Systems and methods for detecting email spam and variants thereof
Abstract
The present disclosure provides systems and methods for detecting email spam and variants thereof. The systems and methods are configured to detect spam messages and variations thereof for different senders and with slight differences within the message body. In an exemplary embodiment, an incoming message body (m) is converted to a sequence of successive word lengths (Sm): m->Sm, a comparison is performed between the sequence, Sm, and a plurality of stored sequences (Sk) of known spam messages, and the incoming message is flagged as spam based on the comparison. Further, the plurality of stored sequences, Sk, may be continually updated based on user feedback and other spam detection techniques. The systems and methods of the present invention may be implemented through a computer, such as a mail server, through a cloud-based security system, through a user's computer via a software agent, and the like.
15 Claims
1. A computer-implemented spam detection method, comprising:
- receiving an electronic mail message;
- converting the electronic mail message into a sequence;
- comparing the sequence with a plurality of sequences stored in a spam table;
- determining if the electronic mail message is spam responsive to the comparing step;
- determining the email message is not spam responsive to the comparing step, receiving an indication of spam related to the email message, and adding the sequence to the plurality of sequences in the spam table;
- creating an initial spam table comprising the plurality of sequences and an aging factor associated with each of the plurality of sequences;
- if the sequence is within a threshold of an edit distance of one of the plurality of sequences, resetting the aging factor for the one of the plurality of sequences; and
- periodically removing aged sequences in the plurality of sequences based on the aging factor.
Dependent claims: 2, 3, 4, 5, 6, 7, 8.
9. A spam detection system, comprising:
- a data store;
- a network interface communicatively coupled to a network;
- a processor, wherein the data store, the network interface, and the processor are communicatively coupled therebetween, and wherein the processor is configured to:
  - convert an email message body to a sequence of successive word lengths;
  - compute an edit distance between the sequence and each of a plurality of known spam sequences; and
  - flag the email message as spam based upon one of the edit distances being within a threshold;
  - determine the email message is not spam responsive to the comparing step, receive an indication of spam related to the email message, and add the sequence of successive word lengths to the plurality of known spam sequences;
  - receive or create an initial spam table comprising the plurality of known spam sequences and an aging factor associated with each of the plurality of known spam sequences;
  - if the sequence of successive word lengths is within a threshold of an edit distance of one of the plurality of sequences, reset the aging factor for the one of the plurality of known spam sequences; and
  - periodically remove aged sequences in the plurality of known spam sequences based on the aging factor.
Dependent claims: 10, 11, 12.
13. A network security system, comprising:
- a processing node communicatively coupled to a user and to an external network, wherein the processing node comprises a data store storing security policy data for the user, data inspection engines configured to perform threat detection classification on content to the user from the external network, and a manager communicatively coupled to the data store and the data inspection engines; and
- an authority node communicatively coupled to the processing node, wherein the authority node comprises a data store storing security policy data comprising a spam table;
- wherein the processing node and the authority node are configured to detect email spam and update the spam table based thereon;
- wherein the processing node is configured to:
  - receive an electronic mail message;
  - convert the electronic mail message into a sequence;
  - compare the sequence with a plurality of sequences stored in a spam table;
  - determine if the electronic mail message is spam responsive to the compare step;
  - determine the email message is not spam responsive to the comparing step, receive an indication of spam related to the email message, and add the sequence to the plurality of sequences in the spam table;
  - receive an initial spam table comprising the plurality of sequences and an aging factor associated with each of the plurality of sequences from the authority node;
  - if the sequence is within a threshold of an edit distance of one of the plurality of sequences, reset the aging factor for the one of the plurality of sequences; and
  - periodically remove aged sequences in the plurality of sequences based on the aging factor.
Dependent claims: 14, 15.
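The mechanism described in the abstract and the independent claims can be sketched as follows. This is an added illustration, not code from the patent: whitespace tokenization, the threshold of 2, the aging factor modeled as a count of purge cycles, and the names `SpamTable`, `report_spam`, `is_spam` and `purge` are all assumptions, and the sample messages are constructed.

```python
import re

# Constructed sample messages (not from the patent).
SPAM = "Cheap meds available now click here to order today"
VARIANT = "Ch3ap m3ds available now, click here to order 2day!!"
HAM = "Meeting moved to Thursday at noon please confirm"

def to_sequence(body):
    """m -> Sm: the sequence of successive word lengths of a message body."""
    return tuple(len(word) for word in re.findall(r"\S+", body))

def edit_distance(a, b):
    """Levenshtein distance between two length sequences (two-row DP)."""
    prev = list(range(len(b) + 1))
    for i, x in enumerate(a, 1):
        cur = [i]
        for j, y in enumerate(b, 1):
            cur.append(min(prev[j] + 1,              # delete x
                           cur[j - 1] + 1,           # insert y
                           prev[j - 1] + (x != y)))  # substitute
        prev = cur
    return prev[-1]

class SpamTable:
    """Known spam sequences Sk, each with an aging factor (assumed: purge cycles)."""
    def __init__(self, threshold=2, max_age=3):
        self.threshold = threshold  # assumed value; the claims only say "a threshold"
        self.max_age = max_age      # assumed purge cut-off
        self.ages = {}              # sequence -> cycles since last match

    def report_spam(self, body):
        """User feedback or another detector marked the message as spam."""
        self.ages[to_sequence(body)] = 0

    def is_spam(self, body):
        """Flag if within the threshold of any Sk; reset the aging factor on a hit."""
        seq, hit = to_sequence(body), False
        for known in self.ages:
            # A length gap larger than the threshold already rules out a match.
            if (abs(len(known) - len(seq)) <= self.threshold
                    and edit_distance(seq, known) <= self.threshold):
                self.ages[known] = 0
                hit = True
        return hit

    def purge(self):
        """Periodic job: age every sequence and drop those past max_age."""
        for known in list(self.ages):
            self.ages[known] += 1
            if self.ages[known] > self.max_age:
                del self.ages[known]
```

An absolute threshold is loose for very short messages, since any two short sequences sit within a few edits of each other; scaling the threshold with sequence length or enforcing a minimum length is a practical safeguard that the claims do not specify.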
Specification