Managing connections, messages, and directory harvest attacks at a server

US 20060031359A1
Filed: 05/27/2005
Published: 02/09/2006
Est. Priority Date: 05/29/2004
Status: Active Grant

First Claim

Patent Images

1. A method for managing a mail transfer agent (MTA), comprising:

based on a plurality of connections received at said MTA, determining a number of connections that are associated with a first sender identifier;

based on said number of connections being less than or equal to a specified number of connections, accepting an additional connection that is associated with said first sender identifier;

based on said number of connections being greater than said specified number of connections, rejecting said additional connection;

determining message information for a plurality of email messages that are received at said MTA;

based on said message information, determining that a second sender identifier of said plurality of sender identifiers is associated with at least one email message of said plurality of email messages;

based on said at least one email message, determining a number of recipients of email messages that are associated with said second sender identifier and that are being received at said MTA in a first time period; and

based on said number of recipients of email messages being greater than a maximum number of recipients of email messages, refusing to accept email messages that are associated with said second sender identifier until said first time period expires; and

after expiration of said first time period of time, accepting email messages that are associated with said second sender identifier;

determining that a third sender identifier of said plurality of sender identifiers is associated with a subset of email messages of said plurality of email messages;

based on said subset of email messages, determining a number of invalid recipient email addresses for a second time period;

receiving an additional email message that is associated with said third sender identifier;

determining that said additional email message is addressed to one or more invalid recipient email addresses for said MTA;

based on said number of invalid recipient email addresses being less than or equal to a maximum number of invalid recipient email addresses, generating and sending a message rejection response for said additional email message; and

based on said number of invalid recipient email addresses being greater than said maximum number of invalid recipient email addresses, dropping said additional email message without sending said message rejection response; and

after expiration of said second time period, accepting one or more additional email messages that are both associated with said third sender identifier and addressed to one or more invalid recipient email addresses for said MTA; and

wherein said first sender identifier, said second sender identifier, and said third sender identifier are each selected from the group consisting of a network address, an Internet Protocol (IP) address, a partial IP address, a first range of IP addresses, a fully qualified domain name (FQDN), a partial FQDN, a classless inter-domain routing (CIDR) block, a partial CIDR block, a subnet, an organization identifier, a reputation score, and a second range of reputation scores.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for managing connections, email messages, and directory harvest attacks at a server is disclosed. The server maintains a count of a parameter and compares the count to a specified maximum value, such that when the specified maximum value is met or exceeded, an action is taken by the server to limit the connections, email messages, or directory harvest attack. Actions include controlling the number of connections to the server from senders, controlling the flow of email messages injected to the server by senders, and controlling when rejection response messages are sent for invalid recipient email addresses to thwart a directory harvest attack. Senders are identified by one or more sender identifiers, which can be used to group senders together so that the same maximum value is applied collectively to all senders in the group.

236 Citations

55 Claims

1. A method for managing a mail transfer agent (MTA), comprising:
- based on a plurality of connections received at said MTA, determining a number of connections that are associated with a first sender identifier;
  
  based on said number of connections being less than or equal to a specified number of connections, accepting an additional connection that is associated with said first sender identifier;
  
  based on said number of connections being greater than said specified number of connections, rejecting said additional connection;
  
  determining message information for a plurality of email messages that are received at said MTA;
  
  based on said message information, determining that a second sender identifier of said plurality of sender identifiers is associated with at least one email message of said plurality of email messages;
  
  based on said at least one email message, determining a number of recipients of email messages that are associated with said second sender identifier and that are being received at said MTA in a first time period; and
  
  based on said number of recipients of email messages being greater than a maximum number of recipients of email messages, refusing to accept email messages that are associated with said second sender identifier until said first time period expires; and
  
  after expiration of said first time period of time, accepting email messages that are associated with said second sender identifier;
  
  determining that a third sender identifier of said plurality of sender identifiers is associated with a subset of email messages of said plurality of email messages;
  
  based on said subset of email messages, determining a number of invalid recipient email addresses for a second time period;
  
  receiving an additional email message that is associated with said third sender identifier;
  
  determining that said additional email message is addressed to one or more invalid recipient email addresses for said MTA;
  
  based on said number of invalid recipient email addresses being less than or equal to a maximum number of invalid recipient email addresses, generating and sending a message rejection response for said additional email message; and
  
  based on said number of invalid recipient email addresses being greater than said maximum number of invalid recipient email addresses, dropping said additional email message without sending said message rejection response; and
  
  after expiration of said second time period, accepting one or more additional email messages that are both associated with said third sender identifier and addressed to one or more invalid recipient email addresses for said MTA; and
  
  wherein said first sender identifier, said second sender identifier, and said third sender identifier are each selected from the group consisting of a network address, an Internet Protocol (IP) address, a partial IP address, a first range of IP addresses, a fully qualified domain name (FQDN), a partial FQDN, a classless inter-domain routing (CIDR) block, a partial CIDR block, a subnet, an organization identifier, a reputation score, and a second range of reputation scores.

