Electronic Message Source Reputation Information System

US 20070250644A1
Filed: 05/25/2005
Published: 10/25/2007
Est. Priority Date: 05/25/2004
Status: Active Grant

First Claim

Patent Images

1. A network traffic filtering system for filtering a flow of electronic messages across a computer network, the system comprising:

an engine configured to generate a source reputation profile based on reputation data associated with a source IP address;

a profile database associated with the engine for storing the reputation data; and

wherein the engine is further configured to provide the source reputation profile to an external system.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein are filtering systems and methods that employ an electronic message source reputation system. The source reputation system maintains a pool of source Internet Protocol (IP) address information, in the form of a Real-Time Threat Identification Network (“RTIN”) database, which can provide the reputation of source IP addresses, which can be used by customers for filtering network traffic. The source reputation system provides for multiple avenues of access to the source reputation information. Examples of such avenues can include Domain Name Server (DNS)-type queries, servicing routers with router-table data, or other avenues.

128 Citations

View as Search Results

39 Claims

1. A network traffic filtering system for filtering a flow of electronic messages across a computer network, the system comprising:
- an engine configured to generate a source reputation profile based on reputation data associated with a source IP address;
  
  a profile database associated with the engine for storing the reputation data; and
  
  wherein the engine is further configured to provide the source reputation profile to an external system.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 2. A system according to claim 1, wherein the engine is configured to generate an updated source reputation profile in response to updated reputation data.
  - 3. A system according to claim 2, wherein the updated reputation data is provided in real-time.
  - 4. A system according to claim 1, wherein the source reputation profile comprises a list having at least one item of reputation data.
  - 5. A system according to claim 1, wherein the reputation data comprises at least one selected from the group consisting of:
    - the number of messages considered spam sent from the source IP address;
      
      the number of recipients on a message sent from the source IP address;
      
      the number of connection attempts from the source IP address;
      
      the number of connection successes from the source IP address;
      
      the number of connection failures from the source IP address;
      
      the number of connection currently open from the source IP address;
      
      the number of 400-class errors caused by messaging attempts by the source IP address;
      
      the number of 500-class errors caused by messaging attempts by the source IP address;
      
      the average message size in bytes sent from the source IP address;
      
      the average connection duration from the source IP address;
      
      the number of viruses sent from the source IP address;
      
      the number of message delivered from the source IP address; and
      
      an overall number of messages sent from the source IP address.
  - 6. A system according to claim 1, wherein the source reputation profile comprises an evaluation of the reputation data by the engine.
  - 7. A system according to claim 6, wherein the evaluation comprises generating a reputation score for the source IP address, the reputation score indicating a likelihood that electronic messages from the source IP address are unwanted.
  - 8. A system according to claim 7, wherein the engine is further configured to change the reputation score based on new reputation data associated with the source IP address.
  - 9. A system according to claim 1, wherein the engine is configured to receive the reputation data from a data source comprising at least one selected from the group consisting of a network traffic monitoring system, a two-strikes system, and a sudden-death system.
  - 10. A system according to claim 1, wherein the engine is configured to receive the reputation data from a data source comprising a customer system, and the reputation data comprises at least one list selected from the group consisting of blacklists, blocked senders lists, and gray-lists.
  - 11. A system according to claim 1, wherein the engine is configured to receive the reputation data from a data source comprising approved sender IP addresses selected using a business-based heuristics selection technique.
  - 12. A system according to claim 1, wherein the engine is configured to provide the reputation profile to the external system in response to a query received from the external system.
  - 13. A system according to claim 12, wherein the query comprises a DNS query corresponding to the source IP address.
  - 14. A system according to claim 12, wherein the engine is further configured to authenticate the external system before responding to the query.
  - 15. A system according to claim 1, wherein the engine provides the reputation profile to an external system in the form of electronic message path data for use in a network router table of a router associated with the customer system to redirect electronic messages from the source IP address.
  - 16. A system according to claim 1, wherein the engine comprises a server configured to query a data source for reputation data, receive reputation data from a data source, evaluate the received reputation data to develop the source reputation profile, update the profile database, and distribute the source reputation profile or reputation data to external systems.
  - 17. A system according to claim 16, wherein the engine further comprises a reputation data database associated with the server and configured to store the reputation data.
  - 18. A system according to claim 1, wherein the engine comprises a server and a controller, wherein the controller is configured to query a data source for reputation data, receive reputation data from a data source, evaluate the received reputation data to develop the source reputation profile, update the profile database, and the server is configured to distribute the source reputation profile or reputation data to external systems.
  - 19. A system according to claim 1, wherein the external system is a customer system subscribing to use the filtering system.

