Detecting spam from a bulk registered e-mail account

US 8,892,661 B2
Filed: 09/18/2009
Issued: 11/18/2014
Est. Priority Date: 09/19/2008
Status: Active Grant

First Claim

Patent Images

1. A network device, comprising:

a transceiver to send and receive data over a network; and

a processor that receives data from and sends data to the transceiver, and performs actions, including;

in response to a request from a new user for a registration for a message account, determining a plurality of user probability values based on at least biographical information, a username and a password for the new user, a network address that is associated with the request, and a degree of similarity of at least a portion of the new user'"'"'s contact information to at least a portion of multiple other user registration information provided for registering at least another message account within a defined time period, each user probability value is a probability that the message account will be used for abusive purposes;

if the plurality of user probability values are classified as abusive in comparison to at least a determined threshold value, inhibiting the message account from at least sending a message to another message account; and

in response to receiving a message inbound to the message account;

parsing the inbound message to identify a plurality of message characteristics, including at least a message username and message account registration information associated with the inbound message;

analyzing the plurality of message characteristics to determine a plurality of probability values for the message;

assigning a probability score to the inbound message based in part on the determined plurality of probability values and previously determined data and probability scores for a plurality of other message accounts;

classifying the inbound message and related message account as abusive based on the assigned probability score being at or above a determined threshold value; and

if the inbound message is classified as abusive, inhibiting delivery of the inbound message;

otherwise, enabling the inbound message to be delivered to the message account.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The invention provides for at least three processes for detecting the probability of abusive use of a message account for sending large amounts of unsolicited messages, such as spam, to other message accounts. For example, information provided at registration for a new message account can be processed to determine the likelihood of abusive use of that message account. Also, inbound messages can be processed to determine if the message account that sent the inbound message is abusing the use of that message account. Additionally, outbound messages can be processed to determine if the message account that is attempting to send an outbound message is abusing the use of that message account. Each of these three processes can operate separately or in any combination with each other to further improve the probability that abusive use of a message account will be detected promptly and accurately.

62 Citations

View as Search Results

20 Claims

1. A network device, comprising:
- a transceiver to send and receive data over a network; and
  
  a processor that receives data from and sends data to the transceiver, and performs actions, including;
  
  in response to a request from a new user for a registration for a message account, determining a plurality of user probability values based on at least biographical information, a username and a password for the new user, a network address that is associated with the request, and a degree of similarity of at least a portion of the new user'"'"'s contact information to at least a portion of multiple other user registration information provided for registering at least another message account within a defined time period, each user probability value is a probability that the message account will be used for abusive purposes;
  
  if the plurality of user probability values are classified as abusive in comparison to at least a determined threshold value, inhibiting the message account from at least sending a message to another message account; and
  
  in response to receiving a message inbound to the message account;
  
  parsing the inbound message to identify a plurality of message characteristics, including at least a message username and message account registration information associated with the inbound message;
  
  analyzing the plurality of message characteristics to determine a plurality of probability values for the message;
  
  assigning a probability score to the inbound message based in part on the determined plurality of probability values and previously determined data and probability scores for a plurality of other message accounts;
  
  classifying the inbound message and related message account as abusive based on the assigned probability score being at or above a determined threshold value; and
  
  if the inbound message is classified as abusive, inhibiting delivery of the inbound message;
  
  otherwise, enabling the inbound message to be delivered to the message account.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The network device of claim 1, wherein analyzing the plurality of message characteristics further comprises:
    - analyzing the message username to determine at least one or more of a length of the username, an amount of transitions in the username, an amount of numbers in the username, an amount of letters in the username, or an amount of symbols in the username; and
      
      based on the analysis of the message username, employing at least one rule to assign a probability value to the inbound message.
  - 3. The network device of claim 1, wherein analyzing the plurality of message characteristics further comprises:
    - determining a network domain corresponding to the inbound message as at least one message characteristic in the plurality of message characteristics; and
      
      determining a probability value based on the determined network domain, including at least based on whether the determined network domain is an unknown network domain or based on a relationship between the determined network domain and a network domain associated with the message account.
  - 4. The network device of claim 1, wherein analyzing the plurality of message characteristics further comprises:
    - analyzing a velocity of similar inbound messages both from the message username associated with the inbound message and from other message accounts previously classified as abusive message accounts; and
      