2. A method for managing connections for receiving electronic messages at a server, comprising:
- receiving at said server a plurality of connections;
  
  identifying a particular sender identifier of a plurality of sender identifiers, wherein said particular sender identifier is associated with at least one connection of said plurality of connections;
  
  based on said plurality of connections, determining a number of connections that are associated with said particular sender identifier;
  
  receiving at said server an incoming connection that is associated with said particular sender identifier;
  
  based on said number of connections satisfying a specified relationship with a specified number of connections, accepting said incoming connection; and
  
  based on said number of connections not satisfying said specified relationship with said specified number of connections, rejecting said incoming connection.
- View Dependent Claims (3, 4, 5, 6)
- - 3. A method as recited in claim 2, wherein said particular sender identifier is selected from the group consisting of a network address, an Internet Protocol (IP) address, a partial IP address, a first range of IP addresses, a primary domain, a subdomain, a fully qualified domain name (FQDN), a partial FQDN, a classless inter-domain routing (CIDR) block, a partial CIDR block, a subnet, an organization identifier, a network owner, a reputation score, and a second range of reputation scores.
  - 4. A method as recited in claim 2, wherein:
    - said particular sender identifier is a group sender identifier that is associated with a first sender identifier and a second sender identifier; and
      
      both said first sender identifier and said second sender identifier are selected from the group consisting of a network address, an Internet Protocol (IP) address, a partial IP address, a first range of IP addresses, a primary domain, a subdomain, a fully qualified domain name (FQDN), a partial FQDN, a classless inter-domain routing (CIDR) block, a partial CIDR block, a subnet, an organization identifier, a network owner, a reputation score, and a second range of reputation scores.
  - 5. A method as recited in claim 2, wherein:
    - accepting said incoming connection comprises;
      
      creating an additional connection based on said incoming connection; and
      
      accepting one or more electronic messages over said additional connection;
      
      rejecting said incoming connection comprises;
      
      creating said additional connection based on said incoming connection;
      
      refusing to accept any electronic messages over said additional connection; and
      
      terminating said additional connection.
  - 6. A method as recited in claim 2, wherein rejecting said incoming connection further comprises:
    - creating an additional connection based on said incoming connection;
      
      based on an electronic message that is received over said additional connection, identifying a particular recipient identifier of a plurality of recipient identifiers;
      
      inspecting a mapping to identify an action of a plurality of actions, wherein said mapping associates said plurality of recipient identifiers with said plurality of actions, and wherein said action is associated with a specified recipient identifier of said plurality of recipient identifiers;
      
      based on said particular recipient identifier matching said specified recipient identifier, processing said electronic message even though said number of connections does not satisfy said specified relationship with said specified number of connections; and
      
      based on said particular recipient identifier not matching said specified recipient identifier, dropping said electronic message and terminating said additional connection.

7. A method for managing a plurality of electronic messages received at a server, comprising:
- determining message information for said plurality of electronic messages;
  
  based on said message information, determining a particular sender identifier of a plurality of sender identifiers, wherein said particular sender identifier is associated with at least one electronic message of said plurality of electronic messages;
  
  based on said at least one electronic message, determining a current value that is associated with said particular sender identifier; and
  
  based on said current value satisfying a specified relationship with a specified value, limiting how many electronic messages that are associated with said particular sender identifier are accepted by said server.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. A method as recited in claim 7, wherein said particular sender identifier is selected from the group consisting of a network address, an Internet Protocol (IP) address, a partial IP address, a first range of IP addresses, a primary domain, a subdomain, a fully qualified domain name (FQDN), a partial FQDN, a classless inter-domain routing (CIDR) block, a partial CIDR block, a subnet, an organization identifier, a network owner, a reputation score, and a second range of reputation scores.
  - 9. A method as recited in claim 7, wherein:
    - said particular sender identifier is a group sender identifier that is associated with a first sender identifier and a second sender identifier; and
      
