Claims:We Claim:
1. A method of considering whether the message is spam in a system having a plurality of anti-spam modules comprising the steps of:
a) invoking the anti-spam modules
b) receiving a spam confidence level
c) applying, adding and comparing the tuning factor to the spam confidence level to create a tuned spam confidence level;
d) In case if it is greater than the at least one threshold, invoking an action associated with the at least one threshold; then repeating steps if the summed spam confidence level is less than the at least one threshold,
wherein the action includes one of the following: a. dropping a connection if the summed spam confidence level exceeds a first threshold level of the at least one threshold; b. returning a non-delivery message to a sender if the summed spam confidence level exceeds a second threshold level of the at least one threshold and is below the first threshold level; and c. delivering the message to a junk mail folder if the message exceeds a third threshold level of the at least one threshold and is below the second threshold level.
2. The method of claim 1 wherein the at least one threshold comprises a plurality of thresholds containing a top threshold and a bottom threshold, the method further comprising the steps of:
a. comparing the summed spam confidence level to each of the plurality of thresholds;
b. determining if the summed spam confidence level is higher than at least one of the plurality of thresholds;
c. if the summed spam confidence level is higher than at least one of the plurality of thresholds:
d. determining which of the at least one of the plurality of thresholds is closest to the top threshold; and
e. invoking the action associated with the at least one of the plurality of thresholds that is closest to the top threshold.
3. The method of claim 1 wherein, applying a scaling factor to each spam confidence level.
4. The method of claim 3 wherein, the scaling the spam confidence level by one.
5. The method of claim 3 wherein, a user's confidence level in the one of the plurality of anti-spam modules.
6. The method of claim 1 wherein, using a non-linear confidence level normalization.
7. The method of claim 1 wherein, the step of invoking the action includes invoking one of deleting the message, sending a non-delivery notification, and passing the message to a client with the summed spam confidence level.
8. The method of claim 1 wherein, the first threshold is a ninety nine percent spam confidence level, the second threshold is a seventy percent spam confidence level, and the third threshold level is a forty percent spam confidence level.
9. The method of claim 1 wherein, the method further includes the step of adding the summed spam confidence level to the message.
10. The method of claim 1 wherein, the plurality of anti-spam modules includes one of a blackhole list and a turf list.
, Description:Technical Field of the Invention
This invention relates generally to electronic messaging and, more particularly, relates to filtering undesired electronic mail.
Background of the Invention
Electronic messaging, particularly electronic mail (“e-mail”) carried over the Internet, is rapidly becoming not only quite pervasive in society but also, given its informality, ease of use and low cost, a preferred method of communication for many individuals and organizations.
The electronic mailers are continually expanding their distribution lists to reach an increasing number of recipients. For example, recipients who merely provide their e-mail addresses in response to perhaps innocuous appearing requests for visitor information generated by various web sites often receive unsolicited mail and much to their displeasure, they find that they have been included on electronic distribution lists. This occurs without the knowledge, let alone the assent, of the recipients. Furthermore, an electronic mailer will often disseminate its distribution list, whether by sale, lease or otherwise, to another such mailer for its use, and so forth with subsequent mailers. Consequently, over time, e-mail recipients often find themselves increasingly barraged by unsolicited mail resulting from separate distribution lists maintained by a wide and increasing variety of mass mailers. An individual can easily receive hundreds, and even thousands, of pieces of unsolicited e-mail over the course of a year. Individuals on e-distribution lists can expect to receive a considerably larger number of unsolicited messages over a much shorter period. Furthermore, while many unsolicited e-mail messages are benign, such as offers for discount office or computer supplies, mortgage rate quotes, or invitations to attend conferences of one type or another, others, such as pornographic, inflammatory and abusive material, are offensive to their recipients. These unsolicited messages are known as “junk” mail or as “spam.” The e-mail load from spam can be equivalent to the load generated from legitimate e-mail.
What may be spam to one recipient may not be spam to another, which limits the functionality of turf lists. Additionally, an electronic mailer (i.e., a spam generator) will prepare a message such that its true content is not apparent from its subject line and can only be discerned from reading the body of the message. Another technique developed is known as a black hole list. The black hole list is a list of known spam addresses from which spam is sent. The e-mail sender's address is checked against the black hole list. If the address is on the list, the e-mail is not accepted. Spam generators simply change their address to bypass this technique. Other techniques have also been developed. None of the techniques are 100% effective. Innovations by e-mail servers to prevent spam are met with innovations by spam creators to overcome the innovations.
Object of the Invention
The primary object of the present invention is to provide a system & method for framework that enables multiple spam detection solutions to be deployed to work together in a manageable and rational manner and enables new innovations to be created and deployed under a rapid deployment model.
Summary of the Invention
A method is presented that determines if an e-mail message is spam using anti-spam modules. The method invokes one of the anti-spam modules and receives a spam confidence level from the anti-spam module. A tuning factor is applied to the spam confidence level to create a tuned spam confidence level. The tuned spam confidence level is added to a summed spam confidence level and the summed spam confidence level is compared to at least one threshold. If the summed spam confidence level is greater than the threshold, an action associated with the at least one threshold is invoked. The process repeats until either the summed spam confidence level is greater than the threshold or all of the anti-spam modules have been invoked. In one embodiment, a plurality of thresholds including a top threshold is used and the summed spam confidence level is compared to each threshold. If the summed spam confidence level is higher than one or more of the thresholds; the action associated with the threshold that has been exceeded that is closest to the top threshold is invoked.
The tuning factor can range from a simple scaling factor such as multiplying the spam confidence level by one or scaling the spam confidence level by a user's confidence level in the anti-spam module that provided the spam confidence level to a complex tuning factor that normalizes the spam confidence level using a non-linear confidence level normalization.
The actions invoked includes dropping a connection if the summed spam confidence level exceeds a first threshold level, returning a non-delivery message to a sender if the summed spam confidence level exceeds a second threshold level and is below the first threshold level, and delivering the message to a junk mail folder if the message exceeds a third threshold level and is below the second threshold level. Additional features and advantages of the invention will be made apparent from the following detailed description of illustrative embodiments which proceeds with reference to the accompanying figures.
Brief Description of Drawings:
FIG. 1 is a block diagram generally illustrating the framework of the present invention in a system using a SMTP protocol stack;
Detailed Description of Invention:
FIG. 1 the SMTP stack runs inside the Internet information server (IIS), which is web server software sold by Microsoft Corporation installed on server. The IIS communicates via SMTP to other Exchange servers or SMTP servers (not shown) on the Internet. The IIS has a database that is used to store outgoing or incoming messages. When a connection is established to the SMTP protocol for a message coming in, an event is fired and received by the framework. The framework intercepts the message and passes it to one or more filters. The filter analyses the message, determines a confidence level that the filter has that the message is spam and sends the confidence level to the framework. The framework decides based on the confidence level whether it wants to invoke another filter, or an action. The action includes dropping the connection, sending the message to the Exchange transport, and deleting the message. The Exchange transport routes the message. It determines if the message is to be delivered to a mailbox on server or if it needs to go via SMTP to another server.