WO2006014804A2 - Messaging spam detection - Google Patents

Publication number: WO2006014804A2
Authority: WO, WIPO (PCT)
Prior art keywords: message, call, action pattern, messages, spam
Application number: PCT/US2005/026069
Other languages: French (fr)
Other versions: WO2006014804A3 (en
Inventors: John Henry Kuhlmann, Eric E. Lofdahl, Curtis L. Miller, David N. Hoogerwerf, Kristine G. Siebert, Larry A. Setlow, Alan C. Lindsay
Original Assignee: Wireless Services Corp.
Application filed by Wireless Services Corp.
Publication of WO2006014804A2
Publication of WO2006014804A3

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00: User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/21: Monitoring or handling of messages
    • H04L51/212: Monitoring or handling of messages using filtering or selective blocking

Definitions

  • the present invention is directed to controlling unsolicited messages, commonly referred to as spam, and more specifically to detecting unsolicited messages transmitted to multiple recipients according to one or more protocols within communication services and between communication services.
  • Text messages have become an increasingly popular method of communication, especially with mobile devices such as cellular telephones, personal data assistants (PDAs), and the like. Such messages are generally inexpensive to send and receive relative to some voice communications, graphics-intensive communications, and other forms of communication that require a large amount of communication resources. Messages can be exchanged across a variety of protocols, including those for web-based message portals, telephones, and email systems.
  • FIGURE 1 shows a functional block diagram of an exemplary server according to one embodiment of the invention.
  • FIGURE 2 is a functional block diagram illustrating an overall architecture of an exemplary embodiment of the present invention.
  • FIGURE 3 is a flow diagram illustrating exemplary logic for evaluating a message to determine whether it is spam.
  • FIGURE 1 shows a functional block diagram of an exemplary server 10, according to one embodiment of the invention.
  • server 10 is a typical modern server computer, and may have many high performance components to provide the necessary performance to handle millions of messages daily.
  • server 10 may include many more components than those shown. The components shown, however, are sufficient to disclose an illustrative embodiment for practicing the invention.
  • Client devices can be similarly configured. Client devices can include, but are not limited to, other servers, personal computers (PCs), PDAs, mobile terminals (e.g., cell phones), unified mail systems, and the like.
  • a recipient can also receive messages via other forms of communication, such as fax, voice mail, postal mail, and the like.
  • Server 10 includes a processing unit 12, a video display adapter 14, and a mass memory, all in communication with each other via a bus 22.
  • the mass memory generally includes RAM 16, ROM 30, and one or more permanent mass storage devices, such as an optical drive 26, a hard disk drive 28, a tape drive, and/or a floppy disk drive.
  • the mass memory stores an operating system 50 for controlling the operation of server 10. Any general-purpose operating system may be employed.
  • a basic input/output system (“BIOS”) 32 is also provided for controlling low-level operation of server 10.
  • the mass memory also includes computer-readable media, sometimes called computer storage media.
  • Computer storage media may include volatile, nonvolatile, removable, and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules, or other data. Examples of computer storage media include RAM, ROM, EEPROM, flash memory, or other memory technology, CD-ROM, digital versatile disks (DVD), or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage, or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computing device.
  • the mass memory also stores program code and data.
  • One or more applications 58 are loaded into mass memory and run on operating system 50. Examples of application programs include database programs, schedulers, transcoders, email programs, calendars, web services, word processing programs, spreadsheet programs, and so forth.
  • Mass storage may further include applications such as a request handler 52 for managing communication requests from senders, an authenticator for authenticating a sender, a message transmitter 56 for communicating with a recipient, and the like.
  • Server 10 also includes input/output interface 24 for communicating with external devices, such as a mouse, keyboard, scanner, or other input devices not shown in FIGURE 1.
  • Server 10 can communicate with the internet, a telephone network, or other communications network via network interface units 20a and 20b, which are constructed for use with various communication protocols including transmission control protocol / Internet protocol (TCP/IP), user datagram protocol (UDP), and the like.
  • Network interface units 20a and 20b are sometimes known as transceivers, transceiving devices, network interface cards (NICs), and the like.
  • Network interface units can facilitate inter-carrier communications between networks that conform to the same or differing communication protocols.
  • network interface unit 20a is illustrated as communicating with a network A 21a, such as a network that communicates messages according to the wireless access protocol (WAP), or the like.
  • Network A 21a provides communication services for conforming client devices, such as a PDA/Phone 40a.
  • network interface unit 20b is illustrated as communicating with a network B 21b, such as a network that communicates messages according to the short message protocol (SMS), or the like.
  • Carrier network B 21b provides communication services for conforming client devices, such as a cellular phone 40b.
  • FIGURE 2 is a functional block diagram illustrating an overall architecture of an exemplary embodiment of the present invention.
  • a message 60 is received by a message receiver 62.
  • the message generally comprises delivery information and message content.
  • the delivery information includes a delivery destination recipient, or multiple delivery destination recipients.
  • the spam detection system of the present invention is capable of identifying messages that may likely be spam, based on information detected in messages to multiple recipients, which is not generally known to individual recipients.
  • Message receiver 62 is configured to receive messages conforming to at least one of a plurality of communication protocols. There may be multiple message receivers, each corresponding to a different communication protocol. Alternatively, message receiver 62 can be a central receiver that can detect and conform to the protocol of an incoming message. Message receiver 62 engages in a protocol-specific interchange with the sender, and converts the message into a format that is compatible with a spam filter 64. Spam filter 64 includes one or more modules that can evaluate the content of the message for spam.
  • a known spam checker 66 can evaluate the content of individual message 60 for known indicators of spam such as a known spammer's email address, a portion of content likely to indicate a spam message (e.g., the word Viagra), a network domain or address known to be a source of spam, and the like.
  • known spam checker 66 should not be considered limited to currently known techniques for detecting spam; instead, known spam checker 66 determines whether a message includes a previously identified indication of spam messages.
  • Known spam checker 66 includes a user interface that enables an administrator to enter known spam information such as the types of information listed above. The administrator can also enter a range of IP addresses to filter any and all messages coming from sources within the range of IP addresses.
  • the spam information is stored in a spam database 68 that is in communication with known spam checker 66.
  • Spam filter 64 also includes a pattern identifier 70, which tracks information over a number of messages to identify patterns that are not detectable by looking at a single message alone. For example, pattern identifier 70 can detect that a number of messages have a sequence of target addresses, phone numbers, and the like, which indicates that an automated system sent messages to a sequence of target recipients. Pattern identifier 70 can also detect a large number of messages coming from a single source, which suggests a new source of spam. Conversely, pattern identifier 70 can detect a large number of messages sent to a single target, which suggests a denial of service attack. A number of other techniques can be used individually, or in combination, to analyze multiple messages and assess whether the messages comprise spam.
  • Some of the techniques include detecting a large number of recipients in a message, detecting a large number of repeated words in a message, detecting a long source address, and detecting other characteristics.
  • the characteristics can be statistically analyzed, such as with Bayesian techniques. Alternatively, or in addition, the characteristics can be assigned weighted scores, voted on, or otherwise evaluated for indications of spam.
  • Pattern identifier 70 is capable of recognizing classes of call to action patterns, including Uniform Resource Locators (URLs), domain names, IP addresses, email addresses, text message addresses, phone numbers, fax numbers, push-to-talk addresses, or any other call to action pattern with defined and understood characteristics. In addition to identifying identical call to action patterns in multiple messages, pattern identifier 70 can evaluate sets of call to action patterns for equivalency.
  • a URL in each individual message may change slightly, but pattern identifier 70 can consider them to be part of the same call to action pattern for detection and blocking purposes.
  • Call to action patterns, in addition to having consistent characteristics, generally consist of a communication technology value that is independent of local human languages and/or human symbologies such as number systems. Although different localities may have some differing communication technologies, such as different phone number patterns, a minimum of localization is required to allow pattern identifier 70 to detect a call to action pattern in any locale or human language.
  • Pattern identifier 70 can automatically notify a human operator and direct them to evaluate one or more messages that fall within one of the detected patterns to determine whether the pattern represents spam messages.
  • One or more messages that conform to a detected pattern can be stored by a quarantine module 72 that is in communication with spam filter 64 and spam database 68.
  • Quarantine module 72 temporarily stores messages for a human operator to evaluate, and processes messages that the human operator does not have time to evaluate.
  • the human operator can interact with quarantine module 72 through an administrator user interface 74.
  • the human operator can also use administrator user interface 74 to interact with spam database 68 to manually enter and/or modify information related to spam detection.
  • Non-spam messages that were temporarily quarantined, or that previously passed through spam filter 64, can be released for delivery by a message transmitter 76 to one or more service carriers that can deliver the messages to target client devices.
  • message transmitter 76 conforms to at least one of a plurality of communication protocols. There may be multiple message transmitters, each corresponding to a different communication protocol. Alternatively, message transmitter 76 can be a central transmitter that can detect and conform to the protocol(s) of the intended service carrier(s). If necessary, message transmitter 76 can convert the content of an outgoing message to a format that is compatible with protocol(s) of the intended service carrier(s).
  • FIGURE 3 is a flow diagram illustrating exemplary logic for filtering messages for spam.
  • the message receiver receives an inbound message conforming to the corresponding message protocol, such as an email protocol, a mobile messaging protocol, a paging message protocol, and the like.
  • the message receiver performs the protocol-specific interaction with the sender to construct an entire message.
  • the message receiver converts the message to a common format that other processing modules can understand. A single format can be used for all processing modules, or multiple formats can be used for different processing modules.
  • the message receiver can also parse the message header and/or content for further modular processing.
  • the spam filter determines whether the message includes a secret safe code that a recipient, enterprise, and/or service has selected to indicate that the message is not spam.
  • a receiving enterprise can specify a password, an encoded value, or other special content that is used to inform the spam filter that a bulk message is not spam to all members of the enterprise.
  • an individual recipient can specify a secret safe code that the recipient can distribute to those individuals and/or message sources from which the recipient is willing to accept messages.
  • the spam filter can access the spam database to determine whether the secret safe code is associated with the recipient, and if so, immediately release the message for delivery to the recipient.
  • the spam filter can also refer to lists of safe contacts (sometimes referred to as white lists) in the spam database, so that the spam filter will not consider as spam messages received from members of the safe contact lists.
  • White lists may be defined for individual recipients, a group of recipients, and/or all recipients. Messages from white listed contacts skip the remaining spam detection processing and are passed to a target carrier service, at an operation 120, for delivery to the recipient's client device.
  • the spam filter determines whether the message includes a known spam indicator at a decision operation 104. For example, the spam filter can compare the message sender address to a list of stored addresses known to distribute spam (sometimes referred to as a black list). In addition, the spam filter parses the message for call to action patterns and determines whether the message includes a call to action pattern that was previously identified as an indicator of spam. For instance, the spam filter can compare a URL in the message to a list of URLs that were previously identified as call to action patterns of spam messages conforming to the same or different message protocols. If the message includes a known spam indicator, such as a black listed sender address or a previously determined call to action, the spam filter deletes the message at an operation 124.
  • the spam filter determines whether the message comprises only previously released patterns at a decision operation 106. If the spam filter or a human operator previously analyzed a detected pattern and determined that the pattern does not indicate spam, the pattern can be stored in the database with an indication that subsequent messages including the pattern need not be delayed or deleted. Subsequent messages that include multiple patterns can be released automatically at operation 120 if all of the patterns in the message were previously determined not to indicate spam.
  • a previously released call to action pattern is distinguished from a widely recognized pattern that some filtering systems consider a white list entry. For example, some filtering systems consider a URL to a well known retail Web site as an indication that the message is not spam. In these filtering systems, the well known retail Web site is part of a predefined white list. However, clever spammers can exploit these widely recognized patterns by including them in spam messages to slip through filtering systems that include widely recognized patterns in a white list. The present invention does not include a predefined white list of widely recognized patterns that would be considered safe codes. Instead, the present invention treats a widely recognized pattern as a potential indicator of spam until the spam filter or human operator analyzes the widely recognized pattern and determines that it is not a call to action that indicates spam.
  • If a subsequent message includes only previously released patterns (or no patterns), the subsequent message can be released automatically at operation 120.
  • If the message includes a call to action pattern that was not previously released and was not affirmatively identified as an indicator of spam, the pattern is stored for further comparison with other messages at an operation 108. For each message that includes the same call to action pattern, a count is incremented for this pattern.
  • the spam filter determines whether the detected call to action pattern was found in more than a threshold number (X) of messages. This number can be based on actual messages received and/or a single message that is addressed to a threshold number of recipients. In addition, or alternatively, this decision can be based on other evaluations, such as statistical analyses, voting, and the like.
  • One such evaluation includes detecting a consistent sequence of call to action patterns. For example, a number of messages might include a domain name that differs in a consistent or inconsequential manner. To illustrate this situation, a sample sequence of domain names is listed below:
  • the above samples include a sequentially incrementing random word in a portion of the domain name, but they all specify the same domain type (e.g., .com).
  • a corresponding domain name service (DNS) could resolve the sequence of domain names to a single network and/or device, which could be the directed destination of spam.
  • a sequence of consistently or inconsequentially changing domain names may specify the same file name, which may also suggest spam.
  • the current message is passed to the target service at operation 120.
  • the threshold frequency is reached for the detected call to action pattern. The frequency can be adjusted to modulate spam detection relative to traffic loads and/or for other reasons.
  • the spam detection system sends a notification message to one or more human operators.
  • the notification identifies the message, the message content, the call to action pattern, the frequency of the call to action pattern, and/or other information.
  • a human operator responds by reviewing the quarantined message and subsequent messages with the same call to action pattern that may have arrived after quarantine was imposed.
  • the administrator is given a limited time to evaluate the message to prevent undue delay in delivering the message, especially an instant message, an SMS message, or other near-real-time message. This time limitation can be adjusted or determined based on message characteristics, such as the type of message, the source of the message, the target service, a paid priority level, and the like.
  • the spam filter determines whether the allowed time has lapsed. If the allowed time has lapsed, the message is passed to the target service at operation 120 for delivery to the intended recipient's client device. Until the pattern is determined to be a spam indicator, or not, by a human operator, messages that contain the pattern will continue to be quarantined for the time limit, and, if not acted upon, released to be delivered.
  • the administrator determines at a decision operation 118 whether the message is spam. If the administrator concludes that the message is not spam or that the call to action pattern is not a good indicator of spam, the administrator can flag the call to action pattern, so that the spam filter will not use that pattern to subsequently divert messages to quarantine.
  • the administrator can manually release the message for delivery without flagging and/or storing the call to action pattern. Any subsequent message with the same call to action pattern would again be quarantined for another review. Conversely, the administrator can manually delete the message, or group of messages with the same call to action pattern. Again, a subsequent message with the same call to action pattern would be quarantined for another review.
  • However, if the administrator indicates with certainty that the message is spam, and/or that the call to action pattern is a good spam indicator, the spam filter stores the call to action pattern as a spam indicator at an operation 122. All messages in quarantine that contain that call to action pattern are then deleted at operation 122. The call to action pattern is automatically loaded into the database and subsequent messages with that call to action pattern will be automatically deleted without human intervention. After the message is deleted or passed to the target service, control returns to operation 100 to await another message.
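
The FIGURE 3 flow described above (operations 104 through 124), as an added Python example that is not code from the patent. The recognizers, the normalization rules, the names `SpamFilter` and `extract_ctas`, the default threshold and hold time, and counting a message once per recipient are assumptions; safe codes and white lists are left out.

```python
import re
from dataclasses import dataclass, field

# Assumed recognizers for three call to action classes named in the text.
CTA_RES = {
    "url": re.compile(r"https?://[^\s<>\"']+", re.I),
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "phone": re.compile(r"\+?\d[\d\s().-]{7,}\d"),
}
DELIVER, QUARANTINE, DELETE = "deliver", "quarantine", "delete"


def extract_ctas(text):
    """Return normalized (kind, value) call to action patterns in a message."""
    found, rest = set(), text
    for kind in ("url", "email", "phone"):
        for match in CTA_RES[kind].findall(rest):
            value = match.rstrip(".,;:!?)").lower()   # assumed normalization
            if kind == "phone":
                value = re.sub(r"\D", "", value)      # compare digits only
            found.add((kind, value))
        rest = CTA_RES[kind].sub(" ", rest)  # digits inside a URL are not a phone
    return found


@dataclass
class SpamFilter:
    threshold: int = 3           # "X" in the text
    hold_seconds: float = 300.0  # review window before automatic release
    spam: set = field(default_factory=set)      # confirmed spam indicators
    released: set = field(default_factory=set)  # patterns cleared by an operator
    counts: dict = field(default_factory=dict)
    quarantine: list = field(default_factory=list)  # (deadline, patterns, text)

    def evaluate(self, text, recipients=1, now=0.0):
        ctas = extract_ctas(text)
        if ctas & self.spam:                # operation 104 -> 124
            return DELETE
        pending = ctas - self.released      # operation 106
        if not pending:                     # only released patterns, or none
            return DELIVER                  # operation 120
        over = False
        for cta in pending:                 # operation 108: count per pattern
            self.counts[cta] = self.counts.get(cta, 0) + recipients
            over |= self.counts[cta] > self.threshold
        if not over:
            return DELIVER
        self.quarantine.append((now + self.hold_seconds, ctas, text))
        return QUARANTINE

    def expire(self, now):
        """Return quarantined messages whose review window has lapsed."""
        due = [q for q in self.quarantine if q[0] <= now]
        self.quarantine = [q for q in self.quarantine if q[0] > now]
        return [text for _, _, text in due]

    def verdict(self, cta, is_spam):
        """Operator decision (operation 118); returns messages released by it."""
        (self.spam if is_spam else self.released).add(cta)
        hit = [q for q in self.quarantine if cta in q[1]]
        self.quarantine = [q for q in self.quarantine if cta not in q[1]]
        if is_spam:
            return []                       # operation 122: held copies deleted
        # A held message stays in quarantine while another pattern is unreviewed.
        self.quarantine += [q for q in hit if not q[1] <= self.released]
        return [q[2] for q in hit if q[1] <= self.released]


if __name__ == "__main__":
    f = SpamFilter(threshold=2, hold_seconds=60)
    # Constructed sample messages, as they might arrive over different protocols.
    for t, body in enumerate(["Free ringtones http://promo.example/win",
                              "You won! Visit HTTP://promo.example/win.",
                              "Last chance http://promo.example/win"]):
        print(f.evaluate(body, now=t), "<-", body)
```

The counter is keyed on the normalized pattern rather than on sender or protocol, so the same URL or phone number arriving by SMS and by email accumulates toward one threshold.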

Abstract

Detecting unsolicited messages (spam) by aggregating information across multiple recipients and/or across the same or differing messaging protocols. Multiple messages are analyzed to detect a call to action pattern that specifies a target communication address with which the recipients are requested to communicate, such as an email address, an Internet address, a telephone number, and the like. Once a frequency threshold of messages containing the call to action pattern is reached, subsequent messages are temporarily quarantined for evaluation by a human operator. If the human determines that the messages are not spam, the human can release the quarantined messages, and indicate that future messages with the call to action pattern are not to be delayed. Conversely, if the human determines that the messages are spam, the human can delete the messages in quarantine, and indicate that all future messages with that call to action pattern are to be deleted automatically.

Description

TITLE OF INVENTION
MESSAGING SPAM DETECTION
CROSS-REFERENCE TO RELATED APPLICATIONS
This application claims priority to U.S. Patent Application 10/902,799, filed July 30, 2004, the specification of which is incorporated by reference in its entirety.
FIELD OF THE INVENTION
The present invention is directed to controlling unsolicited messages, commonly referred to as spam, and more specifically to detecting unsolicited messages transmitted to multiple recipients according to one or more protocols within communication services and between communication services.
BACKGROUND OF THE INVENTION
Text messages have become an increasingly popular method of communication, especially with mobile devices such as cellular telephones, personal data assistants (PDAs), and the like. Such messages are generally inexpensive to send and receive relative to some voice communications, graphics-intensive communications, and other forms of communication that require a large amount of communication resources. Messages can be exchanged across a variety of protocols, including those for web-based message portals, telephones, and email systems.
Because messages can be transmitted easily, a significant risk exists that unsolicited messages will be sent to client devices. In addition to consuming communication resources, spam can create additional expenses for recipients, including time and inconvenience. To protect their clients from these expenses, some messaging network providers perform spam filtering. As spam purveyors create more sophisticated methods to avoid detection, the spam filtering systems must become more sophisticated.
BRIEF DESCRIPTION OF THE DRAWINGS
FIGURE 1 shows a functional block diagram of an exemplary server according to one embodiment of the invention;
FIGURE 2 is a functional block diagram illustrating an overall architecture of an exemplary embodiment of the present invention; and
FIGURE 3 is a flow diagram illustrating exemplary logic for evaluating a message to determine whether it is spam.
DETAILED DESCRIPTION OF THE INVENTION
The present invention will now be described with reference to the accompanying drawings, which form a part hereof, and which show, by way of illustration, specific exemplary embodiments by which the invention may be practiced. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiments set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the invention to those skilled in the art. Among other things, the present invention may be embodied as methods or devices. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. The following detailed description is, therefore, not to be taken in a limiting sense.
Throughout the specification, the term "connected" means a direct connection between the things that are connected, without any intermediary devices or components. The term "coupled," or "in communication with" means a direct connection between the things that are connected, or an indirect connection through one or more either passive or active intermediary devices or components. The meaning of "a," "an," and "the" include plural references. The meaning of "in" includes "in" and "on."
Briefly stated, the invention is directed to a method and system for detecting and controlling spam by adaptively aggregating information about messages to multiple recipients, including messages communicated across multiple protocols.
FIGURE 1 shows a functional block diagram of an exemplary server 10, according to one embodiment of the invention. In general, server 10 is a typical modern server computer, and may have many high performance components to provide the necessary performance to handle millions of messages daily. Thus, server 10 may include many more components than those shown. The components shown, however, are sufficient to disclose an illustrative embodiment for practicing the invention. Client devices can be similarly configured. Client devices can include, but are not limited to, other servers, personal computers (PCs), PDAs, mobile terminals (e.g., cell phones), unified mail systems, and the like. A recipient can also receive messages via other forms of communication, such as fax, voice mail, postal mail, and the like.
Server 10 includes a processing unit 12, a video display adapter 14, and a mass memory, all in communication with each other via a bus 22. The mass memory generally includes RAM 16, ROM 30, and one or more permanent mass storage devices, such as an optical drive 26, a hard disk drive 28, a tape drive, and/or a floppy disk drive. The mass memory stores an operating system 50 for controlling the operation of server 10. Any general-purpose operating system may be employed. A basic input/output system ("BIOS") 32 is also provided for controlling low-level operation of server 10.
The mass memory also includes computer-readable media, sometimes called computer storage media. Computer storage media may include volatile, nonvolatile, removable, and non-removable media implemented in any method or technology for storage of information, such as computer readable instructions, data structures, program modules, or other data. Examples of computer storage media include RAM, ROM, EEPROM, flash memory, or other memory technology, CD-ROM, digital versatile disks (DVD), or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage, or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computing device.
The mass memory also stores program code and data. One or more applications 58 are loaded into mass memory and run on operating system 50. Examples of application programs include database programs, schedulers, transcoders, email programs, calendars, web services, word processing programs, spreadsheet programs, and so forth. Mass storage may further include applications such as a request handler 52 for managing communication requests from senders, an authenticator for authenticating a sender, a message transmitter 56 for communicating with a recipient, and the like.
Server l O also includes input/output interface 24 for communicating with external devices, such as a mouse, keyboard, scanner, or other input devices not shown in FIGURE l . Server 10 can communicate with the internet, a telephone network, or other communications network via network interface units 20a and 20b, which are constructed for use with various communication protocols including transmission control protocol / Internet protocol (TCP/IP), user datagram protocol (UDP), and the like. Network interface units 2θa and 20b are sometimes known as transceivers, transceiving devices, network interface cards (NICs), and the like. Multiple private and public portals and/or other network services can communicate through these interface cards, and can communicate messages with the server through a variety of higher level protocols including, but not limited to, simple mail transfer protocol (SMTP), Tl access partitioning (TAP) protocol, simple network paging protocol (SNPP), hypertext transfer protocol (HTTP), multimedia messaging service (MMS) protocol, instant messaging and presence protocol (IMPP), and the like. The network interface units can facilitate inter-carrier communications between networks that conform to the same or differing communication protocols. For example, network interface unit 20a is illustrated as communicating with a network A 21 a, such as a network that communicates messages according to the wireless access protocol (WAP), or the like. Network A 21 a provides communication services for conforming client devices, such as a PDA/Phone 40a. 5 Similarly, network interface unit 20b is illustrated as communicating with a network B 2 Ib, such as a network that communicates messages according to the short message protocol (SMS), or the like. Carrier network B 21 b provides communication services for conforming client devices, such as a cellular phone 40b.
FIGURE 2 is a functional block diagram illustrating an overall architecture of an exemplary embodiment of the present invention. A message 60 is received by a message receiver 62. The message generally comprises delivery information and message content. The delivery information includes a delivery destination recipient, or multiple delivery destination recipients. If the recipient has not solicited this message, or if the message does not come from a trusted source, the message might be spam. However, an unsolicited message, or a message from an unknown source is not always spam. Another determining aspect is whether a recipient desired the message. In general, whether the recipient desired the message is completely subjective. Nevertheless, the spam detection system of the present invention is capable of identifying messages that may likely be spam, based on information detected in messages to multiple recipients, which is not generally known to individual recipients.
Message receiver 62 is configured to receive messages conforming to at least one of a plurality of communication protocols. There may be multiple message receivers, each corresponding to a different communication protocol. Alternatively, message receiver 62 can be a central receiver that can detect and conform to the protocol of an incoming message. Message receiver 62 engages in a protocol-specific interchange with the sender, and converts the message into a format that is compatible with a spam filter 64. Spam filter 64 includes one or more modules that can evaluate the content of the message for spam. For instance, a known spam checker 66 can evaluate the content of individual message 60 for known indicators of spam such as a known spammer's email address, a portion of content likely to indicate a spam message (e.g., the word Viagra), a network domain or address known to be a source of spam, and the like. Known spam checker 66 should not be considered limited to currently known techniques for detecting spam; instead, known spam checker 66 determines whether a message includes a previously identified indication of spam messages. Known spam checker 66 includes a user interface that enables an administrator to enter known spam information such as the types of information listed above. The administrator can also enter a range of IP addresses to filter any and all messages coming from sources within the range of IP addresses. The spam information is stored in a spam database 68 that is in communication with known spam checker 66.
Spam filter 64 also includes a pattern identifier 70, which tracks information over a number of messages to identify patterns that are not detectable by looking at a single message alone. For example, pattern identifier 70 can detect that a number of messages have a sequence of target addresses, phone numbers, and the like, which indicates that an automated system sent messages to a sequence of target recipients. Pattern identifier 70 can also detect a large number of messages coming from a single source, which suggests a new source of spam. Conversely, pattern identifier 70 can detect a large number of messages sent to a single target, which suggests a denial of service attack. A number of other techniques can be used individually, or in combination, to analyze multiple messages and assess whether the messages comprise spam. Some of the techniques include detecting a large number of recipients in a message, detecting a large number of repeated words in a message, detecting a long source address, and detecting other characteristics. The characteristics can be statistically analyzed, such as with Bayesian techniques. Alternatively, or in addition, the characteristics can be assigned weighted scores, voted on, or otherwise evaluated for indications of spam.
Call to Action Frequency Detection
The intent of many spam messages is to cause the recipient to take some action such as visit a website, call an operator, go to a nightclub, or the like. In order to induce such action, the spam message must include a "call to action" with sufficient information that the recipient can take the spammer's desired action. Pattern identifier 70 is capable of recognizing classes of call to action patterns, including Uniform Resource Locators (URLs), domain names, IP addresses, email addresses, text message addresses, phone numbers, fax numbers, push-to-talk addresses, or any other call to action pattern with defined and understood characteristics. In addition to identifying identical call to action patterns in multiple messages, pattern identifier 70 can evaluate sets of call to action patterns for equivalency. For example, a URL in each individual message may change slightly, but pattern identifier 70 can consider them to be part of the same call to action pattern for detection and blocking purposes. Call to action patterns, in addition to having consistent characteristics, generally consist of a communication technology value that is independent of local human languages and/or human symbologies such as number systems. Although different localities may have some differing communication technologies, such as different phone number patterns, a minimum of localization is required to allow pattern identifier 70 to detect a call to action pattern in any locale or human language.
Pattern identifier 70 can automatically notify a human operator and direct them to evaluate one or more messages that fall within one of the detected patterns to determine whether the pattern represents spam messages. One or more messages that conform to a detected pattern can be stored by a quarantine module 72 that is in communication with spam filter 64 and spam database 68. Quarantine module 72 temporarily stores messages for a human operator to evaluate, and processes messages that the human operator does not have time to evaluate. The human operator can interact with quarantine module 72 through an administrator user interface 74. The human operator can also use administrator user interface 74 to interact with spam database 68 to manually enter and/or modify information related to spam detection.
Non-spam messages that were temporarily quarantined, or that previously passed through spam filter 64, can be released for delivery by a message transmitter 76 to one or more service carriers that can deliver the messages to target client devices. As with the message receiver, message transmitter 76 conforms to at least one of a plurality of communication protocols. There may be multiple message transmitters, each corresponding to a different communication protocol. Alternatively, message transmitter 76 can be a central transmitter that can detect and conform to the protocol(s) of the intended service carrier(s). If necessary, message transmitter 76 can convert the content of an outgoing message to a format that is compatible with protocol(s) of the intended service carrier(s).
FIGURE 3 is a flow diagram illustrating exemplary logic for filtering messages for spam. At an operation 100, the message receiver receives an inbound message conforming to the corresponding message protocol, such as an email protocol, a mobile messaging protocol, a paging message protocol, and the like. The message receiver performs the protocol-specific interaction with the sender to construct an entire message. The message receiver converts the message to a common format that other processing modules can understand. A single format can be used for all processing modules, or multiple formats can be used for different processing modules. The message receiver can also parse the message header and/or content for further modular processing.
Secret Password
At a decision operation 102, the spam filter determines whether the message includes a secret safe code that a recipient, enterprise, and/or service has selected to indicate that the message is not spam. For example, a receiving enterprise can specify a password, an encoded value, or other special content that is used to inform the spam filter that a bulk message is not spam to all members of the enterprise. Alternatively, an individual recipient can specify a secret safe code that the recipient can distribute to those individuals and/or message sources from which the recipient is willing to accept messages. The spam filter can access the spam database to determine whether the secret safe code is associated with the recipient, and if so, immediately release the message for delivery to the recipient.
The spam filter can also refer to lists of safe contacts (sometimes referred to as white lists) in the spam database, so that the spam filter will not consider as spam messages received from members of the safe contact lists. White lists may be defined for individual recipients, a group of recipients, and/or all recipients. Messages from white listed contacts skip the remaining spam detection processing and are passed to a target carrier service, at an operation 120, for delivery to the recipient's client device.
If the received message does not include a safe code, safe contact, or the like, the spam filter determines whether the message includes a known spam indicator at a decision operation 104. For example, the spam filter can compare the message sender address to a list of stored addresses known to distribute spam (sometimes referred to as a black list). In addition, the spam filter parses the message for call to action patterns and determines whether the message includes a call to action pattern that was previously identified as an indicator of spam. For instance, the spam filter can compare a URL in the message to a list of URLs that were previously identified as call to action patterns of spam messages conforming to the same or different message protocols. If the message includes a known spam indicator, such as a black listed sender address or a previously determined call to action, the spam filter deletes the message at an operation 124.
If the message does not include a known spam indicator, the spam filter determines whether the message comprises only previously released patterns at a decision operation 106. If the spam filter or a human operator previously analyzed a detected pattern and determined that the pattern does not indicate spam, the pattern can be stored in the database with an indication that subsequent messages including the pattern need not be delayed or deleted. Subsequent messages that include multiple patterns can be released automatically at operation 120 if all of the patterns in the message were previously determined not to indicate spam.
A previously released call to action pattern is distinguished from a widely recognized pattern that some filtering systems consider a white list entry. For example, some filtering systems consider a URL to a well known retail Web site as an indication that the message is not spam. In these filtering systems, the well known retail Web site is part of a predefined white list. However, clever spammers can exploit these widely recognized patterns by including them in spam messages to slip through filtering systems that include widely recognized patterns in a white list. The present invention does not include a predefined white list of widely recognized patterns that would be considered safe codes. Instead, the present invention treats a widely recognized pattern as a potential indicator of spam until the spam filter or human operator analyzes the widely recognized pattern and determines that it is not a call to action that indicates spam. These widely recognized patterns can then be added to the database of previously released patterns. If a subsequent message includes only previously released patterns (or no patterns), the subsequent message can be released automatically at operation 120.
If the message includes a call to action pattern that was not previously released and was not affirmatively identified as an indicator of spam, the pattern is stored for further comparison with other messages at an operation 108. For each message that includes the same call to action pattern, a count is incremented for this pattern. At a decision operation 110, the spam filter determines whether the detected call to action pattern was found in more than a threshold number (X) of messages. This number can be based on actual messages received and/or a single message that is addressed to a threshold number of recipients. In addition, or alternatively, this decision can be based on other evaluations, such as statistical analyses, voting, and the like.
One such evaluation includes detecting a consistent sequence of call to action patterns. For example, a number of messages might include a domain name that differs in a consistent or inconsequential manner. To illustrate this situation, a sample sequence of domain names is listed below:
www.random_word_A1.random_word_B.domain.com
www.random_word_A2.random_word_B.domain.com
www.random_word_A3.random_word_B.domain.com
www.random_word_A4.random_word_B.domain.com
The above samples include a sequentially incrementing random word in a portion of the domain name, but they all specify the same domain type (e.g., .com). A corresponding domain name service (DNS) could resolve the sequence of domain names to a single network and/or device, which could be the directed destination of spam. As another example, a sequence of consistently or inconsequentially changing domain names may specify the same file name, which may also suggest spam.
In any case, as long as the call to action pattern is found in fewer than the threshold number of messages, the current message is passed to the target service at operation 120. Although analysis of the message thus far in the process may suggest a likelihood that the message is spam, the message is not considered spam unless the threshold frequency is reached for the detected call to action pattern. The frequency can be adjusted to modulate spam detection relative to traffic loads and/or for other reasons.
Reaching a threshold frequency does not necessarily ensure that the call to action pattern indicates spam. When the number of messages and/or recipients associated with a given call to action pattern exceeds the adjustable threshold, the message containing this call to action pattern is quarantined at an operation 112, and the spam detection system sends a notification message to one or more human operators. The notification identifies the message, the message content, the call to action pattern, the frequency of the call to action pattern, and/or other information. A human operator responds by reviewing the quarantined message and subsequent messages with the same call to action pattern that may have arrived after quarantine was imposed. The administrator is given a limited time to evaluate the message to prevent undue delay in delivering the message, especially an instant message, an SMS message, or other near-real-time message. This time limitation can be adjusted or determined based on message characteristics, such as the type of message, the source of the message, the target service, a paid priority level, and the like.
At a decision operation 114, the spam filter determines whether the allowed time has lapsed. If the allowed time has lapsed, the message is passed to the target service at operation 120 for delivery to the intended recipient's client device. Until the pattern is determined to be a spam indicator, or not, by a human operator, messages that contain the pattern will continue to be quarantined for the time limit, and, if not acted upon, released to be delivered.
If the administrator reviews the quarantined message within the time limit, the administrator determines at a decision operation 118 whether the message is spam. If the administrator concludes that the message is not spam or that the call to action pattern is not a good indicator of spam, the administrator can flag the call to action pattern, so that the spam filter will not use that pattern to subsequently divert messages to quarantine.
If the administrator is not certain whether the message is spam, the administrator can manually release the message for delivery without flagging and/or storing the call to action pattern. Any subsequent message with the same call to action pattern would again be quarantined for another review. Conversely, the administrator can manually delete the message, or group of messages with the same call to action pattern. Again, a subsequent message with the same call to action pattern would be quarantined for another review. However, if the administrator indicates with certainty that the message is spam, and/or that the call to action pattern is a good spam indicator, the spam filter stores the call to action pattern as a spam indicator at an operation 122. All messages in quarantine that contain that call to action pattern are then deleted at operation 122. The call to action pattern is automatically loaded into the database and subsequent messages with that call to action pattern will be automatically deleted without human intervention. After the message is deleted or passed to the target service, control returns to operation 100 to await another message.
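The FIGURE 3 decision flow (operations 102 through 124) and the equivalency check for sequentially varying domain names can be sketched as follows. This is an added example, not code from the patent or its assignee; the class, function and field names, the two regular expressions, and the rule that a trailing counter in a host label is "inconsequential" are all assumptions made for illustration.

```python
import re
from collections import defaultdict

# Hypothetical matchers for two call to action classes (URLs/domains, phones).
URL_RE = re.compile(r"(?:https?://)?((?:[a-z0-9_-]+\.)+[a-z]{2,})", re.I)
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")


def normalize_host(host):
    """Treat hosts that differ only by a trailing counter in a label as one
    pattern (the 'consistent or inconsequential' variation in the text)."""
    labels = host.lower().split(".")
    # Assumption: the last two labels are the registered domain; multi-label
    # public suffixes (co.uk and the like) are not handled here.
    head = [re.sub(r"\d+$", "#", label) for label in labels[:-2]]
    return ".".join(head + labels[-2:])


def extract_patterns(text):
    """Return the set of normalized call to action patterns in a message."""
    found = {"url:" + normalize_host(m.group(1)) for m in URL_RE.finditer(text)}
    found |= {"tel:" + re.sub(r"\D", "", m.group(0)) for m in PHONE_RE.finditer(text)}
    return found


class SpamFilter:
    def __init__(self, threshold, review_window):
        self.threshold = threshold          # X in decision operation 110
        self.review_window = review_window  # seconds an operator has to review
        self.safe_codes = {}                # recipient -> secret safe code
        self.safe_senders = set()           # safe contact list
        self.known_spam = set()             # black listed senders and patterns
        self.released = set()               # patterns cleared by earlier review
        self.counts = defaultdict(int)      # pattern -> messages seen
        self.quarantine = []                # (deadline, message, patterns)

    def process(self, msg, now):
        """Return 'deliver', 'delete' or 'quarantine' for one message."""
        # Operation 102: a safe code or safe contact skips all other checks.
        code = self.safe_codes.get(msg["to"])
        if (code and code in msg["body"]) or msg["from"] in self.safe_senders:
            return "deliver"
        patterns = extract_patterns(msg["body"])
        # Operation 104: known spam indicator, so delete (operation 124).
        if msg["from"] in self.known_spam or patterns & self.known_spam:
            return "delete"
        # Operation 106: only previously released patterns, or none at all.
        pending = patterns - self.released
        if not pending:
            return "deliver"
        # Operations 108 and 110: count each pattern, compare with threshold.
        over = False
        for p in pending:
            self.counts[p] += 1
            over |= self.counts[p] > self.threshold
        if not over:
            return "deliver"
        # Operation 112: hold the message; an operator would be notified here.
        self.quarantine.append((now + self.review_window, msg, pending))
        return "quarantine"

    def expire(self, now):
        """Operation 114: release messages whose review time has lapsed."""
        due = [q[1] for q in self.quarantine if q[0] <= now]
        self.quarantine = [q for q in self.quarantine if q[0] > now]
        return due

    def review(self, pattern, is_spam):
        """Operations 118 and 122: record the operator's verdict on a pattern.
        Returns the held messages that are released (none if spam)."""
        hit = [q[1] for q in self.quarantine if pattern in q[2]]
        self.quarantine = [q for q in self.quarantine if pattern not in q[2]]
        (self.known_spam if is_spam else self.released).add(pattern)
        return [] if is_spam else hit


def demo():
    """Run constructed sample traffic through the filter."""
    f = SpamFilter(threshold=3, review_window=60)
    f.safe_codes["alice"] = "blue-heron-42"
    outcomes = []
    for i in range(1, 6):  # five senders, one rotating host name
        msg = {"from": "sender%d" % i, "to": "bob",
               "body": "Win big at www.promo%d.offers.example.com today" % i}
        outcomes.append(f.process(msg, now=i))
    released = f.expire(now=64)  # the review window of message 4 has lapsed
    f.review("url:www.promo#.offers.example.com", is_spam=True)
    outcomes.append(f.process({"from": "sender9", "to": "bob",
                               "body": "See www.promo77.offers.example.com"}, now=70))
    outcomes.append(f.process({"from": "carol", "to": "alice",
                               "body": "blue-heron-42 lunch? www.promo78.offers.example.com"}, now=71))
    return outcomes, len(released)


if __name__ == "__main__":
    print(demo())
```

Because the host names are normalized before counting, rotating the counter in one label does not keep a campaign under the threshold; the safe code is checked first, so it overrides even a pattern already stored as a spam indicator.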
The above specification, examples, and data provide a complete description of the manufacture and use of the composition of the invention. Since many embodiments of the invention can be made without departing from the spirit and scope of the invention, the invention resides in the claims hereinafter appended.

Claims

What is claimed as new and desired to be protected by Letters Patent of the United States is:
1. A method for detecting an unsolicited message, comprising: detecting a call to action pattern in a message received according one of a plurality of communication protocols; determining that the call to action pattern is included in a number of other received messages that exceeds a threshold number; temporarily preventing the message from being delivered; and notifying a human operator to review the message to determine whether the message comprises an unsolicited message.
2. The method of Claim 1, wherein the call to action pattern comprises at least one of a universal resource locator (URL), an email address, a text message address, a telephone number, a fax number, a push-to-talk address, and an Internet protocol (IP) address.
3. The method of Claim 1, further comprising determining that the message does not include content selected by a user to indicate that the message should be delivered without review by the human operator.
4. The method of Claim 1, further comprising determining that the message does not include data known to indicate an unsolicited message.
5. The method of Claim 1, further comprising releasing the message for delivery after a delay period.
6. The method of Claim 5, further comprising automatically indicating that subsequent messages that include the call to action pattern will be released without being temporarily prevented from delivery.
7. The method of Claim 1, further comprising determining that the call to action pattern was not previously identified for release without delay.
8. The method of Claim 1, further comprising enabling the human operator to indicate that the call to action pattern shall cause subsequent messages that include the call to action pattern to be one of: released without delay; and deleted.
9. The method of Claim 1, further comprising: detecting that one portion of the call to action pattern is the same in previously received messages; and detecting that another portion of the call to action pattern differs in at least one of a consistent and an inconsequential manner from the previously received messages.
10. The method of Claim 1, wherein the other received messages were received according to at least one different communication protocol from the one of the plurality of communication protocols according to which the message was received.
11. The method of Claim 1, wherein the plurality of communication protocols support at least one of short message service, mail management system, instant messaging, and multimedia message service.
12. A system for detecting an unsolicited message, comprising: a processor; a communication interface in communication with the processor and in communication with at least one network conforming to at least one of a plurality of communication protocols; a user interface in communication with the processor and enabling a human operator to review and input information; and a memory in communication with the processor and storing data and instructions that cause the processor to perform a plurality of operations including: detecting a call to action pattern in a message received according the at least one of the plurality of communication protocols; determining that the call to action pattern is included in a number of other received messages that exceeds a threshold number; temporarily preventing the message from being delivered; and notifying a human operator to review the message to determine whether the message comprises an unsolicited message.
13. The system of Claim 12, wherein the call to action pattern comprises at least one of a universal resource locator (URL), an email address, a text message address, a telephone number, a fax number, a push-to-talk address, and an Internet protocol (IP) address.
14. The system of Claim 12, wherein the instructions further cause the processor to perform the function of releasing the message for delivery after a delay period.
15. The system of Claim 14, wherein the instructions further cause the processor to perform the function of automatically indicating that subsequent messages that include the call to action pattern will be released without being temporarily prevented from delivery.
16. The system of Claim 12, wherein the instructions further cause the processor to perform the function of determining that the call to action pattern was not previously identified for release without delay.
17. The system of Claim 12, wherein the instructions further cause the processor to perform the function of enabling the human operator to indicate through the user interface that the call to action pattern shall cause subsequent messages that include the call to action pattern to be one of: released without delay; and deleted.
18. The system of Claim 12, wherein the instructions further cause the processor to perform the functions of: detecting that one portion of the call to action pattern is the same in previously received messages; and detecting that another portion of the call to action pattern differs in at least one of a consistent and an inconsequential manner from the previously received messages.
19. A system for detecting spam, comprising: a message receiver that can receive a message according to at least one of a plurality of communication protocols; a spam filter in communication with the message receiver and detecting a call to action pattern in the message and in at least one other message; and a quarantine module that enables a human operator to determine whether the message is spam.
20. The system of Claim 19, further comprising a message transmitter that can transmit the message to a communication service for delivery to an intended recipient, wherein the message receiver is in communication with a first network and the message transmitter is in communication with a second network.
PCT/US2005/026069 2004-07-30 2005-07-22 Messaging spam detection WO2006014804A2 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US10/902,799 2004-07-30
US10/902,799 US20060026242A1 (en) 2004-07-30 2004-07-30 Messaging spam detection

Publications (2)

Publication Number Publication Date
WO2006014804A2 true WO2006014804A2 (en) 2006-02-09
WO2006014804A3 WO2006014804A3 (en) 2007-05-18

Family

ID=35733660

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2005/026069 WO2006014804A2 (en) 2004-07-30 2005-07-22 Messaging spam detection

Country Status (2)

Country Link
US (1) US20060026242A1 (en)
WO (1) WO2006014804A2 (en)

US11757914B1 (en) 2017-06-07 2023-09-12 Agari Data, Inc. Automated responsive message to determine a security risk of a message sender
US11102244B1 (en) 2017-06-07 2021-08-24 Agari Data, Inc. Automated intelligence gathering
CN113067765B (en) * 2020-01-02 2023-01-13 中国移动通信有限公司研究院 Multimedia message monitoring method, device and equipment
US11722445B2 (en) * 2020-12-03 2023-08-08 Bank Of America Corporation Multi-computer system for detecting and controlling malicious email
US11711464B2 (en) * 2021-02-24 2023-07-25 T-Mobile Usa, Inc. Spam telephone call reducer

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030191969A1 (en) * 2000-02-08 2003-10-09 Katsikas Peter L. System for eliminating unauthorized electronic mail
US20040093384A1 (en) * 2001-03-05 2004-05-13 Alex Shipp Method of, and system for, processing email in particular to detect unsolicited bulk email
US6779021B1 (en) * 2000-07-28 2004-08-17 International Business Machines Corporation Method and system for predicting and managing undesirable electronic mail
US20050060643A1 (en) * 2003-08-25 2005-03-17 Miavia, Inc. Document similarity detection and classification system

Family Cites Families (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7117358B2 (en) * 1997-07-24 2006-10-03 Tumbleweed Communications Corp. Method and system for filtering communication
US6931433B1 (en) * 2000-08-24 2005-08-16 Yahoo! Inc. Processing of unsolicited bulk electronic communication
US7149778B1 (en) * 2000-08-24 2006-12-12 Yahoo! Inc. Unsolicited electronic mail reduction
US6769016B2 (en) * 2001-07-26 2004-07-27 Networks Associates Technology, Inc. Intelligent SPAM detection system using an updateable neural analysis engine
US7016939B1 (en) * 2001-07-26 2006-03-21 Mcafee, Inc. Intelligent SPAM detection system using statistical analysis
US20030149726A1 (en) * 2002-02-05 2003-08-07 At&T Corp. Automating the reduction of unsolicited email in real time
WO2004010662A1 (en) * 2002-07-22 2004-01-29 Fujitsu Limited Electronic mail server, electronic mail delivery relaying method, and computer program
US20050015626A1 (en) * 2003-07-15 2005-01-20 Chasin C. Scott System and method for identifying and filtering junk e-mail messages or spam based on URL content

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030191969A1 (en) * 2000-02-08 2003-10-09 Katsikas Peter L. System for eliminating unauthorized electronic mail
US6779021B1 (en) * 2000-07-28 2004-08-17 International Business Machines Corporation Method and system for predicting and managing undesirable electronic mail
US20040093384A1 (en) * 2001-03-05 2004-05-13 Alex Shipp Method of, and system for, processing email in particular to detect unsolicited bulk email
US20050060643A1 (en) * 2003-08-25 2005-03-17 Miavia, Inc. Document similarity detection and classification system

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103796184A (en) * 2012-10-30 2014-05-14 中国电信股份有限公司 Spam short message recognition method and system
CN103796184B (en) * 2012-10-30 2017-12-26 中国电信股份有限公司 Refuse messages recognition methods and system

Also Published As

Publication number Publication date
US20060026242A1 (en) 2006-02-02
WO2006014804A3 (en) 2007-05-18

Similar Documents

Publication Publication Date Title
US20060026242A1 (en) Messaging spam detection
US10185479B2 (en) Declassifying of suspicious messages
US8046014B2 (en) Management of messages included in a message thread displayed by a handheld device
US7428579B2 (en) Method and system for segmentation of a message inbox
US9384471B2 (en) Spam reporting and management in a communication network
US20040064734A1 (en) Electronic message system
JP5684919B2 (en) Spam reporting and spam management in telecommunications networks
WO2005112596A2 (en) Method and system for providing a disposable email address
CA2911989C (en) Method, system and apparatus for dectecting instant message spam
AU2009326869A1 (en) Electronic messaging integrity engine
AU2009299539B2 (en) Electronic communication control
US20140040403A1 (en) System, method and computer program product for gathering information relating to electronic content utilizing a dns server
US20060168042A1 (en) Mechanism for mitigating the problem of unsolicited email (also known as "spam"
US20130191474A1 (en) Electronic Messaging Recovery Engine
CN113938311B (en) Mail attack tracing method and system
KR20040016609A (en) Method for blocking spam sms by using a control sms
AU2003205033A1 (en) Electronic message system
CN1625133A (en) Method for detecting worm virus spreading
JP2010272124A (en) Electronic mail system and electronic mail communication method

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 EP: the EPO has been informed by WIPO that EP was designated in this application
NENP Non-entry into the national phase

Ref country code: DE

122 EP: PCT application non-entry in European phase