      both said first sender identifier and said second sender identifier are selected from the group consisting of a network address, an Internet Protocol (IP) address, a partial IP address, a first range of IP addresses, a primary domain, a subdomain, a fully qualified domain name (FQDN), a partial FQDN, a classless inter-domain routing (CIDR) block, a partial CIDR block, a subnet, an organization identifier, a network owner, a reputation score, and a second range of reputation scores.
  - 10. A method as recited in claim 7, wherein:
    - said current value is a number of recipients of electronic messages that are received at said server in a current time period and that are associated with said particular sender identifier;
      
      said specified value is a maximum number of recipients of electronic messages; and
      
      said current value satisfies said specified relationship with said specified value when said number of recipients of electronic messages is less than or equal to said maximum number of recipients of electronic messages.
  - 11. A method as recited in claim 10, wherein limiting how many electronic messages are accepted from said at least one network address comprises:
    - refusing to accept electronic messages from said at least one network address until said current time period expires; and
      
      after expiration of said current time period of time, accepting one or more additional electronic messages from said at least one network address.
  - 12. A method as recited in claim 7, wherein:
    - said current value is a number of electronic messages that are received at said server and that are associated with said particular sender identifier;
      
      said specified value is a maximum number of electronic messages; and
      
      said current value satisfies said specified relationship with said specified value when said number of electronic messages is less than or equal to said maximum number of electronic messages.
  - 13. A method as recited in claim 12, wherein:
    - said number of electronic messages is determined for a specified period of time; and
      
      limiting how many electronic messages that are associated with said particular sender identifier are accepted comprises;
      
      refusing to accept electronic messages that are associated with said particular sender identifier until said specified period of time has expired; and
      
      after expiration of said specified period of time, accepting electronic messages that are associated with said particular sender identifier.

14. A method for limiting a directory harvest attack against a server, comprising:
- accepting a plurality of electronic messages that are associated with a plurality of sender identifiers;
  
  identifying a particular sender identifier of said plurality of sender identifiers, wherein said particular sender identifier is associated with a subset of electronic messages of said plurality of electronic messages;
  
  based on said subset of electronic messages, determining a current value that is based on those electronic messages that are addressed to one or more invalid recipient electronic addresses for said server;
  
  receiving an additional electronic message that is associated with said particular sender identifier;
  
  determining that said additional electronic message is addressed to one or more invalid recipient electronic addresses for said server;
  
  based on said current value satisfying a specified relationship with a specified value, generating and sending a message rejection response to a sender of said additional electronic message; and
  
  based on said current value not satisfying said specified relationship with said specified value, dropping at least said additional electronic message without sending said message rejection response to said sender.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. A method as recited in claim 14, wherein said particular sender identifier is selected from the group consisting of a network address, an Internet Protocol (IP) address, a partial IP address, a first range of IP addresses, a fully qualified domain name (FQDN), a partial FQDN, a classless inter-domain routing (CIDR) block, a partial CIDR block, a subnet, an organization identifier, a reputation score, and a second range of reputation scores.
  - 16. A method as recited in claim 14, wherein:
    - said particular sender identifier is a group sender identifier that is associated with a first sender identifier and a second sender identifier; and
      
      both said first sender identifier and said second sender identifier are selected from the group consisting of a network address, an Internet Protocol (IP) address, a partial IP address, a first range of IP addresses, a primary domain, a subdomain, a fully qualified domain name (FQDN), a partial FQDN, a classless inter-domain routing (CIDR) block, a partial CIDR block, a subnet, an organization identifier, a network owner, a reputation score, and a second range of reputation scores.
  - 17. A method as recited in claim 14, wherein:
    - said current value is a number of invalid recipient electronic addresses that are received at said server in a current time period and that are associated with said particular sender identifier;
      
      said specified value is a maximum number of invalid recipient electronic addresses;
      
      said current value satisfies said specified relationship with said specified value when said number of invalid recipient electronic addresses is less than or equal to said maximum number of invalid recipient electronic addresses; and
      
      said current value does not satisfy said specified relationship with said specified value when said number of invalid recipient electronic addresses is greater than said maximum number of invalid recipient electronic addresses.
  - 18. A method as recited in claim 17, wherein dropping at least said additional electronic message comprises:
    - dropping said additional electronic message and any other additional electronic messages that are associated with said particular sender identifier until said current time period expires; and
      
