Patents Assigned to IronPort Systems, Inc.
  • Patent number: 8166310
    Abstract: A method and apparatus for providing access to resources of a network device is provided. A user instructs a network device to generate a user password that is concealed from the user of the network device. The network device generates the user password based on, at least in part, public input provided by the user, and an algorithm which is concealed from the user, but known to a support service provider. The user communicates the public input to the support service provider. The support service provider uses the public input to generate a provider password based on, at least in part, the algorithm. The support service provider may access the network device via a network by providing the provider password to the network device. If the provider password matches the user password generated, then the support service provider is granted access to resources of the network device.
    Type: Grant
    Filed: May 26, 2005
    Date of Patent: April 24, 2012
    Assignee: Ironport Systems, Inc.
    Inventors: Robert Brian Harrison, Lonhyn Jasinskyj, Paul J. Clegg, Ben Cottrell
  • Patent number: 8087082
    Abstract: A data processing apparatus, comprising at least one processor and a traffic monitor comprising logic which, when executed by the processor, causes the processor to perform: creating, using forward Domain Name System (DNS) lookups, a mapping of domain names to Internet Protocol (IP) addresses; determining whether a particular domain in the mapping requires handling data traffic to or from the particular domain by performing a particular action; based on the mapping, determining one or more IP addresses that are associated with the particular domain; generating policy for a firewall that instructs the firewall to perform the particular action upon receiving a particular request; wherein the particular request specifies a particular IP address that is within the particular domain.
    Type: Grant
    Filed: December 3, 2010
    Date of Patent: December 27, 2011
    Assignee: Ironport Systems, Inc.
    Inventors: Eric Bloch, Shalabh Mohan, Rajendraprasad R. Pagaku, Doug Moore, Mark Krentel, Bruce Thompson, Julian R. Elischer, Brandon L. Golm
  • Patent number: 8069213
    Abstract: A method and apparatus for controlling access to network resources referenced in electronic mail messages comprises the computer-implemented steps of receiving an electronic mail message that comprises one or more hyperlinks; determining sender information that identifies a sender of the electronic mail message; creating and storing a record that associates the sender information with each of the one or more hyperlinks; receiving a request to access a specified hyperlink among the one or more hyperlinks; retrieving, based on the specified hyperlink, the record; retrieving, based on the sender information associated with the specified hyperlink, sender reputation information associated with the sender; determining, based on the sender reputation information, a particular action among a plurality of allowed actions; and issuing a network request to access the specified hyperlink only when the particular action is allowing user access to the specified hyperlink.
    Type: Grant
    Filed: August 20, 2010
    Date of Patent: November 29, 2011
    Assignee: Ironport Systems, Inc.
    Inventors: Eric Bloch, Robert Van Zant, Scot Kennedy
  • Patent number: 7917588
    Abstract: A method and apparatus for managing the delivery of electronic messages using bounce profiles is provided. A bounce profile is a set of data that may be used by a mail server in redelivering an electronic message that was not successfully delivered (i.e., bounced) to a recipient of an electronic message. A sender mail server, upon determining that an electronic message sent to a recipient mail server bounced, may select a bounce profile, among a plurality of bounce profiles, that is associated with a trait of the bounced electronic message, such as a domain of the recipient or a message type of the bounced electronic message. The sender mail server determines whether, and how, to redeliver the bounced electronic message to the recipient mail server based on information specified by the selected bounce profile.
    Type: Grant
    Filed: May 26, 2005
    Date of Patent: March 29, 2011
    Assignee: Ironport Systems, Inc.
    Inventors: Paul J. Clegg, Lonhyn Jasinskyj
  • Patent number: 7877493
    Abstract: A method of validating queries for reputation scores of message senders comprises receiving, from a first host computer, a DNS format query to obtain a reputation score associated with a second host computer, wherein the query includes an authentication code; validating the authentication code; and only when validating the authentication code is successful, performing a DNS lookup in a reputation database and returning a DNS response that provides the reputation score associated with the second host computer.
    Type: Grant
    Filed: May 5, 2006
    Date of Patent: January 25, 2011
    Assignee: Ironport Systems, Inc.
