US2009031136A1PendingUtilityA1

Hash-based systems and methods for detecting and preventing transmission of unwanted e-mail

Assignee: MILLIKEN WALTER CLARKPriority: Jun 19, 2000Filed: Oct 1, 2008Published: Jan 29, 2009
Est. expiryJun 19, 2020(expired)· nominal 20-yr term from priority
H04L 51/212H04L 63/145G06F 21/562
57
PatentIndex Score
0
Cited by
0
References
0
Claims

Abstract

A system ( 120 ) detects transmission of potentially unwanted e-mail messages. The system ( 120 ) may receive e-mail messages and generate hash values based on one or more portions of the e-mail messages. The system ( 120 ) may then determine whether the generated hash values match hash values associated with prior e-mail messages. The system ( 120 ) may determine that one of the e-mail messages is a potentially unwanted e-mail message when one or more of the generated hash values associated with the e-mail message match one or more of the hash values associated with the prior e-mail messages.

Claims

exact text as granted — not AI-modified
1 . A mail server, comprising:
 one or more hash memories configured to store count values associated with a plurality of hash values; and   a hash processor configured to:   receive an e-mail message,   hash one or more portions of the e-mail message to generate hash values, as generated hash values,   increment the count values corresponding to the generated bash values, as incremented count values, and   determine whether the e-mail message is a potentially unwanted e-mail message based on the incremented count values.   
   
   
       2 . The server of  claim 1 , wherein when hashing one or more portions of the e-mail message, the hash processor is configured to perform a plurality of hashes on a plurality of variable-sized blocks of a main text of the e-mail message. 
   
   
       3 . The server of  claim 1 , wherein when hashing one or more portions of the e-mail message, the hash processor is configured to perform a plurality of hashes on a plurality of fixed-sized blocks of a main text of the e-mail message. 
   
   
       4 . The server of  claim 1 , wherein when hashing one or more portions of the e-mail message, the hash processor is configured to perform a plurality of hashes on a main text of the e-mail message using a plurality of different hash functions. 
   
   
       5 . The server of  claim 1 , wherein when hashing one or more portions of the e-mail message, the hash processor is configured to:
 attempt to expand an attachment of the e-mail message, and   hash the attachment after attempting to expand the attachment.   
   
   
       6 . The server of  claim 1 , wherein when hashing one or more portions of the e-mail message, the hash processor is configured to perform a plurality of hashes on a plurality of variable-sized blocks of an attachment of the e-mail message. 
   
   
       7 . The server of  claim 1 , wherein when hashing one or more portions of the e-mail message, die hash processor is configured to perform a plurality of hashes on a plurality of fixed-sized blocks of an attachment of the e-mail message. 
   
   
       8 . The server of  claim 1 , wherein when hashing one or more portions of the e-mail message, the hash processor is configured to perform a plurality of hashes on an attachment of the e-mail message using a plurality of different hash functions. 
   
   
       9 . The server of  claim 1 , wherein the hash processor is further configured to compare the generated hash values to hash values corresponding to known unwanted e-mails. 
   
   
       10 . The server of  claim 9 , wherein the known unwanted e-mails include at least one of e-mails containing a virus, e-mails containing a worm, and unsolicited commercial e-mails. 
   
   
       11 . The server of  claim 1 , wherein when hashing one or more portions of the e-mail message, the hash processor is configured to:
 hash at least one of a main text and an attachment of the e-mail message to generate one or more first bash values, and   hash a concatenation of first and second header fields of the e-mail message to generate a second hash value.   
   
   
       12 . The server of  claim 11 , wherein the first and second header fields include a From header field and a To header field. 
   
   
       13 . The server of  claim 11 , wherein when determining whether the e-mail message is a potentially unwanted e-mail message, the hash processor is configured to identify the e-mail message as a potentially unwanted e-mail message when the count value corresponding to one or more first hash values is significantly higher than the count value corresponding to the second hash value. 
   
   
       14 . The server of  claim 1 , wherein the hash processor is further configured to take remedial action when the e-mail message is a potentially unwanted e-mail message, when taking remedial action, the hash processor is configured to at least one of.
 discard the e-mail message,   bounce the e-mail message,   mark the e-mail message with a warning,   subject the e-mail message to a virus or worm detection process,   create a notification message, and   generate a suspicion score for the e-mail message and use the suspicion score to identify further processing for the e-mail message.   
   
