CN100349421C - Detecting and positioning method of spam server - Google Patents

Detecting and positioning method of spam server Download PDF

Info

Publication number
CN100349421C
CN100349421C CNB2005100774681A CN200510077468A CN100349421C CN 100349421 C CN100349421 C CN 100349421C CN B2005100774681 A CNB2005100774681 A CN B2005100774681A CN 200510077468 A CN200510077468 A CN 200510077468A CN 100349421 C CN100349421 C CN 100349421C
Authority
CN
China
Prior art keywords
address
smtp
traffic
flow
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CNB2005100774681A
Other languages
Chinese (zh)
Other versions
CN1700658A (en
Inventor
金华敏
陈珣
庄一嵘
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangdong Research Institute China Telecom Co ltd
China Telecom Corp Ltd
Original Assignee
GUANGDONG TELECOMMUNICATION CO Ltd INST
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by GUANGDONG TELECOMMUNICATION CO Ltd INST filed Critical GUANGDONG TELECOMMUNICATION CO Ltd INST
Priority to CNB2005100774681A priority Critical patent/CN100349421C/en
Publication of CN1700658A publication Critical patent/CN1700658A/en
Application granted granted Critical
Publication of CN100349421C publication Critical patent/CN100349421C/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention relates to a method for detecting and positioning junk mail servers. The method comprises two main steps that the distribution status of legal mail servers in a network is found by monitoring, calculating and analyzing flow rates to create a white list of the legal mail server in the network so as to prevent the legal mail servers from being mistaken as junk mail servers; according to the flow rate characteristic of the junk mail servers, the junk mail servers are detected and positioned, and correlated personal information of the junk mail servers is queried and provided. The method provides a technical means for effectively finding and positioning the junk mail servers and malicious subscribers thereof in time in order to take corresponding measures to deal with the subscribers so as to purify computer network environments and guarantee the security and smoothness of IP networks.

