Method and system to detect and prevent e-mail scams

US 8,255,572 B1
Filed: 01/22/2010
Issued: 08/28/2012
Est. Priority Date: 01/22/2010
Status: Active Grant

First Claim

Patent Images

1. A computing system implemented process for identifying 419 messages in a live message stream comprising:

subjecting a message from a live message stream directed to a user computing system to an anti-spam pipeline, the anti-spam pipeline including;

a dynamic feedback-based heuristic filter stage, the dynamic feedback-based heuristic filter stage using one or more processors associated with one or more computing systems to analyze the message using heuristics utilizing one or more feedback-based potential 419 message parameters obtained from actual 419 messages identified by historical applications of the process for identifying 419 messages in a live message stream;

if, as a result of the analysis of the message by the dynamic feedback-based heuristic filter stage, the message is determined to be a potential 419 message, removing the message from further processing by the computing system implemented process for identifying 419 messages in a live message stream;

if, as a result of the analysis of the message by the dynamic feedback-based heuristic filter stage, the message is not determined to be a potential 419 message, transferring the message to a 419 text-based heuristic filter stage, the 419 text-based heuristic filter stage using one or more processors associated with one or more computing systems to analyze the message using heuristics utilizing one or more text based 419 identification parameters;

if, as a result of the analysis of the message by the 419 text-based heuristic filter stage, the message is determined to be a potential 419 message, removing the message from further processing by the computing system implemented process for identifying 419 messages in a live message stream;

if, as a result of the analysis of the message by 419 text-based heuristic filter stage, the message is not determined to be a potential 419 message, transferring the message to one or more metadata creating heuristic filter stages, the one or more metadata creating heuristic filter stages using one or more processors associated with one or more computing systems to analyze the message and generate a metadata set including one or more metadata entries associated with the message;

transferring the message and the metadata set including one or more metadata entries associated with the message to a metadata analysis stage, the metadata analysis stage using one or more processors associated with one or more computing systems to analyze the metadata set including one or more metadata entries associated with the message using heuristics utilizing one or more metadata-based 419 message identification parameters;

if, as a result of the analysis of the message by the metadata analysis stage, the message is not determined to be a potential 419 message, removing the message from further processing by the computing system implemented process for identifying 419 messages in a live message stream;

if, as a result of the analysis of the message by the metadata analysis stage, the message is determined to be a potential 419 message, using one or more processors associated with one or more computing systems to transform data indicating a status of the message determined to be a potential 419 message to data indicating the message is a potential 419 message;

using one or more processors associated with one or more computing systems to analyze the potential 419 message to identify one or more potential 419 message parameters associated with the message;

using one or more processors associated with one or more computing systems to transform data representing the one or more potential 419 message parameters associated with the message to data representing one or more feedback-based 419 message parameters; and

using one or more processors associated with one or more computing systems to transfer the data representing one or more feedback-based 419 message parameters to the dynamic feedback-based heuristic filter stage of the anti-spam pipeline for use with one or more heuristics.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for identifying 419 messages in a live message stream whereby an incoming message in a live message stream is subjected to an anti-spam pipeline made up of multiple anti-spam stages or filters including a whitelist filter stage, a dynamic feedback-based heuristic filter stage, a 419 text-based heuristic filter stage, one or more metadata creating heuristic filter stages, and a metadata analysis stage. A message is removed from the live analysis of the anti-spam pipeline at any stage where the message is identified as either a potential 419 message or a potential legitimate message. Consequently, processing costs are minimized since no resources are used on messages that have already been classified as either a potential 419 message or a potential legitimate message. In addition, even when a given message is processed by the entire anti-spam pipeline, and the costs are incurred, the information obtained by the application of the entire anti-spam pipeline is used to supplement or update the dynamic feedback-based heuristic filter stage. Consequently, the cost of applying the entire anti-spam pipeline to a message is potentially offset by the valuable feedback results that are used to improve future processing speed and accuracy.

