Methods, systems, and computer program products for mitigating email address harvest attacks by positively acknowledging email to invalid email addresses

US 8,381,291 B2
Filed: 12/10/2009
Issued: 02/19/2013
Est. Priority Date: 12/10/2009
Status: Expired due to Fees

First Claim

Patent Images

1. A method of detecting and responding to an email address harvest attack at an Internet service provider email system, comprising:

counting a number of failed email address look-ups during a single simple mail transfer protocol session associated with an originating Internet protocol address;

responding to the originating Internet protocol address with a positive acknowledgement that an otherwise invalid email address exists when the count of the number of failed email address look-ups exceeds a threshold;

creating a fake email inbox for each otherwise invalid email address responded to with the positive acknowledgement, each fake email inbox having a spam folder associated therewith; and

processing email addressed to each fake email inbox using a spam filter;

wherein responding to the originating Internet protocol address with the positive acknowledgement comprises;

responding to the originating Internet protocol address with the positive acknowledgement that the otherwise invalid email address exists at a response percentage rate for subsequent failed email address look-ups responsive to the number of failed email address lookups exceeding the threshold.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of detecting and responding to an email address harvest attack at an Internet Service Provider (ISP) email system includes counting a number of failed email address look-ups during a single Simple Mail Transfer Protocol (SMTP) session associated with an originating Internet Protocol (IP) address and responding to the originating IP address with a positive acknowledgement that an otherwise invalid email address exists when the count of the number of failed email address look-ups exceeds a threshold.

28 Citations

View as Search Results

15 Claims

1. A method of detecting and responding to an email address harvest attack at an Internet service provider email system, comprising:
- counting a number of failed email address look-ups during a single simple mail transfer protocol session associated with an originating Internet protocol address;
  
  responding to the originating Internet protocol address with a positive acknowledgement that an otherwise invalid email address exists when the count of the number of failed email address look-ups exceeds a threshold;
  
  creating a fake email inbox for each otherwise invalid email address responded to with the positive acknowledgement, each fake email inbox having a spam folder associated therewith; and
  
  processing email addressed to each fake email inbox using a spam filter;
  
  wherein responding to the originating Internet protocol address with the positive acknowledgement comprises;
  
  responding to the originating Internet protocol address with the positive acknowledgement that the otherwise invalid email address exists at a response percentage rate for subsequent failed email address look-ups responsive to the number of failed email address lookups exceeding the threshold.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - defining a plurality of email system categories ranging from a least likely to engage in an email address harvest attack to a most likely to engage in an email address harvest attack;
      
      determining which of the plurality of email system categories the originating Internet protocol address is associated with; and
      
      setting the threshold and the response percentage rate based on the email system category associated with the originating Internet protocol address.
  - 3. The method of claim 2, wherein the threshold is less for the email system categories more likely to engage in an email address harvest attack than the threshold is for the email system categories less likely to engage in an email address harvest attack and wherein the response percentage rate is greater for the email system categories more likely to engage in an email address harvest attack than the response percentage rate is for the email system categories less likely to engage in an email address harvest attack.
  - 4. The method of claim 1, further comprising:
    - storing email addressed to each fake email inbox in the fake email inbox when the email is not determined to be spam by the spam filter; and
      
      storing email addressed to each fake email inbox in the respective spam folder associated therewith that is determined to be spam by the spam folder.
  - 5. The method of claim 4, further comprising:
    - generating a new spam filtering signature as a result of processing email stored in each fake email inbox;
      
      applying the new spam filtering signature to email directed to valid email addresses on the Internet service provider email system; and
      
      moving any email directed to valid email addresses on the Internet service provider email system and determined to be spam due to application of the new spam filtering signature to respective spam folders associated with the valid email addresses.
  - 6. The method of claim 4, further comprising:
    - maintaining a count of email addressed to all fake email inboxes for the originating IP address;
      
      determining if the count of email addressed to all fake email inboxes for the originating Internet protocol address exceeds a spam blocking threshold; and
      
      blocking all communication traffic from the originating Internet protocol address when the count of email addressed to all fake email inboxes for the originating Internet protocol address exceeds a spam blocking threshold.
  - 7. The method of claim 1, farther comprising:
    - processing email addressed to each fake email inbox using a virus filter.
  - 8. The method of claim 4, further comprising:
    - calculating a spam filtration rate for each fake email inbox by dividing a count of a number of email messages in the spam folder by a sum of the count of the number of email messages in the spam folder and a count of a number of messages in the associated fake email inbox.

