WO2001038999A1 - Electronic message filter having a whitelist database and a quarantining mechanism - Google Patents


Publication number
WO2001038999A1
WO2001038999A1 PCT/US2000/031900 US0031900W WO0138999A1 WO 2001038999 A1 WO2001038999 A1 WO 2001038999A1 US 0031900 W US0031900 W US 0031900W WO 0138999 A1 WO0138999 A1 WO 0138999A1
Authority
WO
WIPO (PCT)
Prior art keywords
database
recipient
remote host
message
proxy
Application number
PCT/US2000/031900
Other languages
English (en)
Inventor
Albert L. Donaldson
Original Assignee
Escom Corporation
Priority claimed from US09/447,590 (US6321267B1)
Priority claimed from US09/548,322 (US7249175B1)
Application filed by Escom Corporation
Priority to EP00980591A (EP1234244A4)
Priority to AU17835/01A (AU782333B2)
Priority to CA002392397A (CA2392397A1)
Publication of WO2001038999A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/21 Monitoring or handling of messages
    • H04L51/212 Monitoring or handling of messages using filtering or selective blocking
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms

Definitions

  • This invention generally concerns electronic messaging.
  • present invention concerns a system for filtering undesired electronic mail.
  • spam has come to refer to posting electronic messages to news groups or mailing to addresses on an address list the same message an
  • email to a large number of users on the Internet. This includes email advertisements, sometimes referred to as Unsolicited Commercial Email (UCE), as well as non-commercial bulk email that advocates some political or social position.
  • UCE Unsolicited Commercial Email
  • spammer is a person or organization that generates the junk mail.
  • Email may also be used to download or activate dangerous code, such as Java applets, Javascript, and ActiveX controls. Email programs that support Hypertext
  • HTML Hypertext Markup Language
  • Email has also been used to
  • this existing code can be invoked by
  • used to block spam can also be used to provide a layer of protection for keeping
  • SMTP Simple Mail Transfer Protocol
  • SMTP agent is most commonly used with the Transmission Control
  • TCP/IP Transmission Control Protocol/Internet Protocol
  • MTAs Message Transfer Agents
  • Message Transfer Agents handle the details of sending email across the Internet.
  • an email message is typically sent in the following
  • a user 1040 (located at a personal computer or a terminal device) runs a UA
  • This queue is typically implemented as a collection of files
  • the message may be created on a personal
  • POP Post Office Protocol
  • IMAP Interactive Mail Access Protocol
  • the sending network will have one or more hosts that run a MTA 1043, such
  • TCP Transmission Control Protocol
  • Transfer Protocol 1044 to transfer the message across the Internet.
  • the SMTP session between the sending and receiving MTAs results in the
  • Agent program 1047 to read the message in the mail queue 1046.
  • Figure 2 is a graphical representation of an example of the SMTP messages
  • sender@remote.dom sends a message to
  • the sending host's Message Transfer Agent 1001 sends an email message to
  • the sending MTA opens a TCP connection to
  • MX Mail Exchange
  • the domain escom.com has a single MX record that lists
  • IP address 192.135.140.3. Other networks, particularly large Internet Service Providers (ISPs), might have multiple MX records that define a prioritized list of IP
  • the sending MTA typically establishes the connection by: (1) making a socket
  • the process of opening a TCP connection causes the receiving host's operating system (or networking software) to associate the TCP connection with a process that is listening on the destination TCP port.
  • the TCP connection is a
  • SMTP is line-oriented, which means that
  • step 1011 the receiving MTA sends a service greeting message when it is
  • the greeting message typically gives the host name, MTA program
  • the greeting lines begin with the three-character
  • numeric code "220". By convention, the last/only line begins with the four-character
  • the sending MTA may optionally send
  • HELO message step 1012, that lists its host name. Some mail servers require the sending host to issue this message, and others do not. If the client (sending) MTA
  • the server issues the HELO message, then the server (receiving MTA) issues a HELO response, step 1013, that lists its name.
  • ESMTP Extended SMTP
  • the receiving host generates a multi-line reply listing the extended SMTP
  • the sending MTA sends a MAIL From: message to identify the
  • the Internet address is formed by concatenating the sending user's account
  • the receiving mail server sends either a "250" response if it
  • the receiving mail server may reject the address for syntactical reasons
  • the sending MTA sends a RCPT To: message to identify the
  • sendmail 8.9.3 issues a 550
  • the sending MTA may send multiple RCPT messages (step 1016), usually one for
  • the receiving server issues a separate "250" or "550" response as shown in step 1017 for each recipient.
  • the sending mail server sends a DATA message when it has
  • the server sends a response (nominally, "354", as shown in step 1019) telling the sending server to begin sending the message one line
  • When the sending MTA receives this reply, it sends the text of the email
  • the message includes the
  • When the message transfer has been completed, the sending MTA writes a
  • the receiving MTA typically responds (step 1022) with a "250"
  • MTA then sends a "quit" (step 1023) and the receiving MTA responds with a "221"
  • Figure 3 shows the same information, using a text representation of the SMTP
  • the first character of each line indicates the direction of the protocol message.
  • the email message header is transferred at the beginning of the message and
  • the email message header includes Received: lines
  • the message header is
  • protocol messages e.g., HELO, MAIL and RCPT
  • Junk mail messages almost invariably have a forged email
  • the spammer sends a batch of messages (usually thousands of messages) and then
  • ISP Internet Service Provider
  • the account can send junk email. After acquiring an address list, the user can send a
  • third-party relaying since the relay host is neither the initial sender of the message nor the intended recipient.
  • SMTP responses (greeting messages, 250, etc.) are not shown in this figure.
  • the spammer forges a MAIL From message listing an address at the open relay host 1061.
  • the forged MAIL address can be at any network, including spam.dom, relay.dom, any of the netn.dom hosts, or somewhere else.
  • MAIL From: address may be the same as the From: line in the message header, or it
  • MAIL address usually because he or she is able to override the normal user
  • authentication functions perhaps as a trusted user of a network server or as the
  • the spammer sends multiple RCPT messages with a list
  • step 1068 the spammer sends a DATA message
  • 1061 will forward a copy of the message to each host 1062, 1074 in the address list. For example, relay.dom will open a connection 1070 to host netl.dom 1062, send the
  • the difficulty in filtering relayed junk mail is shown in part by this example.