Description

A kind of detection of spam server and localization method
Technical field
The present invention relates to a kind ofly to be used to purify computer network environment, to guarantee the method for IP network safety, exactly, relate to a kind of detection and localization method of spam server, belong to the network security technology field in the data communication.
Background technology
In all Internet services, the transmission of Email, transmission and reception are services the most basic, carry out information interchange by Email and have the characteristics convenient, fast, that expense is cheap.According to statistics, in the Internet service of the most frequent use, there is 87.65% user to select E-mail service, be in the first place of Internet service.Along with Internet service the developing rapidly of the whole world, being on the increase of number of netizens, as most important in the Internet service, most basic E-mail service, its scale also constantly enlarges in the whole world.Spam (English is referred to as Spam) is exactly that those are self-invited, the user does not wish to receive and do not subscribe to yet, but filled in the Email of mailbox by force, the commercial propaganda data in road that the content of spam mainly is panoramic commercial advertisement, product introduction, get rich etc. by the people.Spam is once issued a lot of people, transmits a lot of copies on the internet simultaneously.
In recent years, because the spam that sends by some IP addresses of China overflows, therefore, the Email of China suffers abroad to close down and becomes a much-talked-about topic; Cause is that a large amount of spams that are derived from China make that external Internet service provider has to some mail servers of China are taked the extreme measures that shields, so just makes the Email of some non-rubbish that China sends also suffer closing down to a certain degree.According to incompletely statistics, the nearly tens thousand of companies in the whole world, tissue or private network have blocked Chinese part IP address at present.In today that economic trade globalizes day by day, the IP address is blocked, and means to have cut off most economical between the Chinese and the external world, the most convenient, also the most thorough alternating current path.Therefore, press for the solution spam and the detection of server thereof, the problem of locating and stopping.
At present, the send mode of spam mainly contains following three kinds: self-built Simple Mail Transfer protocol SMTP (Simple Mail Transfer Protocol) server, broadband users such as ADSL (Asymmetric Digital Subscriber Line) ADSL/ local area network (LAN) LAN directly send, and deliver directly mail interchanger MX (Mail Exchanger) MX server.Wherein in the majority with the send mode of the self-built smtp server of ADSL/LAN user, these users send spam to the foreign mail server in a large number, influence very badly, and the IP address of often causing domestic telecommunication operator is in a large number by shutoff, and consequence is very serious.And at present, telecom operators also not have grasp how the user to be sent the technological means that the behavior of spam detects and locatees, and therefore, press for those skilled in the art and solve this technical barrier as soon as possible.
Summary of the invention
In view of this, the detection and the localization method that the purpose of this invention is to provide a kind of spam server, so that telecom operators can in time find to send the spam server and the malicious user thereof of spam, and take corresponding measure that these users are handled, to purify computer network environment and to guarantee the safe, unimpeded of IP network.
In order to achieve the above object, the invention provides a kind of detection and localization method of spam server, it is characterized in that: comprise the following steps:
(1) by monitoring, statistics and analysis to Simple Mail Transfer protocol SMTP and mail reception agreement POP3 flow, find the distribution situation of the legitimate mail server in this network, set up the white list of the legitimate mail server in this network, prevent from the wrong report of legitimate mail server is spam server;
(2) according to the SMTP of spam server and the traffic characteristic of POP3, detect and judge the IP address of spam server, again according to the database of the background user certificate server of this IP address lookup ISP of ISP, spam server is positioned, and inquire about and provide related personnel's information of this spam server.
Described step (1) further comprises the following steps:
(11) flow analysis method of employing stream Network Based xFlow, the data traffic situation that adopts Simple Mail Transfer protocol SMTP (Simple Mail Transfer Protocol) and mail reception agreement POP3 (PostOffice Protocol.3) to transmit in the monitor network; Described xFlow technology is on router the IP packet to be carried out snapshot Snapshot to handle, and generates the xFlow data message;
(12) SMTP traffic in the network is carried out the monitoring of one section setting-up time, and learn the distribution situation of this SMTP traffic, promptly the data flow of this SMTP traffic is carried out statistics and analysis, and related data is deposited in the database;
(13) if certain IP address can be satisfied following three conditions simultaneously: it flows to and the SMTP data traffic that flows out symmetry substantially; Carrying out domain name system DNS (Domain Name System) when oppositely inquiring about, this IP address possesses mail interchanger MX (Mail Exchanger) mark; Adopt mail reception agreement POP3 data flow transmitted amount big, so that the number of the xFlow stream of POP3 flow surpass threshold value at the appointed time; Think that then the mail server of this IP address is legal, this IP address is listed in the white list form;
(14) formulate the flow collection strategy of xFlow according to white list, the IP address that will filter white list when gathering the xFlow flow afterwards, not with these IP addresses as monitored object; Promptly the SMTP traffic information of the IP address in the white list is not imported database.
