System and method for protecting mail servers from mail flood attacks
1 Assignment
0 Petitions
Abstract
Most unsolicited commercial email (UCE) countermeasures call for a message by message analysis. However, some UCE attacks occur when a single sender of UCE floods a mail transfer agent (MTA) with a number of copies of a UCE, in a mail flood attack. The attacks rarely rise to the level of denial of service attacks but are significant enough to place a strain on MTAs and anti-UCE countermeasures. The anti-mail flood methodology disclosed herein provides a system and method for protecting mail systems from such mail flood attacks enabling anti-UCE countermeasures to work more efficiently.
20 Claims
1. A method for controlling electronic mail flood attacks comprising:

when an email request originated from a suspicious address class contained in a set of suspicious address classes, wherein the address class comprises a collection of at least one IP address, determining a count of active connections originating from the suspicious address class, determining a first interval of time since the count of connections has reached the predetermined number, and determining a second interval of time since a temporary failure was last issued to an email message originating from the suspicious address class; and

when at least one of a set of at least one failure criteria is met, issuing a temporary failure message to the email request, wherein the set of at least one failure criteria comprises a first criterion which is met when the count of active connections reaches a predetermined maximum number, a second criterion which is met when the first interval is less than a first predetermined interval of time, and a third criterion which is met when the second interval is less than a second predetermined interval of time.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9.
10. A system for controlling electronic mail flood attacks comprising:

a means for determining a count of active connections originating from a suspicious address class when an email request originated from a suspicious address class contained in a set of suspicious address classes, wherein the address class comprises a collection of at least one IP address; a means for determining a first interval of time since the count of connections has reached the predetermined number; a means for determining a second interval of time since a temporary failure was last issued to an email message originating from the suspicious address class; and

a means for issuing a temporary failure message to the email request; wherein the temporary failure message is issued when the email request originated from a suspicious address class and when at least one of a set of at least one failure criteria is met, issuing a temporary failure message to the email request, said set of at least one failure criteria comprises a first criterion which is met when the count of active connections reaches a predetermined maximum number, a second criterion which is met when the first interval is less than a first predetermined interval of time, and a third criterion which is met when the second interval is less than a second predetermined interval of time.

Dependent claims: 11, 12, 13, 14, 15, 16, 17, 18.
19. A network appliance comprising:

a module selected from the group consisting of a content filter, anti-virus means, anti-UCE means, anti-phishing means, POP server, IMAP server, webmail server and any combination thereof; and an anti-mail flood attack system comprising: a means for determining a count of active connections originating from a suspicious address class when an email request originated from a suspicious address class contained in a set of suspicious address classes, wherein the address class comprises a collection of at least one IP address; a means for determining a first interval of time since the count of connections has reached the predetermined number; a means for determining a second interval of time since a temporary failure was last issued to an email message originating from the suspicious address class; and a means for issuing a temporary failure message to the email request; wherein the temporary failure message is issued when the email request originated from a suspicious address class and when at least one of a set of at least one failure criteria is met, issuing a temporary failure message to the email request, said set of at least one failure criteria comprises a first criterion which is met when the count of active connections reaches a predetermined maximum number, a second criterion which is met when the first interval is less than a first predetermined interval of time, and a third criterion which is met when the second interval is less than a second predetermined interval of time.

Dependent claims: 20.
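The three independent claims (1, 10 and 19) describe the same decision: for a request from a suspicious address class, measure the active-connection count, the time since that count last reached the maximum, and the time since the last temporary failure, and issue a temporary failure if any of the three criteria holds. The following Python model is an added illustration of that decision logic; it is not code from the patent, its assignee or any mail product. It assumes that "the predetermined number" in the claims is the same value as the predetermined maximum, that the temporary failure is delivered as an SMTP 4xx reply (the claims do not fix the reply code or text), and it chooses its own tunables and sample address ranges, all marked in the comments.

```python
"""Connection-count mail-flood throttle modelled on the claims above.

Added illustration, not code from the patent or any product. The tunables,
reply strings and address classes are assumptions chosen for this example.
"""
import ipaddress
import math
from dataclasses import dataclass, field
from typing import Optional

TEMPFAIL_REPLY = "451 4.7.1 Try again later"   # assumed 4xx temporary failure
ACCEPT_REPLY = "220 mx.example.test ESMTP"      # assumed accept/greeting reply


@dataclass
class ClassState:
    """Per-address-class state the claims require the MTA to keep."""
    active: int = 0                           # active connections from the class
    reached_max_at: Optional[float] = None    # when `active` last reached the max
    last_tempfail_at: Optional[float] = None  # when a tempfail was last issued


@dataclass
class FloodGuard:
    suspicious: list                 # CIDR strings; each is one "address class"
    max_active: int = 5              # "predetermined maximum number" (assumed value)
    cooldown_secs: float = 60.0      # "first predetermined interval" (assumed value)
    tempfail_secs: float = 30.0      # "second predetermined interval" (assumed value)
    state: dict = field(default_factory=dict)

    def __post_init__(self):
        self.suspicious = [ipaddress.ip_network(n) for n in self.suspicious]

    def _class_for(self, ip):
        addr = ipaddress.ip_address(ip)
        for net in self.suspicious:
            if addr in net:
                return net
        return None

    def decide(self, ip, now):
        """Return (reply, accepted) for an email request from `ip` at time `now`."""
        net = self._class_for(ip)
        if net is None:
            return ACCEPT_REPLY, True  # not a suspicious class: claims impose no check
        st = self.state.setdefault(net, ClassState())
        since_max = math.inf if st.reached_max_at is None else now - st.reached_max_at
        since_fail = math.inf if st.last_tempfail_at is None else now - st.last_tempfail_at
        crit1 = st.active >= self.max_active        # count reached the maximum
        crit2 = since_max < self.cooldown_secs      # first interval too short
        crit3 = since_fail < self.tempfail_secs     # second interval too short
        if crit1 or crit2 or crit3:
            st.last_tempfail_at = now
            return TEMPFAIL_REPLY, False
        st.active += 1
        if st.active >= self.max_active:
            st.reached_max_at = now                 # start the first interval
        return ACCEPT_REPLY, True

    def release(self, ip):
        """A connection from `ip` closed; decrement its class's active count."""
        net = self._class_for(ip)
        if net is not None and net in self.state and self.state[net].active > 0:
            self.state[net].active -= 1


def demo():
    """Constructed burst from one suspicious /24; returns the accept decisions."""
    guard = FloodGuard(suspicious=["203.0.113.0/24"],      # constructed class
                       max_active=3, cooldown_secs=60.0, tempfail_secs=30.0)
    accepted = []
    for i in range(3):                                       # fills the quota
        accepted.append(guard.decide("203.0.113.10", float(i))[1])
    accepted.append(guard.decide("203.0.113.11", 3.0)[1])    # crit1: tempfail
    for _ in range(3):
        guard.release("203.0.113.10")                        # burst disconnects
    accepted.append(guard.decide("203.0.113.12", 10.0)[1])   # crit2/crit3: tempfail
    accepted.append(guard.decide("203.0.113.12", 100.0)[1])  # intervals elapsed: accept
    accepted.append(guard.decide("198.51.100.7", 3.0)[1])    # not suspicious: accept
    return accepted


if __name__ == "__main__":
    print(demo())
```

The second and third criteria are what make this more than a plain connection cap: after the burst disconnects at time 10 the count is back to zero, yet the request is still deferred because the class reached the maximum only 8 seconds earlier and received a temporary failure 7 seconds earlier. A legitimate sender retries after a 4xx, so the cost of a false positive is delay rather than loss, which is why the claims use a temporary rather than permanent failure.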
Specification