Identifying IP addresses for spammers

US 7,849,146 B2
Filed: 02/21/2008
Issued: 12/07/2010
Est. Priority Date: 02/21/2008
Status: Active Grant

First Claim

Patent Images

1. A method for use in managing delivery of content over a network, comprising:

determining a plurality of IP address groups from a plurality of messages received from a plurality of different IP addresses, the plurality of messages being grouped based on message volumes received during a given time period for each of the different IP addresses;

determining an entropy for each IP address group determined to be associated with non-spam messages;

determining a distribution of messages for a plurality of messages received from a given IP address by distributing the messages from the given IP address across a plurality of message buckets based on a size of each message;

determining a percentage of messages within each message bucket within the plurality of message buckets by determining a number of messages in a given message bucket divided by a total number of messages for the given IP address;

determining a message entropy for the given IP address by summing the percentages of messages times a log of the percentages of messages over all message buckets;

selecting an entropy as a threshold value from an IP address group associated with non-spam messages based on a comparison of a message volume for the given IP address;

if the message entropy for the given IP address is determined to be statistically significant from the selected entropy threshold value, then classifying the given IP address as a potential spammer; and

selectively inhibit sending of messages from the given IP address to message recipients.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Detecting and blocking spam messages using statistical analysis on distributions of message sizes for a given IP address. Mail volumes are examined to model a distribution of volumes to cluster IP addresses. The messages sizes may distributed across ranges of message sizes, which is then used to determine an entropy of message sizes for the given IP address. The entropy of the given IP address may be compared to entropies of known good IP addresses, and if a difference between the entropies is statistically significant, then the given IP address may be determined to be an IP spammer. User feedback may also be employed to further characterize an IP address. For example, a number of messages from the IP address may be sent to intended recipients. User feedback may then be monitored to determine whether to the IP address should be reclassified.

44 Citations

View as Search Results

17 Claims

1. A method for use in managing delivery of content over a network, comprising:
- determining a plurality of IP address groups from a plurality of messages received from a plurality of different IP addresses, the plurality of messages being grouped based on message volumes received during a given time period for each of the different IP addresses;
  
  determining an entropy for each IP address group determined to be associated with non-spam messages;
  
  determining a distribution of messages for a plurality of messages received from a given IP address by distributing the messages from the given IP address across a plurality of message buckets based on a size of each message;
  
  determining a percentage of messages within each message bucket within the plurality of message buckets by determining a number of messages in a given message bucket divided by a total number of messages for the given IP address;
  
  determining a message entropy for the given IP address by summing the percentages of messages times a log of the percentages of messages over all message buckets;
  
  selecting an entropy as a threshold value from an IP address group associated with non-spam messages based on a comparison of a message volume for the given IP address;
  
  if the message entropy for the given IP address is determined to be statistically significant from the selected entropy threshold value, then classifying the given IP address as a potential spammer; and
  
  selectively inhibit sending of messages from the given IP address to message recipients.
- View Dependent Claims (2, 3, 4)
- - 2. The method of claim 1, further comprising:
    - if the given IP address is classified as a potential spammer, then;
      
      selectively sending a percentage of messages from the given IP address to intended recipients of the messages;
      
      preventing another percentage of messages from the given IP address to be sent to the intended recipients of the messages;
      
      monitoring for feedback from the recipients regarding the sent messages; and
      
      if recipient feedback indicates that the messages are spam, reclassifying the given IP address as a spammer, and preventing delivery of subsequent messages from the given IP address.
  - 3. The method of claim 1, if a message entropy is determined to be statistically significant further comprises:
    - if the determined message entropy is below the selected threshold value, then determining that the given IP address is a potential spammer;
      
      if the determined message entropy is above the selected threshold, then determining that the given IP address is a non-spammer.
  - 4. The method of claim 1, the method further comprising:
    - if the given IP address is determined to be within a sub-network of IP addresses determined to be a spammer sub-network, then classifying the given IP address also as a spammer IP address.

