Managing connections, messages, and directory harvest attacks at a server
Abstract
A method and apparatus for managing connections, email messages, and directory harvest attacks at a server is disclosed. The server maintains a count of a parameter and compares the count to a specified maximum value, such that when the specified maximum value is met or exceeded, an action is taken by the server to limit the connections, email messages, or directory harvest attack. Actions include controlling the number of connections to the server from senders, controlling the flow of email messages injected to the server by senders, and controlling when rejection response messages are sent for invalid recipient email addresses to thwart a directory harvest attack. Senders are identified by one or more sender identifiers, which can be used to group senders together so that the same maximum value is applied collectively to all senders in the group.
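The three controls the abstract describes (a connection cap, a per-period recipient cap, and suppression of rejection responses once too many invalid recipients have been seen), shown as an added Python example that is not code from the patent. The class and method names, the fixed-window counting, the single shared period, the disposition strings and the sample addresses are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

class SenderLimits:
    """Counters kept per sender identifier and compared with configured maxima."""

    def __init__(self, groups, valid_rcpts, max_conns=2, max_rcpts=100,
                 max_invalid=3, period=3600):
        self.groups = [ipaddress.ip_network(g) for g in groups]
        self.valid = set(valid_rcpts)
        self.max_conns, self.max_rcpts = max_conns, max_rcpts
        self.max_invalid, self.period = max_invalid, period
        self.conns = defaultdict(int)  # sender id -> open connections
        self.windows = {}              # sender id -> [start, rcpts, invalid]

    def sender_id(self, ip):
        """A matching CIDR block groups senders under one id; else the IP is the id."""
        addr = ipaddress.ip_address(ip)
        return next((str(n) for n in self.groups if addr in n), ip)

    def connect(self, ip):
        sid = self.sender_id(ip)
        if self.conns[sid] >= self.max_conns:  # maximum met: refuse the connection
            return "reject"
        self.conns[sid] += 1
        return "accept"

    def disconnect(self, ip):
        sid = self.sender_id(ip)
        self.conns[sid] = max(0, self.conns[sid] - 1)

    def rcpt(self, ip, address, now):
        sid = self.sender_id(ip)
        w = self.windows.get(sid)
        if w is None or now - w[0] >= self.period:  # period expired: start over
            w = self.windows[sid] = [now, 0, 0]
        if w[1] >= self.max_rcpts:  # injection limit: refuse until expiry
            return "defer"
        w[1] += 1
        if address in self.valid:
            return "accept"
        w[2] += 1
        # Up to the maximum, an invalid address gets a rejection response; past
        # it the message is dropped silently, withholding that signal.
        return "reject" if w[2] <= self.max_invalid else "drop"


def demo():
    # Constructed sample: one /24 treated as a single sender, one valid mailbox.
    mta = SenderLimits(["203.0.113.0/24"], {"alice@example.com"})
    conns = [mta.connect(ip) for ip in ("203.0.113.5", "203.0.113.77", "203.0.113.9")]
    probes = [mta.rcpt("203.0.113.5", f"guess{i}@example.com", now=i) for i in range(5)]
    return conns, probes
```

Because the counters are keyed on the sender identifier and not on the raw address, the third connection in `demo()` is refused even though it comes from an IP that has not connected before.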
55 Claims
1. A method for managing a mail transfer agent (MTA), comprising:
based on a plurality of connections received at said MTA, determining a number of connections that are associated with a first sender identifier;
based on said number of connections being less than or equal to a specified number of connections, accepting an additional connection that is associated with said first sender identifier;
based on said number of connections being greater than said specified number of connections, rejecting said additional connection;
determining message information for a plurality of email messages that are received at said MTA;
based on said message information, determining that a second sender identifier of said plurality of sender identifiers is associated with at least one email message of said plurality of email messages;
based on said at least one email message, determining a number of recipients of email messages that are associated with said second sender identifier and that are being received at said MTA in a first time period; and
based on said number of recipients of email messages being greater than a maximum number of recipients of email messages, refusing to accept email messages that are associated with said second sender identifier until said first time period expires; and
after expiration of said first time period of time, accepting email messages that are associated with said second sender identifier;
determining that a third sender identifier of said plurality of sender identifiers is associated with a subset of email messages of said plurality of email messages;
based on said subset of email messages, determining a number of invalid recipient email addresses for a second time period;
receiving an additional email message that is associated with said third sender identifier;
determining that said additional email message is addressed to one or more invalid recipient email addresses for said MTA;
based on said number of invalid recipient email addresses being less than or equal to a maximum number of invalid recipient email addresses, generating and sending a message rejection response for said additional email message; and
based on said number of invalid recipient email addresses being greater than said maximum number of invalid recipient email addresses, dropping said additional email message without sending said message rejection response; and
after expiration of said second time period, accepting one or more additional email messages that are both associated with said third sender identifier and addressed to one or more invalid recipient email addresses for said MTA; and
wherein said first sender identifier, said second sender identifier, and said third sender identifier are each selected from the group consisting of a network address, an Internet Protocol (IP) address, a partial IP address, a first range of IP addresses, a fully qualified domain name (FQDN), a partial FQDN, a classless inter-domain routing (CIDR) block, a partial CIDR block, a subnet, an organization identifier, a reputation score, and a second range of reputation scores.
2. A method for managing connections for receiving electronic messages at a server, comprising:
receiving at said server a plurality of connections;
identifying a particular sender identifier of a plurality of sender identifiers, wherein said particular sender identifier is associated with at least one connection of said plurality of connections;
based on said plurality of connections, determining a number of connections that are associated with said particular sender identifier;
receiving at said server an incoming connection that is associated with said particular sender identifier;
based on said number of connections satisfying a specified relationship with a specified number of connections, accepting said incoming connection; and
based on said number of connections not satisfying said specified relationship with said specified number of connections, rejecting said incoming connection.
Dependent claims: 3, 4, 5, 6
7. A method for managing a plurality of electronic messages received at a server, comprising:
determining message information for said plurality of electronic messages;
based on said message information, determining a particular sender identifier of a plurality of sender identifiers, wherein said particular sender identifier is associated with at least one electronic message of said plurality of electronic messages;
based on said at least one electronic message, determining a current value that is associated with said particular sender identifier; and
based on said current value satisfying a specified relationship with a specified value, limiting how many electronic messages that are associated with said particular sender identifier are accepted by said server.
Dependent claims: 8, 9, 10, 11, 12, 13
14. A method for limiting a directory harvest attack against a server, comprising:
accepting a plurality of electronic messages that are associated with a plurality of sender identifiers;
identifying a particular sender identifier of said plurality of sender identifiers, wherein said particular sender identifier is associated with a subset of electronic messages of said plurality of electronic messages;
based on said subset of electronic messages, determining a current value that is based on those electronic messages that are addressed to one or more invalid recipient electronic addresses for said server;
receiving an additional electronic message that is associated with said particular sender identifier;
determining that said additional electronic message is addressed to one or more invalid recipient electronic addresses for said server;
based on said current value satisfying a specified relationship with a specified value, generating and sending a message rejection response to a sender of said additional electronic message; and
based on said current value not satisfying said specified relationship with said specified value, dropping at least said additional electronic message without sending said message rejection response to said sender.
Dependent claims: 15, 16, 17, 18, 19
20. A machine-readable medium carrying one or more sequences of instructions for managing connections for receiving electronic messages at a server, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
receiving at said server a plurality of connections;
identifying a particular sender identifier of a plurality of sender identifiers, wherein said particular sender identifier is associated with at least one connection of said plurality of connections;
based on said plurality of connections, determining a number of connections that are associated with said particular sender identifier;
receiving at said server an incoming connection that is associated with said particular sender identifier;
based on said number of connections satisfying a specified relationship with a specified number of connections, accepting said incoming connection; and
based on said number of connections not satisfying said specified relationship with said specified number of connections, rejecting said incoming connection.
Dependent claims: 21, 22, 23, 24
25. A machine-readable medium carrying one or more sequences of instructions for managing a plurality of electronic messages received at a server, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
determining message information for said plurality of electronic messages;
based on said message information, determining a particular sender identifier of a plurality of sender identifiers, wherein said particular sender identifier is associated with at least one electronic message of said plurality of electronic messages;
based on said at least one electronic message, determining a current value that is associated with said particular sender identifier; and
based on said current value satisfying a specified relationship with a specified value, limiting how many electronic messages that are associated with said particular sender identifier are accepted by said server.
Dependent claims: 26, 27, 28, 29, 30, 31
32. A machine-readable medium carrying one or more sequences of instructions for limiting a directory harvest attack against a server, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
accepting a plurality of electronic messages that are associated with a plurality of sender identifiers;
identifying a particular sender identifier of said plurality of sender identifiers, wherein said particular sender identifier is associated with a subset of electronic messages of said plurality of electronic messages;
based on said subset of electronic messages, determining a current value that is based on those electronic messages that are addressed to one or more invalid recipient electronic addresses for said server;
receiving an additional electronic message that is associated with said particular sender identifier;
determining that said additional electronic message is addressed to one or more invalid recipient electronic addresses for said server;
based on said current value satisfying a specified relationship with a specified value, generating and sending a message rejection response to a sender of said additional electronic message; and
based on said current value not satisfying said specified relationship with said specified value, dropping at least said additional electronic message without sending said message rejection response to said sender.
Dependent claims: 33, 34, 35, 36, 37
38. An apparatus comprising:
a processor; and
a memory coupled to the processor, the memory containing one or more sequences of instructions for managing connections for receiving electronic messages at a server, wherein execution of the one or more sequences of instructions by the processor causes the processor to perform the steps of;
receiving at said server a plurality of connections;
identifying a particular sender identifier of a plurality of sender identifiers, wherein said particular sender identifier is associated with at least one connection of said plurality of connections;
based on said plurality of connections, determining a number of connections that are associated with said particular sender identifier;
receiving at said server an incoming connection that is associated with said particular sender identifier;
based on said number of connections satisfying a specified relationship with a specified number of connections, accepting said incoming connection; and
based on said number of connections not satisfying said specified relationship with said specified number of connections, rejecting said incoming connection.
Dependent claims: 39, 40, 41, 42
43. An apparatus comprising:
a processor; and
a memory coupled to the processor, the memory containing one or more sequences of instructions for managing a plurality of electronic messages received at a server, wherein execution of the one or more sequences of instructions by the processor causes the processor to perform the steps of;
determining message information for said plurality of electronic messages;
based on said message information, determining a particular sender identifier of a plurality of sender identifiers, wherein said particular sender identifier is associated with at least one electronic message of said plurality of electronic messages;
based on said at least one electronic message, determining a current value that is associated with said particular sender identifier; and
based on said current value satisfying a specified relationship with a specified value, limiting how many electronic messages that are associated with said particular sender identifier are accepted by said server.
Dependent claims: 44, 45, 46, 47, 48, 49
50. An apparatus comprising:
a processor; and
a memory coupled to the processor, the memory containing one or more sequences of instructions for limiting a directory harvest attack against a server, wherein execution of the one or more sequences of instructions by the processor causes the processor to perform the steps of;
accepting a plurality of electronic messages that are associated with a plurality of sender identifiers;
identifying a particular sender identifier of said plurality of sender identifiers, wherein said particular sender identifier is associated with a subset of electronic messages of said plurality of electronic messages;
based on said subset of electronic messages, determining a current value that is based on those electronic messages that are addressed to one or more invalid recipient electronic addresses for said server;
receiving an additional electronic message that is associated with said particular sender identifier;
determining that said additional electronic message is addressed to one or more invalid recipient electronic addresses for said server;
based on said current value satisfying a specified relationship with a specified value, generating and sending a message rejection response to a sender of said additional electronic message; and
based on said current value not satisfying said specified relationship with said specified value, dropping at least said additional electronic message without sending said message rejection response to said sender.
Dependent claims: 51, 52, 53, 54, 55
Specification