Hash-based systems and methods for detecting and preventing transmission of unwanted e-mail

Description

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates generally to network security and, more particularly, to systems and methods for detecting and/or preventing the transmission of unwanted e-mails, such as e-mails containing worms and viruses, including polymorphic worms and viruses, and unsolicited commercial e-mails.

2. Description of Related Art

Availability of low cost computers, high speed networking products, and readily available network connections has helped fuel the proliferation of the Internet. This proliferation has caused the Internet to become an essential tool for both the business community and private individuals. Dependence on the Internet arises, in part, because the Internet makes it possible for multitudes of users to access vast amounts of information and perform remote transactions expeditiously and efficiently. Along with the rapid growth of the Internet have come problems arising from attacks from within the network and the shear volume of commercial e-mail. As the size of the Internet continues to grow, so does the threat posed to users of the Internet.

Many of the problems take the form of e-mail. Viruses and worms often masquerade within e-mail messages for execution by unsuspecting e-mail recipients. Unsolicited commercial e-mail, or “spam,” is another burdensome type of e-mail because it wastes both the time and resources of the e-mail recipient.

Existing techniques for detecting viruses, worms, and spam examine each e-mail message individually. In the case of viruses and worms, this typically means examining attachments for byte-strings found in known viruses and worms (possibly after uncompressing or de-archiving attached files), or simulating execution of the attachment in a “safe” compartment and examining its behaviors. Similarly, existing spam filters usually examine a single e-mail message looking for heuristic traits commonly found in unsolicited commercial e-mail, such as an abundance of Uniform Resource Locators (URLs), heavy use of all-capital-letter words, use of colored text or large fonts, and the like, and then “score” the message based on the number and types of such traits found. Both the anti-virus and the anti-spam techniques can demand significant processing of each message, adding to the resource burden imposed by unwanted e-mail. Neither technique makes use of information collected from other recent messages.

Thus, there is need for an efficient technique that can quickly detect viruses, worms, and spam in e-mail messages arriving at e-mail servers, possibly by using information contained in multiple recent messages to detect unwanted mail more quickly and efficiently.

SUMMARY OF THE INVENTION

Systems and methods consistent with the present invention address this and other needs by providing a new defense that detects and prevents the transmission of unwanted (and potentially unwanted) e-mail, such as e-mails containing viruses, worms, and spam.

In accordance with an aspect of the invention as embodied and broadly described herein, a method for detecting transmission of potentially unwanted e-mail messages is provided. The method includes receiving e-mail messages and generating hash values based on one or more portions of the e-mail messages. The method further includes determining whether the generated hash values match hash values associated with prior e-mail messages. The method may also include determining that one of the e-mail messages is a potentially unwanted e-mail message when one or more of the generated hash values associated with the e-mail message match one or more of the hash values associated with the prior e-mail messages.

In accordance with another aspect of the invention, a mail server includes one or more hash memories and a hash processor. The one or more hash memories is/are configured to store count values associated with hash values. The hash processor is configured to receive an e-mail message, hash one or more portions of the e-mail message to generate hash values, and increment the count values corresponding to the generated hash values. The hash processor is further configured to determine whether the e-mail message is a potentially unwanted e-mail message based on the incremented count values.

In accordance with yet another aspect of the invention, a method for detecting transmission of unwanted e-mail messages is provided. The method includes receiving e-mail messages and detecting unwanted e-mail messages of the received e-mail messages based on hashes of previously received e-mail messages, where multiple hashes are performed on each of the e-mail messages.

In accordance with a further aspect of the invention, a method for detecting transmission of potentially unwanted e-mail messages is provided. The method includes receiving an e-mail message; generating hash values over blocks of the e-mail message, where the blocks include at least two of a main text portion, an attachment portion, and a header portion of the e-mail message; determining whether the generated hash values match hash values associated with prior e-mail messages; and determining that the e-mail message is a potentially unwanted e-mail message when one or more of the generated hash values associated with the e-mail message match one or more of the hash values associated with the prior e-mail messages.

In accordance with another aspect of the invention, a mail server in a network of cooperating mail servers is provided. The mail server includes one or more hash memories and a hash processor. The one or more hash memories is/are configured to store information relating to hash values corresponding to previously-observed e-mails. The hash processor is configured to receive at least some of the hash values from another one or more of the cooperating mail servers and store information relating to the at least some of the hash values in at least one of the one or more hash memories. The hash processor is further configured to receive an e-mail message, hash one or more portions of the received e-mail message to generate hash values, determine whether the generated hash values match the hash values corresponding to previously-observed e-mails, and identify the received e-mail message as a potentially unwanted e-mail message when one or more of the generated hash values associated with the received e-mail message match one or more of the hash values corresponding to previously-observed e-mails.

In accordance with yet another aspect of the invention, a mail server is provided. The mail server includes one or more hash memories and a hash processor. The one or more hash memories is/are configured to store count values associated with hash values. The hash processor is configured to receive e-mail messages, hash one or more portions of the received e-mail messages to generate hash values, increment the count values corresponding to the generated hash values, as incremented count values, and generate suspicion scores for the received e-mail messages based on the incremented count values.

In accordance with a further aspect of the invention, a method for preventing transmission of unwanted e-mail messages is provided. The method includes receiving an e-mail message; generating hash values over portions of the e-mail message as the e-mail message is being received; and incrementally determining whether the generated hash values match hash values associated with prior e-mail messages. The method further includes generating a suspicion score for the e-mail message based on the incremental determining; and rejecting the e-mail message when the suspicion score of the e-mail message is above a threshold.

BRIEF DESCRIPTION OF THE DRAWINGS

The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate the invention and, together with the description, explain the invention. In the drawings,

FIG. 1 is a diagram of a system in which systems and methods consistent with the present invention may be implemented;

FIG. 2 is an exemplary diagram of the e-mail server of FIG. 1 according to an implementation consistent with the principles of the invention;

FIG. 3 is an exemplary functional block diagram of the e-mail server of FIG. 2 according to an implementation consistent with the principles of the invention;

FIG. 4 is an exemplary diagram of the hash processing block of FIG. 3 according to an implementation consistent with the principles of the invention; and

FIGS. 5A-5E are flowcharts of exemplary processing for detecting and/or preventing transmission of an unwanted e-mail message, such as an e-mail containing a virus or worm, including a polymorphic virus or worm, or an unsolicited commercial e-mail, according to an implementation consistent with the principles of the invention.

DETAILED DESCRIPTION

The following detailed description of the invention refers to the accompanying drawings. The same reference numbers in different drawings may identify the same or similar elements. Also, the following detailed description does not limit the invention. Instead, the scope of the invention is defined by the appended claims and equivalents.

Systems and methods consistent with the present invention provide virus, worm, and unsolicited e-mail detection and/or prevention in e-mail servers. Placing these features in e-mail servers provides a number of new advantages, including the ability to align hash blocks to crucial boundaries found in e-mail messages and eliminate certain counter-measures by the attacker, such as using small Internet Protocol (IP) fragments to limit the detectable content in each packet. It also allows these features to relate e-mail header fields with the potentially-harmful segment of the message (usually an “attachment”), and decode common file-packing and encoding formats that might otherwise make a virus or worm undetectable by the packet-based technique (e.g., “.zip files”).

By placing these features within an e-mail server, the ability to detect replicated content in the network at points where large quantities of traffic are present is obtained. By relating many otherwise-independent messages and finding common factors, the e-mail server may detect unknown, as well as known, viruses and worms. These features may also be applied to detect potential unsolicited commercial e-mail (“spam”).

E-mail servers for major Internet Service Providers (ISPs) may process a million e-mail messages a day, or more, in a single server. When viruses and worms are active in the network, a substantial fraction of this e-mail may actually be traffic generated by the virus or worm. Thus, an e-mail server may have dozens to thousands of examples of a single e-mail-borne virus pass through it in a day, offering an excellent opportunity to determine the relationships between e-mail messages and detect replicated content (a feature that is indicative of virus/worm propagation) and spam, among other, more legitimate traffic (such as traffic from legitimate mailing lists).

Systems and methods consistent with the principles of the invention provide mechanisms to detect and stop e-mail-borne viruses and worms before the addressed user receives them, in an environment where the virus is still inert. Current e-mail servers do not normally execute any code in the e-mail being transported, so they are not usually subject to virus/worm infections from the content of the e-mails they process—though, they may be subject to infection via other forms of attack.

Besides e-mail-borne viruses and worms, another common problem found in e-mail is mass-e-mailing of unsolicited commercial e-mail, colloquially referred to as “spam.” It is estimated that perhaps 25%-50% of all e-mail messages now received for delivery by major ISP e-mail servers is spam.

Users of network e-mail services are desirous of mechanisms to block e-mail containing viruses or worms from reaching their machines (where the virus or worm may easily do harm before the user realizes its presence). Users are also desirous of mechanisms to block unsolicited commercial e-mail that consumes their time and resources.

Many commercial e-mail services put a limit on each user's e-mail accumulating at the server, and not yet downloaded to the customer's machine. If too much e-mail arrives between times when the user reads his e-mail, additional e-mail is either “bounced” (i.e., returned to the sender's e-mail server) or even simply discarded, both of which events can seriously inconvenience the user. Because the user has no control over arriving e-mail due to e-mail-borne viruses/worms, or spam, it is a relatively common occurrence that the user's e-mail quota overflows due to unwanted and potentially harmful messages. Similarly, the authors of e-mail-borne viruses, as well as senders of spam, have no reason to limit the size of their messages. As a result, these messages are often much larger than legitimate e-mail messages, thereby increasing the risks of such denial of service to the user by overflowing the per-user e-mail quota.

Users are not the only group inconvenienced by spam and e-mail-borne viruses and worms. Because these types of unwanted e-mail can form a substantial fraction, even a majority, of e-mail traffic in the Internet, for extended periods of time, ISPs typically must add extra resources to handle a peak e-mail load that would otherwise be about half as large. This ratio of unwanted-to-legitimate e-mail traffic appears to be growing daily. Systems and methods consistent with the principles of the invention provide mechanisms to detect and discard unwanted e-mail in network e-mail servers.

Exemplary System Configuration

FIG. 1 is a diagram of an exemplary system 100 in which systems and methods consistent with the present invention may be implemented. System 100 includes mail clients 110 connected to a mail server 120 via a network 130. Connections made in system 100 may be via wired, wireless, and/or optical communication paths. While FIG. 1 shows three mail clients 110 and a single mail server 120, there can be more or fewer clients and servers in other implementations consistent with the principles of the invention.

Network 130 may facilitate communication between mail clients 110 and mail server 120. Typically, network 130 may include a collection of network devices, such as routers or switches, that transfer data between mail clients 110 and mail server 120. In an implementation consistent with the present invention, network 130 may take the form of a wide area network, a local area network, an intranet, the Internet, a public telephone network, a different type of network, or a combination of networks.

Mail clients 110 may include personal computers, laptops, personal digital assistants, or other types of wired or wireless devices that are capable of interacting with mail server 120 to receive e-mails. In another implementation, clients 110 may include software operating upon one of these devices. Client 110 may present e-mails to a user via a graphical user interface.

Mail server 120 may include a computer or another device that is capable of providing e-mail services for mail clients 110. In another implementation, server 120 may include software operating upon one of these devices.

FIG. 2 is an exemplary diagram of mail server 120 according to an implementation consistent with the principles of the invention. Server 120 may include bus 210, processor 220, main memory 230, read only memory (ROM) 240, storage device 250, input device 260, output device 270, and communication interface 280. Bus 210 permits communication among the components of server 120.

Processor 220 may include any type of conventional processor or microprocessor that interprets and executes instructions. Main memory 230 may include a random access memory (RAM) or another type of dynamic storage device that stores information and instructions for execution by processor 220. ROM 240 may include a conventional ROM device or another type of static storage device that stores static information and instructions for use by processor 220. Storage device 250 may include a magnetic and/or optical recording medium and its corresponding drive.

Input device 260 may include one or more conventional mechanisms that permit an operator to input information to server 120, such as a keyboard, a mouse, a pen, voice recognition and/or biometric mechanisms, etc. Output device 270 may include one or more conventional mechanisms that output information to the operator, such as a display, a printer, a pair of speakers, etc. Communication interface 280 may include any transceiver-like mechanism that enables server 120 to communicate with other devices and/or systems. For example, communication interface 280 may include mechanisms for communicating with another device or system via a network, such as network 130.

As will be described in detail below, server 120, consistent with the present invention, provides e-mail services to clients 110, while detecting unwanted e-mails and/or preventing unwanted e-mails from reaching clients 110. Server 120 may perform these tasks in response to processor 220 executing sequences of instructions contained in, for example, memory 230. These instructions may be read into memory 230 from another computer-readable medium, such as storage device 250 or a carrier wave, or from another device via communication interface 280.

Execution of the sequences of instructions contained in memory 230 may cause processor 220 to perform processes that will be described later. Alternatively, hardwired circuitry may be used in place of or in combination with software instructions to implement processes consistent with the present invention. Thus, processes performed by server 120 are not limited to any specific combination of hardware circuitry and software.

FIG. 3 is an exemplary functional block diagram of mail server 120 according to an implementation consistent with the principles of the invention. Server 120 may include a Simple Mail Transfer Protocol (SMTP) block 310, a Post Office Protocol (POP) block 320, an Internet Message Access Protocol (IMAP) block 330, and a hash processing block 340.

