Abstract: Trusted user accounts of an application provider are determined. Graphs, such as trees, are created with each node corresponding to a trusted account. Each of the nodes is associated with a vouching quota, or the nodes may share a vouching quota. Untrusted user accounts are determined. For each of these untrusted accounts, a trusted user account that has a social networking relationship is determined. If the node corresponding to the trusted user account has enough vouching quota to vouch for the untrusted user account, then the quota is debited, a node is added for the untrusted user account to the graph, and the untrusted user account is vouched for. If not, available vouching quota may be borrowed from other nodes in the graph.

Abstract: A method of displaying email messages to a user is provided. Spam classification information and meta data is associated with email messages received for a user. Email message summary information is displayed in a user interface based on whether the meta data associated with the message meets or exceeds a threshold display level for the summary information. The user provides input via the user interface which is an indication to change the threshold display level and the change is dynamically displayed.

Abstract: Detection of user accounts associated with spammer attacks may be performed by constructing a social graph of email users. Biggest connected components (BCC) of the social graph may be used to identify legitimate user accounts, as the majority of the users in the biggest connected components are legitimate users. BCC users may be used to identify more legitimate users. Using degree-based detection techniques and PageRank based detection techniques, the hijacked user accounts and spammer user accounts may be identified. The users' email sending and receiving behaviors may also be examined, and the subgraph structure may be used to detect stealthy attackers. From the social graph analysis, legitimate user accounts, malicious user accounts, and compromised user accounts can be identified.

Abstract: Message management and classification techniques are described. In one or more implementations, a message received from a sender for delivery via a user account is examined to extract one or more features of the message. A determination is then made as to whether the message corresponds to one or more categories based on the extracted features, the categories usable to enable features to be applied to the message in a user interface.

Abstract: Network entities controlling a set of nodes may vary by trustworthiness, such as tolerance for nodes that send spam, distribute malware, or perform denial-of-service attacks. A device receiving such activities may identify a trust rating of the network entity and apply appropriately stringent filtering (such as spam evaluation) to activities received from nodes controlled by the network entity. However, a poor trust rating of a network entity may subject a legitimate node controlled by the network entity to inefficiently or unfairly stringent activity filtering. Instead, the device may evaluate the activities of a particular node, assign a trust rating to the node, and if the trust rating of the node is higher than the trust rating of the network entity, apply less stringent activity filtering to the activities of the node, thereby “rescuing” the node from the more stringent activity filtering applied to the other nodes of the network entity.

Abstract: Systems, methods, and computer-storage media for decreasing web service login latency are provided. Upon a user's initial login to the web service from a web browser, the location of user information is identified. A cookie containing information identifying the location of the user information is generated and stored in association with the web browser. Upon a subsequent login to the web service by the same user, the location information included in the cookie is utilized to direct the user request directly to the correct location, without having to repeat the act of identifying the location, thus providing the user with the desired information more quickly.

Abstract: A system and method for providing information concerning the use of processing devices coupled to a network. Each device has an IP address the system and method: determines whether a user is authorized to receive information about the use of the processing device by reference to the IP address; verifies the authority of the user to receive information about the processing device; and provides aggregated usage information about activities based on the address of the processing device. The information provided can be email protocol command metadata.

Abstract: A computer implemented method for assisting email users. The method determines the relevance of email addresses to users and utilizes the relevance information to assist users in addressing emails. The method may include gathering email addresses from one or more sources including inbound user emails associated with an email user, and determining a relevance of the email address to the user based on a heuristic. Once relevance is determined, the method includes applying relevant email addresses to a user's store of relevant addresses.

Abstract: Geo-data spam filters are described. In one or more implementations, origin data and language data of a message are evaluated to establish a score for the message indicating a likelihood that the message is spam. The evaluation includes comparing the origin data and the language data to ranked lists indicating message origins and languages with which a respective message recipient interacts positively and ranked lists indicating message origins and languages with which the respective recipient interacts negatively. Interactions of the respective recipient with previously sent messages may be tracked to form these lists. Based on the score established by evaluating the origin data and the language data of the message, the message is filtered for delivery.

Abstract: Detection of user accounts associated with spammer attacks may be performed by constructing a social graph of email users. Biggest connected components (BCC) of the social graph may be used to identify legitimate user accounts, as the majority of the users in the biggest connected components are legitimate users. BCC users may be used to identify more legitimate users. Using degree-based detection techniques and PageRank based detection techniques, the hijacked user accounts and spammer user accounts may be identified. The users' email sending and receiving behaviors may also be examined, and the subgraph structure may be used to detect stealthy attackers. From the social graph analysis, legitimate user accounts, malicious user accounts, and compromised user accounts can be identified.