One of Rule of judgment in the described step (13): certain IP address flow to and the SMTP data traffic that flows out the computational methods of basic symmetry are as follows: in the unit interval T, the SMTP traffic T of the outflow of same IP address OutWith the SMTP traffic T that flows to InRatio T Out/ T InIn interval [0.8,1.25] scope, then satisfy the condition of the basic symmetry of flow; Wherein unit interval T is 24 hours, SMTP traffic T OutAnd T InUnit of measurement be number based on the xFlow stream of the data flow of smtp protocol, described xFlow stream is the one-way data bag stream that transmits between same source IP address and purpose IP address, and wherein the transport layer source port number of each packet all is identical with the destination slogan.
In the described step (13) three of Rule of judgment: this IP address adopts the big measurement standard of mail reception agreement POP3 data flow transmitted amount to be: the xFlow number of POP3 flow is greater than threshold value 100 in 5 fens clock times.
Described white list is the IP address list that meets the legitimate mail server of setting rule.
Described step (2) further comprises the following steps:
(21) the real-time SMTP traffic in monitoring and the statistics network, and the flow parameter of each IP address deposited in the database, again according to its numerical values recited sequence arrangement;
(22) the IP address that whether has SMTP traffic to exceed threshold value is checked in ergodic data storehouse;
(23) if find have SMTP traffic to exceed the IP address of threshold value, judge whether this IP address can satisfy following three conditions simultaneously: the SMTP data traffic is asymmetric, and outbound traffic is far longer than the flow that enters the station again; This IP address carries out not possessing mail interchanger MX mark when domain name system DNS is oppositely inquired about, or does not have associated dns name information; This IP address belongs to the dynamic address pond of ADSL, promptly this IP address belong to by the ISP of ISP management, be used for stochastic and dynamic and distribute to ADSL user one of the one group of IP address of using of surfing the Net; Think that then this mail server is a spam server;
(24) the IP address of record SMTP spam server and online beginning and ending time information thereof;
(25) with the IP address of above-mentioned SMTP spam server and line duration thereof condition as the data query coupling, the background user authentication database of the inquiry ISP of ISP (Internet Service Provider), confirm the user profile that comprises user name, address, telephone number at least of this IP address, so that mate related with the manufacturer of spam the dynamic IP addressing information of spam server.
The threshold value of the SMTP traffic of IP address is in the described step (22): the xFlow of SMTP traffic stream number is 100 in 5 minutes at the appointed time.
One of Rule of judgment in the described step (23): certain IP address flow to and the SMTP data traffic that flows out whether asymmetric, the computational methods that outbound traffic is far longer than the flow that enters the station are as follows: in the unit interval T, the SMTP traffic T of the outflow of same IP address OutWith the SMTP traffic T that flows to InRatio T Out/ T In, then satisfy the asymmetric condition of flow at>10 o'clock; Wherein unit interval T is 5 minutes, SMTP traffic T OutAnd T InUnit of measurement be number based on the xFlow stream of the data flow of smtp protocol.
The present invention is a kind of detection and localization method of spam server, this method provides a kind of technological means that can in time, effectively find and locate spam server and malicious user thereof for Virtual network operator, so that take corresponding measure that these users are handled, to purify computer network environment and to guarantee the safe, unimpeded of IP network.Its technical characteristics are: adopt the traffic monitoring mode based on xFlow, be adapted at using in the ISP network, monitoring range is wide; In testing process, according to symmetry, the POP3 agreement mail flow of SMTP data traffic big and DNS oppositely a plurality of conditions such as inquiry earlier the legitimate mail server is offered an explanation out, for it sets up white list, to avoid wrong report, also can reduce detected object simultaneously, improve effect.Then little according to the asymmetry that comprises the SMTP data traffic, the POP3 agreement mail flow that spam server had again, use traffic characteristic such as ADSL dynamic IP addressing pond, can detect and judge the IP address of spam server more exactly; At last, by with ISP background user authentication and accounting data in server storehouse interlock, can accurately locate the spam server and the contact between the spammer (natural person) that use dynamic IP addressing, the disposal that helps enforcing the law.Therefore, the present invention be a kind of very practical, effectively detect and locate the method for spam server, have good application prospects.
Description of drawings
Fig. 1 is that the network system of using the inventive method is formed schematic diagram.
Fig. 2 is the detection of spam server of the present invention and the flow chart of steps of localization method.
Fig. 3 is the concrete operations flow chart of steps that the phase I is set up the legitimate mail server among Fig. 2.
Fig. 4 is the concrete operations flow chart of steps that second stage detected and located spam server among Fig. 2.
Embodiment
For making the purpose, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below in conjunction with accompanying drawing.
The behavior that the self-built smtp server of ADSL (Asymmetric Digital Subscriber Line) ADSL/ local area network (LAN) LAN user sends spam has following feature: the asymmetry of flow, and the user side outbound traffic is greater than the flow that enters the station; The ratio of SMTP traffic is great, and the reverse query note of IP address D NS does not possess the MX mark, the trackability of IP address and user profile; The POP3 flow is low.The detection of spam server of the present invention and localization method are established according to the behavioural characteristic of above-mentioned spam.
Referring to Fig. 1, introduce the network architecture of using the inventive method earlier and form by following critical piece:
Junk mail watch and location-server as the core component of whole system, are used to finish the monitoring and the location work of spam server;
