Abstract: A method creating a heuristic rule to identify Business Email Compromise (BEC) attacks includes filtering text of received email messages, using a first classifier, to extract one or more terms indicative of a BEC attack from the text of the received email messages, wherein the first classifier includes a trained recurrent neural network that includes a language model, generating, using the first classifier, one or more n-grams based on the extracted terms, wherein each of the n-grams characterizes a particular extracted term, generating, using a second classifier, a vector representation of the extracted terms based on the generated n-grams, assigning a weight coefficient to each of the extracted terms, wherein a higher weight coefficient indicates higher relevancy to BEC attack of the corresponding extracted term, and generating a heuristic rule associated with the BEC attack by combining the weight coefficients of a combination of the extracted terms.

Abstract: Disclosed herein are systems and method for spam identification. A spam filter module may receive an email at a client device and may determine a signature of the email. The spam filter module may compare the determined signature with a plurality of spam signatures stored in a database. In response to determining that no match exists between the determined signature and the plurality of spam signatures, the spam filter module may placing the email in quarantine. A spam classifier module may extract header information of the email and determine a degree of similarity between known spam emails and the email. In response to determining that the degree of similarity exceeds a threshold, the spam filter module may transfer the email from the quarantine to a spam repository.

Abstract: A method for creating a heuristic rule to identify Business Email Compromise (BEC) attacks includes filtering text of received email messages, using a first classifier, to extract one or more terms indicative of a BEC attack from the text of the received email messages. One or more n-grams are generated, using the first classifier, based on the extracted terms. A vector representation of the extracted terms is generated, using a second classifier, based on the generated one or more n-grams. The second classifier includes a logit model. A weight coefficient is assigned to each of the one or more extracted terms based on an output of the trained logit model. A higher weight coefficient indicates higher relevancy to BEC attack of the corresponding term. A heuristic rule associated with the BEC attack is generated by combining the weight coefficients of a combination of the one or more extracted terms.

Abstract: Disclosed herein are systems and method for spam identification. A spam filter module may receive an email at a client device and may determine a signature of the email. The spam filter module may compare the determined signature with a plurality of spam signatures stored in a database. In response to determining that no match exists between the determined signature and the plurality of spam signatures, the spam filter module may placing the email in quarantine. A spam classifier module may extract header information of the email and determine a degree of similarity between known spam emails and the email. In response to determining that the degree of similarity exceeds a threshold, the spam filter module may transfer the email from the quarantine to a spam repository.

Abstract: A method for restricting reception of e-mail messages from a sender of bulk spam mail includes identifying an unknown sender of received e-mail messages. A set of e-mail messages received from the identified sender is selected. A type of bulk spam mailing is determined based on the selected set of e-mail messages using one or more spam identification signatures. Restrictions on reception of e-mail messages from a sender distributing bulk spam of the determined type are generated.

Abstract: Disclosed herein are systems and methods for identifying a phishing email message. In one aspect, an exemplary method comprises, identifying an email message as a suspicious email message by applying a first machine learning model, identifying the suspicious email message as a phishing message by applying a second machine learning model, and taking an action to provide information security against the identified phishing message. In one aspect, the first machine learning model is pre-trained on first attributes comprising values of Message_ID header, X-mail headers, or sequences of values of headers. In one aspect, the second machine learning model is pre-trained on second attributes comprising attributes related to at least one of: reputation of links, categories of email messages, flag indicating domains of blocked or known senders, a degree of similarity of the domain with those of known senders, flags indicating HTML code or script in the body of the email.

Abstract: Disclosed herein are systems and methods for generating heuristic rules for identifying spam emails based on fields in headers of emails. In one aspect, an exemplary method comprises, collecting statistical data on contents of a plurality of emails; analyzing the statistical data to identify different types of content, including headers or hyperlinks in said emails; grouping the emails into clusters based on types of content identified in said emails, wherein at least one cluster group being based on fields in headers of said emails; generating a hash from the most frequent combination of group of data in each cluster; formulating regular expressions based on analysis of hyperlinks of emails corresponding to the generated hashes; and generating heuristic rule for identifying spam emails by combining the hashes and the corresponding regular expressions, wherein the hash is generated based on fields in the headers of said emails.

