System and method for detecting and defeating IP address spoofing in electronic mail messages

US 7,539,761 B1
Filed: 12/19/2003
Issued: 05/26/2009
Est. Priority Date: 12/19/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A method for detecting a spoofed network connection comprising:

receiving a connection from a client;

delaying sending a greeting message for a delay period, the delay period being less than or equal to a maximum tolerable delay, the maximum tolerable delay being the longest delay that would be tolerated by a valid client;

monitoring the connection during the delay period;

if a command is received from the client before the greeting is sent, then identifying the connection as the spoofed connection;

processing any electronic mail associated with the spoofed connection;

wherein a spoofed connection electronic-mail message is processed using a process selected from the group consisting of;

deleting the spoofed-connection electronic-mail message;

marking the spoofed-connection electronic-mail message; and

storing the spoofed-connection electronic-mail message in an electronic directory.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for detecting spoofed network connections comprising receiving a connection from a client, delaying sending a greeting message for a delay period, monitoring the connection during the delay period, and if a command is received from the client before the greeting is sent, then identifying the connection as a possible spoofed connection.

14 Citations

View as Search Results

16 Claims

1. A method for detecting a spoofed network connection comprising:
- receiving a connection from a client;
  
  delaying sending a greeting message for a delay period, the delay period being less than or equal to a maximum tolerable delay, the maximum tolerable delay being the longest delay that would be tolerated by a valid client;
  
  monitoring the connection during the delay period;
  
  if a command is received from the client before the greeting is sent, then identifying the connection as the spoofed connection;
  
  processing any electronic mail associated with the spoofed connection;
  
  wherein a spoofed connection electronic-mail message is processed using a process selected from the group consisting of;
  
  deleting the spoofed-connection electronic-mail message;
  
  marking the spoofed-connection electronic-mail message; and
  
  storing the spoofed-connection electronic-mail message in an electronic directory.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1 further comprising:
    - sending the greeting to the client upon completion of the delay period.
  - 3. The method of claim 1 wherein the connection is a Transmission Control Protocol (TCP) connection.
  - 4. The method of claim 1 wherein the client is a Mail Transfer Agent (MTA) or Mail User Agent (MUA).
  - 5. The method of claim 1 wherein the received command is a Simple Mail Transfer Protocol (SMTP) command.

6. A method for detecting a spoofed network connection comprising:
- receiving a first command at a server from a client;
  
  delaying, for a delay period, a transmission of a reply associated with the first command, the delay period being less than or equal to a maximum tolerable delay, the maximum tolerable delay being the longest delay that would be tolerated by a valid client;
  
  monitoring a connection between the server and the client during the delay period;
  
  if a second command is received at the server before the reply is transmitted, then identifying the connection as the spoofed connection;
  
  processing any electronic mail associated with the spoofed connection;
  
  wherein a spoofed connection electronic-mail message is processed using a process selected from the group consisting of;
  
  deleting the spoofed-connection electronic-mail message;
  
  marking the spoofed-connection electronic-mail message; and
  
  storing the spoofed-connection electronic-mail message in an electronic directory.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. The method of claim 6 further comprising:
    - sending a greeting to the client when the connection is established with the server.
  - 8. The method of claim 6 further comprising:
    - transmitting the reply upon completion of the delay period.
  - 9. The method of claim 6 wherein the connection is a Transmission Control Protocol (TCP) connection.
  - 10. The method of claim 6 wherein the client is a Mail Transfer Agent (MTA) or Mail User Agent (MUA).
  - 11. The method of claim 6 wherein the received command is a Simple Mail Transfer Protocol (SMTP) command.

12. An apparatus for detecting a spoofed connection comprising:
- means for detecting when a connection is established between the apparatus and a client device;
  
  means for transmitting a greeting message or a reply or both to the client device;
  
  means for delaying the transmitting means so that the greeting message or the reply or both are not transmitted during a delay period, the delay period being less than or equal to a maximum tolerable delay, the maximum tolerable delay being the longest delay that would be tolerated by a valid client; and
  
  means for monitoring the connection to detect commands that are sent by the client device at least during the delay period;
  
  if a command is received from the client before the greeting message or a reply or both is sent then identifying the connection as the spoofed connection;
  
  means for processing any electronic mail associated with the spoofed connection;
  
  wherein a spoofed connection electronic-mail message is processed using a process selected from the group consisting of;
  
  deleting the spoofed-connection electronic-mail message;
  
  marking the spoofed-connection electronic-mail message; and
  
  storing the spoofed-connection electronic-mail message in an electronic directory.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The apparatus of claim 12 wherein the client device is a Mail Transfer Agent (MTA) or Mail User Agent (MUA).
  - 14. The apparatus of claim 12 wherein the detecting means, the transmitting means, the delaying means, and the monitoring means comprise one or more processor-based devices running software algorithms to provide the detecting, transmitting, delaying and monitoring functions.
  - 15. The apparatus of claim 12 wherein the connection is a Transmission Control Protocol (TCP) connection.
  - 16. The apparatus of claim 12 wherein the commands are Simple Mail Transfer Protocol (SMTP) commands.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Unwired Planet LLC (JP Morgan Chase & Co)
Original Assignee
Openwave Systems Incorporated (JP Morgan Chase & Co)
Inventors
Silberman, Samuel G., Brown, Jr., Bruce L.
Primary Examiner(s)
Pwu, Jeffrey
Assistant Examiner(s)
Ali, Farhad

Application Number

US10/742,329
Time in Patent Office

1,985 Days
Field of Search

709225-227
US Class Current

709/227
CPC Class Codes

H04L 51/212   using filtering or selectiv...

H04L 51/48   Message addressing, e.g. ad...

H04L 63/1416   Event detection, e.g. attac...

H04L 63/1466   Active attacks involving in...

System and method for detecting and defeating IP address spoofing in electronic mail messages

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

14 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for detecting and defeating IP address spoofing in electronic mail messages

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

14 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links