  • the current generation of relaying tools will also permit the spammer to enter a list of
  • the primary technique in blocking relayed spam involves databases of blacklisted IP addresses, which can be consulted by spam filtering software to
  • Examples of online blacklist databases include, for instance, the Mail Abuse
  • RBL Realtime Blackhole List
  • IMRSS Internet Mail Relay Services Survey
  • blacklists such as MAPS or IMRSS, or risk having mail from the customer blocked because of an entry in the MAPS or IMRSS databases.
  • an open relay can be confirmed by attempting to send a message from user A to user
  • the relay host may
  • the remote host probably is an open relay. After the response to the RCPT message is received, the testing host can close the test
  • Figure 6 shows how a spammer can use a dialup PC 1080 running a SMTP
  • dialup refers to a class of
  • Dialup SMTP Direct program 1081 runs under the control of the
  • the program can be configured to forge any email address, hostname, or any combination thereof
  • the primary method for blocking junk mail from SMTP Direct hosts is by
  • DUL lists various blocks of IP addresses that are known to be used for dialup PCs.
  • DNS Domain Name System
  • Bcc filtering may be used to reject email from unknown hosts that do not list the
  • client methods may
  • S/MIME Secure/Multipurpose Internet Mail Extension
  • OpenPGP standards use public key cryptography to provide security services such as secrecy (confidentiality),
  • S/MIME or OpenPGP-protected spam can still be relayed or sent from dialup computers.
  • a preferred embodiment is provided in a conventional firewall configuration between a remote host and a local MTA.
  • the Active Filter proxy probes the sending host at the time it connects and implements a series of tests to determine if the remote host is
  • the Active Relay test concludes that if the remote host appears to relay for a test connection, then it will
  • the rejected message remains on the remote host, whether an open relay or dialup PC.
  • the Active Filtering proxy can be chained with other content filtering
  • proxies in a conventional fashion to reject other objectionable or malicious content in the body of the message. Minimal involvement is required by email administrators, when compared
  • Administrator involvement generally consists of reviewing logs and adding IP address blocks and domain names to trusted databases where necessary.
  • the method also provides the ability to automatically append IP addresses detected by certain sensor points back into the IP filtering list, so that those hosts can
  • the present invention is compatible with all known SMTP MTAs.
  • the architecture permits a natural separation of responsibilities for the proxy and the
  • the proxy offloads the rejection of junk mail, so that the MTA need only
  • the MTA may provide other conventional spam-filtering
  • FIG. 1 depicts the general architecture for Internet electronic mail using the
  • Figure 2 is a graphical representation of an exchange of SMTP protocol messages involved in transferring a single electronic mail message from one MTA to
  • Figure 3 is a printout of the message of Fig. 2, showing the protocol
  • Figure 4 shows how a bulk mail program takes advantage of an open relay
  • Spammers typically use relaying to offload processing from their computer and obscure their involvement in sending the message.
  • Figure 5 shows the SMTP messages used to perform a simple test of a remote
  • Figure 6 shows how spammers may transfer mail directly from a SMTP direct
  • Spammers typically use
  • FIG. 7 is a block diagram of the Active Filter proxy server system in accordance with the preferred embodiment.
  • FIGS 8-12 show specific architectures in accordance with the present
  • FIG 8 shows the general architecture, in which the Active Filtering proxy is
  • Figure 9 shows the proxy and MTA residing on the same computer.
  • FIGS 10 and 11 show the present invention implemented as part of a SMTP
  • Figure 12 shows how a proxy may be chained with a content-filtering proxy for enhanced control over incoming email.
  • FIG. 13 shows an overview of the protocol transactions exchanged in
  • FIGS 14-23 show the details of the protocol interactions and processing flow
  • Figure 14 shows the initial connection from the remote host to the proxy, a
  • Figure 15 shows the processing of the remote host's HELO and MAIL
  • Figure 16 shows the general framework for the Active Dialup test.
  • Figure 17 shows details of the preferred embodiment for a sequential name check used in the Active Dialup test.
  • Figure 18 shows the Active Relay test.
  • Figure 19 illustrates the Active User verification method.
  • Figure 20 shows how the proxy opens a connection to the local MTA 1403 to
  • Figure 21 shows the transfer of the data in the email message (header, body,
  • Figure 22 illustrates an alternative embodiment for the Active Dialup test
  • Figure 23 shows a second alternative embodiment for the Active Dialup test based upon the inability to establish reverse test connections to neighbors of the
  • FIG. 24 is a block diagram of the Active Filter proxy server system in
  • FIG. 25 is an overview flow chart showing the processing of the MAIL From
  • Figure 26 is an overview flow chart of per-RCPT whitelist processing for an
  • the proxy connects to the local MTA after the first authorized
  • Figure 27 shows how the proxy quarantines a message that did not pass Active
  • Figure 28 shows the processing of the remainder of the email message
  • Figure 29 shows the retrieval of a quarantined message by a user or
  • FIG. 7 illustrates the design of the Active Filtering proxy server.
  • the server
  • a host computer preferably a firewall host 1103 as shown
  • the proxy design requires services provided by the computer hardware platform
  • the hardware platform 1091 includes one or
  • processors memory, disk storage, and network interfaces.
  • processors and amount of memory required depends upon the anticipated processing
  • RAM random access memory
  • a larger network might require multiprocessor implementation with hundreds of megabytes of RAM.
  • the platform may also include a console (not shown) for configuring and controlling
  • the server may also be performed via the network.
  • the operating system 1090 provides an execution environment for the proxy
  • the file and memory management functions cooperate to provide access to a virtual memory space that
  • the operating system also provides the abstraction of TCP sockets 1092 and
  • Each socket identifies a remote host endpoint, such that the socket 1092 is
  • socket 1089 is used to control communications with the local Message Transfer Agent
  • the operating system also provides a means,
  • Configuration databases include Trusted DB 1093, which is used to identify
  • Whitelist DB 1094
  • Blacklist DB 1095 which identifies IP addresses of remote hosts that will be
  • Relay DB 1096 which contains configuration data for the Active Dialup filter, including addresses of
  • Dialup DB 1097 which identifies untrusted hosts that are known not to be dialup clients; Configuration DB
