 
                 Patent Grant
 Patent Grant
                     11349795
 11349795
                    Limitations and disadvantages of conventional approaches to email will become apparent to one of skill in the art, through comparison of such approaches with some aspects of the present method and system set forth in the remainder of this disclosure with reference to the drawings.
Methods and systems are provided for email privacy enforcement, substantially as illustrated by and/or described in connection with at least one of the figures, as set forth more completely in the claims.
    
    
    
    
    
    
    
    
    
    
    
    
    
  
The firewall 122 comprises circuitry operable to monitor and control traffic coming into and out of the local area network (LAN) 150.
Each email client 120 is, for example, a desktop, laptop, tablet, or phone configured to run email client software such as Microsoft Outlook, Mozilla Thunderbird, or the like. Some of the email clients 120 are connected to the email subsystem 102 via connections contained within LAN 150, and others are connected via public network 124 and firewall 122. The email clients 120 may connect to the email subsystem 102 using a protocol such as SMTP, MAPI, IMAP, EAS, EWS, and/or POP3.
Each web client 128 is, for example, a desktop, laptop, tablet, or phone configured to run a web browser such as Google Chrome, Mozilla Firefox, or the like. A user of a web mail client 128 may access the email subsystem 102 by browsing to a webmail interface (e.g., https://www.owa.x.com) in the web browser.
The email systems 130 handle email for domains other than x.com (e.g., y.com). Each of the mail systems 130 may be substantially the same as the mail system comprising subsystem(s) 102 and/or 144 (“email system 102/104”) or may comprise one or more conventional email servers.
Various aspects of this disclosure are directed to an email system operable to process incoming and/or outgoing email messages in accordance with a data privacy policy (and/or other email policies) put in place by an administrator of the email system. In various example implementations, the email system 102/144 is implemented entirely in an on-premises email subsystem 102, entirely in a remote email subsystem 144, or is distributed among the on-premises subsystem 102 and the remote email subsystem 144. An example implementation of the email system 102/144 comprising one or both of email subsystem 102 and email subsystem 144 is described below with reference to 
The email system 102/144 comprises hardware 116 that in turn comprises processing circuitry 104 (e.g., one or more chipsets or systems-on-chip comprising one or more CPUs, memory, one or more graphics processors, one or more I/O controllers, etc.), network interface circuitry 106 (e.g., Ethernet, Wi-Fi, and/or the like) and storage circuitry 108 (e.g., one or more hard disk drives, solid state drives, and/or the like, and associated control/drive circuitry). The hardware 116 is configured by software and/or firmware 118 to realize special purpose circuitry for handling email as described in this disclosure. In an example implementation, the special purpose circuitry comprises connection handler circuitry 110, privacy enforcement circuitry 112, background message processing circuitry 113, message storage handling circuitry 114, content caching circuitry 115, and analytics and reporting circuitry 117.
The connection handler circuitry 110 is operable to connect the email system 102/144 to email clients 120, web clients 128, and other email systems 130 using HTTP/HTTPS, SMTP, MAPI, IMAP, EAS, EWS, POP3, and/or any other suitable protocol(s).
The privacy enforcement circuitry 112 is operable to analyze the content of email messages coming into and/or going out of email system 102/144. The privacy enforcement circuitry 112 is operable to handle the email messages (e.g., redirect, drop, archive, etc.) based on the results of the analysis. Such handling may include, for example, modifying the content of the email messages (e.g., add text and/or HTML elements, remove text and/or HTML elements, change text formatting, and/or the like) as desired or necessary based on a data privacy policy that is in place. In an example implementation, the data privacy policy is a no-tracking policy applicable to emails meeting determined criteria (e.g., email messages to and/or from particular users. Email messages having particular content in their headers, body, and/or attachments, and/or the like), and the privacy enforcement circuitry 112 performs the process(es) of 
The background message processing circuitry 113 is operable to scan an email message and/or external content associated with email message in parallel with the email message being processed by privacy enforcement circuitry 112 and message storage handling circuitry 114. In this manner, background message processing circuitry 113 may continue to analyze a copy of an email message and/or external content associated with the email message after the email message has been placed in its recipient(s) inbox(es). An example operation of the background message processing circuitry 113 is described below with reference to 
The message storage handling circuitry 114 is operable to store email messages and metadata pertaining to the email messages to storage circuitry 108. The message storage handling circuitry 114 is operable to retrieve email messages and metadata pertaining to the email messages from storage circuitry 108.
The content caching circuitry 115 is operable to store and serve content embedded in, linked to by, and/or attached to email messages sent and/or received by the email system 102/144. The content may be cached at a location identified by a unique uniform resource locator (URL) accessible via one or more networking protocols (e.g., FTP, HTTP/HTTPS, RDMA, etc.). The content may be cached at a location identified by a unique file path and file name and accessible via one or more local memory access protocols (e.g., POSIX commands of a local operating system). In an example implementation, the content caching circuitry 115 retrieves content from a first URL (e.g., a URL extracted from an incoming and/or outgoing email message by the privacy enforcement circuitry 112), stores the content in storage circuitry 108, and makes the stored content accessible via a second URL (e.g., a URL generated by the privacy enforcement circuitry 112).
The analytics and reporting circuitry 117 is operable collect, analyze, and generate data and/or metadata extracted from, and/or generated based on, email messages received and/or sent by the email system 102/144.
  