52 Citations

View as Search Results

20 Claims

1. A computing system implemented process for identifying 419 messages in a live message stream comprising:
- subjecting a message from a live message stream directed to a user computing system to an anti-spam pipeline, the anti-spam pipeline including;
  
  a dynamic feedback-based heuristic filter stage, the dynamic feedback-based heuristic filter stage using one or more processors associated with one or more computing systems to analyze the message using heuristics utilizing one or more feedback-based potential 419 message parameters obtained from actual 419 messages identified by historical applications of the process for identifying 419 messages in a live message stream;
  
  if, as a result of the analysis of the message by the dynamic feedback-based heuristic filter stage, the message is determined to be a potential 419 message, removing the message from further processing by the computing system implemented process for identifying 419 messages in a live message stream;
  
  if, as a result of the analysis of the message by the dynamic feedback-based heuristic filter stage, the message is not determined to be a potential 419 message, transferring the message to a 419 text-based heuristic filter stage, the 419 text-based heuristic filter stage using one or more processors associated with one or more computing systems to analyze the message using heuristics utilizing one or more text based 419 identification parameters;
  
  if, as a result of the analysis of the message by the 419 text-based heuristic filter stage, the message is determined to be a potential 419 message, removing the message from further processing by the computing system implemented process for identifying 419 messages in a live message stream;
  
  if, as a result of the analysis of the message by 419 text-based heuristic filter stage, the message is not determined to be a potential 419 message, transferring the message to one or more metadata creating heuristic filter stages, the one or more metadata creating heuristic filter stages using one or more processors associated with one or more computing systems to analyze the message and generate a metadata set including one or more metadata entries associated with the message;
  
  transferring the message and the metadata set including one or more metadata entries associated with the message to a metadata analysis stage, the metadata analysis stage using one or more processors associated with one or more computing systems to analyze the metadata set including one or more metadata entries associated with the message using heuristics utilizing one or more metadata-based 419 message identification parameters;
  
  if, as a result of the analysis of the message by the metadata analysis stage, the message is not determined to be a potential 419 message, removing the message from further processing by the computing system implemented process for identifying 419 messages in a live message stream;
  
  if, as a result of the analysis of the message by the metadata analysis stage, the message is determined to be a potential 419 message, using one or more processors associated with one or more computing systems to transform data indicating a status of the message determined to be a potential 419 message to data indicating the message is a potential 419 message;
  
  using one or more processors associated with one or more computing systems to analyze the potential 419 message to identify one or more potential 419 message parameters associated with the message;
  
  using one or more processors associated with one or more computing systems to transform data representing the one or more potential 419 message parameters associated with the message to data representing one or more feedback-based 419 message parameters; and
  
  using one or more processors associated with one or more computing systems to transfer the data representing one or more feedback-based 419 message parameters to the dynamic feedback-based heuristic filter stage of the anti-spam pipeline for use with one or more heuristics.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The computing system implemented process for identifying 419 messages in a live message stream of claim 1, wherein:
    - the message is an e-mail.
  - 3. The computing system implemented process for identifying 419 messages in a live message stream of claim 1, wherein:
    - at least one feedback-based potential 419 message parameter is selected from the group of feedback-based potential 419 message parameters consisting of;
      
      defined senders;
      
      defined sender systems;
      
      defined attached URLs;
      
      defined phone numbers;
      
      defined points of message origin;
      
      defined text; and
      
      defined formatting.
  - 4. The computing system implemented process for identifying 419 messages in a live message stream of claim 1, further comprising:
    - if, as a result of the analysis of the message by the dynamic feedback-based heuristic filter stage, the message is determined to be a potential 419 message, in addition to removing the message from further processing by the computing system implemented process for identifying 419 messages in a live message stream, data indicating a status of the message is transformed to data indicating a status of potential 419 message and the message is subjected to one or more protective actions.
  - 5. The computing system implemented process for identifying 419 messages in a live message stream of claim 4, wherein:
    - at least one of the one or more protective actions is selected from the group of protective actions consisting of;
      
      blocking the message from the user computing system;
      
      quarantining the message;
      
      performing further analysis of the message;
      
      labeling or tagging the message as spam/scam or potential spam/scam;
      
      redirection of the message to a specific address or location for further processing; and
      
      buffering the message.
  - 6. The computing system implemented process for identifying 419 messages in a live message stream of claim 1, wherein:
    - at least one text based 419 identification parameter is selected from the group of text based 419 identification parameters consisting of;
      
      typing errors and grammatical errors determined to be associated with 419 messages;
      
      defined words determined to be associated with 419 messages;
      
      defined phrases determined to be associated with 419 messages;
      
      defined phone numbers determined to be associated with 419 messages; and
      
      defined number or symbol sequences determined to be associated with 419 messages.
  - 7. The computing system implemented process for identifying 419 messages in a live message stream of claim 1, further comprising:
    - if, as a result of the analysis of the message by the 419 text-based heuristic filter stage, the message is determined to be a potential 419 message, in addition to removing the message from further processing by the computing system implemented process for identifying 419 messages in a live message stream, data indicating a status of the message is transformed to data indicating a status of potential 419 message and the message is subjected to one or more protective actions.

