Message classification based on likelihood of spoofing
Abstract
A technique for classifying a message is disclosed. The technique includes determining the domain from which the message is purported to be sent, determining an IP address from which the message was relayed at some point in its transmission, associating the domain with the IP address, and classifying the message based on the associated domain and IP address.
31 Claims
1. A method of classifying a message transmitted over a network, the method comprising:
  maintaining a reputation table in memory, the reputation table including information regarding a plurality of address-domain pairs, each of the plurality of address-domain pairs indicating an IP address and an associated domain of a previously received message, the information regarding each of the plurality of address-domain pairs including a score based on one or more classification variables, the one or more classification variables decaying with time;
  receiving the message transmitted over the network and addressed to a recipient; and
  executing instructions stored in a non-transitory computer readable storage medium to;
    determine an associated domain from which the received message is purported to be sent,
    identify that the determined domain appears on a whitelist associated with the recipient,
    determine an IP address corresponding to a device from which the received message was relayed,
    associate the determined domain with the IP address to create an address-domain pair for the received message;
    assign a score to the received message, the score comprising a ratio of a first classification variable of the address-domain pair to a second classification variable of the address-domain pair as indicated by the reputation table, wherein the score is indicative of spam;
    determine whether the domain has been spoofed based on whether a common classification appears across a plurality of IP addresses associated with the domain, wherein;
      the domain is determined not to be spoofed if the received message is on the whitelist but has common spam classification appearing across the plurality of IP addresses, and
      the domain is determined to be spoofed if the received message is on the whitelist but has different classifications appearing across the plurality of IP addresses, and
    classify the received message based on the determination whether the domain has been spoofed, wherein
      the spam score is overridden and the received message is classified as good in accordance with the whitelist, the good classification based on the determination that the domain has not been spoofed, and
      the whitelist is overridden and the received message is classified as spam in accordance with the spam score assigned to the address-domain pair, the spam classification based on different classifications appearing across the plurality of IP addresses associated with the determination that the domain has been spoofed.

31. A non-transitory computer-readable storage medium having embodied thereon a program, the program being executable by a processor to perform a method for classifying a message transmitted over a network the method comprising:
  determining an associated domain from which a received message is purported to be sent;
  identifying that the determined domain appears on a whitelist associated with a recipient of the received message,
  determining an IP address from which the received message was relayed;
  associating the determined domain with the IP address to create an address-domain pair for the received message;
  assigning a score to the received message, the score indicative of spam and comprising a ratio of a first classification variable of the address-domain pair to a second classification variable of the address-domain pair, the first classification variable and the second classification variable indicated by a reputation table including information regarding a plurality of address-domain pairs, each of the plurality of address-domain pairs indicating an IP address and an associated domain of a previously received message, the information regarding each of the plurality of address-domain pairs including a score based on one or more classification variables, the one or more classification variables decaying with time,
  determining whether the domain has been spoofed based on whether a common classification appears across a plurality of IP addresses associated with the domain, wherein;
    the domain is determined not to be spoofed if the received message is on the whitelist but has common spam classification appearing across the plurality of IP addresses, and
    the domain is determined to be spoofed if the received message is on the whitelist but has different classifications appearing across the plurality of IP addresses, and
  classifying the received message based on the determination whether the domain has been spoofed, wherein;
    the spam score is overridden and the received message is classified as good in accordance with the whitelist, the good classification based on the determination that the domain has not been spoofed, and
    the whitelist is overridden and the received message is classified as spam in accordance with the spam score assigned to the address-domain pair, the spam classification based on the determination that the domain has been spoofed.
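The classification logic of claims 1 and 31, sketched as an added Python example that is not taken from the patent. The exponential half-life decay, the 0.5 threshold, the choice of spam count and total count as the two classification variables, the "unknown" label for unseen pairs, and all sample addresses and domains are assumptions constructed for illustration.

```python
from collections import defaultdict

HALF_LIFE = 30 * 86400.0  # assumption: exponential decay, 30-day half-life
SPAM_THRESHOLD = 0.5      # assumption: ratio at or above this means spam

class ReputationTable:
    """Decaying spam/total counters keyed by (relay IP, purported domain)."""
    def __init__(self):
        self.pairs = defaultdict(lambda: [0.0, 0.0, 0.0])  # spam, total, last update

    def _decay(self, key, now):
        # Timestamps are assumed to be non-decreasing per pair.
        spam, total, last = self.pairs[key]
        f = 0.5 ** (max(now - last, 0.0) / HALF_LIFE)
        self.pairs[key] = [spam * f, total * f, now]
        return self.pairs[key]

    def record(self, ip, domain, is_spam, now):
        entry = self._decay((ip, domain), now)
        entry[0] += 1.0 if is_spam else 0.0
        entry[1] += 1.0

    def score(self, ip, domain, now):
        """Ratio of the first variable (spam count) to the second (total count)."""
        if (ip, domain) not in self.pairs:
            return None
        spam, total, _ = self._decay((ip, domain), now)
        return spam / total if total > 0 else None

    def is_spoofed(self, domain, now):
        """Spoofed when the domain's relay IPs disagree on classification."""
        scores = [self.score(ip, d, now) for ip, d in list(self.pairs) if d == domain]
        return len({s >= SPAM_THRESHOLD for s in scores if s is not None}) > 1

def classify(table, ip, domain, whitelist, now):
    score = table.score(ip, domain, now)
    by_score = "unknown" if score is None else ("spam" if score >= SPAM_THRESHOLD else "good")
    if domain not in whitelist:
        return by_score
    # Whitelisted: the whitelist wins unless the domain looks spoofed,
    # in which case the pair's own score overrides the whitelist.
    return by_score if table.is_spoofed(domain, now) else "good"

def demo(now=1_000_000.0):
    t = ReputationTable()  # constructed history, documentation-range addresses
    history = [("192.0.2.10", "example.com", False, 20), ("198.51.100.7", "example.com", True, 15),
               ("192.0.2.20", "example.org", True, 8), ("203.0.113.5", "example.org", True, 6)]
    for ip, dom, is_spam, n in history:
        for i in range(n):
            t.record(ip, dom, is_spam, now - 3600.0 * (n - i))
    wl = {"example.com", "example.org"}
    probes = [("192.0.2.10", "example.com"), ("198.51.100.7", "example.com"), ("192.0.2.20", "example.org")]
    return [classify(t, ip, d, wl, now) for ip, d in probes]
```

In the constructed history, `example.com` has relays that disagree, so the whitelist is overridden for the spam-scoring relay only, while `example.org` scores as spam from every relay and is therefore kept as good by the whitelist.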