The email message parsing circuitry 204 is operable to scan email message contents (SMTP envelope, message headers, message body, and attachments) for tracking code suspects (e.g., raw binary and/or encoded content containing predefined strings and/or matching predefined regular expressions), and, upon finding a tracking code suspect, pass the tracking code suspects to the tracking suspect analyzer circuitry 202.
The tracking suspect analyzer circuitry 202 is operable to apply a tracking code identification algorithm to the tracking code suspects received from the email message parsing circuitry 204 to determine, for each suspect, whether it is in-fact a tracking code. The tracking suspect analyzer circuitry 202 may also be operable to characterize identified tracking code. Such characteristics may include, for example: a vendor or organization associated with particular tracking code; amount and/or type of information revealed by the tracking code; risk level associated with the tracking code, and/or the like.
In an example implementation, tracking code suspects may include <img> HTML elements, and the tracking suspect analyzer circuitry 202 determines whether a suspect is in-fact tracking code based on characteristics of the <img> element. Such characteristics may include, for example, one or more of: the size of the <img> element (e.g., <img> elements with size below some threshold number of pixels may be more likely to be identified as tracking code); transparency of the <img> element (e.g., <img> elements having a transparency attribute that is above a determined threshold may be more likely to be identified as tracking code); color(s) of the <img> element (e.g., <img> elements that are the same as or similar to a background color may be more likely to be flagged as tracking code); randomness of a URL of the <img> element (e.g., <img> elements having URLs with long strings of hexadecimal characters not having dictionary entries may be more likely to be identified as tracking code); length of a URL of the <img> element (e.g., <img> elements having very long URLs may be more likely to be identified as tracking code); presence of particular word(s) or regular expressions in a URL of the <img> element; any aliases or IP address(es) associated with a URL of the <img> element in a DNS records (e.g., the tracking suspect analyzer circuitry 202 may be operable to perform DNS lookups); a URL to which a URL of the <img> element redirects (e.g., the tracking suspect analyzer circuitry 202 may be operable run a sandboxed web browser via which it attempts to visit the URL and follows any redirects); location of the <img> element within the message body (e.g., <img> elements after the signature of an email message may be more likely to be identified as tracking code); whether and how many times an identical or similar <img> element has been detected (e.g., the same <img> element appearing many times within the same email message or a particular group of email messages may be more likely to be identified as tracking code); and/or based on an image file associated with (e.g., via URL or file path) the <img> element (e.g., previous images having the same file signature were associated with identified tracking code, previous images with the same binary content were associated with identified tracking code, and/or the visible content of the image file as determined by a “machine vision” or pattern recognition algorithm performed on the image by the tracking suspect analyzer circuitry 202).
In an example implementation, tracking code suspects may include <a> HTML elements, and the tracking suspect analyzer circuitry 202 may determine whether a suspect is in-fact tracking code based on characteristics of the <a> element. Such characteristics may, for example, include one or more of: randomness of a URL of the <a> element (e.g., <a> elements having URLs with long strings of hexadecimal characters not having dictionary entries may be more likely to be identified as tracking code); length of a URL of the <a> element (e.g., <a> elements having very long URLs may be more likely to be identified as tracking code); presence of particular word(s) or regular expressions in a URL of the <a> element; any aliases or IP address(es) associated with a URL of the <a> element in a DNS records; and/or a URL to which a URL of the <a> element redirects (e.g., the tracking suspect analyzer circuitry 202 may be operable run a sandboxed web browser via which it attempts to visit the URL).
In an example implementation, tracking code suspects may include any <script> HTML elements, and the tracking suspect analyzer circuitry 202 may determine whether a suspect is in-fact tracking code based on characteristics of the <script> element. Such characteristics may include one or more of: randomness of a URL of the <script> element (e.g., <script> elements having URLs with long strings of hexadecimal characters may be more likely to be identified as tracking code); length of a URL of the <script> element (e.g., <script> elements having very long URLs may be more likely to be identified as tracking code); presence of particular word(s) or regular expressions in a URL of the <script> element; any aliases or IP address(es) associated with a URL of the <script> element in a DNS records; and/or a URL to which a URL of the <script> element redirects (e.g., the tracking suspect analyzer circuitry 202 may be operable run a sandboxed web browser via which it attempts to visit the URL).
In an example implementation, tracking code suspects may include <link> HTML elements, and the tracking suspect analyzer circuitry 202 may determine whether a suspect is in-fact tracking code based on characteristics of the <link> element. Such characteristics may include one or more of: randomness of a URL of the <link> element (e.g., <link> elements having URLs with long strings of hexadecimal characters may be more likely to be identified as tracking code); length of a URL of the <link> element (e.g., <a> elements having very long URLs may be more likely to be identified as tracking code); presence of particular word(s) or regular expressions in a URL of the <link> element; any aliases or IP address(es) associated with a URL of the <link> element in a DNS records; and/or a URL to which a URL of the <link> element redirects (e.g., the tracking suspect analyzer circuitry 202 may be operable run a sandboxed web browser via which it attempts to visit the URL).
The content cache interface circuitry 206 is operable to: (1) receive, from the tracking suspect analyzer circuitry 202, a first URL pointing to a location at which content (e.g., images, videos, etc.) is stored, and a second URL via which the content is to be accessible when cached in the email system 102/144; and (2) provide the first URL, and the second URL to the content caching circuitry 115 for caching of the content.
The analytics and reporting interface circuitry 208 is operable to convey data and metadata from the email message parsing circuitry 204 and/or the suspect analyzer circuitry 202 to the analytics and reporting circuitry 117. Such data and/or metadata may include, for example: number of email messages processed by email message parsing circuitry 204; number of suspects found by email message parsing circuitry 204; number of tracking code suspects identified as tracking code by tracking suspect analyzer circuitry 202; categorizations/characteristics of tracking code identified by tracking suspect analyzer circuitry 202; and/or the like.
The message modification circuitry 210 is operable to modify headers, message bodies, and/or attachments of email messages processed by the privacy enforcement circuitry 112. The modification of an email message header may comprise, for example, adding a header, removing a header, modifying a header. The modification of an email message body may comprise, for example, adding text, adding an HTML element (e.g., an <img> HTML element having a URL that points to a location in the email system 102/144), modifying text, modifying an HTML element, removing text, and/or removing an HTML element. The modification of an email message attachment may comprise, for example, adding text, adding an HTML element, modifying text, modifying an HTML element, removing text, and/or removing an HTML element.
  