8. A computing system implemented process for identifying 419 messages in a live message stream comprising:
- subjecting a message from a live message stream directed to a user computing system to an anti-spam pipeline, the anti-spam pipeline including;
  
  a whitelist filter stage, the whitelist filter stage using one or more processors associated with one or more computing systems to analyze the message using heuristics utilizing one or more potential legitimate message parameters;
  
  if, as a result of the analysis of the message by the whitelist filter stage, the message is determined to be a potential legitimate message, removing the message from further processing by the computing system implemented process for identifying 419 messages in a live message stream;
  
  if, as a result of the analysis of the message by whitelist filter stage, the message is not determined to be a potential legitimate message, transferring the message to a dynamic feedback-based heuristic filter stage, the dynamic feedback-based heuristic filter stage using one or more processors associated with one or more computing systems to analyze the message using heuristics utilizing one or more feedback-based potential 419 message parameters obtained from actual 419 messages identified by historical applications of the process for identifying 419 messages in a live message stream;
  
  if, as a result of the analysis of the message by the dynamic feedback-based heuristic filter stage, the message is determined to be a potential 419 message, removing the message from further processing by the computing system implemented process for identifying 419 messages in a live message stream;
  
  if, as a result of the analysis of the message by the dynamic feedback-based heuristic filter stage, the message is not determined to be a potential 419 message, transferring the message to a 419 text-based heuristic filter stage, the 419 text-based heuristic filter stage using one or more processors associated with one or more computing systems to analyze the message using heuristics utilizing one or more text based 419 identification parameters;
  
  if, as a result of the analysis of the message by the 419 text-based heuristic filter stage, the message is determined to be a potential 419 message, removing the message from further processing by the computing system implemented process for identifying 419 messages in a live message stream;
  
  if, as a result of the analysis of the message by 419 text-based heuristic filter stage, the message is not determined to be a potential 419 message, transferring the message to one or more metadata creating heuristic filter stages, the one or more metadata creating heuristic filter stages using one or more processors associated with one or more computing systems to analyze the message and generate a metadata set including one or more metadata entries associated with the message;
  
  transferring the message and the metadata set including one or more metadata entries associated with the message to a metadata analysis stage, the metadata analysis stage using one or more processors associated with one or more computing systems to analyze the metadata set including one or more metadata entries associated with the message using heuristics utilizing one or more metadata-based 419 message identification parameters;
  
  if, as a result of the analysis of the message by the metadata analysis stage, the message is not determined to be a potential 419 message, removing the message from further processing by the computing system implemented process for identifying 419 messages in a live message stream;
  
  if, as a result of the analysis of the message by the metadata analysis stage, the message is determined to be a potential 419 message, using one or more processors associated with one or more computing systems to transform data indicating a status of the message determined to be a potential 419 message to data indicating the message is a potential 419 message;
  
  using one or more processors associated with one or more computing systems to analyze the potential 419 message to identify one or more potential 419 message parameters associated with the message;
  
  using one or more processors associated with one or more computing systems to transform data representing the one or more potential 419 message parameters associated with the message to data representing one or more feedback-based 419 message parameters; and
  
  using one or more processors associated with one or more computing systems to transfer the data representing one or more feedback-based 419 message parameters to the dynamic feedback-based heuristic filter stage of the anti-spam pipeline for use with one or more heuristics.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computing system implemented process for identifying 419 messages in a live message stream of claim 8, wherein:
    - at least one feedback-based potential 419 message parameter is selected from the group of feedback-based potential 419 message parameters consisting of;
      
      defined senders;
      
      defined sender systems;
      
      defined attached URLs;
      
      defined phone numbers;
      
      defined points of message origin;
      
      defined text; and
      
      defined formatting.
  - 10. The computing system implemented process for identifying 419 messages in a live message stream of claim 8, further comprising:
    - if, as a result of the analysis of the message by the dynamic feedback-based heuristic filter stage, the message is determined to be a potential 419 message, in addition to removing the message from further processing by the computing system implemented process for identifying 419 messages in a live message stream, data indicating a status of the message is transformed to data indicating a status of potential 419 message and the message is subjected to one or more protective actions.
  - 11. The computing system implemented process for identifying 419 messages in a live message stream of claim 10, wherein:
    - at least one of the one or more protective actions is selected from the group of protective actions consisting of;
      
      blocking the message from the user computing system;
      
      quarantining the message;
      
      performing further analysis of the message;
      
      labeling or tagging the message as spam/scam or potential spam/scam;
      
      redirection of the message to a specific address or location for further processing; and
      
