Patent Grant
7647376
The present invention relates generally to electronic mail (‘e-mail’), and more specifically, to a method and system for identifying and reporting SPAM e-mail messages.
Unsolicited bulk e-mail, commonly referred to as “SPAM”, is increasingly becoming a nuisance to computer users. SPAM itself is not illegal, however, the content of some messages may violate laws or the SPAM initiator's contract with his Internet Service Provider (ISP). SPAM e-mail is generally defined as an unsolicited mailing, usually to a large number of people. SPAM can be very annoying to the recipient because it interrupts other activities, consumes system resources, and requires active efforts by recipients who want to dispose of these unwanted messages.
SPAM is also an increasing problem for Internet service providers and entities with easily identifiable e-mail addresses such as large corporations. ISPs object to junk mail because it reduces their users' satisfaction of the services. Corporations want to eliminate junk mail because it reduces worker productivity. SPAM impacts organizations by occupying employees' time and increasing security risks. Time is spent by employees to open each message, classify it as legitimate or junk e-mail, and delete the message. Time may also be spent by employees following up on advertising content while on the job. Employees may also be deceived into acting improperly, such as to release confidential information, due to a forged message. There is also a loss of the network administrator's time in dealing with SPAM and forged messages, as well as the use of network bandwidth, disk space, and system memory required to store the messages. Also, in the process of deleting junk mail, users may inadvertently discard or overlook other important messages. Another objection to SPAM is that it is frequently used to advertise objectionable, fraudulent, or dangerous content, such as pornography or to propagate financial scams such as illegal pyramid schemes.
The person or organization that generates the junk mail (referred to as a ‘spammer’) often gets around filtering methods by using a different e-mail address for each mailing or forwarding his e-mail by way of an intermediary to conceal the actual origin. Instead of mailing directly from an easily traced account at a major Internet service provider, spammers may, for instance, send their e-mail from a SPAM-friendly network, using forged headers, and relay the message through intermediate hosts. However, the e-mail message often contains an actual web site that relates to the message so that the recipient can find additional information on the advertised product or service. No action can be taken against the person or organization that generates the junk mail unless that person or organization is identified and someone reports the problem to the relevant authority.
There is, therefore, a need for a system and method for identifying and reporting SPAM to the appropriate authority so that the authority can take action to prevent the spammer from distributing further unsolicited e-mail.
A method and system for generating a report on an unsolicited electronic message and sending the report to the relevant authority are disclosed.
A method of the present invention generally comprises receiving an electronic mail message and determining whether the electronic message is an unsolicited message. If the message is an unsolicited message, it is examined to identify a network address relating to the message and an authority hosting the network address. A report is then generated containing the identified network address and the hosting authority.
The generated report is sent to the hosting authority or to a central managed service provider that collects reports and transmits them to the appropriate authority. The reports may also be held and collected over a period of time before they are sent out.
A system of the present invention generally comprises a detector operable to detect a network address within an electronic message identified as an unsolicited message and a host identifier operable to identify an authority hosting the network. The system further includes a report generator operable to generate a report containing the identified network address and hosting authority and a storage medium configured to at least temporarily store the identified network address and hosting authority.
In one embodiment, the system includes a database that contains common words and phrases that can be used in searching for a URL within the message. The host identifier may then use an Internet tool to identify the organization hosting the web site of the URL.
In another aspect of the present invention, a computer product generally comprises code that receives an electronic mail message and determines whether the electronic message is an unsolicited message. The product further includes code that examines the message to identify a network address relating to the message if the message is an unsolicited message and code that identifies an authority hosting the network address and generates a report containing the identified network address. A computer readable medium is provided to store the computer codes.
The above is a brief description of some deficiencies in the prior art and advantages of the present invention. Other features, advantages, and embodiments of the invention will be apparent to those skilled in the art from the following description, drawings, and claims.
Corresponding reference characters indicate corresponding parts throughout the several views of the drawings.
The following description is presented to enable one of ordinary skill in the art to make and use the invention. Descriptions of specific embodiments and applications are provided only as examples and various modifications will be readily apparent to those skilled in the art. The general principles described herein may be applied to other embodiments and applications without departing from the scope of the invention. Thus, the present invention is not to be limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles and features described herein. For purpose of clarity, details relating to technical material that is known in the technical fields related to the invention have not been described in detail.