Router is as the network equipment that is distributed in the IP network, for junk mail watch and location-server provide xFlow data message; The xFlow technology of main flow mainly contains: NetStream of the Netflow of Cisco, the sFlow of Juniper, Huawei and the Netflow of Extreme;
Dns server, the server of domain name mapping is provided for the user as ISP, in native system, be used to junk mail watch and location-server that inquiry of the domain name is provided and judge the IP address of legal mail server, so that provide foundation for the white list of setting up mail server;
The ISP subscriber authentication server as the server of ISP authenticated user information, is used to junk mail watch and location-server that the inquiry and the location of user profile are provided in native system.
Referring to Fig. 2, introduce the detection and the localization method of spam server of the present invention, its whole operation flow process is divided into two stages:
(1) by monitoring, statistics and analysis to flow, find the distribution situation of the legitimate mail server in this network, set up the white list of the legitimate mail server in this network, prevent from the wrong report of legitimate mail server is spam server;
(2) according to the traffic characteristic of spam server, spam server is detected and locatees, and inquiry and related personnel's information of this spam server is provided.
Below in conjunction with embodiment, the concrete operations step or the flow process in two stages of the present invention is described respectively.
Referring to Fig. 3, the detailed process that the phase I is set up legitimate mail server white list is as follows:
(11) on the routing device of monitor network, be configured, make router generate the xFlow data message, and send the xFlow data message to junk mail watch and location-server by User Datagram Protoco (UDP) UDP according to IP traffic;
(12) on junk mail watch and location-server, utilize xFlow collector and analysis tool thereof that SMTP traffic data and the POP3 data on flows of each routing device in setting the xFlow data message of sending in the period imported database, and this SMTP traffic distribution situation is carried out statistical analysis;
(13) after the above-mentioned flow study that (is generally more than 24 hours) through after a while, judge whether to have traveled through database? in this way, then finish this operation; Otherwise the IP address that will satisfy following three conditions is simultaneously listed in the white list as the legitimate mail server:
Condition one: the SMTP data traffic that flows to and flow out of some IP address is symmetry substantially, and computational methods are: in the unit interval T, and the SMTP traffic T of the outflow of same IP address OutWith the SMTP traffic T that flows to InRatio T Out/ T InIn interval [0.8,1.25] scope; Wherein unit interval T is 24 hours, SMTP traffic T OutAnd T InUnit of measurement be number based on the xFlow stream of the data flow of smtp protocol; This xFlow stream is the one-way data bag stream that transmits between same source IP address and purpose IP address, and wherein the transport layer source port number of each packet all is identical with the destination slogan;
Condition two: carry out domain name system DNS when oppositely inquiring about, this IP address possesses mail interchanger MX mark;
Condition three: this IP address adopts mail reception agreement POP3 data flow transmitted amount bigger, and the flow of average per 5 minutes POP3 is greater than 100.
(14) formulate the flow collection filtering policy of xFlow collector according to white list, not with IP address in the white list as monitored object; Promptly the SMTP traffic information of the IP address in the white list is not imported database.
Referring to Fig. 4, second stage detects with the detailed process of location spam server as follows:
(21) according to the amended xFlow data traffic of the white list of legitimate mail server acquisition filter strategy, SMTP traffic in the network is monitored in real time;
(22) setting the SMTP data traffic situation importing database that (for example 5 minutes) send each routing device in the period, and arranging according to size order;
(23) judge whether to have traveled through database? in this way, then finish this operation; Otherwise whether inquiry has the SMTP data traffic of certain IP address to exceed threshold value (threshold value can be got in 5 minutes, the number of the xFlow stream of SMTP is 100), if exceed threshold value, whether basis can satisfy following three conditions simultaneously and classify these IP addresses as the spam server address again:
Condition one: this IP address SMTP traffic is asymmetric, and the outbound traffic of SMTP data flow is far longer than the flow that enters the station; Criterion is: in the unit interval T, and the SMTP traffic T of the outflow of same IP address OutWith the SMTP traffic T that flows to InRatio T Out/ T In>10; Wherein unit interval T is 5 minutes, SMTP traffic T OutAnd T InUnit of measurement be number based on the xFlow stream of the data flow of smtp protocol;
Condition two: the reverse inquiry of this IP address D NS does not possess the MX mark, or does not have associated dns name information;
Condition three: this IP address belongs to the dynamic IP addressing pond of ADSL; The dynamic IP addressing pond of described ADSL is one group of IP address of the ISP of ISP management, the IP address assignment that is used at random, dynamically inciting somebody to action wherein uses for ADSL user: when the user signs in to the ISP network, ISP can be from the dynamic IP addressing pond of ADSL, distribute an IP address for this user, for user's use of surfing the Net; When user offline, discharge this IP address, use so that it is distributed to other login users once more by ISP;
(24) information such as the IP address of record SMTP spam server and line duration thereof;
(25) with the IP address of above-mentioned SMTP spam server and line duration thereof condition as the data query coupling, the background user authentication database of inquiry ISP, consumer positioning information is promptly confirmed the user profile that comprises user name, address, telephone number at least of this IP address; So just the dynamic IP addressing information of spam server and the manufacturer of spam can be mated relatedly, handle for law enforcement later on and to produce evidence.