  • each database to be provided as a separate file.
  • the Active Filtering Proxy 1104 is run
  • configuration databases 1093-1098 interacts with the remote host to determine if it is likely to be a source of junk mail, and either closes the connection (without any mail
  • the proxy writes one or more
  • the proxy does not save the message to a local file but
  • the proxy instead performs all transfers from memory buffers. That is, the proxy receives a
  • SMTP message from socket 1092 into a memory buffer optionally validates the
  • the proxy exits after processing each
  • FIGs 8-12 show five architectures that provide Active Filtering of junk mail
  • the Active Filtering proxy 1104 (Fig. 7) runs on a separate firewall
  • proxy server 1103 (Fig. 8), it can be chained with other proxy servers 1116 to
  • the organization's network includes, at a minimum, a router 1101, Internet connection 1100, Local Area Network (LAN) 1102 and MTA 1106. Accordingly,
  • packet-filtering router 1101 routes packets from the Internet 1100 to the SMTP proxy
  • the router operates at the network layer of the protocol
  • IPv4 Internet Protocol version 4
  • IPv6 Internet Protocol version 6
  • Internet connection 1100 which is between the router 1101 and external hosts,
  • circuits such as dialup modem, ISDN, ADSL, or cable TV using link-layer protocols
  • PPP Point-to-Point Protocol
  • SLIP Serial Line Internet Protocol
  • firewall host 1103 has two separate LAN interfaces 1102
  • LAN 1102 interconnects the Internet 1100 with the firewall host 1103.
  • LAN 1117 connects the firewall host 1103 with the organization's protected servers (e.g., 1105) and workstations (not shown). These LANs are typically Ethernet or
  • Each architecture of Figs. 8-12 has one or more MTAs 1106. These include
  • MTAs may be various Internet service providers, and other MTA programs.
  • the proxy server is identified as a Mail Exchange (MX) host
  • the remote host gets the name of the proxy server from the MX record, translates the name into an IP address, acquires a socket, and opens a Transmission Control
  • the proxy server process 1104 opens a connection to port 25 of the mailhost 1105 (which has likewise been bound by
  • the MTA 1106) transfers the initial protocol messages to the MTA 1106, and then
  • the router 1101, firewall host 1103 and mail server host 1105 can also be any suitable router 1101, firewall host 1103 and mail server host 1105.
  • the firewall host 1103 has a single physical LAN interface device that is shared by the two logical interface functions
  • firewall host 1103 cannot be configured to
  • the router 1101 must be configured to block such direct access from the Internet to the
  • the proxy 1104 performs the same functions as
  • proxy server 1104 may use any available InterProcess Communications (IPC) method
  • a first alternative for instance, includes a TCP
  • connection to some port other than TCP 25 is used, although any other TCP
  • the router 1101 must then be configured to prevent packet
  • proxy 1104 could use a Unix domain socket, named pipe, or other mechanism that is
  • the Active Filtering technology may be included as part of a
  • MTA wrapper program 1110 for example, the Trusted Information Systems (TIS) Firewall Toolkit (FWTK) sendmail wrapper smap program.
  • TIS Trusted Information Systems
  • FWTK Firewall Toolkit
  • a wrapper 1110 is to protect the MTA 1106, and Active Filtering is an ancillary function.
  • Various IPC methods 1108 are possible,
  • As shown in Figure 11, the Active Filtering technology 1112 could be any Active Filtering technology 1112.
  • the Active Filtering proxy 1104 (on firewall host)
  • proxy servers 1116 on firewall hosts 1114) to perform other mail filtering functions.
  • various products such as in
  • the Active Filtering proxy 1104 is the first host
  • the two filtering proxies 1104 and 1116 provide improved filtering by requiring each message
  • the Active Filtering and content filtering proxy servers may run on the same proxy host.
  • invocation of the content filtering proxy may use a means such as the Content
  • CVP Content Vectoring Protocol
  • proxies to be added to the chain, for example, proxies
  • Active Filtering operates primarily as a server with respect to the initial connection from the remote host.
  • SMTP is a
  • the Active Filtering proxy 1104 (and its implementations in
  • 1110 and 1112 provides for actively probing the remote host with a reverse SMTP
  • FIG 13 provides an overview of the present invention, with more detailed
  • FIG. 14-29. The figure shows the key steps used by the Active
  • Filter Proxy 1401 to validate a single email message from a remote host 1400 and
  • An additional connection may be
  • the Active Filter Proxy 1401 corresponds to proxy 1104 shown in Fig. 7.
  • the proxy 1401 is shown in Fig. 13 connected between the remote host 1400
  • the proxy 1401 and MTA 1402 may be located at separate locations
  • the proxy 1401 controls when it reads data on the connection 1403, it is not possible for the remote host 1400 to proceed with transfer of its message until the
  • proxy 1401 completes its filtering. The proxy only handles incoming email and does
  • the present invention may be implemented
  • this method uses multiple SMTP connections, appropriately timed to permit the proxy server to
  • the remote host 1400 involves transactions 1410, 1413, 1480, 1484, 1488, 1493, and 1495.
  • the SMTP connection 1418 is initiated by the Active Filtering proxy 1401,
  • server 1401 makes other connections to DNS name servers and, if the connection
  • the proxy server 1401 gets the IP address of the remote host and compares the IP address with a database of disallowed
  • IP address of the remote host 1400 matches an entry in the database
  • the proxy server closes the TCP connection 1403 without transferring an email
  • the proxy server processes the HELO (optional) and
  • the MAIL message contains the address
  • trusted addresses e.g. trusted hosts or whitelisted addresses
  • proxy attempts to open a reverse test connection 1418 to the remote server host.
  • If the proxy cannot open the reverse connection, it may be because the remote host is a dialup workstation. Accordingly, the proxy then performs Active Dialup
  • testing 1420. Internet service providers typically block service requests (such as
  • DHCP Dynamic Host Configuration Protocol
  • the proxy uses certain heuristics based on the name of the host and its neighbors to categorize the
  • the administrator can configure the types of testing to be conducted by the proxy.
  • the proxy reads the configuration database 1098 to determine the proper
  • the administrator can set the configuration database 1098 to
  • Active Relay 1450 testing. Under Active Relay testing 1450, once the reverse
  • connection 1418 is opened, then the proxy 1401 sends HELO, MAIL From, and
  • the proxy preferably sends an error
  • the proxy 1401 conducts Active User testing 1901.
  • step 1470 the Active Dialup, Active Relay and/or Active User testing
  • step 1472 if a HELO message
  • the proxy sends it to the MTA.
  • the proxy sends the MAIL From message (received in step 1413) to the MTA, and sends the MTA response back to the remote host. This is more fully described with respect to