5. A network device for managing delivery of messages over a network, comprising:
- a transceiver to send and receive data over the network; and
  
  a processor that is operative to perform actions, including;
  
  determining a plurality of IP address groups from a plurality of messages received from a plurality of different IP addresses, the plurality of messages being grouped based on message volumes received during a given time period for each of the different IP addresses;
  
  determining an entropy for each IP address group determined to be associated with non-spam messages;
  
  receiving a plurality of messages, each message being from a given IP address of a message sender;
  
  determining a distribution of messages for the plurality of messages received from the given IP address by distributing the messages from the given IP address across a plurality of message buckets based on a size of each message;
  
  determining a percentage of messages within each message bucket within the plurality of message buckets by determining a number of messages in a given message bucket divided by a total number of messages for the given IP address;
  
  determining a message entropy for the given IP address by summing the percentages of messages times a log of the percentages of messages over all message buckets;
  
  selecting an entropy as a threshold from an IP address group associated with non-spam messages based on a comparison of message volumes for the given IP address and the IP address group; and
  
  if the message entropy indicates that the given IP address is a bulk mailer based on a comparison of the selected entropy threshold value, selectively inhibit sending of a subsequent message from the given IP address to a message recipient.
- View Dependent Claims (6, 7, 8, 9, 10, 11)
- - 6. The network device of claim 5, further comprising:
    - if the given IP address is determined to be a bulk mailer, then;
      
      selectively sending a percentage of messages from the given IP address to intended recipients; and
      
      based on recipient feedback regarding the received messages, classifying the given IP address as a known spammer, or a non-spammer.
  - 7. The network device of claim 5, wherein the processor is operative to perform actions, further comprising:
    - monitoring feedback regarding the given IP address;
      
      classifying the given IP address as a spammer or non-spammer based on the monitored feedback; and
      
      if the given IP address is classified as a non-spammer based on the monitored feedback, placing the given IP address on a white list, such that a subsequent message from the given IP address is allowed to be delivered to an intended recipient.
  - 8. The network device of claim 5, wherein if the message entropy indicates that the given IP address is a bulk mailer further comprises, employing a message entropy threshold for comparison of the message entropy for the given IP address based on a number of messages the given IP address is detected as sending within a defined time period.
  - 9. The network device of claim 5, wherein if the message entropy indicates that the given IP address is a bulk mailer further comprises:
    - if the message entropy for the given IP address is below the entropy threshold determining that the given IP address is a bulk mailer; and
      
      if the message entropy for the given IP address is above the entropy threshold determining that the given IP address is not a bulk mailer.
  - 10. The network device of claim 5, wherein the processor is operative to perform actions, further comprising:
    - if the given IP address is associated with a sub-network that is classified as a spammer sub-network, then classifying the given IP address as a spammer IP address.
  - 11. The network device of claim 5, wherein the processor is operative to perform actins, further comprising:
    - if the message entropy is over the entropy threshold, determining that the given IP address is a non-spammer, and enabling messages from the given IP address to be sent to their intended recipients.

12. A system for use in managing delivery of messages over a network, comprising:
- a message server that is configured to receive messages from a plurality of different IP addresses, each message being destined to at least one message recipient; and
  
  a message spam detector configured and arranged to communicate with the message server and to perform actions, including;
  
  determining a plurality of IP address groups from a plurality of messages received from the plurality of different IP addresses, the plurality of messages being grouped based on message volumes received during a given time period for each of the different IP addresses;
  
  determining an entropy for each IP address group determined to be associated with non-spam messages;
  
  receiving a plurality of messages from a given IP address within the plurality of IP addresses;
  
  determining a distribution of messages for the plurality of messages from the given IP address by distributing the messages from the given IP address across a plurality of message buckets based on ranges of sizes of messagesdetermining a percentage of messages within each message bucket within the plurality of message buckets by determining a number of messages in a given message bucket divided by a total number of messages for the given IP address;
  