      after expiration of said current time period, accepting one or more electronic messages that are both associated with said particular sender identifier and that are addressed to one or more invalid recipient electronic addresses for said server.
  - 19. A method as recited in claim 14, wherein:
    - determining that said additional electronic message is addressed to one or more invalid recipient electronic addresses for said server comprises determining that said additional electronic message is addressed to one or more invalid recipient electronic addresses for said server after completion of a simple mail transfer protocol (SMTP) conversation between said server and said sender of said additional electronic message;
      
      generating said message rejection response for said additional electronic message comprises generating a message rejection electronic message for additional electronic message after completion of said SMTP conversation; and
      
      dropping said additional electronic message comprises dropping said additional electronic message after completion of said SMTP conversation.

20. A machine-readable medium carrying one or more sequences of instructions for managing connections for receiving electronic messages at a server, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
- receiving at said server a plurality of connections;
  
  identifying a particular sender identifier of a plurality of sender identifiers, wherein said particular sender identifier is associated with at least one connection of said plurality of connections;
  
  based on said plurality of connections, determining a number of connections that are associated with said particular sender identifier;
  
  receiving at said server an incoming connection that is associated with said particular sender identifier;
  
  based on said number of connections satisfying a specified relationship with a specified number of connections, accepting said incoming connection; and
  
  based on said number of connections not satisfying said specified relationship with said specified number of connections, rejecting said incoming connection.
- View Dependent Claims (21, 22, 23, 24)
- - 21. A machine-readable medium as recited in claim 20, wherein said particular sender identifier is selected from the group consisting of a network address, an Internet Protocol (IP) address, a partial IP address, a first range of IP addresses, a primary domain, a subdomain, a fully qualified domain name (FQDN), a partial FQDN, a classless inter-domain routing (CIDR) block, a partial CIDR block, a subnet, an organization identifier, a network owner, a reputation score, and a second range of reputation scores.
  - 22. A machine-readable medium as recited in claim 20, wherein:
    - said particular sender identifier is a group sender identifier that is associated with a first sender identifier and a second sender identifier; and
      
      both said first sender identifier and said second sender identifier are selected from the group consisting of a network address, an Internet Protocol (IP) address, a partial IP address, a first range of IP addresses, a primary domain, a subdomain, a fully qualified domain name (FQDN), a partial FQDN, a classless inter-domain routing (CIDR) block, a partial CIDR block, a subnet, an organization identifier, a network owner, a reputation score, and a second range of reputation scores.
  - 23. A machine-readable medium as recited in claim 20, wherein:
    - wherein the instructions for accepting said incoming connection further comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of;
      
      creating an additional connection based on said incoming connection; and
      
      accepting one or more electronic messages over said additional connection;
      
      wherein the instructions for rejecting said incoming connection further comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of;
      
      creating said additional connection based on said incoming connection;
      
      refusing to accept any electronic messages over said additional connection; and
      
      terminating said additional connection.
  - 24. A machine-readable medium as recited in claim 20, wherein the instructions for rejecting said incoming connection further comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of:
    - creating an additional connection based on said incoming connection;
      
      based on an electronic message that is received over said additional connection, identifying a particular recipient identifier of a plurality of recipient dentifiers;
      
      inspecting a mapping to identify an action of a plurality of actions, wherein said mapping associates said plurality of recipient identifiers with said plurality of actions, and wherein said action is associated with a specified recipient identifier of said plurality of recipient identifiers;
      
      based on said particular recipient identifier matching said specified recipient identifier, processing said electronic message even though said number of connections does not satisfy said specified relationship with said specified number of connections; and
      
      based on said particular recipient identifier not matching said specified recipient identifier, dropping said electronic message and terminating said additional connection.

25. A machine-readable medium carrying one or more sequences of instructions for managing a plurality of electronic messages received at a server, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
- determining message information for said plurality of electronic messages;
  
  based on said message information, determining a particular sender identifier of a plurality of sender identifiers, wherein said particular sender identifier is associated with at least one electronic message of said plurality of electronic messages;
  
  based on said at least one electronic message, determining a current value that is associated with said particular sender identifier; and
  