SMTP block 310 may permit mail server 120 to communicate with other mail servers connected to network 130 or another network. SMTP is designed to efficiently and reliably transfer e-mail across networks. SMTP defines the interaction between mail servers to facilitate the transfer of e-mail even when the mail servers are implemented on different types of computers or running different operating systems.

POP block 320 may permit mail clients 110 to retrieve e-mail from mail server 120. POP block 320 may be designed to always receive incoming e-mail. POP block 320 may then hold e-mail for mail clients 110 until mail clients 110 connect to download them.

IMAP block 330 may provide another mechanism by which mail clients 110 can retrieve e-mail from mail server 120. IMAP block 330 may permit mail clients 110 to access remote e-mail as if the e-mail was local to mail clients 110.

Hash processing block 340 may interact with SMTP block 310, POP block 320, and/or IMAP block 330 to detect and prevent transmission of unwanted e-mail, such as e-mails containing viruses or worms and unsolicited commercial e-mail (spam).

FIG. 4 is an exemplary diagram of hash processing block 340 according to an implementation consistent with the principles of the invention. Hash processing block 340 may include hash processor 410 and one or more hash memories 420. Hash processor 410 may include a conventional processor, an application specific integrated circuit (ASIC), a field-programmable gate array (FPGA), or some other type of device that generates one or more representations for each received e-mail and records the e-mail representations in hash memory 420.

An e-mail representation will likely not be a copy of the entire e-mail, but rather it may include a portion of the e-mail or some unique value representative of the e-mail. For example, a fixed width number may be computed across portions of the e-mail in a manner that allows the entire e-mail to be identified.

To further illustrate the use of representations, a 32-bit hash value, or digest, may be computed across portions of each e-mail. Then, the hash value may be stored in hash memory 420 or may be used as an index, or address, into hash memory 420. Using the hash value, or an index derived therefrom, results in efficient use of hash memory 420 while still allowing the content of each e-mail passing through mail server 120 to be identified.

Systems and methods consistent with the present invention may use any storage scheme that records information about one or more portions of each e-mail in a space-efficient fashion, that can definitively determine if a portion of an e-mail has not been observed, and that can respond positively (i.e., in a predictable way) when a portion of an e-mail has been observed. Although systems and methods consistent with the present invention can use virtually any technique for deriving representations of portions of e-mails, the remaining discussion will use hash values as exemplary representations of portions of e-mails received by mail server 120.

In implementations consistent with the principles of the invention, hash processor 410 may hash one or more portions of a received e-mail to produce a hash value used to facilitate hash-based detection. For example, hash processor 410 may hash one or more of the main text within the message body, any attachments, and one or more header fields, such as sender-related fields (e.g., “From:,” “Sender:,” “Reply-To:,” “Return-Path:,” and “Error-To:”). Hash processor 410 may perform one or more hashes on each of the e-mail portions using the same or different hash functions.

As described in more detail below, hash processor 410 may use the hash results of the hash operation to recognize duplicate occurrences of e-mails and raise a warning if the duplicate e-mail occurrences arrive within a short period of time and raise their level of suspicion above some threshold. It may also be possible to use the hash results for tracing the path of an unwanted e-mail through the network.

Each hash value may be determined by taking an input block of data and processing it to obtain a numerical value that represents the given input data. Suitable hash functions are readily known in the art and will not be discussed in detail herein. Examples of hash functions include the Cyclic Redundancy Check (CRC) and Message Digest 5 (MD5). The resulting hash value, also referred to as a message digest or hash digest, may include a fixed length value. The hash value may serve as a signature for the data over which it was computed.

The hash value essentially acts as a fingerprint identifying the input block of data over which it was computed. Unlike fingerprints, however, there is a chance that two very different pieces of data will hash to the same value, resulting in a hash collision. An acceptable hash function should provide a good distribution of values over a variety of data inputs in order to prevent these collisions. Because collisions occur when different input blocks result in the same hash value, an ambiguity may arise when attempting to associate a result with a particular input.

Hash processor 410 may store a representation of each e-mail it observes in hash memory 420. Hash processor 410 may store the actual hash values as the e-mail representations or it may use other techniques for minimizing storage requirements associated with retaining hash values and other information associated therewith. A technique for minimizing storage requirements may use one or more arrays or Bloom filters.

Rather than storing the actual hash value, which can typically be on the order of 32 bits or more in length, hash processor 410 may use the hash value as an index for addressing an array within hash memory 420. In other words, when hash processor 410 generates a hash value for a portion of an e-mail, the hash value serves as the address location into the array. At the address corresponding to the hash value, a count value may be incremented at the respective storage location, thus, indicating that a particular hash value, and hence a particular e-mail portion, has been seen by hash processor 410. In one implementation, the count value is associated with an 8-bit counter with a maximum value that sticks at 255. While counter arrays are described by way of example, it will be appreciated by those skilled in the relevant art, that other storage techniques may be employed without departing from the spirit of the invention.

Hash memory 420 may store a suspicion count that is used to determine the overall suspiciousness of an e-mail message. For example, the count value (described above) may be compared to a threshold, and the suspicion count for the e-mail may be incremented if the threshold is exceeded. Hence, there may be a direct relationship between the count value and the suspicion count, and it may be possible for the two values to be the same. The larger the suspicion count, the more important the hit should be considered in determining the overall suspiciousness of the packet. Alternatively, the suspicion count can be combined in a “scoring function” with values from this or other hash blocks in the same message in order to determine whether the message should be considered suspicious.

It is not enough, however, for hash memory 420 to simply identify that an e-mail contains content that has been seen recently. There are many legitimate sources (e.g., e-mail list servers) that produce multiple copies of the same message, addressed to multiple recipients. Similarly, individual users often e-mail messages to a group of people and, thus, multiple copies might be seen if several recipients happen to receive their mail from the same server. Also, people often forward copies of received messages to friends or co-workers.

In addition, virus/worm authors typically try to minimize the replicated content in each copy of the virus/worm, in order to not be detected by existing virus and worm detection technology that depends on detecting fixed sequences of bytes in a known virus or worm. These mutable viruses/worms are usually known as polymorphic, and the attacker's goal is to minimize the recognizability of the virus or worm by scrambling each copy in a different way. For the virus or worm to remain viable, however, a small part of it can be mutable in only a relatively small number of ways, because some of its code must be immediately-executable by the victim's computer, and that limits the mutation and obscurement possibilities for the critical initial code part.

In order to accomplish the proper classification of various types of legitimate and unwanted e-mail messages, multiple hash memories 420 can be employed, with separate hash memories 420 being used for specific sub-parts of a standard e-mail message. The outputs of different ones of hash memories 420 can then be combined in an overall “scoring” or classification function to determine whether the message is undesirable or legitimate, and possibly estimate the probability that it belongs to a particular class of traffic, such as a virus/worm message, spam, e-mail list message, normal user-to-user message.

For e-mail following the Internet mail standard REC 822 (and its various extensions), hashing of certain individual e-mail header fields into field-specific hash memories 420 may be useful. Among the header fields for which this may be helpful are: (1) various sender-related fields, such as “From:”, “Sender:”, “Reply-To:”, “Return-Path:” and “Error-To:”; (2) the “To:” field (often a fixed value for a mailing list, frequently missing or idiosyncratic in spam messages); and (3) the last few “Received:” headers (i.e., the earliest ones, since they are normally added at the top of the message), excluding any obvious timestamp data. It may also be useful to hash a combination of the “From:” field and the e-mail address of the recipient (transferred as part of the SMTP mail-transfer protocol, and not necessarily found in the message itself).

Any or all of hash memories 420 may be pre-loaded with knowledge of known good or bad traffic. For example, known viruses and spam content (e.g., the infamous “Craig Shergold letter” or many pyramid swindle letters) can be pre-hashed into the relevant hash memories 420, and/or periodically refreshed in the memory as part of a periodic “cleaning” process described below. Also, known legitimate mailing lists, such as mailing lists from legitimate e-mail list servers, can be added to a “From:” hash memory 420 that passes traffic without further examination.

Over time, hash memories 420 may fill up and the possibility of overflowing an existing count value increases. The risk of overflowing a count value may be reduced if the counter arrays are periodically flushed to other storage media, such as a magnetic disk drive, optical media, solid state drive, or the like. Alternatively, the counter arrays may be slowly and incrementally erased. To facilitate this, a time-table may be established for flushing/erasing the counter arrays. If desired, the flushing/erasing cycle can be reduced by computing hash values only for a subset of the e-mails received by mail server 120. While this approach reduces the flushing/erasing cycle, it increases the possibility that a target e-mail may be missed (i.e., a hash value is not computed over a portion of it).

Non-zero storage locations within hash memories 420 may be decremented periodically rather than being erased. This may ensure that the “random noise” from normal e-mail traffic would not remain in a counter array indefinitely. Replicated traffic (e.g., e-mails containing a virus/worm that are propagating repeatedly across the network), however, would normally cause the relevant storage locations to stay substantially above the “background noise” level.

One way to decrement the count values in the counter array fairly is to keep a total count, for each hash memory 420, of every time one of the count values is incremented. After this total count reaches some threshold value (probably in the millions), for every time a count value is incremented in hash memory 420, another count value gets decremented. One way to pick the count value to decrement is to keep a counter, as a decrement pointer, that simply iterates through the storage locations sequentially. Every time a decrement operation is performed, the following may done: (a) examine the candidate count value to be decremented and if non-zero, decrement it and increment the decrement pointer to the next storage location; and (b) if the candidate count value is zero, then examine each sequentially-following storage location until a non-zero count value is found, decrement that count value, and advance the decrement pointer to the following storage location.

It may be important to avoid decrementing any counters below zero, while not biasing decrements unfairly. Because it may be assumed that the hash is random, this technique should not favor any particular storage location, since it visits each of them before starting over. This technique may be superior to a timer-based decrement because it keeps a fixed total count population across all of the storage locations, representing the most recent history of traffic, and is not subject to changes in behavior as the volume of traffic varies over time.

A variation of this technique may include randomly selecting a count value to decrement, rather than processing them cyclically. In this variation, if the chosen count value is already zero, then another one could be picked randomly, or the count values in the storage locations following the initially-chosen one could be examined in series, until a non-zero count value is found.

Exemplary Processing for Unwanted E-Mail Detection/Prevention

FIGS. 5A-5E are flowcharts of exemplary processing for detecting and/or preventing transmission of unwanted e-mail, such as an e-mail containing a virus or worm, including a polymorphic virus or worm, or an unsolicited commercial e-mail (spam), according to an implementation consistent with the principles of the invention. The processing of FIGS. 5A-5E will be described in terms of a series of acts that may be performed by mail server 120. In implementations consistent with the principles of the invention, some of the acts may be optional and/or performed in an order different than that described. In other implementations, different acts may be substituted for described acts or added to the process.

Processing may begin when hash processor 410 (FIG. 4) receives, or otherwise observes, an e-mail message (act 502) (FIG. 5A). Hash processor 410 may hash the main text of the message body, excluding any attachments (act 504). When hashing the main text, hash processor 410 may perform one or more conventional hashes covering one or more portions, or all, of the main text. For example, hash processor 410 may perform hash functions on fixed or variable sized blocks of the main text. It may be beneficial for hash processor 410 to perform multiple hashes on each of the blocks using the same or different hash functions.

It may be desirable to pre-process the main text to remove attempts to fool pattern-matching mail filters. An example of this is HyperText Markup Language (HTML) e-mail, where spammers often insert random text strings in HTML comments between or within words of the text. Such e-mail may be referred to as “polymorphic spam” because it attempts to make each message appear unique. This method for evading detection might otherwise defeat the hash detection technique, or other string-matching techniques. Thus, removing all HTML comments from the message before hashing it may be desirable. It might also be useful to delete HTML tags from the message, or apply other specialized, but simple, pre-processing techniques to remove content not actually presented to the user. In general, this may be done in parallel with the hashing of the message text, since viruses and worms may be hidden in the non-visible content of the message text.

Hash processor 410 may also hash any attachments, after first attempting to expand them if they appear to be known types of compressed files (e.g., “zip” files) (act 506). When hashing an attachment, hash processor 410 may perform one or more conventional hashes covering one or more portions, or all, of the attachment. For example, hash processor 410 may perform hash functions on fixed or variable sized blocks of the attachment. It may be beneficial for hash processor 410 to perform multiple hashes on each of the blocks using the same or different hash functions.

Hash processor 410 may compare the main text and attachment hashes with known viruses, worms, or spam content in a hash memory 420 that is pre-loaded with information from known viruses, worms, and spam content (acts 508 and 510). If there are any hits in this hash memory 420, there is a probability that the e-mail message contains a virus or worm or is spam. A known polymorphic virus may have only a small number of hashes that match in this hash memory 420, out of the total number of hash blocks in the message. A non-polymorphic virus may have a very high fraction of the hash blocks hit in hash memory 420. For this reason, storage locations within hash memory 420 that contain entries from polymorphic viruses or worms may be given more weight during the pre-loading process, such as by giving them a high initial suspicion count value.

A high fraction of hits in this hash memory 420 may cause the message to be marked as a probable known virus/worm or spam. In this case, the e-mail message can be sidetracked for remedial action, as described below.

A message with a significant “score” from polymorphic virus/worm hash value hits may or may not be a virus/worm instance, and may be sidetracked for further investigation, or marked as suspicious before forwarding to the recipient. An additional check may also be made to determine the level of suspicion.