  determining a message entropy for the given IP address as a negative sum of a percentage of messages times a log of the percentage of messages over all of the portions of the distribution;
  
  selecting an entropy as a threshold from an IP address group associated with non-spam messages based on a comparison of a message volume for the given IP address; and
  
  if the message entropy indicates the given IP address is a bulk mailer based on a comparison of the message entropy for the given IP address to the selected entropy threshold, selectively inhibit sending of a subsequent message from the given IP address to a message recipient.
- View Dependent Claims (13, 14)
- - 13. The system of claim 12, wherein the message spam detector is configured and arranged to perform actions, further comprising:
    - if the message entropy is statistically below the selected entropy threshold, then determining that the given IP address is a bulk mailer; and
      
      if the message entropy is statistically above the selected entropy threshold, then determining that the given IP address is a non-spammer.
  - 14. The system of claim 12, wherein selectively inhibit sending of a subsequent message from the given IP address to a message recipient further comprises:
    - selectively sending a percentage of messages from the given IP address to intended recipients; and
      
      based on recipient feedback regarding the received messages, classifying the given IP address as a known spammer, or a non-spammer.

15. A mobile device for managing received messages, comprising:
- a transceiver to send and receive data over the network; and
  
  a processor that is operative to perform actions, including;
  
  determining a plurality of IP address groups from a plurality of messages received from the plurality of different IP addresses, the plurality of messages being grouped based on message volumes received during a given time period for each of the different IP addresses;
  
  determining an entropy for each IP address group determined to be associated with non-spam messages;
  
  receiving a plurality of messages, each message being from a given IP address of a message sender;
  
  determining a distribution of messages for the plurality of messages received from the given IP address by distributing the messages from the given IP address across a plurality of message buckets based on a size of each messagedetermining a percentage of messages within each message bucket within the plurality of message buckets by determining a number of messages in a given message bucket divided by a total number of messages for the given IP address;
  
  determining a message entropy for the given IP address by summing the percentages of messages times a log of the percentages of messages over all message buckets;
  
  selecting an entropy as a threshold from an IP address group associated with non-spam messages based on a comparison of a message volume for the given IP address;
  
  if the message entropy indicates that the given IP address is a bulk mailer based on a comparison of the message entropy for the given IP address to the selected entropy threshold, selectively inhibiting messages from the given IP address to be moved to a message inbox; and
  
  if the message entropy indicates that the given IP address is a non-bulk mailer, moving the messages to a message inbox.
- View Dependent Claims (16, 17)
- - 16. The mobile device of claim 15, wherein if the message entropy indicates that the given IP address is a bulk mailer, further selectively moving a percentage of messages from the given IP address into a message spam or bulk message box;
    - and further classifying the given IP address as a spammer or as a non-spammer based on user input regarding the messages moved to the spam or bulk message box.
  - 17. The mobile device of claim 15, wherein determining if the message entropy indicates that the given IP address is a bulk mailer or a non-bulk mailer, further comprises:
    - if the message entropy is statistically below the threshold value, then indicating that the given IP address is a bulk mailer; and
      
      if the message entropy is statistically above the threshold value, then indicating that the given IP address is a non-bulk mailer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
R2 Solutions LLC (Acacia Research Corporation)
Original Assignee
Yahoo! Inc. (Apollo Global Management, Inc.)
Inventors
Wei, Ke, Pujara, Jay, Choi, Jaesik, Ramarao, Vishwanth Tumkur
Primary Examiner(s)
Chan; Wing F
Assistant Examiner(s)
WOO, ANDREW M

Application Number

US12/035,371
Publication Number

US 20090216841A1
Time in Patent Office

1,020 Days
Field of Search

709/204, 709/206
US Class Current

709/206
CPC Class Codes

H04L 51/212 using filtering or selectiv...

Identifying IP addresses for spammers

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

44 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Identifying IP addresses for spammers

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

44 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links