      determining a probability value based on the analysis of the velocity.
  - 5. The network device of claim 1, wherein analyzing the plurality of message characteristics further comprises:
    - analyzing a content of similar inbound messages both from the same message username associated with the inbound message and from other message accounts previously classified as abusive message accounts; and
      
      determining a probability value based on the analysis of the content.
  - 6. The network device of claim 1, wherein the processor performs actions, further including:
    - retrieving a plurality of characteristics and probability scores associated with a plurality of other message account registrations;
      
      determining a degree of similarity of a message account registration for the message account associated with the inbound message and a plurality of other message account registrations that are identified as abusive message accounts; and
      
      based on the degree of similarity, adjusting the probability score to the inbound message.

7. A processor readable non-transitory storage medium that includes data and instructions, wherein the execution of the instructions on a computing device by enabling actions, comprising:
- in response to a request from a new user for a registration for a message account, determining a plurality of user probability values based on at least biographical information, a username and a password for the new user, a network address that is associated with the request, and a degree of similarity of at least a portion of the new user'"'"'s contact information to at least a portion of multiple other user registration information provided for registering at least another message account within a defined time period, each user probability value is a probability that the message account will be used for abusive purposes;
  
  if the plurality of user probability values are classified as abusive in comparison to at least a determined threshold value, inhibiting the message account from at least sending a message to another message account; and
  
  in response receiving a message inbound to the message account;
  
  parsing the inbound message to identify a plurality of message characteristics, including at least a message username, and message account registration information associated with the inbound message;
  
  analyzing the plurality of message characteristics to determine a plurality of probability values for the message;
  
  assigning a probability score to the inbound message based in part on the determined plurality of probability values and previously determined data and probability scores for a plurality of other message accounts;
  
  adjusting the probability score for the inbound message based in part on contributing factors indicating whether the message account related to the inbound message was previously used for abusive or fraudulent purposes;
  
  classifying the inbound message and the related message account as abusive based on the assigned probability score being at or above a determined threshold value; and
  
  if the inbound message is classified as abusive, inhibiting delivery of the inbound message;
  
  otherwise, enabling the inbound message to be delivered to the message account.
- View Dependent Claims (8, 9, 10, 11, 12, 13)
- - 8. The processor readable storage medium of claim 7, wherein adjusting the probability score further comprises:
    - identifying from the parsed plurality of message characteristics the message account;
      
      using the identified message account to retrieve related message account registration information;
      
      retrieving a plurality of characteristics and probability scores associated with the plurality of other message account registrations;
      
      clustering at least a subset of the plurality of characteristics and probability scores associated with the plurality of other message account registrations based in part on a determined similarity in characteristics between the plurality of other message account registrations and the message account registration information for the inbound message;
      
      determining an adjustment for the probability score of the inbound message based on the clustering of at least the subset of plurality of characteristics and probability scores; and
      
      applying the adjustment to the assigned probability score for the inbound message.
  - 9. The processor readable storage medium of claim 7, wherein adjusting the probability score further comprises employing at least one of a machine learning, artificial intelligence or logical decision tree analysis to adjust the probability score of the inbound message.
  - 10. The processor readable storage medium of claim 7, wherein adjusting the probability score further comprises:
    - wherein the determined contributing factors include at least one of a feature of an application used for registration of the message account associated with the inbound message; and
      
      adjusting the probability score for the inbound message based on a probability value associated with the application used.
  - 11. The processor readable storage medium of claim 7, wherein the contributing factors further comprise at least one of a similarity of contact information for the message account associated with the inbound message and other message accounts within a time period, or previous abusive use by the associated message account.
  - 12. The processor readable storage medium of claim 7, wherein the contributing factors further comprise at least one of an amount of previous inbound messages from the message account associated with the inbound message, or an amount of recipients of the inbound message sent by the associated message account.
  - 13. The processor readable storage medium of claim 7, wherein the instructions enable actions, further including:
    - employing the contributing factors, the adjusted probability score, or the plurality of message characteristics to update a probability score for at least one other message account.