  • the proxy 1401 opens the connection 1470 to the MTA 1402, it transfers
  • protocol messages e.g., RCPT 1480, DATA 1484, message data (header 1488 and
  • Bcc filter 1491 returns an error to the remote host and closes all connections.
  • the proxy 1401 also transfers MTA 1402 protocol responses (e.g., 250, 550, not shown)
  • When the message is transferred successfully, the MTA 1402 normally closes the connection to the proxy 1401, which in turn closes the connection to the remote
  • the proxy simply exits. In multi-threaded implementations, the proxy deallocates the resources (sockets, memory
  • FIGS 14-23 detail the methods and apparatus of the Active Filtering
  • Remote Host 1400
  • Active Filter Proxy 1401 Remote Filter Proxy 1402.
  • Host 1400 shown at the left in the figures, is the host that is attempting to send mail to the local domain. This host may be a sending MTA, a telnet session from a user
  • Active Filter Proxy 1401 is located between the Remote Host 1400 and Local MTA
  • MTA is shown in the figures as flowing from left to right. The system further
  • the Active Filtering design may
  • Figures 13-21 apply to an Active Filter proxy
  • server process that may or may not be located on the same host as the local MTA
  • IPC InterProcess Communications
  • the proxy runs on a
  • the proxy may run as two
  • the proxy host 1401 is preferably a Mail Exchange (MX) host for
  • the local domain and is configured to listen on the SMTP port (TCP 25) for
  • the proxy runs on a Unix system and the Unix inetd (Internet Daemon) program (not shown) is
  • process 1401 handles a single message and exits when it has either rejected the message or transferred the message to the MTA.
  • the proxy 1401 gets the remote host's IP address and
  • a dotted-quad format e.g., 192.168.200.201.
  • the proxy then calls gethostbyaddr() to get the remote hostname (e.g.,
  • DNS Pointer (PTR) record that maps the IP address to a host name
  • IP Address (A) record that maps the name to the corresponding IP address.
  • the proxy has both the IP address and name (if defined in DNS), as well as
  • the proxy only acquires naming information about the remote
  • the proxy could get a connection from any servers in Table 1.
  • the proxy determines if the remote host is categorized as trusted.
  • Trusted networks are usually defined manually by using a suitable editor to enter IP addresses of trusted networks into the trusted database 1093 (Fig. 7). The proxy looks
  • This database is preferably a single linear file.
  • a host name e.g.,
  • host37.remote.dom matches an entry “remote.dom” if the two strings match from the last byte forward, for the length of the shorter string. If the host is trusted,
  • processing continues with display of the greeting message in step 1409.
  • step 1406 the proxy determines whether the remote network has been
  • the proxy compares the IP address of the remote host 1400 with entries
  • the blacklist database is implemented as a linear file containing one filter per line.
  • Each filter consists of an ASCII dotted-quad address followed by a forward slash "/" and the number of bits to be compared, for
  • the proxy can also provide other blacklisting approaches other than
  • the proxy can include
  • Blacklisting by domain name is useful when an administrator observes a
  • configuration database 1098 contains a list of patterns, and if the connection host
  • Short-term blacklisting can be used to handle temporary situations (such as
  • blacklisting uses an additional blacklist file that is periodically cleared out by the
  • the proxy 1401 issues an error reply to the remote host (e.g., "550 SMTP administratively blocked"), closes the
  • connection 1403, logs the rejected connection, and exits without any email being
  • the system log 1099 (Fig. 7) may be configured to log on the local host or
  • remote host such as the local MTA 1402. If the remote host 1400 is trusted or
  • the Active Filter displays the SMTP greeting message, step 1409.
  • the proxy connects to the server (Fig. 20) only after validating the MAIL From message.
  • remote.dom might preferably be maintained in a hashed list or dbm file.
  • Blacklisted IP addresses might preferably be maintained in a bitmap, a hashed list, dbm file, or even in Content Addressable Memory (CAM) for increased performance.
  • the check for a blacklisted IP address consists of opening the bitmap database, seeking to
  • IP addresses. If the bit is set, then the block of addresses is blacklisted, otherwise it is
  • Blacklisted IP addresses are appended automatically to the blacklist database by various sensors in subsequent filters (i.e., the Active Dialup, Active Relay and
  • Active User Filters subject to a configuration setting. This permits the Active Filter proxy to react quickly to floods of spam from a particular host. However, if the
  • the remote host 1400 may send an optional HELO message
  • the proxy 1401 simply reads the message in step 1411, potentially
  • the remote host 1400 sends a mandatory MAIL From message to
  • the proxy reads the message from the TCP connection.
  • the message must contain an email address, represented as "<mfaddr>", in the Internet address format consisting of the concatenation of a user name, "@" sign, and
  • the filter proxy also ensures that the MAIL From
  • the proxy checks the MAIL From address to determine if the remote connection is from another Active Filtering proxy 1401. For instance, suppose
  • Host A opens a data connection to host B.
  • host B opens a
  • one of the proxies runs out of resources.
  • connection may be sent by host B to indicate that the connection is a reverse test connection.
  • Filtering proxy uses the reserved address "reverse" with the local domain name on
  • the proxy 1401 checks the MAIL From address to
  • proxy issues an error reply 1416 on the incoming connection and exits.
  • the proxy then closes the connection when it detects this address to prevent abuse by spammers who might learn this reserved address.
  • the remote host e.g., the remote host
  • the proxy at host B will not be able to test the local host (e.g., host A), but email will
  • the proxy filter 1401 skips subsequent checking of the MAIL From argument if the connecting hostname matches a trusted database entry, using
  • the trusted database identifies networks with which there are
  • step 1417 processing continues with
  • step 1470. Also at step 1417, the filter skips subsequent checking of the MAIL From
  • the whitelist file is a text file that contains
  • the whitelist database may be implemented as hashed database (e.g., dbm) files, or even could be disabled.
  • If the address matches a whitelist entry, processing continues with step 1470.
  • step 1418 the proxy 1401 attempts to open the
  • socket() to acquire a socket structure to manage the connection to port 25 of the
  • step 1419 the proxy 1401 checks the status of the connect() call.
  • TCP returns -1 and sets an error number to indicate the specific error. If the reverse connection is successful, then the proxy continues with step 1450
  • the remote network may silently block