Abstract: Methods for assisting email users manage email messages received in an email account. An event is triggered by an action performed by an email user with respect to an email message in an email account. The event identifies an entity associated with the email message (e.g., sender address, domain, keyword, etc.). A determination is made whether to assist the user manage their email based on a heuristic. The heuristic assigns weights based on prior events associated with the same entity to determine whether the user is interested in receiving emails from the sender. Based on the heuristics, the method may add the sender to the user's block-list or unsubscribe the user from a mailing list.

Abstract: In embodiments of trusted email sender indicators, email messages are received for distribution, and validation techniques can be applied to determine whether a sender of an email message is trusted. If the sender of the email message is determined to be trusted, a trusted sender indicator can be associated with the email message for display with the email message. The trusted sender indicator indicates that the email message is from a trusted sender, such as when the trusted sender indicator is displayed along with the email message at a recipient client device.

Abstract: In embodiments of an email trust service, an email message is received at an email distribution service for distribution to a client device that corresponds to a recipient of the email message. Authentication techniques can be applied to verify that the email message is received from an authorized domain as specified in a sender address field of the email message. Additionally, it can be determined whether an Extended Validation certificate is associated with the authorized domain. Responsive to determining that an Extended Validation certificate is associated with the authorized domain, a trust indicator is associated with the email message to generate a trusted email message. The trust indicator indicates that the trusted email message is from an authorized domain when the email message is displayed at the client device.

Abstract: In a distributed email system, user preferences respected more effectively by presenting messages marked for deletion to secondary messaging servers having access to user preferences. Messages marked for deletion by inbound servers are presented to secondary level servers having access to user white lists and the choice of whether to delete the suspect message is made by the secondary server.

Abstract: A computer implemented method for assisting email users recognizes deviations in characteristics of emails sent from a particular source identifier or “source ID” to a user. After one or more emails having a pattern of characteristics are received, an action on subsequent emails is performed, such as warning users when the subsequent emails received from the source ID match or don't match the pattern. Characteristics from a particular source ID are determined based on whether the addressee reads the email from the source ID. Various levels of warning based on the characteristics identified and the deviation of any email from the characteristics of previous emails.

Abstract: User account behavior techniques are described. In implementations, a determination is made as to whether interaction with a service provider via a user account deviates from a model. The model is based on behavior that was previously observed as corresponding to the user account. Responsive to a determination that the interaction deviates from the model, the user account is flagged as being potentially compromised by a malicious party.

Abstract: Campaign detection techniques are described. In implementations, a signature is computed for each of a plurality of emails to be communicated by a service provider to respective intended recipients. A determination is made that two or more of the plurality of emails is similar based on the respective signatures. Responsive to a finding that a number of similar emails exceeds a threshold, an indication is output that the similar emails have a likelihood of being involved in a spam campaign.

Abstract: Computer implemented methods are disclosed for detecting bot-user groups that send spam email over a web-based email service. Embodiments of the present system employ a two-prong approach to detecting bot-user groups. The first prong employs a historical-based approach for detecting anomalous changes in user account information, such as aggressive bot-user signups. The second prong of the present system entails constructing a large user-user relationship graph, which identifies bot-user sub-graphs through finding tightly connected subgraph components.

Abstract: Email tags are described. In embodiments, email messages are received for distribution to client devices that correspond to respective recipients of the email messages. Email routing decisions are applied to route an email message to an email folder for a recipient of the email message, where the email folder may include an email inbox, a junk folder, or a user-created folder. The email message is then tagged with an email tag to generate a tagged email message. The email tag includes a routing description that indicates why the email message was routed to the particular email folder.

Abstract: A computer implemented system and method to enable protection of email users from unsolicited bulk email using a message delivery delay based on characteristics detected in selected messages. Messages are evaluated for characteristics resembling unsolicited bulk email. A determination is made whether a message passing through the email system exhibits such characteristics and whether to delay the message. Suspect messages may be delayed for a period of time, the delay period being dependent on the characteristics giving rise to a determination to delay. Following the period, additional information received during the delay period characterizing the message is used to determine whether to dispose or deliver the message. Messages evaluated can be inbound to the email system, outbound to other email systems, or moving within the email system.