For example, hash processor 410 may hash a concatenation of the From and To header fields of the e-mail message (act 512) (FIG. 5B). Hash processor 410 may then check the suspicion counts in hash memories 420 for the hashes of the main text, any attachments, and the concatenated From/To (act 514). Hash processor 410 may determine whether the main text or attachment suspicion count is significantly higher than the From/To suspicion count (act 516). If so, then the content is appearing much more frequently outside the messages between this set of users (which might otherwise be due to an e-mail exchange with repeated message quotations) and, thus, is much more suspicious.

When this occurs, hash processor 410 may take remedial action (act 518). The remedial action taken might take different forms, which may be programmable or determined by an operator of mail server 120. For example, hash processor 410 may discard the e-mail. This is not recommended for anything but virtually-certain virus/worm/spam identification, such as a perfect match to a known virus.

As an alternate technique, hash processor 410 may mark the e-mail with a warning in the message body, in an additional header, or other user-visible annotation, and allow the user to deal with it when it is downloaded. For data that appears to be from an unknown mailing list, a variant of this option is to request the user to send back a reply message to the server, classifying the suspect message as either spam or a mailing list. In the latter case, the mailing list source address can be added to the “known legitimate mailing lists” hash memory 420.

As another technique, hash processor 410 may subject the e-mail to more sophisticated (and possibly more resource-consuming) detection algorithms to make a more certain determination. This is recommended for potential unknown viruses/worms or possible detection of a polymorphic virus/worm.

As yet another technique, hash processor 410 may hold the e-mail message in a special area and create a special e-mail message to notify the user of the held message (probably including From and Subject fields). Hash processor 410 may also give instructions on how to retrieve the message.

As a further technique, hash processor 410 may mark the e-mail message with its suspicion score result, but leave it queued for the user's retrieval. If the user's quota would overflow when a new message arrives, the score of the incoming message and the highest score of the queued messages are compared. If the highest queued message has a score above a settable threshold, and the new message's score is lower than the threshold, the queued message with the highest score may be deleted from the queue to make room for the new message. Otherwise, if the new message has a score above the threshold, it may be discarded or “bounced” (e.g., the sending e-mail server is told to hold the message and retry it later). Alternatively, if it is desired to never bounce incoming messages, mail server 120 may accept the incoming message into the user's queue and repeatedly delete messages with the highest suspicion score from the queue until the total is below the user's quota again.

As another technique, hash processor 410 may apply hash-based functions as the e-mail message starts arriving from the sending server and determine the message's suspicion score incrementally as the message is read in. If the message has a high-enough suspicion score (above a threshold) during the early part of the message, mail server 120 may reject the message, optionally with either a “retry later” or a “permanent refusal” result to the sending server (which one is used may be determined by settable thresholds applied to the total suspicion score, and possibly other factors, such as server load). This results in the unwanted e-mail using up less network bandwidth and receiving server resources, and penalizes servers sending unwanted mail, relative to those that do not.

If the suspicion count for the main text or any attachment is not significantly higher than the From/To suspicion count (act 516), hash processor 410 may determine whether the main text or any attachment has significant replicated content (non-zero or high suspicion count values for many hash blocks in the text/attachment content in all storage locations of hash memories 420) (act 520) (FIG. 5A). If not, the message is probably a normal user-to-user e-mail. These types of messages may be “passed” without further examination. When appropriate, hash processor 410 may also record the generated hash values by incrementing the suspicion count value in the corresponding storage locations in hash memory 420.

If the message text is substantially replicated (e.g., greater than 90%), hash processor 410 may check one or more portions of the e-mail message against known legitimate mailing lists within hash memory 420 (act 522) (FIG. 5C). For example, hash processor 410 may hash the From or Sender fields of the e-mail message and compare it/them to known legitimate mailing lists within hash memory 420. Hash processor 410 may also determine whether the e-mail actually appears to originate from the correct source for the mailing list by examining, for example, the sequence of Received headers. Hash processor 410 may further examine a combination of the From or Sender fields and the recipient address to determine if the recipient has previously received e-mail from the sender. This is typical for mailing lists, but atypical of unwanted e-mail, which will normally not have access to the actual list of recipients for the mailing list. Failure of this examination may simply pass the message on, but mark it as “suspicious,” since the recipient may simply be a new subscriber to the mailing list, or the mailings may be infrequent enough to not persist in the hash counters between mailings.

If there is a match with a legitimate mailing list (act 524), then the message is probably a legitimate mailing list duplicate and may be passed with no further examination. This assumes that the mailing list server employs some kind of filtering to exclude unwanted e-mail (e.g., refusing to forward e-mail that does not originate with a known list recipient or refusing e-mail with attachments).

If there is no match with any legitimate mailing lists within hash memory 420, hash processor 410 may hash the sender-related fields (e.g., From, Sender, Reply-To) (act 526). Hash processor 410 may then determine the suspicion count for the sender-related hashes in hash memories 420 (act 528).

Hash processor 410 may determine whether the suspicion counts for the sender-related hashes are similar to the suspicion count(s) for the main text hash(es) (act 530) (FIG. 5D). If both From and Sender fields are present, then the Sender field should match with roughly the same suspicion count value as the message body hash. The From field may or may not match. For a legitimate mailing list, it may be a legitimate mailing list that is not in the known legitimate mailing lists hash memory 420 (or in the case where there is no known legitimate mailing lists hash memory 420). If only the From field is present, it should match about as well as the message text for a mailing list. If none of the sender-related fields match as well as the message text, the e-mail message may be considered moderately suspicious (probably spam, with a variable and fictitious From address or the like).

As an additional check, hash processor 410 may hash the concatenation of the sender-related field with the highest suspicion count value and the e-mail recipient's address (act 532). Hash processor 410 may then check the suspicion count for the concatenation in a hash memory 420 used just for this check (act 534). If it matches with a significant suspicion count value (act 536) (FIG. 5E), then the recipient has recently received multiple messages from this source, which makes it probable that it is a mailing list. The e-mail message may then be passed without further examination.

If the message text or attachments are mostly replicated (e.g., greater than 90% of the hash blocks), but with mostly low suspicion count values in hash memory 420 (act 538), then the message is probably a case of a small-scale replication of a single message to multiple recipients. In this case, the e-mail message may then be passed without further examination.

If the message text or attachments contain some significant degree of content replication (say, greater than 50% of the hash blocks) and at least some of the hash values have high suspicion count values in hash memory 420 (act 540), then the message is fairly likely to be a virus/worm or spam. A virus or worm should be considered more likely if the high-count matches are in an attachment. If the highly-replicated content is in the message text, then the message is more likely to be spam, though it is possible that e-mail text employing a scripting language (e.g., Java script) might also contain a virus.

If the replication is in the message text, and the suspicion count is substantially higher for the message text than for the From field, the message is likely to be spam (because spammers generally vary the From field to evade simpler spam filters). A similar check can be made for the concatenation of the From and To header fields, except that in this case, it is most suspicious if the From/To hash misses (finds a zero suspicion count), indicating that the sender does not ordinarily send e-mail to that recipient, making it unlikely to be a mailing list, and very likely to be a spammer (because they normally employ random or fictitious From addresses).

In the above cases, hash processor 410 may take remedial action (act 542). The particular type of action taken by hash processor 410 may vary as described above.

CONCLUSION

Systems and methods consistent with the present invention provide mechanisms within an e-mail server to detect and/or prevent transmission of unwanted e-mail, such as e-mail containing viruses or worms, including polymorphic viruses and worms, and unsolicited commercial e-mail (spam).

Implementation of a hash-based detection mechanism in an e-mail server at the e-mail message level provides advantages over a packet-based implementation in a router or other network node device. For example, the entire e-mail message has been re-assembled, both at the packet level (i.e., IP fragment re-assembly) and at the application level (multiple packets into a complete e-mail message). Also, the hashing algorithm can be applied more intelligently to specific parts of the e-mail message (e.g., header fields, message body, and attachments). Attachments that have been compressed for transport (e.g., “.zip” files) can be expanded for inspection. Without doing this, a polymorphic virus could easily hide inside such files with no repeatable hash signature visible at the packet transport level.

With the entire message available for a single pass of the hashing process, packet boundaries and packet fragmentation do not split sequences of bytes that might otherwise provide useful hash signatures. A clever attacker might otherwise obscure a virus/worm attack by causing the IP packets carrying the malicious code to be fragmented into pieces smaller than that for which the hashing process is effective, or by forcing packet breaks in the middle of otherwise-visible fixed sequences of code in the virus/worm. Also, the entire message is likely to be longer than a single packet, thereby reducing the probability of false alarms (possibly due to insufficient hash-block sample size and too few hash blocks per packet) and increasing the probability of correct identification of a virus/worm (more hash blocks will match per message than per packet, since packets will be only parts of the entire message).

Also, fewer hash-block alignment issues arise when the hash blocks can be intelligently aligned with fields of the e-mail message, such as the start of the message body, or the start of an attachment block. This results in faster detection of duplicate contents than if the blocks are randomly aligned (as is the case when the method is applied to individual packets).

E-mail-borne malicious code, such as viruses and worms, also usually includes a text message designed to cause the user to read the message and/or perform some other action that will activate the malicious code. It is harder for such text to be polymorphic, because automatic scrambling of the user-visible text will either render it suspicious-looking, or will be very limited in variability. This fact, combined with the ability to start a hash block at the start of the message text by parsing the e-mail header, reduces the variability in hash signatures of the message, making it easier to detect with fewer examples seen.

Further, the ability to extract and hash specific headers from an e-mail message separately may be used to help classify the type of replicated content the message body carries. Because many legitimate cases of message replication exist (e.g., topical mailing lists, such as Yahoo Groups), intelligent parsing and hashing of the message headers is very useful to reduce the false alarm rate, and to increase the accuracy of detection of real viruses, worms, and spam.

This detection technique, compared to others which might extract and save fixed strings to be searched for in other pieces of e-mail, includes hash-based filters that are one-way functions (i.e., it is possible, given a piece of text, to determine if it has been seen before in another message). Given the state data contained in the filter, however, it is virtually impossible to reconstruct a prior message, or any piece of a prior message, that has been passed through the filter previously. Thus, this technique can maintain the privacy of e-mail, without retaining any information that can be attributed to a specific sender or receiver.

The foregoing description of preferred embodiments of the present invention provides illustration and description, but is not intended to be exhaustive or to limit the invention to the precise form disclosed. Modifications and variations are possible in light of the above teachings or may be acquired from practice of the invention.

For example, systems and methods have been described with regard to a mail server. In other implementations, the systems and methods described herein may be used within other devices, such as a mail client. In such a case, the mail client may periodically obtain suspicion count values for its hash memory from one or more network devices, such as a mail server.

It may be possible for multiple mail servers to work together to detect and prevent unwanted e-mails. For example, high-scoring entries from the hash memory of one mail server might be distributed to other mail servers, as long as the same hash functions are used by the same cooperating servers. This may accelerate the detection process, especially for mail servers that experience relatively low volumes of traffic.

Further, certain portions of the invention have been described as “blocks” that perform one or more functions. These blocks may include hardware, such as an ASIC or a FPGA, software, or a combination of hardware and software.

No element, act, or instruction used in the description of the present application should be construed as critical or essential to the invention unless explicitly described as such. Also, as used herein, the article “a” is intended to include one or more items. Where only one item is intended, the term “one” or similar language is used. The scope of the invention is defined by the claims and their equivalents.

