Abstract: Various features are provided for analyzing and processing email messages including determining if an email message is unwanted, and blocking unwanted messages. Email traffic is monitored by analyzing email messages addressed to known invalid email addresses. Email messages addressed to invalid email addresses are sent to a central control site for analysis. One embodiment tries to ensure that the distance between the invalid addresses and closest valid addresses is significant enough so that the invalid addresses are not inadvertently used for non-spam purposes. Another embodiment of the invention provides for distributed “thin client” processes to run on computer systems or other processing platforms. The thin clients emulate an open relay computer. Attempts at exploiting the apparent open relay computer are reported to a control center and the relay of email messages can be inhibited. Another embodiment provides for analysis and tuning of rules to detect spam and legitimate email.
Abstract: Translation of text or messages provides a message that is more reliably or efficiently analyzed for purposes such as detecting spam in email messages. One translation process takes into account statistics of erroneous and intentional misspellings. Another process identifies and removes characters or character codes that do not generate visible symbols in a message displayed to a user. Another process detects symbols such as periods, commas, dashes, etc., interspersed in text such that the symbols do not unduly interfere with, or prevent, a user from perceiving a spam message. Another process can detect use of foreign language symbols and terms. Still other processes and techniques are presented to counter obfuscating spammer tactics and to provide for efficient and accurate analysis of message content. Groups of similar content items (e.g., words, phrases, images, ASCII text, etc.
Abstract: A system for suppressing delivery of undesirable messages through vulnerable systems. The system includes an emulator that emulates one or more of the vulnerable systems. A module associated with the emulator intercepts undesirable messages, which were originally intended to be sent through a vulnerable system. One embodiment includes plural emulators, which include one or more servers that are part of a network of servers. A controller communicates with one or more servers. In this embodiment, the controller includes a database capable of storing statistics pertaining to undesirable messages blocked by one or more of the servers. The statistics may include information pertaining to the sender(s) of the undesirable messages. Undesirable messages intercepted by the network of servers include email spam.
Abstract: Similarity of email message characteristics is used to detect bulk and spam email. A determination of “sameness” for purposes of both bulk and spam classifications can use any number and type of evaluation modules. Each module can include one or more rules, tests, processes, algorithms, or other functionality. For example, one type of module may be a word count of email message text. Another module can use a weighting factor based on groups of multiple words and their perceived meanings. In general, any type of module that performs a similarity analysis can be used. A preferred embodiment of the invention uses statistical analysis, such as Bayesian analysis, to measure the performance of different modules against a known standard, such as human manual matching. Modules that are performing worse than other modules can be valued less than modules having better performance. In this manner, a high degree of reliability can be achieved.