is configured to query a data source for reputation data, receive reputation data from a data source, evaluate the received reputation data to develop the source reputation profile, update the profile database, and the server is configured to distribute the source reputation profile or reputation data to external systems.
  - 19. A system according to claim 1, wherein the external system is a customer system subscribing to use the filtering system.

20. A method of filtering a flow of electronic messages across a computer network, the method comprising:
- receiving, at an engine installed on one or more computing devices for executing instructions stored in a memory of the one or more computing devices, reputation data associated with a source IP address from a centralized data source comprising an electronic message traffic monitoring system that monitors electronic messages after being sent from a sending server at the source IP address and before being received by a targeted receiving server or at any gateway to a local network including a targeted receiving server, wherein the reputation data comprises metadata derived by the electronic message traffic monitoring system from the monitoring of messages sent from the source IP address;
  
  storing the reputation data in a database associated with the engine, the database and engine external to targeted receiving servers or any gateway to a local network including a targeted receiving server;
  
  generating a source reputation profile with the engine based on the reputation data; and
  
  providing the source reputation profile from the engine to an external local system having at least one targeted receiving mail server for filtering incoming electronic messages by the at least one targeted receiving mail server, or other device within a gateway to a local network having the external local system, based on the provided source reputation profile before the incoming electronic messages can reach an intended recipient.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 21. A method according to claim 20, further comprising updating the source reputation profile in response to receiving updated reputation data.
  - 22. A method according to claim 21, wherein the updated reputation data is provided in real-time.
  - 23. A method according to claim 20, wherein providing the source reputation profile comprises providing a list having at least one item of reputation data.
  - 24. A method according to claim 20, wherein the reputation data comprises at least one selected from the group consisting of:
    - the number of messages considered spam sent from the source IP address;
      
      the number of recipients on a message sent from the source IP address;
      
      the number of connection attempts from the source IP address;
      
      the number of connection successes from the source IP address;
      
      the number of connection failures from the source IP address;
      
      the number of connection currently open from the source IP address;
      
      the number of 400-class errors caused by messaging attempts by the source IP address;
      
      the number of 500-class errors caused by messaging attempts by the source IP address;
      
      the average message size in bytes sent from the source IP address;
      
      the average connection duration from the source IP address;
      
      the number of viruses sent from the source IP address;
      
      the number of message delivered from the source IP address; and
      
      an overall number of messages sent from the source IP address.
  - 25. A method according to claim 20, wherein providing the source reputation profile comprises providing an evaluation of the reputation data.
  - 26. A method according to claim 25, wherein the evaluation comprises generating a reputation score for the source IP address, the reputation score indicating a likelihood that electronic messages from the source IP address are unwanted.
  - 27. A method according to claim 26, further comprising changing the reputation score based on new reputation data associated with the source IP address.
  - 28. A method according to claim 20, wherein receiving reputation data further comprises receiving reputation data from at least one selected from the group consisting of a two-strikes system and a sudden-death system.
  - 29. A method according to claim 20, wherein receiving reputation data further comprises receiving reputation data from a customer system, and the reputation data from this data source comprises at least one list selected from the group consisting of blacklists, blocked senders lists, and gray-lists.
  - 30. A method according to claim 20, wherein receiving reputation data further comprises receiving reputation data comprising approved sender IP addresses selected using an business-based heuristics selection technique.
  - 31. A method according to claim 20, wherein providing further comprises providing the source reputation profile to a customer system in response to a query received from the customer system.
  - 32. A method according to claim 31, wherein the query comprises a DNS query corresponding to the source IP address.
  - 33. A method according to claim 32, the method further comprising authenticating the customer system before responding to the query.
  - 34. A method according to claim 20, wherein providing further comprises providing the source reputation profile to a customer system in the form of electronic message path data for use in a network router table of a router associated with the customer system to redirect electronic messages from the source IP address.
  - 35. A method according to claim 34, wherein the electronic messages are redirected to a blackhole in the network.
  - 36. A method according to claim 20, wherein providing the reputation profile to an external system comprises providing the reputation profile to a customer system subscribing to use the filtering method.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Lund, Peter K., Petry, Scott M., Okumura, Kenneth K., Carroll, Dorion A., Croteau, Craig S.
Primary Examiner(s)
DENNISON, JERRY B

Application Number

US11/569,532
Publication Number

US 20070250644A1
Time in Patent Office

2,330 Days
Field of Search

709/203, 709/206, 709/224, 709/249, 707/6, 707/7
US Class Current

709/206
CPC Class Codes

G06Q 10/107   Computer-aided management o...

H04L 51/212   using filtering or selectiv...

H04L 63/0236   Filtering by address, proto...

H04L 63/068   using time-dependent keys, ...

H04L 63/126   the source of the received ...

H04L 67/306   User profiles

H04L 67/564   Enhancement of application ...

H04L 67/63   Routing a service request d...

Electronic message source reputation information system

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

117 Citations

36 Claims

Specification

Solutions

Use Cases

Quick Links

Electronic message source reputation information system

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

117 Citations

36 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links