Claims

1. A method for detecting potentially unwanted e-mail messages, comprising: receiving a plurality of e-mail messages;processing the plurality of e-mail messages by removing HTML comments and HTML tags from the plurality of e-mail messages;generating one or more hash values based on one or more portions of the plurality of e-mail messages such that each of the plurality of e-mail messages has one or more corresponding generated hash values;counting the one or more of the generated hash values associated with at least one of the plurality of e-mail messages that match one or more hash values associated with at least one prior e-mail message;determining that the at least one of the plurality of e-mail messages is a potentially unwanted e-mail message based on the counting of the one or more of the generated hash values associated with the at least one of the plurality of e-mail messages that match the one or more of the hash values associated with the at least one prior e-mail message;generating at least one suspicion score for the at least one of the plurality of e-mail messages based on the counting of the one or more of the generated hash values associated with the at least one of the plurality of e-mail messages that match the one or more hash values associated with the at least one prior e-mail message; andtaking remedial action on the at least one of the plurality of e-mail messages that is determined to be the potentially unwanted e-mail message, based on the at least one suspicion score, the taking remedial action including deleting a newly received e-mail message.
2. The method of claim 1, wherein the generating the one or more hash values includes: performing a plurality of hashes on a plurality of variable-sized blocks of a main text of the plurality of e-mail messages.
3. The method of claim 1, wherein the generating the one or more hash values includes: performing a plurality of hashes on a plurality of fixed-sized blocks of a main text of the plurality of e-mail messages.
4. The method of claim 1, wherein the generating the one or more hash values includes: performing a plurality of hashes on a main text of the plurality of e-mail messages using a plurality of different hash functions.
5. The method of claim 1, wherein the generating the one or more hash values includes: performing a plurality of hashes on a main text of the plurality of e-mail messages using a same hash function.
6. The method of claim 1, wherein the generating the one or more hash values includes: attempting to expand an attachment of the plurality of e-mail messages, andhashing the attachment after attempting to expand the attachment.
7. The method of claim 1, wherein the generating the one or more hash values includes: performing a plurality of hashes on a plurality of variable-sized blocks of an attachment of the plurality of e-mail messages.
8. The method of claim 1, wherein the generating the one or more hash values includes: performing a plurality of hashes on a plurality of fixed-sized blocks of an attachment of the plurality of e-mail messages.
9. The method of claim 1, wherein the generating the one or more hash values includes: performing a plurality of hashes on an attachment of the plurality of e-mail messages using a plurality of different hash functions.
10. The method of claim 1, wherein the generating the one or more hash values includes: performing a plurality of hashes on an attachment of the plurality of e-mail messages using a same hash function.
11. The method of claim 1, further comprising: comparing the generated one or more hash values to hash values corresponding to known unwanted e-mails.
12. The method of claim 11, wherein the known unwanted e-mails include at least one of e-mails containing a virus, e-mails containing a worm, or unsolicited commercial e-mails.
13. The method of claim 1, wherein the generating the one or more hash values includes: hashing at least one of a main text or an attachment to generate one or more first hash values, andhashing a concatenation of first and second header fields to generate a second hash value.
14. The method of claim 13, wherein the first and second header fields include a From header field and a To header field.
15. The method of claim 13, wherein the counting the one or more of the generated hash values associated with the at least one of the plurality of e-mail messages that match the one or more hash values associated with the at least one prior e-mail message includes: determining a first suspicion count based on a number of the hash values associated with the at least one prior e-mail message that match the one or more first hash values, anddetermining a second suspicion count based on a number of the hash values associated with the at least one prior e-mail message that match the second hash value.
16. The method of claim 15, wherein the determining that at least one of the plurality of e-mail messages is a potentially unwanted e-mail message includes: determining that the at least one of the plurality of e-mail messages is the potentially unwanted e-mail message when the first suspicion count is significantly higher than the second suspicion count.
17. The method of claim 1, wherein the taking remedial action further includes at least one of: bouncing the at least one of the plurality of e-mail messages,marking the at least one of the plurality of e-mail messages with a warning,subjecting the at least one of the plurality of e-mail messages to a virus or worm detection process, orcreating a notification message.
18. The method of claim 1, wherein the generating the one or more hash values and the counting the one or more of the generated hash values associated with the at least one of the plurality of e-mail messages that match the one or more hash values associated with the at least one prior e-mail message are performed incrementally as the plurality of e-mail messages are being received.
19. The method of claim 1, further comprising: comparing the generated one or more hash values to hash values associated with one or more known legitimate mailing lists; andpassing the plurality of e-mail messages without further examination when the one or more generated hash values associated with the at least one of the plurality of e-mail messages match one or more hash values associated with the one or more known legitimate mailing lists.
20. The method of claim 19, wherein the comparing the one or more generated hash values includes: determining whether the plurality of e-mail messages originated from the one or more known legitimate mailing lists.
21. The method of claim 1, wherein the generating the one or more hash values includes: hashing a main text to generate a first hash value, andhashing one or more sender-related header fields to generate one or more second hash values.
22. The method of claim 21, wherein the one or more sender-related header fields include at least one of a From header field, a Sender header field, or a Reply-To header field.
23. The method of claim 21, wherein the counting the one or more of the generated hash values associated with the at least one of the plurality of e-mail messages that match the one or more hash values associated with the at least one prior e-mail message includes: determining a first suspicion count based on a number of the hash values associated with the at least one prior e-mail message that match the first hash value, anddetermining one or more second suspicion counts based on a number of the hash values associated with the at least one prior e-mail message that match the one or more second hash values.
24. The method of claim 23, wherein the determining that at least one of the plurality of e-mail messages is a potentially unwanted e-mail message includes: determining that the at least one of the plurality of e-mail messages is the potentially unwanted e-mail message when the first suspicion count is higher than the one or more second suspicion counts.
25. The method of claim 1, wherein the generating the one or more hash values includes: hashing a main text of the plurality of e-mail messages to generate at least one main text hash, andhashing at least one header field of the plurality of e-mail messages to generate at least one header hash.
26. The method of claim 25, wherein the counting the one or more of the generated hash values associated with the at least one of the plurality of e-mail messages that match the one or more hash values associated with the at least one prior e-mail message includes: determining whether the at least one main text hash matches a substantially higher number of the hash values associated with the at least one prior e-mail message than the at least one header hash; andwherein the determining that at least one of the plurality of e-mail messages is a potentially unwanted e-mail message includes: determining that the at least one of the plurality of e-mail messages is the potentially unwanted e-mail message when the at least one main text hash matches a substantially higher number of the hash values associated with the at least one prior e-mail message than the at least one header hash.
27. A computer program product embodied on a non-transitory computer-readable medium, comprising: computer code for receiving a plurality of e-mail messages;computer code for processing the plurality of e-mail messages by removing HTML comments and HTML tags from the plurality of e-mail messages;computer code for generating one or more hash values based on one or more portions of the plurality of e-mail messages such that each of the plurality of e-mail messages has one or more corresponding generated hash values;computer code for counting the one or more of the generated hash values associated with at least one of the plurality of e-mail messages that match one or more hash values associated with at least one prior e-mail message;computer code for determining that the at least one of the plurality of e-mail messages is a potentially unwanted e-mail message based on the counting of the one or more of the generated hash values associated with the at least one of the plurality of e-mail messages that match the one or more of the hash values associated with the at least one prior e-mail message;computer code for generating at least one suspicion score for the at least one of the plurality of e-mail messages based on the counting of the one or more of the generated hash values associated with the at least one of the plurality of e-mail messages that match the one or more hash values associated with the at least one prior e-mail message; andcomputer code for taking remedial action on the at least one of the plurality of e-mail messages that is determined to be the potentially unwanted e-mail message, based on the at least one suspicion score, the taking remedial action including deleting a newly received e-mail message.
28. The computer program product of claim 27, wherein the computer program product is operable such that the generating the one or more hash values includes: performing a plurality of hashes on a plurality of variable-sized blocks of a main text of the plurality of e-mail messages.
29. The computer program product of claim 27, wherein the computer program product is operable such that the generating the one or more hash values includes: performing a plurality of hashes on a plurality of fixed-sized blocks of a main text of the plurality of e-mail messages.
30. The computer program product of claim 27, wherein the computer program product is operable such that the generating the one or more hash values includes: performing a plurality of hashes on a main text of the plurality of e-mail messages using a plurality of different hash functions.
31. The computer program product of claim 27, wherein the computer program product is operable such that the generating the one or more hash values includes: performing a plurality of hashes on a main text of the plurality of e-mail messages using a same hash function.
32. The computer program product of claim 27, wherein the computer program product is operable such that the generating the one or more hash values includes: attempting to expand an attachment of the plurality of e-mail messages, andhashing the attachment after attempting to expand the attachment.
33. The computer program product of claim 27, wherein the computer program product is operable such that the generating the one or more hash values includes: performing a plurality of hashes on a plurality of variable-sized blocks of an attachment of the plurality of e-mail messages.
34. The computer program product of claim 27, wherein the computer program product is operable such that the generating the one or more hash values includes: performing a plurality of hashes on a plurality of fixed-sized blocks of an attachment of the plurality of e-mail messages.
35. The computer program product of claim 27, wherein the computer program product is operable such that the generating the one or more hash values includes: performing a plurality of hashes on an attachment of the plurality of e-mail messages using a plurality of different hash functions.
36. The computer program product of claim 27, wherein the computer program product is operable such that the generating the one or more hash values includes: performing a plurality of hashes on an attachment of the plurality of e-mail messages using a same hash function.
37. The computer program product of claim 27, further comprising: computer code for comparing the generated hash values to hash values corresponding to known unwanted e-mails.
38. The computer program product of claim 37, wherein the known unwanted e-mails include at least one of e-mails containing a virus, e-mails containing a worm, or unsolicited commercial e-mails.
39. The computer program product of claim 27, wherein the computer program product is operable such that the generating the one or more hash values includes: hashing at least one of a main text or an attachment to generate one or more first hash values, andhashing a concatenation of first and second header fields to generate a second hash value.
40. The computer program product of claim 39, wherein the first and second header fields include a From header field and a To header field.
41. The computer program product of claim 39, wherein the computer program product is operable such that the counting the one or more of the generated hash values associated with the at least one of the plurality of e-mail messages that match the one or more hash values associated with the at least one prior e-mail message includes: determining a first suspicion count based on a number of the hash values associated with the at least one prior e-mail message that match the one or more first hash values, anddetermining a second suspicion count based on a number of the hash values associated with the at least one prior e-mail message that match the second hash value.
42. The computer program product of claim 41, wherein the computer program product is operable such that the determining that at least one of the plurality of e-mail messages is a potentially unwanted e-mail message includes: determining that the at least one of the plurality of e-mail messages is the potentially unwanted e-mail message when the first suspicion count is significantly higher than the second suspicion count.
43. The computer program product of claim 27, wherein the computer program product is operable such that the taking remedial action further includes at least one of: bouncing the at least one of the plurality of e-mail messages,marking the at least one of the plurality of e-mail messages with a warning,subjecting the at least one of the plurality of e-mail messages to a virus or worm detection process, orcreating a notification message.
44. The computer program product of claim 27, wherein the computer program product is operable such that the generating the one or more hash values and the counting the one or more of the generated hash values associated with the at least one of the plurality of e-mail messages that match the one or more hash values associated with the at least one prior e-mail message are performed incrementally as the plurality of e-mail messages are being received.
45. The computer program product of claim 27, further comprising: computer code for comparing the generated one or more hash values to has values associated with one or more known legitimate mailing lists; andcomputer code for passing the plurality of e-mail messages without further examination when the one or more generated hash values associated with the at least one of the plurality of e-mail messages match one or more hash values associated with the one or more known legitimate mailing lists.
46. The computer program product of claim 45, wherein the computer program product is operable such that the comparing the generated the one or more hash values includes: determining whether the plurality of e-mail messages originated from the one or more known legitimate mailing lists.
47. The computer program product of claim 27, wherein the generating the one or more hash values includes: hashing a main text to generate a first hash value, andhashing one or more sender-related header fields to generate one or more second hash values.
48. The computer program product of claim 47, wherein the computer program product is operable such that the one or more sender-related header fields include at least one of a From header field, a Sender header field, or a Reply-To header field.
49. The computer program product of claim 47, wherein the computer program product is operable such that the counting the one or more of the generated hash values associated with the at least one of the plurality of e-mail messages that match the one or more hash values associated with the at least one prior e-mail message includes: determining a first suspicion count based on a number of the hash values associated with the at least one prior e-mail message that match the first hash value, anddetermining one or more second suspicion counts based on a number of the hash values associated with the at least one prior e-mail message that match the one or more second hash values.
50. The computer program product of claim 49, wherein the computer program product is operable such that the determining that at least one of the plurality of e-mail messages is a potentially unwanted e-mail message includes: determining that the at least one of the plurality of e-mail messages is the potentially unwanted e-mail message when the first suspicion count is higher than the one or more second suspicion counts.
51. The computer program product of claim 27, wherein the computer program product is operable such that the generating the one or more hash values includes: hashing a main text of the plurality of e-mail messages to generate at least one main text hash, andhashing at least one header field of the plurality of e-mail messages to generate at least one header hash.
52. The computer program product of claim 51, wherein the computer program product is operable such that the counting the one or more of the generated hash values associated with the at least one of the plurality of e-mail messages that match the one or more hash values associated with the at least one prior e-mail message includes: determining whether the at least one main text hash matches a substantially higher number of the hash values associated with the at least one prior e-mail message than the at least one header hash; andwherein the determining that at least one of the plurality of e-mail messages is a potentially unwanted e-mail message includes: determining that the at least one of the plurality of e-mail messages is the potentially unwanted e-mail message when the at least one main text hash matches a substantially higher number of the hash values associated with the at least one prior e-mail message than the at least one header hash.
53. The computer program product of claim 37, wherein the hash values are stored using one or more bloom filters.
54. The computer program product of claim 27, wherein the computer program product is operable such that the one or more bloom filters are used in connection with the determining that the at least one of the plurality of e-mail messages is the potentially unwanted e-mail message.
55. The computer program product of claim 27, wherein the computer program product is operable such that the one or more corresponding generated hash values each serve as a signature for data over which the one or more corresponding generated hash values was computed.
56. The computer program product of claim 27, wherein the computer program product is operable such that the at least one suspicion score for the at least one of the plurality of e-mail messages is based on whether the count of the one or more of the generated hash values exceeds a threshold.
57. The computer program product of claim 56, wherein the threshold is a settable threshold.
58. The computer program product of claim 27, wherein the one or more generated hash values includes a plurality of generated hash values.
59. The computer program product of claim 27, wherein the one or more of the hash values associated with the at least one prior e-mail message include one or more hash values of at least one portion of content of the at least one prior e-mail message that was determined to be a known unsolicited commercial e-mail message.
60. The computer program product of claim 27, wherein the computer readable medium includes non-volatile memory.
61. The computer program product of claim 27, wherein the computer program product is operable such that the one or more hash values are generated using a hash function that provides a distribution of values over a variety of data inputs sufficient to prevent hash collisions.
62. The computer program product of claim 27, wherein the computer program product is operable such that the one or more of the generated hash values are indexed.
63. The computer program product of claim 27, wherein the computer program product is operable such that the at least one suspicion score includes a suspicion count.
64. The computer program product of claim 27, wherein the computer program product is operable such that the at least one suspicion score is based on a scoring function.
65. The computer program product of claim 27, wherein the computer program product is operable such that the at least one suspicion score is based on a scoring function that is a function of a plurality of subparts of the plurality of e-mail messages.
66. The computer program product of claim 27, wherein the computer program product is operable such that at least a portion of the computer code is executed at a server.
67. The computer program product of claim 27, wherein the computer program product is operable such that the remedial action is programmable.
68. The computer program product of claim 27, wherein the one or more of the generated hash values includes one generated hash value.
69. The computer program product of claim 27, wherein the at least one prior e-mail message includes one prior e-mail message.
70. The computer program product of claim 27, wherein the at least one suspicion score includes one suspicion score.
71. The computer program product of claim 27, wherein the one or more of the hash values associated with the at least one prior e-mail message include one or more hash values of the at least one prior e-mail message.
72. The computer program product of claim 27, wherein the one or more of the hash values associated with the at least one prior e-mail message include one or more hash values of the at least one prior e-mail message that was determined to be a known unsolicited commercial e-mail message.
73. A system including a processor and a non-transitory computer-readable medium, comprising: means for receiving a plurality of e-mail messages;means for processing the plurality of e-mail messages by removing HTML comments and HTML tags from the plurality of e-mail messages;means for generating one or more hash values based on one or more portions of the plurality of e-mail messages such that each of the plurality of e-mail messages has one or more corresponding generated hash values;means for counting the one or more of the generated hash values associated with at least one of the plurality of e-mail messages that match one or more hash values associated with at least one prior e-mail message;means for determining that the at least one of the plurality of e-mail messages is a potentially unwanted e-mail message based on the counting of the one or more of the generated hash values associated with the at least one of the plurality of e-mail messages that match the one or more of the hash values associated with the at least one prior e-mail message;means for generating at least one suspicion score for the at least one of the plurality of e-mail messages based on the counting of the one or more of the generated hash values associated with the at least one of the plurality of e-mail messages that match the one or more hash values associated with the at least one prior e-mail message; andmeans for taking remedial action on the at least one of the plurality of e-mail messages that is determined to be the potentially unwanted e-mail message, based on the at least one suspicion score, the taking remedial action including deleting a newly received e-mail message.
74. The system of claim 73, wherein the system is operable such that the generating the one or more hash values includes: performing a plurality of hashes on a plurality of variable-sized blocks of a main text of the plurality of e-mail messages.
75. The system of claim 73, wherein the system is operable such that the generating the one or more hash values includes: performing a plurality of hashes on a plurality of fixed-sized blocks of a main text of the plurality of e-mail messages.
76. The system of claim 73, wherein the system is operable such that the generating the one or more hash values includes: attempting to expand an attachment of the plurality of e-mail messages, andhashing the attachment after attempting to expand the attachment.
77. The system of claim 73, wherein the system is operable such that the generating the one or more hash values includes: performing a plurality of hashes on a plurality of variable-sized blocks of an attachment of the plurality of e-mail messages.
78. The system of claim 73, wherein the system is operable such that the generating the one or more hash values includes: performing a plurality of hashes on a plurality of fixed-sized blocks of an attachment of the plurality of e-mail messages.
79. The system of claim 73, further comprising: means for comparing the generated hash values to hash values corresponding to known unwanted e-mails.
80. The system of claim 79, wherein the known unwanted e-mails include at least one of e-mails containing a virus, e-mails containing a worm, or unsolicited commercial e-mails.
81. The system of claim 73, wherein the system is operable such that the generating the one or more hash values and the counting the one or more of the generated hash values that match the hash values associated with the at least one prior e-mail message are performed incrementally as the plurality of e-mail messages are being received.
82. The system of claim 73, further comprising: means for comparing the generated one or more hash values to hash values associated with one or more known legitimate mailing lists; andmeans for passing the plurality of e-mail messages without further examination when the one or more generated hash values associated with the at least one of the plurality of e-mail messages match one or more has values associated with the one or more known legitimate mailing lists.
83. The system of claim 73, wherein the system is operable such that the generating the one or more hash values includes: hashing a main text of the plurality of e-mail messages to generate a main text hash, andhashing at least one header field of the plurality of e-mail messages to generate at least one header hash.