  
In block 404, the privacy enforcement circuitry 112 begins scanning the email message 306.
In block 405, the privacy enforcement circuitry 112 determines whether the sender of the email has previously been whitelisted (e.g., via the interface described below with reference to 
In block 406, each time tracking code is detected during the scan of the email message then the process advances to block 408.
In block 408, the identified tracking code is logged. This may comprise, for example, passing the tracking code and/or characteristics of the tracking code to analytics and reporting circuitry 117 where it is added to a database. In an example implementation, the privacy enforcement circuitry 112 may flag the email message 306 as having been tracked by the sender (e.g., add the text “tracked” to the subject line and/or message body).
In block 409, the privacy enforcement circuitry 112 determines whether the tracking code has previously been whitelisted (e.g., whitelisted via the interface described below with reference to 
In block 410, if the tracking code identified in block 406 is not associated with external content, then the process advances to block 412 in which the tracking code is removed from the email. After block 410, the process returns to block 406 and the scanning continues looking for more tracking code in the email message.
Returning to block 410, if the tracking code identified in block 406 is associated with external content (e.g., a tracked <img>, <a>, <scripts>, or <link> element having a URL pointing to an external content), then the process advances to block 414.
In block 414, the message modification circuitry 210 replaces the tracking code detected in block 406 with an untracked reference to the external content. For example, the tracking code may comprise an <img> element with a first URL, and the message modification circuitry 210 may replace the first URL with a second URL. The second URL may point to a copy of the external content which has been cached by content caching circuitry 115.
For example, referring briefly to 
In an example implementation, a replacement URL inserted by message modification circuitry 210 may comprise the original URL appended to or concatenated with a URL that points to a location under common control with the email system 102/144. The original URL may be appended as a query string, as one or more path element (path elements are separated by forward slashes), or as a combination of a path element(s) and query string. To illustrate, assume an original URL of www.y.com/image12345, then a corresponding replacement URL may be, for example: www.x.com/y/com/image12345 or www.x.com?y.com/image12345. In an example implementation, the replacement URL may comprise an API key assigned to x.com (the domain associated with email system 102/144). For example, assuming an API key of “1811WN” the replacement URL may be www.x.com/y/com/image12345/1811WN or www.x.com?y.com/image12345/1811WN. In an example implementation, a portion of the replacement URL may be hashed or encoded using a key uniquely associated with x.com (the domain associated with email system 102/144). For example, first the original URL and an API key may be appended to a URL controlled by the owners of x.com (e.g., www.x.com/y/com/image12345/1811WN or www.x.com?y.com/image12345/1811WN), and then a portion of the URL may be hashed or encrypted (e.g., www.x.com/y/com/image12345/1811WN becomes www.x.com/4eYTRDhhy432%{circumflex over ( )}3, or www.x.com?y.com/image12345/1811WN becomes www.x.com?7DgeEF3$#$% d8y).
Returning to 
In block 418, the privacy enforcement circuitry 112 issues a request to the content caching circuitry 115 for the content caching circuitry 115 to download the external content and cache it. The privacy enforcement circuitry 112 may provide a first URL from which to retrieve the external content, and a second URL via which the cached content can be accessed. After block 418, the process returns to block 406 and the scanning continues looking for more tracking code in the email message. In an example implementation in which the content cache is in remote email subsystem 144 and the privacy enforcement circuitry 112 is in local email subsystem 102, the content cache interface circuitry 206 may queue up a plurality of URLs corresponding to content to be cached. The plurality of queued URLs may then be sent to the content caching circuitry 115 in a single request.
Returning to block 406, if no more tracking code is detected in the email message, then the process advances to block 420.
In block 420, the message, after having all tracking code removed or replaced, is passed to message storage handling circuitry 114, at which point it becomes available in its x.com recipient(s)′ mailbox(es).
In block 422, data and/or metadata is passed to the analytics and reporting circuitry 117. Such data may include, for example, headers of the email message 306 and content and/or characteristics of tracking code detected in the email message 306 (e.g., URLs and/or HTML elements of the tracking code).
  
