Systems and methods of probing data transmissions for detecting spam bots

US 8,606,866 B2
Filed: 02/10/2011
Issued: 12/10/2013
Est. Priority Date: 02/10/2011
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented system for detecting spam bot activity, comprising:

computer hardware, including a processor, operating memory, nonvolatile data storage, and communications facilities;

a mail server module executable on the computer hardware and adapted to respond to electronic mail requests from a plurality of email clients via the communications facilities according to an email protocol that defines proper responses to commands or events, wherein in practice certain commands or events are relatively more common and certain commands or events are relatively less common;

a session handler module executable on the computer hardware and adapted to probe a first email client of the plurality of email clients during a communications session between the first email client and the mail server module that includes message transmissions from the first email client and from the mail server module, wherein the session handler module is further adapted to;

purposefully introduce at least one irregularity into a first message transmission from the mail server module during the communications session, and to monitor a subsequent message transmission from the first email client sent after the first message transmission, wherein the at least one irregularity represents a command or event to which the email protocol defines a proper response, and that is selected from among those certain commands or events that are relatively less common;

compare the subsequent message transmission against reference criteria, the reference criteria representing a proper response to the at least one irregularity according to the email protocol; and

produce a first reputability determination for the first email client based on an extent to which the subsequent message transmission from the first email client constituted a proper response to the at least one irregularity, the reputability determination being indicative of a likelihood that the first email client conducts spam bot activity.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computer-implemented system and method for detecting, by a mail server module, spam bot activity by a client device. An email session is conducted between the mail server module and the client device according to a predetermined protocol that includes exchange of messages between the mail server module and the client device. The mail server module probes compliance with the predetermined protocol including: purposefully introducing at least one irregularity into a first message from the mail server module; monitoring a subsequent message transmission from the client device; comparing the subsequent message against reference criteria; and producing a reputability determination for the client device based on an extent to which the subsequent message was a proper response to the at least one irregularity according to the predetermined protocol, the reputability determination being indicative of a likelihood that the client device conducts spam bot activity.

16 Citations

View as Search Results

20 Claims

1. A computer-implemented system for detecting spam bot activity, comprising:
- computer hardware, including a processor, operating memory, nonvolatile data storage, and communications facilities;
  
  a mail server module executable on the computer hardware and adapted to respond to electronic mail requests from a plurality of email clients via the communications facilities according to an email protocol that defines proper responses to commands or events, wherein in practice certain commands or events are relatively more common and certain commands or events are relatively less common;
  
  a session handler module executable on the computer hardware and adapted to probe a first email client of the plurality of email clients during a communications session between the first email client and the mail server module that includes message transmissions from the first email client and from the mail server module, wherein the session handler module is further adapted to;
  
  purposefully introduce at least one irregularity into a first message transmission from the mail server module during the communications session, and to monitor a subsequent message transmission from the first email client sent after the first message transmission, wherein the at least one irregularity represents a command or event to which the email protocol defines a proper response, and that is selected from among those certain commands or events that are relatively less common;
  
  compare the subsequent message transmission against reference criteria, the reference criteria representing a proper response to the at least one irregularity according to the email protocol; and
  
  produce a first reputability determination for the first email client based on an extent to which the subsequent message transmission from the first email client constituted a proper response to the at least one irregularity, the reputability determination being indicative of a likelihood that the first email client conducts spam bot activity.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1, wherein the email protocol is the SMTP protocol and wherein the mail server module is a SMTP server.
  - 3. The system of claim 1, wherein the at least one irregularity includes a time delay.
  - 4. The system of claim 1, wherein the proper response to the at least one irregularity includes delaying transmission by the first email client.
  - 5. The system of claim 1, wherein the at least one irregularity includes a SMTP reply code indicating an error.
  - 6. The system of claim 1, wherein the at least one irregularity includes a SMTP reply code indicating that a reply includes a multiple lines.
  - 7. The system of claim 1, wherein the at least one irregularity is an incomplete message.
  - 8. The system of claim 1, wherein the session handler module is further adapted to set the first reputability determination of the first email client based on a determination of a type of protocol used by the first email client.
  - 9. The system of claim 1, wherein the session handler module is further adapted to set the first reputability determination of the first email client based on a determination of a type of error produced by the first email client in response to the at least one irregularity.
  - 10. The system of claim 1, wherein the session handler module is further adapted to set the first reputability determination of the first email client based on a determination of a quantity of similar emails sent by the first email client.
  - 11. The system of claim 1, wherein the session handler module is further adapted to issue notification or corrective action to the first email client based on the first reputability determination.
  - 12. The system of claim 1, wherein the session handler module is further adapted to issue notification or corrective action to at least one email client other than the first email client based on the first reputability determination.

13. A computer-implemented method for detecting, by a mail server module,spam bot activity by a client device, the method comprising:
- conducting, by the mail server module, an email session with a client device, the email session being conducted according to a predetermined protocol and including exchange of messages between the mail server module and the client device, wherein the protocol defines proper responses to commands or events, wherein in practice certain commands or events are relatively more common and certain commands or events are relatively less common; and
  
  probing, by the mail server module, compliance with the predetermined protocol by the client device, including;
  
  purposefully introducing at least one irregularity into a first message from the mail server module, wherein the at least one irregularity represents a command or event to which the protocol defines a proper response, and that is selected from among those certain commands or events that are relatively less common;
  
  monitoring a subsequent message transmission from the client device, the subsequent message being sent after the first message;
  
  comparing the subsequent message against reference criteria, the reference criteria representing a proper response to the at least one irregularity according to the predetermined protocol; and
  
  producing a reputability determination for the client device based on an extent to which the subsequent message was a proper response to the at least one irregularity according to the predetermined protocol, the reputability determination being indicative of a likelihood that the client device conducts spam bot activity.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The method of claim 13, wherein conducting the email session according to a predetermined protocol includes conducting the email session according to the SMTP protocol.
  - 15. The method of claim 13, wherein introducing the at least one irregularity includes introducing a time delay.
  - 16. The method of claim 13, wherein introducing the at least one irregularity includes introducing a false indicator of an error occurring at the mail server module.
  - 17. The method of claim 13, wherein introducing the at least one irregularity includes introducing an irregularity for which a proper response is a time delay by the client device.
  - 18. The method of claim 13, wherein introducing the at least one irregularity includes sending an incomplete message.
  - 19. The method of claim 13, further comprising setting the reputability determination based on at least one additional parameter of the client device'"'"'s behavior during the email session.
  - 20. The method of claim 13, further comprising issuing a notification or corrective action to at least one client device based on the reputability determination.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lab A.O. Kaspersky
Original Assignee
Kaspersky Lab ZAO
Inventors
Rybalko, Roman V.
Primary Examiner(s)
Bruckart, Benjamin R
Assistant Examiner(s)
Abedin, Normin

Application Number

US13/024,905
Publication Number

US 20120210420A1
Time in Patent Office

1,034 Days
Field of Search

726/22, 726/24, 726/26, 726/20, 709/206
US Class Current

709/206
CPC Class Codes

H04L 51/212 using filtering or selectiv...

H04L 63/1408 by monitoring network traff...

Systems and methods of probing data transmissions for detecting spam bots

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

16 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods of probing data transmissions for detecting spam bots

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

16 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links