Managing infectious messages as identified by an attachment
Abstract
Managing electronic messages comprises receiving a message, forwarding the message, determining that the forwarded message is infectious after the message has been forwarded and preventing the infectious forwarded message from spreading.
22 Claims
1. A method of evaluating a message for infectious file attachments, comprising:
- receiving a message, the message including an attachment having a file name;
- comparing the file name of the attachment with a plurality of previously received legitimate messages having a legitimate attachment, the legitimate messages including a legitimate attachment file name;
- identifying an anomaly in the file name of the attachment for the message with respect to a file name of the legitimate attachment for one or more of the plurality of previously received legitimate messages;
- executing a second test in response to identification of the file name anomaly, wherein the second test identifies the presence of a further anomaly related to the file name of the attachment;
- calculating a probability as to whether the attachment is infectious based on the presence of the identified file name anomaly and the results of the second test; and
- forwarding the message to a data store for subsequent processing, the data store associated with the probability as to whether the attachment is infectious.
12. A system for evaluating a message to detect an infectious attachment, the system comprising:
- a mail server including a processor and a computer-readable storage medium having embodied thereon a program, the program being executable by the processor to receive a message, the message including an attachment having a file name; and
- a network device coupled to the mail server, the network device including a processor and a computer-readable storage medium having embodied thereon a program, the program being executable by the processor to perform the steps of:
  - receiving the message from the mail server prior to the message being placed in a delivery queue for delivery to a recipient,
  - comparing the file name of the attachment with a plurality of previously received legitimate messages, the legitimate messages including a legitimate attachment with a legitimate attachment file name,
  - identifying an anomaly in the file name of the attachment for the received message with respect to the legitimate attachment file name for one or more of the plurality of previously received legitimate messages,
  - executing a second test in response to identification of the file name anomaly, wherein the second test identifies the presence of a further anomaly related to the file name,
  - calculating a probability as to whether the attachment is infectious based on the presence of the identified file name anomaly and the results of the second test, and
  - forwarding the message to a data store for subsequent processing, the data store associated with the probability as to whether the attachment is infectious.
16. A computer readable storage medium having embodied thereon a program, the program being executable by a computing device to perform a method for detecting messages with infectious file attachments, the method comprising:
- receiving a message, the message including an attachment having a file name;
- comparing the file name of the attachment with a plurality of previously received legitimate messages having a legitimate attachment, the legitimate messages including a legitimate attachment file name;
- identifying an anomaly in the file name of the attachment for the message with respect to a file name of the legitimate attachment for one or more of the plurality of previously received legitimate messages;
- executing a second test in response to identification of the file name anomaly, wherein the second test identifies the presence of a further anomaly related to the file name of the attachment;
- calculating a probability as to whether the attachment is infectious based on the presence of the identified file name anomaly and the results of the second test; and
- forwarding the message to a data store for subsequent processing, the data store associated with the probability as to whether the attachment is infectious.
17. A gateway appliance for use in a network for receiving electronic-mail, the gateway appliance including a processor and a computer-readable storage medium having embodied thereon a program, the program being executable by the processor to perform a method for evaluating a message to detect an infectious attachment prior to the message being delivered to a mail server on a local area network, the method comprising:
- receiving the message including an attachment having a file name prior to the message being delivered to a mail server associated with a recipient of the message;
- comparing the file name of the attachment with a plurality of previously received legitimate messages having a legitimate attachment, the legitimate messages including a legitimate attachment file name;
- identifying an anomaly in the file name of the attachment for the received message with respect to a legitimate attachment file name for one or more of the plurality of previously received legitimate messages;
- executing a second test in response to identification of the file name anomaly, wherein the second test identifies the presence of a further anomaly related to the file name of the attachment;
- calculating a probability as to whether the attachment is infectious based on the presence of the identified file name anomaly and the results of the second test; and
- forwarding the message to another location for subsequent processing, the other location associated with the probability as to whether the attachment is infectious.
21. A system for evaluating a message to detect an infectious attachment, the system comprising:
- a network device including a processor and a computer-readable storage medium having embodied thereon a program, the program being executable by the processor to:
  - receive the message prior to the message being delivered to a mail server associated with a recipient of the message,
  - compare the file name of the attachment with a plurality of previously received legitimate messages, the legitimate messages including a legitimate attachment with a legitimate attachment file name,
  - identify an anomaly in the file name of the attachment for the received message with respect to a legitimate attachment file name for one or more of the plurality of previously received legitimate messages,
  - execute a second test in response to identification of the file name anomaly, wherein the second test identifies the presence of a further anomaly related to the file name, and
  - calculate a probability as to whether the attachment is infectious based on the presence of the identified file name anomaly and the results of the second test; and
- a mail server including a processor and a computer-readable storage medium embodied thereon a program, the program being executable by the processor to receive the message from the network device if the probability of the message including an attachment that is infectious is below a predefined probability threshold.
22. A gateway appliance for use in a network for receiving electronic-mail, the gateway appliance including a processor and a computer-readable storage medium having embodied thereon a program, the program being executable by the processor to perform a method for evaluating a message to detect an infectious attachment after receipt of the message by a mail server on a local area network but prior to delivery of the message to an intended recipient, the method comprising:
- receiving the message from the mail server, the message including an attachment having a file name;
- comparing the file name of the attachment with a plurality of previously received legitimate messages, the legitimate messages including a legitimate attachment with a legitimate attachment file name;
- identifying an anomaly in the file name of the attachment for the received message with respect to the legitimate attachment file name for one or more of the plurality of previously received legitimate messages;
- executing a second test in response to identification of the file name anomaly, wherein the second test identifies the presence of a further anomaly related to the file name;
- calculating a probability as to whether the attachment is infectious based on the presence of the identified file name anomaly and the results of the second test; and
- forwarding the message to the mail server if the probability of the message including an attachment that is infectious is below a predefined probability threshold.
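
The flow shared by the independent claims above (baseline comparison, a second test run only after a file-name anomaly, a probability, then routing), sketched as an added Python example that is not code from the patent. The claims do not define the anomaly or the second test, so the unseen-extension check, the decoy-extension and padding check, the probability values, the 0.40 threshold and the store names are all assumptions chosen for illustration.

```python
from collections import Counter

# Constructed sample: attachment names from previously received legitimate mail.
LEGIT_NAMES = ["Q3_report.pdf", "minutes.docx", "budget.xlsx", "photo.jpg",
               "invoice_1182.pdf", "slides.pptx", "notes.v2.txt", "scan.pdf"]

def extensions(name):
    """All dot-separated suffixes after the base name, trimmed and lower-cased."""
    return [p.strip().lower() for p in name.strip().split(".")][1:]

def build_baseline(names):
    """Count the final extension of every legitimate attachment name."""
    return Counter(ext[-1] for ext in map(extensions, names) if ext)

def first_test(name, baseline):
    """Assumed file-name anomaly: final extension absent from the baseline."""
    ext = extensions(name)
    return not ext or baseline[ext[-1]] == 0

def second_test(name, baseline):
    """Assumed further anomaly: a legitimate-looking extension placed before
    the real one, or a run of spaces pushing the real extension out of view."""
    ext = extensions(name)
    decoy = any(baseline[e] > 0 for e in ext[:-1])
    padded = "   " in name
    return decoy or padded

def infection_probability(name, baseline):
    """Combine both results; the numbers are illustrative, not from the patent."""
    if not first_test(name, baseline):
        return 0.05          # second test only runs in response to an anomaly
    return 0.90 if second_test(name, baseline) else 0.50

def route(name, baseline, threshold=0.40):
    """Pick the destination associated with the probability band."""
    p = infection_probability(name, baseline)
    if p < threshold:
        return p, "deliver"              # below the predefined threshold
    return p, "quarantine-high" if p >= 0.80 else "quarantine-review"

if __name__ == "__main__":
    base = build_baseline(LEGIT_NAMES)
    for n in ["agenda.pdf", "update.scr", "invoice.pdf.exe",
              "photo.jpg        .exe", "report.v2.pdf"]:
        print(f"{n!r:28} -> {route(n, base)}")
```

A name with several dots but a familiar final extension, such as `report.v2.pdf`, never reaches the second test, which is the point of gating that test on the first anomaly.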
Specification