  based on said current value satisfying a specified relationship with a specified value, limiting how many electronic messages that are associated with said particular sender identifier are accepted by said server.
- View Dependent Claims (26, 27, 28, 29, 30, 31)
- - 26. A machine-readable medium as recited in claim 25, wherein said particular sender identifier is selected from the group consisting of a network address, an Internet Protocol (IP) address, a partial IP address, a first range of IP addresses, a primary domain, a subdomain, a fully qualified domain name (FQDN), a partial FQDN, a classless inter-domain routing (CIDR) block, a partial CIDR block, a subnet, an organization identifier, a network owner, a reputation score, and a second range of reputation scores.
  - 27. A machine-readable medium as recited in claim 25, wherein:
    - said particular sender identifier is a group sender identifier that is associated with a first sender identifier and a second sender identifier; and
      
      both said first sender identifier and said second sender identifier are selected from the group consisting of a network address, an Internet Protocol (IP) address, a partial IP address, a first range of IP addresses, a primary domain, a subdomain, a fully qualified domain name (FQDN), a partial FQDN, a classless inter-domain routing (CIDR) block, a partial CIDR block, a subnet, an organization identifier, a network owner, a reputation score, and a second range of reputation scores.
  - 28. A machine-readable medium as recited in claim 25, wherein:
    - said current value is a number of recipients of electronic messages that are received at said server in a current time period and that are associated with said particular sender identifier;
      
      said specified value is a maximum number of recipients of electronic messages; and
      
      said current value satisfies said specified relationship with said specified value when said number of recipients of electronic messages is less than or equal to said maximum number of recipients of electronic messages.
  - 29. A machine-readable medium as recited in claim 28, wherein the instructions for limiting how many electronic messages are accepted from said at least one network address further comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of:
    - refusing to accept electronic messages from said at least one network address until said current time period expires; and
      
      after expiration of said current time period of time, accepting one or more additional electronic messages from said at least one network address.
  - 30. A machine-readable medium as recited in claim 25, wherein:
    - said current value is a number of electronic messages that are received at said server and that are associated with said particular sender identifier;
      
      said specified value is a maximum number of electronic messages; and
      
      said current value satisfies said specified relationship with said specified value when said number of electronic messages is less than or equal to said maximum number of electronic messages.
  - 31. A machine-readable medium as recited in claim 30, wherein:
    - said number of electronic messages is determined for a specified period of time; and
      
      the instructions for limiting how many electronic messages that are associated with said particular sender identifier are accepted further comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of;
      
      refusing to accept electronic messages that are associated with said particular sender identifier until said specified period of time has expired; and
      
      after expiration of said specified period of time, accepting electronic messages that are associated with said particular sender identifier.

32. A machine-readable medium carrying one or more sequences of instructions for limiting a directory harvest attack against a server, wherein execution of the one or more sequences of instructions by one or more processors causes the one or more processors to perform the steps of:
- accepting a plurality of electronic messages that are associated with a plurality of sender identifiers;
  
  identifying a particular sender identifier of said plurality of sender identifiers, wherein said particular sender identifier is associated with a subset of electronic messages of said plurality of electronic messages;
  
  based on said subset of electronic messages, determining a current value that is based on those electronic messages that are addressed to one or more invalid recipient electronic addresses for said server;
  
  receiving an additional electronic message that is associated with said particular sender identifier;
  
  determining that said additional electronic message is addressed to one or more invalid recipient electronic addresses for said server;
  
  based on said current value satisfying a specified relationship with a specified value, generating and sending a message rejection response to a sender of said additional electronic message; and
  
  based on said current value not satisfying said specified relationship with said specified value, dropping at least said additional electronic message without sending said message rejection response to said sender.
- View Dependent Claims (33, 34, 35, 36, 37)
- - 33. A machine-readable medium as recited in claim 32, wherein said particular sender identifier is selected from the group consisting of a network address, an Internet Protocol (IP) address, a partial IP address, a first range of IP addresses, a fully qualified domain name (FQDN), a partial FQDN, a classless inter-domain routing (CIDR) block, a partial CIDR block, a subnet, an organization identifier, a reputation score, and a second range of reputation scores.
  - 34. A machine-readable medium as recited in claim 32, wherein:
    - said particular sender identifier is a group sender identifier that is associated with a first sender identifier and a second sender identifier; and
      
      both said first sender identifier and said second sender identifier are selected from the group consisting of a network address, an Internet Protocol (IP) address, a partial IP address, a first range of IP addresses, a primary domain, a subdomain, a fully qualified domain name (FQDN), a partial FQDN, a classless inter-domain routing (CIDR) block, a partial CIDR block, a subnet, an organization identifier, a network owner, a reputation score, and a second range of reputation scores.
  - 35. A machine-readable medium as recited in claim 32, wherein:
    - said current value is a number of invalid recipient electronic addresses that are received at said server in a current time period and that are associated with said particular sender identifier;
      