RELATED APPLICATIONS

This application is a continuation of U.S. patent application Ser. No. 10/654,771, filed Sep. 4, 2003, which, in turn, claims priority under 35 U.S.C. §119 based on U.S. Provisional Application No. 60/407,975, filed Sep. 5, 2002, both of which are incorporated herein by reference. U.S. patent application Ser. No. 10/654,771 is also a continuation-in-part of U.S. patent application Ser. No. 10/251,403, filed Sep. 20, 2002, now U.S. Pat. No. 7,328,349 which claims priority under 35 U.S.C. §119 based on U.S. Provisional Application No. 60/341,462, filed Dec. 14, 2001, both of which are incorporated herein by reference. U.S. patent application Ser. No. 10/654,771 is also a continuation-in-part of U.S. patent application Ser. No. 09/881,145 now abandoned, and U.S. patent application Ser. No. 09/881,074, now U.S. Pat. No. 6,981,158 both of which were filed on Jun. 14, 2001, and both of which claim priority under 35 U.S.C. §119 based on U.S. Provisional Application No. 60/212,425, filed Jun. 19, 2000, all of which are incorporated herein by reference.

US Referenced Citations (939)

Number	Name	Date	Kind
3956615	Anderson et al.	May 1976	A
4104721	Markstein et al.	Aug 1978	A
4177510	Appell et al.	Dec 1979	A
4200770	Hellman et al.	Apr 1980	A
4289930	Connolly et al.	Sep 1981	A
4384325	Slechta, Jr. et al.	May 1983	A
4386233	Smid et al.	May 1983	A
4386416	Giltner et al.	May 1983	A
4405829	Rivest et al.	Sep 1983	A
4442484	Childs, Jr. et al.	Apr 1984	A
4532588	Foster	Jul 1985	A
4584639	Hardy	Apr 1986	A
4590470	Koenig	May 1986	A
4607137	Jansen et al.	Aug 1986	A
4621321	Boebert et al.	Nov 1986	A
4641274	Swank	Feb 1987	A
4648031	Jenner	Mar 1987	A
4701840	Boebert et al.	Oct 1987	A
4710763	Franke et al.	Dec 1987	A
4713753	Boebert et al.	Dec 1987	A
4713780	Schultz et al.	Dec 1987	A
4754428	Schultz et al.	Jun 1988	A
4837798	Cohen et al.	Jun 1989	A
4853961	Pastor	Aug 1989	A
4864573	Horsten	Sep 1989	A
4868877	Fischer	Sep 1989	A
4870571	Frink	Sep 1989	A
4885789	Burger et al.	Dec 1989	A
4910774	Barakat	Mar 1990	A
4914568	Kodosky et al.	Apr 1990	A
4926480	Chaum	May 1990	A
4947430	Chaum	Aug 1990	A
4951196	Jackson	Aug 1990	A
4975950	Lentz	Dec 1990	A
4979210	Nagata et al.	Dec 1990	A
4996711	Chaum	Feb 1991	A
5005200	Fischer	Apr 1991	A
5008814	Mathur	Apr 1991	A
5020059	Gorin et al.	May 1991	A
5051886	Kawaguchi et al.	Sep 1991	A
5054096	Beizer	Oct 1991	A
5070528	Hawe et al.	Dec 1991	A
5093914	Coplien et al.	Mar 1992	A
5105184	Pirani et al.	Apr 1992	A
5119465	Jack et al.	Jun 1992	A
5124984	Engel	Jun 1992	A
5144557	Wang et al.	Sep 1992	A
5144659	Jones	Sep 1992	A
5144660	Rose	Sep 1992	A
5144665	Takaragi et al.	Sep 1992	A
5153918	Tuai	Oct 1992	A
5164988	Matyas et al.	Nov 1992	A
5167011	Priest	Nov 1992	A
5191611	Lang	Mar 1993	A
5200999	Matyas et al.	Apr 1993	A
5204961	Barlow	Apr 1993	A
5210795	Lipner et al.	May 1993	A
5210824	Putz et al.	May 1993	A
5210825	Kavaler	May 1993	A
5214702	Fischer	May 1993	A
5224163	Gasser et al.	Jun 1993	A
5226080	Cole et al.	Jul 1993	A
5228083	Lozowick et al.	Jul 1993	A
5235642	Wobber et al.	Aug 1993	A
5239466	Morgan et al.	Aug 1993	A
5241594	Kung	Aug 1993	A
5247661	Hager et al.	Sep 1993	A
5263147	Francisco et al.	Nov 1993	A
5263157	Janis	Nov 1993	A
5265163	Golding et al.	Nov 1993	A
5265164	Matyas et al.	Nov 1993	A
5267313	Hirata	Nov 1993	A
5272754	Boerbert	Dec 1993	A
5276735	Boebert et al.	Jan 1994	A
5276736	Chaum	Jan 1994	A
5276737	Micali	Jan 1994	A
5276869	Forrest et al.	Jan 1994	A
5276901	Howell et al.	Jan 1994	A
5278901	Shieh et al.	Jan 1994	A
5280527	Gullman et al.	Jan 1994	A
5283887	Zachery	Feb 1994	A
5293250	Okumura et al.	Mar 1994	A
5299263	Beller et al.	Mar 1994	A
5303303	White	Apr 1994	A
5305385	Schanning et al.	Apr 1994	A
5311591	Fischer	May 1994	A
5311593	Carmi	May 1994	A
5313521	Torii et al.	May 1994	A
5313637	Rose	May 1994	A
5315657	Abadi et al.	May 1994	A
5315658	Micali	May 1994	A
5319776	Hile et al.	Jun 1994	A
5325370	Cleveland et al.	Jun 1994	A
5329623	Smith et al.	Jul 1994	A
5333266	Boaz et al.	Jul 1994	A
5341426	Barney et al.	Aug 1994	A
5347578	Duxbury	Sep 1994	A
5351293	Michener et al.	Sep 1994	A
5355472	Lewis	Oct 1994	A
5355474	Thuraisngham et al.	Oct 1994	A
5359659	Rosenthal	Oct 1994	A
5361002	Casper	Nov 1994	A
5367621	Cohen et al.	Nov 1994	A
5371794	Diffie et al.	Dec 1994	A
5377354	Scannell et al.	Dec 1994	A
5379340	Overend et al.	Jan 1995	A
5379374	Ishizaki et al.	Jan 1995	A
5386470	Carter et al.	Jan 1995	A
5388189	Kung	Feb 1995	A
5404231	Bloomfield	Apr 1995	A
5406557	Baudoin	Apr 1995	A
5406628	Beller et al.	Apr 1995	A
5410326	Goldstein	Apr 1995	A
5414650	Hekhuis	May 1995	A
5414833	Hershey et al.	May 1995	A
5416842	Aziz	May 1995	A
5418908	Keller et al.	May 1995	A
5424724	Williams et al.	Jun 1995	A
5432932	Chen et al.	Jul 1995	A
5436972	Fischer	Jul 1995	A
5440723	Arnold et al.	Aug 1995	A
5455828	Zisapel	Oct 1995	A
5479411	Klein	Dec 1995	A
5481312	Cash et al.	Jan 1996	A
5481613	Ford et al.	Jan 1996	A
5483466	Kawahara et al.	Jan 1996	A
5485409	Gupta et al.	Jan 1996	A
5485460	Schrier et al.	Jan 1996	A
5491750	Bellare et al.	Feb 1996	A
5495610	Shing et al.	Feb 1996	A
5499294	Friedman	Mar 1996	A
5504454	Daggett et al.	Apr 1996	A
5509074	Choudhury et al.	Apr 1996	A
5511122	Atkinson	Apr 1996	A
5511163	Lerche et al.	Apr 1996	A
5513126	Harkins et al.	Apr 1996	A
5513323	Williams et al.	Apr 1996	A
5521910	Matthews	May 1996	A
5530852	Meske, Jr. et al.	Jun 1996	A
5535276	Ganesan	Jul 1996	A
5537533	Staheli et al.	Jul 1996	A
5539824	Bjorklund et al.	Jul 1996	A
5541993	Fan et al.	Jul 1996	A
5544320	Konrad	Aug 1996	A
5548646	Aziz et al.	Aug 1996	A
5550984	Gelb	Aug 1996	A
5550994	Tashiro et al.	Aug 1996	A
5553145	Micali	Sep 1996	A
5555309	Kruys	Sep 1996	A
5557346	Lipner et al.	Sep 1996	A
5557742	Smaha et al.	Sep 1996	A
5557765	Lipner et al.	Sep 1996	A
5561703	Arledge et al.	Oct 1996	A
5564106	Puhl et al.	Oct 1996	A
5566170	Bakke et al.	Oct 1996	A
5572590	Chess	Nov 1996	A
5572643	Judson	Nov 1996	A
5577209	Boyle et al.	Nov 1996	A
5583940	Vidrascu et al.	Dec 1996	A
5583995	Gardner et al.	Dec 1996	A
5586260	Hu	Dec 1996	A
5602918	Chen et al.	Feb 1997	A
5604490	Blakley, III et al.	Feb 1997	A
5606668	Shwed	Feb 1997	A
5608819	Ikeuchi	Mar 1997	A
5608874	Ogawa et al.	Mar 1997	A
5615340	Dai et al.	Mar 1997	A
5619648	Canale et al.	Apr 1997	A
5621579	Yuen	Apr 1997	A
5621889	Lermuzeaux et al.	Apr 1997	A
5623598	Voigt et al.	Apr 1997	A
5623600	Ji et al.	Apr 1997	A
5623601	Vu	Apr 1997	A
5623637	Jones et al.	Apr 1997	A
5625695	M'Raihi et al.	Apr 1997	A
5627977	Hickey et al.	May 1997	A
5629982	Micali	May 1997	A
5631961	Mills et al.	May 1997	A
5632011	Landfield et al.	May 1997	A
5636371	Yu	Jun 1997	A
5638487	Chigier	Jun 1997	A
5640454	Lipner et al.	Jun 1997	A
5644404	Hashimoto et al.	Jul 1997	A
5644571	Seaman	Jul 1997	A
5647000	Leighton	Jul 1997	A
5649095	Cozza	Jul 1997	A
5655081	Bonnell et al.	Aug 1997	A
5657461	Harkins et al.	Aug 1997	A
5666416	Micali	Sep 1997	A
5666530	Clark et al.	Sep 1997	A
5671279	Elgamal	Sep 1997	A
5673322	Pepe et al.	Sep 1997	A
5675507	Bobo, II	Oct 1997	A
5675733	Williams	Oct 1997	A
5677955	Doggett et al.	Oct 1997	A
5684951	Goldman et al.	Nov 1997	A
5687235	Perlman et al.	Nov 1997	A
5689565	Spies et al.	Nov 1997	A
5689566	Nguyen	Nov 1997	A
5694616	Johnson et al.	Dec 1997	A
5696822	Nachenberg	Dec 1997	A
5699431	Van Oorschot et al.	Dec 1997	A
5699513	Feigen et al.	Dec 1997	A
5706442	Anderson et al.	Jan 1998	A
5706507	Schloss	Jan 1998	A
5708780	Levergood et al.	Jan 1998	A
5708826	Ikeda et al.	Jan 1998	A
5710883	Hong et al.	Jan 1998	A
5717757	Micali	Feb 1998	A
5717758	Micali	Feb 1998	A
5724428	Rivest	Mar 1998	A
5724512	Winterbottom	Mar 1998	A
5727156	Herr-Hoyman et al.	Mar 1998	A
5740231	Cohn et al.	Apr 1998	A
5742759	Nessett et al.	Apr 1998	A
5742769	Lee et al.	Apr 1998	A
5745573	Lipner et al.	Apr 1998	A
5745574	Muftic	Apr 1998	A
5751956	Kirsch	May 1998	A
5758343	Vigil et al.	May 1998	A
5761531	Ohmura et al.	Jun 1998	A
5764906	Edelstein et al.	Jun 1998	A
5765030	Nachenberg et al.	Jun 1998	A
5768388	Goldwasser et al.	Jun 1998	A
5768528	Stumm	Jun 1998	A
5769942	Maeda	Jun 1998	A
5771348	Kubatzki et al.	Jun 1998	A
5778372	Cordell et al.	Jul 1998	A
5781729	Baker et al.	Jul 1998	A
5781735	Southard	Jul 1998	A