Removing tracking code and/or tracking code suspects from email message 306 before the email message reaches the inbox(es) of its intended x.com recipient(s) (the x.com RCPT TO recipient(s) as set by the sender's MUA), as done in the processes of 
  
In block 604, email message 306 is passed, via connection handler circuitry 110, to the email client 120.
In block 606, the email client 120 issues a command (e.g., an HTTP GET command) to fetch the image pointed to by the replacement URL.
In block 608, the content caching circuitry 115 receives the request from the email client 120, retrieves the image from storage 108, and sends the content to the email client (e.g., in an HTTP response).
In block 610, the email client 120 receives the image and presents it in the body of the email message 306. Because content caching circuitry 115 (and not email client 120) retrieved the image from the original URL, and because any subsequent requests for the image (whether by the same email client 120 or a different email client 120) will be served by content caching circuitry 115, the host of the original URL (and thus the sender of the email message 306) does not see: the type of device on which email client 120 is running, the location of the email client 120, the time that the email client 120 read the email message 306, or how many times email client 120 opened the email message 306.
In some instances, the content caching circuitry 115 may not yet have had a chance to retrieve and cache the image. In such instances, the content caching circuitry 115 may retrieve the image from the location pointed to by the original URL (which may be included in the HTTP GET command as, for example, a query string of the requested URL), cache the content at a location pointed to by the replacement URL, then send the response with the image to the email client 120.
In 
  
  
The cell in each row of column 906 holds the receipt date of the email message corresponding to the row. The email system 102/144 may have extracted the receipt date from the SMTP envelope and/or headers of the email message.
The cell in each row of column 908 holds the sender of the email message corresponding to the row. The email system 102/144 may have extracted the sender information from the SMTP envelope and/or headers of the email message.
The cell in each row of column 910 holds the subject line of the email message corresponding to the row. The email system 102/144 may have extracted the subject line from the headers of the email message.
In other embodiments, other columns similar to 906, 908, and 910 may be present and may hold other information extracted from the SMTP envelope, email message headers, email message body, and/or email message attachments.
The cell in each row of column 912 contains an interface element (e.g., a checkbox) that enables a user of the dashboard to add the sender of the email message to a whitelist. For example, checking the box in column 912 and row 918 may prevent the privacy enforcement circuitry 112 from removing or replacing tracking code in future emails from F@Z.com. In another example implementation, the dashboard may provide interface elements for whitelisting by domain (e.g., not replacing or removing tracking code from any sender with an @Z.com email address).
In another example implementation, the dashboard may comprise another or different table in which each row corresponds to an instance of identified tracking code. Such a table may show allow whitelisting or blacklisting particular tracking code or class/group of tracking code (e.g., whitelisting or blacklisting by domain, subdomain, and/or path elements).
The cell in each row of column 916 indicates a characterization of the corresponding email message. In the example shown, the characterization is a categorization of tracking code detected in the email message, where the categories are: individually targeted tracking code, behavioral marketing tracking code, and bulk marketing tracking code. This characterization may be determined based on, for example, the features provided by the tool which generated the tracking code (e.g., whether the tool provides information on location of the recipient at the time of open). In another example implementation, the characterization may be a risk level of the email message determined based on, for example, the sender (or just the sender's domain), the category of tracking code, and/or content of the message headers and/or body.
  
