WO2005055535A1 - Computer network system and method - Google Patents

Computer network system and method

Info

Publication number
WO2005055535A1
Authority
WO
WIPO (PCT)
Prior art keywords
mail
server
message
messages
smtp
Prior art date
Application number
PCT/GB2004/004968
Other languages
English (en)
Inventor
Clive Homewood
Original Assignee
Boots Board Limited
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Boots Board Limited
Publication of WO2005055535A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227 Filtering policies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/21 Monitoring or handling of messages
    • H04L51/212 Monitoring or handling of messages using filtering or selective blocking
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/21 Monitoring or handling of messages
    • H04L51/23 Reliability checks, e.g. acknowledgments or fault reporting

Definitions

  • This invention relates to a computer network system and method.
  • it relates to a computer system and method for handling electronic mail.
  • In parallel with the recent rapid expansion in the use of electronic mail as a communication medium, there has been an expansion in unsolicited messages, which are commonly known as "spam".
  • An unsolicited e-mail message is similar to junk mail people receive in the post.
  • a sender of bulk unsolicited e-mail messages (known as a "spammer") typically uses other people's mail servers to deliver their e-mail campaigns at other people's expense. Unsolicited e-mail costs are covered by the ISP (Internet Service Provider) processing the e-mail messages and the individuals receiving the messages.
  • Unsolicited e-mail campaigns are often seen as congestion on ISP networks.
  • One method is to delete all the unsolicited e-mail. This method requires the ISP to operate additional hardware and/or software to analyse each incoming e-mail message and make a decision based on rules to decide if the message is considered unsolicited. If it is, the e-mail is deleted. This method can cause false positives. A false positive is when an e-mail filter based on its rules has decided to delete the message when the message is not, in fact, unsolicited. Another method uses the same filters, but simply marks the message in the subject as a possible unsolicited message, allowing the individual that receives the e-mail to make the decision whether to delete it or not.
  • the first method is the one most prone to error.
  • a false positive can cause the deletion of good messages and the ISP has to incur costs for additional hardware and software.
  • the second solution stops deletion of the false positives, by allowing the message to be delivered, but the individual still has to receive the messages and the network must transport them. If a spammer sends out hundreds of thousands of e-mail messages, all being identical, the filter will analyse each message. This is inefficient. Neither solution targets the original problem of the e-mail being received in the first place.
  • An aim of this invention is to provide e-mail handling systems and methods that discourage or prevent mass distribution of unsolicited e-mail messages. Simply handling messages after they have been received does not achieve this. Spammers sell their spamming techniques to customers by sending out large amounts of unsolicited e-mail messages and getting paid for it by their customers. The spammer has to show that the message was successfully sent from their systems to get paid, not that it was received by the targeted individual. So as long as a message is shown as sent, the spammer does not mind if the ISPs or recipients delete them, as that does not affect their income. In fact, the more systems the ISPs put in place to delete the messages, the more the spammers can send.
  • e-mail is handled in the Internet using the simple mail transport protocol (SMTP), an application layer protocol in the OSI model.
  • the SMTP handles sending and receiving of the e-mail traffic and a receiving SMTP server confirms that a message has been received by a mail transport agent on a destination host. This is achieved by an exchange of packets between the sender and the destination in accordance with the protocol.
  • It is not possible to change this protocol on an e-mail server because this would obstruct normal operation of e-mail transport; therefore, this invention is designed to be compatible with existing SMTP e-mail systems.
  • this invention provides a method of operating a mail server, the method comprising: performing one or more tests upon an incoming e-mail message to assess whether it is an acceptable message; and in the event that the e-mail message is found to be unacceptable, preventing the receiving server from sending acknowledgement of receipt of the message to the sender.
  • Methods embodying this aspect of the invention are surprisingly effective in discouraging spam messages.
  • the impression given to the sender is that the message has failed to send, so the spammer does not receive payment for sending the message.
  • the sender will typically wait for some time for receipt of acknowledgement before timing out. This blocks each sending thread within the source machine, so limiting the total number of messages that can be sent by the sender.
  • Typical embodiments of the invention operate to receive messages using an application layer protocol that operates according to the simple mail transport protocol (SMTP).
  • prevention of acknowledgement may be implemented within a layer of the network stack lower than that of the application layer. For example, it may take place at the transport layer, which operates using the transmission control protocol (TCP) in the Internet.
  • Information relating to servers that are sources of unacceptable e-mail may be stored in a database. Information that has been stored in the database may be used to determine how subsequent e-mail from a particular source server should be handled, or whether a further connection from a particular sending SMTP should be accepted at all. For example, if an e-mail message comes from a known spammer, the SMTP server from which the spammer's messages originate may be denied connection for a predetermined period, for example, two days.
  • the server may be operative, upon identifying a source of inappropriate e-mail messages, to send a message to one or more other servers operating according to a method embodying the invention, the message identifying a server from which inappropriate messages have been received.
  • the server may store information (for example, in the database) to identify the server identified in the message as one from which messages should be rejected automatically and, for example, for a predetermined period, such as for two days. This may be implemented in a peer-to-peer network, or with a central server that co-ordinates distribution of information relating to sources of unsolicited e-mail messages amongst servers of which it is aware.
  • this invention provides a mail server operative to process mail messages by means of a method according to the first aspect of the invention.
  • the mail server may comprise conventional computer hardware and software that, when executed by the hardware, performs a method according to the first aspect of the invention.
  • this invention provides a network stack that can be executed on computer hardware to process e-mail messages in accordance with the first aspect of the invention.
  • this invention provides a software product that can be executed on computer hardware to process e-mail messages in accordance with the first aspect of the invention.
  • Figure 1 is a general overview of a spammer distributing unsolicited e-mail messages by way of the Internet according to known methods.
  • FIG. 2 illustrates components of an SMTP server embodying the invention.
  • a spammer uses a server 10 to send bulk unsolicited e-mail messages.
  • a spammer typically operates through use of an outgoing mail server 10 that has a direct connection to the Internet 12.
  • the server may be a computer owned by the spammer, or may be a server operated by an Internet service provider (ISP).
  • the server operates networking software that is capable of generating e-mail messages from a list of many e-mail addresses and sending them using the simple mail transport protocol.
  • the messages are routed by Internet servers to the intended recipient mail host 14.
  • each message is analysed by filters 16 to determine whether or not it is an unsolicited message. If it is not unsolicited, it is delivered to the individual addressee's mailbox 18. Otherwise, it is handled as unsolicited mail, either by deleting it or by changing its subject line to indicate that it is unsolicited before delivering it to the user, illustrated at 20.
  • This invention is implemented in the software systems of the recipient mail host 14.
  • When an e-mail client or server sends a message, it goes through a stage of communication, where it has to tell the incoming SMTP server where the message originated, the recipient and the data contained.
  • This communication involves the sender 10 sending to the recipient 14 one or more SMTP commands, which the recipient 14 acknowledges by sending one or more SMTP replies back to the sender 10. Therefore, after each piece of this information is passed to the receiving SMTP server, the sending SMTP waits for the receiving server to acknowledge it has received the information correctly. If the sending server 10 does not receive answers to its requests in accordance with the specifications laid down in the simple mail transport protocol, it waits for a time that is not defined by SMTP to receive the acknowledgement. This time varies depending on the manufacturer of the SMTP server.
  • the receiving SMTP server 14 analyses incoming e-mail messages, and applies analysis rules to determine whether it has become the target of a campaign of unsolicited e-mail.
  • the analysis applied to incoming messages includes rules to detect the following properties of a message:
  • the software receives the e-mail message and applies configured rules based on the above properties.
  • the information is then passed to a database where information is stored to determine how any future events involving the sending server are handled. If a rule applied to a message fails, that is to say, it concludes that the incoming message contains fake headers or has known unsolicited content, a message is sent to all SMTP servers that implement the invention instructing them to block messages from the sender. The current message that failed the test is deleted and the sending server is marked in the database as blocked.
  • the simple mail transport protocol 22 relies upon a transport-layer protocol 24, typically the transmission control protocol (TCP) to carry its data frames.
  • TCP is a connection-based protocol (that, in turn, relies upon lower network layers 26 that will not be discussed here) that can establish reliable data transport between hosts.
  • the SMTP layer 22 must establish a TCP connection to the well-known port 25 on the recipient before any transport of e-mail messages can take place.
  • the TCP network layer 24 of the receiving host 14 operates to examine all frames received on port 25, and consults the database 30 to determine how they should be processed. If a frame is received from a host that is marked in the database as a source of unsolicited e-mail, it is handled in a non-standard manner that ensures that SMTP communication cannot be established.
  • an SMTP transaction can be considered to consist of the following events: the transport event and the routing event.
  • the invention can be implemented by providing a hook into the transport event and between the transport event and the routing event.
  • the embodiment is invoked to check whether the message is for a valid user or from a valid sender.
  • a valid sender in this context, is one that is not listed in the database as a source of unsolicited e-mail messages.
  • the incoming IP address of the sending SMTP server is compared with the database of blocked sending servers. This event is handled at the transport layer, and therefore takes place before any data reaches the SMTP layer. Thus, packets from blacklisted servers are blocked in much the same way as packets are blocked by a firewall. Thus, if the IP address of a server is in the database, this embodiment will stop any data passing from the blocked server to the SMTP layer. This occurs before the transport and routing layer.
  • the embodiment releases the message and the transport event then continues and sends an acknowledgement to the sender, as required by the transport control protocol. If the message is rejected, an error code is returned by the transport layer.
  • the released message is then passed to the SMTP transport event.
  • the second event then fires.
  • the SMTP server is communicating with the sending SMTP server and exchanging information about the sender and recipient of the message, etc.
  • the software now has the information regarding the sender and recipient.
  • the software checks for valid senders and receivers. It also checks that the message is not coming from a known banned e-mail address or domain name. If this fails an error is returned to the sending SMTP server. If it passes, the second event is stopped and the standard SMTP server continues. This occurs during the transport layer.
  • the second event does not have the e-mail message in a complete form, so a third event is required for the message to be processed in full.
  • the released message is then passed to the SMTP routing event.
  • the software of the embodiment can now access the complete message.
  • the third hook is then activated before the message is processed by the routing event.
  • the software now analyses the content of the message, for example, for banned file extensions and for content that suggests known spammer techniques have been applied to generate the message. If this test fails the TCP block is applied to all SMTP servers.
  • the software checks for valid senders and receivers. It also checks that the message is not coming from a known banned e-mail address or domain name. The domain/e-mail address could be being sent from a mail server different to that specified as the sender or reply-to address, so it could have got through the first event, described above.
  • the operator of the sending SMTP server is penalised because all messages from it are blocked when it is determined to be a source of spam. This is done so that the problem is removed from the recipient's server and placed in the hands of the operators of the sending server. This has the effect that if the operators were unaware of the spammer the fact that their messages are being blocked will draw attention to the existence of a problem. The operators can then take action to stop the spammer.
  • the second event does not have the e-mail message in a complete form, so a third event is required for the message to be received in full.
  • This is the mail event that does the checks on the format of the message and applies the rules described above. This occurs just before the routing layer and after the transport layer.
  • the SMTP uses the TCP for its network protocol.
  • the software systems embodying the invention are activated. These systems communicate with one another directly with the TCP protocol. This is so as not to interfere with the SMTP; only the TCP protocol is affected. This is why the SMTP layer is unaware of the changes that have occurred.
  • a post office server e.g., operating the POP3 or IMAP protocol
  • a user can then download their messages from the post office whenever it is convenient to do so.
  • the system implemented by this embodiment operates in front of the post office server, so the post office server is completely unaffected by messages that are blocked. This provides a decrease in bandwidth usage and a corresponding increase in server capacity. Therefore, the post office server has more time to process good e-mail messages and, because there are fewer e-mail messages coming in, there is less traffic on the Internet connections.
  • this invention directly targets the spammer's business model. This concept causes the spammer to stop targeting the ISP or companies running the servers that embody the invention. It can also reduce the spammer's ability to target other servers.
  • a sending server will start a thread to send a message, and that thread will run until the message has been sent or it has been finally decided that the message cannot be sent.
  • Some network activities, such as initiation of a TCP session, will cause the thread to block until completion or a timeout period has elapsed. Since a system can only support a finite number of threads at any one time, any thread that is blocked while trying to send a message to a server embodying the invention cannot become free to send a message to another server.
  • the TCP layer can react in several ways when it receives frames from a blocked server. For example, it may send no frames at all back to the sending server 10. In that case, the session setup fails entirely. Alternatively, it may allow the session to be set up, but then fail to acknowledge subsequent packets sent over the established session. As a further alternative, it may initiate a session teardown a short time after the session has been established.
  • a network that includes several mail servers embodying the invention can share information relating to sources of unsolicited e-mail messages.
  • When one such server adds a source to its database, it can send a message to one or more other servers, each of which will add the same information to its database.
  • When one server detects a source of unsolicited e-mail messages, it sends the information to a central server. The central server then sends a message to all servers of which it is aware, instructing those servers to update their databases.
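
The three-event check and the shared, time-limited block database described above, as an added Python example that is not part of the patent text: `MailGate`, `BlockDatabase`, the verdict strings, the banned-extension list and all addresses are assumptions made for illustration. A `DROP` verdict stands for the transport layer sending nothing back to the sending server.

```python
from dataclasses import dataclass, field
from email.utils import parseaddr

BLOCK_SECONDS = 2 * 24 * 3600  # the text's example block period: two days

@dataclass
class BlockDatabase:
    """Blocked sending servers: IP -> expiry time (epoch seconds)."""
    blocked: dict = field(default_factory=dict)
    peers: list = field(default_factory=list)  # other cooperating servers

    def is_blocked(self, ip, now):
        expiry = self.blocked.get(ip)
        if expiry is not None and now >= expiry:
            del self.blocked[ip]  # block period over: forget the entry
            return False
        return expiry is not None

    def block(self, ip, now, propagate=True):
        self.blocked[ip] = now + BLOCK_SECONDS
        if propagate:  # peer-to-peer sharing; peers do not re-broadcast
            for peer in self.peers:
                peer.block(ip, now, propagate=False)

@dataclass
class MailGate:
    """Hypothetical receiving host with the three hooks the text describes."""
    db: BlockDatabase
    local_users: set
    banned: set  # banned addresses or bare domains (constructed values)
    banned_ext: tuple = (".exe", ".scr", ".pif")  # constructed list

    def _is_banned(self, address):
        addr = parseaddr(address)[1].lower()
        return bool(addr) and bool({addr, addr.rsplit("@", 1)[-1]} & self.banned)

    def on_connect(self, ip, now):
        # First event: source IP is checked before any data reaches SMTP.
        return "DROP" if self.db.is_blocked(ip, now) else "PASS"

    def on_envelope(self, mail_from, rcpt_to):
        # Second event: sender and recipient are known, the body is not.
        if self._is_banned(mail_from) or rcpt_to.lower() not in self.local_users:
            return "ERROR"  # an error is returned to the sending SMTP server
        return "PASS"

    def on_message(self, ip, headers, attachments, now):
        # Third event: complete message, checked just before routing.
        spoofed = any(self._is_banned(headers.get(h, ""))
                      for h in ("From", "Reply-To"))
        bad_file = any(n.lower().endswith(self.banned_ext) for n in attachments)
        if spoofed or bad_file:
            self.db.block(ip, now)  # mark the server blocked, tell the peers
            return "DROP"           # message deleted, nothing acknowledged
        return "DELIVER"

    def handle(self, ip, mail_from, rcpt_to, headers, attachments, now):
        verdict = self.on_connect(ip, now)
        if verdict == "PASS":
            verdict = self.on_envelope(mail_from, rcpt_to)
        if verdict == "PASS":
            verdict = self.on_message(ip, headers, attachments, now)
        return verdict

def demo():
    """Constructed traffic (RFC 5737 addresses); the spam hides a banned Reply-To."""
    peer_db = BlockDatabase()
    gate = MailGate(BlockDatabase(peers=[peer_db]), {"alice@example.org"},
                    {"bulk.example"})
    t0, bad_ip = 1_000_000, "203.0.113.9"
    good = ("198.51.100.7", "carol@example.com", "alice@example.org",
            {"From": "Carol <carol@example.com>"}, ["notes.txt"])
    spam = (bad_ip, "x@example.com", "alice@example.org",
            {"From": "x@example.com", "Reply-To": "Offers <o@bulk.example>"}, [])
    return [gate.handle(*good, now=t0), gate.handle(*spam, now=t0),
            gate.handle(*spam, now=t0 + 60),       # dropped on connect
            peer_db.is_blocked(bad_ip, t0 + 60),   # peer learned the block
            gate.on_connect(bad_ip, t0 + BLOCK_SECONDS)]  # block expired
```

The second spam attempt never reaches the envelope or content checks: once the source is in the database, the connection-stage check alone decides, and the entry lapses after the block period.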

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention relates to a system for operating an Internet mail server. The method comprises: performing at least one test on an incoming e-mail message to assess whether the message is acceptable; and preventing the server from sending an acknowledgement of receipt to the sender if the e-mail message has been found to be unacceptable. In typical embodiments, mail is transported using the simple mail transfer protocol. The acknowledgement of receipt for the message is advantageously obtained at a lower level in the protocol stack, so that it is transparent to the mail transfer protocol.
PCT/GB2004/004968 2003-11-27 2004-11-25 Computer network system and method WO2005055535A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GB0327596.3 2003-11-27
GBGB0327596.3A GB0327596D0 (en) 2003-11-27 2003-11-27 Computer system and method

Publications (1)

Publication Number Publication Date
WO2005055535A1 (fr) 2005-06-16

Family

ID=29797928

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2004/004968 WO2005055535A1 (fr) Computer network system and method 2003-11-27 2004-11-25

Country Status (2)

Country Link
GB (1) GB0327596D0 (fr)
WO (1) WO2005055535A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007028889A1 (fr) * 2005-09-07 2007-03-15 France Telecom Session release in an IP network

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5958006A (en) * 1995-11-13 1999-09-28 Motorola, Inc. Method and apparatus for communicating summarized data
US6052709A (en) * 1997-12-23 2000-04-18 Bright Light Technologies, Inc. Apparatus and method for controlling delivery of unsolicited electronic mail
US6321267B1 (en) * 1999-11-23 2001-11-20 Escom Corporation Method and apparatus for filtering junk email
US20030187996A1 (en) * 2001-11-16 2003-10-02 Cardina Donald M. Methods and systems for routing messages through a communications network based on message content

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
SATHEESH KOLATHUR ET AL: "SPAM FILTER - A collaborative method of eliminating spam - White Paper", WHITE PAPER, 8 December 2000 (2000-12-08), XP002267230 *

Also Published As

Publication number Publication date
GB0327596D0 (en) 2003-12-31

Similar Documents

Publication Publication Date Title
US7886066B2 (en) Zero-minute virus and spam detection
US6941348B2 (en) Systems and methods for managing the transmission of electronic messages through active message date updating
US7194515B2 (en) Method and system for selectively blocking delivery of bulk electronic mail
US7472163B1 (en) Bulk message identification
US6321267B1 (en) Method and apparatus for filtering junk email
US20020147780A1 (en) Method and system for scanning electronic mail to detect and eliminate computer viruses using a group of email-scanning servers and a recipient's email gateway
US7249175B1 (en) Method and system for blocking e-mail having a nonexistent sender address
US20060036701A1 (en) Messaging system having message filtering and access control
US20150026804A1 (en) Method and Apparatus for Reclassifying E-mail or Modifying a Spam Filter Based on Users' Input
US20030220978A1 (en) System and method for message sender validation
US20040221016A1 (en) Method and apparatus for preventing transmission of unwanted email
US20090307320A1 (en) Electronic mail processing unit including silverlist filtering
US20060265459A1 (en) Systems and methods for managing the transmission of synchronous electronic messages
AU2009299539B2 (en) Electronic communication control
WO2005001733A1 (fr) Electronic message management system and associated method
US7958187B2 (en) Systems and methods for managing directory harvest attacks via electronic messages
WO2005055535A1 (fr) Computer network system and method
Moors et al. End-system tools for enhancing email reliability

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NA NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LU MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
DPEN Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed from 20040101)
NENP Non-entry into the national phase

Ref country code: DE

WWW Wipo information: withdrawn in national office

Country of ref document: DE

122 Ep: pct application non-entry in european phase