Systems and methods of probing data transmissions for detecting spam bots
Abstract
A computer-implemented system and method for detecting, by a mail server module, spam bot activity by a client device. An email session is conducted between the mail server module and the client device according to a predetermined protocol that includes exchange of messages between the mail server module and the client device. The mail server module probes compliance with the predetermined protocol including: purposefully introducing at least one irregularity into a first message from the mail server module; monitoring a subsequent message transmission from the client device; comparing the subsequent message against reference criteria; and producing a reputability determination for the client device based on an extent to which the subsequent message was a proper response to the at least one irregularity according to the predetermined protocol, the reputability determination being indicative of a likelihood that the client device conducts spam bot activity.
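The probing loop the abstract describes, as an added example that is not code from the patent: a simulated session handler injects two valid but uncommon SMTP replies and scores the client's next message against the proper responses. The two irregularities (rejecting EHLO so that the client must fall back to HELO, and a 451 temporary failure on RCPT), the reply texts, both client models and the score as the fraction of probes passed are assumptions of this example.

```python
# Added example; probes, reply texts and client models are assumptions.
def verb(line):
    parts = line.split()
    return parts[0].upper() if parts else ""

# (trigger verb, irregular reply to inject, verbs that are a proper next message)
PROBES = [
    ("EHLO", "502 5.5.1 EHLO not implemented", {"HELO", "QUIT"}),
    ("RCPT", "451 4.7.1 please try again later", {"RCPT", "RSET", "NOOP", "QUIT"}),
]
NORMAL = {"HELO": "250 mx.example", "MAIL": "250 OK", "RCPT": "250 OK",
          "RSET": "250 OK", "NOOP": "250 OK", "DATA": "354 end with ."}

def probe_session(client, max_turns=20):
    """Run one simulated session; return (score in [0, 1] or None, results)."""
    pending = {t: (reply, proper) for t, reply, proper in PROBES}
    awaiting, results, line = None, {}, ""
    reply = "220 mx.example ESMTP"
    for _ in range(max_turns):
        line = client(line, reply)        # client sees its last line + reply
        v = verb(line)
        if awaiting:                      # the message sent right after a probe
            results[awaiting[0]] = v in awaiting[1]   # reference criteria
            awaiting = None
        if v == "QUIT":
            break
        if v in pending:                  # inject each irregularity once
            reply, proper = pending.pop(v)
            awaiting = (v, proper)
        else:
            reply = NORMAL.get(v, "500 5.5.2 command unrecognized")
    score = sum(results.values()) / len(results) if results else None
    return score, results

def scripted_client(lines):
    # Constructed bot model: sends a fixed script and ignores every reply.
    it = iter(lines)
    return lambda prev, reply: next(it, "QUIT")

# Constructed compliant model: (next line on 2xx/3xx, next line on 4xx/5xx).
STEPS = {"": ("EHLO c.example", "QUIT"),
         "EHLO": ("MAIL FROM:<a@c.example>", "HELO c.example"),
         "HELO": ("MAIL FROM:<a@c.example>", "QUIT"),
         "MAIL": ("RCPT TO:<b@d.example>", "QUIT"),
         "RCPT": ("DATA", "QUIT")}

def compliant_client(prev, reply):
    ok, fail = STEPS.get(verb(prev), ("QUIT", "QUIT"))
    return ok if reply[0] in "23" else fail
```

A score of 1.0 means every probe drew a proper response; a client that replays a fixed script regardless of the replies scores 0.0.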
20 Claims
1. A computer-implemented system for detecting spam bot activity, comprising:
- computer hardware, including a processor, operating memory, nonvolatile data storage, and communications facilities;
- a mail server module executable on the computer hardware and adapted to respond to electronic mail requests from a plurality of email clients via the communications facilities according to an email protocol that defines proper responses to commands or events, wherein in practice certain commands or events are relatively more common and certain commands or events are relatively less common;
- a session handler module executable on the computer hardware and adapted to probe a first email client of the plurality of email clients during a communications session between the first email client and the mail server module that includes message transmissions from the first email client and from the mail server module, wherein the session handler module is further adapted to:
  - purposefully introduce at least one irregularity into a first message transmission from the mail server module during the communications session, and to monitor a subsequent message transmission from the first email client sent after the first message transmission, wherein the at least one irregularity represents a command or event to which the email protocol defines a proper response, and that is selected from among those certain commands or events that are relatively less common;
  - compare the subsequent message transmission against reference criteria, the reference criteria representing a proper response to the at least one irregularity according to the email protocol; and
  - produce a first reputability determination for the first email client based on an extent to which the subsequent message transmission from the first email client constituted a proper response to the at least one irregularity, the reputability determination being indicative of a likelihood that the first email client conducts spam bot activity.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12
13. A computer-implemented method for detecting, by a mail server module, spam bot activity by a client device, the method comprising:
- conducting, by the mail server module, an email session with a client device, the email session being conducted according to a predetermined protocol and including exchange of messages between the mail server module and the client device, wherein the protocol defines proper responses to commands or events, wherein in practice certain commands or events are relatively more common and certain commands or events are relatively less common; and
- probing, by the mail server module, compliance with the predetermined protocol by the client device, including:
  - purposefully introducing at least one irregularity into a first message from the mail server module, wherein the at least one irregularity represents a command or event to which the protocol defines a proper response, and that is selected from among those certain commands or events that are relatively less common;
  - monitoring a subsequent message transmission from the client device, the subsequent message being sent after the first message;
  - comparing the subsequent message against reference criteria, the reference criteria representing a proper response to the at least one irregularity according to the predetermined protocol; and
  - producing a reputability determination for the client device based on an extent to which the subsequent message was a proper response to the at least one irregularity according to the predetermined protocol, the reputability determination being indicative of a likelihood that the client device conducts spam bot activity.

Dependent claims: 14, 15, 16, 17, 18, 19, 20
Specification