      said specified value is a maximum number of invalid recipient electronic ;
      
      addresses;
      
      said current value satisfies said specified relationship with said specified value when said number of invalid recipient electronic addresses is less than or equal to said maximum number of invalid recipient electronic addresses; and
      
      said current value does not satisfy said specified relationship with said specified value when said number of invalid recipient electronic addresses is greater than said maximum number of invalid recipient electronic addresses.
  - 36. A machine-readable medium as recited in claim 35, wherein the instructions for dropping at least said additional electronic message further comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the steps of:
    - dropping said additional electronic message and any other additional electronic messages that are associated with said particular sender identifier until said current time period expires; and
      
      after expiration of said current time period, accepting one or more electronic messages that are both associated with said particular sender identifier and that are addressed to one or more invalid recipient electronic addresses for said server.
  - 37. A machine-readable medium as recited in claim 32, wherein:
    - wherein the instructions for determining that said additional electronic message is addressed to one or more invalid recipient electronic addresses for said server further comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the step of determining that said additional electronic message is addressed to one or more invalid recipient electronic addresses for said server after completion of a simple mail transfer protocol (SMTP) conversation between said server and said sender of said additional electronic message;
      
      wherein the instructions for generating said message rejection response for said additional electronic message further comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the step of generating said message rejection response for said additional electronic message comprises generating a message rejection electronic message for additional electronic message after completion of said SMTP conversation; and
      
      wherein the instructions for dropping said additional electronic message further comprise instructions which, when executed by the one or more processors, cause the one or more processors to perform the step of dropping said additional electronic message comprises dropping said additional electronic message after completion of said SMTP conversation.

38. An apparatus comprising:
- a processor; and
  
  a memory coupled to the processor, the memory containing one or more sequences of instructions for managing connections for receiving electronic messages at a server, wherein execution of the one or more sequences of instructions by the processor causes the processor to perform the steps of;
  
  receiving at said server a plurality of connections;
  
  identifying a particular sender identifier of a plurality of sender identifiers, wherein said particular sender identifier is associated with at least one connection of said plurality of connections;
  
  based on said plurality of connections, determining a number of connections that are associated with said particular sender identifier;
  
  receiving at said server an incoming connection that is associated with said particular sender identifier;
  
  based on said number of connections satisfying a specified relationship with a specified number of connections, accepting said incoming connection; and
  
  based on said number of connections not satisfying said specified relationship with said specified number of connections, rejecting said incoming connection.
- View Dependent Claims (39, 40, 41, 42)
- - 39. An apparatus as recited in claim 38, wherein said particular sender identifier is selected from the group consisting of a network address, an Internet Protocol (IP) address, a partial IP address, a first range of IP addresses, a primary domain, a subdomain, a fully qualified domain name (FQDN), a partial FQDN, a classless inter-domain routing (CIDR) block, a partial CIDR block, a subnet, an organization identifier, a network owner, a reputation score, and a second range of reputation scores.
  - 40. An apparatus as recited in claim 38, wherein:
    - said particular sender identifier is a group sender identifier that is associated with a first sender identifier and a second sender identifier; and
      
      both said first sender identifier and said second sender identifier are selected from the group consisting of a network address, an Internet Protocol (IP) address, a partial IP address, a first range of IP addresses, a primary domain, a subdomain, a fully qualified domain name (FQDN), a partial FQDN, a classless inter-domain routing (CIDR) block, a partial CIDR block, a subnet, an organization identifier, a network owner, a reputation score, and a second range of reputation scores.
  - 41. An apparatus as recited in claim 38, wherein:
    - wherein the instructions for accepting said incoming connection further comprise instructions which, when executed by the processor, cause the processor to perform the steps of;
      
      creating an additional connection based on said incoming connection; and
      
      accepting one or more electronic messages over said additional connection;
      
      wherein the instructions for rejecting said incoming connection further comprise instructions which, when executed by the processor, cause the proccessor to perform the steps of;
      
      creating said additional connection based on said incoming connection;
      
      refusing to accept any electronic messages over said additional connection; and
      
      terminating said additional connection.
  - 42. An apparatus as recited in claim 38, wherein the instructions for rejecting said incoming connection further comprise instructions which, when executed by the processor, cause the processor to perform the steps of:
    - creating an additional connection based on said incoming connection;
      
