Abstract: The spam blocker monitors the SMTP/TCP/IP conversation between a sending message transfer agent MTA—0 and a receiving message transfer agent MTA—1; catches MTA—0's IP address IP—0, MTA—0's declared domain D—0, from-address A—0; and to-address A—1; and uses this source and content based information to test for unsolicited messages. It interrupts the conversation when MTA—0 sends a command_specifying the recipient (an “RCPT” command) and uses the various test results to decide if the message is suspected of being unsolicited. If the message is suspected of being unsolicited then it logs the rejected message, sends an error reply to MTA—0 which forces MTA—0 to terminate the connection with MTA—1 before the body of the message is transmitted; else it logs the allowed message, releases the intercepted RCPT command which allows the conversation between MTA—0 and MTA—1 to proceed.

Abstract: The spam blocker monitors the SMTP/TCP/IP conversation between a sending message transfer agent MTA—0 and a receiving message transfer agent MTA—1; catches MTA—0's IP address IP—0, MTA—0's declared domain D—0, from-address A—0; to-address A—1, and the body of the message; and uses this source and content information to test for unsolicited messages. It alters the conversation to reject, divert or intercept the message if the message is suspected of being unsolicited.

Abstract: Most unsolicited commercial email (UCE) countermeasures call for a message by message analysis. However, some UCE attacks occur when a single sender of UCE floods a mail transfer agent (MTA) with a number of copies of a UCE, in a mail flood attack. The attacks rarely rise to the level of denial of service attacks but are significant enough to place a strain on MTAs and anti-UCE countermeasures. The anti-mail flood methodology disclosed herein provides a system and method for protecting mail systems from such mail flood attacks enabling anti-UCE countermeasures to work more efficiently.

Abstract: Most unsolicited commercial email (UCE) countermeasures call for a message by message analysis. However, some UCE attacks occur when a single sender of UCE floods a mail transfer agent (MTA) with a number of copies of a UCE, in a mail flood attack. The attacks rarely rise to the level of denial of service attacks but are significant enough to place a strain on MTAs and anti-UCE countermeasures. The anti-mail flood methodology disclosed herein provides a system and method for protecting mail systems from such mail flood attacks enabling anti-UCE countermeasures to work more efficiently.

Abstract: Protective proxies are used to shield a destination agent from undesirable source agents or transactions. Because protective proxies are usually tied to one but sometimes more fixed destination agents, they are usually configured directly to the destination agent. As a result, many protective proxies are lightweight and allow the destination agent to manage the protocol. As a result, a catastrophic condition can occur if the protective proxy is inadvertently misconfigured so that a connectivity loop occurs. A low level loop detected can be incorporated into the protective proxy. Alternatively, a loop detector which augments the existing application layer protocol can also be employed in a protective proxy.

Abstract: The spam blocker monitors the SMTP/TCP/IP conversation between a sending message transfer agent MTA—0 and a receiving message transfer agent MTA—1; catches MTA—0's IP address IP—0, MTA—0's declared domain D—0, from-address A—0; and to-address A—1; and uses this source and content based information to test for unsolicited messages. It interrupts the conversation when MTA—0 sends a RCPT command and uses the various test results to decide if the message is suspected of being unsolicited. If the message is suspected of being unsolicited and to-address is not in the save_spam database then the spam blocker logs the rejected message, sends an error reply to MTA—0 which forces MTA—0 to terminate the connection before the body of the message is transmitted.

Abstract: The spam blocker monitors the SMTP/TCP/IP conversation between a sending message transfer agent MTA—0 and a receiving message transfer agent MTA—1; catches MTA—0's IP address IP—0, MTA—0's declared domain D—0, from-address A—0; to-address A—1, and the body of the message; and uses this source and content information to test for unsolicited messages. It interrupts the conversation when MTA—0 sends a .\r\n end-of-message indicator and uses the various test results to decide if the message is suspected of being unsolicited. If the message is suspected of being unsolicited then it logs the rejected message and sends an error reply to MTA—0 which forces MTA—0 to send a QUIT command before the body of the message is transmitted; else it logs the allowed message and releases the intercepted RCPT command which allows the conversation between MTA—0 and MTA—1 to proceed.

Abstract: The spam blocker monitors the SMTP/TCP/IP conversation between a sending message transfer agent MTA—0 and a receiving message transfer agent MTA—1; catches MTA—0's IP address IP—0, MTA—0's declared domain D—0, sender_address A—0; and recipient A—1; and uses this source and content based information to test for unsolicited messages. It interrupts the conversation when MTA—0 sends a command specifying the recipient (an “RCPT” command) and uses the various test results to decide if the message is suspected of being unsolicited. If the message is suspected of being unsolicited then it logs the rejected message, sends an error reply to MTA—0 which forces MTA—0 to terminate the connection with MTA—1 before the body of the message is transmitted; else it logs the allowed message, releases the intercepted RCPT command which allows the conversation between MTA—0 and MTA—1 to proceed.

Abstract: A set of unsolicited e-mail messages is collected and “finger printed” by either sampling the unsolicited message and using portions of the samples to form the identifier or by hashing a portion of the message. These “finger prints” are used to construct an unsolicited message database. The client's e-mail messages are processed in off-line manner by periodically fetching their messages; “finger printing” each message in a manner identical to the unsolicited messages; checking to see if the “finger print” is in the unsolicited message database; discarding any messages with a “finger print” in the unsolicited message database; and forwarding any message with a “finger print” not in the unsolicited message database to the “clean” POP server.