The present invention provides a method and system for generating a report upon detection of unsolicited or SPAM electronic mail (‘e-mail’) messages. The report is preferably automatically generated upon detection of an unsolicited e-mail. In one embodiment, the system sends the report to the relevant authority (e.g., Internet Service Provider (ISP) or backbone provider hosting the spammer). The report may be used by the authority to take action if necessary in shutting down a spammer's web site and mail access.
Referring now to the drawings, and first to
In the network shown in
The network may include any number of servers 36 for hosting network sites (web sites). The servers are typically connected to the network at points of presence (POPs), established by network service providers at a variety of geographic locations. A given geographic location, such as a metropolitan area, will typically contain multiple POPs established by different network service providers. Each POP may supply Internet connections to one or more users and servers. The connection between POPs, users, and servers may include any suitable transmission media, including, but not limited to, public telephone lines, T1 lines, T3 lines, dial-up, DSL (Digital Subscriber Line), cable, Ethernet or wireless connections. The computers may be connected over a network such as the Internet, an intranet, a wide area network (WAN), local area network (LAN), or any other type of network. The computers may also be directly connected to one another or any number of other user computers. The computer may be a client computer coupled to an Internet service provider over a SLIP (Serial Line Interface Protocol) or PPP (Point to Point Protocol) connection. The Internet service provider is, in turn, coupled to the Internet, the client computer thereby having the ability to send and receive information to other nodes on the Internet using a TCP/IP protocol (Transmission Control Protocol/Internet Protocol).
It is to be understood that the network configuration and interconnections shown in
E-mail messages that are identified as SPAM by SPAM detector 42 are sent to network address detector 44, which is used to identify the URL (Uniform Resource Locator), or other applicable network address, of a web site pertaining to the message. As previously discussed, much of the information that is included in the SPAM e-mail message is typically spoofed, and therefore cannot be used to identify the true source of the mail. However, it is common for SPAM e-mails to contain URL's of web sites relating to the e-mail message. These are typically valid web sites since they must allow the recipient of the e-mail to follow up on the spammer's offer. The web site may contain, for example, information on how to obtain products or sign up for services advertised in the spammer's original message. The URL may then be used to track the origin of the spammer's e-mail or a web site they are using to sell their product or service.
In addition to locating the URLs within the e-mail, the network address detector 44 is configured to examine the text surrounding the URL to determine the likelihood that the URL is an address of the spammer's web site. For example, text within a SPAM e-mail may include:
The SPAM database 46 also includes a list of known valid (or trusted) senders of e-mails to rule out network addresses that may be present in the legitimate e-mail messages. For example, in the case where a SPAM e-mail was forwarded through an innocent party. The database may be pre-populated, but is preferably updateable by a system administrator to ensure that the SPAM reporting system 40 does not become a nuisance to innocent third parties.
Once a network address is identified, host identifier 48 is used to locate the web server hosting the spammer's web pages. Many Internet service providers require their subscribers to sign contracts that forbid SPAM. It is therefore appropriate to report the SPAM to any service provider whose users originate SPAM. WHOIS, NSlookup, Finger, Telnet, Ping, Traceroute, or any other address tracing tool may be used to identify the ISP and report the problem. NSlookup allows for recovery of the IP address from a domain name. Traceroute demonstrates the route that a packet takes from an arbitrary Internet site to another arbitrary site.
If the URL contains a raw IP address, a reverse DNS (Domain Name Server) lookup may be used to identify the domain name of the web site. Once the domain name is found, a WHOIS lookup may be used to identify the individuals who are involved in maintaining the spammer's Internet domain. The WHOIS report contains various administrative contacts for the owner of the domain, such as shown below:
WHOIS Information for someorg.com
The WHOIS report may also contain additional contact information for parent organizations. For example, if a small ISP is hosted by a larger backbone provider this information may be included in the report. The system administrator may have the option of notifying the organization only, or also notifying the parent organization. As used herein, the term ‘hosting authority’ refers to any organization responsible, either directly or indirectly, for hosting the spammer's web site, domain, or e-mail account.
