Methods, systems, and computer program products for mitigating email address harvest attacks by positively acknowledging email to invalid email addresses

US 8,943,591 B2
Filed: 02/18/2013
Issued: 01/27/2015
Est. Priority Date: 12/10/2009
Status: Expired due to Fees

First Claim

Patent Images

1. A method of detecting and responding to an email address harvest attack at an Internet service provider email system, comprising:

counting a number of failed email address look-ups during a single simple mail transfer protocol session associated with an originating Internet protocol address;

responding to the originating Internet protocol address with a positive acknowledgement that an otherwise invalid email address exists when the count of the number of failed email address look-ups exceeds a threshold;

creating a fake email inbox for each otherwise invalid email address responded to with the positive acknowledgement, each fake email inbox having a spam folder associated therewith; and

processing email addressed to each fake email inbox using a spam filter.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of detecting and responding to an email address harvest attack at an Internet Service Provider (ISP) email system includes counting a number of failed email address look-ups during a single Simple Mail Transfer Protocol (SMTP) session associated with an originating Internet Protocol (IP) address and responding to the originating IP address with a positive acknowledgement that an otherwise invalid email address exists when the count of the number of failed email address look-ups exceeds a threshold.

Citations

17 Claims

1. A method of detecting and responding to an email address harvest attack at an Internet service provider email system, comprising:
- counting a number of failed email address look-ups during a single simple mail transfer protocol session associated with an originating Internet protocol address;
  
  responding to the originating Internet protocol address with a positive acknowledgement that an otherwise invalid email address exists when the count of the number of failed email address look-ups exceeds a threshold;
  
  creating a fake email inbox for each otherwise invalid email address responded to with the positive acknowledgement, each fake email inbox having a spam folder associated therewith; and
  
  processing email addressed to each fake email inbox using a spam filter.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein responding to the originating IP address with the positive acknowledgement comprises:
    - responding to the originating IP address with the positive acknowledgement that the otherwise invalid email address exists at a response percentage rate for subsequent failed email address look-ups responsive to the number of failed email address lookups exceeding the threshold.
  - 3. The method of claim 2, further comprising:
    - defining a plurality of email system categories ranging from a least likely to engage in an email address harvest attack to a most likely to engage in an email address harvest attack;
      
      determining which of the plurality of email system categories the originating Internet protocol address is associated with; and
      
      setting the threshold and the response percentage rate based on the email system category associated with the originating Internet protocol address.
  - 4. The method of claim 3, wherein the threshold is less for the email system categories more likely to engage in an email address harvest attack than the threshold is for the email system categories less likely to engage in an email address harvest attack and wherein the response percentage rate is greater for the email system categories more likely to engage in an email address harvest attack than the response percentage rate is for the email system categories less likely to engage in an email address harvest attack.
  - 5. The method of claim 1, further comprising:
    - storing email addressed to each fake email inbox in the fake email inbox when the email is not determined to be spam by the spam filter; and
      
      storing email addressed to each fake email inbox in the respective spam folder associated therewith that is determined to be spam by the spam folder.
  - 6. The method of claim 5, further comprising:
    - generating a new spam filtering signature as a result of processing email stored in each fake email inbox;
      
      applying the new spam filtering signature to email directed to valid email addresses on the Internet service provider email system; and
      
      moving any email directed to valid email addresses on the Internet service provider email system and determined to be spam due to application of the new spam filtering signature to respective spam folders associated with the valid email addresses.
  - 7. The method of claim 5, further comprising:
    - maintaining a count of email addressed to all fake email inboxes for the originating IP address;
      
      determining if the count of email addressed to all fake email inboxes for the originating Internet protocol address exceeds a spam blocking threshold; and
      
      blocking all communication traffic from the originating Internet protocol address when the count of email addressed to all fake email inboxes for the originating Internet protocol address exceeds a spam blocking threshold.
  - 8. The method of claim 1, further comprising:
    - processing email addressed to each fake email inbox using a virus filter.
  - 9. The method of claim 5, further comprising:
    - calculating a spam filtration rate for each fake email inbox by dividing a count of a number of email messages in the spam folder by a sum of the count of the number of email messages in the spam folder and a count of a number of messages in the associated fake email inbox.