      based on an electronic message that is received over said additional connection, identifying a particular recipient identifier of a plurality of recipient identifiers;
      
      inspecting a mapping to identify an action of a plurality of actions, wherein said mapping associates said plurality of recipient identifiers with said plurality of actions, and wherein said action is associated with a specified recipient identifier of said plurality of recipient identifiers;
      
      based on said particular recipient identifier matching said specified recipient identifier, processing said electronic message even though said number of connections does not satisfy said specified relationship with said specified number of connections; and
      
      based on said particular recipient identifier not matching said specified recipient identifier, dropping said electronic message and terminating said additional connection.

43. An apparatus comprising:
- a processor; and
  
  a memory coupled to the processor, the memory containing one or more sequences of instructions for managing a plurality of electronic messages received at a server, wherein execution of the one or more sequences of instructions by the processor causes the processor to perform the steps of;
  
  determining message information for said plurality of electronic messages;
  
  based on said message information, determining a particular sender identifier of a plurality of sender identifiers, wherein said particular sender identifier is associated with at least one electronic message of said plurality of electronic messages;
  
  based on said at least one electronic message, determining a current value that is associated with said particular sender identifier; and
  
  based on said current value satisfying a specified relationship with a specified value, limiting how many electronic messages that are associated with said particular sender identifier are accepted by said server.
- View Dependent Claims (44, 45, 46, 47, 48, 49)
- - 44. An apparatus as recited in claim 43, wherein said particular sender identifier is selected from the group consisting of a network address, an Internet Protocol (IP) address, a partial IP address, a first range of IP addresses, a primary domain, a subdomain, a fully qualified domain name (FQDN), a partial FQDN, a classless inter-domain routing (CIDR) block, a partial CIDR block, a subnet, an organization identifier, a network owner, a reputation score, and a second range of reputation scores.
  - 45. An apparatus as recited in claim 43, wherein:
    - said particular sender identifier is a group sender identifier that is associated with a first sender identifier and a second sender identifier; and
      
      both said first sender identifier and said second sender identifier are selected from the group consisting of a network address, an Internet Protocol (IP) address, a partial IP address, a first range of IP addresses, a primary domain,;
      
      a subdomain, a fully qualified domain name (FQDN), a partial FQDN, a classless inter-domain routing (CIDR) block, a partial CIDR block, a subnet, an organization identifier, a network owner, a reputation score, and a second range of reputation scores.
  - 46. An apparatus as recited in claim 43, wherein:
    - said current value is a number of recipients of electronic messages that are received at said server in a current time period and that are associated with said particular sender identifier;
      
      said specified value is a maximum number of recipients of electronic messages; and
      
      said current value satisfies said specified relationship with said specified value when said number of recipients of electronic messages is less than or equal to said maximum number of recipients of electronic messages.
  - 47. An apparatus as recited in claim 46, wherein the instructions for limiting how many electronic messages are accepted from said at least one network address further comprise instructions which, when executed by the processor, cause the processor to perform the steps of:
    - refusing to accept electronic messages from said at least one network address until said current time period expires; and
      
      after expiration of said current time period of time, accepting one or more additional electronic messages from said at least one network address.
  - 48. An apparatus as recited in claim 43, wherein:
    - said current value is a number of electronic messages that are received at said server and that are associated with said particular sender identifier;
      
      said specified value is a maximum number of electronic messages; and
      
      said current value satisfies said specified relationship with said specified value when said number of electronic messages is less than or equal to said maximum number of electronic messages.
  - 49. An apparatus as recited in claim 48, wherein:
    - said number of electronic messages is determined for a specified period of time; and
      
      the instructions for limiting how many electronic messages that are associated with said particular sender identifier are accepted further comprise instructions which, when executed by the processor, cause the processor to perform the steps of;
      
      refusing to accept electronic messages that are associated with said particular sender identifier until said specified period of time has expired; and
      
      after expiration of said specified period of time, accepting electronic messages that are associated with said particular sender identifier.

