System and method for protecting mail servers from mail flood attacks

US 8,301,712 B1
Filed: 05/14/2012
Issued: 10/30/2012
Est. Priority Date: 10/14/2006
Status: Expired due to Fees

First Claim

Patent Images

1. A method for controlling electronic mail flood attacks comprising:

when an email request originated from a suspicious address class contained in a set of suspicious address classes, wherein the address class comprises a collection of at least one IP address,determining a count of active connections originating from the suspicious address class,determining a first interval of time since the count of connections has reached the predetermined number, anddetermining a second interval of time since a temporary failure was last issued to an email message originating from the suspicious address class; and

when at least one of a set of at least one failure criteria is met, issuing a temporary failure message to the email request,wherein the set of at least one failure criteria comprises a first criterion which is met when the count of active connections reaches a predetermined maximum number, a second criterion which is met when the first interval is less than a first predetermined interval of time, and a third criterion which is met when the second interval is less than a second predetermined interval of time.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Most unsolicited commercial email (UCE) countermeasures call for a message by message analysis. However, some UCE attacks occur when a single sender of UCE floods a mail transfer agent (MTA) with a number of copies of a UCE, in a mail flood attack. The attacks rarely rise to the level of denial of service attacks but are significant enough to place a strain on MTAs and anti-UCE countermeasures. The anti-mail flood methodology disclosed herein provides a system and method for protecting mail systems from such mail flood attacks enabling anti-UCE countermeasures to work more efficiently.

55 Citations

View as Search Results

20 Claims

1. A method for controlling electronic mail flood attacks comprising:
- when an email request originated from a suspicious address class contained in a set of suspicious address classes, wherein the address class comprises a collection of at least one IP address,determining a count of active connections originating from the suspicious address class,determining a first interval of time since the count of connections has reached the predetermined number, anddetermining a second interval of time since a temporary failure was last issued to an email message originating from the suspicious address class; and
  
  when at least one of a set of at least one failure criteria is met, issuing a temporary failure message to the email request,wherein the set of at least one failure criteria comprises a first criterion which is met when the count of active connections reaches a predetermined maximum number, a second criterion which is met when the first interval is less than a first predetermined interval of time, and a third criterion which is met when the second interval is less than a second predetermined interval of time.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the predetermined maximum number is one.
  - 3. The method of claim 1, wherein the second predetermined interval is about 5 minutes.
  - 4. The method of claim 1, wherein the suspicious address class comprises all IP addresses belonging to an ISP from which a suspected unsolicited commercial email (UCE) originated.
  - 5. The method of claim 1, wherein the suspicious address class comprises all IP addresses excluding legitimate mail exchangers belonging to an ISP from which a suspected UCE originated.
  - 6. The method of claim 1, wherein the suspicious address class comprises all IP addresses sharing identical n most significant bits with an IP address from which a suspected UCE originated.
  - 7. The method of claim 1, wherein the suspicious address class comprises a range of IP addresses.
  - 8. The method of claim 1, wherein the set of suspicious address classes is stored in a database.
  - 9. The method of claim 1 further comprisingreceiving an IP address from an anti-UCE means;
    - andwhen the IP address does not belong to any suspicious address classes in the set of suspicious address classes, deriving a new suspicious address class based on the IP address and adding the new suspicious address class to the set of suspicious address classes.

10. A system for controlling electronic mail flood attacks comprising:
- a means for determining a count of active connections originating from a suspicious address class when an email request originated from a suspicious address class contained in a set of suspicious address classes, wherein the address class comprises a collection of at least one IP address;
  
  a means for determining a first interval of time since the count of connections has reached the predetermined number;
  
  a means for determining a second interval of time since a temporary failure was last issued to an email message originating from the suspicious address class; and
  
  a means for issuing a temporary failure message to the email request;
  
  wherein the temporary failure message is issued when the email request originated from a suspicious address class and when at least one of a set of at least one failure criteria is met, issuing a temporary failure message to the email request,said set of at least one failure criteria comprises a first criterion which is met when the count of active connections reaches a predetermined maximum number, a second criterion which is met when the first interval is less than a first predetermined interval of time, and a third criterion which is met when the second interval is less than a second predetermined interval of time.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The system of claim 10, wherein the predetermined maximum number is one.
  - 12. The system of claim 10, wherein the second predetermined interval is about 5 minutes.
  - 13. The system of claim 10, wherein the suspicious address class comprises all IP addresses belonging to an ISP from which a suspected unsolicited commercial email (UCE) originated.
  - 14. The system of claim 10, wherein the suspicious address class comprises all IP addresses excluding legitimate mail exchangers belonging to an ISP from which a suspected UCE originated.
  - 15. The system of claim 10, wherein the suspicious address class comprises all IP addresses sharing identical n most significant bits with an IP address from which a suspected UCE originated.
  - 16. The system of claim 10, wherein the suspicious address class comprises a range of IP addresses.
  - 17. The system of claim 10, wherein the set of suspicious address classes is stored in a database.
  - 18. The system of claim 10, further comprisingreceiving an IP address from an anti-UCE means;
    - andwhen the IP address does not belong to any suspicious address classes in the set of suspicious address classes, deriving a new suspicious address class based on the IP address and adding the new suspicious address class to the set of suspicious address classes.

19. An network appliance comprising:
- a module selected from the group consisting of a content filter, anti-virus means, anti-UCE means, anti-phishing means, POP server, IMAP server, webmail server and any combination thereof; and
  
  an anti-mail flood attack system comprising;
  
  a means for determining a count of active connections originating from a suspicious address class when an email request originated from a suspicious address class contained in a set of suspicious address classes, wherein the address class comprises a collection of at least one IP address;
  
  a means for determining a first interval of time since the count of connections has reached the predetermined number;
  
  a means for determining a second interval of time since a temporary failure was last issued to an email message originating from the suspicious address class; and
  
  a means for issuing a temporary failure message to the email request;
  
  wherein the temporary failure message is issued when the email request originated from a suspicious address class and when at least one of a set of at least one failure criteria is met, issuing a temporary failure message to the email request,said set of at least one failure criteria comprises a first criterion which is met when the count of active connections reaches a predetermined maximum number, a second criterion which is met when the first interval is less than a first predetermined interval of time, and a third criterion which is met when the second interval is less than a second predetermined interval of time.
- View Dependent Claims (20)
- - 20. The network appliance of claim 19 further comprising:
    - network modules selected from the group consisting of routers, dynamic host configuration protocol (DHCP) servers, port forwarding means, network address translation (NAT) means, firewall, name server, proxy server, and time server, and any combination thereof.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Engage Technology
Original Assignee
Engage Technology
Inventors
Lu, Haw-minn, White, Richard Paul
Primary Examiner(s)
Backer, Firmin
Assistant Examiner(s)
BUI, JONATHAN A

Application Number

US13/471,431
Time in Patent Office

169 Days
Field of Search

709/206
US Class Current

709/206
CPC Class Codes

H04L 51/212   using filtering or selectiv...

H04L 63/1425   Traffic logging, e.g. anoma...

H04L 63/1458   Denial of Service

System and method for protecting mail servers from mail flood attacks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

55 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for protecting mail servers from mail flood attacks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

55 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links