Reputation-based method and system for determining a likelihood that a message is undesired

US 8,527,592 B2
Filed: 10/31/2006
Issued: 09/03/2013
Est. Priority Date: 10/31/2006
Status: Active Grant

First Claim

Patent Images

1. A method, comprising the steps of:

receiving a plurality of tuples at a reputation engine operating on a computing device coupled to a network, each of said tuples comprising pre-selected set of identifiers relating to an origin of a message received at a server of a messaging system, wherein each tuple comprises an identifier that is deemed to be trusted by the reputation engine, each of said tuples having a different granularity of identification of the origin of the received message;

accessing, by the reputation engine, two or more reputation metrics in a database, each reputation metric associated with one of the plurality of tuples;

associating each of the plurality of tuples with a different, respective granularity of identification of the origin of the received message, wherein a tuple comprising a combination of a user identifier and an Internet Protocol (IP) address is assigned a higher granularity than a tuple comprising a combination of a domain name and an IP address;

calculating, at the reputation engine, a first value indicative of a likelihood that the received message is undesired using the two or more reputation metrics, wherein calculating the first value comprises overriding a first one of the two or more reputation metrics with a second one of the two or more reputation metrics, in response to the tuple of the second reputation metric being associated with a more finely grained identification of the origin of the received message than the tuple of the first reputation metric.

View all claims

15 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for providing a reputation service for use in messaging environments employs a reputation of compiled statistics, representing whether SPAM messages have previously been received from respective a selected set of identifiers for the origin of the message, in a decision making process for newly received messages. In a preferred embodiment, the set of identifiers includes the IP address, a tuple of the domain and IP address and a tuple of the user and IP address and the set of identifiers allows for a relatively fine grained set of reputation metrics to be compiled and used when making a determination of a likelihood as to whether a received message is undesired in accordance with the invention.

Citations

23 Claims

1. A method, comprising the steps of:
- receiving a plurality of tuples at a reputation engine operating on a computing device coupled to a network, each of said tuples comprising pre-selected set of identifiers relating to an origin of a message received at a server of a messaging system, wherein each tuple comprises an identifier that is deemed to be trusted by the reputation engine, each of said tuples having a different granularity of identification of the origin of the received message;
  
  accessing, by the reputation engine, two or more reputation metrics in a database, each reputation metric associated with one of the plurality of tuples;
  
  associating each of the plurality of tuples with a different, respective granularity of identification of the origin of the received message, wherein a tuple comprising a combination of a user identifier and an Internet Protocol (IP) address is assigned a higher granularity than a tuple comprising a combination of a domain name and an IP address;
  
  calculating, at the reputation engine, a first value indicative of a likelihood that the received message is undesired using the two or more reputation metrics, wherein calculating the first value comprises overriding a first one of the two or more reputation metrics with a second one of the two or more reputation metrics, in response to the tuple of the second reputation metric being associated with a more finely grained identification of the origin of the received message than the tuple of the first reputation metric.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 14, 15, 16, 17)
- - 2. The method according to claim 1, further comprising the steps of:
    - calculating a second value indicative of a likelihood that the received message is undesired without using the two or more reputation metrics; and
      
      updating the two or more respective reputation metrics using the second value.
  - 3. The method of claim 1, wherein the identifier that is deemed to be trusted by the reputation engine in one of the plurality of tuples is a portion of an Internet Protocol (IP) address of an originator of the received message.
  - 4. The method of claim 3, wherein one of the plurality of tuples comprises an IP address from which the received message originated;
    - the domain at which the message allegedly originated; and
      
      the user who allegedly originated the message.
  - 5. The method of claim 1, further comprising accessing a spoof metric indicative of a likelihood that one or more of the identifiers in the plurality of tuples is spoofed, wherein the first value is calculated using the spoof metric.
  - 6. The method of claim 1, wherein the messaging system is an email messaging system.
  - 7. The method of claim 1, wherein the messaging system is a Session Initiation Protocol (SIP)-based voice communication system.
  - 8. The method of claim 1, wherein one or more of the identifiers comprising the plurality of tuples are created using a one-way function.
  - 14. The method of claim 1, wherein a reputation metric associated with a tuple assigned a higher granularity contributes to the first value more than a reputation metric associated with a tuple assigned a lower granularity.
  - 15. The method of claim 1, wherein a reputation metric of a tuple is based upon a total of received messages corresponding to the tuple and a total of received messages corresponding to the tuple that have been identified as undesired.
  - 16. The method of claim 15, wherein the received message is associated with a tuple when the received message comprises the identifiers comprising the tuple.
  - 17. The method of claim 5, wherein one of the plurality of tuples comprises domain name and Internet Protocol (IP) address identifiers, and wherein the spoof metric is based upon whether a message has previously been received from the identified domain name and IP address.