Now referring to 
In block 1104, the privacy enforcement circuitry 112 informs the content caching circuitry 115 of the inserted image and the unique URL. The content caching circuitry 115 associates the unique URL with an already-cached first image.
In block 1106, the process monitors for a change in status of the email message 306.
In block 1108, in response to a change in status of the email message 306, the unique URL is associated with an already-cached second image instead of the first image.
Through use of an <img> element in the body of the email, the status of the email message 306 will be seen by the user regardless of which email client 120 she happens to open the email on—there is no reliance on a particular browser or plugin, for example. In serving the first image or second image, the content caching circuitry 115 may indicate to the email client 120 that the image is not to be cached such that the email client 120 will fetch the latest image associated with the unique URL each time the email message 306 is opened.
In an example implementation, the change in status of the email message 306 the email message 306 either being flagged as a phishing attempt or not a phishing attempt upon the completion of a phishing analysis by the background processing circuitry 113. That is, the phishing analysis may take an amount of time that is longer than it is desired to delay delivery of the email message to the x.com recipient(s)′ inbox(es). Accordingly, the email message 306 may be conveyed to background message processing circuitry 113 and to the message storage handling circuitry 114 in parallel. The first image may indicate through imagery (e.g., caution sign with caption “under review”) that the scan is incomplete. The second image may indicate that the email is not a phishing attempt (e.g., the second image may be a green check mark) or may indicate that the email is likely a phishing attempt (e.g., a red x with the caption “phishing attempt”). In this manner, if the user opens the email message 306 and sees the first image, she knows to wait for the analysis to complete before interacting with the email. In one implementation, the message may instruct the recipient to close the email message and reopen it later, so that a new image fetch will be triggered to fetch the image containing the text of the analysis. If the user opens the email message 306 and sees the second image indicating that the email is not a phishing attempt, she knows she that interacting with the email is low risk. If the user opens the email if the user opens the email message 306 and sees the second image indicating that the email is a phishing attempt, she knows to delete it and/or report it.
In accordance with an example implementation of this disclosure, a system comprises email message parsing circuitry (e.g., 204), tracking code suspect analyzer circuitry (e.g., 202), and message modification circuitry (e.g., 210). The email message parsing circuitry is operable to, after reception of an email message via a SMTP connection (e.g., via connection handler circuitry 110) and prior to the email message being made available in an inbox of a recipient of the email message (e.g., the recipient indicated in the RCPT TO command of the SMTP exchange), scan the email message to extract a tracking code suspect. The tracking code suspect analyzer circuitry is operable to analyze the tracking code suspect to determine, based on one or more characteristics of the tracking code suspect, whether the tracking code suspect is tracking code and, upon a determination that the tracking code suspect is tracking code, notify the message modification circuitry. The message modification circuitry is operable to replace the tracking code suspect in the email message with replacement content. The one or more characteristics of the tracking code suspect may comprise a transparency attribute and/or size attribute of an image associated with the tracking code suspect. The one or more characteristics of the tracking code suspect may comprise a uniform resource locator (URL) of the tracking code suspect. The one or more characteristics of the tracking code suspect may comprise a particular domain or subdomain in a uniform resource locator (URL) of the tracking code suspect. The one or more characteristics of the tracking code suspect may comprise a particular query string in a uniform resource locator (URL) of the tracking code suspect. The one or more characteristics of the tracking code suspect may comprise a particular path element or combination of path elements in a uniform resource locator (URL) of the tracking code suspect. The one or more characteristics of the tracking code suspect may comprise a domain or Internet Protocol (IP) corresponding to a uniform resource locator (URL) of the tracking code suspect. The one or more characteristics of the tracking code suspect may comprise a length, in number of alphanumeric characters, of the tracking code suspect. The one or more characteristics of the tracking code suspect may comprise characteristics of visible content of an image associated with the tracking code suspect. The characteristics of the visible content of the image may comprise color variation among pixels of the image. The one or more characteristics of the tracking code suspect may comprise presence of a particular substring in a uniform resource locator (URL) of the tracking code suspect. The one or more characteristics of the tracking code suspect may comprise a uniform resource locator (URL) of the tracking code suspect being a match for a particular regular expression. The tracking code suspect may comprise a first uniform resource locator (URL). The replacement content may comprise a second URL. The second URL may comprise the first URL as a query string. The second URL may comprise the first URL as one or more path elements. The system may comprise content cache interface circuitry (e.g., 206) operable to send the second URL to content caching circuitry. The system may comprise content caching circuitry (e.g., 115), and the content caching circuitry may be operable to fetch content from the first URL and store the content at a location pointed to by the second URL. 19. The system may comprise reporting circuitry. The tracking code suspect analyzer circuitry may be operable to determine which one of a plurality of categories (e.g., individually targeted, behavioral marketing, or bulk marketing; or “high risk, medium risk, or low risk) to assign to identified tracking code based on a domain or IP address associated with the identified tracking code, and assign the one of the plurality of categories to the identified tracking code. The system may comprise analytics and reporting circuitry (e.g., 117) is operable to generate a report (e.g., dashboard of 
  
In the example of 
Using an image map instead of an anchor tag enables the text and/or imagery of the hyperlinks to be dynamically set after the email has already been sent (and the HTML markup is fixed). This is achieved through dynamic selection of which image to serve in response to a request for https://x.com/status_[uniqueID]. This provides the ability to hide and disable (to prevent inadvertent clicks) the hyperlink in instances that there turns out to be no need for the hyperlinks (e.g., because analysis of the email message 306 determines that no informational or warning messages are warranted). This can be achieved by serving, in response to a request for https://x.com/status_[uniqueID], an image that does not contain the regions which the map in the html indicates are hyperlinks (i.e., the image is smaller than where the mapped regions begin).
In some instances, where image maps are not supported by the user's email client, an anchor tag around the image may be used instead. For example, the system may maintain a database (such as described in co-pending Ser. No. 16/214,716, which is hereby incorporated herein by reference in its entirety) that keeps track of the email client that a user typically uses and may decide whether to use image maps or anchor tags based on that user's typical email client. The user may be able to set image format preferences through a web-based interface.
  
