CN102209075A - Behavior-based malicious email transmission node detection method - Google Patents


Publication number
CN102209075A
Authority
CN
China
Legal status
Pending
Application number
CN2011101463558A
Other languages
Chinese (zh)
Inventor
张健
杜振华
张津弟
刘威
陈建民
张鑫
Current Assignee
NATIONAL COMPUTER VIRUS EMERGENCY RESPONSE CENTER
Original Assignee
NATIONAL COMPUTER VIRUS EMERGENCY RESPONSE CENTER
Priority date
2011-06-02
Filing date
2011-06-02
Publication date
2011-10-05

Abstract

The invention discloses a behavior-based malicious email sending node detection method. The method uses decision-tree theory to classify worm emails and ordinary junk emails and thereby determine the sending source of malicious emails. It can be applied at local area network access points as well as in wide area networks, so the sending sources of malicious junk email can be detected and discovered with relatively low resource consumption under large-scale network conditions, with a high detection rate and recall rate. Compared with conventional junk email worm detection methods, the method has higher detection efficiency, and compared with conventional detection methods based on characteristic-string matching, it requires less system maintenance.

Description

Behavior-based malicious email sending node detection method
Technical field
The invention belongs to the field of computer technology and in particular relates to a behavior-based malicious email sending node detection method.
Background technology
First-generation mail worms appeared between the late 1990s and the early 2000s and propagated through the user's mail client rather than through an SMTP engine of their own; typical examples are Melissa and Loveletter. Worms of this generation did not scan the hard disk but used the email addresses in the mail client's address book as recipients, and they only ran once the attachment had been clicked open. Every such worm therefore sent from a verified mail account on the infected computer, and because they had no address-book spoofing function, the sender behind a legitimate address could usually be traced without difficulty. Worms of this generation used VB scripts and Office macros as malicious code, only a few used executable binaries, and the attachment extension was generally .vbs, .doc, .xls or .exe.
Second-generation mail worms appeared in 2002 and are more dangerous than the first generation: their automation has been strengthened, they carry destructive payload modules, they propagate faster and over more channels, and because their transmission routes vary they are harder to intercept, so they cause greater harm to network bandwidth and to users' systems and data.
Second-generation mail worms such as Bagle, Mydoom, Netsky and Mytob scan the hard disk (including the files and documents on it) for email addresses and use their own SMTP engine to propagate copies of themselves. For example, such a worm obtains the path of the Windows Address Book (.wab) file from the registry, parses that file of known format and reads the addresses in it. It may also traverse the Internet temporary directory or the whole hard disk, looking for addresses in files with extensions such as .ht, .htm, .html, .txt, .dbx and .eml. The technique resembles the way spammers harvest HTML pages: both look for "mailto" and the "@" sign as markers of a legitimate email address, although the harvested addresses may be invalid. When a mail worm sends through its built-in SMTP engine, it first uses a DNS server to perform MX queries in order to find a suitable mail server for each recipient address. A large number of returned error messages, or a large number of SMTP connection failures caused by incorrect mail user names, can therefore serve as a basis for judging whether a node is a malicious mail sending node.
Second-generation mail worms are highly variable and appear in many variants. They combine diverse propagation channels, including mail and network shares, copy themselves into P2P shared folders and have file-infection capabilities, so that even Windows programs can become infected and run these worms. The email attachment may be compressed, encrypted or packaged into an executable, and may be able to stop security software from running. These worms can also integrate a backdoor component in their code or download one from a hostile network server, can carry out DoS attacks, and can sometimes exploit software vulnerabilities to execute automatically, thereby becoming compound worms with the combined characteristics of worms, viruses and Trojans.
At present there are two main methods for detecting spam worms:
The first method reassembles the mail body and attachments and then detects them by traditional feature-string matching. Although this method has good accuracy, its drawback is that the feature database must be continuously maintained and updated. In addition, because file reassembly is required, it places relatively high demands on hardware processing capability, so it is difficult to implement in large-scale networks.
The second method reassembles the network traffic at the protocol level, analyses the feature strings in the packets and performs feature detection. Because it only needs to reassemble up to the protocol packet and does not need to splice files, it consumes fewer resources than the first method, but the feature database still needs continuous maintenance, so the maintenance cost remains high.
Summary of the invention
In order to solve the above problems, the object of the present invention is to provide a behavior-based malicious email sending node detection method that can detect and discover the sending sources of malicious spam with low resource consumption under large-scale network conditions and achieve a good detection rate and recall rate.
In order to achieve the above object, the behavior-based malicious email sending node detection method provided by the invention comprises the following steps, carried out in order:
(1) Stage S1, judging whether the domain name contained in the email address really exists: if the domain name exists, the mail is judged to be normal mail, SDomain_Exist=1 is set and stage S2 is entered; otherwise SDomain_Exist=0 is set and the method jumps to stage S6;
(2) Stage S2, judging whether the source IP of the mail matches the source domain: if they match, SIP_Domain=1 is set and the method jumps to stage S7, i.e. the mail is judged to be normal mail; otherwise SIP_Domain=0 is set and stage S3 is entered;
(3) Stage S3, judging whether the sender/recipient of the mail uses a display name: if the mail uses a display name, Named=1 is set and stage S4 is entered; otherwise Named=0 is set and the method jumps to stage S11, i.e. the node is judged to be infected by a worm;
(4) Stage S4, judging whether the destination IP of the mail matches the source domain: if a match is obtained, DIP_FromDomain=1 is set; otherwise DIP_FromDomain=0 is set and the method jumps to stage S10, i.e. the mail is judged to be spam;
(5) Stage S5, judging whether the number of source domains and the number of destination IP addresses of the mail are consistent: if, within the unit time, (number of source domains × 5) - (number of destination IP addresses) ≥ 0, Equal_DIP_FromDomain=1 is set and stage S8 is entered, i.e. the node is judged to be a normal node; otherwise, if (number of source domains × 5) - (number of destination IP addresses) < 0, Equal_DIP_FromDomain=0 is set and the method jumps to stage S9, i.e. the node is judged to be an abnormal node;
(6) Stage S6, judging whether the sender/recipient of the mail uses a display name: if the mail uses a display name, Named=1 is set and stage S12 is entered, i.e. the mail is judged to be spam; otherwise Named=0 is set and the method jumps to stage S13, i.e. the mail is judged to be a malicious mail worm.
In stages S1 to S6, if the judging process needs to query a DNS server, a progressive query method, a reverse query method or a lookup table is used as an auxiliary query.
The behavior-based malicious email sending node detection method provided by the invention uses decision-tree theory to classify worm mail and general spam and thereby determine the sending source of malicious mail. The method can be applied not only at LAN access points but also in wide area networks, so it can detect and discover the sending sources of malicious spam with low resource consumption under large-scale network conditions, giving a good detection rate and recall rate. In addition, compared with traditional spam worm detection methods, this method has higher detection efficiency, and compared with traditional detection methods based on feature-string matching, it requires little system maintenance.
Description of drawings
Fig. 1 is a schematic diagram of the captured malicious mail sending behaviour characteristics.
Fig. 2 is a schematic diagram of the node classification.
Fig. 3 is a schematic diagram of the mail classification.
Fig. 4 is a flow chart of the behavior-based malicious email sending node detection method provided by the invention.
Embodiment
Based on regression analysis of network traffic at the session layer and application layer, the inventors captured the behavioural characteristics of mail sending (as shown in Fig. 1) and used the C4.5 algorithm to construct a decision tree. Detailed study of the captured mail also showed that there are indeed many inherent relationships between the fields of these mails. In particular, the following features were extracted:
1. SIP_Domain (Boolean)
Under normal circumstances the source IP address of a mail belongs to the mail exchange server of the source domain, but the sender's email address and domain name can be forged, so this attribute is an important criterion. If the source IP address of the email matches the source domain, the mail should have been sent by a legitimate mail server and is likely to be normal mail; otherwise it is abnormal mail. Therefore this attribute is set to 1 if they match and to 0 otherwise.
2. SDomain_Exist (Boolean)
A forged email address may contain a forged domain name, so determining whether the domain name really exists can reveal abnormal mail behaviour. If the domain name exists, the mail is judged to be normal mail and this attribute is set to 1; otherwise it is set to 0.
3. Named (Boolean)
Analysis shows that the sender or recipient of normal mail uses a display name (for example "John" <John@sina.com>), whereas worm mail rarely uses one. Therefore this attribute is set to 1 when the mail uses a display name and to 0 otherwise.
4. DIP_FromDomain (Boolean)
This attribute represents whether the destination IP address of the mail matches the source domain. If they match, the attribute is set to 1, and there are two cases:
1) The data used by the present invention includes data sent from clients to the mail server they use (data sent by an MUA to the MTA of its own domain); for this data, the destination IP address of normal mail (the IP address of the domain's MTA) should match the source domain.
2) Some spam sources may forge the source domain so that the sender and recipient of the mail are in the same domain, i.e. the source domain is identical to the destination domain, so that in the captured data the destination IP of the mail also matches the source domain.
If they do not match, the attribute is set to 0.
5. FromDomain_Num (continuous)
This attribute represents the number of different source domains used by the same node to send mail within the unit time.
6. DIP_Num (continuous)
This attribute represents the number of different destination IP addresses to which the same node sends mail within the unit time.
7. Equal_DIP_FromDomain (Boolean)
By studying the data sent by MUAs to the MTA of their own domain, the inventors found that if a mail sending node uses more than one sender source domain within the unit time, the node should be a client or a client network rather than some MX mail server, because a user may use several email addresses at the same time, or several users in a local area network (LAN) may use different email addresses. When these mails are sent normally, they should first be sent to the MX mail server of the source domain, so the destination IP captured by the monitoring system at that moment should be the IP address of the MX mail server of the source domain. If the node is a normal node, it must be considered that the mail server domain name of some mail service providers may correspond to several mail servers with several IP addresses (a domain name commonly corresponds to at most 5 IP addresses). Therefore, if within the unit time (number of source domains × 5) - (number of destination IP addresses) ≥ 0, the attribute is set to 1 and the node is a normal mail sending node. If instead the node is a spam source, the source domains within the unit time will be relatively concentrated while the destination IPs will be relatively dispersed, so the number of source domains will be smaller than the number of destination IPs, with a large difference between the two. Therefore, if within the unit time (number of source domains × 5) - (number of destination IP addresses) < 0, the attribute is set to 0, i.e. the node is judged to be an abnormal node.
On the basis of the attributes extracted above, the inventors used the decision-tree method to establish a series of rules for judging abnormal mail from its behaviour and then discovering the sending source of abnormal mail.
First, the inventors classified nodes and mail as shown in Figures 2 and 3.
After repeated training a decision tree is obtained, and the rules generated from the decision tree are used to detect mail sending nodes.
The behavior-based malicious email sending node detection method provided by the invention is described in detail below with reference to the drawings and specific embodiments.
As shown in Fig. 4, the behavior-based malicious email sending node detection method provided by the invention comprises the following steps, carried out in order:
(1) Stage S1, judging whether the domain name contained in the email address really exists: a forged email address may contain a forged domain name, so determining whether the domain name really exists can reveal abnormal mail behaviour. If the domain name exists, the mail is judged to be normal mail, SDomain_Exist=1 is set and stage S2 is entered; otherwise SDomain_Exist=0 is set and the method jumps to stage S6;
(2) Stage S2, judging whether the source IP of the mail matches the source domain: under normal circumstances the source IP address of a mail belongs to the mail exchange server of the source domain, but the sender's email address and domain name can be forged, so this attribute is an important criterion. If the source IP address of the email matches the source domain, the mail should have been sent by a legitimate mail server and is likely to be normal mail; otherwise it is abnormal mail. Therefore, if they match, SIP_Domain=1 is set, the mail is judged to be normal mail and the method jumps to stage S7; otherwise SIP_Domain=0 is set and stage S3 is entered;
(3) Stage S3, judging whether the sender/recipient of the mail uses a display name: analysis shows that the sender or recipient of normal mail uses a display name (for example "John" <John@sina.com>), whereas worm mail rarely uses one. Therefore, if the mail uses a display name, Named=1 is set and stage S4 is entered; otherwise Named=0 is set and the method jumps to stage S11, i.e. the node is judged to be infected by a worm;
(4) Stage S4, judging whether the destination IP of the mail matches the source domain: if a match is obtained, DIP_FromDomain=1 is set, and there are two possible cases:
1) The data used by the present invention includes data sent from an MUA to the MTA it uses; for this data, the destination IP address of normal mail (the IP address of the MTA) should match the source domain.
2) Some spam sources may forge the source domain so that the sender and recipient of the mail are in the same domain, i.e. the source domain is identical to the destination domain, so that in the captured data the destination IP of the mail also matches the source domain.
A general decision method that only considers case 1) would misjudge such mail as normal mail and misjudge the sending node as a normal node. This method considers case 1) and case 2) at the same time, so at this point the state of the sending node still cannot be clearly judged and stage S5 must be entered for further judgment; otherwise, if there is no match, DIP_FromDomain=0 is set and the method jumps to stage S10, i.e. the mail is judged to be spam;
(5) Stage S5, judging whether the number of source domains and the number of destination IP addresses of the mail are consistent: by studying the data sent by MUAs to the MTA of their own domain, the inventors found that if a mail sending node uses more than one sender source domain within the unit time, the node should be a client or a client network rather than some MX mail server, because a user may use several email addresses at the same time, or several users in a local area network (LAN) may use different email addresses. When these mails are sent normally, they should first be sent to the MX mail server of the source domain, so the destination IP captured by the monitoring system at that moment should be the IP address of the MX mail server of the source domain. If the node is a normal node, it must be considered that the mail server domain name of some mail service providers may correspond to several mail servers with several IP addresses (a domain name commonly corresponds to at most 5 IP addresses). Therefore, if within the unit time (number of source domains × 5) - (number of destination IP addresses) ≥ 0, Equal_DIP_FromDomain=1 is set and stage S8 is entered, i.e. the node is judged to be a normal node. If instead the node is a spam source, the source domains within the unit time will be relatively concentrated while the destination IPs will be relatively dispersed, so the number of source domains will be smaller than the number of destination IPs, with a large difference between the two. Therefore, if within the unit time (number of source domains × 5) - (number of destination IP addresses) < 0, Equal_DIP_FromDomain=0 is set and the method jumps to stage S9, i.e. the node is judged to be an abnormal node;
(6) Stage S6, judging whether the sender/recipient of the mail uses a display name: analysis shows that the sender or recipient of normal mail uses a display name (for example "John" <John@sina.com>), whereas worm mail rarely uses one. Therefore, if the mail uses a display name, Named=1 is set and stage S12 is entered, i.e. the mail is judged to be spam; otherwise Named=0 is set and the method jumps to stage S13, i.e. the mail is judged to be a malicious mail worm.
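The stage S1 to S6 procedure above (and the identical steps (1) to (6) in the summary and claims) transcribed into code, as an added worked example that is not part of the patent. The DNS-derived attributes are passed in as already-resolved booleans so it runs offline; the sample capture, node addresses and domain names are constructed for the example.

```python
"""Stages S1-S6 of the patent's decision procedure, as an added worked example.
Terminal stages S7-S13 carry the verdicts the text assigns them. FromDomain_Num
and DIP_Num are aggregated from a constructed unit-time capture of
(sending node, source domain, destination IP) tuples."""
from collections import defaultdict
from dataclasses import dataclass

# Verdicts the patent attaches to its terminal stages.
OUTCOMES = {
    "S7": "normal mail",
    "S8": "normal node",
    "S9": "abnormal node",
    "S10": "spam",
    "S11": "worm infection",
    "S12": "spam",
    "S13": "malicious mail worm",
}

# "a domain name commonly corresponds to at most 5 IP addresses" (stage S5)
MAX_IPS_PER_DOMAIN = 5


@dataclass
class MailObservation:
    """One captured message plus its sending node's counters for the unit time."""
    sdomain_exist: bool   # S1: source domain name exists in DNS
    sip_in_domain: bool   # S2: source IP belongs to the source domain
    named: bool           # S3/S6: sender or recipient carries a display name
    dip_in_domain: bool   # S4: destination IP belongs to the source domain
    from_domain_num: int  # S5: FromDomain_Num of the node in this unit time
    dip_num: int          # S5: DIP_Num of the node in this unit time


def has_display_name(header_value):
    """Named attribute: '"John" <John@sina.com>' -> True, 'John@sina.com' -> False."""
    value = header_value.strip()
    lt = value.find("<")
    return lt > 0 and value[:lt].strip(' "') != ""


def equal_dip_fromdomain(from_domain_num, dip_num):
    """Stage S5 rule: 1 if FromDomain_Num * 5 - DIP_Num >= 0, else 0."""
    return 1 if from_domain_num * MAX_IPS_PER_DOMAIN - dip_num >= 0 else 0


def node_window_counts(records):
    """Aggregate FromDomain_Num and DIP_Num per sending node for one unit time.
    records: iterable of (node_ip, source_domain, destination_ip) tuples."""
    domains, dips = defaultdict(set), defaultdict(set)
    for node, source_domain, destination_ip in records:
        domains[node].add(source_domain.lower())
        dips[node].add(destination_ip)
    return {node: (len(domains[node]), len(dips[node])) for node in domains}


def classify(obs):
    """Walk stages S1-S6; return (terminal stage, attributes set on the way)."""
    attrs = {"SDomain_Exist": int(obs.sdomain_exist)}
    if not obs.sdomain_exist:                         # S1 -> S6
        attrs["Named"] = int(obs.named)
        return ("S12" if obs.named else "S13"), attrs
    attrs["SIP_Domain"] = int(obs.sip_in_domain)      # S2
    if obs.sip_in_domain:
        return "S7", attrs
    attrs["Named"] = int(obs.named)                   # S3
    if not obs.named:
        return "S11", attrs
    attrs["DIP_FromDomain"] = int(obs.dip_in_domain)  # S4
    if not obs.dip_in_domain:
        return "S10", attrs
    attrs["Equal_DIP_FromDomain"] = equal_dip_fromdomain(  # S5
        obs.from_domain_num, obs.dip_num)
    return ("S8" if attrs["Equal_DIP_FromDomain"] else "S9"), attrs


def verdict(obs):
    """Human-readable verdict for one observation."""
    return OUTCOMES[classify(obs)[0]]


# Constructed unit-time capture (documentation IP ranges, not real traffic):
# 10.0.0.5 is a small client network using two source domains towards 3 MTA IPs;
# 10.0.0.9 sends under one source domain to 12 different destination IPs.
SAMPLE_RECORDS = [
    ("10.0.0.5", "alpha.test", "192.0.2.10"), ("10.0.0.5", "alpha.test", "192.0.2.11"),
    ("10.0.0.5", "beta.test", "192.0.2.20"),
] + [("10.0.0.9", "alpha.test", f"203.0.113.{i}") for i in range(1, 13)]


def classify_capture(records):
    """Apply S1-S6 per node, assuming the DNS checks on the way to S5 came out
    the same for every node (domain exists, source IP outside the domain,
    display name present, destination IP inside the domain)."""
    return {node: verdict(MailObservation(True, False, True, True, fd, dip))
            for node, (fd, dip) in node_window_counts(records).items()}
```

For the constructed capture, the client network reaches S8 (2 × 5 - 3 ≥ 0) while the fan-out node reaches S9 (1 × 5 - 12 < 0).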
In addition, several attributes used in this detection method, such as SIP_Domain, SDomain_Exist and DIP_FromDomain, depend strongly on DNS. Taking the attribute SIP_Domain as an example, in order to determine whether the IP address of the email sender matches the mail domain it belongs to, full use must be made of DNS queries for that domain name. Therefore, in stages S1 to S6, if the judging process needs to query a DNS server, the following three methods are used as auxiliary queries:
1) Progressive query: an MX-type request is sent to the DNS server, which returns the domain name and IP address of the mail exchange server of the requested domain. Sometimes, however, the result returned by the DNS server is abnormal; for example, the result may contain only the domain name of the mail exchange server without the corresponding IP address. In this case a progressive query is used, i.e. an A-type request for the domain name just obtained is sent to the DNS server, which then yields the corresponding IP address.
2) Reverse query: the results returned by the previous method may still be incomplete. A large email service provider usually has several mail exchange servers, but not all of them are registered with the DNS server. To address this, a reverse query is used: a PTR-type request is sent to the DNS server to ask whether the queried IP address belongs to the mail sending/receiving domain it claims. Experiments show that the vast majority of DNS resolution information can be obtained by the above methods.
3) Lookup table: because anti-virus or anti-spam gateways are deployed in front of some mail servers, the real mail exchange server address cannot be obtained directly from the DNS server. To address this problem, the inventors built a continuously updated table of correspondences between common IP addresses and domain names as a supplement to the DNS query results.
After adopting the above three query methods, the accuracy of the detection method is greatly improved, and the recall rate and accuracy rate are better balanced.
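The three auxiliary query methods chained in the order the text gives them (MX then A, then PTR, then the supplementary table), as an added example that is not the patent's own code. DNS is abstracted as a lookup(name, rtype) callable over a constructed zone so the example runs offline; the provider name, hostnames and addresses are invented (documentation IP ranges), and PTR entries are keyed by the bare IP rather than the in-addr.arpa name for brevity.

```python
"""Progressive MX -> A query, PTR reverse query and IP/domain lookup table,
combined into the SIP_Domain / DIP_FromDomain check (added example)."""

# Constructed zone for a fictitious provider "example-mail.test".
ZONE = {
    ("example-mail.test", "MX"): ["mx1.example-mail.test", "mx2.example-mail.test"],
    ("mx1.example-mail.test", "A"): ["192.0.2.10"],
    ("mx2.example-mail.test", "A"): ["192.0.2.11"],
    ("192.0.2.10", "PTR"): ["mx1.example-mail.test"],
    # mx3 is a real exchanger the provider never registered as an MX record:
    # only the reverse (PTR) query reveals that 192.0.2.12 belongs to the domain.
    ("192.0.2.12", "PTR"): ["mx3.example-mail.test"],
    # A domain whose MX answer names a host that has no A record at all.
    ("broken.test", "MX"): ["mx.broken.test"],
}

# Constructed supplement table: an anti-spam gateway in front of the domain's
# MX that is visible neither through MX/A nor through PTR.
SUPPLEMENT = {"198.51.100.7": "example-mail.test"}


def zone_lookup(name, rtype):
    """Stand-in for a DNS resolver: returns [] where the zone has no answer."""
    return list(ZONE.get((name.lower(), rtype), []))


def domain_exists(domain, lookup=zone_lookup):
    """SDomain_Exist (stage S1): the domain resolves to an MX or an A record."""
    return bool(lookup(domain, "MX") or lookup(domain, "A"))


def mail_exchanger_ips(domain, lookup=zone_lookup):
    """Method 1, progressive query: MX query, then an A query for each
    exchanger hostname, since the MX answer may carry no address."""
    ips = set()
    for mx_host in lookup(domain, "MX"):
        ips.update(lookup(mx_host, "A"))
    return ips


def in_claimed_domain(hostname, domain):
    """True if hostname is the domain itself or lies under it."""
    hostname, domain = hostname.lower().rstrip("."), domain.lower().rstrip(".")
    return hostname == domain or hostname.endswith("." + domain)


def ip_matches_domain(ip, domain, lookup=zone_lookup, table=SUPPLEMENT):
    """SIP_Domain / DIP_FromDomain check. Returns (matched, method) so the
    caller can see which of the three methods decided the answer."""
    if ip in mail_exchanger_ips(domain, lookup):       # method 1: MX -> A
        return True, "mx"
    for hostname in lookup(ip, "PTR"):                 # method 2: reverse query
        if in_claimed_domain(hostname, domain):
            return True, "ptr"
    if table.get(ip, "").lower() == domain.lower():    # method 3: lookup table
        return True, "table"
    return False, "none"


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.12", "198.51.100.7", "203.0.113.1"):
        print(ip, ip_matches_domain(ip, "example-mail.test"))
```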

Claims (2)

1. A behavior-based malicious email sending node detection method, characterized in that the detection method comprises the following steps, carried out in order:
(1) Stage S1, judging whether the domain name contained in the email address really exists: if the domain name exists, the mail is judged to be normal mail, SDomain_Exist=1 is set and stage S2 is entered; otherwise SDomain_Exist=0 is set and the method jumps to stage S6;
(2) Stage S2, judging whether the source IP of the mail matches the source domain: if they match, SIP_Domain=1 is set and the method jumps to stage S7, i.e. the mail is judged to be normal mail; otherwise SIP_Domain=0 is set and stage S3 is entered;
(3) Stage S3, judging whether the sender/recipient of the mail uses a display name: if the mail uses a display name, Named=1 is set and stage S4 is entered; otherwise Named=0 is set and the method jumps to stage S11, i.e. the node is judged to be infected by a worm;
(4) Stage S4, judging whether the destination IP of the mail matches the source domain: if a match is obtained, DIP_FromDomain=1 is set; otherwise DIP_FromDomain=0 is set and the method jumps to stage S10, i.e. the mail is judged to be spam;
(5) Stage S5, judging whether the number of source domains and the number of destination IP addresses of the mail are consistent: if, within the unit time, (number of source domains × 5) - (number of destination IP addresses) ≥ 0, Equal_DIP_FromDomain=1 is set and stage S8 is entered, i.e. the node is judged to be a normal node; otherwise, if (number of source domains × 5) - (number of destination IP addresses) < 0, Equal_DIP_FromDomain=0 is set and the method jumps to stage S9, i.e. the node is judged to be an abnormal node;
(6) Stage S6, judging whether the sender/recipient of the mail uses a display name: if the mail uses a display name, Named=1 is set and stage S12 is entered, i.e. the mail is judged to be spam; otherwise Named=0 is set and the method jumps to stage S13, i.e. the mail is judged to be a malicious mail worm.
2. The behavior-based malicious email sending node detection method according to claim 1, characterized in that, in stages S1 to S6, if the process of judging whether a domain name and an IP match needs to query a DNS server, a progressive query method, a reverse query method or a lookup table is used as an auxiliary query.

Application and publication data

Application CN2011101463558A, filed 2011-06-02 (priority date 2011-06-02), published as CN102209075A on 2011-10-05 (family ID 44697739); legal status: pending.

Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 2011-10-05