    Inventor: Daniel Quinlan
  • Patent number: 7873695
    Abstract: A method and apparatus for managing connections and messages at a server by associating different actions for both different senders and different recipients is disclosed. The server manages connections from different senders by receiving incoming connections from the different senders and determining sender identifiers for the incoming connections. The server inspects a mapping of sender identifiers to actions to identify which action should be applied to each incoming connection. The server applies the actions, such as accepting the connection, rejecting the connection, relaying the connection, or refusing the connection. Also, the server manages electronic messages for different recipients by determining recipient identifiers for the electronic messages. The server inspects a mapping of recipient identifiers to actions to identify which action should be applied for the recipients of the email messages.
    Type: Grant
    Filed: May 27, 2005
    Date of Patent: January 18, 2011
    Assignee: Ironport Systems, Inc.
    Inventors: Paul J. Clegg, Eric C. Huss, Craig Sprosts, Shun Chen, Robert Brahms, Daniel Quinlan
  • Patent number: 7870200
    Abstract: An approach for monitoring electronic messages received at a server is disclosed. Message information for a plurality of electronic messages received at the server is determined and stored in a queue. Based on the queue, aggregate information is generated for a particular network address of a plurality of network addresses. The aggregate information is generated for each time interval of a plurality of time intervals and displayed for the plurality of time intervals. In some implementations, input from a user is received, and based on the input, a modification is made regarding how future electronic messages from the particular network address are handled by the server. In some implementations, combined aggregate information is generated for two or more network addresses and then displayed. In some implementations, aggregate policy information indicating which policies have been applied to the electronic messages is generated and displayed for the time intervals.
    Type: Grant
    Filed: May 27, 2005
    Date of Patent: January 11, 2011
    Assignee: Ironport Systems, Inc.
    Inventors: Charles S. Slater, Paul J. Clegg, Brennan H. Evans, Peter Schlampp
  • Patent number: 7854007
    Abstract: Early detection of computer viruses and other message-borne threats is provided by applying heuristic tests to message content and examining sender reputation information when no virus signature information is available. As a result, a messaging gateway can suspend delivery of messages early in a virus outbreak, providing sufficient time for updating an anti-virus checker that can strip virus code from the messages. A dynamic and flexible threat quarantine queue is provided with a variety of exit criteria and exit actions that permits early release of messages in other than first-in, first-out order. A message scanning method is described in which early exit from parsing and scanning can occur by matching threat rules only to selected message elements and stopping rule matching as soon as a match on one message element exceeds a threat threshold.
    Type: Grant
    Filed: May 5, 2006
    Date of Patent: December 14, 2010
    Assignee: Ironport Systems, Inc.
    Inventors: Craig Sprosts, Scot Kennedy, Daniel Quinlan, Larry Rosenstein, Charles Slater
  • Patent number: 7849507
    Abstract: A data processing apparatus can perform HTTP traffic monitoring and filtering of HTTP requests from clients and responses from servers. Example apparatus comprises a processor; a first network interface to a protected network; a second network interface to an external network; a core hypertext transfer protocol (HTTP) proxy coupled to the processor and coupled to a content cache, wherein the HTTP proxy is configured to receive an HTTP request from a client computer in the protected network, send the request to a network resource in the external network on behalf of the client, and receive an HTTP response from the network resource on behalf of the client computer; and a plurality of spyware scanning engines (SSEs), wherein each of the SSEs is coupled to stored content signatures, and wherein each of the SSEs is configured to detect a particular kind of malicious software in an HTTP response.
    Type: Grant
    Filed: April 30, 2007
    Date of Patent: December 7, 2010
    Assignee: Ironport Systems, Inc.
    Inventors: Eric Bloch, Shalabh Mohan, Rajendraprasad R. Pagaku, Doug Moore, Mark Krentel, Bruce Thompson, Julian R. Elischer, Brandon L. Golm
  • Patent number: 7849502
    Abstract: A data processing apparatus can perform HTTP traffic monitoring and filtering of HTTP requests from clients and responses from servers. Example apparatus comprises a processor, a first network interface to a protected network, a second network interface to an external network, and a traffic monitor having an address-domain name database, a firewall rules manager, and a DNS snooper. The traffic monitor accesses a blacklist and can perform receiving, from a client computer, a request to access a resource in the external network; blocking the request to the resource when a user agent of the client is in the blacklist as malicious software or when a file extension in a response to the request is in the blacklist; requesting, from a web reputation service, and receiving a reputation score indicating a reputation of the resource; blocking sending the request to the resource when the reputation is below a specified threshold.