14. A system for enabling a communications over a network, comprising:
- a data storage device having stored thereon, a plurality of abusive message account data from at least a plurality of message account registrations; and
  
  one or more processors configured to employ data from the data storage device to perform actions, including;
  
  in response to a request from a new user for a registration for a message account, determining a plurality of user probability values based on at least biographical information, a username and a password for the new user, a network address that is associated with the request, and a degree of similarity of at least a portion of the new user'"'"'s contact information to at least a portion of multiple other user registration information provided for registering at least another message account within a defined time period, each user probability value is a probability that the message account will be used for abusive purposes;
  
  if the plurality of user probability values are classified as abusive in comparison to at least a determined threshold value, inhibiting the message account from at least sending a message to another message account; and
  
  in response to receiving a message inbound to the message account;
  
  parsing the inbound message to identify a plurality of message characteristics, including at least a message account, message username, and message account registration information associated with the inbound message;
  
  analyzing the plurality of message characteristics to determine a plurality of probability values for the message;
  
  assigning a probability score to the inbound message based in part on the determined plurality of probability values and previously determined data and probability scores for a plurality of other message accounts;
  
  classifying the inbound message and related message account as abusive based on the assigned probability score being at or above a determined threshold value; and
  
  if the inbound message is classified as abusive, inhibiting delivery of the inbound message;
  
  otherwise, enabling the inbound message to be delivered to the message account.
- View Dependent Claims (15, 16, 17, 18, 19, 20)
- - 15. The system of claim 14, wherein the one or more processors perform actions, further including:
    - determining a plurality of contributing factors from the plurality of abusive message account data from the plurality of message account registrations;
      
      determining a plurality of other contributing factors based on message account registration information associated with the inbound message;
      
      comparing the determined plurality of contributing factors with the plurality of other contributing factors; and
      
      adjusting the probability score based the comparison.
  - 16. The system of claim 14, wherein parsing the inbound message further comprises:
    - parsing a plurality of characters in the message username to determine various statistics about the message username including at least one of a length of the message username based on the plurality of characters, a number of transitions between the plurality of characters, a number of digits, a number of letters, or a number of symbols; and
      
      employing one or more rules to assign the probability score based on the statistics about the message username.
  - 17. The system of claim 16, wherein employing the one or more rules, further comprises:
    - clustering a plurality of characteristics about a username associated with the inbound message and probability scores associated with the plurality of other message account registrations based in part on a determined similarity in characteristics between the plurality of other message account registrations and message account registration information for the inbound message;
      
      determining an adjustment for the probability score of the inbound message based on the clustering of at least the subset of plurality of characteristics and probability scores; and
      
      applying the adjustment to the assigned probability score for the inbound message.
  - 18. The system of claim 14, wherein if the inbound message is classified as abusive, further classifying the message account associated with the inbound message as abusive.
  - 19. The system of claim 14, wherein analyzing the plurality of message characteristics further comprises:
    - determining a network domain corresponding to the inbound message as at least one message characteristic in the plurality of message characteristics; and
      
      determining a probability value based on the determined network domain, including at least based on whether the determined network domain is an unknown network domain and a relationship between the determined network domain and a network domain associated with the message account.
  - 20. The system of claim 14, wherein the classification of the inbound message is employed to continuously re-evaluate a classification of at least one other previously classified message account.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Yahoo Assets LLC
Original Assignee
Yahoo! Inc. (Apollo Global Management, Inc.)
Inventors
Ramarao, Vishwanath Tumkur, Risher, Mark E., Xi, Xiaopeng
Primary Examiner(s)
Dharia, Rupal
Assistant Examiner(s)
MCADAMS, BRAD

Application Number

US12/562,792
Publication Number

US 20100077043A1
Time in Patent Office

1,887 Days
Field of Search

709/206, 726/22, 726/26, 726/27
US Class Current

709/206
CPC Class Codes

G06N 20/00   Machine learning

G06N 5/01   Dynamic search techniques; ...

H04L 51/212   using filtering or selectiv...

H04L 63/1425   Traffic logging, e.g. anoma...

Detecting spam from a bulk registered e-mail account

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

62 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detecting spam from a bulk registered e-mail account

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

62 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links