System and method for filtering fraudulent email messages

US 8,271,588 B1
Filed: 09/24/2004
Issued: 09/18/2012
Est. Priority Date: 09/24/2003
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

a computer system receiving fraudulent email messages from a known email provider, wherein the fraudulent email messages misrepresent their origins as being from the email provider, and wherein the email provider is a subscriber to an anti-fraud service associated with the computer system;

the computer system receiving, from the email provider, information specifying a first set of characteristics present in valid email messages of the email provider and a second set of characteristics that are never present in valid email messages of the email provider, wherein the second set of characteristics specify that a uniform resource locator (URL) in a body of an email message has a host name that differs from a host name of the email provider; and

based on the fraudulent email messages and the first and second sets of characteristics, the computer system creating a first filter specific to the email provider, wherein the first filter is usable to determine whether a subsequently received email message is an email message that misrepresents its origin as being the email provider.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for filtering fraudulent email messages are described. In one embodiment, a method includes receiving an email message, determining whether the email message is indicative of fraud, and creating a fraud filter based on the email message if the email message is fraudulent.

142 Citations

16 Claims

1. A method, comprising:
- a computer system receiving fraudulent email messages from a known email provider, wherein the fraudulent email messages misrepresent their origins as being from the email provider, and wherein the email provider is a subscriber to an anti-fraud service associated with the computer system;
  
  the computer system receiving, from the email provider, information specifying a first set of characteristics present in valid email messages of the email provider and a second set of characteristics that are never present in valid email messages of the email provider, wherein the second set of characteristics specify that a uniform resource locator (URL) in a body of an email message has a host name that differs from a host name of the email provider; and
  
  based on the fraudulent email messages and the first and second sets of characteristics, the computer system creating a first filter specific to the email provider, wherein the first filter is usable to determine whether a subsequently received email message is an email message that misrepresents its origin as being the email provider.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, wherein the first set of characteristics include one or more IP addresses that are present in valid email messages of the email provider, and wherein the first filter is usable to identify a subsequently received email message purporting to be from the email provider as a phishing email message in response to the subsequently received email message not including at least one of the identified one or more IP addresses.
  - 3. The method of claim 1, wherein the first filter is further created based on one or more general characteristics common to fraudulent email messages.
  - 4. The method of claim 1, further comprising:
    - the computer system using the first filter to determine that the subsequently received email message misrepresents its origin as being the email provider.
  - 5. The method of claim 1, further comprising:
    - the computer system transferring the first filter to one or more computing devices, wherein the first filter is usable by each of the one or more computing devices to determine whether subsequently received email messages are phishing email messages.
  - 6. The method of claim 1, wherein the first set of characteristics include one or more valid domain names present in valid email messages of the email provider.

7. An apparatus comprising:
- a processor;
  
  a memory including program instructions executable by the processor to;
  
  receive phishing email messages from an email provider, wherein the phishing email messages purport to be from the email provider, and wherein the email provider is a subscriber to an anti-fraud service associated with the system;
  
  receive, from the email provider, information specifying a first set of characteristics of valid email messages of the email provider and a second set of characteristics that are never present in valid email messages of the email provider, wherein the second set of characteristics specify that a uniform resource locator (URL) in a body of an email message has a host name that differs from a host name of the email provider;
  
  based on the phishing email messages and the first and second sets of characteristics, create a first filter specific to the email provider, wherein the first filter is usable to determine whether a subsequently received email message identified as being from the email provider is a phishing message.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The apparatus of claim 7, wherein the first filter is further created based on one or more general characteristics common to phishing email messages.
  - 10. The apparatus of claim 7, wherein the first set of characteristics include one or more uniform resource locators (URL) present in valid email messages of the email provider, and wherein the first filter is usable to identify the subsequently received email message as being a phishing message in response to the subsequently received email message including a URL that is not one of the identified one or more URLs.
  - 11. The apparatus of claim 7, wherein the first set of characteristics include one or more IP addresses that are present in valid email messages of the email provider.
  - 12. The apparatus of claim 7, wherein the program instructions are further executable to:
    - transfer the first filter to one or more computing devices, wherein the first filter is usable by each computing device to determine whether subsequently received email messages are phishing email messages.

8. A non-transitory computer-readable memory having stored thereon program instructions that, if executed by a processing system, cause said processing system to:
- receive fraudulent email messages from a known email provider, wherein the fraudulent email messages misrepresent their origins as being from the email provider, and wherein the email provider is a subscriber to an anti-fraud service associated with the processing system;
  
  receive, from the email provider, information specifying a first set of characteristics of valid email messages of the email provider and a second set of characteristics that are never present in valid email messages of the email provider, wherein the second set of characteristics specify that a uniform resource locator (URL) in a body of an email message has a host name that differs from a host name of the email provider;
  
  based on the fraudulent email messages and the first and second sets of characteristics, create a first filter specific to the email provider, wherein the first filter is usable to determine whether a subsequently received email message identified as purporting to be from the email provider is from another email provider.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The non-transitory computer-readable memory of claim 8, wherein the first set of characteristics include one or more email addresses of the email provider, and wherein the first filter is usable to determine that the subsequently received email message is from the other email provider in response to the subsequently received email message including an email address that is not one of the identified one or more email addresses.
  - 14. The non-transitory computer-readable memory of claim 8, wherein the first set of characteristics include a signature of a mailing device of valid email messages of the email provider, and wherein the first filter is usable to determine that the subsequently received email message is from the other email provider in response to the subsequently received email message not including the signature.
  - 15. The non-transitory computer-readable memory of claim 8, wherein the first set of characteristics include one or more domains present in valid email messages of the email provider, and wherein the first filter is configured to determine that the subsequently received email message is from the other email provider in response to the subsequently received email message including a domain that is not one of the identified one or more domains.
  - 16. The non-transitory computer-readable memory of claim 8, wherein the program instructions are further executable by the processing system to:
    - transfer the first filter to one or more computing devices, wherein the first filter is usable by each computing device to determine whether subsequently received email messages are phishing email messages.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Cowings, David, Jensen, Sanford, Schneider, Ken, Bruno, Mark, Morss, Dylan
Primary Examiner(s)
Bengzon, Greg C

Application Number

US10/949,465
Time in Patent Office

2,916 Days
Field of Search

709/206, 709/219, 709202-203, 709223-229, 709231-232, 709/200, 726 3- 6, 726 17- 19, 726 21- 30, 707/50, 705 42- 44, 705304-305, 705317-318
US Class Current

709/206
CPC Class Codes

G06Q 10/107   Computer-aided management o...

H04L 51/212   using filtering or selectiv...

H04L 63/1483   service impersonation, e.g....

System and method for filtering fraudulent email messages

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

142 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for filtering fraudulent email messages

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

142 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links