      buffering the message.
  - 12. The computing system implemented process for identifying 419 messages in a live message stream of claim 8, wherein:
    - at least one potential legitimate message parameter is selected from the group of potential legitimate message parameters consisting of;
      
      text associated with vacation or out of office replies;
      
      text indicating the sender is unable to respond;
      
      addresses associated with known safe senders;
      
      attached URLs associated with known safe senders;
      
      phone numbers associated with known safe senders; and
      
      points of origin associated with known safe senders.
  - 13. The computing system implemented process for identifying 419 messages in a live message stream of claim 8, further comprising:
    - if, as a result of the analysis of the message by the whitelist filter stage, the message is determined to be a potential legitimate message, in addition to removing the message from further processing by the computing system implemented process for identifying 419 messages in a live message stream, data indicating a status of the message is transformed to data indicating a status of potential legitimate message.
  - 14. The computing system implemented process for identifying 419 messages in a live message stream of claim 8, wherein:
    - at least one text based 419 identification parameter is selected from the group of text based 419 identification parameters consisting of;
      
      typing errors and grammatical errors determined to be associated with 419 messages;
      
      defined words determined to be associated with 419 messages;
      
      defined phrases determined to be associated with 419 messages;
      
      defined phone numbers determined to be associated with 419 messages; and
      
      defined number or symbol sequences determined to be associated with 419 messages.

15. A system for identifying 419 messages in a live message stream comprising:
- a user computing system;
  
  a live message stream;
  
  a message in the live message stream directed to the user computing system; and
  
  one or more processors associated with one or more computing systems, the one or more processors implementing an anti-spam pipeline, the anti-spam pipeline including;
  
  a dynamic feedback-based heuristic filter stage, the dynamic feedback-based heuristic filter stage using one or more of the one or more processors associated with one or more computing systems to analyze the message using heuristics utilizing one or more feedback-based potential 419 message parameters obtained from actual 419 messages identified by historical uses of the anti-spam pipeline;
  
  a 419 text-based heuristic filter stage, the 419 text-based heuristic filter stage using one or more of the one or more processors associated with one or more computing systems to analyze the message using heuristics utilizing one or more text based 419 identification parameters; and
  
  one or more metadata creating heuristic filter stages, the one or more metadata creating heuristic filter stages using one or more of the one or more processors associated with one or more computing systems to analyze the message and generate a metadata set including one or more metadata entries associated with the message.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The system for identifying 419 messages in a live message stream of claim 15, wherein:
    - the message is an e-mail.
  - 17. The system for identifying 419 messages in a live message stream of claim 15, wherein:
    - at least one feedback-based potential 419 message parameter is selected from the group of feedback-based potential 419 message parameters consisting of;
      
      defined senders;
      
      defined sender systems;
      
      defined attached URLs;
      
      defined phone numbers;
      
      defined points of message origin;
      
      defined text; and
      
      defined formatting.
  - 18. The system for identifying 419 messages in a live message stream of claim 15, wherein:
    - at least one text based 419 identification parameter is selected from the group of text based 419 identification parameters consisting of;
      
      typing errors and grammatical errors determined to be associated with 419 messages;
      
      defined words determined to be associated with 419 messages;
      
      defined phrases determined to be associated with 419 messages;
      
      defined phone numbers determined to be associated with 419 messages; and
      
      defined number or symbol sequences determined to be associated with 419 messages.
  - 19. The system for identifying 419 messages in a live message stream of claim 15, wherein the anti-spam pipeline further comprises:
    - a whitelist filter stage implemented by one or more of the one or more processors associated with the one or more computing systems before the one or more metadata creating heuristic filter stages, the whitelist filter stage using one or more of the one or more processors associated with the one or more computing systems to analyze the message using heuristics utilizing one or more potential legitimate message parameters.
  - 20. The system for identifying 419 messages in a live message stream of claim 19, wherein:
    - at least one potential legitimate message parameter is selected from the group of potential legitimate message parameters consisting of;
      
      text associated with vacation or out of office replies;
      
      text indicating the sender is unable to respond;
      
      addresses associated with known safe senders;
      
      attached URLs associated with known safe senders;
      
      phone numbers associated with known safe senders; and
      
      points of origin associated with known safe senders.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Coomer, Graham
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Woldemariam, Nega

Application Number

US12/692,283
Time in Patent Office

949 Days
Field of Search

726/22, 726/23, 726/4, 726/16, 709/203, 709/206, 709217-228, 709/248, 713/150, 713/152
US Class Current

709/248
CPC Class Codes

G06Q 10/107 Computer-aided management o...

Method and system to detect and prevent e-mail scams

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

52 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system to detect and prevent e-mail scams

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

52 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links