  • the local networking software will return ETIMEDOUT 60 as the network
  • the ISP permits the user to only operate as a client. That is, the ISP uses its packet routers to block network service requests such as SMTP to their dialup users.
  • the proxy 1401 attempts to determine if the IP address or domain
  • dialup i.e., will not accept a reverse connection and have a sequential
  • an ISP may have sequentially-named mailhosts with some mailhosts dedicated for outgoing mail and
  • step 1421 there will typically be only a few entries in this
  • the remaining entries are common across the Internet and can be pre-defined and installed along with the proxy server. It may be necessary to add an entry to this
  • the addresses in step 1421 are preferably expressed as a dotted-quad IP address, a slash "/", and a number of bits to be matched.
  • the filter
  • An address matches a particular filter if the filter address 1097 (Fig. 7) and the remote host 1400 IP address match for the specified number of bits.
  • IP address 192.168.200.29 matches the filter 192.168.200.201/24
  • representations may be desirable for performance
  • the proxy 1401 compares the name of the connecting host
  • match points are required to classify a remote host as a dialup. This approach takes
  • the filter scans the node name of the remote host 1400 for
  • the node name is the part of the host
  • dial-37 The preferred embodiment obtains this information from an entry in the dialup configuration database 1097 (Fig. 7), which contains text strings and associated
  • the node name contains "smtp" (indicating an SMTP host) or "mail" (indicating a
  • the Dialup DB 1097 has a Reject-
  • the proxy 1401 compares the node name of the remote host 1400 with its neighbors and assigns additional points if the names appear to follow a
  • the proxy compares
  • nnn-10 to nnn+10 are within the range nnn-10 to nnn+10, where nnn is the node address (last byte of IP address) of the remote host 1400. Details of step 1423 are provided in Fig. 17. For example, the following Table 3 for a remote host
  • This example shows how this particular ISP sequentially named its hosts over
  • the proxy can consider either node names or complete host names in
  • an ISP can organize a dialup
  • the proxy 1401 compares the total current number of match
  • step 1425 the proxy 1401 issues an SMTP error message (e.g., "550
  • the proxy also logs the rejected dialup and
  • FIG. 17 shows further detail of the processing flow for step 1423 in
  • Step 1500 calculates a 32-bit IP address for the remote host, which is used in step 1504 to calculate the IP address of one of its
  • Steps 1501, 1502, and 1503 perform the remaining steps shown in the
  • step 1424 of Fig. 16 classifies the remote host as a dialup or non-dialup based on the accumulated number of match
  • Step 1505 limits the name comparison to the 8-bit (Class C) address block that
  • the neighbor x is in a different address block than the
  • the range is absolutely bounded by a minimum node address of 0 and a maximum node address of 255, so that the comparison for
  • remote host 192.168.200.2 would only consider node addresses from 0-1 and 3-12, in
  • Steps 1506 and 1507 call gethostbyaddr() to get the host structure for the neighbor x, which contains the host name. Errors do not terminate the comparison, since there may be gaps in the DNS information near the remote host. Steps 1509 and
  • Step 1511 scans forward and backwards to identify the sequence of
  • sequence may contain substrings of matching characters, but as shown in step 1512, if
  • Step 1513 scans the two strings from the names of the remote host and the neighbor x to determine if either contains a hexadecimal-only digit, i.e., a character in
  • step 1514-1516 the proxy 1401
  • step 1517-1519 the proxy calculates the absolute distance between the two
  • the names appear to be part of a sequence and the match counter is incremented.
  • Table 4 shows the distance as correlated to the offset x for the four nearest neighbors of the remote host 63.11.217.117, based on the information in Table 3.
  • the distance calculated for each of the four nearest neighbors is identically equal to the difference in IP address values, thus the names are part of a
  • dialup host based upon a linear correlation of its neighbors' host names. It does not
  • remote host is part of a name sequence that is sufficiently long. It correctly handles
  • variable-width names e.g., "001" through "255"
  • fixed-width names e.g., "001" through "255"
  • variable-width names e.g., "1"
  • blacklist filter 1406 (Figure 14). Bulk mailers who use the SMTP direct mechanism
  • IP address will typically retry from different (dynamically assigned) IP addresses, but frequently from addresses in the same Class C (8-bit) address range.
  • the blacklist database nominally with the number of bits to be matched set to 24, the
  • the preferred embodiment provides for Active Dialup detection following reception of the MAIL From message on connection 1403. This permits logging of the MAIL From message on connection 1403.
  • a proxy might perform Active Dialup
  • the proxy would then preferably perform name categorization in steps 1422, 1423, and 1424 before
  • dialup addresses Such sequential names are easiest to define and maintain, so it is in
  • a change of a "3" to a "7" involves an edit distance of one, as does insertion of a character, or
  • a proxy can conclude that a low edit distance is evidence that the
  • remote host name is part of a set of closely-related names consistent with a dialup name space. This method could be used to replace the method shown in Figure 17
  • steps 1500-1520 are as described in
  • Figure 17 and provide a method of acquiring the neighboring host names for the
  • step 1530 the proxy accesses the Dialup DB 1097 to acquire the
  • threshold value to be used in the remaining steps. Possible threshold values are 1, 2, and 3, since an edit distance of 0 would be used in the remaining steps.
  • step 1531 the proxy scans each character of the
  • step 1532 If the two characters are identical (step 1532), then the proxy advances the character pointer in the two names. In steps 1533, 1534, and 1535, the proxy
  • proxy then continues with the next name, as determined by step 1502.
  • the host may be categorized as either
  • dialup or non-dialup based on a correlation value between names and IP addresses.
  • the x value in this case would be the node IP address (e.g., 107, 108, 109, etc.) and the y value would be some numeric representation of the host name
  • step 1418 (Fig. 15). If a sufficient number of neighboring addresses
  • remote host is a dialup. This method might be used by itself to replace the method
  • steps 1500-1520 are as described in Figure 17 and provide a means of stepping through each of the 20 nearest IP addresses for the remote host.
  • the proxy attempts to connect to the neighbor x, using the same means
  • step 1418 It checks the status for the connection in step 1551. If the
  • the proxy increments the match count. However, if the proxy is able to establish a
  • filtering software than it is to deal with the spam or junk mail after it is received on