   
       15 . The server of  claim 1 , wherein the hash processor is further configured to:
 generate a suspicion score for the e-mail message based on the incremented count values,   determine whether a newly received e-mail message exceeds a mail quota,   identify an earlier-received e-mail message with a highest suspicion score,   determine whether a suspicion score of the newly received e-mail message is lower than the suspicion score of the earlier-received e-mail message when the newly received e-mail message exceeds the mail quota,   delete the earlier-received e-mail message when the suspicion score of the newly received e-mail message is lower than the suspicion score of the earlier-received e-mail message, and   store the newly received e-mail message.   
   
   
       16 . The server of  claim 1 , wherein the hash processor is configured to hash the one or more portions of the e-mail message and increment the count values incrementally as the e-mail message is being received. 
   
   
       17 . The server of  claim 16 , wherein the hash processor is further configured to:
 generate a suspicion score for the e-mail message based on the incremented count values,   reject the e-mail message when the suspicion score of the e-mail message is above a threshold.   
   
   
       18 . The server of  claim 17 , wherein the rejecting occurs before the e-mail message is completely received. 
   
   
       19 . The server of  claim 1 , wherein the hash processor is further configured to:
 compare the generated hash values to known legitimate mailing lists, and   pass the e-mail message without further examination when the generated hash values match one of the known legitimate mailing lists.   
   
   
       20 . The server of  claim 19 , wherein the hash processor is configured to:
 determine whether the e-mail message originated from one of the known legitimate mailing lists.   
   
   
       21 . The server of  claim 1 , wherein the hash processor is configured to:
 hash a main text of the e-mail message to generate a first hash value, and   hash sender-related header fields of the e-mail message to generate one or more second hash values.   
   
   
       22 . The server of  claim 21 , wherein the sender-related header fields include at least one of a From header field, a Sender header field, and a Reply-To header field. 
   
   
       23 . The server of  claim 21 , wherein when determining whether the e-mail message is a potentially unwanted e-mail message, the hash processor is configured to identify the e-mail message as a potentially unwanted e-mail message when the count value corresponding to the first hash value is higher than the count values corresponding to the one or more second hash values. 
   
   
       24 . The server of  claim 1 , wherein when hashing one or more portions of the e-mail message, the hash processor is configured to:
 perform a plurality of hashes on a main text of the e-mail message to generate main text hashes, and   hash at least one header field of the e-mail message to generate at least one header hash.   
   
   
       25 . The server of  claim 24 , when determining whether the e-mail message is a potentially unwanted e-mail message, the hash processor is configured to:
 generate a score for the main text based on count values corresponding to the main text hashes and a score for the at least one header field based on the count value corresponding to the at least one header hash, and   identify the e-mail message as a potentially unwanted e-mail message when the score for the main text is substantially higher than the score for the at least one header hash.   
   
   
       26 . A mail server, comprising:
 one or more hash memories configured to store count values associated with a plurality of hash values; and   a hash processor configured to:   receive e-mail messages,   hash one or more portions of the received e-mail messages to generate hash values, as generated hash values,   increment the count values corresponding to the generated hash values, as incremented count values, and   generate suspicion scores for the received e-mail messages based on the incremented count values.   
   
   
       27 . The server of  claim 26 , wherein the hash processor is further configured to:
 maintain a counter corresponding to each of the one or more hash memories, and   decrement ones of the count values based on the counter.   
   
   
       28 . The server of  claim 27 , wherein the hash processor is configured to:
 determine when a value of the counter reaches a threshold, and   decrement one of the count values each time another one of the count values is incremented after the value of the counter reaches the threshold.   
   
   
       29 . The server of  claim 28 , wherein the hash processor is further configured to:
 identify a count value to decrement,   determine whether the identified count value is non-zero, and   decrement the identified count value when the identified count value is non-zero.   
   
   
       30 . The server of  claim 29 , wherein the hash processor is further configured to:
 examine next sequential ones of the count values until a non-zero count value is found when the identified count value is zero, and   decrement the non-zero count value.

Join the waitlist — get patent alerts

Track US2009031136A1 — get alerts on status changes and closely related new filings.

We store only your email — no account needed. See our privacy policy.