50. An apparatus comprising:
- a processor; and
  
  a memory coupled to the processor, the memory containing one or more sequences of instructions for limiting a directory harvest attack against a server, wherein execution of the one or more sequences of instructions by the processor causes the processor to perform the steps of;
  
  accepting a plurality of electronic messages that are associated with a plurality of sender identifiers;
  
  identifying a particular sender identifier of said plurality of sender identifiers, wherein said particular sender identifier is associated with a subset of electronic messages of said plurality of electronic messages;
  
  based on said subset of electronic messages, determining a current value that is based on those electronic messages that are addressed to one or more invalid recipient electronic addresses for said server;
  
  receiving an additional electronic message that is associated with said particular sender identifier;
  
  determining that said additional electronic message is addressed to one or more invalid recipient electronic addresses for said server;
  
  based on said current value satisfying a specified relationship with a specified value, generating and sending a message rejection response to a sender of said additional electronic message; and
  
  based on said current value not satisfying said specified relationship with said specified value, dropping at least said additional electronic message without sending said message rejection response to said sender.
- View Dependent Claims (51, 52, 53, 54, 55)
- - 51. An apparatus as recited in claim 50, wherein said particular sender identifier is selected from the group consisting of a network address, an Internet Protocol (IP) address, a partial IP address, a first range of IP addresses, a fully qualified domain name (FQDN), a partial FQDN, a classless inter-domain routing (CIDR) block, a partial CIDR block, a subnet, an organization identifier, a reputation score, and a second range of reputation scores.
  - 52. An apparatus as recited in claim 50, wherein:
    - said particular sender identifier is a group sender identifier that is associated with a first sender identifier and a second sender identifier; and
      
      both said first sender identifier and said second sender identifier are selected from the group consisting of a network address, an Internet Protocol (IP) address, a partial IP address, a first range of IP addresses, a primary domain, a subdomain, a fully qualified domain name (FQDN), a partial FQDN, a classless inter-domain routing (CIDR) block, a partial CIDR block, a subnet, an organization identifier, a network owner, a reputation score, and a second range of reputation scores.
  - 53. An apparatus as recited in claim 50, wherein:
    - said current value is a number of invalid recipient electronic addresses that are received at said server in a current time period and that are associated with said particular sender identifier;
      
      said specified value is a maximum number of invalid recipient electronic addresses;
      
      said current value satisfies said specified relationship with said specified value when said number of invalid recipient electronic addresses is less than or equal to said maximum number of invalid recipient electronic addresses; and
      
      said current value does not satisfy said specified relationship with said specified value when said number of invalid recipient electronic addresses is greater than said maximum number of invalid recipient electronic addresses.
  - 54. An apparatus as recited in claim 53, wherein the instructions for dropping at least said additional electronic message further comprise instructions which, when executed by the processor, cause the processor to perform the steps of:
    - dropping said additional electronic message and any other additional electronic messages that are associated with said particular sender identifier until said current time period expires; and
      
      after expiration of said current time period, accepting one or more electronic messages that are both associated with said particular sender identifier and that are addressed to one or more invalid recipient electronic addresses for said server.
  - 55. An apparatus as recited in claim 50, wherein:
    - wherein the instructions for determining that said additional electronic message is addressed to one or more invalid recipient electronic addresses for said server further comprise instructions which, when executed by the processor, cause the processor to perform the step of determining that said additional electronic message is addressed to one or more invalid recipient electronic addresses for said server after completion of a simple mail transfer protocol (SMTP) conversation between said server and said sender of said additional electronic message;
      
      wherein the instructions for generating said message rejection response for said additional electronic message further comprise instructions which, when executed by the processor, cause the processor to perform the step of generating said message rejection response for said additional electronic message comprises generating a message rejection electronic message for additional electronic message after completion of said SMTP conversation; and
      
      wherein the instructions for dropping said additional electronic message further comprise instructions which, when executed by the processor, cause the processor to perform the step of dropping said additional electronic message comprises dropping said additional electronic message after completion of said SMTP conversation. Docket;
      
      60063-0053

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ironport Systems (Cisco Systems, Inc.)
Original Assignee
Ironport Systems (Cisco Systems, Inc.)
Inventors
Schlampp, Peter, Sprosts, Craig, Quinlan, Daniel, Huss, Eric C., Chen, Shun, Clegg, Paul J., Brahms, Robert, Srinivasan, Krishna

Granted Patent

US 7,849,142 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/206
CPC Class Codes

H04L 51/212 using filtering or selectiv...

Managing connections, messages, and directory harvest attacks at a server

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

236 Citations

55 Claims

Specification

Use Cases

Quick Links

Others

Managing connections, messages, and directory harvest attacks at a server

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

236 Citations

55 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others