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Information Transfer Between Computers (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to an active filtering proxy that filters junk email received from remote Internet hosts using the Simple Mail Transfer Protocol (SMTP) at a message transfer agent. The proxy (1104) actively probes remote hosts that attempt to send mail to a protected mail server in order to identify dialup PCs, open relays, and forged email. The system provides several layers of defense, including: connection-time filtering based on IP address, identification of dialup PCs attempting to send mail, testing for permissive (open) relays, testing the validity of the sender's address, and message header filtering. If a message passes through all relevant layers, it is delivered directly to all of its recipients. A recipient whitelist (1094) allows the user or system administrator to identify particular senders and/or domains as acceptable. If one or more recipients have agreed to receive mail from the sender, the message is delivered to those recipients but is rejected or quarantined for the remaining recipients.
PCT/US2000/031900 1999-11-23 2000-11-21 Electronic message filter having a whitelist database and a quarantining mechanism WO2001038999A1 (fr)

Priority Applications (3)

Application Number Priority Date Filing Date Title
EP00980591A EP1234244A4 (fr) 1999-11-23 2000-11-21 Electronic message filter having a whitelist database and a quarantining mechanism
AU17835/01A AU782333B2 (en) 1999-11-23 2000-11-21 Electronic message filter having a whitelist database and a quarantining mechanism
CA002392397A CA2392397A1 (fr) 1999-11-23 2000-11-21 Electronic message filter having a whitelist database and a quarantining mechanism

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
US09/447,590 1999-11-23
US09/447,590 US6321267B1 (en) 1999-11-23 1999-11-23 Method and apparatus for filtering junk email
US09/548,322 US7249175B1 (en) 1999-11-23 2000-04-12 Method and system for blocking e-mail having a nonexistent sender address
US09/548,322 2000-04-12
US57384800A 2000-05-19 2000-05-19
US09/573,848 2000-05-19