9. A system, comprising:
- a reputation engine operating on a computing device and coupled to a network; and
  
  a message server coupled to the network and configured to provide a plurality of tuples to the reputation engine responsive to receiving a message, each of the tuples comprising a combination of pre-selected identifiers relating to an originator of the received message, wherein each tuple comprises an identifier that is deemed to be trusted by the reputation engine, and wherein each of said tuples is assigned a different granularity of identification of the originator of the received message;
  
  wherein the reputation engine is configured to access two or more reputation metrics in a database, each of the two or more reputation metrics corresponding to one of the plurality of tuples;
  
  wherein the reputation engine is configured to associate each of the two or more reputation metrics with a respective granularity of identification of the originator of the received message, wherein a tuple comprising a combination of a user identifier and an Internet Protocol (IP) address is assigned a higher granularity than a tuple comprising a combination of a domain name and an IP address, andwherein the reputation engine is configured to calculate a first value indicative of a likelihood that the received message is undesired using the two or more reputation metrics, wherein calculating the first value comprises overriding a first one of the two or more reputation metrics with a second one of the two or more reputation metrics, in response to the tuple of the second reputation metric being associated with a more finely grained identification of the origin of the received message than the tuple of the first reputation metric.
- View Dependent Claims (10, 11, 12, 13, 18, 19, 20, 21, 22)
- - 10. The system according to claim 9, wherein a second value indicative of a likelihood that the received message is undesired is calculated independently of the two or more reputation metrics, and wherein the reputation engine is configured to update the two or more reputation metrics using the second value.
  - 11. The system according to claim 9, wherein the pre-selected set of identifiers includes the Internet Protocol (IP) address from which the message was received, the domain from which the message was allegedly sent and the user who allegedly sent the message.
  - 12. The system according to claim 9, wherein at least some of the identifiers are created from message information by a one-way function.
  - 13. The system according to claim 9, wherein the messaging system is an email system.
  - 18. The system of claim 9, wherein a reputation metric associated with a tuple assigned a higher granularity contributes to the first value more than a reputation metric associated with a tuple assigned a lower granularity.
  - 19. The system of claim 9, wherein a reputation metric of a tuple is based upon a total of received messages corresponding to the tuple and a total of received messages corresponding to the tuple that have been identified as undesired.
  - 20. The system of claim 19, wherein the received message is associated with a tuple when the received message comprises the identifiers comprising the tuple.
  - 21. The system of claim 9, wherein the reputation engine is configured to calculate a spoof metric indicative of the likelihood that one or more of the identifiers in the plurality of tuples is spoofed, wherein the first value is calculated using the spoof metric.
  - 22. The system of claim 21, wherein one of the plurality of tuples comprises domain name and Internet Protocol (IP) address identifiers, and wherein the spoof metric is based upon whether a message has previously been received from the identified domain name and IP address.

23. A method, comprising:
- receiving a message through a network interface of a message server;
  
  accessing a plurality of identifiers indicative of the origin of the received message;
  
  forming a plurality of tuples from the identifiers, at a reputation engine operating on a computing device, each tuple comprising a combination of two or more of the identifiers, wherein one of the two or more identifiers is deemed to be that is deemed to be trusted by the reputation engine;
  
  assigning a different granularity to each of the plurality of tuples, wherein the granularity assigned to a tuple is indicative of a granularity of identification of the origin of the received message provided by the tuple, wherein a tuple comprising a combination of a user identifier and an Internet Protocol (IP) address is assigned a higher granularity than a tuple comprising a combination of a domain name and an IP address;
  
  accessing two or more reputation metrics in a database, each of the two or more reputation metrics being associated with one of the tuples; and
  
  calculating a likelihood that the received message is undesired using the two or more reputation metrics, wherein calculating the first value comprises overriding a first one of the two or more reputation metrics with a second one of the two or more reputation metrics, in response to the tuple of the second reputation metric being associated with a more finely grained identification of the origin of the received message than the tuple of the first reputation metric.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Borderware Technologies Incorporated (Gladiator Corporation)
Original Assignee
WatchGuard Technologies Incorporated (Gladiator Corporation)
Inventors
Gabe, Christopher John
Primary Examiner(s)
GOLDBERG, ANDREW C

Application Number

US11/554,746
Publication Number

US 20080104180A1
Time in Patent Office

2,499 Days
Field of Search

709/206
US Class Current

709/206
CPC Class Codes

G06Q 10/107   Computer-aided management o...

H04L 51/212   using filtering or selectiv...

H04L 63/1408   by monitoring network traff...

Reputation-based method and system for determining a likelihood that a message is undesired

First Claim

15 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

Reputation-based method and system for determining a likelihood that a message is undesired

First Claim

15 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links