Claims (8)

1, a kind of detection of spam server and localization method is characterized in that: comprise the following steps:
(1) by monitoring, statistics and analysis to Simple Mail Transfer protocol SMTP and mail reception agreement POP3 flow, find the distribution situation of the legitimate mail server in this network, set up the white list of the legitimate mail server in this network, prevent from the wrong report of legitimate mail server is spam server;
(2) according to the SMTP of spam server and the traffic characteristic of POP3, detect and judge the IP address of spam server, again according to the database of the background user certificate server of this IP address lookup ISP of ISP, spam server is positioned, and inquire about and provide related personnel's information of this spam server.
2, the detection of spam server according to claim 1 and localization method is characterized in that: described step (1) further comprises the following steps:
(11) flow analysis method of employing stream Network Based xFlow, the data traffic situation that adopts Simple Mail Transfer protocol SMTP and mail reception agreement POP3 to transmit in the monitor network; Described xFlow technology is on router the IP packet to be carried out snapshot Snapshot to handle, and generates the xFlow data message;
(12) SMTP traffic in the network is carried out the monitoring of one section setting-up time, and learn the distribution situation of this SMTP traffic, promptly the data flow of this SMTP traffic is carried out statistics and analysis, and related data is deposited in the database;
(13) if certain IP address can be satisfied following three conditions simultaneously: it flows to and the SMTP data traffic that flows out symmetry substantially; Carrying out domain name system DNS when oppositely inquiring about, this IP address possesses mail interchanger MX mark; Adopt mail reception agreement POP3 data flow transmitted amount big, so that the number of the xFlow stream of POP3 flow surpass threshold value at the appointed time; Think that then the mail server of this IP address is legal, this IP address is listed in the white list form;
(14) formulate the flow collection strategy of xFlow according to white list, the IP address that will filter white list when gathering the xFlow flow afterwards, not with these IP addresses as monitored object; Promptly the SMTP traffic information of the IP address in the white list is not imported database.
3, the detection of spam server according to claim 2 and localization method, it is characterized in that: one of Rule of judgment in the described step (13): certain IP address flow to and the SMTP data traffic that flows out the computational methods of basic symmetry are as follows: in the unit interval T, the SMTP traffic T of the outflow of same IP address OutWith the SMTP traffic T that flows to InRatio T Out/ T InIn interval [0.8,1.25] scope, then satisfy the condition of the basic symmetry of flow; Wherein unit interval T is 24 hours, SMTP traffic T OutAnd T InUnit of measurement be number based on the xFlow stream of the data traffic of smtp protocol, described xFlow stream is the one-way data bag stream that transmits between same source IP address and purpose IP address, and wherein the transport layer source port number of each packet all is identical with the destination slogan.
4, the detection of spam server according to claim 2 and localization method is characterized in that: in the described step (13) three of Rule of judgment: this IP address adopts the big measurement standard of mail reception agreement POP3 data flow transmitted amount to be: the number of the xFlow stream of POP3 flow is greater than threshold value 100 in 5 fens clock times.
5, the detection of spam server according to claim 1 and localization method is characterized in that: described white list is the IP address list that meets the legitimate mail server of setting rule.
6, the detection of spam server according to claim 1 and localization method is characterized in that: described step (2) further comprises the following steps:
(21) the real-time SMTP traffic in monitoring and the statistics network, and the flow parameter of each IP address deposited in the database, again according to its numerical values recited sequence arrangement;
(22) the IP address that whether has SMTP traffic to exceed threshold value is checked in ergodic data storehouse;
(23) if find have SMTP traffic to exceed the IP address of threshold value, judge whether this IP address can satisfy following three conditions simultaneously: the SMTP data traffic is asymmetric, and outbound traffic is far longer than the flow that enters the station again; This IP address carries out not possessing mail interchanger MX mark when domain name system DNS is oppositely inquired about, or does not have associated dns name information; This IP address belongs to the dynamic address pond of ADSL, promptly this IP address belong to by the ISP of ISP management, be used for stochastic and dynamic and distribute to ADSL user one of the one group of IP address of using of surfing the Net; Think that then this mail server is a spam server;
(24) the IP address of record SMTP spam server and online beginning and ending time information thereof;
(25) with the IP address of above-mentioned SMTP spam server and line duration thereof condition as the data query coupling, the background user authentication database of the inquiry ISP of ISP, confirm the user profile that comprises user name, address, telephone number at least of this IP address, so that mate related with the manufacturer of spam the dynamic IP addressing information of spam server.
7, the detection of spam server according to claim 6 and localization method is characterized in that: the threshold value of the SMTP traffic of IP address is in the described step (22): the xFlow stream number of SMTP traffic is 100 in 5 fens clock times.
8, the detection of spam server according to claim 6 and localization method, it is characterized in that: one of Rule of judgment in the described step (23): certain IP address flow to and the SMTP data traffic that flows out whether asymmetric, the computational methods that outbound traffic is far longer than the flow that enters the station are as follows: in the unit interval T, and the SMTP traffic T of the outflow of same IP address OutWith the SMTP traffic T that flows to InRatio T Out/ T In, then satisfy the asymmetric condition of flow at>10 o'clock; Wherein unit interval T is 5 minutes, SMTP traffic T OutAnd T InUnit of measurement be number based on the xFlow stream of the data flow of smtp protocol.
CNB2005100774681A 2005-06-21 2005-06-21 Detecting and positioning method of spam server Active CN100349421C (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNB2005100774681A CN100349421C (en) 2005-06-21 2005-06-21 Detecting and positioning method of spam server