20. A method of filtering a flow of electronic messages across a computer network, the method comprising:
- receiving reputation data associated with a source IP address;
  
  storing the reputation data;
  
  generating a source reputation profile based on the reputation data; and
  
  providing the source reputation profile to an external system.
- View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36)
- - 21. A method according to claim 20, further comprising updating the source reputation profile in response to receiving updated reputation data.
  - 22. A method according to claim 21, wherein the updated reputation data is provided in real-time.
  - 23. A method according to claim 20, wherein providing the source reputation profile comprises providing a list having at least one item of reputation data.
  - 24. A method according to claim 20, wherein the reputation data comprises at least one selected from the group consisting of:
    - the number of messages considered spam sent from the source IP address;
      
      the number of recipients on a message sent from the source IP address;
      
      the number of connection attempts from the source IP address;
      
      the number of connection successes from the source IP address;
      
      the number of connection failures from the source IP address;
      
      the number of connection currently open from the source IP address;
      
      the number of 400-class errors caused by messaging attempts by the source IP address;
      
      the number of 500-class errors caused by messaging attempts by the source IP address;
      
      the average message size in bytes sent from the source IP address;
      
      the average connection duration from the source IP address;
      
      the number of viruses sent from the source IP address;
      
      the number of message delivered from the source IP address; and
      
      an overall number of messages sent from the source IP address.
  - 25. A method according to claim 20, wherein providing the source reputation profile comprises providing an evaluation of the reputation data.
  - 26. A method according to claim 25, wherein the evaluation comprises generating a reputation score for the source IP address, the reputation score indicating a likelihood that electronic messages from the source IP address are unwanted.
  - 27. A method according to claim 26, further comprising changing the reputation score based on new reputation data associated with the source IP address.
  - 28. A method according to claim 20, wherein receiving reputation data comprises receiving reputation data from at least one selected from the group consisting of a network traffic monitoring system, a two-strikes system, and a sudden-death system.
  - 29. A method according to claim 20, wherein receiving reputation data comprises receiving reputation data from a customer system, and the reputation data comprises at least one list selected from the group consisting of blacklists, blocked senders lists, and gray-lists.
  - 30. A method according to claim 20, wherein receiving reputation data comprises receiving reputation data comprising approved sender IP addresses selected using an business-based heuristics selection technique.
  - 31. A method according to claim 20, wherein providing further comprises providing the source reputation profile to a customer system in response to a query received from the customer system.
  - 32. A method according to claim 31, wherein the query comprises a DNS query corresponding to the source IP address.
  - 33. A method according to claim 32, the method further comprising authenticating the customer system before responding to the query.
  - 34. A method according to claim 20, wherein providing further comprises providing the source reputation profile to a customer system in the form of electronic message path data for use in a network router table of a router associated with the customer system to redirect electronic messages from the source IP address.
  - 35. A method according to claim 34, wherein the electronic messages are redirected to a blackhole in the network.
  - 36. A method according to claim 20, wherein providing the reputation profile to an external system comprises providing the reputation profile to a customer system subscribing to use the filtering method.

37. A method of generating source IP address reputation information, the method comprising:
- receiving, from a source IP address, a current electronic message that appears to be spam;
  
  querying a database in order to retrieve a time at which a previous electronic message suspected to be spam was received from the source IP address;
  
  calculating an amount of elapsed time between receipt of the current electronic message and the time at which the previous electronic message was received;
  
  determining whether the amount of elapsed time is less than a predetermined threshold value; and
  
  identifying the source IP address as a source of spam if the amount of elapsed time is less than the predetermined threshold value.
- View Dependent Claims (38, 39)
- - 38. A method according to claim 37, further comprising providing the identification to a customer system in response to a query regarding the source IP address.
  - 39. A method according to claim 37, further comprising identifying the source IP address as not being a source of spam based on calculating an elapsed time between receipt of another electronic message that appears to be spam and a previous message suspected to be spam, and determining that the amount of elapsed time is now greater than a predetermined threshold value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Google Inc. (Alphabet Inc.)
Inventors
Lund, Peter, Carroll, Dorion, Petry, Scott, Croteau, Craig, Okumura, Kenneth

Granted Patent

US 8,037,144 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/245
CPC Class Codes

G06Q 10/107   Computer-aided management o...

H04L 51/212   using filtering or selectiv...

H04L 63/0236   Filtering by address, proto...

H04L 63/068   using time-dependent keys, ...

H04L 63/126   the source of the received ...

H04L 67/306   User profiles

H04L 67/564   Enhancement of application ...

H04L 67/63   Routing a service request d...

Electronic Message Source Reputation Information System

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

128 Citations

39 Claims

Specification

Solutions

Use Cases

Quick Links

Electronic Message Source Reputation Information System

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

128 Citations

39 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links