    Type: Grant
    Filed: April 30, 2007
    Date of Patent: December 7, 2010
    Assignee: Ironport Systems, Inc.
    Inventors: Eric Bloch, Shalabh Mohan, Rajendraprasad R. Pagaku, Doug Moore, Mark Krentel, Bruce Thompson, Julian R. Elischer, Brandon L. Golm
  • Patent number: 7849142
    Abstract: A method and apparatus for managing connections, email messages, and directory harvest attacks at a server is disclosed. The server maintains a count of a parameter and compares the count to a specified maximum value, such that when the specified maximum value is met or exceeded, an action is taken by the server to limit the connections, email messages, or directory harvest attack. Actions include controlling the number of connections to the server from senders, controlling the flow of email messages injected to the server by senders, and controlling when rejection response messages are sent for invalid recipient email addresses to thwart a directory harvest attack. Senders are identified by one or more sender identifiers, which can be used to group senders together so that the same maximum value is applied collectively to all senders in the group.
    Type: Grant
    Filed: May 27, 2005
    Date of Patent: December 7, 2010
    Assignee: Ironport Systems, Inc.
    Inventors: Paul J. Clegg, Eric C. Huss, Craig Sprosts, Krishna Srinivasan, Peter Schlampp, Shun Chen, Robert Brahms, Daniel Quinlan
  • Patent number: 7836133
    Abstract: In one embodiment, detecting unwanted electronic mail messages based on probabilistic analysis of referenced resources comprises receiving a whitelist and a blocklist each having a plurality of network resource identifiers that have appeared in prior messages; retrieving a particular network resource identifier; generating a list of properties for the particular network resource identifier; training a probabilistic filter using the properties; and repeating the retrieving, generating and training for all the network resource identifiers in the whitelist and blocklist. Thereafter, when an electronic mail message is received and contains a URL or other network resource identifier, a spam score or threat score can be generated for the message by testing properties of the network resource identifier using the trained probabilistic filter.
    Type: Grant
    Filed: May 5, 2006
    Date of Patent: November 16, 2010
    Assignee: Ironport Systems, Inc.
    Inventors: Daniel Quinlan, Jason Kehl, Jeffrey Wescott
  • Patent number: 7809796
    Abstract: A method and apparatus for controlling access to network resources referenced in electronic mail messages comprises the computer-implemented steps of receiving an electronic mail message that comprises one or more hyperlinks; determining sender information that identifies a sender of the electronic mail message; creating and storing a record that associates the sender information with each of the one or more hyperlinks; receiving a request to access a specified hyperlink among the one or more hyperlinks; retrieving, based on the specified hyperlink, the record; retrieving, based on the sender information associated with the specified hyperlink, sender reputation information associated with the sender; determining, based on the sender reputation information, a particular action among a plurality of allowed actions; and issuing a network request to access the specified hyperlink only when the particular action is allowing user access to the specified hyperlink.
    Type: Grant
    Filed: April 5, 2007
    Date of Patent: October 5, 2010
    Assignee: IronPort Systems, Inc.
    Inventors: Eric Bloch, Robert Van Zant, Scot Kennedy
  • Patent number: 7756930
    Abstract: Techniques are provided for determining a reputation of a message sender by obtaining two or more lists from two or more list providers; determining which lists of the two or more lists indicate the message sender; and determining a reputation score for the message sender based on which lists of the two or more lists indicate the message sender. Techniques are also provided for indicating that a message is unsolicited based on a reputation score.
    Type: Grant
    Filed: May 28, 2004
    Date of Patent: July 13, 2010
    Assignee: IronPort Systems, Inc.
    Inventors: Robert Brahms, Daniel Quinlan, Craig Sprosts
  • Patent number: 7747693
    Abstract: Message delivery approaches are disclosed in which senders can define filters with associated actions for evaluation in relation to specified messages. After creating and storing filters with specified actions, senders dispatch messages to a processing system, which evaluates the filters against the messages. If a match occurs, the processing system performs the specified actions on the messages. In one embodiment, the processing system can send the same message multiple times to different receiving systems, and can modify the source IP address and outbound interface of the message for each receiving system. Further, the source IP address or interface may be modified by a filter in response to external events, such as a receiving system blocking another copy of the message.
