Stopping and remediating outbound messaging abuse

US 9,210,111 B2
Filed: 12/25/2012
Issued: 12/08/2015
Est. Priority Date: 02/28/2005
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

modeling a subscriber account to construct a subscriber profile based, at least in part, on behavior data extracted from a plurality of messages originated via the subscriber account, wherein the presence of antivirus software installed on a computer positively affects reputation data associated with the subscriber profile, the subscriber profile including a metric totaled by a predetermined time interval;

detecting, at a gateway that includes a processor and a memory, a deviation from the subscriber profile by applying a content filter to an outbound message originated via the subscriber account, the content filter including a selected one of a group of first filters, the group of first filters consisting of a virus filter and a phishing filter;

determining a reputation score based, at least in part, on the deviation;

determining a disposition for the outbound message, based, at least in part, on the reputation score; and

redirecting a subsequent outbound message originated via the subscriber account to a relay pool, in response to a determination that the reputation score is lower than a predetermined threshold.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods are provided for allowing subscriber message sending profiles to be maintained and used in conjunction with behavior-based anomaly detection techniques and traditional content-based spam signature filtering to enable application of appropriate message disposition policies to outbound subscriber message traffic. According to one embodiment, subscriber profiles are constructed for multiple subscriber accounts associated with a service provider based on outbound message flow originated from the subscriber accounts. Then, possible subscriber account misuse may be discovered by performing behavior-based anomaly detection, including a comparison of a subscriber profile associated with the subscriber account with recent subscriber account usage information, to identify one or more behavioral anomalies in outbound message flow originated from a subscriber account, the behavior-based anomaly detection.

244 Citations

19 Claims

1. A method, comprising:
- modeling a subscriber account to construct a subscriber profile based, at least in part, on behavior data extracted from a plurality of messages originated via the subscriber account, wherein the presence of antivirus software installed on a computer positively affects reputation data associated with the subscriber profile, the subscriber profile including a metric totaled by a predetermined time interval;
  
  detecting, at a gateway that includes a processor and a memory, a deviation from the subscriber profile by applying a content filter to an outbound message originated via the subscriber account, the content filter including a selected one of a group of first filters, the group of first filters consisting of a virus filter and a phishing filter;
  
  determining a reputation score based, at least in part, on the deviation;
  
  determining a disposition for the outbound message, based, at least in part, on the reputation score; and
  
  redirecting a subsequent outbound message originated via the subscriber account to a relay pool, in response to a determination that the reputation score is lower than a predetermined threshold.
- View Dependent Claims (2, 3)
- - 2. The method of claim 1, wherein the plurality of messages are e-mail messages.
  - 3. The method of claim 1, wherein the reputation score is included in the subscriber profile and is based on reputation data associated with e-mailing activities via the subscriber account.

4. A gateway, comprising:
- a processor; and
  
  a memory coupled to the processor, wherein the gateway is configured tomodel a subscriber account to construct a subscriber profile based, at least in part, on behavior data extracted from a plurality of messages originated via the subscriber account, wherein the presence of antivirus software installed on a computer positively affects reputation data associated with the subscriber profile, the subscriber profile including a metric totaled by a predetermined time interval;
  
  detect a deviation from the subscriber profile by applying a content filter to an outbound message originated via the subscriber account, the content filter including a selected one of a group of first filters, the group of first filters consisting of a virus filter and a phishing filter;
  
  determine a reputation score based, at least in part, on the deviation;
  
  determine a disposition for the outbound message, based, at least in part, on the reputation score; and
  
  redirect a subsequent outbound message originated via the subscriber account to a relay pool, in response to a determination that the reputation score is lower than a predetermined threshold.
- View Dependent Claims (5, 6, 7, 8, 9, 10, 18)
- - 5. The gateway of claim 4, wherein the gateway is further configured to combine reputation data generated from the outbound message with reputation data included in the subscriber profile to determine whether an action is to be taken for the subscriber account.
  - 6. The gateway of claim 5, wherein the action includes a selected one of a group of actions, the group of actions consisting of:
    - a) redirecting subsequent e-mail messages originated via the subscriber account to a relay pool;
      
