US20090113012A1 - System and method for identifying spoofed email by modifying the sender address - Google Patents


Info

Publication number
US20090113012A1
Authority
US
United States
Prior art keywords
sender address
email
network
recipient
modified
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US12/339,999
Inventor
David S. Singer
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
HCL Technologies Ltd
Original Assignee
International Business Machines Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by International Business Machines Corp
Priority to US12/339,999
Publication of US20090113012A1
Assigned to HCL Technologies Limited (assignment of assignors' interest; assignor: International Business Machines Corporation)
Legal status: Abandoned

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/48 Message addressing, e.g. address format or anonymous messages, aliases
    • H04L51/21 Monitoring or handling of messages
    • H04L51/212 Monitoring or handling of messages using filtering or selective blocking

Definitions

  • This invention generally relates to the field of electronic messaging and more specifically to the identification of spoofed electronic messages.
  • an email addressed to a recipient in a first network is received, with the email including a plurality of headers, and at least one of the plurality of headers including a sender address. It is determined whether the sender address indicates a mailbox from within the first network, and the sender address is modified if it indicates a mailbox within the first network.
  • the email with the modified sender address is sent to the recipient.
  • a second email is received that is from the recipient and that is addressed to the modified sender address, the modified sender address is modified so as to return it to its original form, and the second email is sent.
  • the computer system includes a receiver that receives an email addressed to a recipient in a first network, with the email including a plurality of headers, and at least one of the plurality of headers including a sender address.
  • the computer system also includes a processor that determines whether the sender address indicates a mailbox from within the first network, and modifies the sender address if it indicates a mailbox from within the first network.
  • a transmitter sends the email with the modified sender address to the recipient.
  • FIG. 1 is a block diagram illustrating the process of receiving an email in one embodiment of the present invention.
  • FIG. 2 is a chart showing a list of header fields and header field formats.
  • FIG. 3 is a flowchart depicting the overall operation and control flow of the process of receiving an email in one embodiment of the present invention.
  • FIG. 4 shows the text of an exemplary email before the process of receiving an email in one embodiment of the present invention.
  • FIG. 5 shows the text of the email of FIG. 4 after the process of receiving an email in one embodiment of the present invention.
  • FIG. 6 is a block diagram illustrating the process of sending an email in one embodiment of the present invention.
  • FIG. 7 is a flowchart depicting the overall operation and control flow of the process of sending an email in one embodiment of the present invention.
  • FIG. 8 is a chart showing a list of header fields and header field formats.
  • FIG. 9 shows the text of an exemplary email before the process of sending an email in one embodiment of the present invention.
  • FIG. 10 shows the text of the email of FIG. 9 after the process of sending an email in one embodiment of the present invention.
  • FIG. 11 is a block diagram of a computer system useful for implementing the present invention.
  • the present invention overcomes problems with the prior art by providing an efficient and easy-to-implement method for identifying spoofed email.
  • the present invention makes it extremely difficult, if not impossible, for a malicious sender outside of a network, company, Internet domain, Intranet or enterprise to pretend to be a user within that network, so as to make it less likely that a recipient will open harmful or spam email based on the apparent sender.
  • the present invention substantially prevents senders outside of a network from sending email to recipients within that network while falsely claiming that the email originated within the network.
  • Such spoofed email is processed to indicate its external origin before it is received by the intended recipient.
  • the system still allows the recipient to reply to the sender.
  • FIG. 1 is a block diagram illustrating the process of receiving an email in one embodiment of the present invention.
  • FIG. 1 also shows the overall system architecture of one embodiment of the present invention.
  • FIG. 1 shows client computers 102 and 104 operated by users.
  • FIG. 1 also shows a boundary mail server 108 , which provides email processing functions to the local area network (LAN) 110 and is described in greater detail below.
  • the boundary mail server 108 comprises any commercially available email server system that can be programmed to offer the functions of the present invention.
  • FIG. 1 shows the path of an incoming email in this embodiment of the present invention.
  • a client computer 102 sends an email that travels through a wide area network 106 and is received by a boundary mail server 108 , where it is processed according to the present invention.
  • the processed email is sent to the recipient, client computer 104 , via local area network 110 . This process is described in greater detail with reference to FIG. 3 below.
  • the computer systems of client computers 102 and 104 and boundary mail server 108 are one or more Personal Computers (PCs) (e.g., IBM or compatible PC workstations running the Microsoft Windows operating system or Linux OS, Macintosh computers running the Mac OS operating system, or equivalent), Personal Digital Assistants (PDAs), hand held computers, palm top computers, smart phones, game consoles or any other information processing devices.
  • the computer systems of one or more of client computers 102 and 104 and boundary mail server 108 are a server system (e.g., SUN Ultra workstations running the SunOS operating system, IBM RS/6000 workstations and servers running the AIX operating system, or an IBM zSeries eServer running z/OS, z/VM or Linux OS).
  • the wide area network (WAN) 106 is a circuit switched network, such as the Public Switched Telephone Network (PSTN).
  • the network 106 is a packet switched network.
  • the packet switched network is a wide area network (WAN), such as the global Internet, a private WAN, a telecommunications network or any combination of the above-mentioned networks.
  • the network 106 is a wired network, a wireless network, a broadcast network or a point-to-point network.
  • the LAN 110 is a circuit switched network, such as the Public Switched Telephone Network (PSTN).
  • the network 110 is a packet switched network.
  • the packet switched network is a local area network (LAN), a telecommunications network or any combination of the above-mentioned networks.
  • the network 110 is a wired network, a wireless network, a broadcast network or a point-to-point network.
  • Although boundary mail server 108 and client computer 104 are shown as separate entities in FIG. 1, the functions of both entities may be integrated into one entity. It should also be noted that although FIG. 1 shows two client computers 102 and 104, the present invention supports any number of client computers.
  • RFC 2822 provides a lexical analysis of a standard email message. Specifically, RFC 2822 describes an email as consisting of multiple header fields followed, optionally, by a body. The header fields are a sequence of lines of characters with special syntax as defined in RFC 2822. The body is simply a sequence of characters that follows the header fields and is separated from the header fields by an empty line (i.e., a line with nothing preceding the Carriage Return Line Feed, or CRLF).
  • Header fields are lines composed of a field name, followed by a colon (“:”) followed by a field body, and terminated by CRLF.
  • a field name MUST be composed of printable US-ASCII characters (i.e., characters that have values between 33 and 126, inclusive), except colon.
  • a field body may be composed of any US-ASCII characters, except for CR and LF.
  • Unstructured field bodies are specified as any US-ASCII characters except CR and LF. Semantically, unstructured field bodies are simply to be treated as a single line of characters with no further processing.
  • Structured field bodies are sequences of specific lexical tokens. Many of these tokens are allowed (according to their syntax) to be introduced or end with comments as well as the space (SP, ASCII value 32) and horizontal tab (HTAB, ASCII value 9) characters (together known as the white space characters, WSP), and those WSP characters are subject to header “folding” and “unfolding”.
  • RFC 2822 further describes that at least one of the multiple header fields includes an address. Addresses occur in several header fields to indicate senders and recipients of messages. An address may either be an individual mailbox, or a group of mailboxes. A mailbox receives mail. It is a conceptual entity that does not necessarily pertain to file storage. For example, some sites may choose to print mail on a printer and deliver the output to the addressee's desk.
  • a mailbox is comprised of two parts: (1) an optional display name that indicates the name of the recipient (which could be a person or a system) that could be displayed to the user of an email application, and (2) an addr-spec address enclosed in angle brackets (“<” and “>”).
  • Alternatively, the group construct can be used. The group construct allows the sender to indicate a named group of recipients. This is done by giving a display name for the group, followed by a colon, followed by a comma-separated list of any number of mailboxes (including zero and one), and ending with a semicolon. Because the list of mailboxes can be empty, using the group construct is also a simple way to communicate to recipients that the message was sent to one or more named sets of recipients, without actually providing the individual mailbox address for each of those recipients.
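The lexical rules just described, worked as an added example that is not part of the patent: a small Python lexer that splits a message into header fields and body at the first empty line, unfolds continuation lines that begin with SP or HTAB, enforces the field-name character set (printable US-ASCII 33 to 126, colon excluded), and rejects a bare CR inside a field body. The sample message, the helper names and the decision to accept a bare LF as a line terminator are assumptions of this example, not of the patent.

```python
"""Minimal RFC 2822 header lexer. Added example; not code from the patent."""
from typing import List, Tuple

WSP = " \t"  # SP (ASCII 32) and HTAB (ASCII 9)

Field = Tuple[str, str]  # (field-name, unfolded field-body)


class HeaderSyntaxError(ValueError):
    """Input that breaks the header rules described above."""


def _valid_field_name(name: str) -> bool:
    # printable US-ASCII 33..126, colon excluded, at least one character
    return bool(name) and all(33 <= ord(c) <= 126 and c != ":" for c in name)


def split_message(raw: str) -> Tuple[List[Field], str]:
    """Split a message into its header fields and its (optional) body.

    - a header line is field-name ':' field-body, terminated by CRLF;
    - a line that starts with SP or HTAB folds into the previous field body,
      and unfolding removes the CRLF but keeps the white space;
    - the first empty line ends the header block; everything after it is the body.
    Assumption of this example: a bare LF is accepted as a line terminator, but a
    CR that survives inside a field body is rejected rather than silently kept.
    """
    lines = raw.replace("\r\n", "\n").split("\n")
    fields: List[Field] = []
    body = ""
    for idx, line in enumerate(lines):
        if line == "":  # empty line: header block ends here
            body = "\n".join(lines[idx + 1:])
            break
        if line[0] in WSP:  # folded continuation of the previous field body
            if not fields:
                raise HeaderSyntaxError(f"line {idx + 1}: continuation before any field")
            name, prev = fields[-1]
            fields[-1] = (name, prev + line)
            continue
        name, colon, value = line.partition(":")
        if not colon or not _valid_field_name(name):
            raise HeaderSyntaxError(f"line {idx + 1}: malformed field name {name!r}")
        if "\r" in value:
            raise HeaderSyntaxError(f"line {idx + 1}: bare CR inside field body")
        fields.append((name, value))
    return [(n, v.strip(WSP)) for n, v in fields], body


def get_fields(fields: List[Field], name: str) -> List[str]:
    """Every body carried under a field name, in order; names compare case-insensitively.
    RFC 2822 permits From: only once, but the lexer does not enforce that: a caller
    that walks every field, as the flow of FIG. 3 does, sees every occurrence."""
    return [v for n, v in fields if n.lower() == name.lower()]


def rejects(raw: str) -> bool:
    """True when the lexer refuses the input; used for the checks below."""
    try:
        split_message(raw)
    except HeaderSyntaxError:
        return True
    return False


# Constructed sample (not from the patent's figures): a folded Reply-To, a field
# name in unusual case, and a body line that merely looks like a From: header.
SAMPLE = (
    "From: Sam Spoofer <sam.spoofer@example.com>\r\n"
    "reply-to: Helpdesk: sam.spoofer@example.com,\r\n"
    "\tpartner@notexample.com;\r\n"
    "To: victim@example.com\r\n"
    "Subject: Please review\r\n"
    "\r\n"
    "From: not-a-header@example.com\r\n"
    "Open the attachment.\r\n"
)

if __name__ == "__main__":
    fields, body = split_message(SAMPLE)
    for name, value in fields:
        print(f"{name!r}: {value!r}")
    print("body:", repr(body))
    print("rejects 'Bad Name:' ->", rejects("Bad Name: x\r\n"))
```

The "From:" line inside the body is never seen as a header, because the header block is closed by the first empty line, which is the boundary the patent's processing relies on.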
  • FIG. 2 is a chart showing an exemplary list of common header fields and header field formats. Specifically, FIG. 2 shows common header fields and header field formats that are pertinent to identifying possibly spoofed email messages. A more detailed list of header fields and formats can be found in sections 2 and 3.6 of “Request for Comments 2822” described above.
  • The format for the “from” header field 202 is shown in cell 212: the characters “From:” followed by a list of mailboxes and a Carriage Return Line Feed (CRLF).
  • The format for the “sender” header field 204 is shown in cell 214: the characters “Sender:” followed by a mailbox and a CRLF.
  • The format for the “reply-to” header field 206 is shown in cell 216: the characters “Reply-To:” followed by a list of mailboxes and a CRLF.
  • The format for the “resent-sender” header field 208 is shown in cell 218: the characters “Resent-Sender:” followed by a mailbox and a CRLF.
  • The format for the “resent-from” header field 210 is shown in cell 220: the characters “Resent-From:” followed by a list of mailboxes and a CRLF.
  • The format for the “resent-reply-to” header field 222 is shown in cell 224: the characters “Resent-Reply-To:” followed by a list of mailboxes and a CRLF. Note that the case of the characters in a header field name is immaterial, as explained in RFC 2822.
  • FIG. 3 is a flowchart depicting the overall operation and control flow of the process of receiving an email in one embodiment of the present invention.
  • the operation and control flow of FIG. 3 depicts the processing of incoming email messages so as to allow a recipient to identify an email message that has not originated from within the recipient's local network.
  • the control flow of FIG. 3 depicts the actions taken by the boundary mail server 108 in this embodiment upon receiving each incoming email message.
  • the operation and control flow of FIG. 3 begins with step 302 and proceeds directly to step 304 .
  • In step 304, the boundary mail server 108 determines whether there are any header fields remaining to be processed.
  • the boundary mail server 108 iterates through each header field of an incoming email message and processes it. If the result of the determination of step 304 is positive, then control flows to step 306. If the result of the determination of step 304 is negative, then control flows to step 320.
  • In step 306, the boundary mail server 108 acquires, or reads, the next header field of the incoming email message according to the syntax rules for header fields described in “Request for Comments 2822.”
  • In step 308, the boundary mail server 108 determines whether the current header field is pertinent. In one embodiment, the boundary mail server 108 considers any header field specified in FIG. 2 as pertinent, because FIG. 2 shows the common header fields, and their formats, that are pertinent to identifying possibly spoofed email messages. If the result of the determination of step 308 is positive, then control flows to step 310. If the result of the determination of step 308 is negative, then control flows to step 304. Note that any headers and mailboxes that are not modified during this email receiving process are passed through unchanged, along with the body of the email.
  • In step 310, the boundary mail server 108 determines whether there are any mailboxes in the current header field remaining to be processed.
  • the boundary mail server 108 iterates through each mailbox in the current header field of an incoming email message and processes it. If the result of the determination of step 310 is positive, then control flows to step 312. If the result of the determination of step 310 is negative, then control flows to step 304.
  • In step 312, the boundary mail server 108 acquires, or reads, the next mailbox in the current header field of the incoming email message according to the syntax rules for mailboxes described in “Request for Comments 2822”.
  • In step 314, the boundary mail server 108 determines whether the current mailbox claims to originate from inside the same network (such as LAN 110) or the same enterprise as the recipient computer, client computer 104. If the result of the determination of step 314 is positive, then control flows to step 316. If the result of the determination of step 314 is negative, then control flows to step 318.
  • In step 316, the address of the mailbox is modified so as to identify the email message as possibly spoofed.
  • In one embodiment, an extra label is prepended to the domain part of the mailbox address, so that the address now names a sub-domain of the claimed domain, with the extra label indicating a possibly spoofed email message. For example, if the original address of the mailbox was “sam.spoofer@example.com”, then the address of the mailbox is modified so as to be “sam.spoofer@externalto.example.com” or so as to be “sam.spoofer@notfromhere.example.com”.
  • the added “externalto” or “notfromhere” text is used to indicate that the email message originated from a network external to the LAN 110 of the recipient computer 104 in this embodiment.
  • The modified mailbox is then emitted, that is, allowed to pass through the processing phase.
  • In step 318, the mailbox is emitted unchanged.
  • In step 320, the control flow of FIG. 3 stops.
  • FIG. 4 shows the text of an exemplary email message before the process of receiving an email in one embodiment of the present invention. More specifically, FIG. 4 shows the text of an email message before the control flow of FIG. 3 is executed. FIG. 4 shows that the text of the email message contains a “from” field 402 , a “to” field 404 , a “subject” field 406 , a “date” field 408 and a “body” field 410 . Note that the address of the “from” field 402 has not been modified yet.
  • FIG. 5 shows the text of the email message of FIG. 4 after the process of receiving an email in one embodiment of the present invention. More specifically, FIG. 5 shows the text of the email message after the control flow of FIG. 3 is executed. FIG. 5 shows that the text of the email message contains the same “to” field 404 , “subject” field 406 , “date” field 408 and “body” field 410 as FIG. 4 . However, the address of the “from” field 502 has been modified. Whereas the original address in the “from” field 402 was “sam.spoofer@example.com”, the address of the “from” field 502 is modified to be “sam.spoofer@externalto.example.com”.
  • preferred embodiments of the present invention modify the sender's address in such a way as to mark it as not being verifiably from the recipient's network and hence, suspect.
  • the marking should be carried out in such a way as to allow the recipient of the email to correspond with the sender if that is required. This is because there are legitimate reasons for mail to be sent to a network with an apparent origin within the network (for example, email sent from an enterprise to an email reflector outside the network and then distributed to users within the network).
  • one such method of marking the mailbox includes prefacing the domain part of the mailbox with a unique sub-domain, such as “externalto”. Email to this sub-domain will be delivered as if the sub-domain were not part of the mailbox.
  • FIG. 6 is a block diagram illustrating the process of sending an email in one embodiment of the present invention.
  • FIG. 6 also shows the overall system architecture of one embodiment of the present invention, as depicted in FIG. 1 .
  • the client computers 102 and 104 , the boundary mail server 108 , WAN 106 and LAN 110 are identical to those described in FIG. 1 .
  • FIG. 6 shows the path of an outgoing email message in this embodiment of the present invention.
  • a client computer 104 (previously the recipient) sends an email that travels through the LAN 110 and is received by the boundary mail server 108 , where it is processed according to the present invention.
  • the processed email message is sent to the new recipient, client computer 102 , via WAN 106 . This process is described in greater detail below with reference to FIG. 7 .
  • FIG. 8 is a chart showing an exemplary list of common header fields and header field formats. Specifically, FIG. 8 shows common header fields and header field formats that are pertinent to identifying addresses that have been modified by the control flow of FIG. 3 . A more detailed list of header fields and formats can be found in sections 2 and 3.6 of “Request for Comments 2822” described above.
  • The format for the “to” header field 802 is shown in cell 814: the characters “To:” followed by a list of addresses and a CRLF.
  • The format for the “cc” header field 804 is shown in cell 816: the characters “CC:” followed by a list of addresses and a CRLF.
  • The format for the “bcc” header field 806 is shown in cell 818: the characters “bcc:” followed by either a list of addresses or optional comment and/or folding white space (CFWS), and a CRLF.
  • The format for the “resent-to” header field 808 is shown in cell 820: the characters “Resent-To:” followed by a list of addresses and a CRLF.
  • The format for the “resent-cc” header field 810 is shown in cell 822: the characters “Resent-cc:” followed by a list of addresses and a CRLF.
  • The format for the “resent-bcc” header field 812 is shown in cell 824: the characters “Resent-bcc:” followed by either a list of addresses or optional CFWS, and a CRLF. Note that the case of the characters in a header field name is immaterial, as explained in RFC 2822.
  • FIG. 7 is a flowchart depicting the overall operation and control flow of the process of sending an email in one embodiment of the present invention.
  • the operation and control flow of FIG. 7 depicts the processing of outgoing email messages so as to allow the sender to send an email message to a recipient whose address has been modified by the control flow of FIG. 3 .
  • the control flow of FIG. 7 depicts the actions taken by the boundary mail server 108 in this embodiment upon receiving each outgoing email message.
  • the operation and control flow of FIG. 7 begins with step 702 and proceeds directly to step 704 .
  • In step 704, the boundary mail server 108 determines whether there are any header fields remaining to be processed.
  • the boundary mail server 108 iterates through each header field of an outgoing email message and processes it. If the result of the determination of step 704 is positive, then control flows to step 706. If the result of the determination of step 704 is negative, then control flows to step 720.
  • In step 706, the boundary mail server 108 acquires, or reads, the next header field of the outgoing email message.
  • In step 708, the boundary mail server 108 determines whether the current header field is pertinent. In one embodiment, the boundary mail server 108 considers any header field specified in FIG. 8 as pertinent, because FIG. 8 shows the common header fields, and their formats, that are pertinent to identifying addresses that have been modified by the control flow of FIG. 3. If the result of the determination of step 708 is positive, then control flows to step 710. If the result of the determination of step 708 is negative, then control flows to step 704.
  • In step 710, the boundary mail server 108 determines whether there are any mailboxes in the current header field remaining to be processed.
  • the boundary mail server 108 iterates through each mailbox in the current header field of an outgoing email message and processes it. If the result of the determination of step 710 is positive, then control flows to step 712. If the result of the determination of step 710 is negative, then control flows to step 704.
  • In step 712, the boundary mail server 108 acquires, or reads, the next mailbox in the current header field of the outgoing email message.
  • In step 714, the boundary mail server 108 determines whether the current mailbox has been marked or otherwise modified by the control flow of FIG. 3. If the result of the determination of step 714 is positive, then control flows to step 716. If the result of the determination of step 714 is negative, then control flows to step 718.
  • In step 716, the address of the mailbox is modified back to its original state.
  • the extra domain label that was added in the control flow of FIG. 3 is deleted. For example, if the address of the mailbox was “sam.spoofer@externalto.example.com”, then the address of the mailbox is modified to be “sam.spoofer@example.com”.
  • The modified mailbox is then emitted, that is, allowed to pass through the processing phase.
  • In step 718, the mailbox is emitted unchanged.
  • In step 720, the control flow of FIG. 7 stops.
  • FIG. 9 shows the text of an exemplary email before the process of sending an email in one embodiment of the present invention. More specifically, FIG. 9 shows the text of an email message before the control flow of FIG. 7 is executed. FIG. 9 shows that the text of the email message contains a “To” field 902 , a “From” field 904 , a “CC” field 905 , a “Subject” field 906 , a “Date” field 908 and a “Body” field 910 . Note that the address of the “CC” field 905 has not been modified yet.
  • FIG. 10 shows the text of the email message of FIG. 9 after the process of sending an email in one embodiment of the present invention. More specifically, FIG. 10 shows the text of the email message after the control flow of FIG. 7 is executed. FIG. 10 shows that the text of the email message contains the same “To” field 902, “From” field 904, “Subject” field 906, “Date” field 908 and “Body” field 910 as FIG. 9. However, the address of the “CC” field 1002 has been modified. Whereas the original address in the “CC” field 905 was “colleague@externalto.example.com”, the address of the “CC” field 1002 is modified to be “colleague@example.com”. Note that the “externalto” text, which indicates that the email message originated from a network external to the LAN 110 of the recipient computer 104 in this embodiment, has been removed.
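The receiving flow of FIG. 3 (steps 304 to 320) and the sending flow of FIG. 7 (steps 704 to 720) share one loop, pertinent field by pertinent field and mailbox by mailbox, so both are shown together in this one added Python example, which is not the patent's own code. It uses the standard library email package for RFC 2822 address parsing. The protected domain "example.com", the marker label "externalto" taken from the patent's example, the helper names and the two constructed sample messages (modelled on FIG. 4 and FIG. 9, not their exact text) are assumptions of the example. Two design choices are also the example's own: the step-314 test treats a mailbox as internal when its domain equals the protected domain or is a sub-domain of it, compared case-insensitively and anchored at a label boundary so that "notexample.com" is not mistaken for internal; and the step-714 test strips the label only when what remains is an internal domain, so an unrelated "externalto.other.com" is left alone.

```python
"""Boundary-server address marking (FIG. 3) and unmarking (FIG. 7).
Added example, not the patent's code; uses the stdlib email package."""
import email
from email import policy
from email.headerregistry import Address, AddressHeader, Group, HeaderRegistry

# Fields examined on the inbound path (FIG. 2) and on the outbound path (FIG. 8).
INBOUND_FIELDS = ("From", "Sender", "Reply-To", "Resent-Sender", "Resent-From", "Resent-Reply-To")
OUTBOUND_FIELDS = ("To", "Cc", "Bcc", "Resent-To", "Resent-Cc", "Resent-Bcc")
MARK = "externalto"  # marker label taken from the patent's example

# The stdlib registry does not treat Resent-Reply-To as an address field, so map it.
_registry = HeaderRegistry()
_registry.map_to_type("Resent-Reply-To", AddressHeader)
POLICY = policy.default.clone(header_factory=_registry)


def is_internal(domain: str, protected: str) -> bool:
    """Step 314: does the mailbox claim the protected domain or a sub-domain of it?
    Case-insensitive and anchored at a label boundary ('notexample.com' is external)."""
    d, p = domain.lower().rstrip("."), protected.lower().rstrip(".")
    return d == p or d.endswith("." + p)


def mark(addr: Address, protected: str) -> Address:
    """Step 316: prepend the marker label; step 318: anything else passes through."""
    if addr.domain and is_internal(addr.domain, protected):
        return Address(addr.display_name, addr.username, f"{MARK}.{addr.domain}")
    return addr


def unmark(addr: Address, protected: str) -> Address:
    """Step 716: strip the marker label, but only when the remainder is internal
    (assumption of this example); otherwise step 718, pass through."""
    labels = addr.domain.split(".") if addr.domain else []
    rest = ".".join(labels[1:])
    if len(labels) > 1 and labels[0].lower() == MARK and is_internal(rest, protected):
        return Address(addr.display_name, addr.username, rest)
    return addr


def rewrite_fields(msg, fields, transform):
    """Steps 304-312 and 704-712: every pertinent field, every mailbox in it.
    Display names and group syntax are kept; other fields and the body are untouched."""
    for name in fields:
        hdr = msg[name]
        if hdr is None:
            continue
        rebuilt = []
        for group in hdr.groups:
            addrs = [transform(a) for a in group.addresses]
            if group.display_name is None:  # plain mailbox, not a named group
                rebuilt.extend(addrs)
            else:
                rebuilt.append(Group(group.display_name, addrs))
        msg.replace_header(name, rebuilt)
    return msg


def process_inbound(raw: str, protected: str):
    """FIG. 3: mark sender mailboxes that claim to be inside the protected domain."""
    msg = email.message_from_string(raw, policy=POLICY)
    return rewrite_fields(msg, INBOUND_FIELDS, lambda a: mark(a, protected))


def process_outbound(raw: str, protected: str):
    """FIG. 7: restore marked recipient mailboxes before the reply leaves the network."""
    msg = email.message_from_string(raw, policy=POLICY)
    return rewrite_fields(msg, OUTBOUND_FIELDS, lambda a: unmark(a, protected))


def mailboxes(msg, field: str):
    """addr-specs of a field in order, groups flattened; [] if the field is absent."""
    hdr = msg[field]
    return [] if hdr is None else [a.addr_spec for a in hdr.addresses]


# Constructed samples modelled on FIG. 4 and FIG. 9 (not the figures' exact text).
SAMPLE_INBOUND = """\
From: Sam Spoofer <sam.spoofer@example.com>
Reply-To: Helpdesk: sam.spoofer@EXAMPLE.COM, partner@notexample.com;
To: victim@example.com
Subject: Please review
Date: Mon, 22 Dec 2008 09:00:00 -0500

Open the attachment.
"""

SAMPLE_OUTBOUND = """\
From: victim@example.com
To: sam.spoofer@externalto.example.com
Cc: colleague@externalto.example.com, partner@notexample.com, x@externalto.other.com
Subject: Re: Please review
Date: Mon, 22 Dec 2008 10:00:00 -0500

Who are you?
"""

if __name__ == "__main__":
    inbound = process_inbound(SAMPLE_INBOUND, "example.com")
    print(inbound["From"])  # Sam Spoofer <sam.spoofer@externalto.example.com>
    print(inbound["Reply-To"])
    outbound = process_outbound(SAMPLE_OUTBOUND, "example.com")
    print(outbound["Cc"])
```

Only the addr-spec is examined: a display name such as "Sam Spoofer" passes through untouched, exactly as the patent describes, and the marked address is what the recipient's client shows and replies to. The Reply-To group in the sample shows the step-310 loop visiting each mailbox inside a group construct while keeping the group's display name.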
  • the present invention can be realized in hardware, software, or a combination of hardware and software.
  • a system according to a preferred embodiment of the present invention can be realized in a centralized fashion in one computer system, or in a distributed fashion where different elements are spread across several interconnected computer systems. Any kind of computer system—or other apparatus adapted for carrying out the methods described herein—is suited.
  • a typical combination of hardware and software could be a general-purpose computer system with a computer program that, when being loaded and executed, controls the computer system such that it carries out the methods described herein.
  • An embodiment of the present invention can also be embedded in a computer program product, which comprises all the features enabling the implementation of the methods described herein, and which—when loaded in a computer system—is able to carry out these methods.
  • Computer program means or computer program as used in the present invention indicates any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following: a) conversion to another language, code or notation; and b) reproduction in a different material form.
  • a computer system may include, inter alia, one or more computers and at least a computer program product on a computer readable medium, allowing a computer system to read data, instructions, messages or message packets, and other computer readable information from the computer readable medium.
  • the computer readable medium may include non-volatile memory, such as ROM, Flash memory, Disk drive memory, CD-ROM, and other permanent storage. Additionally, a computer readable medium may include, for example, volatile storage such as RAM, buffers, cache memory, and network circuits. Furthermore, the computer readable medium may comprise computer readable information in a transitory state medium such as a network link and/or a network interface, including a wired network or a wireless network, that allow a computer system to read such computer readable information.
  • FIG. 11 is a block diagram of a computer system useful for implementing an embodiment of the present invention.
  • the computer system of FIG. 11 includes one or more processors, such as processor 1104 .
  • the processor 1104 is connected to a communication infrastructure 1102 (e.g., a communications bus, cross-over bar, or network).
  • the computer system can include a display interface 1108 that forwards graphics, text, and other data from the communication infrastructure 1102 (or from a frame buffer not shown) for display on the display unit 1110 .
  • the computer system also includes a main memory 1106 , preferably random access memory (RAM), and may also include a secondary memory 1112 .
  • the secondary memory 1112 may include, for example, a hard disk drive 1114 and/or a removable storage drive 1116 , representing a floppy disk drive, a magnetic tape drive, an optical disk drive, etc.
  • the removable storage drive 1116 reads from and/or writes to a removable storage unit 1118 in a manner well known to those having ordinary skill in the art.
  • Removable storage unit 1118 represents, for example, a floppy disk, magnetic tape, optical disk, etc. which is read by and written to by removable storage drive 1116 .
  • the removable storage unit 1118 includes a computer usable storage medium having stored therein computer software and/or data.
  • the secondary memory 1112 may include other similar means for allowing computer programs or other instructions to be loaded into the computer system.
  • Such means may include, for example, a removable storage unit 1122 and an interface 1120 .
  • Examples of such may include a program cartridge and cartridge interface (such as that found in video game devices), a removable memory chip (such as an EPROM, or PROM) and associated socket, and other removable storage units 1122 and interfaces 1120 which allow software and data to be transferred from the removable storage unit 1122 to the computer system.
  • the computer system may also include a communications interface 1124 .
  • Communications interface 1124 allows software and data to be transferred between the computer system and external devices. Examples of communications interface 1124 may include a modem, a network interface (such as an Ethernet card), a communications port, a PCMCIA slot and card, etc.
  • Software and data transferred via communications interface 1124 are in the form of signals which may be, for example, electronic, electromagnetic, optical, or other signals capable of being received by communications interface 1124 . These signals are provided to communications interface 1124 via a communications path (i.e., channel) 1126 .
  • This channel 1126 carries signals and may be implemented using wire or cable, fiber optics, a phone line, a cellular phone link, an RF link, and/or other communications channels.
  • The terms “computer program medium,” “computer usable medium,” and “computer readable medium” are used to generally refer to media such as main memory 1106 and secondary memory 1112 , removable storage drive 1116 , a hard disk installed in hard disk drive 1114 , and signals. These computer program products are means for providing software to the computer system.
  • The computer readable medium allows the computer system to read data, instructions, messages or message packets, and other computer readable information from the computer readable medium.
  • The computer readable medium may include non-volatile memory, such as Floppy, ROM, Flash memory, Disk drive memory, CD-ROM, and other permanent storage. It is useful, for example, for transporting information, such as data and computer instructions, between computer systems.
  • The computer readable medium may comprise computer readable information in a transitory state medium such as a network link and/or a network interface, including a wired network or a wireless network, that allow a computer to read such computer readable information.
  • Computer programs are stored in main memory 1106 and/or secondary memory 1112 . Computer programs may also be received via communications interface 1124 . Such computer programs, when executed, enable the computer system to perform the features of the present invention as discussed herein. In particular, the computer programs, when executed, enable the processor 1104 to perform the features of the computer system. Accordingly, such computer programs represent controllers of the computer system.

Abstract

A system, method and computer program product are provided for identifying spoofed emails. According to the method, an email addressed to a recipient in a first network is received, with the email including a plurality of headers, and at least one of the plurality of headers including a sender address. It is determined whether the sender address indicates a mailbox from within the first network, and the sender address is modified if it indicates a mailbox within the first network. The email with the modified sender address is sent to the recipient. In one embodiment, a second email is received that is from the recipient and that is addressed to the modified sender address, the modified sender address is modified so as to return it to its original form, and the second email is sent.

Description

    CROSS-REFERENCE TO RELATED APPLICATIONS
  • This is a continuation of application Ser. No. 10/754,220, filed Jan. 9, 2004, now Ser. No. ______. The entire disclosure of prior application Ser. No. 10/754,220 is herein incorporated by reference.
  • BACKGROUND OF THE INVENTION
  • 1. Field of the Invention
  • This invention generally relates to the field of electronic messaging and more specifically to the identification of spoofed electronic messages.
  • 2. Description of Related Art
  • Internet electronic mail (email) was created in an environment where there were relatively few users of the system, most of whom were known to one another (either directly or through a very short chain of acquaintances), and where it was reasonable to be able to trust information supplied by other users (for example, the user's name and email address). With the growth of the Internet, however, those assumptions have proven not to be tenable, and there is now a large industry of spammers—people who send unsolicited email to millions of recipients in the hopes of getting them to read the email and respond to it. At present, the millions of people who use email are being overwhelmed by billions of unwanted email messages. Surveys show spam now accounts for about half of all email and frequently includes messages that are fraudulent or pornographic. Email is also used to spread viruses and worms. In order for the virus to spread, the email must be opened by the recipient (rather than being discarded unread).
  • In both of these cases, one of the tricks that the sender uses to cause the recipient to open the email is “spoofing”—pretending to send email from an address other than the sender's own, one which the recipient may be more likely to trust (for example, another user in the same company).
  • Therefore a need exists to overcome the problems discussed above, and particularly for a way to more efficiently identify spoofed email.
  • SUMMARY OF THE INVENTION
  • Briefly, in accordance with the present invention, disclosed is a system, method and computer program product for identifying spoofed emails. In a method according to a preferred embodiment of the present invention, an email addressed to a recipient in a first network is received, with the email including a plurality of headers, and at least one of the plurality of headers including a sender address. It is determined whether the sender address indicates a mailbox from within the first network, and the sender address is modified if it indicates a mailbox within the first network. The email with the modified sender address is sent to the recipient. In one embodiment, a second email is received that is from the recipient and that is addressed to the modified sender address, the modified sender address is modified so as to return it to its original form, and the second email is sent.
  • Also disclosed is a computer system for identifying spoofed emails. The computer system includes a receiver that receives an email addressed to a recipient in a first network, with the email including a plurality of headers, and at least one of the plurality of headers including a sender address. The computer system also includes a processor that determines whether the sender address indicates a mailbox from within the first network, and modifies the sender address if it indicates a mailbox from within the first network. A transmitter sends the email with the modified sender address to the recipient.
  • The foregoing and other features and advantages of the present invention will be apparent from the following more particular description of the preferred embodiments of the invention, as illustrated in the accompanying drawings.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • The subject matter, which is regarded as the invention, is particularly pointed out and distinctly claimed in the claims at the conclusion of the specification. The foregoing and other features and also the advantages of the invention will be apparent from the following detailed description taken in conjunction with the accompanying drawings. Additionally, the left-most digit of a reference number identifies the drawing in which the reference number first appears.
  • FIG. 1 is a block diagram illustrating the process of receiving an email in one embodiment of the present invention.
  • FIG. 2 is a chart showing a list of header fields and header field formats.
  • FIG. 3 is a flowchart depicting the overall operation and control flow of the process of receiving an email in one embodiment of the present invention.
  • FIG. 4 shows the text of an exemplary email before the process of receiving an email in one embodiment of the present invention.
  • FIG. 5 shows the text of the email of FIG. 4 after the process of receiving an email in one embodiment of the present invention.
  • FIG. 6 is a block diagram illustrating the process of sending an email in one embodiment of the present invention.
  • FIG. 7 is a flowchart depicting the overall operation and control flow of the process of sending an email in one embodiment of the present invention.
  • FIG. 8 is a chart showing a list of header fields and header field formats.
  • FIG. 9 shows the text of an exemplary email before the process of sending an email in one embodiment of the present invention.
  • FIG. 10 shows the text of the email of FIG. 9 after the process of sending an email in one embodiment of the present invention.
  • FIG. 11 is a block diagram of a computer system useful for implementing the present invention.
  • DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS
  • 1. Introduction
  • The present invention, according to a preferred embodiment, overcomes problems with the prior art by providing an efficient and easy-to-implement method for identifying spoofed email. The present invention makes it extremely difficult, if not impossible, for a malicious sender outside of a network, company, Internet domain, Intranet or enterprise to pretend to be a user within that network, so as to make it less likely that a recipient will open harmful or spam email based on the apparent sender. The present invention substantially prevents senders outside of a network from sending email to recipients within that network while falsely claiming that the email originated within the network. Such spoofed email is processed to indicate its external origin before it is received by the intended recipient. Preferably, the system still allows the recipient to reply to the sender.
  • 2. Overview of the System
  • FIG. 1 is a block diagram illustrating the process of receiving an email in one embodiment of the present invention. FIG. 1 also shows the overall system architecture of one embodiment of the present invention. FIG. 1 shows client computers 102 and 104 operated by users. FIG. 1 also shows a boundary mail server 108, which provides email processing functions to the local area network (LAN) 110 and is described in greater detail below. The boundary mail server 108 comprises any commercially available email server system that can be programmed to offer the functions of the present invention.
  • FIG. 1 shows the path of an incoming email in this embodiment of the present invention. A client computer 102 sends an email that travels through a wide area network 106 and is received by a boundary mail server 108, where it is processed according to the present invention. Next, the processed email is sent to the recipient, client computer 104, via local area network 110. This process is described in greater detail with reference to FIG. 3 below.
  • In preferred embodiments of the present invention, the computer systems of client computers 102 and 104 and boundary mail server 108 are one or more Personal Computers (PCs) (e.g., IBM or compatible PC workstations running the Microsoft Windows operating system or Linux OS, Macintosh computers running the Mac OS operating system, or equivalent), Personal Digital Assistants (PDAs), hand held computers, palm top computers, smart phones, game consoles or any other information processing devices. In other embodiments, the computer systems of one or more of client computers 102 and 104 and boundary mail server 108 are a server system (e.g., SUN Ultra workstations running the SunOS operating system, IBM RS/6000 workstations and servers running the AIX operating system, or an IBM zSeries eServer running z/OS, z/VM or Linux OS). An exemplary computer system for client computers 102 and 104 and boundary mail server 108 is described in greater detail below with reference to FIG. 11.
  • In an embodiment of the present invention, the wide area network (WAN) 106 is a circuit switched network, such as the Public Service Telephone Network (PSTN). In another embodiment, the network 106 is a packet switched network. The packet switched network is a wide area network (WAN), such as the global Internet, a private WAN, a telecommunications network or any combination of the above-mentioned networks. In yet another embodiment, the network 106 is a wired network, a wireless network, a broadcast network or a point-to-point network.
  • In an embodiment of the present invention, the LAN 110 is a circuit switched network, such as the Public Service Telephone Network (PSTN). In another embodiment, the network 110 is a packet switched network. The packet switched network is a local area network (LAN), a telecommunications network or any combination of the above-mentioned networks. In yet another embodiment, the network 110 is a wired network, a wireless network, a broadcast network or a point-to-point network.
  • It should be noted that although boundary mail server 108 and client computer 104 are shown as separate entities in FIG. 1, the functions of both entities may be integrated into one entity. It should also be noted that although FIG. 1 shows two client computers 102 and 104, the present invention supports any number of client computers.
  • 3. Email Messages
  • Currently, “Request for Comments 2822”, published by the Internet Society in April 2001 (and available on the Internet at www.ietf.org/rfc/rfc2822.txt?number=2822) is the industry standard that specifies a syntax for email text messages that are sent between computer users. This document is herein incorporated by reference. Section 2 of “Request for Comments 2822” (RFC 2822) provides a lexical analysis of a standard email message. Specifically, RFC 2822 describes an email as consisting of multiple header fields followed, optionally, by a body. The header fields are a sequence of lines of characters with special syntax as defined in RFC 2822. The body is simply a sequence of characters that follows the header fields and is separated from the header fields by an empty line (i.e., a line with nothing preceding the Carriage Return Line Feed, or CRLF).
  • Header fields are lines composed of a field name, followed by a colon (“:”) followed by a field body, and terminated by CRLF. A field name MUST be composed of printable US-ASCII characters (i.e., characters that have values between 33 and 126, inclusive), except colon. A field body may be composed of any US-ASCII characters, except for CR and LF.
  • Some field bodies in this standard are defined simply as “unstructured” (which is specified as any US-ASCII characters, except for CR and LF) with no further restrictions. These are referred to as unstructured field bodies. Semantically, unstructured field bodies are simply to be treated as a single line of characters with no further processing.
  • Some field bodies in this standard have specific syntactical structure more restrictive than the unstructured field bodies described above. These are referred to as “structured” field bodies. Structured field bodies are sequences of specific lexical tokens. Many of these tokens are allowed (according to their syntax) to be introduced or end with comments as well as the space (SP, ASCII value 32) and horizontal tab (HTAB, ASCII value 9) characters (together known as the white space characters, WSP), and those WSP characters are subject to header “folding” and “unfolding”.
  • RFC 2822 further describes that at least one of the multiple header fields includes an address. Addresses occur in several header fields to indicate senders and recipients of messages. An address may either be an individual mailbox, or a group of mailboxes. A mailbox receives mail. It is a conceptual entity that does not necessarily pertain to file storage. For example, some sites may choose to print mail on a printer and deliver the output to the addressee's desk.
  • Normally, a mailbox is comprised of two parts: (1) an optional display name that indicates the name of the recipient (which could be a person or a system) that could be displayed to the user of an email application, and (2) an addr-spec address enclosed in angle brackets (“<” and “>”). There is also an alternate simple form of a mailbox where the addr-spec address appears alone, without the recipient's name or the angle brackets.
  • When it is desirable to treat several mailboxes as a single unit (i.e., in a distribution list), the group construct can be used. The group construct allows the sender to indicate a named group of recipients. This is done by giving a display name for the group, followed by a colon, followed by a comma separated list of any number of mailboxes (including zero and one), and ending with a semicolon. Because the list of mailboxes can be empty, using the group construct is also a simple way to communicate to recipients that the message was sent to one or more named sets of recipients, without actually providing the individual mailbox address for each of those recipients.
  • FIG. 2 is a chart showing an exemplary list of common header fields and header field formats. Specifically, FIG. 2 shows common header fields and header field formats that are pertinent to identifying possibly spoofed email messages. A more detailed list of header fields and formats can be found in sections 2 and 3.6 of “Request for Comments 2822” described above.
  • The format for the “from” header field 202 is shown in cell 212. This format consists of the characters “From:” followed by a list of mailboxes and a Carriage Return Line Feed (CRLF). The format for the “sender” header field 204 is shown in cell 214. This format consists of the characters “Sender:” followed by a mailbox and a CRLF. The format for the “reply-to” header field 206 is shown in cell 216. This format consists of the characters “Reply-To:” followed by a list of mailboxes and a CRLF. The format for the “resent-sender” header field 208 is shown in cell 218. This format consists of the characters “Resent-Sender:” followed by a mailbox and a CRLF. The format for the “resent-from” header field 210 is shown in cell 220. This format consists of the characters “Resent-From:” followed by a list of mailboxes and a CRLF. The format for the “resent-reply-to” header field 222 is shown in cell 224. This format consists of the characters “Resent-Reply-To:” followed by a list of mailboxes and a CRLF. Note that the case of the characters that appear in a header field is immaterial, as explained in RFC 2822.
  • 4. Processing Incoming Email Messages
  • FIG. 3 is a flowchart depicting the overall operation and control flow of the process of receiving an email in one embodiment of the present invention. The operation and control flow of FIG. 3 depicts the processing of incoming email messages so as to allow a recipient to identify an email message that has not originated from within the recipient's local network. Specifically, the control flow of FIG. 3 depicts the actions taken by the boundary mail server 108 in this embodiment upon receiving each incoming email message. The operation and control flow of FIG. 3 begins with step 302 and proceeds directly to step 304.
  • In step 304, the boundary mail server 108 determines whether there are any header fields remaining to be processed. The boundary mail server 108 iterates through each header field of an incoming email message and processes it. If the result of the determination of step 304 is positive, then control flows to step 306. If the result of the determination of step 304 is negative, then control flows to step 320. In step 306, the boundary mail server 108 acquires, or reads, the next header field of the incoming email message according to the syntax rules for header fields described in “Request for Comments 2822.”
  • In step 308, the boundary mail server 108 determines whether the current header field is pertinent. In one embodiment, the boundary mail server 108 considers any header field specified in FIG. 2 as pertinent. This is because FIG. 2 shows common header fields and header field formats that are pertinent to identifying possibly spoofed email messages. If the result of the determination of step 308 is positive, then control flows to step 310. If the result of the determination of step 308 is negative, then control flows to step 304. Note that any headers and mailboxes that are not modified during this email receiving process are passed through unchanged, along with the body of the email.
  • In step 310, the boundary mail server 108 determines whether there are any mailboxes in the current header field remaining to be processed. The boundary mail server 108 iterates through each mailbox in the current header field of an incoming email message and processes it. If the result of the determination of step 310 is positive, then control flows to step 312. If the result of the determination of step 310 is negative, then control flows to step 304. In step 312, the boundary mail server 108 acquires, or reads, the next mailbox in the current header field of the incoming email message according to the syntax rules for mailboxes described in “Request for Comments 2822”.
  • In step 314, the boundary mail server 108 determines whether the current mailbox claims to originate from inside the same network (such as LAN 110) or the same enterprise as the recipient computer, client computer 104. If the result of the determination of step 314 is positive, then control flows to step 316. If the result of the determination of step 314 is negative, then control flows to step 318.
  • In step 316, the address of the mailbox is modified so as to identify the mailbox as a possibly spoofed email message. In one embodiment of the present invention, an extra domain is added to the beginning of the mailbox address (that is, a sub-domain is added to the domain), with the extra domain text being used to indicate a possibly spoofed email message. For example, if the original address of the mailbox was “sam.spoofer@example.com”, then the address of the mailbox is modified so as to be “sam.spoofer@externalto.example.com” or so as to be “sam.spoofer@notfromhere.example.com”. The added “externalto” or “notfromhere” text (i.e., sub-domain) is used to indicate that the email message originated from a network external to the LAN 110 of the recipient computer 104 in this embodiment. The modified mailbox is then emitted, or allowed to pass through the processing phase. In step 318, the mailbox is emitted, or allowed to pass through the processing phase. In step 320, the control flow of FIG. 3 stops.
  • FIG. 4 shows the text of an exemplary email message before the process of receiving an email in one embodiment of the present invention. More specifically, FIG. 4 shows the text of an email message before the control flow of FIG. 3 is executed. FIG. 4 shows that the text of the email message contains a “from” field 402, a “to” field 404, a “subject” field 406, a “date” field 408 and a “body” field 410. Note that the address of the “from” field 402 has not been modified yet.
  • FIG. 5 shows the text of the email message of FIG. 4 after the process of receiving an email in one embodiment of the present invention. More specifically, FIG. 5 shows the text of the email message after the control flow of FIG. 3 is executed. FIG. 5 shows that the text of the email message contains the same “to” field 404, “subject” field 406, “date” field 408 and “body” field 410 as FIG. 4. However, the address of the “from” field 502 has been modified. Whereas the original address in the “from” field 402 was “sam.spoofer@example.com”, the address of the “from” field 502 is modified to be “sam.spoofer@externalto.example.com”. Note that the “externalto” text indicates that the email message originated from a network external to the LAN 110 of the recipient computer 104 in this embodiment. This change can then be used by the recipient, or by computer programs running on behalf of the recipient, as an indication of a possibly suspicious email.
  • As explained above, preferred embodiments of the present invention modify the sender's address in such a way as to mark it as not being verifiably from the recipient's network and hence, suspect. However, the marking should be carried out in such a way as to allow the recipient of the email to correspond with the sender if that is required. This is because there are legitimate reasons for mail to be sent to a network with an apparent origin within the network (for example, email sent from an enterprise to an email reflector outside the network and then distributed to users within the network). As explained above, one such method of marking the mailbox includes prefacing the domain part of the mailbox with a unique sub-domain, such as “externalto”. Email to this sub-domain will be delivered as if the sub-domain were not part of the mailbox.
  • 5. Processing Outgoing Email Messages
  • FIG. 6 is a block diagram illustrating the process of sending an email in one embodiment of the present invention. FIG. 6 also shows the overall system architecture of one embodiment of the present invention, as depicted in FIG. 1. The client computers 102 and 104, the boundary mail server 108, WAN 106 and LAN 110 are identical to those described in FIG. 1.
  • FIG. 6 shows the path of an outgoing email message in this embodiment of the present invention. A client computer 104 (previously the recipient) sends an email that travels through the LAN 110 and is received by the boundary mail server 108, where it is processed according to the present invention. Next, the processed email message is sent to the new recipient, client computer 102, via WAN 106. This process is described in greater detail below with reference to FIG. 7.
  • FIG. 8 is a chart showing an exemplary list of common header fields and header field formats. Specifically, FIG. 8 shows common header fields and header field formats that are pertinent to identifying addresses that have been modified by the control flow of FIG. 3. A more detailed list of header fields and formats can be found in sections 2 and 3.6 of “Request for Comments 2822” described above.
  • The format for the “to” header field 802 is shown in cell 814. This format consists of the characters “To:” followed by a list of addresses and a CRLF. The format for the “cc” header field 804 is shown in cell 816. This format consists of the characters “CC:” followed by a list of addresses and a CRLF. The format for the “bcc” header field 806 is shown in cell 818. This format consists of the characters “bcc:” followed by a list of addresses, a Comment and/or Folding White Space (CFWS) and a CRLF. The format for the “resent-to” header field 808 is shown in cell 820. This format consists of the characters “Resent-To:” followed by a list of addresses and a CRLF.
  • The format for the “resent-cc” header field 810 is shown in cell 822. This format consists of the characters “Resent-cc:” followed by a list of addresses and a CRLF. The format for the “resent-bcc” header field 812 is shown in cell 824. This format consists of the characters “Resent-bcc:” followed by a list of addresses, a CFWS and a CRLF. Note that the case of the characters that appear in a header field is immaterial, as explained in RFC 2822.
  • FIG. 7 is a flowchart depicting the overall operation and control flow of the process of sending an email in one embodiment of the present invention. The operation and control flow of FIG. 7 depicts the processing of outgoing email messages so as to allow the sender to send an email message to a recipient whose address has been modified by the control flow of FIG. 3. Specifically, the control flow of FIG. 7 depicts the actions taken by the boundary mail server 108 in this embodiment upon receiving each outgoing email message. The operation and control flow of FIG. 7 begins with step 702 and proceeds directly to step 704.
  • In step 704, the boundary mail server 108 determines whether there are any header fields remaining to be processed. The boundary mail server 108 iterates through each header field of an outgoing email message and processes it. If the result of the determination of step 704 is positive, then control flows to step 706. If the result of the determination of step 704 is negative, then control flows to step 720. In step 706, the boundary mail server 108 acquires, or reads, the next header field of the outgoing email message.
  • In step 708, the boundary mail server 108 determines whether the current header field is pertinent. In one embodiment, the boundary mail server 108 considers any header field specified in FIG. 8 as pertinent. This is because FIG. 8 shows common header fields and header field formats that are pertinent to identifying addresses that have been modified by the control flow of FIG. 3. If the result of the determination of step 708 is positive, then control flows to step 710. If the result of the determination of step 708 is negative, then control flows to step 704.
  • In step 710, the boundary mail server 108 determines whether there are any mailboxes in the current header field remaining to be processed. The boundary mail server 108 iterates through each mailbox in the current header field of an outgoing email message and processes it. If the result of the determination of step 710 is positive, then control flows to step 712. If the result of the determination of step 710 is negative, then control flows to step 704. In step 712, the boundary mail server 108 acquires, or reads, the next mailbox in the current header field of the outgoing email message.
  • In step 714, the boundary mail server 108 determines whether the current mailbox has been marked or otherwise modified by the control flow of FIG. 3. If the result of the determination of step 714 is positive, then control flows to step 716. If the result of the determination of step 714 is negative, then control flows to step 718.
  • In step 716, the address of the mailbox is modified to its original state. In one embodiment of the present invention, the extra domain that was added in the control flow of FIG. 3 is deleted. For example, if the address of the mailbox was “sam.spoofer@externalto.example.com”, then the address of the mailbox is modified to be “sam.spoofer@example.com”. The modified mailbox is then emitted, or allowed to pass through the processing phase. In step 718, the mailbox is emitted, or allowed to pass through the processing phase. In step 720, the control flow of FIG. 7 stops.
  • FIG. 9 shows the text of an exemplary email before the process of sending an email in one embodiment of the present invention. More specifically, FIG. 9 shows the text of an email message before the control flow of FIG. 7 is executed. FIG. 9 shows that the text of the email message contains a “To” field 902, a “From” field 904, a “CC” field 905, a “Subject” field 906, a “Date” field 908 and a “Body” field 910. Note that the address of the “CC” field 905 has not been modified yet.
  • FIG. 10 shows the text of the email message of FIG. 9 after the process of sending an email in one embodiment of the present invention. More specifically, FIG. 10 shows the text of the email message after the control flow of FIG. 7 is executed. FIG. 10 shows that the text of the email message contains the same “To” field 902, “From” field 904, “Subject” field 906, “Date” field 908 and “Body” field 910 as FIG. 9. However, the address of the “CC” field 1002 has been modified. Whereas the original address in the “CC” field 905 was “colleague@externalto.example.com”, the address of the “CC” field 1002 is modified to be “colleague@example.com”. Note that the “externalto” text, which indicates that the email message originated from a network external to the LAN 110 of the recipient computer 104 in this embodiment, has been extracted.
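The two boundary-server passes described in sections 4 and 5 (the FIG. 3 marking of sender mailboxes that claim an internal origin, and the FIG. 7 unmarking of recipient mailboxes on the way back out), written here as an added example rather than code from the patent. The internal domain list, the marker text, the pertinent-field sets and both sample messages are assumptions constructed for the example; the one point a practitioner should take from it is that the "is this domain ours" test must match whole labels (exact, or a sub-domain of ours), and that the marker is only stripped when an internal domain follows it.

```python
"""Added example of the patent's inbound marking (FIG. 3) and outbound
unmarking (FIG. 7) passes. Not the patent's own code; domains, marker and
sample messages below are constructed for illustration."""
from email.utils import formataddr, getaddresses

MARKER = "externalto"                 # sub-domain prefixed to suspect mailboxes
INTERNAL_DOMAINS = ("example.com",)   # assumed domains of the local network (LAN 110)

# Sender-bearing fields the inbound pass inspects (the fields listed in FIG. 2).
INBOUND_FIELDS = {"from", "sender", "reply-to",
                  "resent-from", "resent-sender", "resent-reply-to"}
# Recipient-bearing fields the outbound pass inspects (the fields listed in FIG. 8).
OUTBOUND_FIELDS = {"to", "cc", "bcc", "resent-to", "resent-cc", "resent-bcc"}


def parse_message(raw):
    """Split message text into ([(field name, unfolded field body)], body).
    Lines starting with SP/HTAB are folded continuations (RFC 2822 2.2.3)."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    fields = []
    for line in head.split("\n"):
        if line[:1] in (" ", "\t") and fields:
            name, value = fields[-1]
            fields[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            fields.append((name.strip(), value.strip()))
    return fields, body


def is_internal(domain):
    """True for one of our domains or a sub-domain of one. Matching whole
    labels (exact, or '.'-prefixed suffix) keeps look-alike domains external."""
    d = domain.lower()
    return any(d == h or d.endswith("." + h) for h in INTERNAL_DOMAINS)


def mark(domain):
    """Step 316: prefix the marker when the mailbox claims an internal origin."""
    return f"{MARKER}.{domain}" if is_internal(domain) else domain


def unmark(domain):
    """Step 716: remove one marker prefix, but only when an internal domain
    follows it, so addresses this gateway never marked are left untouched."""
    prefix = MARKER + "."
    rest = domain[len(prefix):]
    if domain.lower().startswith(prefix) and is_internal(rest):
        return rest
    return domain


def rewrite_mailboxes(field_body, transform):
    """Apply transform() to the domain of every mailbox in a field body.
    Display names are kept; the group construct is flattened by getaddresses."""
    out = []
    for display_name, addr in getaddresses([field_body]):
        local, at, domain = addr.rpartition("@")
        if at:
            addr = f"{local}@{transform(domain)}"
        out.append(formataddr((display_name, addr)))
    return ", ".join(out)


def rewrite_message(raw, pertinent, transform):
    """Steps 304-320 / 704-720: rewrite mailboxes only in pertinent fields;
    other headers and the body pass through (CRLF is normalised to LF here)."""
    fields, body = parse_message(raw)
    lines = []
    for name, value in fields:
        if name.lower() in pertinent:          # field names are case-insensitive
            value = rewrite_mailboxes(value, transform)
        lines.append(f"{name}: {value}")
    return "\n".join(lines) + "\n\n" + body


def process_inbound(raw):
    """Boundary mail server 108, message arriving from WAN 106 (FIG. 3)."""
    return rewrite_message(raw, INBOUND_FIELDS, mark)


def process_outbound(raw):
    """Boundary mail server 108, message leaving LAN 110 (FIG. 7)."""
    return rewrite_message(raw, OUTBOUND_FIELDS, unmark)


# Constructed sample messages (not the text of FIG. 4, 5, 9 or 10).
INBOUND_SAMPLE = (
    "From: Sam Spoofer <sam.spoofer@example.com>\r\n"
    "Reply-To: sam.spoofer@example.com\r\n"
    "Resent-From: boss@mail.example.com,\r\n"
    "  partner@partner.org\r\n"
    "To: victim@example.com\r\n"
    "Subject: Urgent: password reset\r\n"
    "\r\n"
    "Please open the attachment.\r\n"
)
OUTBOUND_SAMPLE = (
    "To: Sam Spoofer <sam.spoofer@externalto.example.com>\r\n"
    "From: victim@example.com\r\n"
    "CC: colleague@externalto.example.com, someone@externalto.partner.org\r\n"
    "Subject: Re: Urgent: password reset\r\n"
    "\r\n"
    "Is this really from you?\r\n"
)

if __name__ == "__main__":
    print(process_inbound(INBOUND_SAMPLE))
    print(process_outbound(OUTBOUND_SAMPLE))
```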
  • 6. Exemplary Implementations
  • The present invention can be realized in hardware, software, or a combination of hardware and software. A system according to a preferred embodiment of the present invention can be realized in a centralized fashion in one computer system, or in a distributed fashion where different elements are spread across several interconnected computer systems. Any kind of computer system—or other apparatus adapted for carrying out the methods described herein—is suited. A typical combination of hardware and software could be a general-purpose computer system with a computer program that, when being loaded and executed, controls the computer system such that it carries out the methods described herein.
  • An embodiment of the present invention can also be embedded in a computer program product, which comprises all the features enabling the implementation of the methods described herein, and which—when loaded in a computer system—is able to carry out these methods. Computer program means or computer program as used in the present invention indicates any expression, in any language, code or notation, of a set of instructions intended to cause a system having an information processing capability to perform a particular function either directly or after either or both of the following: a) conversion to another language, code or notation; and b) reproduction in a different material form.
  • A computer system may include, inter alia, one or more computers and at least a computer program product on a computer readable medium, allowing a computer system to read data, instructions, messages or message packets, and other computer readable information from the computer readable medium. The computer readable medium may include non-volatile memory, such as ROM, Flash memory, Disk drive memory, CD-ROM, and other permanent storage. Additionally, a computer readable medium may include, for example, volatile storage such as RAM, buffers, cache memory, and network circuits. Furthermore, the computer readable medium may comprise computer readable information in a transitory state medium such as a network link and/or a network interface, including a wired network or a wireless network, that allows a computer system to read such computer readable information.
  • FIG. 11 is a block diagram of a computer system useful for implementing an embodiment of the present invention. The computer system of FIG. 11 includes one or more processors, such as processor 1104. The processor 1104 is connected to a communication infrastructure 1102 (e.g., a communications bus, cross-over bar, or network). Various software embodiments are described in terms of this exemplary computer system. After reading this description, it will become apparent to a person of ordinary skill in the relevant art(s) how to implement the invention using other computer systems and/or computer architectures.
  • The computer system can include a display interface 1108 that forwards graphics, text, and other data from the communication infrastructure 1102 (or from a frame buffer not shown) for display on the display unit 1110. The computer system also includes a main memory 1106, preferably random access memory (RAM), and may also include a secondary memory 1112. The secondary memory 1112 may include, for example, a hard disk drive 1114 and/or a removable storage drive 1116, representing a floppy disk drive, a magnetic tape drive, an optical disk drive, etc. The removable storage drive 1116 reads from and/or writes to a removable storage unit 1118 in a manner well known to those having ordinary skill in the art. Removable storage unit 1118 represents, for example, a floppy disk, magnetic tape, optical disk, etc., which is read by and written to by removable storage drive 1116. As will be appreciated, the removable storage unit 1118 includes a computer usable storage medium having stored therein computer software and/or data.
  • In alternative embodiments, the secondary memory 1112 may include other similar means for allowing computer programs or other instructions to be loaded into the computer system. Such means may include, for example, a removable storage unit 1122 and an interface 1120. Examples of such may include a program cartridge and cartridge interface (such as that found in video game devices), a removable memory chip (such as an EPROM, or PROM) and associated socket, and other removable storage units 1122 and interfaces 1120 which allow software and data to be transferred from the removable storage unit 1122 to the computer system.
  • The computer system may also include a communications interface 1124. Communications interface 1124 allows software and data to be transferred between the computer system and external devices. Examples of communications interface 1124 may include a modem, a network interface (such as an Ethernet card), a communications port, a PCMCIA slot and card, etc. Software and data transferred via communications interface 1124 are in the form of signals which may be, for example, electronic, electromagnetic, optical, or other signals capable of being received by communications interface 1124. These signals are provided to communications interface 1124 via a communications path (i.e., channel) 1126. This channel 1126 carries signals and may be implemented using wire or cable, fiber optics, a phone line, a cellular phone link, an RF link, and/or other communications channels.
  • In this document, the terms “computer program medium,” “computer usable medium,” and “computer readable medium” are used to generally refer to media such as main memory 1106 and secondary memory 1112, removable storage drive 1116, a hard disk installed in hard disk drive 1114, and signals. These computer program products are means for providing software to the computer system. The computer readable medium allows the computer system to read data, instructions, messages or message packets, and other computer readable information from the computer readable medium. The computer readable medium, for example, may include non-volatile memory, such as Floppy, ROM, Flash memory, Disk drive memory, CD-ROM, and other permanent storage. It is useful, for example, for transporting information, such as data and computer instructions, between computer systems. Furthermore, the computer readable medium may comprise computer readable information in a transitory state medium such as a network link and/or a network interface, including a wired network or a wireless network, that allows a computer to read such computer readable information.
  • Computer programs (also called computer control logic) are stored in main memory 1106 and/or secondary memory 1112. Computer programs may also be received via communications interface 1124. Such computer programs, when executed, enable the computer system to perform the features of the present invention as discussed herein. In particular, the computer programs, when executed, enable the processor 1104 to perform the features of the computer system. Accordingly, such computer programs represent controllers of the computer system.
  • Although specific embodiments of the invention have been disclosed, those having ordinary skill in the art will understand that changes can be made to the specific embodiments without departing from the spirit and scope of the invention. The scope of the invention is not to be restricted, therefore, to the specific embodiments. Furthermore, it is intended that the appended claims cover any and all such applications, modifications, and embodiments within the scope of the present invention.

Claims (18)

1. A method for identifying spoofed emails, the method comprising the steps of:
receiving an email addressed to a recipient in a first network, the email including a plurality of headers, wherein at least one of the plurality of headers includes a sender address;
determining whether the sender address indicates a mailbox from within the first network;
when the sender address indicates a mailbox from within the first network, modifying at least a portion of the sender address so as to produce a modified sender address that indicates to the recipient that the email is associated with a mailbox that is external to the first network; and
sending the email with the modified sender address to the recipient, the modified sender address being visible to the recipient.
2. The method of claim 1, wherein the receiving step comprises:
receiving the email that includes a “sender” header field that includes the sender address.
3. The method of claim 1, wherein the receiving step comprises:
receiving the email that includes a “from” header field that includes the sender address.
4. The method of claim 1, wherein the receiving step comprises:
receiving the email that includes a “reply-to” header field that includes the sender address.
5. The method of claim 1, wherein the step of determining comprises:
determining whether the sender address matches any one of a plurality of domains or sub-domains associated with the first network.
6. The method of claim 1, wherein the step of modifying comprises:
appending a predetermined sub-domain to the sender address.
7. The method of claim 1, wherein the step of modifying comprises:
modifying at least one of a domain and a sub-domain of the sender address.
8. The method of claim 1, further comprising:
receiving a second email, the second email being from the recipient and being addressed to the modified sender address;
modifying the modified sender address so as to produce the sender address; and
sending the second email with the sender address.
9. A tangible computer readable storage medium encoded with a program for identifying spoofed emails, the program comprising instructions for performing a method comprising the steps of:
receiving an email addressed to a recipient in a first network, the email including a plurality of headers, wherein at least one of the plurality of headers includes a sender address;
determining whether the sender address indicates a mailbox from within the first network;
when the sender address indicates a mailbox from within the first network, modifying at least a portion of the sender address so as to produce a modified sender address that indicates to the recipient that the email is associated with a mailbox that is external to the first network; and
sending the email with the modified sender address to the recipient, the modified sender address being visible to the recipient.
10. The tangible computer readable storage medium of claim 9, wherein the receiving step of the method comprises:
receiving the email that includes a “sender” header field that includes the sender address.
11. The tangible computer readable storage medium of claim 9, wherein the receiving step of the method comprises:
receiving the email that includes a “from” header field that includes the sender address.
12. The tangible computer readable storage medium of claim 9, wherein the modifying step of the method comprises:
appending a predetermined sub-domain to the sender address.
13. The tangible computer readable storage medium of claim 9, wherein the modifying step of the method comprises:
modifying at least one of a domain and a sub-domain of the sender address.
14. The tangible computer readable storage medium of claim 9, wherein the method further comprises the steps of:
receiving a second email, the second email being from the recipient and being addressed to the modified sender address;
modifying the modified sender address so as to produce the sender address; and
sending the second email with the sender address.
15. A computer system for identifying spoofed emails, the computer system comprising:
a receiver receiving an email addressed to a recipient in a first network, the email including a plurality of headers, wherein at least one of the plurality of headers includes a sender address;
a processor determining whether the sender address indicates a mailbox from within the first network, the processor modifying at least a portion of the sender address so as to produce a modified sender address that indicates to the recipient that the email is associated with a mailbox that is external to the first network when the sender address indicates a mailbox from within the first network; and
a transmitter sending the email with the modified sender address to the recipient, the modified sender address being visible to the recipient.
16. The computer system of claim 15, wherein the receiver receives the email that includes a “sender” header field that includes the sender address.
17. The computer system of claim 15, wherein the processor modifies the sender address by appending a predetermined sub-domain to the sender address.
18. The computer system of claim 15, wherein the processor determines whether the sender address indicates a mailbox from within the first network by determining whether the sender address matches any one of a plurality of domains or sub-domains associated with the first network, and
the processor modifies the sender address by modifying the sender address when the sender address matches any one of the domains or sub-domains associated with the first network.
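The receive-side tagging of FIG. 9 and the send-side untagging of FIG. 10, together with the header fields and the domain match of claims 1 through 8, as an added example in Python (not code from the patent). It assumes the first network owns example.com and uses "externalto" as the predetermined sub-domain, as in the figures; the sample messages are constructed.

```python
# Added example, not the patent's own code. Assumptions: the first network owns
# example.com, and "externalto" is the predetermined sub-domain of FIGS. 9-10.
from email import message_from_string
from email.utils import formataddr, getaddresses

INTERNAL_DOMAINS = ("example.com",)               # assumption: first network's domains
MARKER = "externalto"                             # predetermined sub-domain (FIGS. 9-10)
INBOUND_FIELDS = ("From", "Sender", "Reply-To")   # header fields named in claims 2-4
OUTBOUND_FIELDS = ("To", "Cc", "Bcc")             # where a reply carries the modified address


def domain_of(address):
    return address.rpartition("@")[2].lower()


def is_internal(address):
    """Claim 5: the domain equals, or is a sub-domain of, a first-network domain.
    The match is anchored at the suffix, so example.com.evil.test is not internal."""
    d = domain_of(address)
    return any(d == base or d.endswith("." + base) for base in INTERNAL_DOMAINS)


def is_tagged(address):
    return domain_of(address).startswith(MARKER + ".")


def tag(address):
    """Claim 6: insert the marker sub-domain so the address visibly reads as external."""
    local, _, domain = address.rpartition("@")
    return f"{local}@{MARKER}.{domain}"


def untag(address):
    """Claim 8: remove the marker so a reply reaches the real mailbox."""
    local, _, domain = address.rpartition("@")
    if is_tagged(address):
        domain = domain[len(MARKER) + 1:]
    return f"{local}@{domain}"


def _rewrite(msg, fields, transform):
    for field in fields:
        values = msg.get_all(field)
        if not values:
            continue
        rewritten = [formataddr((name, transform(addr)))
                     for name, addr in getaddresses(values)]
        del msg[field]                      # removes every occurrence of the field
        msg[field] = ", ".join(rewritten)
    return msg


def on_receipt(raw):
    """Claim 1: mail entering the first network. An internal-looking sender address is
    rewritten; one already carrying the marker is left alone, so passing this hop twice
    does not tag it twice."""
    def mark(addr):
        return tag(addr) if is_internal(addr) and not is_tagged(addr) else addr
    return _rewrite(message_from_string(raw), INBOUND_FIELDS, mark)


def on_send(raw):
    """Claim 8 / FIG. 10: mail leaving the recipient. Tagged recipient addresses
    (for instance in the CC field) are restored to the original mailboxes."""
    return _rewrite(message_from_string(raw), OUTBOUND_FIELDS, untag)


# Constructed sample messages: an inbound message whose From claims an internal
# mailbox, and a reply-all that still carries the modified addresses.
SPOOFED = ("From: Alice Boss <alice@example.com>\r\nTo: bob@example.com\r\n"
           "Subject: urgent wire\r\n\r\nPlease pay the attached invoice.\r\n")
REPLY = ("From: bob@example.com\r\nTo: Alice Boss <alice@externalto.example.com>\r\n"
         "Cc: colleague@externalto.example.com, dave@example.com\r\n\r\nNo.\r\n")

if __name__ == "__main__":
    print(on_receipt(SPOOFED)["From"])   # Alice Boss <alice@externalto.example.com>
    print(on_send(REPLY)["Cc"])          # colleague@example.com, dave@example.com
```

The rewriting only helps if it runs on the boundary mail transfer agent before any user agent renders the message, and if the marker sub-domain is routed back through the send-side step rather than delivered as an ordinary address.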

Priority Applications (1)

Application Number Priority Date Filing Date Title
US12/339,999 US20090113012A1 (en) 2004-01-09 2008-12-19 System and method for identifying spoofed email by modifying the sender address

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US10/754,220 US7472164B2 (en) 2004-01-09 2004-01-09 System and method for identifying spoofed email by modifying the sender address
US12/339,999 US20090113012A1 (en) 2004-01-09 2008-12-19 System and method for identifying spoofed email by modifying the sender address

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
US10/754,220 Continuation US7472164B2 (en) 2004-01-09 2004-01-09 System and method for identifying spoofed email by modifying the sender address

Publications (1)

Publication Number Publication Date
US20090113012A1 true US20090113012A1 (en) 2009-04-30

Family

ID=34860711

Family Applications (2)

Application Number Title Priority Date Filing Date
US10/754,220 Active 2026-02-24 US7472164B2 (en) 2004-01-09 2004-01-09 System and method for identifying spoofed email by modifying the sender address
US12/339,999 Abandoned US20090113012A1 (en) 2004-01-09 2008-12-19 System and method for identifying spoofed email by modifying the sender address

Family Applications Before (1)

Application Number Title Priority Date Filing Date
US10/754,220 Active 2026-02-24 US7472164B2 (en) 2004-01-09 2004-01-09 System and method for identifying spoofed email by modifying the sender address

Country Status (1)

Country Link
US (2) US7472164B2 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130305367A1 (en) * 2012-05-10 2013-11-14 Fujitsu Limited Detecting method and device
US9059870B1 (en) * 2012-10-05 2015-06-16 Symantec Corporation Techniques for managing electronic message distribution

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6826407B1 (en) 1999-03-29 2004-11-30 Richard J. Helferich System and method for integrating audio and visual messaging
US7003304B1 (en) 1997-09-19 2006-02-21 Thompson Investment Group, Llc Paging transceivers and methods for selectively retrieving messages
US6636733B1 (en) 1997-09-19 2003-10-21 Thompson Trust Wireless messaging method
US6253061B1 (en) 1997-09-19 2001-06-26 Richard J. Helferich Systems and methods for delivering information to a transmitting and receiving device
US6983138B1 (en) 1997-12-12 2006-01-03 Richard J. Helferich User interface for message access
US20060211406A1 (en) * 2005-03-17 2006-09-21 Nokia Corporation Providing security for network subscribers
US20060242251A1 (en) * 2005-04-04 2006-10-26 Estable Luis P Method and system for filtering spoofed electronic messages
US8495146B2 (en) * 2006-08-09 2013-07-23 International Business Machines Corporation Source initiated autonomic recipient e-mail address correction redistribution
US8135780B2 (en) * 2006-12-01 2012-03-13 Microsoft Corporation Email safety determination
US20180013710A1 (en) * 2016-03-25 2018-01-11 Zafar Khan Email Sender and Reply-To Authentication to Prevent Interception of Email Replies
JP6897257B2 (en) * 2017-04-12 2021-06-30 富士フイルムビジネスイノベーション株式会社 E-mail processor and e-mail processing program
US11870807B2 (en) * 2019-11-19 2024-01-09 Jpmorgan Chase Bank, N.A. System and method for phishing email training

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6072942A (en) * 1996-09-18 2000-06-06 Secure Computing Corporation System and method of electronic mail filtering using interconnected nodes
US6266692B1 (en) * 1999-01-04 2001-07-24 International Business Machines Corporation Method for blocking all unwanted e-mail (SPAM) using a header-based password
US6321267B1 (en) * 1999-11-23 2001-11-20 Escom Corporation Method and apparatus for filtering junk email
US6356935B1 (en) * 1998-08-14 2002-03-12 Xircom Wireless, Inc. Apparatus and method for an authenticated electronic userid
US20030233418A1 (en) * 2002-06-18 2003-12-18 Goldman Phillip Y. Practical techniques for reducing unsolicited electronic messages by identifying sender's addresses
US20040148356A1 (en) * 2002-11-04 2004-07-29 Bishop James William System and method for private messaging
US20040193691A1 (en) * 2003-03-31 2004-09-30 Chang William I. System and method for providing an open eMail directory

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CA2392397A1 (en) 1999-11-23 2001-05-31 Escom Corporation Electronic message filter having a whitelist database and a quarantining mechanism

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130305367A1 (en) * 2012-05-10 2013-11-14 Fujitsu Limited Detecting method and device
US8931098B2 (en) * 2012-05-10 2015-01-06 Fujitsu Limited Detecting method and device
US9059870B1 (en) * 2012-10-05 2015-06-16 Symantec Corporation Techniques for managing electronic message distribution

Also Published As

Publication number Publication date
US7472164B2 (en) 2008-12-30
US20050188024A1 (en) 2005-08-25

Legal Events

Date Code Title Description
STCB Information on status: application discontinuation

Free format text: ABANDONED -- FAILURE TO RESPOND TO AN OFFICE ACTION

AS Assignment

Owner name: HCL TECHNOLOGIES LIMITED, INDIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:INTERNATIONAL BUSINESS MACHINES CORPORATION;REEL/FRAME:050186/0482

Effective date: 20190802