10. An Internet service provider email system for detecting and responding to an email address harvest attack, comprising:
- a processor; and
  
  a memory coupled to the processor and comprising computer readable program code that when executed by the processor causes the processor to perform operations comprising;
  
  counting a number of failed email address look-ups during a single simple mail transfer protocol session associated with an originating Internet protocol address;
  
  responding to the originating Internet protocol address with a positive acknowledgement that an otherwise invalid email address exists when the count of the number of failed email address look-ups exceeds a threshold;
  
  creating a fake email inbox for each otherwise invalid email address responded to with the positive acknowledgement, each fake email inbox having a spam folder associated therewith; and
  
  processing email addressed to each fake email inbox using a spam filter.
- View Dependent Claims (11, 12, 13)
- - 11. The internet service provider system of claim 10, wherein responding to the originating IP address with the positive acknowledgement comprises:
    - responding to the originating IP address with the positive acknowledgement that the otherwise invalid email address exists at a response percentage rate for subsequent failed email address look-ups responsive to the number of failed email address lookups exceeding the threshold.
  - 12. The Internet service provider system of claim 11, wherein the operations further comprise:
    - defining a plurality of email system categories ranging from a least likely to engage in an email address harvest attack to a most likely to engage in an email address harvest attack;
      
      determining which of the plurality of email system categories the originating Internet protocol address is associated with; and
      
      setting the threshold and the response percentage rate based on the email system category associated with the originating Internet protocol address.
  - 13. The Internet service provider system of claim 12, wherein the threshold is less for the email system categories more likely to engage in an email address harvest attack than the threshold is for the email system categories less likely to engage in an email address harvest attack and wherein the response percentage rate is greater for the email system categories more likely to engage in an email address harvest attack than the response percentage rate is for the email system categories less likely to engage in an email address harvest attack.

14. A computer program product for detecting and responding to an email address harvest attack, comprising:
- a non-transitory computer readable storage medium having computer readable program code embodied in the computer readable storage medium that when executed by a processor causes a processor to perform operations comprising;
  
  counting a number of failed email address look-ups during a single simple mail transfer protocol session associated with an originating Internet protocol address;
  
  responding to the originating Internet protocol address with a positive acknowledgement that an otherwise invalid email address exists when the count of the number of failed email address look-ups exceeds a threshold;
  
  creating a fake email inbox for each otherwise invalid email address responded to with the positive acknowledgement, each fake email inbox having a spam folder associated therewith; and
  
  processing email addressed to each fake email inbox using a spam filter.
- View Dependent Claims (15, 16, 17)
- - 15. The computer program product of claim 14, wherein responding to the originating IP address with the positive acknowledgement comprises:
    - responding to the originating IP address with the positive acknowledgement that the otherwise invalid email address exists at a response percentage rate for subsequent failed email address look-ups responsive to the number of failed email address lookups exceeding the threshold.
  - 16. The computer program product of claim 15, wherein the operations further comprise:
    - defining a plurality of email system categories ranging from a least likely to engage in an email address harvest attack to a most likely to engage in an email address harvest attack;
      
      determining which of the plurality of email system categories the originating Internet protocol address is associated with; and
      
      setting the threshold and the response percentage rate based on the email system category associated with the originating Internet protocol address.
  - 17. The computer program product of claim 16, wherein the threshold is less for the email system categories more likely to engage in an email address harvest attack than the threshold is for the email system categories less likely to engage in an email address harvest attack and wherein the response percentage rate is greater for the email system categories more likely to engage in an email address harvest attack than the response percentage rate is for the email system categories less likely to engage in an email address harvest attack.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Original Assignee
AT&T Intellectual Property I LP (AT&T, Inc.)
Inventors
Wood, Stephen K.
Primary Examiner(s)
HERZOG, MADHURI R

Application Number

US13/769,638
Publication Number

US 20130160123A1
Time in Patent Office

708 Days
Field of Search

726/1, 726 22- 25, 713153-154, 713/188, 709217-229, 709238-245
US Class Current

726/23
CPC Class Codes

H04L 51/212   using filtering or selectiv...

H04L 51/48   Message addressing, e.g. ad...

H04L 63/1441   Countermeasures against mal...

H04L 63/1466   Active attacks involving in...

Methods, systems, and computer program products for mitigating email address harvest attacks by positively acknowledging email to invalid email addresses

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Methods, systems, and computer program products for mitigating email address harvest attacks by positively acknowledging email to invalid email addresses

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links