System and method for protecting mail servers from mail flood attacks

US 8,180,835 B1
Filed: 10/14/2006
Issued: 05/15/2012
Est. Priority Date: 10/14/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A system for controlling electronic mail flood attacks comprising:

a network interface;

a suspicious address class in a set of suspicious address classes;

a counter associated with the suspicious address class, wherein the counter counts active connections originating from the suspicious address class to the network interface;

an SMTP handler configured to process electronic mail messages, wherein whenever the SMTP handler receives an email request from the suspicious address class and at least one of a set of at least one failure criteria is met, the SMTP hander issues a temporary failure message, wherein the set of at least one failure criteria comprises a first criterion which is met when the counter has reached a predetermined limit;

a first timer, wherein the first timer is restarted whenever the counter falls below the predetermined limit and expires after a first predetermined interval, wherein the set of at least one failure criteria further comprises a second criterion which is met when the first timer has been restarted and has not expired; and

a second timer, wherein whenever any one of the set of at least one failure criteria has been met by a previous email request originating from the suspicious address class, the second timer is restarted and expires after a second predetermined interval, wherein the set of at least one failure criteria further comprises a third criterion which is met when the second timer has been restarted and has not expired.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Most unsolicited commercial email (UCE) countermeasures call for a message by message analysis. However, some UCE attacks occur when a single sender of UCE floods a mail transfer agent (MTA) with a number of copies of a UCE, in a mail flood attack. The attacks rarely rise to the level of denial of service attacks but are significant enough to place a strain on MTAs and anti-UCE countermeasures. The anti-mail flood methodology disclosed herein provides a system and method for protecting mail systems from such mail flood attacks enabling anti-UCE countermeasures to work more efficiently.

Citations

6 Claims

1. A system for controlling electronic mail flood attacks comprising:
- a network interface;
  
  a suspicious address class in a set of suspicious address classes;
  
  a counter associated with the suspicious address class, wherein the counter counts active connections originating from the suspicious address class to the network interface;
  
  an SMTP handler configured to process electronic mail messages, wherein whenever the SMTP handler receives an email request from the suspicious address class and at least one of a set of at least one failure criteria is met, the SMTP hander issues a temporary failure message, wherein the set of at least one failure criteria comprises a first criterion which is met when the counter has reached a predetermined limit;
  
  a first timer, wherein the first timer is restarted whenever the counter falls below the predetermined limit and expires after a first predetermined interval, wherein the set of at least one failure criteria further comprises a second criterion which is met when the first timer has been restarted and has not expired; and
  
  a second timer, wherein whenever any one of the set of at least one failure criteria has been met by a previous email request originating from the suspicious address class, the second timer is restarted and expires after a second predetermined interval, wherein the set of at least one failure criteria further comprises a third criterion which is met when the second timer has been restarted and has not expired.
- View Dependent Claims (2, 3, 4)
- - 2. The system of claim 1, wherein the set of suspicious address classes is stored in a database.
  - 3. The system of claim 1, wherein the set of suspicious address classes is determined by the n most significant bits of IP addresses of known UCE.
  - 4. The system of claim 1 further comprising an anti-UCE means wherein the anti-UCE means supplies an IP address which generates a new suspicious address class in the set of suspicious address classes, if the IP address does not belong to any suspicious address class in the set of suspicious address classes.

5. An electronic mail appliance comprising:
- a module selected from the group consisting of a content filter, anti-virus means, anti-UCE means, anti-phishing means, POP server, IMAP server, webmail server and any combination thereof; and
  
  an anti-mail flood attack system comprising;
  
  a network interface;
  
  a suspicious address class in a set of suspicious address classes;
  
  a counter associated with the suspicious address class, wherein the counter counts active connections originating from the suspicious address class to the network interface; and
  
  an SMTP handler configured to process electronic mail messages;
  
  wherein whenever the SMTP handler receives an email request from the suspicious address class and at least one of a set of at least one failure criteria is met, the SMTP hander issues a temporary failure message, and wherein the set of at least one failure criteria comprises a first criterion which is met when the counter has reached a predetermined limit;
  
  a first timer, wherein the first timer is restarted whenever the counter falls below the predetermined limit and expires after a first predetermined interval, and wherein the set of at least one failure criteria further comprises a second criterion which is met when the first timer has been restarted and has not expired; and
  
  a second timer, wherein whenever any one of the set of at least one failure criteria has been met by a previous email request originating from the suspicious address class, the second timer is restarted and expires after a second predetermined interval, and wherein the set of at least one failure criteria further comprises a third criterion which is met when the second timer has been restarted and has not expired.
- View Dependent Claims (6)
- - 6. A network appliance comprising:
    - the electronic mail appliance of claim 5;
      
      network modules selected from the group consisting of routers, dynamic host configuration protocol (DHCP) servers, port forwarding means, network address translation (NAT) means, firewall, name server, proxy server, and time server, and any combination thereof.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Engage Technology
Original Assignee
Engage Technology
Inventors
Lu, Haw-minn, White, Richard Paul
Primary Examiner(s)
Backer, Firmin
Assistant Examiner(s)
BUI, JONATHAN A

Application Number

US11/549,645
Time in Patent Office

2,040 Days
Field of Search

709/206
US Class Current

709/206
CPC Class Codes

H04L 51/212   using filtering or selectiv...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

System and method for protecting mail servers from mail flood attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

6 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for protecting mail servers from mail flood attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

6 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links