  
As shown in 
  
The analysis results may indicate, for example, whether the message is from a trusted sender, whether the message is a marketing message, a likelihood that the message is malicious, whether the message is from a newly registered domain, whether the sender of the message is a close misspelling of another sender, and/or the like.
The recipient feedback may be generated in response to recipient interactions with hyperlinks such as those in the regions 1330 and 1332. The recipient feedback may comprise, for example, which recipients marked the message as one or more of: safe (i.e., not malicious), a phishing attempt, spam, marketing, from unknown sender, an account notification, a subscribed newsletter, and/or the like.
In accordance with an example implementation, a message handling system (e.g., 102/144) comprising connection handler circuitry (e.g., 110), message parsing circuitry (e.g., 204), message modification circuitry (e.g., 210), message processing circuitry (e.g., 112 and/or 113), and content caching circuitry (e.g., 115), wherein the message parsing circuitry is operable to extract one or more headers (e.g., sender address, recipient address(es), subject line, and/or other headers) and/or content (e.g., plain text and/or HTML) of a received message (e.g., an email message, SMS message, MMS message, a message on a service such as Slack or Microsoft Teams, and/or the like). The message modification circuitry is operable to generate a modified message by inserting, into the message, an HTML tag (e.g., 1011) comprising a first unique uniform resource locator (URL). The connection handler circuitry is operable to send the modified message to a device that handles messages for the recipient (e.g., an email server, an SMS server, a server of a messaging service such as Slack or Teams, and/or the like). The message processing circuitry is operable to analyze the one or more headers and/or content. The message processing circuitry is operable to determine which image of a plurality of images to serve in response to a request containing the first unique URL, wherein the determination is based on the analysis of the one or more headers and/or content. The content caching circuitry is operable to serve the determined image. The message processing circuitry may be operable to serve a first image of the plurality of images (e.g., 1302) while the analysis is in progress and to serve a second image (e.g., 1304) of the plurality of images after the analysis is complete. The first image of the plurality of images may indicate that the analysis is in progress; and the second image of the plurality of images may indicate that the analysis is complete. The second image may indicate a result of the analysis. The result of the analysis may be a determined risk level of the message (e.g., whether the message is high, medium, or low risk of being a phishing attempt). The send may be performed before the analysis is complete. The HTML element may comprise a hyperlink (e.g., in an anchor tag or image map) that, when clicked, triggers a send of feedback about the message to the message handling system. The message processing circuitry is operable to: before reception of the feedback in response to an interaction with the hyperlink, determine to serve a first image (e.g., 1304) of the plurality of images; and after reception of the feedback in response to an interaction with the hyperlink, determine to serve a second image (e.g., 1306) of the plurality of images. The first image may comprise a first message and the second image may comprise a second message. The second image may comprises a message corresponding to the received feedback (e.g., “this message has been marked as spam,” “John marked this message safe,” etc.).