The report generator 50 uses the hostmaster or postmaster e-mail address provided by the host identifier 48 to generate a report 52 which is sent by e-mail to the hosting authority. The report 52 may include, for example, content of the suspected SPAM e-mail, date and time the e-mail arrived on recipient's server, IP address and name reported during the SMTP connection, and the full WHOIS report used to track down the responsible authority. The IP address and name reported during SMTP connection may be spoofed, but this may be useful in tracking down an open SPAM relay that the spammer is using. The report 52 may also include disclaimer information and user definable text. The e-mail message used to transmit the report 52 to the relevant authority may also be signed to verify the source. It is to be understood that the report may contain less information than noted above or additional information without departing from the scope of the invention.
In order to prevent the SPAM reporting system 40 from becoming a nuisance to the authorities, the system 40 may include a device which restricts the frequency and number of reports sent to any given authority. For example, the information on spammers may be collected and reported only once a month.
The system 40 may also be configured to include one or more central Managed Service Providers (MSPs) which are responsible for collecting information from a number of organizations. Each MSP is responsible for reporting spammers to authorities once enough evidence has been collected from one or more organizations for a particular SPAM threat. The device reduces the chance of multiple organizations sending individual reports, and thus further reduces the possibility of the SPAM reporting system 40 becoming a nuisance itself.
The computer on which the SPAM reporting system is installed may be a stand-alone desktop computer, laptop computer, server, mainframe, or a mobile or handheld computing device (e.g., personal digital assistant (PDA) or mobile phone), for example.
The system bus architecture of computer system 60 is represented by arrows 72 in
Although the present invention has been described in accordance with the embodiments shown, one of ordinary skill in the art will readily recognize that there could be variations made to the embodiments without departing from the scope of the present invention. Accordingly, it is intended that all matter contained in the above description and shown in the accompanying drawings shall be interpreted as illustrative and not in a limiting sense.
This application is a continuation-in-part of an application filed Jul. 26, 2001 under application Ser. No. 09/916,599 U.S. Pat. No. 7,016,939.
| Number | Name | Date | Kind |
|---|---|---|---|
| 5121345 | Lentz | Jun 1992 | A |
| 5509120 | Merkin et al. | Apr 1996 | A |
| 5619648 | Canale et al. | Apr 1997 | A |
| 5623600 | Ji et al. | Apr 1997 | A |
| 5765028 | Gladden | Jun 1998 | A |
| 5832208 | Chen et al. | Nov 1998 | A |
| 5870549 | Bobo, II | Feb 1999 | A |
| 5999932 | Paul | Dec 1999 | A |
| 6047277 | Parry et al. | Apr 2000 | A |
| 6052709 | Paul | Apr 2000 | A |
| 6092101 | Birrell et al. | Jul 2000 | A |
| 6199102 | Cobb | Mar 2001 | B1 |
| 6330590 | Cotten | Dec 2001 | B1 |
| 6356935 | Gibbs | Mar 2002 | B1 |
| 6393465 | Leeds | May 2002 | B2 |
| 6421709 | McCormick et al. | Jul 2002 | B1 |
| 6453327 | Nielsen | Sep 2002 | B1 |
| 6609081 | de Varennes et al. | Aug 2003 | B1 |
| 6615242 | Riemers | Sep 2003 | B1 |
| 6650890 | Irlam et al. | Nov 2003 | B1 |
| 6654787 | Aronson et al. | Nov 2003 | B1 |
| 6675162 | Russell-Falla et al. | Jan 2004 | B1 |
| 6687740 | Gough et al. | Feb 2004 | B1 |
| 6691156 | Drummond et al. | Feb 2004 | B1 |
| 6718367 | Ayyadurai | Apr 2004 | B1 |
| 6732157 | Gordon et al. | May 2004 | B1 |
| 6748422 | Morin et al. | Jun 2004 | B2 |
| 6769016 | Rothwell et al. | Jul 2004 | B2 |
| 6915334 | Hall | Jul 2005 | B1 |
| 7209954 | Rothwell et al. | Apr 2007 | B1 |
| 20020016824 | Leeds | Feb 2002 | A1 |
| 20020116463 | Hart | Aug 2002 | A1 |
| 20020120705 | Schiavone et al. | Aug 2002 | A1 |
| 20030088627 | Rothwell et al. | May 2003 | A1 |
| Number | Date | Country |
|---|---|---|
| 0 813 162 | Dec 1997 | EP |
| 9967731 | Dec 1999 | WO |
| Number | Date | Country | |
|---|---|---|---|
| Parent | 09916599 | Jul 2001 | US |
| Child | 10072708 | US |