5781857	Hwang et al.	Jul 1998	A
5781901	Kuzma	Jul 1998	A
5790664	Coley et al.	Aug 1998	A
5790789	Suarez	Aug 1998	A
5790790	Smith et al.	Aug 1998	A
5790793	Higley	Aug 1998	A
5790856	Lillich	Aug 1998	A
5793763	Mayes et al.	Aug 1998	A
5793868	Micali	Aug 1998	A
5793954	Baker et al.	Aug 1998	A
5793972	Shane	Aug 1998	A
5796830	Johnson et al.	Aug 1998	A
5796942	Esbensen	Aug 1998	A
5796948	Cohen	Aug 1998	A
5798706	Kraemer et al.	Aug 1998	A
5799083	Brothers et al.	Aug 1998	A
5801700	Ferguson	Sep 1998	A
5802178	Holden et al.	Sep 1998	A
5802277	Cowlard	Sep 1998	A
5802371	Meier	Sep 1998	A
5805719	Pare, Jr. et al.	Sep 1998	A
5805801	Holloway et al.	Sep 1998	A
5812398	Nielsen	Sep 1998	A
5812763	Teng	Sep 1998	A
5812776	Gifford	Sep 1998	A
5812844	Jones et al.	Sep 1998	A
5815573	Johnson et al.	Sep 1998	A
5815657	Williams et al.	Sep 1998	A
5821398	Speirs et al.	Oct 1998	A
5822526	Waskiewicz	Oct 1998	A
5822527	Post	Oct 1998	A
5826013	Nachenberg	Oct 1998	A
5826014	Coley et al.	Oct 1998	A
5826022	Nielsen	Oct 1998	A
5826029	Gore, Jr. et al.	Oct 1998	A
5828832	Holden et al.	Oct 1998	A
5828893	Wied et al.	Oct 1998	A
5832208	Chen et al.	Nov 1998	A
5835087	Herz et al.	Nov 1998	A
5835090	Clark et al.	Nov 1998	A
5835600	Rivest	Nov 1998	A
5835758	Nochur et al.	Nov 1998	A
5842216	Anderson et al.	Nov 1998	A
5845084	Cordell et al.	Dec 1998	A
5850442	Muftic	Dec 1998	A
5852665	Gressel et al.	Dec 1998	A
5855020	Kirsch	Dec 1998	A
5857022	Sudia	Jan 1999	A
5859966	Hayman et al.	Jan 1999	A
5860068	Cook	Jan 1999	A
5862325	Reed et al.	Jan 1999	A
5864667	Barkan	Jan 1999	A
5864683	Boebert et al.	Jan 1999	A
5864852	Luotonen	Jan 1999	A
5872844	Yacobi	Feb 1999	A
5872849	Sudia	Feb 1999	A
5872931	Chivaluri	Feb 1999	A
5878230	Weber et al.	Mar 1999	A
5884033	Duvall et al.	Mar 1999	A
5889943	Ji et al.	Mar 1999	A
5892825	Mages et al.	Apr 1999	A
5892903	Klaus	Apr 1999	A
5892904	Atkinson et al.	Apr 1999	A
5893114	Hashimoto et al.	Apr 1999	A
5896499	McKelvey	Apr 1999	A
5898830	Wesinger, Jr. et al.	Apr 1999	A
5898836	Freivald et al.	Apr 1999	A
5901227	Perlman	May 1999	A
5903651	Kocher	May 1999	A
5903723	Beck et al.	May 1999	A
5903882	Asay et al.	May 1999	A
5905859	Holloway et al.	May 1999	A
5907618	Gennaro et al.	May 1999	A
5907620	Klemba et al.	May 1999	A
5911776	Guck	Jun 1999	A
5912972	Barton	Jun 1999	A
5919257	Trostle	Jul 1999	A
5919258	Kayashima et al.	Jul 1999	A
5920630	Wertheimer et al.	Jul 1999	A
5922074	Richard et al.	Jul 1999	A
5923846	Gage et al.	Jul 1999	A
5923885	Johnson et al.	Jul 1999	A
5928329	Clark et al.	Jul 1999	A
5930479	Hall	Jul 1999	A
5933478	Ozaki et al.	Aug 1999	A
5933498	Schneck et al.	Aug 1999	A
5933647	Aronberg et al.	Aug 1999	A
5937066	Gennaro et al.	Aug 1999	A
5937164	Mages et al.	Aug 1999	A
5940591	Boyle et al.	Aug 1999	A
5941998	Tillson	Aug 1999	A
5946679	Ahuja et al.	Aug 1999	A
5948062	Tzelnic et al.	Sep 1999	A
5948104	Gluck et al.	Sep 1999	A
5950195	Stockwell et al.	Sep 1999	A
5951644	Creemer	Sep 1999	A
5951698	Chen et al.	Sep 1999	A
5956403	Lipner et al.	Sep 1999	A
5956481	Walsh et al.	Sep 1999	A
5958005	Thorne et al.	Sep 1999	A
5958010	Agarwal et al.	Sep 1999	A
5959976	Kuo	Sep 1999	A
5960170	Chen et al.	Sep 1999	A
5963915	Kirsch	Oct 1999	A
5964889	Nachenberg	Oct 1999	A
5970248	Meier	Oct 1999	A
5974141	Saito	Oct 1999	A
5978799	Hirsch	Nov 1999	A
5983012	Bianchi et al.	Nov 1999	A
5983228	Kobayashi et al.	Nov 1999	A
5987606	Cirasole et al.	Nov 1999	A
5987609	Hasebe	Nov 1999	A
5991406	Lipner et al.	Nov 1999	A
5991807	Schmidt et al.	Nov 1999	A
5991879	Still	Nov 1999	A
5991881	Conklin et al.	Nov 1999	A
5996011	Humes	Nov 1999	A
5996077	Williams	Nov 1999	A
5999723	Nachenberg	Dec 1999	A
5999932	Paul	Dec 1999	A
5999967	Sundsted	Dec 1999	A
6000041	Baker et al.	Dec 1999	A
6003027	Prager	Dec 1999	A
6006329	Chi	Dec 1999	A
6009103	Woundy	Dec 1999	A
6009274	Fletcher et al.	Dec 1999	A
6009462	Birrell et al.	Dec 1999	A
6012144	Pickett	Jan 2000	A
6014651	Crawford	Jan 2000	A
6021510	Nachenberg	Feb 2000	A
6023723	McCormick et al.	Feb 2000	A
6026414	Anglin	Feb 2000	A
6029256	Kouznetsov	Feb 2000	A
6035423	Hodges et al.	Mar 2000	A
6038233	Hamamoto et al.	Mar 2000	A
6049789	Frison et al.	Apr 2000	A
6052531	Waldin, Jr. et al.	Apr 2000	A
6052709	Paul	Apr 2000	A
6052788	Wesinger, Jr. et al.	Apr 2000	A
6055519	Kennedy et al.	Apr 2000	A
6058381	Nelson	May 2000	A
6058482	Liu	May 2000	A
6061448	Smith et al.	May 2000	A
6061722	Lipa et al.	May 2000	A
6067410	Nachenberg	May 2000	A
6070243	See et al.	May 2000	A
6072942	Stockwell et al.	Jun 2000	A
6073140	Morgan et al.	Jun 2000	A
6075863	Krishnan et al.	Jun 2000	A
6078929	Rao	Jun 2000	A
6085320	Kaliski, Jr.	Jul 2000	A
6088803	Tso et al.	Jul 2000	A
6088804	Hill et al.	Jul 2000	A
6092067	Girling et al.	Jul 2000	A
6092102	Wagner	Jul 2000	A
6092114	Shaffer et al.	Jul 2000	A
6092191	Shimbo et al.	Jul 2000	A
6092194	Touboul	Jul 2000	A
6092201	Turnbull et al.	Jul 2000	A
6094277	Toyoda	Jul 2000	A
6094731	Waldin et al.	Jul 2000	A
6097811	Micali	Aug 2000	A
6104500	Alam et al.	Aug 2000	A
6108683	Kamada et al.	Aug 2000	A
6108688	Nielsen	Aug 2000	A
6108691	Lee et al.	Aug 2000	A
6108786	Knowlson	Aug 2000	A
6112181	Shear et al.	Aug 2000	A
6118856	Paarsmarkt et al.	Sep 2000	A
6119137	Smith et al.	Sep 2000	A
6119142	Kosaka	Sep 2000	A
6119157	Traversat et al.	Sep 2000	A
6119165	Li et al.	Sep 2000	A
6119230	Carter	Sep 2000	A
6119231	Foss et al.	Sep 2000	A
6119236	Shipley	Sep 2000	A
6122661	Stedman et al.	Sep 2000	A
6123737	Sadowsky	Sep 2000	A
6134550	Van Oorschot et al.	Oct 2000	A
6134551	Aucsmith	Oct 2000	A
6138254	Voshell	Oct 2000	A
6141695	Sekiguchi et al.	Oct 2000	A
6141778	Kane et al.	Oct 2000	A
6144744	Smith, Sr. et al.	Nov 2000	A
6145083	Shaffer et al.	Nov 2000	A
6151643	Cheng et al.	Nov 2000	A
6151675	Smith	Nov 2000	A
6154769	Cherkasova et al.	Nov 2000	A
6154844	Touboul et al.	Nov 2000	A
6154879	Pare et al.	Nov 2000	A
6161130	Horvitz et al.	Dec 2000	A
6161137	Ogdon et al.	Dec 2000	A
6167407	Nachenberg et al.	Dec 2000	A
6167438	Yates et al.	Dec 2000	A
6169969	Cohen	Jan 2001	B1
6178242	Tsuria	Jan 2001	B1
6178509	Nardone et al.	Jan 2001	B1
6182142	Win et al.	Jan 2001	B1
6182226	Reid et al.	Jan 2001	B1
6185678	Arbaugh et al.	Feb 2001	B1
6185682	Tang	Feb 2001	B1
6185689	Todd, Sr. et al.	Feb 2001	B1
6192360	Dumais et al.	Feb 2001	B1
6192407	Smith et al.	Feb 2001	B1
6199102	Cobb	Mar 2001	B1
6202157	Brownlie et al.	Mar 2001	B1
6215763	Doshi et al.	Apr 2001	B1
6216265	Roop et al.	Apr 2001	B1
6219706	Fan et al.	Apr 2001	B1
6219714	Inhwan et al.	Apr 2001	B1
6223094	Muehleck et al.	Apr 2001	B1
6223172	Hunter et al.	Apr 2001	B1
6223213	Cleron et al.	Apr 2001	B1
6226666	Chang et al.	May 2001	B1
6230190	Edmonds et al.	May 2001	B1
6230194	Frailong et al.	May 2001	B1
6230266	Perlman et al.	May 2001	B1
6233577	Ramasubramani et al.	May 2001	B1
6240401	Oren et al.	May 2001	B1
6243815	Antur et al.	Jun 2001	B1
6249575	Heilmann et al.	Jun 2001	B1
6249585	McGrew et al.	Jun 2001	B1
6249807	Shaw et al.	Jun 2001	B1
6253337	Maloney et al.	Jun 2001	B1
6260043	Puri et al.	Jul 2001	B1
6260142	Thakkar et al.	Jul 2001	B1
6266337	Marco	Jul 2001	B1
6266668	Vanderveldt et al.	Jul 2001	B1
6266692	Greenstein	Jul 2001	B1
6266700	Baker et al.	Jul 2001	B1
6266774	Sampath et al.	Jul 2001	B1
6269380	Terry et al.	Jul 2001	B1
6269447	Maloney et al.	Jul 2001	B1
6269456	Hodges et al.	Jul 2001	B1
6272532	Feinleib	Aug 2001	B1
6272632	Carman et al.	Aug 2001	B1
6275937	Hailpern et al.	Aug 2001	B1
6275942	Bernhard et al.	Aug 2001	B1
6275977	Nagai et al.	Aug 2001	B1
6279113	Vaidya	Aug 2001	B1
6279133	Vafai et al.	Aug 2001	B1
6282565	Shaw et al.	Aug 2001	B1
6285991	Powar	Sep 2001	B1
6289214	Backstrom	Sep 2001	B1
6292833	Liao et al.	Sep 2001	B1
6298445	Shostack et al.	Oct 2001	B1
6301668	Gleichauf et al.	Oct 2001	B1
6301699	Hollander et al.	Oct 2001	B1
6304898	Shiigi	Oct 2001	B1
6304904	Sathyanarayan et al.	Oct 2001	B1
6304973	Williams	Oct 2001	B1
6311207	Mighdoll et al.	Oct 2001	B1
6311273	Helbig et al.	Oct 2001	B1
6314190	Zimmermann	Nov 2001	B1
6317829	Van Oorschot	Nov 2001	B1
6320948	Heilmann et al.	Nov 2001	B1
6321267	Donaldson	Nov 2001	B1
6324569	Ogilvie et al.	Nov 2001	B1
6324647	Bowman-Amuah	Nov 2001	B1
6324656	Gleichauf et al.	Nov 2001	B1
6327579	Crawford	Dec 2001	B1