As utilized herein the terms “circuits” and “circuitry” refer to physical electronic components (i.e. hardware) and any software and/or firmware (“code”) which may configure the hardware, be executed by the hardware, and or otherwise be associated with the hardware. As used herein, for example, a particular processor and memory may comprise a first “circuit” when executing a first one or more lines of code and may comprise a second “circuit” when executing a second one or more lines of code. As utilized herein, “and/or” means any one or more of the items in the list joined by “and/or”. As an example, “x and/or y” means any element of the three-element set {(x), (y), (x, y)}. In other words, “x and/or y” means “one or both of x and y”. As another example, “x, y, and/or z” means any element of the seven-element set {(x), (y), (z), (x, y), (x, z), (y, z), (x, y, z)}. In other words, “x, y and/or z” means “one or more of x, y and z”. As utilized herein, the term “exemplary” means serving as a non-limiting example, instance, or illustration. As utilized herein, the terms “e.g.,” and “for example” set off lists of one or more non-limiting examples, instances, or illustrations. As utilized herein, circuitry is “operable” to perform a function whenever the circuitry comprises the necessary hardware and code (if any is necessary) to perform the function, regardless of whether performance of the function is disabled or not enabled (e.g., by a user-configurable setting, factory trim, etc.).
Some implementations may comprise a non-transitory machine-readable (e.g., computer readable) medium (e.g., FLASH drive, optical disk, magnetic storage disk, or the like) having stored thereon one or more lines of code executable by a machine, thereby causing the machine to perform processes as described herein. The machine-readable medium may be accessible via a network (e.g., the Internet) such that when the code is downloaded and installed on local machines, the local machines are configured into a system as described in this disclosure, and when the code is executed by such system, the system performs processes described in this disclosure.
While the present method and/or system has been described with reference to certain implementations, it will be understood by those skilled in the art that various changes may be made and equivalents may be substituted without departing from the scope of the present method and/or system. In addition, many modifications (e.g., re-ordering of flowchart blocks) may be made to adapt a particular situation or material to the teachings of the present disclosure without departing from its scope. Therefore, it is intended that the present method and/or system not be limited to the particular implementations disclosed, but that the present method and/or system will include all implementations falling within the scope of the appended claims.
This application is a continuation of U.S. patent application Ser. No. 16/524,322 filed on Jul. 29, 2019, which is a continuation-in-part of U.S. patent application Ser. No. 16/150,694 filed on Oct. 3, 2018 (now 10,841,262), which is a continuation-in-part of U.S. patent application Ser. No. 15/613,343 filed on Jun. 5, 2017 (now U.S. Pat. No. 10,187,342), which is a continuation of Ser. No. 15/285,797 filed on Oct. 5, 2016 (now U.S. Pat. No. 9,674,129). Each of the above-mentioned applications is hereby incorporated herein by reference.
| Number | Name | Date | Kind | 
|---|---|---|---|
| 5771355 | Kuzma | Jun 1998 | A | 
| 5781901 | Kuzma | Jul 1998 | A | 
| 5903723 | Beck | May 1999 | A | 
| 6275850 | Beyda | Aug 2001 | B1 | 
| 6377978 | Nguyen | Apr 2002 | B1 | 
| 6430624 | Jamtgaard | Aug 2002 | B1 | 
| 6493751 | Tate | Dec 2002 | B1 | 
| 6505237 | Beyda | Jan 2003 | B2 | 
| 6618747 | Flynn | Sep 2003 | B1 | 
| 6650890 | Irlam | Nov 2003 | B1 | 
| 6871236 | Fishman | Mar 2005 | B2 | 
| 6978276 | Demsky | Dec 2005 | B2 | 
| 7007066 | Malik | Feb 2006 | B1 | 
| 7025209 | Hawkins | Apr 2006 | B2 | 
| 7035902 | Bates | Apr 2006 | B1 | 
| 7054905 | Hanna | May 2006 | B1 | 
| 7092993 | Goldberg | Aug 2006 | B2 | 
| 7109985 | Spencer | Sep 2006 | B2 | 
| 7113948 | Jhingan | Sep 2006 | B2 | 
| 7146402 | Kucherawy | Dec 2006 | B2 | 
| 7257639 | Li | Aug 2007 | B1 | 
| 7305430 | Choubey | Dec 2007 | B2 | 
| 7353536 | Morris | Apr 2008 | B1 | 
| 7403983 | Ueno | Jul 2008 | B2 | 
| 7421514 | Lee | Sep 2008 | B2 | 
| 7457955 | Seshadri | Nov 2008 | B2 | 
| 7529802 | Nelson | May 2009 | B2 | 
| 7730140 | Braun | Jun 2010 | B2 | 
| 7831669 | Braun | Nov 2010 | B2 | 
| 7958555 | Chen | Jun 2011 | B1 | 
| 8051483 | Fang | Nov 2011 | B2 | 
| 8073910 | Tokuda | Dec 2011 | B2 | 
| 8073912 | Kaplan | Dec 2011 | B2 | 
| 8180833 | Braun | May 2012 | B2 | 
| 8180834 | Kay | May 2012 | B2 | 
| 8201247 | Chen | Jun 2012 | B1 | 
| 8209222 | Esclamada | Jun 2012 | B2 | 