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNB2005100774681A CN100349421C (en) 2005-06-21 2005-06-21 Detecting and positioning method of spam server

Publications (2)

Publication Number Publication Date
CN1700658A CN1700658A (en) 2005-11-23
CN100349421C true CN100349421C (en) 2007-11-14

Family

ID=35476529

Family Applications (1)

Application Number Title Priority Date Filing Date
CNB2005100774681A Active CN100349421C (en) 2005-06-21 2005-06-21 Detecting and positioning method of spam server

Country Status (1)

Country Link
CN (1) CN100349421C (en)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080292077A1 (en) * 2007-05-25 2008-11-27 Alcatel Lucent Detection of spam/telemarketing phone campaigns with impersonated caller identities in converged networks
CN101494598B (en) * 2008-01-25 2013-06-05 华为技术有限公司 Flow control method, device and system
US8146151B2 (en) * 2008-02-27 2012-03-27 Microsoft Corporation Safe file transmission and reputation lookup
CN103037415B (en) * 2012-12-12 2016-07-06 深信服网络科技(深圳)有限公司 Network analysis method and system
CN104158792A (en) * 2013-05-14 2014-11-19 中兴通讯股份有限公司 Spam zombie detection method and system
CN103441920B (en) * 2013-08-14 2016-10-05 新浪网技术(中国)有限公司 The determination methods of spam server and device
CN103595583B (en) * 2013-11-12 2017-07-28 国家电网公司 Embedded Email security monitoring method based on Intranet new mail platform
CN104104589B (en) * 2014-06-23 2017-07-21 新浪网技术(中国)有限公司 A kind of E-mail sending method and system
KR102150624B1 (en) * 2014-07-01 2020-09-01 삼성전자 주식회사 Method and apparatus for notifying smishing
CN105007218B (en) * 2015-08-20 2018-07-31 世纪龙信息网络有限责任公司 Anti-rubbish E-mail method and system
CN106572056B (en) * 2015-10-10 2019-07-12 阿里巴巴集团控股有限公司 A kind of risk monitoring and control method and device
CN108055195B (en) * 2017-12-22 2021-03-30 广东睿江云计算股份有限公司 Method for filtering junk e-mails

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1547143A (en) * 2003-12-03 2004-11-17 勇 陈 Method for preventing junk mail
CN1564551A (en) * 2004-03-16 2005-01-12 张晴 Method of carrying out preventing of refuse postal matter
US20050015455A1 (en) * 2003-07-18 2005-01-20 Liu Gary G. SPAM processing system and methods including shared information among plural SPAM filters
US20050080855A1 (en) * 2003-10-09 2005-04-14 Murray David J. Method for creating a whitelist for processing e-mails
CN1614607A (en) * 2004-11-25 2005-05-11 中国科学院计算技术研究所 Filtering method and system for e-mail refuse