Publications (1)

Publication Number Publication Date
WO2001038999A1 true WO2001038999A1 (fr) 2001-05-31

Family

ID=27412331

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2000/031900 WO2001038999A1 (fr) 1999-11-23 2000-11-21 Electronic message filter having a whitelist database and a quarantining mechanism

Country Status (4)

Country Link
EP (1) EP1234244A4 (fr)
AU (1) AU782333B2 (fr)
CA (1) CA2392397A1 (fr)
WO (1) WO2001038999A1 (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1905563B (zh) * 2006-08-18 2010-07-28 华为技术有限公司 Method and system for filtering out junk calls

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5999932A (en) * 1998-01-13 1999-12-07 Bright Light Technologies, Inc. System and method for filtering unsolicited electronic mail messages using data matching and heuristic processing
US6023723A (en) * 1997-12-22 2000-02-08 Accepted Marketing, Inc. Method and system for filtering unwanted junk e-mail utilizing a plurality of filtering mechanisms

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6370139B2 (en) * 1997-10-24 2002-04-09 Tranz-Send Broadcasting Network, Inc. System and method for providing information dispersal in a networked computing environment
AU1907899A (en) * 1997-12-22 1999-07-12 Accepted Marketing, Inc. E-mail filter and method thereof

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
See also references of EP1234244A4 *

Cited By (52)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7249175B1 (en) * 1999-11-23 2007-07-24 Escom Corporation Method and system for blocking e-mail having a nonexistent sender address
US7216361B1 (en) 2000-05-19 2007-05-08 Aol Llc, A Delaware Limited Liability Company Adaptive multi-tier authentication system
US7849307B2 (en) 2000-05-19 2010-12-07 Aol Inc. System and method for establishing historical usage-based hardware trust
US9397996B2 (en) 2000-05-19 2016-07-19 Microsoft Technology Licensing, Llc Establishing historical usage-based hardware trust
US8954730B2 (en) 2000-05-19 2015-02-10 Microsoft Technology Licensing, Llc Establishing historical usage-based hardware trust
US8612747B2 (en) 2000-05-19 2013-12-17 Microsoft Corporation System and method for establishing historical usage-based hardware trust
US7908644B2 (en) 2000-05-19 2011-03-15 Aol Inc. Adaptive multi-tier authentication system
WO2003003236A1 (fr) 2001-06-29 2003-01-09 Nokia, Inc. Apparatus and method for handling electronic mail
EP1407377A4 (fr) * 2001-06-29 2007-05-30 Nokia Inc Apparatus and method for handling electronic mail
EP1407377A1 (fr) * 2001-06-29 2004-04-14 Nokia Inc. Apparatus and method for handling electronic mail
US7624154B2 (en) 2001-06-29 2009-11-24 Nokia Corporation Apparatus and method for handling electronic mail
US7328250B2 (en) 2001-06-29 2008-02-05 Nokia, Inc. Apparatus and method for handling electronic mail
EP1433079A1 (fr) * 2001-10-06 2004-06-30 Terrace Technologies, Inc. System and method for preventing and delaying the propagation of viruses by electronic mail
EP1433079A4 (fr) * 2001-10-06 2004-12-15 Terrace Technologies Inc System and method for preventing and delaying the propagation of viruses by electronic mail
CN1311370C (zh) * 2001-10-06 2007-04-18 泰瑞斯技术股份有限公司 Electronic mail service system and method using dynamic IP filtering technology
EP1300997A3 (fr) * 2001-10-06 2004-01-02 Terrace Technologies, Inc. System and method for preventing unsolicited electronic mail
KR100391319B1 (ko) * 2001-10-06 2003-07-12 주식회사 테라스테크놀로지 Electronic mail system and method using dynamic IP filtering
EP1300997A2 (fr) * 2001-10-06 2003-04-09 Terrace Technologies, Inc. System and method for preventing unsolicited electronic mail
US7080408B1 (en) 2001-11-30 2006-07-18 Mcafee, Inc. Delayed-delivery quarantining of network communications having suspicious contents
US8266703B1 (en) 2001-11-30 2012-09-11 Mcafee, Inc. System, method and computer program product for improving computer network intrusion detection by risk prioritization
US7424746B1 (en) 2001-11-30 2008-09-09 Mcafee, Inc. Intrusion detection and vulnerability assessment system, method and computer program product
GB2396028A (en) * 2002-11-04 2004-06-09 Townsites Co Uk Ltd Email filtering method
US7174454B2 (en) 2002-11-19 2007-02-06 America Online, Inc. System and method for establishing historical usage-based hardware trust
US8001598B1 (en) 2003-04-25 2011-08-16 Symantec Corporation Use of geo-location data for spam detection
GB2419013A (en) * 2003-06-12 2006-04-12 Ralph A Rodriguez Electronic communication document management systems
WO2004112334A1 (fr) * 2003-06-12 2004-12-23 Rodriguez Ralph A Electronic communication document management systems
US7472164B2 (en) 2004-01-09 2008-12-30 International Business Machines Corporation System and method for identifying spoofed email by modifying the sender address
US8966088B2 (en) 2004-01-09 2015-02-24 Paypal Israel Ltd. Detecting relayed communications
EP1702429A2 (fr) * 2004-01-09 2006-09-20 NPX Technologies Ltd. Detecting relayed communications
EP1702429A4 (fr) * 2004-01-09 2011-08-03 Paypal Israel Ltd Detecting relayed communications
US11522827B2 (en) 2004-01-09 2022-12-06 Paypal Israel Ltd. Detecting relayed communications
WO2005065038A2 (fr) 2004-01-09 2005-07-21 Npx Technologies Ltd. Detecting relayed communications
US10798055B2 (en) 2004-01-09 2020-10-06 Paypal Israel Ltd. Detecting relayed communications
US10122683B2 (en) 2004-01-09 2018-11-06 Paypal, Inc. Detecting relayed communications
EP1564670A3 (fr) * 2004-02-13 2005-11-02 Microsoft Corporation Intelligent quarantining for spam prevention
WO2005116895A1 (fr) * 2004-05-21 2005-12-08 Computer Associates Think, Inc. System and method for managing emails in an enterprise
WO2005115122A2 (fr) 2004-05-25 2005-12-08 Reflexion Network Solutions, Inc. System and method for controlling access to an electronic message recipient
EP1769336A2 (fr) * 2004-05-25 2007-04-04 Reflexion Network Solutions, Inc. System and method for controlling access to an electronic message recipient
EP1769336A4 (fr) * 2004-05-25 2014-08-20 Reflexion Network Solutions Inc System and method for controlling access to an electronic message recipient
EP1812852A2 (fr) * 2004-11-18 2007-08-01 Cisco Technology, Inc. Mitigating network attacks using automatic signature generation
EP1812852A4 (fr) * 2004-11-18 2014-01-22 Cisco Tech Inc Mitigating network attacks using automatic signature generation
EP1877904A2 (fr) * 2005-05-05 2008-01-16 Ironport Systems, Inc. Detecting unwanted electronic mail messages based on probabilistic analysis of referenced resources
EP1877904A4 (fr) * 2005-05-05 2013-09-11 Cisco Ironport Systems Llc Detecting unwanted electronic mail messages based on probabilistic analysis of referenced resources
WO2007037524A1 (fr) * 2005-09-30 2007-04-05 Trend Micro Incorporated Security management device, communication system, and access control method
US8195816B2 (en) 2005-09-30 2012-06-05 Trend Micro Incorporated Security management device, communication system, and access control method
US7849143B2 (en) 2005-12-29 2010-12-07 Research In Motion Limited System and method of dynamic management of spam
EP1811438A1 (fr) * 2005-12-29 2007-07-25 Research In Motion Limited System and method of dynamic management of spam
KR101118398B1 (ko) * 2006-11-03 2012-03-13 알카텔-루센트 유에스에이 인코포레이티드 Method and apparatus for traffic defense
WO2008133644A3 (fr) * 2006-11-03 2009-04-09 Lucent Technologies Inc Method and apparatus for overriding denunciations of unwanted traffic in one or more packet networks
WO2008133644A2 (fr) * 2006-11-03 2008-11-06 Lucent Technologies Inc. Method and apparatus for overriding denunciations of unwanted traffic in one or more packet networks
CN107347051A (zh) * 2016-05-05 2017-11-14 阿里巴巴集团控股有限公司 Service message processing method and system
US10375091B2 (en) 2017-07-11 2019-08-06 Horizon Healthcare Services, Inc. Method, device and assembly operable to enhance security of networks