Abstract: A method for generating a signature of a spam message includes determining one or more classification attributes and one or more clustering attributes contained in successively intercepted first and second electronic messages. The first electronic message is classified using a trained classification model for classifying electronic messages based on the one or more classification attributes. The first electronic message is classified as spam if a degree of similarity of the first electronic message to one or more spam messages is greater than a predetermined value. A determination is made whether the first electronic message and the second electronic message belong to a single cluster based on the determined one or more clustering attributes. A signature of a spam message is generated based on the the identified single cluster of electronic messages.

Abstract: Disclosed herein are systems and methods for clustering email messages identified as spam using a trained classifier. In one aspect, an exemplary method comprises, selecting at least two characteristics from each received email message, for each received email message, using a classifier containing a neural network, determining whether or not the email message is a spam based on the at least two characteristics of the email message, for each email message determined as being a spam email, calculating a feature vector, the feature vector being calculated at a final hidden layer of the neural network, and generating one or more clusters of the email messages identified as spam based on similarities of the feature vectors calculated at the final hidden layer of the neural network.

Abstract: A method for creating a heuristic rule to identify Business Email Compromise (BEC) attacks includes filtering text of received email messages, using a first classifier, to extract one or more terms indicative of a BEC attack from the text of the received email messages. One or more n-grams are generated, using the first classifier, based on the extracted terms. A vector representation of the extracted terms is generated, using a second classifier, based on the generated one or more n-grams. The second classifier includes a logit model. A weight coefficient is assigned to each of the one or more extracted terms based on an output of the trained logit model. A higher weight coefficient indicates higher relevancy to BEC attack of the corresponding term. A heuristic rule associated with the BEC attack is generated by combining the weight coefficients of a combination of the one or more extracted terms.

Abstract: Disclosed herein are systems and methods for generating heuristic rules for identifying spam emails based on fields in headers of emails. In one aspect, an exemplary method comprises, collecting statistical data on contents of a plurality of emails; analyzing the statistical data to identify different types of content, including headers or hyperlinks in said emails; grouping the emails into clusters based on types of content identified in said emails, wherein at least one cluster group being based on fields in headers of said emails; generating a hash from the most frequent combination of group of data in each cluster; formulating regular expressions based on analysis of hyperlinks of emails corresponding to the generated hashes; and generating heuristic rule for identifying spam emails by combining the hashes and the corresponding regular expressions, wherein the hash is generated based on fields in the headers of said emails.

Abstract: Disclosed herein are systems and methods for generating heuristic rules for identifying spam emails. In one aspect, an exemplary method comprises, collecting and analyzing statistical data on contents of a emails to identify different types of content, including headers or hyperlinks, grouping the emails into clusters based on identified types of content, at least one cluster including groups of fields in the headers of said emails, selecting at least one most frequent combination of groups of data in each cluster, generating a hash from the at least one most frequent combination of groups, formulating at least one regular expression based on an analysis of hyperlinks corresponding to the generated hashes, and generating at least one heuristic rule for identifying emails containing spam by combining at least one hash and the corresponding regular expression, wherein at least one hash is from sequences of fields in the headers of said emails.

Abstract: Disclosed herein are systems and method for spam identification. A spam filter module may receive an email at a client device and may determine a signature of the email. The spam filter module may compare the determined signature with a plurality of spam signatures stored in a database. In response to determining that no match exists between the determined signature and the plurality of spam signatures, the spam filter module may placing the email in quarantine. A spam classifier module may extract header information of the email and determine a degree of similarity between known spam emails and the email. In response to determining that the degree of similarity exceeds a threshold, the spam filter module may transfer the email from the quarantine to a spam repository.

Abstract: Disclosed herein are systems and methods for generating heuristic rules for identifying spam emails. In one aspect, an exemplary method comprises, collecting and analyzing statistical data on contents of a emails to identify different types of content, including headers or hyperlinks, grouping the emails into clusters based on identified types of content, at least one cluster including groups of fields in the headers of said emails, selecting at least one most frequent combination of groups of data in each cluster, generating a hash from the at least one most frequent combination of groups, formulating at least one regular expression based on an analysis of hyperlinks corresponding to the generated hashes, and generating at least one heuristic rule for identifying emails containing spam by combining at least one hash and the corresponding regular expression, wherein at least one hash is from sequences of fields in the headers of said emails.