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050015455A1 (en) * 2003-07-18 2005-01-20 Liu Gary G. SPAM processing system and methods including shared information among plural SPAM filters
US20050080855A1 (en) * 2003-10-09 2005-04-14 Murray David J. Method for creating a whitelist for processing e-mails
CN1547143A (en) * 2003-12-03 2004-11-17 勇 陈 Method for preventing junk mail
CN1564551A (en) * 2004-03-16 2005-01-12 张晴 Method of carrying out preventing of refuse postal matter
CN1614607A (en) * 2004-11-25 2005-05-11 中国科学院计算技术研究所 Filtering method and system for e-mail refuse

Also Published As

Publication number Publication date
CN1700658A (en) 2005-11-23

Similar Documents

Publication Publication Date Title
CN100349421C (en) Detecting and positioning method of spam server
US10389609B2 (en) Categorizing IP-based network traffic using DNS data
US6751663B1 (en) System wide flow aggregation process for aggregating network activity records
CN101335686B (en) Method for carrying out data flow analysis and management on network appliance
CN101188580B (en) A real time spam filtering method and system
EP2521317B1 (en) Method, device and router for packet loss detection
CN1859154B (en) Performance managing method between household gateway and broad band remote access server
CN101188614B (en) A method, system and device for secure control of the user access
Fiadino et al. Vivisecting whatsapp through large-scale measurements in mobile networks
CN103036733A (en) Unconventional network access behavior monitoring system and monitoring method
US8064348B2 (en) Gathering traffic profiles for endpoint devices that are operably coupled to a network
EP0958679B1 (en) System for parameter analysis and traffic monitoring in asynchronous transfer mode networks
CA2302003A1 (en) Service management
Birke et al. Experiences of VoIP traffic monitoring in a commercial ISP
CN101179449B (en) Monitoring system, apparatus and method in IP network
CN102546364B (en) Network data distribution method and device
Lu et al. A real implementation of DPI in 3G network
CN101355585B (en) System and method for protecting information of distributed architecture data communication equipment
CN102907044A (en) Service scheduling method and apparatus under multiple broadband network gateways
Peuhkuri Internet traffic measurements–aims, methodology, and discoveries
KR101338485B1 (en) Quality of each service management Method and system in total IP network
CN101184044A (en) Packet processing method of multicast monitoring discovery protocol
CN101296123A (en) Method for reporting equipment information
CA2302000A1 (en) Distributed aggregation
CN110365528A (en) A kind of processing complaint analysis method based on home broadband big data

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
ASS Succession or assignment of patent right

Owner name: CHINA TELECOMMUNICATION STOCK CO., LTD.

Free format text: FORMER OWNER: CHINA TELECOMMUNICATION STOCK CO., LTD. GUANGDONG ACADEME

Effective date: 20091030

C41 Transfer of patent application or patent right or utility model
C56 Change in the name or address of the patentee

Owner name: CHINA TELECOMMUNICATION STOCK CO., LTD. GUANGDONG

Free format text: FORMER NAME: GUANGDONG PROVINCE TELECOMMUNICATION CO., LTD. RESEARCH INSTITUTE

CP03 Change of name, title or address

Address after: 20 floor, No. 109 Zhongshan Avenue, Tianhe District, Guangdong, Guangzhou

Patentee after: GUANGDONG RESEARCH INSTITUTE, CHINA TELECOM Co.,Ltd.

Address before: No. 109, Zhongshan Avenue, Tianhe District, Guangdong, Guangzhou

Patentee before: Guangdong Telecommunication Co.,Ltd. Institude

TR01 Transfer of patent right

Effective date of registration: 20091030

Address after: No. 31, Finance Street, Beijing, Xicheng District

Patentee after: CHINA TELECOM Corp.,Ltd.

Address before: 20 floor, No. 109 Zhongshan Avenue, Tianhe District, Guangdong, Guangzhou

Patentee before: GUANGDONG RESEARCH INSTITUTE, CHINA TELECOM Co.,Ltd.