6327594	Van Huben et al.	Dec 2001	B1
6327620	Tams et al.	Dec 2001	B1
6327652	England et al.	Dec 2001	B1
6330551	Burchetta et al.	Dec 2001	B1
6330589	Kennedy	Dec 2001	B1
6330670	England et al.	Dec 2001	B1
6332163	Bowman-Amuah	Dec 2001	B1
6338141	Wells	Jan 2002	B1
6341369	Degenaro et al.	Jan 2002	B1
6347374	Drake et al.	Feb 2002	B1
6347375	Reinert et al.	Feb 2002	B1
6353886	Howard et al.	Mar 2002	B1
6356859	Talbot et al.	Mar 2002	B1
6356935	Gibbs	Mar 2002	B1
6357008	Nachenberg	Mar 2002	B1
6362836	Shaw et al.	Mar 2002	B1
6363489	Comay et al.	Mar 2002	B1
6367009	Davis et al.	Apr 2002	B1
6367012	Atkinson et al.	Apr 2002	B1
6370648	Diep	Apr 2002	B1
6373950	Rowney	Apr 2002	B1
6381694	Yen	Apr 2002	B1
6385596	Wiser et al.	May 2002	B1
6385655	Smith et al.	May 2002	B1
6389419	Wong et al.	May 2002	B1
6393465	Leeds	May 2002	B2
6393568	Ranger et al.	May 2002	B1
6397259	Lincke et al.	May 2002	B1
6397335	Franczek et al.	May 2002	B1
6400804	Bilder	Jun 2002	B1
6401210	Templeton	Jun 2002	B1
6405318	Rowland	Jun 2002	B1
6411716	Brickell	Jun 2002	B1
6424650	Yang et al.	Jul 2002	B1
6430184	Robins et al.	Aug 2002	B1
6430688	Kohl et al.	Aug 2002	B1
6434536	Geiger	Aug 2002	B1
6438549	Aldred et al.	Aug 2002	B1
6438576	Huang et al.	Aug 2002	B1
6438612	Yionen	Aug 2002	B1
6442588	Clark et al.	Aug 2002	B1
6442686	McArdle et al.	Aug 2002	B1
6442688	Moses et al.	Aug 2002	B1
6442689	Kocher	Aug 2002	B1
6446109	Gupta	Sep 2002	B2
6449367	Van Wie et al.	Sep 2002	B2
6449640	Haverstock et al.	Sep 2002	B1
6452613	Lefebvre et al.	Sep 2002	B1
6453345	Trcka et al.	Sep 2002	B2
6453352	Wagner et al.	Sep 2002	B1
6453419	Flint et al.	Sep 2002	B1
6460050	Pace et al.	Oct 2002	B1
6460141	Olden	Oct 2002	B1
6469969	Carson et al.	Oct 2002	B2
6470086	Smith	Oct 2002	B1
6477651	Teal	Nov 2002	B1
6484203	Porras et al.	Nov 2002	B1
6487599	Smith et al.	Nov 2002	B1
6487658	Micali	Nov 2002	B1
6487666	Shanklin et al.	Nov 2002	B1
6496974	Sliger et al.	Dec 2002	B1
6496979	Chen et al.	Dec 2002	B1
6499107	Gleichauf et al.	Dec 2002	B1
6502191	Smith et al.	Dec 2002	B1
6507851	Fujiwara et al.	Jan 2003	B1
6510431	Eichstaedt et al.	Jan 2003	B1
6510464	Grantges, Jr. et al.	Jan 2003	B1
6510466	Cox et al.	Jan 2003	B1
6516316	Ramasubramani et al.	Feb 2003	B1
6516411	Smith	Feb 2003	B2
6519264	Carr et al.	Feb 2003	B1
6519703	Joyce	Feb 2003	B1
6526171	Furukawa	Feb 2003	B1
6529498	Cheng	Mar 2003	B1
6539430	Humes	Mar 2003	B1
6546416	Kirsch	Apr 2003	B1
6546493	Magdych et al.	Apr 2003	B1
6550012	Villa et al.	Apr 2003	B1
6560632	Chess et al.	May 2003	B1
6574611	Matsuyama et al.	Jun 2003	B1
6574737	Kingsford et al.	Jun 2003	B1
6577920	Hypponen et al.	Jun 2003	B1
6578025	Pollack et al.	Jun 2003	B1
6578147	Shanklin et al.	Jun 2003	B1
6584488	Brenner et al.	Jun 2003	B1
6584564	Olkin et al.	Jun 2003	B2
6587949	Steinberg	Jul 2003	B1
6606708	Devine et al.	Aug 2003	B1
6609196	Dickinson, III et al.	Aug 2003	B1
6609205	Bernhard et al.	Aug 2003	B1
6611869	Eschelbeck et al.	Aug 2003	B1
6611925	Spear	Aug 2003	B1
6615242	Riemers	Sep 2003	B1
6622150	Kouznetsov et al.	Sep 2003	B1
6647400	Moran	Nov 2003	B1
6650890	Irlam et al.	Nov 2003	B1
6654787	Aronson et al.	Nov 2003	B1
6658568	Ginter et al.	Dec 2003	B1
6662230	Eichstaedt et al.	Dec 2003	B1
6668269	Kamada et al.	Dec 2003	B1
6675153	Cook et al.	Jan 2004	B1
6675209	Britt	Jan 2004	B1
6678270	Garfinkel	Jan 2004	B1
6681331	Munson et al.	Jan 2004	B1
6684335	Epstein, III et al.	Jan 2004	B1
6687687	Smadja	Feb 2004	B1
6687732	Bector et al.	Feb 2004	B1
6691156	Drummond et al.	Feb 2004	B1
6694023	Kim	Feb 2004	B1
6697950	Ko	Feb 2004	B1
6701440	Kim et al.	Mar 2004	B1
6704874	Porras et al.	Mar 2004	B1
6707915	Jobst et al.	Mar 2004	B1
6711127	Gorman et al.	Mar 2004	B1
6711679	Guski et al.	Mar 2004	B1
6715082	Chang et al.	Mar 2004	B1
6721721	Bates et al.	Apr 2004	B1
6725223	Abdo et al.	Apr 2004	B2
6725377	Kouznetsov	Apr 2004	B1
6728886	Ji et al.	Apr 2004	B1
6731756	Pizano et al.	May 2004	B1
6732101	Cook	May 2004	B1
6732149	Kephart	May 2004	B1
6732157	Gordon et al.	May 2004	B1
6735700	Flint et al.	May 2004	B1
6735703	Kilpatrick et al.	May 2004	B1
6738462	Brunson	May 2004	B1
6738814	Cox et al.	May 2004	B1
6738932	Price	May 2004	B1
6741595	Maher, III et al.	May 2004	B2
6742015	Bowman-Amuah	May 2004	B1
6742124	Kilpatrick et al.	May 2004	B1
6742128	Joiner	May 2004	B1
6745192	Libenzi	Jun 2004	B1
6748531	Epstein	Jun 2004	B1
6754705	Joiner et al.	Jun 2004	B2
6757830	Tarbotton et al.	Jun 2004	B1
6760765	Asai et al.	Jul 2004	B1
6760845	Cafarelli et al.	Jul 2004	B1
6766450	Micali	Jul 2004	B2
6768991	Hearnden	Jul 2004	B2
6769016	Rothwell et al.	Jul 2004	B2
6772334	Glawitsch	Aug 2004	B1
6772346	Chess et al.	Aug 2004	B1
6775657	Baker	Aug 2004	B1
6775704	Watson et al.	Aug 2004	B1
6779033	Watson et al.	Aug 2004	B1
6782503	Dawson	Aug 2004	B1
6785728	Schneider et al.	Aug 2004	B1
6785732	Bates et al.	Aug 2004	B1
6785818	Sobel et al.	Aug 2004	B1
6789202	Ko et al.	Sep 2004	B1
6792546	Shanklin et al.	Sep 2004	B1
6799197	Shetty et al.	Sep 2004	B1
6802002	Corella	Oct 2004	B1
6804237	Luo et al.	Oct 2004	B1
6804778	Levi et al.	Oct 2004	B1
6804783	Wesinger, Jr. et al.	Oct 2004	B1
6826698	Minkin et al.	Nov 2004	B1
6842860	Branstad et al.	Jan 2005	B1
6842861	Cox et al.	Jan 2005	B1
6845449	Carman et al.	Jan 2005	B1
6847888	Fox et al.	Jan 2005	B2
6851057	Nachenberg	Feb 2005	B1
6859793	Lambiase	Feb 2005	B1
6862581	Lambiase	Mar 2005	B1
6870849	Callon et al.	Mar 2005	B1
6883101	Fox et al.	Apr 2005	B1
6892178	Zacharia	May 2005	B1
6892179	Zacharia	May 2005	B1
6892237	Gai et al.	May 2005	B1
6892241	Kouznetsov et al.	May 2005	B2
6895385	Zacharia et al.	May 2005	B1
6895436	Caillau et al.	May 2005	B1
6907430	Chong et al.	Jun 2005	B2
6909205	Corcoran et al.	Jun 2005	B2
6910134	Maher, III et al.	Jun 2005	B1
6910135	Grainger	Jun 2005	B1
6915426	Carman et al.	Jul 2005	B1
6922776	Cook et al.	Jul 2005	B2
6928550	Le Pennec et al.	Aug 2005	B1
6928556	Black et al.	Aug 2005	B2
6934857	Bartleson et al.	Aug 2005	B1
6941348	Petry et al.	Sep 2005	B2
6941467	Judge et al.	Sep 2005	B2
6944673	Malan et al.	Sep 2005	B2
6947442	Lato et al.	Sep 2005	B1
6947936	Suermondt et al.	Sep 2005	B1
6950933	Cook et al.	Sep 2005	B1
6952776	Chess	Oct 2005	B1
6954775	Shanklin et al.	Oct 2005	B1
6968336	Gupta	Nov 2005	B1
6968461	Lucas et al.	Nov 2005	B1
6971019	Nachenberg	Nov 2005	B1
6976168	Branstad et al.	Dec 2005	B1
6976271	Le Pennec et al.	Dec 2005	B1
6978223	Milliken	Dec 2005	B2
6981146	Sheymov	Dec 2005	B1
6981158	Sanchez et al.	Dec 2005	B1
6985923	Bates et al.	Jan 2006	B1
6993660	Libenzi et al.	Jan 2006	B1
7010696	Cambridge et al.	Mar 2006	B1
7055173	Chaganty et al.	May 2006	B1
7058974	Maher, III et al.	Jun 2006	B1
7080000	Cambridge	Jul 2006	B1
7085934	Edwards	Aug 2006	B1
7093002	Wolff et al.	Aug 2006	B2
7107618	Gordon et al.	Sep 2006	B1
7117358	Bandini et al.	Oct 2006	B2
7117533	Libenzi	Oct 2006	B1
7120252	Jones et al.	Oct 2006	B1
7127743	Khanolkar et al.	Oct 2006	B1
7134141	Crosbie et al.	Nov 2006	B2
7136487	Schon et al.	Nov 2006	B1
7150042	Wolff et al.	Dec 2006	B2
7159237	Schneier et al.	Jan 2007	B2
7181015	Matt	Feb 2007	B2
7181768	Ghosh et al.	Feb 2007	B1
7213260	Judge	May 2007	B2
7222157	Sutton et al.	May 2007	B1
7225255	Favier et al.	May 2007	B2
7225466	Judge	May 2007	B2
7234168	Gupta et al.	Jun 2007	B2
7308715	Gupta et al.	Dec 2007	B2
7310818	Parish et al.	Dec 2007	B1
7328349	Milliken	Feb 2008	B2
7366764	Vollebregt	Apr 2008	B1
7409714	Gupta et al.	Aug 2008	B2
7458098	Judge et al.	Nov 2008	B2
7519994	Judge et al.	Apr 2009	B2
7533272	Gordon et al.	May 2009	B1
7624274	Alspector et al.	Nov 2009	B1
7660865	Hulten et al.	Feb 2010	B2
7693945	Dulitz et al.	Apr 2010	B1
20010005889	Albrecht	Jun 2001	A1
20010009580	Ikeda	Jul 2001	A1
20010011308	Clark et al.	Aug 2001	A1
20010034839	Karjoth et al.	Oct 2001	A1
20010039579	Trcka et al.	Nov 2001	A1
20010049793	Sugimoto	Dec 2001	A1
20020001384	Buer et al.	Jan 2002	A1
20020004902	Toh et al.	Jan 2002	A1
20020016826	Johansson et al.	Feb 2002	A1
20020016910	Wright et al.	Feb 2002	A1
20020019945	Houston et al.	Feb 2002	A1
20020023140	Hile et al.	Feb 2002	A1
20020026591	Hartley et al.	Feb 2002	A1
20020032860	Wheeler et al.	Mar 2002	A1
20020032871	Malan et al.	Mar 2002	A1
20020035683	Kaashoek et al.	Mar 2002	A1