Also Published As

Publication number Publication date
AU782333B2 (en) 2005-07-21
EP1234244A4 (fr) 2005-03-09
CA2392397A1 (fr) 2001-05-31
AU1783501A (en) 2001-06-04
EP1234244A1 (fr) 2002-08-28

Similar Documents

Publication Publication Date Title
US7249175B1 (en) Method and system for blocking e-mail having a nonexistent sender address
US6321267B1 (en) Method and apparatus for filtering junk email
AU782333B2 (en) Electronic message filter having a whitelist database and a quarantining mechanism
US7529802B2 (en) Method for performing multiple hierarchically tests to verify identity of sender of an email message and assigning the highest confidence value
US10212188B2 (en) Trusted communication network
US8271596B1 (en) Apparatus and methods for controlling the transmission of messages
KR101137089B1 (ko) Method and system for verifying incoming messages
US8738708B2 (en) Bounce management in a trusted communication network
US8725889B2 (en) E-mail management services
US20060004896A1 (en) Managing unwanted/unsolicited e-mail protection using sender identity
US8583787B2 (en) Zero-minute virus and spam detection
US20050015455A1 (en) SPAM processing system and methods including shared information among plural SPAM filters
WO2007045049A1 (fr) Method for authenticating electronic messages
US20070088789A1 (en) Method and system for indicating an email sender as spammer
US20060265459A1 (en) Systems and methods for managing the transmission of synchronous electronic messages
WO2007055770A2 (fr) Trusted communication network
US7958187B2 (en) Systems and methods for managing directory harvest attacks via electronic messages
US11916873B1 (en) Computerized system for inserting management information into electronic communication systems
Schryen The e-mail delivery process and its susceptibility to spam
Gosselin et al. Message Handling System (X. 400) Threats, Vulnerabilities, and Countermeasures

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
WWE Wipo information: entry into national phase

Ref document number: 17835/01

Country of ref document: AU

WWE Wipo information: entry into national phase

Ref document number: 2000980591

Country of ref document: EP

Ref document number: 2392397

Country of ref document: CA

WWP Wipo information: published in national office

Ref document number: 2000980591

Country of ref document: EP

REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

WWG Wipo information: grant in national office

Ref document number: 17835/01

Country of ref document: AU

WWR Wipo information: refused in national office

Ref document number: 2000980591

Country of ref document: EP

WWW Wipo information: withdrawn in national office

Ref document number: 2000980591

Country of ref document: EP