CN102227114B - System and method for detecting spam bots by probing data transmission - Google Patents
- Publication number: CN102227114B
- Application number: CN201110152417.6A
- Authority: CN (China)
- Legal status: Expired - Fee Related (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abstract
The invention discloses a computer-implemented system and method for detecting spam bot activity of a client device by means of a mail server module. An email session, comprising a message exchange between the mail server module and the client device, is conducted between them according to a predetermined protocol. The mail server module probes for compliance with the predetermined protocol, which includes: intentionally introducing at least one anomalous condition into a first message from the mail server module; monitoring the subsequent message transmission from the client device; comparing the subsequent message with a reference standard; and generating a reputation determination for the client device according to the degree to which the subsequent message constitutes a correct response to the at least one anomalous condition under the predetermined protocol. The reputation determination indicates the likelihood that the client device is engaged in spam bot activity.
Description
Technical field
The present invention relates to systems and methods for analysing network data transmission in real time, and more particularly to identifying and disabling programs that send unwanted data, or "spam", over network protocols.
Background
Millions of electronic messages (emails) are sent around the world every day over networks such as the Internet, but most of them are unsolicited and unnecessary, so-called "spam". Spam has been defined as messages that contain commercial, political and other forms of advertising, malicious programs, and links to phishing or other notorious websites. The most unpleasant aspect of spam is that such messages are regularly sent over the Internet to individuals who have not expressed any wish to receive them. Moreover, since a typical Internet user may receive tens or even hundreds of spam messages in one day, statistics show that spam amounts to 90% of all messages sent. The problem of how to deal with spam is clearly extremely important.
One way of dealing with spam is to use various filters that find spam messages by one or more keywords or by placing the sender's address on a blacklist. More advanced techniques, for example those using block diagrams or classification, also allow users to raise the spam detection rate to values sometimes close to 100%. These techniques are now implemented in commercial products designed for individual users and corporate departments, such as anti-spam filters, anti-spam mail delivery, GFI MailEssentials, Kaspersky Internet Security and Kaspersky Anti-Spam.
These solutions handle spam after it has been delivered to the user's email server, so they cannot themselves address the main problem, namely the large volume of spam being sent. They also carry the risk of false positives: a legitimate email (for example, from a friend or colleague) that happens to trigger the filtering mechanism may be treated as spam.
Most spam is now sent by individual programs, also known as spam bots, which are often concealed on users' computers and used to perform periodic operations such as sending spam. The various servers that spammers lease for short periods to send spam are not the main source of spam, but serve to facilitate its transmission. An alternative approach to dealing with spam is therefore to detect spam bots on users' computers. For an ordinary user with a 10-20 Mbps channel, the amount of spam can reach 50-100 GB per day. Because there are large numbers of spam bots, the total traffic can put mail servers under severe stress. There is therefore an urgent need to remove spam bots from users' computers effectively.
Summary of the invention
In view of the foregoing, there is a need for a system that can identify spam bots by the types of operations they perform and the details of how they are implemented, and that can find potential weaknesses in their operation in order to further lock down and remove them. One aspect of the invention is directed to analysing how a client program uses and interacts with the data transfer protocol on a server. The results of this analysis can be used to identify, block and remove programs that send spam.
Besides finding spam bots by their behaviour, another way of detecting them relates to their clumsy implementation. Spam bots are often implemented as SMTP clients that attempt to interact with legitimate mail servers. The inventors have recognised that spam bots are often poorly optimised and use low-quality algorithms to send email on their own. This may be due to a lack of ability on the part of spam bot designers, or it may be because the main task of a spam bot is to send as much spam as possible in a short time, so that its designer sees no need to improve it.
One embodiment of the invention identifies, blocks and removes programs that send spam by analysing a program's use of the data transfer protocol in order to find errors in the way the program is implemented.
According to one embodiment, a computer-implemented system for detecting spam bot activity includes computer hardware (comprising a processor, operating memory, non-volatile data storage and a communication device); a mail server module, executable on the computer hardware and adapted to respond, via the communication device and according to an email protocol, to email requests from a plurality of email clients; and a session processor module, executable on the computer hardware and adapted to probe a first email client of the plurality of email clients during a communication session between the first email client and the mail server module (the communication session comprising message transmissions from the first email client and from the mail server module). The session processor module may be integrated into the mail server module or implemented in a separate form. During the communication session, the session processor module deliberately introduces at least one anomalous condition into a first message transmission from the mail server module (such as an SMTP reply), and monitors a subsequent message transmission from the first email client sent after the first message transmission (such as an SMTP request). The at least one anomalous condition may be one or more anomalous conditions of any kind, for example a message or a time delay that is non-standard or unusual (in the circumstances at the time). The subsequent message transmission from the first email client is compared with a reference standard that represents the correct response to the at least one anomalous condition according to the email protocol. Based on the comparison, a first reputation determination for the first email client is generated according to the degree to which the subsequent message transmission constitutes a correct response to the at least one anomalous condition. The reputation determination thus indicates the likelihood that the first email client is engaged in spam bot activity.
According to one embodiment, the spam detection system further uses a reputation rule database to determine the data transfer protocol used for communication between the client and the server, as well as the type of spam bot. The reputation rule database is configured to store reputation rules for determining the level of likelihood that a client program is sending spam. The tool for assessing the number of requests is associated with the tool for determining the type of spam bot and with the tool for distributing the anti-spam program. When the tool for assessing the number of requests determines the number of similar requests received by the server from other clients, together with the list of their addresses, the tool for determining the type of spam-sending program is associated with the feature database of such programs. The tool for determining the type of spam bot compares the data from the tool that determines the data transfer protocol and from the tool that assesses the number of requests with the data in the spam bot feature database, in order to identify the program sending spam. The spam bot feature database stores the data used to identify spam. The tool for distributing the anti-spam program removes the spam bot by sending a "prescription" for it to the client addresses received from the tool that assesses the number of requests.
In a particular embodiment, a client's reputation is calculated when it triggers a specific set of rules, each of which describes a different kind of error in implementing the data transfer protocol.
The following detailed description of preferred embodiments reveals a number of advantages.
Brief description of the drawings
The invention can be understood more fully by considering the embodiments described below in conjunction with the accompanying drawings, in which:
Figs. 1A to 1C depict various arrangements of the client-server model in which aspects of the invention are implemented according to different embodiments;
Fig. 2 depicts an example of the interaction between the SMTP session processor and a client according to one embodiment of the invention;
Fig. 3 depicts an example of the operation of the spam bot detection system according to one embodiment of the invention;
Fig. 4 shows an example system for implementing anti-spam-bot treatment according to one embodiment of the invention;
Fig. 5 depicts an exemplary computer system on which embodiments of the invention can be implemented.
While the invention is amenable to various modifications and alternative forms, its details are shown by way of example in the drawings and will be described in detail. It should be understood, however, that the intention is not to limit the invention to the particular embodiments described. On the contrary, the intention is to cover all modifications, equivalents and alternatives falling within the spirit and scope of the invention as defined by the appended claims.
Detailed description
Every spam bot involved in electronic data transfer communicates with a mail server using a specific protocol. Although the following embodiments are described in terms of the Simple Mail Transfer Protocol (SMTP), it should be understood that the principles of the invention can be suitably modified and applied to other protocols where such modification and application are practicable. Table 1 below is an example of a simple session using this protocol, which helps to illustrate the various operations a spam bot performs. In this exemplary SMTP session, the operations performed by the server and by the client acting as a potential spam bot are recorded step by step as a function of time (the time axis runs from top to bottom).
Table 1
The SMTP protocol is essentially a dialogue, and typically a one-sided one: the client sends commands (i.e., "requests") and the server answers with "replies".
One aspect of the invention recognises that SMTP offers a way for the server to provoke specific behaviour from the client. Depending on whether this behaviour appears (or is absent), the server can record a reputation rating for the client with respect to spam.
In an exemplary embodiment, the server intentionally introduces an anomalous condition into its communication with the client, for example by giving a non-standard reply to a client request, to which the client may or may not be able to respond properly. The server monitors the client's subsequent request to learn whether it responds to the anomalous condition in some way. During monitoring, the content and/or timing of the subsequent request is observed and compared with a reference standard, which is what the SMTP protocol regards as the correct response to this anomalous condition.
One premise of this method is that a competent SMTP client implementation tends to respond correctly to such a non-standard server reply, whereas an incompetent SMTP client implementation (as is common with spam bots) cannot.
In some embodiments, the mechanism for identifying defects in a client program relies on delays introduced for a period before the server's reply is sent. This kind of anomalous condition in the server's operation is combined with monitoring of the timing of the client's response. A clumsily designed client will be unable to adapt to the anomalous condition and thereby exposes its own defects.
Word answer codes are implemented.Answer codes are defined within SMTP standards RFC-2821, are incorporated herein by reference herein.
For example, answer codes can show as character string using the digital form from 100 to 999 scopes.
Such as RFC-2821 defineds, each of three bit digitals of response is respectively provided with specific meanings.First bit digital is represented
Response is good, bad or incomplete.Simple SMTP clients receive the client of abnormality code and are possible to lead to
Cross and check that this first bit digital determines its next operation(Continue to do according to plan, do again, delete).Want to know big
Which kind of mistake generally there occurs(For example, mailing system mistake, command syntax mistake)SMTP clients can check the second digit
Word.3rd bit digital and any side information being likely to occur are stayed to do for most fine information grading.For example, passing through first
The answer codes of bit digital classification include following classification:
2xx-order is successfully completed
3xx-need the more data from client
4xx-temporary error, client must be reattempted to after a certain time
5xx-fatal error
The SMTP clients of correct exploitation should properly process all answer codes of server, including be rarely employed
Code, and consider to postpone(That is, the stand-by period of server response).Malware designer is generally it is not intended that meet mark
It is accurate, it means that the Malware that they make cannot usually perform some operations to respond specific answer codes.For example,
What the answer codes of 3xx and 4xx classifications generally triggered standard compliant client retries trial.According to the property of answer codes,
Retry trial rapidly can correctly be performed, or be performed after a delay.Spam robot may be completely
Ignore this answer codes, or may not meet answer codes in the way of retry, such as when what is postponed retrying to be best suitable for
Response when, spam robot is but retried immediately or incessantly.
Turning now to the drawings, Figs. 1A-1C and 4 depict a set of computer-implemented systems for detecting, and optionally remediating or blocking, spam bots. According to embodiments of the invention, these systems are generally implemented on the server side of the client-server model. Each computer-implemented system may be one physical machine, or may be distributed among multiple physical machines, for example by role or function, or by process threads in the case of a cloud computing distributed model. In various embodiments, aspects of the invention may be configured to run on a virtual machine, which in turn runs on one or more physical machines. Those skilled in the art will appreciate that the features of the invention can be realised by a variety of suitable machine embodiments.
The systems of Figs. 1A-1C and 4 include various modules, such as SMTP server 120, SMTP session processor module 130 and client policy module 140. The term "server" or "module" as used herein denotes a physical element, component or arrangement of components implemented using hardware, such as an application-specific integrated circuit (ASIC) or a field-programmable gate array (FPGA), or as a combination of hardware and software, such as a microprocessor system and a set of instructions that implement the function of the server or module and (when executed) turn the microprocessor system into a special-purpose device. A module may also be implemented as a combination of the two, with some functions realised by hardware alone and other functions realised by a combination of hardware and software. In some embodiments, at least part, and in some cases all, of a server or module may be executed on the processor of one or more general-purpose computers (such as the one described in more detail below), which also executes the operating system, system programs and application programs while implementing the server or module using multitasking, multithreading, distributed (e.g., cloud) processing or other such techniques. A server or module can therefore be realised in a variety of suitable configurations and should not be limited to any particular implementation exemplified herein.
Figs. 1A to 1C show various modules implementing the SMTP protocol. Fig. 1A depicts the typical model of interaction between client 110 and SMTP server 120. In this arrangement, client 110 (also called a mail user agent (MUA), i.e., a program that allows users to send and receive messages on their computers) transfers data to SMTP server 120 (also called an MTA, mail transfer agent, i.e., the program responsible for sending mail on the server). As the example SMTP session above shows, the interaction appears as a one-way dialogue between the client and the server, in which the server only informs the client of the status of the operations performed.
Fig. 1B depicts an example of an SMTP session processor module according to one embodiment. The session processor module includes a module for tracking the order and timing of interactions within the SMTP session. SMTP session processor module 130 is located between client 110 and SMTP server 120. In addition to handling requests from client 110 to SMTP server 120, SMTP session processor module 130 is also connected to client policy module 140. Client policy module 140 may include various prohibitions on email transmission that use IP address blacklists. A policy may be implemented to prevent the sending of email during certain time periods (because some spam bots work during certain periods of the day to evade detection).
Fig. 1C shows a variant of the embodiment of Fig. 1B above, in which SMTP session processor module 130 and client policy module 140 are integrated subcomponents of SMTP server 120.
Most spam bots start uploading their data in bulk, i.e., not by exchanging notifications with the server but as an immediate data stream. Many servers support the SMTP pipelining extension (as defined in RFC 2920) or do not check the order of the commands sent by the client. This allows a spam bot to send messages to the server without reading any of the server's replies, which simplifies the task of designing an illegitimate client (such as a spam bot). Many spam bots behave exactly this way. In one embodiment, SMTP session processor module 130 detects spam bots by checking the order and timing of the commands sent by the client. In one illustrated example, the following checks are performed while a positive reply to the client's MAIL command is being sent:
0. The client sends the MAIL command.
1. The server sends the reply code: 250-OK <CR><LF>. Because the server is giving a multi-line reply (the hyphen after the numeric reply code indicates that more reply lines will follow, and each line ends with <CR><LF>), the correct client response is to wait for the additional lines before sending a new command.
2. The server monitors the socket for a timeout period of 5 seconds. If the client sends data during the timeout period, the server records a critical error and updates the client's reputation value to raise the client's suspicion level. If there is no response from the client during the 5-second timeout period, the client is assumed to be correctly waiting for the additional lines of the multi-line reply, and the process continues.
3. The server sends an incomplete reply that marks the last line of the multi-line reply (i.e., there is no hyphen) but does not include the <LF> character: 250 OK <CR>.
4. The server monitors the socket for a timeout period of 5 seconds. If the client sends data during the timeout period, the server records a critical error and updates the client's reputation value to raise the client's suspicion level (i.e., a worse reputation record is generated). If there is no response from the client during the 5-second timeout period, the client is assumed to be correctly waiting for the final <LF> character, and the process continues.
5. The server sends the terminating character that ends the multi-line reply: <LF>.
6. The server monitors the socket for the next command for a timeout period of 5 seconds. If no data arrives during this period, the server records a non-critical error and updates the client's reputation rating so as to raise the client's suspicion level only slightly.
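The staged reply in steps 1 to 6 can be exercised end to end with a short script. The following is an added illustration, not code from the patent: the function names, the constructed test clients and the choice to stop at the first critical finding are assumptions, and the timeout is a parameter so the demonstration does not need the full 5 seconds.

```python
import select
import socket
import threading

CRITICAL, MINOR = "critical", "non-critical"


def client_spoke(conn, timeout):
    """True if the client sends anything within `timeout` seconds."""
    readable, _, _ = select.select([conn], [], [], timeout)
    return bool(readable)


def probe_mail_reply(conn, timeout=5.0):
    """Send the staged 250 reply to MAIL; return [(severity, reason), ...].

    `conn` is a connected socket on which MAIL has already been read.
    Stopping at the first critical finding is this sketch's choice.
    """
    conn.sendall(b"250-OK\r\n")          # step 1: hyphen = more lines follow
    if client_spoke(conn, timeout):      # step 2: client must stay silent
        return [(CRITICAL, "spoke before the multi-line reply ended")]
    conn.sendall(b"250 OK\r")            # step 3: last line, LF withheld
    if client_spoke(conn, timeout):      # step 4: line not terminated yet
        return [(CRITICAL, "spoke before the final line was terminated")]
    conn.sendall(b"\n")                  # step 5: reply is now complete
    if not client_spoke(conn, timeout):  # step 6: next command expected
        return [(MINOR, "no command after the completed reply")]
    return []


def scripted_client(line_end, wait_for_final=True):
    """Constructed test client: sends RCPT once it thinks the reply is done.

    line_end       -- byte sequence this client treats as a line terminator
    wait_for_final -- False models a client that reacts to the first line
    """
    def client(sock):
        buf = b""
        while True:
            chunk = sock.recv(1024)
            if not chunk:                      # server closed the connection
                return
            buf += chunk
            lines = buf.split(line_end)[:-1]   # only terminated lines
            if not lines:
                continue
            # "250 " marks the final line, "250-" a continuation line
            final = lines[-1].lstrip(b"\n")[3:4] == b" "
            if final or not wait_for_final:
                sock.sendall(b"RCPT TO:<user@example.com>\r\n")
                return
    return client


def silent_client(sock):
    """Constructed client that reads replies but never sends a command."""
    while sock.recv(1024):
        pass


compliant = scripted_client(b"\r\n")
first_line_talker = scripted_client(b"\r\n", wait_for_final=False)
bare_cr_talker = scripted_client(b"\r")


def run_probe(client_fn, timeout=0.5):
    """Run the probe against a constructed client over a local socket pair."""
    server, client = socket.socketpair()
    worker = threading.Thread(target=client_fn, args=(client,), daemon=True)
    worker.start()
    try:
        return probe_mail_reply(server, timeout)
    finally:
        server.close()          # EOF lets a still-reading client thread exit
        worker.join(timeout=2)
        client.close()


if __name__ == "__main__":
    for name, fn in [("compliant", compliant),
                     ("first-line talker", first_line_talker),
                     ("bare-CR talker", bare_cr_talker),
                     ("silent", silent_client)]:
        print(name, run_probe(fn))
```

The client that treats a bare <CR> as a line end passes step 2 and is caught only at step 4, which is the case the withheld <LF> exists to expose.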
In a related embodiment, the SMTP server devises a series of delays and/or prompts intended to expose clumsily designed SMTP clients that cannot respond correctly to them. These delays and/or prompts may themselves be illegitimate. For example, even though data has been successfully received from the SMTP client, or the SMTP client has successfully issued a request, the server may still send reply code 421 (indicating that the service is unavailable and that the server is closing the transmission channel) without actually closing the channel. Instead, the server waits and monitors whether the client resends its data or its request, whether the client disconnects and attempts to reconnect, or whether the client ignores the message entirely and continues by sending its next request. The client's reputation rating can be adjusted according to how the client responds to this anomaly fabricated by the server.
In another related embodiment, if the client responds successfully to some of the anomalies, its reputation can be restored to some degree.
Fig. 2 shows an example algorithm for the interaction between SMTP session processor module 130 and client 110. At the start of the SMTP session, in step 210, the server begins a read operation as soon as the socket is connected. The read operation generally takes place before the server sends the banner. The banner is the server's response indicating its willingness to accept client commands after the session starts. If the socket has received data before the banner is sent, the process shows that an error has occurred and that the client is potentially a spam bot. On the other hand, if the client sends no data within a specified time after the banner is sent, it means that the client is slow or that the server is under a denial-of-service (DoS) attack.
In step 220, it is checked whether an address such as the client's IP address or host name appears in a database such as a DUL (dial-up user list); its presence there generally indicates that the SMTP session is being used to send spam. Timeouts in the client's responses are also checked, i.e., the client's response time after a specific server reply.
For example, when checking how multi-line replies are handled, it is important to look at whether the last line of the reply carries the characters <CR><LF> (i.e., the transition to a new line). If, after the line 250-OK<CR><LF> is sent, any data is obtained by reading the socket within the 5-second timeout period, this can be regarded as a critical error. This evaluation is performed in step 230 together with other similar operations. When data is collected on faults in the way the client responds to the server's non-standard operations, the client's negative reputation rating is raised and the client is considered a potential spam bot.
When a specific set of rules is triggered, the client's reputation is calculated in step 240; each rule describes a different kind of error in implementing the data transfer protocol. Table 2 below shows an example for an implementation of the SMTP protocol.
Reputation rating | Parameter | Response | Parameter lifetime |
Critical | Client data sent | Before the banner | 1 month |
Non-critical | No client command received | 5 seconds after the banner is sent | 1 week |
Critical | Client data received | Missing data | 1 month |
Table 2
Each rule is characterised by its own evaluation, or reputation rating. In this example, the reputation rating can be expressed by classes such as "critical", "non-critical" and so on. The evaluation can also be expressed numerically (for example, the security rating calculation described by the inventors in Zaitsev et al., U.S. patent application No. 7,530,106, the disclosure of which is incorporated herein by reference). In addition, the lifetime represents how long a triggered reputation rule remains valid. Each client therefore has a reputation rating that characterises the likelihood of its being a potential spam bot, and this rating changes over time, which avoids possible false positives.
Fig. 3 depicts an example process according to an embodiment of the invention. After a client's request is received, step 310 determines the type of protocol used (for example, TCP, SSL, IP, etc.) and the client's data transfer behaviour. Examples of data transfer behaviour include the time the client needs to respond to the server's reply, and whether the client responds correctly to any anomalous condition deliberately introduced into the server's reply.
Fig. 2 depicts an example of the operation of step 310 (showing data transfer using the SMTP protocol and the subsequent determination of the reputation of client 110). In this step, the server performs steps that attempt to provoke errors from the client. These errors fall into two classes: (1) critical errors, which mean that further operation with the client is impossible or pointless (for example, disconnection, fatal errors, or transport protocol errors such as SSL errors); and (2) ordinary errors, which are caused by a specific action or inaction of the client and do not prevent further interaction with the client.
Next, step 320 detects whether the protocol used by the client is associated with spam bots. A negative answer leads to step 330, where it is concluded that the request is not the operation of a spam bot. Otherwise, step 340 analyses the number of similar requests from clients to the server. In one example, similar requests may include email messages with similar message body content sent to various different recipients. The number of requests is then checked in step 350; if it does not exceed a predetermined threshold, the system can conclude in step 360 that the request is not the operation of a spam bot.
Otherwise, if the process reaches step 370, the system is at a stage where the client's requests have certain characteristics: the client's reputation rating is consistent with that of a spam bot (determined in step 310), the communication protocol is consistent with a protocol known to be used by spam bots (determined in step 320), and the number of requests from clients to the server is large enough to indicate that the client may be a spam bot (determined in step 340). Taken together, these evaluations indicate that the request to the server is the operation of a spam bot.
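The rule lifetimes of Table 2 and the gates of Fig. 3 can be combined in a small reputation ledger. This is an added illustration, not code from the patent: the rule keys, the numeric weights, both thresholds, the 30-day month and the sample address and dates are assumptions made for the example.

```python
from datetime import datetime, timedelta

# Rules transcribed from Table 2: key -> (rating, lifetime).
# A month is taken as 30 days (assumption).
RULES = {
    "client_data_before_banner": ("critical", timedelta(days=30)),
    "no_command_5s_after_banner": ("non-critical", timedelta(days=7)),
    "client_data_received": ("critical", timedelta(days=30)),  # row 3
}
# Numeric weights are assumptions; the text only names the classes.
WEIGHTS = {"critical": 10, "non-critical": 1}


class ReputationLedger:
    """Per-client record of triggered rules, each with its own expiry."""

    def __init__(self):
        self._hits = {}  # client address -> [(rule key, expiry time)]

    def record(self, client, rule, when):
        """Store a triggered rule; it stops counting after its lifetime."""
        _, lifetime = RULES[rule]
        self._hits.setdefault(client, []).append((rule, when + lifetime))

    def active(self, client, now):
        """Rules still within their lifetime at `now`."""
        return [r for r, expiry in self._hits.get(client, []) if now < expiry]

    def score(self, client, now):
        """Higher means more suspicious; expired hits no longer count."""
        return sum(WEIGHTS[RULES[r][0]] for r in self.active(client, now))


def assess(ledger, client, now, protocol_used_by_bots, similar_requests,
           score_threshold=10, request_threshold=100):
    """Apply the three conditions that must hold before step 370.

    Both thresholds are assumed values chosen for the example.
    """
    if ledger.score(client, now) < score_threshold:
        return "clean-reputation"    # step 310: reputation not bot-like
    if not protocol_used_by_bots:
        return "clean-protocol"      # steps 320/330
    if similar_requests <= request_threshold:
        return "clean-volume"        # steps 340-360
    return "suspect"                 # step 370: identify the bot type


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1)        # constructed sample data
    ledger = ReputationLedger()
    ledger.record("192.0.2.10", "client_data_before_banner", t0)
    ledger.record("192.0.2.10", "no_command_5s_after_banner", t0)
    for days in (1, 8, 31):
        now = t0 + timedelta(days=days)
        print(days, ledger.score("192.0.2.10", now),
              assess(ledger, "192.0.2.10", now, True, 500))
```

With the sample data the non-critical hit ages out after a week and the critical hit after a month, so the same client is no longer flagged once its old errors have expired.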
In step 370, the observed characteristics of the client are collected and compared with the characteristics of specific known spam bot types, in order to identify which specific spam bot is suspected of running on the client. If the specific spam bot can be identified (or has recently been profiled), its weaknesses may already be known; if it appears to be a new type, its weaknesses can be determined and a specific treatment package developed to deal with it. Also in step 370, a log is updated to associate the suspected spam bot type with the client (for example, with the client's email or IP address, host name, domain, etc.). Finally, in step 380, a notification or treatment is sent to all client addresses that exhibit behaviour identical or sufficiently similar to that of the analysed client.
In one example, the notification indicates that the client is under the control of a spam bot, which can help the email owner (or system administrator) take corrective action. Various methods are contemplated for delivering and applying treatment packages. In one example, which suits client computer systems that use a malware removal tool, the service provider of the malware removal tool can be notified of the spam bot type that has been found, and an update to the malware removal tool containing instructions for removing the spam bot can be issued. In another example, a custom spam bot removal program can be tailored specifically to the spam bot type that has been found or detected. This custom removal program can be sent to all client addresses logged in step 370 as exhibiting behaviour identical or similar to that of the analysed client. In another treatment example, analysis of the spam bot may have exposed weaknesses that can be exploited (for example, using buffer overflow techniques, or other exploits that are known or yet to be determined), and the server can perform operations that use these exploits to deal with the spam bot.
Fig. 4 shows an exemplary system for implementing anti-spam-bot treatment according to an embodiment of the invention. Tool 410 determines the type of data transfer protocol used, and the specific data for evaluating the reputation rating, according to reputation rule database 420. In addition, tool 430 assesses the number of similar requests from other clients. By combining the information received from these two sources, tool 440 determines the type of spam bot and compares this information with the data stored in spam bot feature database 450. Once the spam bot has been successfully determined, anti-bot tool 460 sends a treatment to the addresses that sent requests similar to the analysed request, or starts other corrective operations such as those described above.
Fig. 5 is an example of a general-purpose computing system on which the various embodiments of the spam robot detector of the invention can be implemented. Personal computer or server 20 includes CPU 21, system memory 22 and system bus 23, which includes various system components, including the memory associated with CPU 21. System bus 23 is implemented as any known bus structure, including a bus driver, a bus memory controller, a peripheral bus and a local bus, and can interact with any other bus structure. System memory includes read-only memory (ROM) 24 and random access memory (RAM) 25. The basic input/output system (BIOS), which uses ROM 24, contains the main routines that ensure the transfer of information between the parts of personal computer 20, for example at startup.
Personal computer 20 includes hard disk drive 27 for reading and writing, magnetic disk drive 28 for reading and writing erasable disk 29, and optical drive 30 for reading and writing erasable optical disc 31, such as a CD-ROM, DVD-ROM or other optical media. Hard disk drive 27, magnetic disk drive 28 and optical drive 30 are connected to system bus 23 through hard disk interface 32, magnetic disk interface 33 and optical drive interface 34, respectively. The drives and the corresponding computer storage media are non-volatile storage for the computer instructions, data structures, program modules and other data of personal computer 20. This description shows an implementation of the system that uses a hard disk, erasable disk 29 and erasable optical disc 31, but it should be understood that other types of computer storage media that can store data in computer-readable form can be used (cassette tapes, flash drives or other non-volatile memory, digital disks, Bernoulli cartridges, random access memory (RAM), read-only memory (ROM), etc.).
Some software modules, which may include operating system 35, are stored on the hard disk, disk 29, optical disc 31, ROM 24 or RAM 25. Computer 20 has file system 36, which stores operating system 35 as well as additional software applications 37, other program modules 38 and program data 39. A user can enter commands and information into personal computer 20 through input devices (keyboard 40, mouse 42). Other input devices (not shown) can be a microphone, joystick, gamepad, satellite dish, scanner, etc. Such input devices are usually connected to CPU 21 through serial port 46, which in turn is connected to the system bus, but they can also be connected by other means, such as a parallel port, game port or universal serial bus (USB). Monitor 47 or another type of display device is also connected to system bus 23 through an interface such as video adapter 48. In addition to monitor 47, the personal computer can be equipped with other peripheral output devices (not shown), such as speakers and a printer.
Personal computer 20 can operate in a network environment by using logical connections to one or more remote computers 49. The remote computer (or computers) 49 can be a personal computer, server, router, network station, peering device or other network node, and usually has most or all of the physical elements described above for personal computer 20, although, as shown in Fig. 5, only storage device 50 with applications 37 is shown. The logical connections include local area network (LAN) 51 and wide area network (WAN) 52; such networks are common office equipment and are also used in corporate computer networks, company intranets and the internet.
When using a LAN, personal computer 20 is connected to LAN 51 through network adapter or interface 53. When using a WAN, personal computer 20 has modem 54 or other means of communicating with a worldwide computer network 52 such as the internet. Modem 54, which can be internal or external, is connected to system bus 23 through serial port 46. In a network environment, software modules of the exposed personal computer 20, or parts of such programs, are stored in remote storage devices. It should be noted that the network connections are merely illustrative and need not show the exact network configuration; that is, in practice there are other ways of establishing a logical connection and other means by which computers communicate with each other.
The above embodiments are intended to be illustrative and not limiting. Additional embodiments are within the claims. In addition, although various aspects of the invention have been described with reference to particular embodiments, those skilled in the art will recognize that changes can be made in form and detail without departing from the spirit and scope of the invention as defined by the claims. For example, the principle of intentionally introducing an unusual condition into the server's responses to client requests can be applied to other, non-SMTP protocols in which the server can request a response from the client (in that case the unusual condition is introduced into the server's request, and the client's response to the request is monitored).
Those skilled in the art will recognize that the invention may include fewer features than any individual embodiment described above. The embodiments described herein are not meant to be an exhaustive presentation of the ways in which the features of the invention can be combined. Accordingly, the embodiments are not mutually exclusive combinations of features; rather, as understood by those skilled in the art, the invention may include a combination of different individual features selected from different individual embodiments.
Any incorporation by reference of the documents above is limited such that no subject matter is incorporated that is contrary to the explicit disclosure herein. Any incorporation by reference of the documents above is further limited such that no claims included in those documents are incorporated by reference into the claims of the present application. The claims of any of those documents are, however, incorporated as part of the disclosure herein, unless specifically excluded. Any incorporation by reference of the documents above is yet further limited such that any definitions provided in those documents are not incorporated by reference herein unless expressly included herein.
For the purpose of interpreting the claims of the present invention, it is expressly intended that the provisions of Section 112, sixth paragraph, of the United States patent law are not to be invoked unless the specific terms "means for ..." or "step for ..." are used in a claim.
Claims (18)
1. A computer-implemented system for detecting spam robot activity, the system comprising:
computer hardware, the computer hardware including a processor, operating memory, non-volatile data storage, and a communication device;
a mail server module, executable on the computer hardware and adapted to respond, through the communication device and according to an email protocol, to email requests from a plurality of email clients;
a session processor module, executable on the computer hardware and adapted to probe a first email client of the plurality of email clients, the probing being carried out during a communication session between the first email client and the mail server module, the communication session including message transmissions from the first email client and from the mail server module, wherein the session processor module is further adapted to:
intentionally introduce at least one unusual condition into a first message transmission from the mail server module during the communication session, and monitor a subsequent message transmission sent from the first email client after the first message transmission;
compare the subsequent message transmission with a reference standard, the reference standard representing a correct response to the at least one unusual condition according to the email protocol;
generate a fame degree judgment for the first email client according to the degree to which the subsequent message transmission from the first email client constitutes a correct response to the at least one unusual condition, the fame degree judgment indicating the likelihood that the first email client is carrying out spam robot activity;
intentionally introduce a second unusual condition into a second message transmission from the mail server module during the communication session, and monitor a subsequent message transmission sent from the first email client after the second message transmission;
adjust the fame degree judgment for the first email client according to the degree to which the subsequent message transmission sent from the first email client after the second message transmission constitutes a correct response to the second unusual condition; and
issue a notification or a corrective operation to the first email client according to the adjusted fame degree judgment.
2. The system according to claim 1, wherein the email protocol is the SMTP protocol and the mail server module is an SMTP server.
3. The system according to claim 1, wherein the at least one unusual condition includes a time delay.
4. The system according to claim 1, wherein the correct response to the at least one unusual condition includes a delayed transmission by the first email client.
5. The system according to claim 1, wherein the at least one unusual condition and the second unusual condition each include an SMTP reply code indicating an error.
6. The system according to claim 1, wherein the at least one unusual condition and the second unusual condition each include an SMTP reply code indicating that the response comprises multiple lines.
7. The system according to claim 1, wherein the at least one unusual condition is an incomplete message.
8. The system according to claim 1, wherein the session processor module is further adapted to set the fame degree judgment for the first email client according to a determination of the protocol type used by the first email client.
9. The system according to claim 1, wherein the session processor module is further adapted to set the fame degree judgment for the first email client according to a determination of the type of error produced by the first email client in response to the at least one unusual condition and the second unusual condition.
10. The system according to claim 1, wherein the session processor module is further adapted to set the fame degree judgment for the first email client according to a determination of the number of similar emails sent by the first email client.
11. The system according to claim 1, wherein the session processor module is further adapted to issue a notification or a corrective operation to at least one email client other than the first email client according to the adjusted fame degree judgment.
12. A computer-implemented method for detecting, by a mail server module, spam robot activity of a client device, the method comprising:
conducting, by the mail server module, an email session with the client device, the email session being conducted according to a predetermined protocol and including an exchange of messages between the mail server module and the client device; and
probing, by the mail server module, the conformance of the client device with the predetermined protocol, including:
intentionally introducing at least one unusual condition into a first message from the mail server module;
monitoring a subsequent message transmission from the client device, the subsequent message being sent after the first message;
comparing the subsequent message with a reference standard, the reference standard representing a correct response to the at least one unusual condition according to the predetermined protocol;
generating a fame degree judgment for the client device according to the degree to which the subsequent message constitutes, according to the predetermined protocol, a correct response to the at least one unusual condition, the fame degree judgment indicating the likelihood that the client device is carrying out spam robot activity;
intentionally introducing a second unusual condition into a second message transmission from the mail server module during the email session;
monitoring a subsequent message transmission sent from the client device after the second message transmission;
adjusting the fame degree judgment for the client device according to the degree to which the subsequent message transmission sent from the client device after the second message transmission constitutes a correct response to the second unusual condition; and
issuing a notification or a corrective operation to at least one client device according to the adjusted fame degree judgment.
13. The method according to claim 12, wherein conducting the email session according to a predetermined protocol includes conducting the email session according to the SMTP protocol.
14. The method according to claim 12, wherein introducing the at least one unusual condition includes introducing a time delay.
15. The method according to claim 12, wherein introducing the at least one unusual condition includes introducing a false indication that an error has occurred at the mail server module.
16. The method according to claim 12, wherein introducing the at least one unusual condition includes introducing an unusual condition for which the correct response is a delayed transmission by the client device.
17. The method according to claim 12, wherein introducing the at least one unusual condition includes sending an incomplete message.
18. The method according to claim 12, further comprising adjusting the fame degree judgment according to at least one additional parameter of the behavior of the client device during the email session.
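The probing steps of claim 12, carried out over two recorded SMTP sessions, as an added example that is not code from the patent: a multi-line reply that stalls before its final line, then a false 4yz error reply, with the fame degree expressed as a suspicion score. The function names, weights, threshold and both transcripts are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    t: float      # seconds since the connection opened
    who: str      # "S" = mail server, "C" = client
    line: str     # SMTP line as sent

FINAL_LINE = re.compile(r"^\d{3}( |$)")  # "250 ok" ends a reply; "250-..." continues it

def next_client(events, idx):
    """First client line sent after position idx, or None."""
    return next((e for e in events[idx + 1:] if e.who == "C"), None)

def ok_multiline(events, idx):
    """Anomaly: a multi-line reply starts at idx and the server stalls.
    Reference standard: the client stays silent until the final line arrives."""
    final = next((e for e in events[idx:] if e.who == "S" and FINAL_LINE.match(e.line)), None)
    nxt = next_client(events, idx)
    return nxt is None or (final is not None and nxt.t >= final.t)

def ok_error_reply(events, idx):
    """Anomaly: a false 4yz error reply at idx.
    Reference standard: the client does not continue the mail transaction."""
    nxt = next_client(events, idx)
    verb = nxt.line.split(":")[0].strip().upper() if nxt else ""
    return verb not in ("RCPT TO", "DATA")

# Assumed weights and threshold, chosen for this example (higher = more suspicious).
CHECKS = {"multiline": (ok_multiline, 40), "error_reply": (ok_error_reply, 50)}

def judge_session(events, probes, threshold=60):
    """probes: (kind, index of the server line that carries the anomaly).
    Returns the suspicion rating after each probe and the resulting action."""
    rating, history = 0, []
    for kind, idx in probes:
        check, weight = CHECKS[kind]
        if not check(events, idx):
            rating += weight       # an incorrect response raises suspicion
        history.append(rating)     # first entry: generated; later ones: adjusted
    return history, ("notify_or_correct" if rating >= threshold else "no_action")

def session(rows):
    return [Event(*r) for r in rows]

# Constructed transcripts: the same two anomalies, answered by two different clients.
BOT = session([
    (0.0, "S", "220 mx.example.test ESMTP"), (0.1, "C", "EHLO host.example.test"),
    (0.2, "S", "250-mx.example.test"),            # probe 1 starts, server stalls
    (0.3, "C", "MAIL FROM:<a@example.test>"),     # speaks before the final line
    (5.2, "S", "250 SIZE 1000000"),
    (5.3, "S", "451 4.3.0 Temporary failure"),    # probe 2: false error
    (5.4, "C", "RCPT TO:<b@example.test>"),       # ignores the error
])
MTA = session([
    (0.0, "S", "220 mx.example.test ESMTP"), (0.1, "C", "EHLO host.example.test"),
    (0.2, "S", "250-mx.example.test"), (5.2, "S", "250 SIZE 1000000"),
    (5.3, "C", "MAIL FROM:<a@example.test>"),
    (5.4, "S", "451 4.3.0 Temporary failure"), (5.5, "C", "QUIT"),
])
PROBES = [("multiline", 2), ("error_reply", 5)]   # same positions in both transcripts

if __name__ == "__main__":
    print(judge_session(BOT, PROBES))
    print(judge_session(MTA, PROBES))
```

The second probe matters because a single violation (40 or 50) stays below the assumed threshold of 60; only the adjusted rating after both probes triggers the notification or corrective operation.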
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
RU2010130872 | 2010-07-23 | ||
RU2010130872 | 2010-07-23 |
Publications (2)
Publication Number | Publication Date |
---|---|
CN102227114A CN102227114A (en) | 2011-10-26 |
CN102227114B true CN102227114B (en) | 2017-06-16 |
Family
ID=44808072
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201110152417.6A Expired - Fee Related CN102227114B (en) | 2010-07-23 | 2011-06-08 | The system and method that spam robot is detected by detection data transmission |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN102227114B (en) |
Families Citing this family (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN103067922A (en) * | 2013-01-24 | 2013-04-24 | 中兴通讯股份有限公司 | Method and system for preventing illegal access point in wireless local area network |
CN105007218B (en) * | 2015-08-20 | 2018-07-31 | 世纪龙信息网络有限责任公司 | Anti-rubbish E-mail method and system |
CN108075947B (en) * | 2017-07-31 | 2024-02-27 | 北京微应软件科技有限公司 | Storage device, PC (personal computer) end and maintenance method and system of communication connection connectivity |
CN110519228B (en) * | 2019-07-22 | 2020-12-04 | 中国科学院信息工程研究所 | Method and system for identifying malicious cloud robot in black-production scene |
Family Cites Families (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7822977B2 (en) * | 2000-02-08 | 2010-10-26 | Katsikas Peter L | System for eliminating unauthorized electronic mail |
US8046832B2 (en) * | 2002-06-26 | 2011-10-25 | Microsoft Corporation | Spam detector with challenges |
US7539761B1 (en) * | 2003-12-19 | 2009-05-26 | Openwave Systems, Inc. | System and method for detecting and defeating IP address spoofing in electronic mail messages |
Also Published As
Publication number | Publication date |
---|---|
CN102227114A (en) | 2011-10-26 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee | ||
CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20170616 Termination date: 20210608 |