WO2005055535A1 - Computer network system and method - Google Patents
- Publication number
- WO2005055535A1 (PCT/GB2004/004968)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- server
- message
- messages
- smtp
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0227—Filtering policies
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L51/00—User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
- H04L51/21—Monitoring or handling of messages
- H04L51/212—Monitoring or handling of messages using filtering or selective blocking
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L51/00—User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
- H04L51/21—Monitoring or handling of messages
- H04L51/23—Reliability checks, e.g. acknowledgments or fault reporting
Definitions
- This invention relates to a computer network system and method.
- it relates to a computer system and method for handling electronic mail.
- In parallel with the recent rapid expansion in the use of electronic mail as a communication medium, there has been an expansion in unsolicited messages, which are commonly known as "spam".
- An unsolicited e-mail message is similar to junk mail people receive in the post.
- a sender of bulk unsolicited e-mail messages (known as a "spammer") typically uses other people's mail servers to deliver their e-mail campaigns at other people's expense. Unsolicited e-mail costs are covered by the ISP (Internet Service Provider) processing the e-mail messages and the individuals receiving the messages.
- Unsolicited e-mail campaigns are often seen as congestion on ISP networks.
- One method is to delete all the unsolicited e-mail. This method requires the ISP to operate additional hardware and/or software to analyse each incoming e-mail message and make a decision based on rules to decide if the message is considered unsolicited. If it is, the e-mail is deleted. This method can cause false positives. A false positive is when an e-mail filter based on its rules has decided to delete the message when the message is not, in fact, unsolicited. Another method uses the same filters, but simply marks the message in the subject as a possible unsolicited message, allowing the individual that receives the e-mail to make the decision whether to delete it or not.
- the first method is the one most prone to error.
- a false positive can cause the deletion of good messages and the ISP has to incur costs for additional hardware and software.
- the second solution stops deletion of the false positives, by allowing the message to be delivered, but the individual still has to receive the messages and the network must transport them. If a spammer sends out hundreds of thousands of e-mail messages, all being identical, the filter will analyse each message. This is inefficient. Neither solution targets the original problem of the e-mail being received in the first place.
- An aim of this invention is to provide e-mail handling systems and methods that discourage or prevent mass distribution of unsolicited e-mail messages. Simply handling messages after they have been received does not achieve this. Spammers sell their spamming techniques to customers by sending out large amounts of unsolicited e-mail messages and getting paid for it by their customers. The spammer has to show that the message was successfully sent from their systems to get paid, not that it was received by the targeted individual. So as long as a message is shown as sent, the spammer does not mind if the ISPs or recipients delete them, as that does not affect their income. In fact, the more systems the ISPs put in place to delete the messages, the more the spammers can send.
- e-mail is handled in the Internet using the simple mail transport protocol (SMTP), an application layer protocol in the OSI model.
- the SMTP handles sending and receiving of the e-mail traffic and a receiving SMTP server confirms that a message has been received by a mail transport agent on a destination host. This is achieved by an exchange of packets between the sender and the destination in accordance with the protocol.
- it is not possible to change this protocol on an e-mail server because this would obstruct normal operation of e-mail transport; therefore, this invention is designed to be compatible with existing SMTP e-mail systems.
- this invention provides a method of operating a mail server, the method comprising: performing one or more tests upon an incoming e-mail message to assess whether it is an acceptable message; and in the event that the e-mail message is found to be unacceptable, preventing the receiving server from sending acknowledgement of receipt of the message to the sender.
- Methods embodying this aspect of the invention are surprisingly effective in discouraging spam messages.
- the impression given to the sender is that the message has failed to send, so the spammer does not receive payment for sending the message.
- the sender will typically wait for some time for receipt of acknowledgement before timing out. This blocks each sending thread within the source machine, so limiting the total number of messages that can be sent by the sender.
- Typical embodiments of the invention operate to receive messages using an application layer protocol that operates according to the simple mail transport protocol (SMTP).
- prevention of acknowledgement may be implemented within a layer of the network stack lower than that of the application layer. For example, it may take place at the transport layer, which operates using the transmission control protocol (TCP) in the Internet.
- Information relating to servers that are sources of unacceptable e-mail may be stored in a database. Information that has been stored in the database may be used to determine how subsequent e-mail from a particular source server should be handled, or whether a further connection from a particular sending SMTP should be accepted at all. For example, if an e-mail message comes from a known spammer, the SMTP server from which the spammer's messages originate may be denied connection for a predetermined period, for example, two days.
- the server may be operative, upon identifying a source of inappropriate e-mail messages, to send a message to one or more other servers operating according to a method embodying the invention, the message identifying a server from which inappropriate messages have been received.
- the server may store information (for example, in the database) to identify the server identified in the message as one from which messages should be rejected automatically and, for example, for a predetermined period, such as for two days. This may be implemented in a peer-to-peer network, or with a central server that co-ordinates distribution of information relating to sources of unsolicited e-mail messages amongst servers of which it is aware.
- this invention provides a mail server operative to process mail messages by means of a method according to the first aspect of the invention.
- the mail server may comprise conventional computer hardware and software that, when executed by the hardware, performs a method according to the first aspect of the invention.
- this invention provides a network stack that can be executed on computer hardware to process e-mail messages in accordance with the first aspect of the invention.
- this invention provides a software product that can be executed on computer hardware to process e-mail messages in accordance with the first aspect of the invention.
- Figure 1 is a general overview of a spammer distributing unsolicited e-mail messages by way of the Internet according to known methods.
- FIG. 2 illustrates components of an SMTP server embodying the invention.
- a spammer uses a server 10 to send bulk unsolicited e-mail messages.
- a spammer typically operates through use of an outgoing mail server 10 that has a direct connection to the Internet 12.
- the server may be a computer owned by the spammer, or may be a server operated by an Internet service provider (ISP).
- the server operates networking software that is capable of generating e-mail messages from a list of many e-mail addresses and sending them using the simple mail transport protocol.
- the messages are routed by Internet servers to the intended recipient mail host 14.
- each message is analysed by filters 16 to determine whether or not it is an unsolicited message. If it is not unsolicited, it is delivered to the individual addressee's mailbox 18. Otherwise, it is handled as unsolicited mail, either by deleting it or by changing its subject line to indicate that it is unsolicited before delivering it to the user, illustrated at 20.
- This invention is implemented in the software systems of the recipient mail host 14.
- When an e-mail client or server sends a message, it goes through a stage of communication, where it has to tell the incoming SMTP server where the message originated, the recipient and the data contained.
- This communication involves the sender 10 sending to the recipient 14 one or more SMTP commands, which the recipient 14 acknowledges by sending one or more SMTP replies back to the sender 10. Therefore, after each piece of this information is passed to the receiving SMTP server, the sending SMTP waits for the receiving server to acknowledge it has received the information correctly. If the sending server 10 does not receive answers to its requests in accordance with the specifications laid down in the simple mail transport protocol, it waits for a time that is not defined by SMTP to receive the acknowledgement. This time varies depending on the manufacturer of the SMTP server.
- the receiving SMTP server 14 analyses incoming e-mail messages, and applies analysis rules to determine whether it has become the target of a campaign of unsolicited e-mail.
- the analysis applied to incoming messages includes rules to detect the following properties of a message:
- the software receives the e-mail message and applies configured rules based on the above properties.
- the information is then passed to a database where information is stored to determine how any future events involving the sending sender are stored. If a rule applied to a message fails, that is to say, it concludes that the incoming message contains fake headers or has known unsolicited content, a message is sent to all SMTP servers that implement the invention instructing them to block messages from the sender. The current message that failed the test is deleted and the sending server is marked in the database as blocked.
- the simple mail transport protocol 22 relies upon a transport-layer protocol 24, typically the transmission control protocol (TCP) to carry its data frames.
- TCP is a connection-based protocol (that, in turn, relies upon lower network layers 26 that will not be discussed here) that can establish reliable data transport between hosts.
- the SMTP layer 22 must establish a TCP connection to the well-known port 25 on the recipient before any transport of e-mail messages can take place.
- the TCP network layer 24 of the receiving host 14 operates to examine all frames received on port 25, and consults the database 30 to determine how they should be processed. If a frame is received from a host that is marked in the database as a source of unsolicited e-mail, it is handled in a non-standard manner that ensures that SMTP communication cannot be established.
- an SMTP transaction can be considered to consist of the following events: the transport event and the routing event.
- the invention can be implemented by providing a hook into the transport event and between the transport event and the routing event.
- the embodiment is invoked to check whether the message is for a valid user or from a valid sender.
- a valid sender in this context, is one that is not listed in the database as a source of unsolicited e-mail messages.
- the incoming IP address of the sending SMTP server is compared with the database of blocked sending servers. This event is handled at the transport layer, and therefore takes place before any data reaches the SMTP layer. Thus, packets from blacklisted servers are blocked in much the same way as packets are blocked by a firewall. Thus, if the IP address of a server is in the database, this embodiment will stop any data passing from the blocked server to the SMTP layer. This occurs before the transport and routing layer.
- the embodiment releases the message and the transport event then continues and sends an acknowledgement to the sender, as required by the transport control protocol. If the message is rejected, an error code is returned by the transport layer.
- the released message is then passed to the SMTP transport event.
- the second event then fires.
- the SMTP server is communicating with the sending SMTP server and exchanging information about the sender and recipient of the message, etc.
- the software now has the information regarding the sender and recipient.
- the software checks for valid senders and receivers. It also checks that the message is not coming from a known banned e-mail address or domain name. If this fails an error is returned to the sending SMTP server. If it passes, the second event is stopped and the standard SMTP server continues. This occurs during the transport layer.
- the second event does not have the e-mail message in a complete form, so a third event is required for the message to be processed in full.
- the released message is then passed to the SMTP routing event.
- the software of the embodiment can now access the complete message.
- the third hook is then activated before the message is processed by the routing event.
- the software now analyses the content of the message, for example, for banned file extensions and for content that suggests known spammer techniques have been applied to generate the message. If this test fails the TCP block is applied to all SMTP servers.
- the software checks for valid senders and receivers. It also checks that the message is not coming from a known banned e-mail address or domain name. The domain/e-mail address could be being sent from a mail server different to that specified as the sender or reply-to address, so it could have got through the first event, described above.
- the operator of the sending SMTP server is penalised because all messages from it are blocked when it is determined to be a source of spam. This is done so that the problem is removed from the recipient's server and placed in the hands of the operators of the sending server. This has the effect that if the operators were unaware of the spammer the fact that their messages are being blocked will draw attention to the existence of a problem. The operators can then take action to stop the spammer.
- the second event does not have the e-mail message in a complete form, so a third event is required for the message to be received in full.
- This is the mail event that does the checks on the format of the message and applies the rules described above. This occurs just before the routing layer and after the transport layer.
- the SMTP uses the TCP for its network protocol.
- the software systems embodying the invention are activated. These systems communicate with one another directly with the TCP protocol. This is so as not to interfere with the SMTP; only the TCP protocol is affected. This is why the SMTP layer is unaware of the changes that have occurred.
- a post office server e.g., operating the POP3 or IMAP protocol
- a user can then download their messages from the post office whenever it is convenient to do so.
- the system implemented by this embodiment operates in front of the post office server, so the post office server is completely unaffected by messages that are blocked. This provides a decrease in bandwidth usage and a corresponding increase in server capacity. Therefore, the post office server has more time to process good e-mail messages and, because there are fewer e-mail messages coming in, there is less traffic on the Internet connections.
- this invention directly targets the spammer's business model. This concept causes the spammer to stop targeting the ISP or companies running the servers that embody the invention. It can also reduce the spammer's ability to target other servers.
- a sending server will start a thread to send a message, and that thread will run until the message has been sent or it has been finally decided that the message cannot be sent.
- Some network activities such as initiation of a TCP session, will cause the thread to block until completion or a timeout period has elapsed. Since a system can only support a finite number of threads at any one time, any thread that is blocked while trying to send a message to a server embodying the invention cannot become free to send a message to another server.
- the TCP layer can react in several ways when it receives frames from a blocked server. For example, it may send no frames at all back to the sending server 10. In that case, the session setup fails entirely. Alternatively, it may allow the session to be set up, but then fail to acknowledge subsequent packets sent over the established session. As a further alternative, it may initiate a session teardown a short time after the session has been established.
- a network that includes several mail servers embodying the invention can share information relating to sources of unsolicited e-mail messages.
- one such server adds a source to its database, it can send a message to one or more other servers, each of which will add the same information to its database.
- one server detects a source of unsolicited e-mail messages, it sends the information to a central server. The central server then sends a message to all servers of which it is aware, instructing those servers to update their databases.
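
The three hooks and the shared, time-limited block list described above can be modelled as follows. This is an added sketch, not code from the patent: the class and function names, the sample addresses and the banned-sender and banned-extension lists are constructed for illustration, and only the peer-to-peer sharing variant is shown.

```python
from dataclasses import dataclass, field

BLOCK_SECONDS = 2 * 24 * 3600           # "two days", the example period in the text
BANNED_SENDERS = {"bulk@spam.example"}  # constructed sample data
BANNED_EXTENSIONS = (".exe", ".scr")    # constructed sample data


@dataclass
class BlockDatabase:
    """Maps a source IP address to the time at which its block expires."""
    expiry: dict = field(default_factory=dict)

    def block(self, ip, now):
        self.expiry[ip] = now + BLOCK_SECONDS

    def is_blocked(self, ip, now):
        until = self.expiry.get(ip)
        if until is None:
            return False
        if now >= until:                # the predetermined period has lapsed
            del self.expiry[ip]
            return False
        return True


@dataclass
class MailServer:
    name: str
    db: BlockDatabase = field(default_factory=BlockDatabase)
    peers: list = field(default_factory=list)

    def report_source(self, ip, now):
        """Mark the source as blocked locally and on every known peer."""
        self.db.block(ip, now)
        for peer in self.peers:
            peer.db.block(ip, now)

    def on_connect(self, ip, now):
        """Hook 1, transport layer: runs before any data reaches SMTP.
        "drop" stands for sending no frames back to the source."""
        return "drop" if self.db.is_blocked(ip, now) else "accept"

    def on_envelope(self, mail_from, rcpt_to, local_users):
        """Hook 2, SMTP transport event: sender and recipient are known,
        the message body is not yet complete."""
        if mail_from.lower() in BANNED_SENDERS:
            return "error"
        if rcpt_to.lower() not in local_users:
            return "error"
        return "continue"

    def on_message(self, ip, attachment_names, now):
        """Hook 3, before the routing event: the full message is available."""
        if any(n.lower().endswith(BANNED_EXTENSIONS) for n in attachment_names):
            self.report_source(ip, now)  # block applied on all servers
            return "deleted"
        return "deliver"


def demo():
    """Walk one constructed source through two cooperating servers."""
    a, b = MailServer("mx-a"), MailServer("mx-b")
    a.peers.append(b)
    users = {"alice@corp.example"}
    src, t0 = "192.0.2.10", 1_000_000    # documentation-range address
    return [
        a.on_connect(src, t0),                                    # not yet known
        a.on_envelope("news@shop.example", "alice@corp.example", users),
        a.on_message(src, ["invoice.pdf.exe"], t0),               # content rule fails
        b.on_connect(src, t0 + 60),                               # peer learned the block
        b.on_connect(src, t0 + BLOCK_SECONDS),                    # block has expired
    ]


if __name__ == "__main__":
    print(demo())
```
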
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Information Transfer Between Computers (AREA)
Abstract
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB0327596.3 | 2003-11-27 | ||
GBGB0327596.3A GB0327596D0 (en) | 2003-11-27 | 2003-11-27 | Computer system and method |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2005055535A1 (fr) | 2005-06-16 |
Family
ID=29797928
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/GB2004/004968 WO2005055535A1 (fr) | 2003-11-27 | 2004-11-25 | Computer network system and method |
Country Status (2)
Country | Link |
---|---|
GB (1) | GB0327596D0 (fr) |
WO (1) | WO2005055535A1 (fr) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2007028889A1 (fr) * | 2005-09-07 | 2007-03-15 | France Telecom | Relachement de session dans un reseau ip |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5958006A (en) * | 1995-11-13 | 1999-09-28 | Motorola, Inc. | Method and apparatus for communicating summarized data |
US6052709A (en) * | 1997-12-23 | 2000-04-18 | Bright Light Technologies, Inc. | Apparatus and method for controlling delivery of unsolicited electronic mail |
US6321267B1 (en) * | 1999-11-23 | 2001-11-20 | Escom Corporation | Method and apparatus for filtering junk email |
US20030187996A1 (en) * | 2001-11-16 | 2003-10-02 | Cardina Donald M. | Methods and systems for routing messages through a communications network based on message content |
- 2003-11-27: GB application GBGB0327596.3A (GB0327596D0), status: not active, ceased
- 2004-11-25: WO application PCT/GB2004/004968 (WO2005055535A1), status: active, application filing
Non-Patent Citations (1)
Title |
---|
SATHEESH KOLATHUR ET AL: "SPAM FILTER - A collaborative method of eliminating spam - White Paper", WHITE PAPER, 8 December 2000 (2000-12-08), XP002267230 * |
Also Published As
Publication number | Publication date |
---|---|
GB0327596D0 (en) | 2003-12-31 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7886066B2 (en) | Zero-minute virus and spam detection | |
US6941348B2 (en) | Systems and methods for managing the transmission of electronic messages through active message date updating | |
US7194515B2 (en) | Method and system for selectively blocking delivery of bulk electronic mail | |
US7472163B1 (en) | Bulk message identification | |
US6321267B1 (en) | Method and apparatus for filtering junk email | |
US20020147780A1 (en) | Method and system for scanning electronic mail to detect and eliminate computer viruses using a group of email-scanning servers and a recipient's email gateway | |
US7249175B1 (en) | Method and system for blocking e-mail having a nonexistent sender address | |
US20060036701A1 (en) | Messaging system having message filtering and access control | |
US20150026804A1 (en) | Method and Apparatus for Reclassifying E-mail or Modifying a Spam Filter Based on Users' Input | |
US20030220978A1 (en) | System and method for message sender validation | |
US20040221016A1 (en) | Method and apparatus for preventing transmission of unwanted email | |
US20090307320A1 (en) | Electronic mail processing unit including silverlist filtering | |
US20060265459A1 (en) | Systems and methods for managing the transmission of synchronous electronic messages | |
AU2009299539B2 (en) | Electronic communication control | |
WO2005001733A1 (fr) | Systeme de gestion de messages electroniques et procede associe | |
US7958187B2 (en) | Systems and methods for managing directory harvest attacks via electronic messages | |
WO2005055535A1 (fr) | Computer network system and method | |
Moors et al. | End-system tools for enhancing email reliability |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A1 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A1 Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
DPEN | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed from 20040101) | ||
NENP | Non-entry into the national phase |
Ref country code: DE |
|
WWW | Wipo information: withdrawn in national office |
Country of ref document: DE |
|
122 | Ep: pct application non-entry in european phase |