CN102227114B - System and method for detecting spam bots by probing data transmission - Google Patents

Info

Publication number: CN102227114B
Authority: CN (China)
Prior art keywords: client, unusual condition, degree, fame, mail
Legal status (an assumption, not a legal conclusion): Expired - Fee Related
Application number: CN201110152417.6A
Other languages: Chinese (zh)
Other versions: CN102227114A (en)
Inventor: 罗曼·雷巴尔科
Current Assignee: Kaspersky Lab AO
Original Assignee: Kaspersky Lab AO
Application filed by: Kaspersky Lab AO

Abstract

The invention discloses a computer-implemented system and method by which a mail server module detects spam bot activity on a client device. An e-mail session, comprising an exchange of messages between the mail server module and the client device, is conducted between them according to a predetermined protocol. The mail server module tests the client's conformance with the predetermined protocol, which includes: deliberately introducing at least one abnormal condition into a first message from the mail server module; monitoring subsequent message transmissions from the client device; comparing the subsequent messages with a reference standard; and generating a reputation determination for the client device according to the degree to which the subsequent messages constitute a correct response, under the predetermined protocol, to the at least one abnormal condition. The reputation determination indicates the likelihood that the client device is engaged in spam bot activity.

Description

System and method for detecting spam bots by probing data transmission
Technical field
The present invention relates to systems and methods for analysing network data transmission in real time, and more particularly to identifying and disabling programs that send unwanted data, or "spam", over network protocols.
Background
Every day millions of electronic messages (e-mail) are sent around the world over networks such as the Internet, but most of them are unsolicited and unnecessary, the so-called "spam". Spam has been defined as messages containing commercial, political and other forms of advertising, malicious programs, and links to phishing or other disreputable websites. The most objectionable aspect of spam is that such messages are regularly sent over the Internet to individuals who have not expressed any wish to receive them. Moreover, since a typical Internet user may receive tens or even hundreds of spam messages a day, statistics show that spam accounts for up to 90% of all messages sent. Clearly, the question of how to deal with spam is extremely important.
One way of dealing with spam is to use various filters that find spam messages by one or more keywords or by placing the sender's address on a blacklist. More advanced techniques, for example using block diagrams or classification, also allow users to raise the spam detection rate to values that are sometimes close to 100%. These techniques are now implemented in commercial products designed for individual users and corporate departments, such as anti-spam filter, anti-rubbish mail postal delivery, GFI MailEssentials, Kaspersky Internet Security and Kaspersky Anti-Spam.
These solutions handle spam only after it has already been delivered to the user's e-mail server, and do not themselves address the main problem, namely the large volume of spam being sent. They also carry the risk of false positives: a legitimate e-mail (for example, from a friend or colleague) that happens to trigger a filtering mechanism may be treated as spam.
Most spam is now sent by individual programs, also called spam bots, which are often hidden on a user's computer and are used to perform regular operations such as sending spam. The various servers that spammers lease for short periods to send spam are not the main source of spam; they are used to facilitate transmission. An alternative approach to dealing with spam is therefore to detect spam bots on users' computers. The volume of spam from a single home user with a 10-20 Mbps channel can reach 50-100 gigabytes per day. Because there are large numbers of spam bots, the total traffic can put mail servers under severe stress. There is therefore an urgent need to remove spam bots from users' computers effectively.
Summary of the invention
In view of the foregoing, there is a need for a system that can recognise spam bots from the details of the types of operations they perform and of how they are implemented, and that exploits potential weaknesses in their operation to further locate and remove them. One aspect of the invention is directed to analysing how a client program uses, and interacts over, the data transfer protocol with a server. The results of this analysis can be used to identify, block and remove programs that send spam.
Besides finding spam bots by their behaviour, another way of detecting them relates to their clumsy implementation. Spam bots are often implemented as SMTP clients that attempt to interact with legitimate mail servers. The inventor has recognised that spam bots are often poorly optimised and use low-quality algorithms for sending e-mail by themselves. This is due either to a lack of skill on the part of spam bot designers, or possibly to the fact that, because a spam bot's main task is to send as much spam as possible in a short time, its designers see no need to improve it.
One embodiment of the invention analyses a program's use of the data transfer protocol to find errors in the program's implementation of that protocol, and thereby identifies, blocks and removes programs that send spam.
According to one embodiment, a computer-implemented system for detecting spam bot activity includes: computer hardware (comprising a processor, operating memory, non-volatile data storage and a communication device); a mail server module, executable on the computer hardware and adapted to respond, via the communication device and according to an e-mail protocol, to e-mail requests from a plurality of e-mail clients; and a session processor module, executable on the computer hardware and adapted to probe a first e-mail client of the plurality of e-mail clients during a communication session between the first e-mail client and the mail server module (the communication session comprising message transmissions from the first e-mail client and from the mail server module). The session processor module can be integrated into the mail server module or implemented separately. The session processor module is adapted to deliberately introduce, during the communication session, at least one abnormal condition into a first message transmission from the mail server module (such as an SMTP reply), and to monitor a subsequent message transmission from the first e-mail client (such as an SMTP request) sent after the first message transmission. The at least one abnormal condition can be any one or more kinds of abnormal condition, for example a message that is non-standard or unusual (in the circumstances at that time), or a time delay. The subsequent message transmission from the first e-mail client is compared with a reference standard that represents a correct response, according to the e-mail protocol, to the at least one abnormal condition. Based on the comparison, a first reputation determination for the first e-mail client is generated according to the degree to which the subsequent message transmission from the first e-mail client constitutes a correct response to the at least one abnormal condition. The reputation determination thus indicates the likelihood that the first e-mail client is engaged in spam bot activity.
According to one embodiment, the spam detection system further uses a reputation rule database to determine the data transfer protocol used for communication between the client and the server, and the type of spam bot. The reputation rule database is configured to store reputation rules for determining the level of likelihood that a client program is sending spam. A tool for assessing the number of requests is associated with a tool for determining the spam bot type and with a tool for distributing anti-spam programs. While the tool for assessing the number of requests determines the number of similar requests the server has received from other clients, together with the list of their addresses, the tool for determining the type of spam-sending program is associated with a characteristics database of such programs. The tool for determining the spam bot type compares data from the tool that determines the data transfer protocol and from the tool that assesses the number of requests with data from the spam bot characteristics database, in order to identify the program that is sending spam. The spam bot characteristics database stores the data used to identify spam. The tool for distributing anti-spam programs sends a "prescription" for the spam bot to the client addresses received from the tool for assessing the number of requests, in order to remove the spam bot.
In a particular embodiment, a client's reputation is calculated when it triggers a specific set of rules, each rule describing a different error in implementing the data transfer protocol.
The following detailed description of preferred embodiments reveals a number of advantages.
Brief description of the drawings
The invention can be understood more fully by considering the following detailed description of its various embodiments in conjunction with the accompanying drawings, in which:
Figs. 1A to 1C depict various arrangements of the client-server model in which aspects of the invention are implemented according to different embodiments;
Fig. 2 depicts an example of the interaction between an SMTP session processor and a client according to one embodiment of the invention;
Fig. 3 depicts an example of the operation of a spam bot detection system according to one embodiment of the invention;
Fig. 4 shows an example system implementing anti-spam-bot treatment according to one embodiment of the invention;
Fig. 5 depicts an exemplary computer system on which embodiments of the invention can be implemented.
Although the invention is amenable to various modifications and alternative forms, specifics thereof are shown by way of example in the drawings and will be described in detail. It should be understood, however, that the intention is not to limit the invention to the particular embodiments described. On the contrary, the intention is to cover all modifications, equivalents and alternatives falling within the spirit and scope of the invention as defined by the appended claims.
Detailed description
Every spam bot involved in electronic data transfer communicates with mail servers using a particular protocol. Although the following examples are described in terms of the Simple Mail Transfer Protocol (SMTP), it should be understood that the principles of the invention can be suitably modified and applied to other protocols where such modification and application are practicable. Table 1 below is an example of a simple session using this protocol, which helps to illustrate the various operations a spam bot performs. In this exemplary SMTP session, the operations performed by the server and by the client, which is a potential spam bot, are recorded step by step as a function of time (the time axis runs from top to bottom).
Table 1
SMTP is essentially a dialogue, typically a one-sided one: the client sends commands (that is, "requests") and the server answers with "replies".
One aspect of the invention recognises that, within SMTP, there is a way for the server to provoke particular behaviour by the client. According to the presence (or absence) of that behaviour, the server can record a reputation rating for the client with respect to spam.
In an exemplary embodiment, the server deliberately introduces an abnormal condition into its communication with the client, for example by giving a non-standard reply to a client request, to which the client may or may not be able to respond correctly. The server monitors the client's subsequent requests to learn whether they respond to the abnormal condition in some way. During monitoring, the content and/or timing of the subsequent request is observed and compared with a reference standard, which is what SMTP regards as the correct response to that abnormal condition.
One premise of this approach is that a competent implementation of an SMTP client tends to respond correctly to such a non-standard reply from the server, whereas an incompetent implementation (as is common with spam bots) cannot.
In some embodiments, the mechanism for identifying defects in the client program is based on delay periods that are frequently introduced before the server sends its reply. This kind of abnormal condition in the server's operation is combined with monitoring of the timing of the client's response. A clumsily designed client will be unable to adapt to the abnormal condition and so exposes its own defects.
In related embodiments, the server's non-standard operation or abnormal condition is implemented through the various numeric reply codes issued by the server. Reply codes are defined in the SMTP standard RFC-2821, which is incorporated herein by reference. For example, a reply code can appear as a character string in numeric form in the range 100 to 999.
As RFC-2821 specifies, each of the three digits of a reply has a specific meaning. The first digit indicates whether the reply is good, bad or incomplete. A simple SMTP client, or one that receives an unexpected code, can determine its next action (proceed as planned, redo, retrench) by examining this first digit. An SMTP client that wants to know roughly what kind of error occurred (for example, a mail system error or a command syntax error) can examine the second digit. The third digit, and any supplementary information that may be present, is reserved for the finest gradation of information. For example, reply codes classified by first digit fall into the following classes:
2xx: command completed successfully
3xx: more data is needed from the client
4xx: temporary error; the client must retry after some time
5xx: fatal error
A correctly developed SMTP client should handle all of the server's reply codes properly, including rarely used ones, and should take delays (that is, the waiting time for the server's reply) into account. Malware designers generally do not aim to comply with standards, which means that the malware they produce often cannot perform the operations needed to respond to particular reply codes. For example, reply codes in the 3xx and 4xx classes generally cause a standards-compliant client to retry. Depending on the nature of the reply code, the retry may correctly be performed immediately or after a delay. A spam bot may ignore such a reply code completely, or may retry in a way that does not match the reply code, for example retrying immediately or incessantly when a delayed retry would be the most appropriate response.
Turning now to the drawings, Figs. 1A-1C and 4 depict a set of computer-implemented systems for detecting, and selectively repairing or disabling, spam bots. According to embodiments of the invention, these systems are generally implemented on the server side of the client-server model. Each computer-implemented system can be a single physical machine, or can be distributed among multiple physical machines, for example by role or function, or by program thread in the case of a cloud-computing distributed model. In various embodiments, aspects of the invention can be configured to run in virtual machines, which in turn run on one or more physical machines. Those skilled in the art will appreciate that features of the invention can be realised by a variety of suitable machine implementations. The systems of Figs. 1A-1C and 4 include various modules, such as the SMTP server 120, the SMTP session processor module 130 and the client policy module 140. The term "server" or "module" as used herein means a real-world device, component, or arrangement of components implemented using hardware, such as an application-specific integrated circuit (ASIC) or field-programmable gate array (FPGA), or as a combination of hardware and software, such as a microprocessor system and a set of instructions that implement the functionality of the server or module and that (when executed) transform the microprocessor system into a special-purpose device. A module can also be implemented as a combination of the two, with some functions facilitated by hardware alone and other functions facilitated by a combination of hardware and software. In some embodiments at least part, and in some cases all, of a server or module can be executed on the processor(s) of one or more general-purpose computers (such as the one described in greater detail below) that execute an operating system, system programs and application programs, while also implementing the server or module using multitasking, multithreading, distributed (for example, cloud) processing or other such techniques. Accordingly, a server or module can be realised in a variety of suitable configurations and should not be limited to any particular implementation exemplified herein.
Figs. 1A to 1C show various modules implementing SMTP. Fig. 1A depicts the typical model of interaction between a client 110 and an SMTP server 120. In this arrangement the client 110 (also called a mail user agent (MUA), that is, a program that lets users send and receive messages on their computers) transfers data to the SMTP server 120 (also called an MTA, mail transfer agent, that is, the program responsible for sending mail on the server). As the example SMTP session explained above shows, the interaction takes the form of a one-way dialogue between the client and the server, in which the server only informs the client of the status of the operations performed.
Fig. 1B depicts an example of an SMTP session processor module according to one embodiment. The session processor module includes modules for tracking the order and timing of interactions within the SMTP session. The SMTP session processor module 130 sits between the client 110 and the SMTP server 120. Besides handling requests from the client 110 to the SMTP server 120, the SMTP session processor module 130 is also connected to the client policy module 140. The client policy module 140 can include various prohibitions on e-mail transmission that use IP address blacklists. A policy can be implemented to block the sending of e-mail during certain time periods (because some spam bots operate during certain periods of the day in order to evade detection).
Fig. 1C shows a variant of the embodiment of Fig. 1B above, in which the SMTP session processor module 130 and the client policy module 140 are integrated sub-components of the SMTP server 120.
Most spam bots begin uploading their data in bulk, that is, not as an exchange of notifications with the server but as an immediate stream of data. Many servers support the SMTP pipelining extension (defined in RFC 2920) or do not check the order of the commands the client sends. This enables a spam bot to send messages to the server without performing read operations on any of the server's replies, which simplifies the task of designing illegitimate clients (such as spam bots). The behaviour of many spam bots follows exactly this pattern. In one embodiment, the SMTP session processor module 130 detects spam bots by checking the order and timing of the commands the client sends. In one illustrated example, the following checks are performed while a positive reply to the client's MAIL command is being sent:
0. The client sends the MAIL command.
1. The server sends the reply code: 250-OK <CR><LF>. Because the server is giving a multi-line reply (the hyphen after the numeric reply code indicates that more lines will follow, and every line ends with <CR><LF>), the correct response for the client is to wait for the additional lines before sending a new command.
2. The server monitors the socket for a timeout period of 5 seconds. If the client sends data during the timeout period, the server records a critical error and updates the client's reputation value to raise the client's suspicion level. If nothing arrives from the client during the 5-second timeout period, the client is assumed to be correctly waiting for the additional lines of the multi-line reply, and the process continues.
3. The server sends an incomplete reply that shows it is the last line of the multi-line reply (that is, it has no hyphen) but does not include the <LF> character: 250 OK <CR>.
4. The server monitors the socket for a timeout period of 5 seconds. If the client sends data during the timeout period, the server records a critical error and updates the client's reputation value to raise the client's suspicion level (that is, a worse reputation record is generated). If nothing arrives from the client during the 5-second timeout period, the client is assumed to be correctly waiting for the final <LF> character, and the process continues.
5. The server sends the terminating character that ends the multi-line reply: <LF>.
6. The server monitors the socket for the next command for a timeout period of 5 seconds. If no data arrives during this period, the server records a non-fatal error and updates the client's reputation rating to raise the client's suspicion level only slightly.
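The checks numbered 0 to 6 above, run against four constructed clients over a local socket pair. This is an added example, not code from the patent or from Kaspersky Lab; the client functions, the sample addresses, the choice to stop at the first critical finding and the 0.3-second timeout used by run_session are assumptions (the page uses 5 seconds, which is the default of probe_mail_reply).

```python
import select
import socket
import threading

CRITICAL, NON_CRITICAL = "critical", "non-critical"
MAIL = b"MAIL FROM:<sender@example.org>\r\n"   # constructed sample commands
RCPT = b"RCPT TO:<rcpt@example.net>\r\n"


def read_line(conn):
    """Read one byte at a time so pipelined commands stay in the socket."""
    line = b""
    while not line.endswith(b"\n"):
        byte = conn.recv(1)
        if not byte:
            break
        line += byte
    return line


def data_arrives(conn, timeout):
    """True if the client sends anything within `timeout` seconds."""
    readable, _, _ = select.select([conn], [], [], timeout)
    return bool(readable)


def probe_mail_reply(conn, timeout=5.0):
    """Steps 1-6; returns (severity, reason) findings, empty if compliant."""
    conn.sendall(b"250-OK\r\n")              # step 1: more lines announced
    if data_arrives(conn, timeout):          # step 2
        # This example stops at the first critical finding (its own choice).
        return [(CRITICAL, "data sent before multi-line reply ended")]
    conn.sendall(b"250 OK\r")                # step 3: last line, <LF> withheld
    if data_arrives(conn, timeout):          # step 4
        return [(CRITICAL, "data sent before terminating <LF>")]
    conn.sendall(b"\n")                      # step 5: reply now complete
    if not data_arrives(conn, timeout):      # step 6
        return [(NON_CRITICAL, "no command after completed reply")]
    return []


def reply_complete(buf):
    """A reply is complete when its last CRLF-terminated line is 'NNN text'."""
    if not buf.endswith(b"\r\n"):
        return False
    last = buf[:-2].split(b"\r\n")[-1]
    return last[:3].isdigit() and last[3:4] == b" "


def _client(sock, ready):
    """Send MAIL, read until ready(buffer) is true, then send RCPT."""
    sock.sendall(MAIL)
    buf = b""
    while not ready(buf):
        chunk = sock.recv(1024)
        if not chunk:                        # server closed the connection
            return
        buf += chunk
    sock.sendall(RCPT)


def compliant_client(sock):                  # waits for the whole reply
    _client(sock, reply_complete)


def prefix_matching_bot(sock):               # reacts to "250 " without <LF>
    _client(sock, lambda buf: b"250 " in buf)


def silent_client(sock):                     # never sends a next command
    _client(sock, lambda buf: False)


def pipelining_bot(sock):                    # streams commands, reads nothing
    sock.sendall(MAIL + RCPT + b"DATA\r\n")


def run_session(client_fn, timeout=0.3):
    """Drive one constructed client over a local socket pair."""
    server, client = socket.socketpair()
    worker = threading.Thread(target=client_fn, args=(client,), daemon=True)
    worker.start()
    try:
        read_line(server)                    # step 0: the MAIL command
        return probe_mail_reply(server, timeout)
    finally:
        server.close()
        worker.join(timeout=2)
        client.close()


if __name__ == "__main__":
    for fn in (compliant_client, pipelining_bot, prefix_matching_bot,
               silent_client):
        print(fn.__name__, run_session(fn))
```

Reading the MAIL command one byte at a time matters: a single large read would swallow the pipelined commands and hide the very data that step 2 is watching for.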
In related embodiments, the SMTP server devises a series of delays and/or prompts to expose clumsily designed SMTP clients that cannot respond correctly to them. These delays and/or prompts can themselves be illegitimate. For example, even though data has been received successfully from the SMTP client, or the SMTP client has successfully issued a request, the server can still send reply code 421 (indicating that the service is unavailable and that the server is closing the transmission channel) without actually closing the channel. Instead, the server waits and monitors whether the client resends its data or its request, whether the client disconnects and tries to reconnect, or whether the client ignores the message entirely and goes on to send its next request. The client's reputation rating can be adjusted according to its response to this anomaly fabricated by the server.
In another related embodiment, if the client responds successfully to some anomalies, its reputation can recover to a certain degree.
Fig. 2 shows an example algorithm for the interaction between the SMTP session processor module 130 and the client 110. At the start of the SMTP session, in step 210, the server begins a read operation as soon as the socket is connected. This read normally takes place before the server sends its greeting banner. The banner is the server's reply indicating that it is willing to accept client commands after the session starts. If the socket has received data before the banner is sent, the process records that an error has occurred, indicating that this client is potentially a spam bot. On the other hand, if the client sends no data within the prescribed time after the banner is sent, this means either that the client is slow or that the server is under a denial-of-service (DoS) attack.
In step 220, the client's address, such as its IP address or host name, is checked against databases such as a DUL (dial-up user list); its appearance there generally indicates that the SMTP session is being used to send spam. The timeout period of the client's responses is also checked, that is, the client's response time after a particular server reply.
For example, when checking how a multi-line reply is handled, it is important to look for whether the last line of the reply has the characters <CR><LF> (that is, the transition to a new line). If, after the line 250-OK<CR><LF> has been sent, any data is obtained by reading the socket within the 5-second timeout period, this can be regarded as a critical error. Evaluations of this kind are performed in step 230 together with other similar operations. When error data showing the client's non-standard handling of the server's replies has been collected, the client's negative reputation rating is raised, and it is treated as a potential spam bot.
When a specific set of rules is triggered, the client's reputation is calculated in step 240; each rule describes a different error in implementing the data transfer protocol. Table 2 below shows an example for an SMTP implementation.

Reputation rating | Parameter                  | Response                       | Parameter lifetime
Critical          | Client data transmitted    | Before banner                  | 1 month
Non-critical      | No client command received | 5 seconds after banner is sent | 1 week
Critical          | Client data received       | Lack of data                   | 1 month

Table 2
Each rule is characterised by its own assessment, or reputation rating. In this example the reputation rating is expressed by categories such as "critical", "non-critical" and so on. The assessment can also be expressed numerically (for example, the calculated security score described by inventors Zaitsev et al. in U.S. Patent Application No. 7,530,106, the disclosure of which is incorporated herein by reference). In addition, the lifetime indicates how long a triggered reputation rule remains valid. Each client therefore has a reputation rating that characterises the likelihood of its being a spam bot, and this rating changes over time, which avoids possible false positives.
Fig. 3 depicts an example process according to an embodiment of the invention. After a client's request is received, step 310 determines the type of protocol used (for example, TCP, SSL, IP and so on) and the client's data-transfer behaviour. Examples of data-transfer behaviour include the time the client takes to respond to the server's replies, and whether the client responds correctly to any abnormal condition deliberately introduced into the server's replies.
Fig. 2 depicts an example of the operation of step 310 (showing data transfer over SMTP and the subsequent determination of the reputation of client 110). In this step the server performs steps that attempt to provoke errors by the client. These errors fall into two classes: (1) critical errors, which mean that further work with the client is impossible or pointless (for example, disconnection, fatal errors, and transport protocol errors such as SSL errors); and (2) errors of an ordinary nature, which are caused by a particular action or inaction of the client and do not prevent further interaction with the client.
Next, step 320 checks whether the protocol the client is using is associated with spam bots. A negative answer leads to step 330, where it is concluded that the request is not the operation of a spam bot. Otherwise, step 340 analyses the number of similar requests from clients to the server. In one example, similar requests can include e-mail messages with similar message bodies sent to various different recipients. The number of requests is then checked in step 350; if it does not exceed a predetermined threshold, the system can conclude in step 360 that the request is not the operation of a spam bot.
Otherwise, if the process reaches step 370, the system is at a stage where the client's request has certain characteristics: the client's reputation rating is consistent with a spam bot (determined in step 310), the communication protocol is consistent with a protocol that spam bots are known to use (determined in step 320), and the number of requests from clients to the server is large enough to indicate that the client is probably a spam bot (determined in step 340). Taken together, these assessments indicate that the request to the server is the operation of a spam bot.
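An added example (not from the patent) of how the rule lifetimes of Table 2 make a client's reputation change over time, combined with the three conditions listed above for reaching step 370. The numeric weights, both thresholds, the reading of "1 month" as 30 days, the rule names and the sample address are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Rule:
    severity: str          # "critical" or "non-critical", as in Table 2
    lifetime: timedelta    # how long a triggered rule keeps counting


# First two rows of Table 2; "1 month" is taken as 30 days (assumption).
RULES = {
    "data_before_banner": Rule("critical", timedelta(days=30)),
    "no_command_after_banner": Rule("non-critical", timedelta(weeks=1)),
}
# Numeric weights and both thresholds are assumptions of this example; the
# page gives categories and a "predetermined threshold" but no numbers.
WEIGHTS = {"critical": 10, "non-critical": 1}
SUSPECT_SCORE = 10
SIMILAR_REQUEST_THRESHOLD = 100


class ReputationStore:
    def __init__(self):
        self._hits = {}  # client address -> {rule name: expiry time}

    def trigger(self, client, rule_name, now):
        # Re-triggering restarts the rule's lifetime instead of stacking.
        expiry = now + RULES[rule_name].lifetime
        self._hits.setdefault(client, {})[rule_name] = expiry

    def active_rules(self, client, now):
        hits = self._hits.get(client, {})
        for name in [n for n, expiry in hits.items() if expiry <= now]:
            del hits[name]  # expired findings stop counting
        return sorted(hits)

    def score(self, client, now):
        return sum(WEIGHTS[RULES[n].severity]
                   for n in self.active_rules(client, now))


def verdict(store, client, protocol_used_by_bots, similar_requests, now):
    """Combine the three conditions listed for reaching step 370."""
    if store.score(client, now) < SUSPECT_SCORE:        # reputation, step 310
        return "not a spam bot"
    if not protocol_used_by_bots:                       # steps 320 and 330
        return "not a spam bot"
    if similar_requests <= SIMILAR_REQUEST_THRESHOLD:   # steps 340 to 360
        return "not a spam bot"
    return "probable spam bot"                          # continue to step 370


if __name__ == "__main__":
    store = ReputationStore()
    t0 = datetime(2011, 6, 1)          # constructed timestamp and address
    store.trigger("192.0.2.10", "data_before_banner", t0)
    store.trigger("192.0.2.10", "no_command_after_banner", t0)
    for days in (0, 8, 31):
        now = t0 + timedelta(days=days)
        print(days, store.score("192.0.2.10", now),
              verdict(store, "192.0.2.10", True, 500, now))
```

Because every finding carries its own expiry, a machine that has been cleaned, or an address reassigned to another user, stops being treated as a suspect once the lifetimes run out.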
In step 370, the feature that is observed of client is collected and by itself and specific known spam robot The feature of type compares, and is used to identify suspection by that specific spam robot of client implementation.Such as The specific spam robot of fruit can be identified(Or be depicted recently), then its weakness may be known, or rubbish Rubbish e-mail machines people can determine its weakness and tackle this spam robot developing in the case of showing as new type Specified handler bag.Equally in step 370, Update log is used to suspicious spam robot type and client It is associated(For example, Email or IP address with client, host name, domain etc.).Finally, in step 380 to institute The all clients address that the client table of analysis reveals identical or fully similar behavior sends notice or processes.
In an example, notify to show that client is under the control of spam robot, it can aid in electricity The sub- mail owner(Or system manager)It is modified operation.Various methods have been dreamed up to be used to transmit and application processing function Bag.In an example, this example is suitable for use with the client computer system that Malware deletes instrument, can notify to dislike Meaning software deletes the service routine of instrument on the spam robot type that has found, and can issue including deleting rubbish The Malware of the instruction of e-mail machines people deletes tool renewal.In another example, self-defined spam robot is deleted Except program can be specially adapted for spam robot type having found or detecting.This self-defined spam machine Device people delete program can be sent to be logged in step 370 reveal identical or phase with analyzed client table Like all clients address of behavior.In another treatment example, the analysis to spam robot may be exposed through Going out it can be utilized(For example, using buffer overflow technique, or technological achievement that is other known or will being determined)Weakness, and And server is able to carry out being tackled using these technological achievements the operation of spam robot.
Fig. 4 shows an exemplary system that implements anti-spam-bot treatment according to an embodiment of the invention. Tool 410 determines the type of data transfer protocol used and the specific data, and evaluates the reputation level according to reputation rule database 420. In addition, tool 430 assesses the number of similar requests from other clients. By combining the information received from these two sources, tool 440 determines the type of spam bot and compares this information with the data stored in spam bot signature database 450. After the spam bot has been successfully identified, anti-bot tool 460 sends a treatment to the addresses that sent requests similar to the analyzed request, or initiates any of the other corrective operations described above.
Fig. 5 is an example of a general-purpose computing system on which embodiments of the spam bot detector of the invention can be implemented. Personal computer or server 20 includes CPU 21, system memory 22 and system bus 23, which connects the various system components, including the memory associated with CPU 21. System bus 23 is implemented as any known bus structure, including a bus driver, a bus memory controller, a peripheral bus and a local bus, and can interact with any other bus structure. The system memory includes read-only memory (ROM) 24 and random access memory (RAM) 25. The basic input/output system (BIOS) contains the main routines that ensure information transfer between the elements of personal computer 20, for example at startup using ROM 24.
Personal computer 20 includes a hard disk drive 27 for reading and writing, a magnetic disk drive 28 for reading and writing removable magnetic disk 29, and an optical drive 30 for reading and writing removable optical disk 31, such as a CD-ROM, DVD-ROM or other optical media. Hard disk drive 27, magnetic disk drive 28 and optical drive 30 are connected to system bus 23 through hard disk interface 32, magnetic disk interface 33 and optical drive interface 34, respectively. The drives and their corresponding computer storage media are non-volatile storage for the computer instructions, data structures, program modules and other data of personal computer 20. This description shows an implementation of the system that uses a hard disk, removable magnetic disk 29 and removable optical disk 31, but it should be understood that other types of computer storage media capable of storing data in computer-readable form can be used (cassette tapes, flash drives or other non-volatile memory, digital disks, Bernoulli cartridges, random access memory (RAM), read-only memory (ROM), etc.).
Some software modules, potentially including operating system 35, are stored on the hard disk, magnetic disk 29, optical disk 31, ROM 24 or RAM 25. Computer 20 has a file system 36, which stores operating system 35 as well as additional software applications 37, other program modules 38 and program data 39. A user can enter commands and information into personal computer 20 through input devices (keyboard 40, mouse 42). Other input devices (not shown) can include a microphone, joystick, game pad, satellite dish, scanner, etc. Such input devices are usually connected to CPU 21 through serial port 46, which is in turn connected to the system bus, but they can also be connected by other means such as a parallel port, game port or universal serial bus (USB). A monitor 47 or other type of display device is also connected to system bus 23 through an interface such as video adapter 48. In addition to monitor 47, the personal computer can be equipped with other peripheral output devices (not shown), such as speakers and a printer.
Personal computer 20 can operate in a network environment by using logical connections to one or more remote computers 49. The remote computer (or computers) 49 can be a personal computer, server, router, network station, peering device or other network node, and generally has most or all of the elements described above for personal computer 20, although Fig. 5 shows only storage device 50 with applications 37. The logical connections include local area network (LAN) 51 and wide area network (WAN) 52; such networks are common office facilities and are also used in corporate computer networks, company intranets and the Internet.
When a LAN is used, personal computer 20 is connected to LAN 51 through a network adapter or interface 53. When a WAN is used, personal computer 20 has a modem 54 or other means of communicating with the global computer network 52, such as the Internet. Modem 54, which can be internal or external, is connected to system bus 23 through serial port 46. In a network environment, the software modules of the described personal computer 20, or parts of such programs, are stored in remote storage devices. It should be noted that the network connections are merely illustrative and need not show the exact network configuration; in practice there are other ways of establishing a logical connection and other technical means by which computers communicate with each other.
The embodiments described above are intended to be illustrative and not limiting. Additional embodiments are within the claims. In addition, although aspects of the invention have been described with reference to particular embodiments, those skilled in the art will recognize that changes can be made in form and detail without departing from the spirit and scope of the invention as defined by the claims. For example, the principle of deliberately introducing an anomalous condition into a server's response to a client request can be applied to protocols other than SMTP in which the server can request a response from the client (in which case the anomalous condition is introduced into the server's request, and the client's response to the request is monitored).
Those skilled in the art will recognize that the invention can include fewer features than are illustrated in any individual embodiment described above. The embodiments described herein are not meant to be an exhaustive presentation of the ways in which the various features of the invention can be combined. Accordingly, the embodiments are not mutually exclusive combinations of features; rather, as understood by those skilled in the art, the invention can include a combination of different individual features selected from different individual embodiments.
Any incorporation by reference of the documents above is limited such that no subject matter is incorporated that is contrary to the explicit disclosure herein. Any incorporation by reference of the documents above is further limited such that no claims included in those documents are incorporated by reference into the claims of this application. The claims of any of those documents are, however, incorporated as part of the disclosure herein, unless specifically excluded. Any incorporation by reference of the documents above is yet further limited such that any definitions provided in those documents are not incorporated by reference herein unless expressly included herein.
For purposes of interpreting the claims of the present invention, it is expressly intended that the provisions of the sixth paragraph of Section 112 of the United States patent law are not to be invoked unless the specific terms "means for ..." or "step for ..." are recited in a claim.

Claims (18)

1. A computer-implemented system for detecting spam bot activity, the system comprising:
computer hardware, the computer hardware including a processor, operating memory, non-volatile data storage, and a communication device;
a mail server module, the mail server module being executable on the computer hardware and adapted to respond, via the communication device and according to an email protocol, to email requests from a plurality of email clients;
a session processor module, the session processor module being executable on the computer hardware and adapted to probe a first email client of the plurality of email clients, the probing being carried out during a communication session between the first email client and the mail server module, the communication session including message transmissions from the first email client and from the mail server module, wherein the session processor module is further adapted to:
deliberately introduce at least one anomalous condition into a first message transmission from the mail server module during the communication session, and monitor a subsequent message transmission sent from the first email client after the first message transmission;
compare the subsequent message transmission against a reference standard, the reference standard representing a correct response to the at least one anomalous condition according to the email protocol;
generate a reputation determination for the first email client according to the degree to which the subsequent message transmission from the first email client constitutes a correct response to the at least one anomalous condition, the reputation determination indicating the likelihood that the first email client is carrying out spam bot activity;
deliberately introduce a second anomalous condition into a second message transmission from the mail server module during the communication session, and monitor a subsequent message transmission sent from the first email client after the second message transmission;
adjust the reputation determination for the first email client according to the degree to which the subsequent message transmission sent from the first email client after the second message transmission constitutes a correct response to the second anomalous condition; and
issue a notification to, or take a corrective action with respect to, the first email client according to the adjusted reputation determination.
2. The system according to claim 1, wherein the email protocol is the SMTP protocol and wherein the mail server module is an SMTP server.
3. The system according to claim 1, wherein the at least one anomalous condition includes a time delay.
4. The system according to claim 1, wherein the correct response to the at least one anomalous condition includes the first email client delaying transmission.
5. The system according to claim 1, wherein the at least one anomalous condition and the second anomalous condition each include an SMTP reply code indicating an error.
6. The system according to claim 1, wherein the at least one anomalous condition and the second anomalous condition each include an SMTP reply code indicating that the response contains multiple lines.
7. The system according to claim 1, wherein the at least one anomalous condition is an incomplete message.
8. The system according to claim 1, wherein the session processor module is further adapted to set the reputation determination for the first email client according to a determination of the type of protocol used by the first email client.
9. The system according to claim 1, wherein the session processor module is further adapted to set the reputation determination for the first email client according to a determination of the type of error produced by the first email client in response to the at least one anomalous condition and the second anomalous condition.
10. The system according to claim 1, wherein the session processor module is further adapted to set the reputation determination for the first email client according to a determination of the number of similar emails sent by the first email client.
11. The system according to claim 1, wherein the session processor module is further adapted to issue a notification to, or take a corrective action with respect to, at least one email client other than the first email client according to the adjusted reputation determination.
12. A computer-implemented method for detecting, by a mail server module, spam bot activity of a client device, the method comprising:
conducting, by the mail server module, an email session with the client device, the email session being conducted according to a predetermined protocol and including an exchange of messages between the mail server module and the client device; and
probing, by the mail server module, the conformance of the client device to the predetermined protocol, including:
deliberately introducing at least one anomalous condition into a first message from the mail server module;
monitoring a subsequent message transmission from the client device, the subsequent message being sent after the first message;
comparing the subsequent message against a reference standard, the reference standard representing a correct response to the at least one anomalous condition according to the predetermined protocol;
generating a reputation determination for the client device according to the degree to which the subsequent message constitutes a correct response to the at least one anomalous condition according to the predetermined protocol, the reputation determination indicating the likelihood that the client device is carrying out spam bot activity;
deliberately introducing a second anomalous condition into a second message transmission from the mail server module during the email session;
monitoring a subsequent message transmission sent from the client device after the second message transmission;
adjusting the reputation determination for the client device according to the degree to which the subsequent message transmission sent from the client device after the second message transmission constitutes a correct response to the second anomalous condition; and
issuing a notification to, or taking a corrective action with respect to, at least one client device according to the adjusted reputation determination.
13. The method according to claim 12, wherein conducting the email session according to a predetermined protocol includes conducting the email session according to the SMTP protocol.
14. The method according to claim 12, wherein introducing the at least one anomalous condition includes introducing a time delay.
15. The method according to claim 12, wherein introducing the at least one anomalous condition includes introducing a false indication that the mail server module has encountered an error.
16. The method according to claim 12, wherein introducing the at least one anomalous condition includes introducing an anomalous condition for which the correct response is for the client device to delay transmission.
17. The method according to claim 12, wherein introducing the at least one anomalous condition includes sending an incomplete message.
18. The method according to claim 12, further comprising adjusting the reputation determination according to at least one additional parameter of the behavior of the client device during the email session.
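
As an illustration of the probe-and-score flow of claims 1 and 12 with the anomalies named in claims 3 to 6, the following Python sketch (added here; it is not part of the patent text) scores a session transcript against three reference behaviours taken from RFC 5321: wait for the greeting, wait for the last line of a multi-line reply, and do not send DATA when the only recipient drew a transient 4yz reply. The transcripts, the weights, the 5-second threshold and the convention that a low score means bot-like are constructed assumptions.

```python
BANNER_DELAY = 5.0  # assumed: a 220 greeting held at least this long is a delay probe
WEIGHTS = {"delay": 30, "multiline": 30, "tempfail": 40}  # constructed weights

def is_final(line):
    # RFC 5321 reply syntax: "NNN-text" continues a reply, "NNN text" ends it.
    return line[:3].isdigit() and line[3:4] != "-"

def probe_results(events):
    """Map each anomaly seen in a transcript to True (handled correctly) or False.

    events: (seconds since connect, "S" or "C", protocol line) tuples covering
    the envelope commands only (no message body lines after DATA).
    """
    results = {}
    reply_open = True      # server still owes a complete reply (first: the greeting)
    in_multiline = False   # continuation line sent, final line still held back
    accepted = 0           # RCPT commands answered 2yz
    tempfailed = False     # some RCPT was answered 4yz
    last_verb = ""
    for t, side, line in events:
        if side == "S":
            if not is_final(line):
                in_multiline = True
                results.setdefault("multiline", True)
                continue
            if last_verb == "" and t >= BANNER_DELAY:
                results.setdefault("delay", True)
            if last_verb == "RCPT" and line.startswith("2"):
                accepted += 1
            elif last_verb == "RCPT" and line.startswith("4"):
                tempfailed = True
                results.setdefault("tempfail", True)
            reply_open = in_multiline = False
        else:
            verb = line.split(" ", 1)[0].upper()
            if in_multiline:
                results["multiline"] = False   # sent before the reply's last line
            elif reply_open:
                results["delay"] = False       # sent before any reply arrived
            if verb == "DATA" and tempfailed and accepted == 0:
                results["tempfail"] = False    # ignored the transient rejection
            last_verb, reply_open = verb, True
    return results

def reputation(events, start=50):
    """Generate a score, then adjust it once per anomaly; low means bot-like here."""
    score = start
    for probe, passed in probe_results(events).items():
        score += WEIGHTS[probe] // 2 if passed else -WEIGHTS[probe]
    return max(0, min(100, score))

# Constructed transcripts; the server does not advertise PIPELINING.
MTA = [
    (5.0, "S", "220 mx.example.test ESMTP"), (5.1, "C", "EHLO relay.example.org"),
    (5.2, "S", "250-mx.example.test"), (8.2, "S", "250 SIZE 10240000"),
    (8.3, "C", "MAIL FROM:<a@example.org>"), (8.4, "S", "250 OK"),
    (8.5, "C", "RCPT TO:<b@example.test>"), (8.6, "S", "451 4.7.1 try again later"),
    (8.7, "C", "QUIT"),
]
BOT = [
    (0.2, "C", "HELO x"), (5.0, "S", "220 mx.example.test ESMTP"),
    (5.1, "S", "250-mx.example.test"), (5.2, "C", "MAIL FROM:<x@example.net>"),
    (8.1, "S", "250 SIZE 10240000"), (8.2, "S", "250 OK"),
    (8.3, "C", "RCPT TO:<b@example.test>"), (8.4, "S", "451 4.7.1 try again later"),
    (8.5, "C", "DATA"),
]
```

Calling `reputation(MTA)` and `reputation(BOT)` shows the two ends of the scale; a client that sends DATA after one accepted and one deferred recipient is not penalised, because that is valid SMTP.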
CN201110152417.6A 2010-07-23 2011-06-08 The system and method that spam robot is detected by detection data transmission Expired - Fee Related CN102227114B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
RU2010130872 2010-07-23

Publications (2)

Publication Number Publication Date
CN102227114A CN102227114A (en) 2011-10-26
CN102227114B true CN102227114B (en) 2017-06-16

Family

ID=44808072

Country Status (1)

Country Link
CN (1) CN102227114B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20170616

Termination date: 20210608