20020038339	Xu	Mar 2002	A1
20020042876	Smith	Apr 2002	A1
20020042877	Wheeler et al.	Apr 2002	A1
20020046041	Lang	Apr 2002	A1
20020049853	Chu et al.	Apr 2002	A1
20020069263	Sears et al.	Jun 2002	A1
20020071438	Singh	Jun 2002	A1
20020078381	Farley et al.	Jun 2002	A1
20020078382	Sheikh et al.	Jun 2002	A1
20020080888	Shu et al.	Jun 2002	A1
20020083033	Abdo et al.	Jun 2002	A1
20020083342	Webb et al.	Jun 2002	A1
20020083343	Crosbie et al.	Jun 2002	A1
20020087882	Schneier et al.	Jul 2002	A1
20020091697	Huang et al.	Jul 2002	A1
20020091757	Cuomo et al.	Jul 2002	A1
20020095492	Kaashoek et al.	Jul 2002	A1
20020107853	Hofmann et al.	Aug 2002	A1
20020112008	Christenson et al.	Aug 2002	A1
20020112168	Filipi-Martin et al.	Aug 2002	A1
20020112185	Hodges	Aug 2002	A1
20020116463	Hart	Aug 2002	A1
20020116627	Tarbotton et al.	Aug 2002	A1
20020120705	Schiavone et al.	Aug 2002	A1
20020120853	Tyree	Aug 2002	A1
20020120874	Shu et al.	Aug 2002	A1
20020129002	Alberts et al.	Sep 2002	A1
20020129277	Caccavale	Sep 2002	A1
20020133365	Grey et al.	Sep 2002	A1
20020133586	Shanklin et al.	Sep 2002	A1
20020138416	Lovejoy et al.	Sep 2002	A1
20020138755	Ko	Sep 2002	A1
20020138759	Dutta	Sep 2002	A1
20020138762	Horne	Sep 2002	A1
20020143963	Converse et al.	Oct 2002	A1
20020147734	Shoup et al.	Oct 2002	A1
20020147780	Liu et al.	Oct 2002	A1
20020147915	Chefalas et al.	Oct 2002	A1
20020147925	Lingafelt et al.	Oct 2002	A1
20020152399	Smith	Oct 2002	A1
20020161718	Coley et al.	Oct 2002	A1
20020165971	Baron	Nov 2002	A1
20020169954	Bandini et al.	Nov 2002	A1
20020172367	Mulder et al.	Nov 2002	A1
20020174358	Wolff et al.	Nov 2002	A1
20020178227	Matsa et al.	Nov 2002	A1
20020178383	Hrabik et al.	Nov 2002	A1
20020181703	Logan et al.	Dec 2002	A1
20020186698	Ceniza	Dec 2002	A1
20020188864	Jackson	Dec 2002	A1
20020194161	McNamee et al.	Dec 2002	A1
20020194469	Dominique et al.	Dec 2002	A1
20020194490	Halperin et al.	Dec 2002	A1
20020199095	Bandini et al.	Dec 2002	A1
20030004688	Gupta et al.	Jan 2003	A1
20030004689	Gupta et al.	Jan 2003	A1
20030005326	Flemming	Jan 2003	A1
20030009554	Burch et al.	Jan 2003	A1
20030009693	Brock et al.	Jan 2003	A1
20030009696	Bunker et al.	Jan 2003	A1
20030009698	Lindeman et al.	Jan 2003	A1
20030009699	Gupta et al.	Jan 2003	A1
20030014662	Gupta et al.	Jan 2003	A1
20030014664	Hentunen	Jan 2003	A1
20030021280	Makinson et al.	Jan 2003	A1
20030023692	Moroo	Jan 2003	A1
20030023695	Kobata et al.	Jan 2003	A1
20030023873	Ben-Itzhak	Jan 2003	A1
20030023874	Prokupets et al.	Jan 2003	A1
20030023875	Hursey et al.	Jan 2003	A1
20030028803	Bunker et al.	Feb 2003	A1
20030033516	Howard et al.	Feb 2003	A1
20030033542	Goseva-Popstojanova et al.	Feb 2003	A1
20030037141	Milo et al.	Feb 2003	A1
20030041263	Devine et al.	Feb 2003	A1
20030041264	Black et al.	Feb 2003	A1
20030046421	Horvitz et al.	Mar 2003	A1
20030051026	Carter et al.	Mar 2003	A1
20030051163	Bidaud	Mar 2003	A1
20030051168	King et al.	Mar 2003	A1
20030055931	Cravo De Almeida et al.	Mar 2003	A1
20030061502	Teblyashkin et al.	Mar 2003	A1
20030061506	Cooper et al.	Mar 2003	A1
20030065791	Garg et al.	Apr 2003	A1
20030065943	Geis et al.	Apr 2003	A1
20030084020	Shu	May 2003	A1
20030084280	Bryan et al.	May 2003	A1
20030084320	Tarquini et al.	May 2003	A1
20030084323	Gales	May 2003	A1
20030084347	Luzzatto	May 2003	A1
20030088680	Nachenberg et al.	May 2003	A1
20030088792	Card et al.	May 2003	A1
20030093667	Dutta et al.	May 2003	A1
20030093695	Dutta	May 2003	A1
20030093696	Sugimoto	May 2003	A1
20030095555	McNamara et al.	May 2003	A1
20030097439	Strayer et al.	May 2003	A1
20030097564	Tewari et al.	May 2003	A1
20030101381	Mateev et al.	May 2003	A1
20030105827	Tan et al.	Jun 2003	A1
20030105859	Garnett et al.	Jun 2003	A1
20030105976	Copeland, III	Jun 2003	A1
20030110392	Aucsmith et al.	Jun 2003	A1
20030110393	Brock et al.	Jun 2003	A1
20030110396	Lewis et al.	Jun 2003	A1
20030115485	Milliken	Jun 2003	A1
20030115486	Choi et al.	Jun 2003	A1
20030120604	Yokota et al.	Jun 2003	A1
20030120647	Aiken et al.	Jun 2003	A1
20030123665	Dunstan et al.	Jul 2003	A1
20030126464	McDaniel et al.	Jul 2003	A1
20030126472	Banzhof	Jul 2003	A1
20030135749	Gales et al.	Jul 2003	A1
20030140137	Joiner et al.	Jul 2003	A1
20030140250	Taninaka et al.	Jul 2003	A1
20030145212	Crumly	Jul 2003	A1
20030145225	Bruton, III et al.	Jul 2003	A1
20030145226	Bruton, III et al.	Jul 2003	A1
20030145232	Poletto et al.	Jul 2003	A1
20030149887	Yadav	Aug 2003	A1
20030149888	Yadav	Aug 2003	A1
20030154393	Young	Aug 2003	A1
20030154399	Zuk et al.	Aug 2003	A1
20030154402	Pandit et al.	Aug 2003	A1
20030158905	Petry et al.	Aug 2003	A1
20030159069	Choi et al.	Aug 2003	A1
20030159070	Mayer et al.	Aug 2003	A1
20030167402	Stolfo et al.	Sep 2003	A1
20030172120	Tomkow et al.	Sep 2003	A1
20030172166	Judge et al.	Sep 2003	A1
20030172167	Judge et al.	Sep 2003	A1
20030172289	Soppera	Sep 2003	A1
20030172291	Judge et al.	Sep 2003	A1
20030172292	Judge	Sep 2003	A1
20030172294	Judge	Sep 2003	A1
20030172301	Judge et al.	Sep 2003	A1
20030172302	Judge et al.	Sep 2003	A1
20030187996	Cardina et al.	Oct 2003	A1
20030212791	Pickup	Nov 2003	A1
20030233328	Scott et al.	Dec 2003	A1
20030236845	Pitsos	Dec 2003	A1
20040015554	Wilson	Jan 2004	A1
20040025044	Day	Feb 2004	A1
20040054886	Dickinson, III et al.	Mar 2004	A1
20040058673	Irlam et al.	Mar 2004	A1
20040059811	Sugauchi et al.	Mar 2004	A1
20040083384	Hypponen	Apr 2004	A1
20040088570	Roberts et al.	May 2004	A1
20040103315	Cooper et al.	May 2004	A1
20040111531	Staniford et al.	Jun 2004	A1
20040139160	Wallace et al.	Jul 2004	A1
20040139334	Wiseman	Jul 2004	A1
20040143763	Radatti	Jul 2004	A1
20040167968	Wilson et al.	Aug 2004	A1
20040177120	Kirsch	Sep 2004	A1
20040181462	Bauer et al.	Sep 2004	A1
20040191462	Hosoda et al.	Sep 2004	A1
20040193482	Hoffman et al.	Sep 2004	A1
20040203589	Wang et al.	Oct 2004	A1
20040205135	Hallam-Baker	Oct 2004	A1
20040236884	Beetz	Nov 2004	A1
20040267893	Lin	Dec 2004	A1
20050014749	Chen et al.	Jan 2005	A1
20050021738	Goeller et al.	Jan 2005	A1
20050043936	Corston-Oliver et al.	Feb 2005	A1
20050052998	Oliver et al.	Mar 2005	A1
20050058129	Jones et al.	Mar 2005	A1
20050065810	Bouron	Mar 2005	A1
20050081059	Bandini et al.	Apr 2005	A1
20050086526	Aguirre	Apr 2005	A1
20050102366	Kirsch	May 2005	A1
20050188045	Katsikas	Aug 2005	A1
20050204159	Davis et al.	Sep 2005	A1
20050235360	Pearson	Oct 2005	A1
20050262209	Yu	Nov 2005	A1
20050262210	Yu	Nov 2005	A1
20060036693	Hulten et al.	Feb 2006	A1
20060036727	Kurapati et al.	Feb 2006	A1
20060042483	Work et al.	Mar 2006	A1
20060047794	Jezierski	Mar 2006	A1
20060095404	Adelman et al.	May 2006	A1
20060095966	Park	May 2006	A1
20060123083	Goutte et al.	Jun 2006	A1
20060149820	Rajan et al.	Jul 2006	A1
20060168006	Shannon et al.	Jul 2006	A1
20060168017	Stern et al.	Jul 2006	A1
20060212925	Shull et al.	Sep 2006	A1
20060212930	Shull et al.	Sep 2006	A1
20060212931	Shull et al.	Sep 2006	A1
20060230039	Shull et al.	Oct 2006	A1
20060253458	Dixon et al.	Nov 2006	A1
20060259551	Caldwell, Jr.	Nov 2006	A1
20080060075	Cox et al.	Mar 2008	A1
20090064329	Okumura et al.	Mar 2009	A1
20090083413	Levow et al.	Mar 2009	A1
20100017487	Patinkin	Jan 2010	A1
20100049848	Levow et al.	Feb 2010	A1
20100145900	Zheng et al.	Jun 2010	A1

Foreign Referenced Citations (5)

Number	Date	Country
WO9605673	Feb 1996	WO
WO0028420	May 2000	WO
WO0155927	Aug 2001	WO
WO0173523	Oct 2001	WO
WO02101516	Dec 2002	WO

Related Publications (1)

	Number	Date	Country
	20090132669 A1	May 2009	US

Provisional Applications (3)

Number	Date	Country
60407975	Sep 2002	US
60341462	Dec 2001	US
60212425	Jun 2000	US

Continuations (1)

	Number	Date	Country
Parent	10654771	Sep 2003	US
Child	12248790		US

Continuation in Parts (4)

	Number	Date	Country
Parent	10654771		US
Child	10654771		US
Parent	10251403	Sep 2002	US
Child	10654771		US
Parent	09881145	Jun 2001	US
Child	10654771		US
Parent	09881074	Jun 2001	US
Child	09881145		US

Hash-based systems and methods for detecting and preventing transmission of unwanted e-mail

Information

Patent Number

Date Filed

Date Issued

Inventors

Original Assignees

Examiners

Agents

CPC

US Classifications

Field of Search

US

International Classifications

Disclaimer

Term Extension

Abstract