9. An Internet service provider email system for detecting and responding to an email address harvest attack, comprising:
- a data processing system to count a number of failed email address look-ups during a single simple mail transfer protocol session associated with an originating Internet protocol address, to respond to the originating Internet protocol address with a positive acknowledgement that an otherwise invalid email address exists when the count of the number of failed email address look-ups exceeds a threshold, to respond to the originating Internet protocol address with the positive acknowledgement that the otherwise invalid email address exists at a response percentage rate for subsequent failed email address look-ups responsive to the number of failed email address lookups exceeding the threshold, to create a fake email inbox for each otherwise invalid email address responded to with the positive acknowledgement, each fake email inbox having a spam folder associated therewith, to process email addressed to each fake email inbox using a spam filter, to store email addressed to each fake email inbox in the fake email inbox when the email is not determined to be spam by the spam filter, and to store email addressed to each fake email inbox in the respective spam folder associated therewith that is determined to be spam by the spam folder.
- View Dependent Claims (10, 11)
- - 10. The Internet service provider system of claim 9, wherein the data processing system is further to define a plurality of email system categories ranging from a least likely to engage in an email address harvest attack to a most likely to engage in an email address harvest attack, to determine which of the plurality of email system categories the originating Internet protocol address is associated with, and to set the threshold and the response percentage rate based on the email system category associated with the originating Internet protocol address.
  - 11. The Internet service provider system of claim 10, wherein the threshold is less for the email system categories more likely to engage in an email address harvest attack than the threshold is for the email system categories less likely to engage in an email address harvest attack and wherein the response percentage rate is greater for the email system categories more likely to engage in an email address harvest attack than the response percentage rate is for the email system categories less likely to engage in an email address harvest attack.

12. A computer program product for detecting and responding to an email address harvest attack, comprising:
- a non-transitory computer readable storage medium having computer readable program code embodied therein, the computer readable program code comprising;
  
  computer readable program code to count a number of failed email address look-ups during a single simple mail transfer protocol session associated with an originating Internet protocol address;
  
  computer readable program code to respond to the originating Internet protocol address with a positive acknowledgement that an otherwise invalid email address exists when the count of the number of failed email address look-ups exceeds a threshold;
  
  computer readable program code to create a fake email inbox for each otherwise invalid email address responded to with the positive acknowledgement, each fake email inbox having a spam folder associated therewith;
  
  computer readable program code to process email addressed to each fake email inbox using a spam filter;
  
  computer readable program code to store email addressed to each fake email inbox in the fake email inbox when the email is not determined to be spam by the spam filter; and
  
  computer readable program code to store email addressed to each fake email inbox in the respective spam folder associated therewith that is determined to be spam by the spam folder.
- View Dependent Claims (13, 14, 15)
- - 13. The computer program product of claim 12, further comprising:
    - computer readable program code to respond to the originating Internet protocol address with the positive acknowledgement that the otherwise invalid email address exists at a response percentage rate for subsequent failed email address look-ups responsive to the number of failed email address lookups exceeding the threshold.
  - 14. The computer program product of claim 13, further comprising:
    - computer readable program code to define a plurality of email system categories ranging from a least likely to engage in an email address harvest attack to a most likely to engage in an email address harvest attack;
      
      computer readable program code to determine which of the plurality of email system categories the originating Internet protocol address is associated with; and
      
      computer readable program code to set the threshold and the response percentage rate based on the email system category associated with the originating Internet protocol address.
  - 15. The computer program product of claim 14, wherein the threshold is less for the email system categories more likely to engage in an email address harvest attack than the threshold is for the email system categories less likely to engage in an email address harvest attack and wherein the response percentage rate is greater for the email system categories more likely to engage in an email address harvest attack than the response percentage rate is for the email system categories less likely to engage in an email address harvest attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Wood, Stephen K.
Primary Examiner(s)
ZIA, SYED

Application Number

US12/635,475
Publication Number

US 20110145922A1
Time in Patent Office

1,167 Days
Field of Search

None
US Class Current

726/22
CPC Class Codes

H04L 51/212   using filtering or selectiv...

H04L 51/48   Message addressing, e.g. ad...

H04L 63/1441   Countermeasures against mal...

H04L 63/1466   Active attacks involving in...

Methods, systems, and computer program products for mitigating email address harvest attacks by positively acknowledging email to invalid email addresses

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

28 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, systems, and computer program products for mitigating email address harvest attacks by positively acknowledging email to invalid email addresses

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

28 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links