    Type: Grant
    Filed: April 5, 2007
    Date of Patent: June 29, 2010
    Assignee: IronPort Systems, Inc.
    Inventors: Scott Banister, Paul Clegg, Peter Schlampp, Patrick R. Peterson
  • Patent number: 7748038
    Abstract: Early detection of computer viruses is provided by collecting information about suspicious messages and generating virus outbreak information. In one embodiment, a method comprises receiving the virus outbreak information that has been determined by receiving message information for messages that have characteristics associated with computer viruses, wherein the messages were determined by a virus-check component as not comprising a virus, and mapping the message information received in a specified time period to the virus outbreak information; and when the virus outbreak information indicates initiation of a virus attack, performing a message flow control action for additional messages that have the same characteristics associated with computer viruses as the first messages. As a result, a messaging gateway can suspend delivery of messages early in a virus outbreak, providing sufficient time for updating an anti-virus checker that can strip virus code from the messages.
    Type: Grant
    Filed: December 6, 2004
    Date of Patent: June 29, 2010
    Assignee: IronPort Systems, Inc.
    Inventors: Michael Olivier, Craig Sprosts, Scot Kennedy, Daniel Quinlan, Larry Rosenstein, Craig Taylor
  • Patent number: 7712136
    Abstract: Controlling a message quarantine is disclosed. A message scanning method is described in which early exit from parsing and scanning can occur by matching threat rules only to selected message elements and stopping rule matching as soon as a match on one message element exceeds a threat threshold.
    Type: Grant
    Filed: December 7, 2006
    Date of Patent: May 4, 2010
    Assignee: IronPort Systems, Inc.
    Inventors: Craig Sprosts, Scot Kennedy, Daniel Quinlan, Larry Rosenstein, Charles Slater
  • Patent number: 7653695
    Abstract: A method and apparatus for managing information relating to electronic messages is provided. A first set of data related to one or more message senders is obtained from a first source, such as an email server or email gateway. Each message sender has sent one or more electronic messages. A second set of data related to the one or more message senders is obtained from a second source. Message volume information that describes the messages sent by the one or more message senders for a period of time is determined based on the first set of data and the second set of data. The message volume information may be used to determine whether a particular message sent by a particular message sender is unsolicited. If a particular message is determined to be unsolicited, various actions may be performed on messages sent by the sender of the particular message.
    Type: Grant
    Filed: February 17, 2005
    Date of Patent: January 26, 2010
    Assignee: Ironport Systems, Inc.
    Inventors: Andrew Flury, Scott Banister, Craig Sprosts, Patrick R. Peterson, Michael V. Olivier
  • Patent number: 7634543
    Abstract: A method and apparatus for controlling access to network resources referenced in electronic mail messages comprises the computer-implemented steps of receiving an electronic mail message that comprises one or more hyperlinks; modifying the one or more hyperlinks by associating an identifier value with each of the one or more hyperlinks; receiving a request to access a specified hyperlink among the one or more hyperlinks; determining, based on the identifier value that is associated with the specified hyperlink, a particular action among a plurality of allowed actions; and issuing a network request to access the specified hyperlink only when the particular action is allowing user access to the specified hyperlink.
    Type: Grant
    Filed: February 16, 2006
    Date of Patent: December 15, 2009
    Assignee: IronPort Systems, Inc.
    Inventors: Robert Van Zant, Eric Bloch
  • Patent number: 7548544
    Abstract: In one embodiment, a method comprises computer-implemented steps of receiving a plurality of electronic mail messages containing sender address information that is non-trusted. For each electronic mail message, information about the message is stored, and one or more receiving node identifiers in association with respective connected node identifiers is created, wherein the receiving node identifier identifies a receiving mail server that received the particular message and the connected node identifier identifies a connected mail server that directly connected to the receiving node identifier to send the particular message directly to the receiving mail server. For each electronic mail message, a receiving node identifier that has a largest number of connected node identifiers associated therewith is selected, and a connected node identifier that is associated with the one particular receiving node identifier that sent the particular message to the associated receiving node is selected and stored.
    Type: Grant
    Filed: May 5, 2006
    Date of Patent: June 16, 2009
    Assignee: IronPort Systems, Inc.
    Inventors: Daniel Quinlan, Jeffrey Wescott