| 8214497 | Alperovitch | Jul 2012 | B2 | 
| 8396932 | Pattekar | Mar 2013 | B2 | 
| 8402546 | Greenshpon | Mar 2013 | B2 | 
| 8407292 | Grosu | Mar 2013 | B2 | 
| 8458269 | Friedman | Jun 2013 | B2 | 
| 8544090 | Chen | Sep 2013 | B1 | 
| 8560614 | Morrey | Oct 2013 | B2 | 
| 8566243 | Bharathula | Oct 2013 | B1 | 
| 8607361 | Gillum | Dec 2013 | B2 | 
| 8769663 | Fang | Jul 2014 | B2 | 
| 8826432 | Dabbiere | Sep 2014 | B2 | 
| 8850524 | Morris | Sep 2014 | B2 | 
| 8856246 | Post | Oct 2014 | B2 | 
| 8943585 | Akase | Jan 2015 | B2 | 
| 9027037 | Sato | May 2015 | B2 | 
| 9047459 | Lu | Jun 2015 | B2 | 
| 9137185 | Costenaro | Sep 2015 | B2 | 
| 9165285 | Schultz | Oct 2015 | B2 | 
| 9203650 | Malcolm | Dec 2015 | B2 | 
| 9203849 | Hunt | Dec 2015 | B2 | 
| 9225704 | Johansson | Dec 2015 | B1 | 
| 9355244 | Liu | May 2016 | B2 | 
| 9374369 | Mahaffey | Jun 2016 | B2 | 
| 9559997 | Everton | Jan 2017 | B1 | 
| 9576154 | Ramesh | Feb 2017 | B2 | 
| 9602540 | Johansson | Mar 2017 | B1 | 
| 9654431 | Johansson | May 2017 | B1 | 
| 9674129 | Everton | Jun 2017 | B1 | 
| 9710814 | Gorny | Jul 2017 | B2 | 
| 9749360 | Irimie | Aug 2017 | B1 | 
| 9760616 | Terada | Sep 2017 | B2 | 
| 9824332 | Everton | Nov 2017 | B1 | 
| 9847973 | Jakobsson | Dec 2017 | B1 | 
| 9860202 | Everton | Jan 2018 | B1 | 
| 10049207 | Ramesh | Aug 2018 | B2 | 
| 10050917 | Alperovitch | Aug 2018 | B2 | 
| 10096001 | Everton | Oct 2018 | B1 | 
| 10135677 | Hankins | Nov 2018 | B1 | 
| 10187342 | Everton | Jan 2019 | B2 | 
| 10243989 | Ding | Mar 2019 | B1 | 
| 10298565 | Zhang | May 2019 | B2 | 
| 10326723 | Everton | Jun 2019 | B2 | 
| 10410218 | Gorny | Sep 2019 | B2 | 
| 10459602 | Everton | Oct 2019 | B2 | 
| 10574696 | Celik | Feb 2020 | B2 | 
| 10594645 | Tokuda | Mar 2020 | B2 | 
| 10841262 | Everton | Nov 2020 | B2 | 
| 10893009 | Everton | Jan 2021 | B2 | 
| 10904186 | Everton | Jan 2021 | B1 | 
| 10979393 | Everton | Apr 2021 | B2 | 
| 11005798 | Everton | May 2021 | B2 | 
| 20010054073 | Ruppert | Dec 2001 | A1 | 
| 20020091538 | Schwartz | Jul 2002 | A1 | 
| 20030014671 | Henson | Jan 2003 | A1 | 
| 20030055867 | King | Mar 2003 | A1 | 
| 20030115273 | Delia | Jun 2003 | A1 | 
| 20050193075 | Haff | Sep 2005 | A1 | 
| 20060031309 | Luoffo | Feb 2006 | A1 | 
| 20060031352 | Marston | Feb 2006 | A1 | 
| 20060168012 | Rose | Jul 2006 | A1 | 
| 20070083670 | Kelley | Apr 2007 | A1 | 
| 20070180035 | Liu | Aug 2007 | A1 | 
| 20080028028 | Chismark | Jan 2008 | A1 | 
| 20080168146 | Fletcher | Jul 2008 | A1 | 
| 20080244021 | Fang | Oct 2008 | A1 | 
| 20090112995 | Addae | Apr 2009 | A1 | 
| 20090313342 | Thie | Dec 2009 | A1 | 
| 20100011077 | Shkolnikov | Jan 2010 | A1 | 
| 20100287246 | Klos | Nov 2010 | A1 | 
| 20110296003 | McCann | Dec 2011 | A1 | 
| 20120167174 | Saxena | Jun 2012 | A1 | 
| 20120167233 | Gillum | Jun 2012 | A1 | 
| 20120296988 | Rao | Nov 2012 | A1 | 
| 20130204952 | Everton | Aug 2013 | A1 | 
| 20130205022 | Kagan | Aug 2013 | A1 | 
| 20130297747 | Everton | Nov 2013 | A1 | 
| 20140280594 | Everton | Sep 2014 | A1 | 
| 20140358521 | Mikutel | Dec 2014 | A1 | 
| 20150058429 | Liu | Feb 2015 | A1 | 
| 20150227861 | Everton | Aug 2015 | A1 | 
| 20170034091 | Egilmez | Feb 2017 | A1 | 
| 20170063764 | Lindley | Mar 2017 | A1 | 
| 20170187701 | Bonnell | Jun 2017 | A1 | 
| 20180091453 | Jakobsson | Mar 2018 | A1 | 
| 20180097761 | Everton | Apr 2018 | A1 | 
| 20180115504 | Everton | Apr 2018 | A1 | 
| 20180152471 | Jakobsson | May 2018 | A1 | 
| 20180375877 | Jakobsson | Dec 2018 | A1 | 
| 20190020682 | Edwards | Jan 2019 | A1 | 
| 20190036859 | Everton | Jan 2019 | A1 | 
| 20190199745 | Jakobsson | Jun 2019 | A1 | 
| 20190279222 | Gorny | Sep 2019 | A1 | 
| 20190392454 | Gorny | Dec 2019 | A1 | 
| 20200004989 | Lockhart, III | Jan 2020 | A1 | 
| 20210126882 | Everton | Apr 2021 | A1 | 
| 20210211410 | Everton | Jul 2021 | A1 | 
| Number | Date | Country | |
|---|---|---|---|
| 20210211398 A1 | Jul 2021 | US | 
| Number | Date | Country | |
|---|---|---|---|
| Parent | 16524322 | Jul 2019 | US | 
| Child | 17211806 | US | 
| Number | Date | Country | |
|---|---|---|---|
| Parent | 16150694 | Oct 2018 | US | 
| Child | 16524322 | US | |
| Parent | 15613343 | Jun 2017 | US | 
| Child | 16150694 | US | |
| Parent | 15285797 | Oct 2016 | US | 
| Child | 15613343 | US |