      b) reducing at least one privilege associated with the subscriber account; and
      
      c) lowering a trustworthiness rating for the subscriber account.
  - 7. The gateway of claim 4, wherein the gateway is further configured to determine a message disposition based on a content filter for the outbound message, and the content filter includes a selected one of a group of second filters, the group of second filters consisting of:
    - a) a spam filter; and
      
      b) a throttle filter.
  - 8. The gateway of claim 4, wherein the gateway is further configured to provide web-based access to a plurality of e-mail message disposition policies via a graphical user interface.
  - 9. The gateway of claim 8, wherein the graphical user interface is configured to provide notifications, alerts, and traffic reports associated with e-mail traffic.
  - 10. The gateway of claim 4, wherein the plurality of messages are e-mail messages, and the reputation score is included in the subscriber profile and is based on reputation data associated with e-mailing activities via the subscriber account.
  - 18. The gateway of claim 4, wherein the disposition is a selected one of a group of dispositions, the group of dispositions consisting of:
    - a denial of the outbound message and an addition of a blind carbon copy (bcc) recipient to the outbound message.

11. Logic, encoded in non-transitory media, that includes instructions for execution and that, when executed by a processor, is operable to perform operations comprising:
- modeling a subscriber account to construct a subscriber profile;
  
  detecting a deviation from the subscriber profile by applying a content filter to an outbound message originated via the subscriber account, wherein the subscriber profile is based, at least in part, on behavior data extracted from a plurality of messages originated via the subscriber account, and the presence of antivirus software installed on a computer positively affects reputation data associated with the subscriber profile, the content filter including a selected one of a group of first filters, the group of first filters consisting of a virus filter and a phishing filter, the subscriber profile including a metric totaled by a predetermined time interval;
  
  determining a reputation score based, at least in part, on the deviation;
  
  determining a disposition for the outbound message, based, at least in part, on the reputation score; and
  
  redirecting a subsequent outbound message originated via the subscriber account to a relay pool, in response to a determination that the reputation score is lower than a predetermined threshold.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 19)
- - 12. The logic of claim 11, wherein the plurality of messages are e-mail messages, and the reputation score is included in the subscriber profile and is based on reputation data associated with e-mailing activities via the subscriber account.
  - 13. The logic of claim 11, the operations further comprising:
    - combining reputation data generated from the outbound message with reputation data included in the subscriber profile to determine whether an action is to be taken for the subscriber account.
  - 14. The logic of claim 13, wherein the action includes a selected one of a group of actions, the group of actions consisting of:
    - a) redirecting subsequent e-mail messages originated via the subscriber account to a relay pool;
      
      b) reducing at least one privilege associated with the subscriber account; and
      
      c) lowering a trustworthiness rating for the subscriber account.
  - 15. The logic of claim 11, the operations further comprising:
    - determining a message disposition based on a content filter for the outbound message, wherein the content filter includes a selected one of a group of second filters, the group of second filters consisting of;
      
      a) a spam filter; and
      
      b) a throttle filter.
  - 16. The logic of claim 11, the operations further comprising:
    - providing web-based access to a plurality of e-mail message disposition policies via a graphical user interface.
  - 17. The logic of claim 16, wherein the graphical user interface is configured to provide notifications, alerts, and traffic reports associated with e-mail traffic.
  - 19. The logic of claim 11, wherein the disposition is a selected one of a group of dispositions, the group of dispositions consisting of:
    - a denial of the outbound message and an addition of a blind carbon copy (bcc) recipient to the outbound message.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Musarubra US LLC (Musarubra US SellCo LLC)
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
Chasin, C. Scott, Lin, Wei, Kincaid-Smith, Paul
Primary Examiner(s)
Anwah, Olisa

Application Number

US13/726,607
Publication Number

US 20130117397A1
Time in Patent Office

1,078 Days
Field of Search

709206-207, 709/203, 709/202, 379 8801- 8823, 379/114.14, 379/145, 379/127.02, 379/93.24
US Class Current

1/1
CPC Class Codes

H04L 51/212   using filtering or selectiv...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/145   the attack involving the pr...

Stopping and remediating outbound messaging abuse

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

244 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Stopping and remediating outbound messaging abuse

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

244 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links