Stopping and remediating outbound messaging abuse
First Claim
1. A method, comprising:
- modeling a subscriber account to construct a subscriber profile based, at least in part, on behavior data extracted from a plurality of messages originated via the subscriber account, wherein the presence of antivirus software installed on a computer positively affects reputation data associated with the subscriber profile, the subscriber profile including a metric totaled by a predetermined time interval;
- detecting, at a gateway that includes a processor and a memory, a deviation from the subscriber profile by applying a content filter to an outbound message originated via the subscriber account, the content filter including a selected one of a group of first filters, the group of first filters consisting of a virus filter and a phishing filter;
- determining a reputation score based, at least in part, on the deviation;
- determining a disposition for the outbound message, based, at least in part, on the reputation score; and
- redirecting a subsequent outbound message originated via the subscriber account to a relay pool, in response to a determination that the reputation score is lower than a predetermined threshold.
Abstract
Systems and methods are provided for allowing subscriber message sending profiles to be maintained and used in conjunction with behavior-based anomaly detection techniques and traditional content-based spam signature filtering to enable application of appropriate message disposition policies to outbound subscriber message traffic. According to one embodiment, subscriber profiles are constructed for multiple subscriber accounts associated with a service provider based on outbound message flow originated from the subscriber accounts. Then, possible subscriber account misuse may be discovered by performing behavior-based anomaly detection, including a comparison of a subscriber profile associated with the subscriber account with recent subscriber account usage information, to identify one or more behavioral anomalies in outbound message flow originated from a subscriber account, the behavior-based anomaly detection.
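The pipeline described in the abstract and the first claim (a per-subscriber profile with a metric totaled per interval, deviation detection, a reputation score, a disposition, and redirection of later mail to a relay pool) can be sketched as follows. This is an added example, not code from the patent; the weights, the threshold, the dispositions, the pool names and the flag-based stand-in for the virus and phishing filters are all assumptions.

```python
from dataclasses import dataclass, field

INTERVAL = 3600                 # assumed: profile metric is totaled per hour
THRESHOLD = 30.0                # assumed reputation threshold
PRIMARY, RESTRICTED = "primary-relay", "restricted-relay"   # hypothetical pool names

@dataclass
class Profile:
    has_antivirus: bool = False
    sent: dict = field(default_factory=dict)   # interval bucket -> messages sent
    pool: str = PRIMARY
    reputation: float = 50.0                   # assumed starting score

    def __post_init__(self):
        if self.has_antivirus:                 # AV presence raises reputation
            self.reputation += 10.0

    def baseline(self, bucket):
        # Mean messages per interval over all earlier intervals, or None if no history.
        past = [n for b, n in self.sent.items() if b < bucket]
        return sum(past) / len(past) if past else None

def content_hits(msg):
    # Stand-in for real virus/phishing engines: reads flags on the constructed message.
    return [f for f in ("virus", "phishing") if msg.get(f)]

def handle(profile, msg):
    """Score one outbound message; return (disposition, relay pool used for it)."""
    route = profile.pool                       # a redirect only affects subsequent mail
    bucket = msg["ts"] // INTERVAL
    profile.sent[bucket] = profile.sent.get(bucket, 0) + 1
    base = profile.baseline(bucket)
    hits = content_hits(msg)
    spike = base is not None and profile.sent[bucket] > 3 * base
    profile.reputation -= 25.0 * len(hits) + (10.0 if spike else 0.0)
    if hits:
        disposition = "quarantine"
    elif profile.reputation < THRESHOLD:
        disposition = "rate-limit"
    else:
        disposition = "deliver"
    if profile.reputation < THRESHOLD:         # below threshold: move account to the other pool
        profile.pool = RESTRICTED
    return disposition, route

def run(has_antivirus):
    # Constructed traffic: two clean messages, one phishing hit, then one clean message.
    p = Profile(has_antivirus=has_antivirus)
    msgs = [{"ts": 10}, {"ts": 20}, {"ts": 3700, "phishing": True}, {"ts": 3800}]
    return [handle(p, m) for m in msgs], p.reputation
```

With these assumed weights, the account without antivirus drops below the threshold after a single phishing hit and its next message leaves through the restricted pool, while the account with antivirus stays on the primary pool.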
19 Claims
1. A method, comprising:
- modeling a subscriber account to construct a subscriber profile based, at least in part, on behavior data extracted from a plurality of messages originated via the subscriber account, wherein the presence of antivirus software installed on a computer positively affects reputation data associated with the subscriber profile, the subscriber profile including a metric totaled by a predetermined time interval;
- detecting, at a gateway that includes a processor and a memory, a deviation from the subscriber profile by applying a content filter to an outbound message originated via the subscriber account, the content filter including a selected one of a group of first filters, the group of first filters consisting of a virus filter and a phishing filter;
- determining a reputation score based, at least in part, on the deviation;
- determining a disposition for the outbound message, based, at least in part, on the reputation score; and
- redirecting a subsequent outbound message originated via the subscriber account to a relay pool, in response to a determination that the reputation score is lower than a predetermined threshold.
Dependent claims: 2, 3
4. A gateway, comprising:
- a processor; and
- a memory coupled to the processor, wherein the gateway is configured to model a subscriber account to construct a subscriber profile based, at least in part, on behavior data extracted from a plurality of messages originated via the subscriber account, wherein the presence of antivirus software installed on a computer positively affects reputation data associated with the subscriber profile, the subscriber profile including a metric totaled by a predetermined time interval;
- detect a deviation from the subscriber profile by applying a content filter to an outbound message originated via the subscriber account, the content filter including a selected one of a group of first filters, the group of first filters consisting of a virus filter and a phishing filter;
- determine a reputation score based, at least in part, on the deviation;
- determine a disposition for the outbound message, based, at least in part, on the reputation score; and
- redirect a subsequent outbound message originated via the subscriber account to a relay pool, in response to a determination that the reputation score is lower than a predetermined threshold.
Dependent claims: 5, 6, 7, 8, 9, 10, 18
11. Logic, encoded in non-transitory media, that includes instructions for execution and that, when executed by a processor, is operable to perform operations comprising:
- modeling a subscriber account to construct a subscriber profile;
- detecting a deviation from the subscriber profile by applying a content filter to an outbound message originated via the subscriber account, wherein the subscriber profile is based, at least in part, on behavior data extracted from a plurality of messages originated via the subscriber account, and the presence of antivirus software installed on a computer positively affects reputation data associated with the subscriber profile, the content filter including a selected one of a group of first filters, the group of first filters consisting of a virus filter and a phishing filter, the subscriber profile including a metric totaled by a predetermined time interval;
- determining a reputation score based, at least in part, on the deviation;
- determining a disposition for the outbound message, based, at least in part, on the reputation score; and
- redirecting a subsequent outbound message originated via the subscriber account to a relay pool, in response to a determination that the reputation score is lower than a predetermined threshold.
Dependent claims: 12, 13, 14, 15, 16, 17, 19
Specification