Abstract: A computer implemented method for filtering unwanted bulk email in an email system and providing a positive user experience is provided. The method enables protection of email users from unsolicited bulk email using user-provided data on user interactions at both a user storage level and a global level with an email system. Metadata on user interactions with messages is collected. Messages are received by the system and evaluated using a global filter which assigns a score resulting in a message action. The action may be message delivery, message non-delivery or message routing, based on a score assigned by the global filter. When the message is delivered to user storage, the message may be examined relative to the metadata, and may alter the message action to an action different than the message action resulting from the score. Metadata for a plurality of users is returned to the global filter for use in making filtering future messages and modifies the global filter.

Abstract: The filtering of activities generated by nodes of a network while interacting with a device may be performed by evaluating the desirability of the activities (e.g., a spam or not-spam determination of email messages sent by the node) and assigning a trust rating to the node. However, nodes are often identified by network address, and an operator of a node sending undesirable activities may reassign the network address of the node in order to avoid heavy filtering. Instead, nodes may be identified as being controlled by a network entity (e.g., an autonomous system identified in a border gateway protocol routing table.) The network entity is assigned a network entity trust rating based on the trust ratings of the nodes controlled thereby, and an appropriate level of activity filtering based on the network entity trust rating may be selected for subsequent activities received from all nodes controlled by the network entity.

Abstract: Network entities controlling a set of nodes may vary by trustworthiness, such as tolerance for nodes that send spam, distribute malware, or perform denial-of-service attacks. A device receiving such activities may identify a trust rating of the network entity and apply appropriately stringent filtering (such as spam evaluation) to activities received from nodes controlled by the network entity. However, a poor trust rating of a network entity may subject a legitimate node controlled by the network entity to inefficiently or unfairly stringent activity filtering. Instead, the device may evaluate the activities of a particular node, assign a trust rating to the node, and if the trust rating of the node is higher than the trust rating of the network entity, apply less stringent activity filtering to the activities of the node, thereby “rescuing” the node from the more stringent activity filtering applied to the other nodes of the network entity.

Abstract: Identification of email forwarders is described. In an implementation, a method includes using heuristics to identify email forwarders for use in a reputation system for locating spammers. In another implementation, a method includes determining a likelihood that a particular Internet Protocol (IP) address corresponds to an email forwarder and processing email originating from the particular IP address based on the determined likelihood. In a further implementation, a method includes collecting heuristic data that describes characteristics of emails sent from one or more Internet Protocol (IP) addresses and constructing a model from the heuristic data for identifying whether at least one of the IP address is an email forwarder. In yet a further implementation, a method includes identifying that a particular Internet Protocol (IP) address likely corresponds to an email forwarder and processing email from the particular IP address based on an implied sender of the email.

Abstract: Functionality is described for addressing a threat to the security of a user device that utilizes a network-accessible service. The functionality operates by assessing the likelihood that the user device is infected by the undesirable item. When the user device makes a request to access the network-accessible service, the functionality can interact with the user device in a manner that is governed by the assessed likelihood that the user device is infected by the undesirable item.

Abstract: A system and method of managing unsolicited email sent to an email system over a network. Email messages are received at an message at an inbound mail transfer agent. A determination is made as to whether the email message is suspected to be an unsolicited suspect message. One or more queries for additional information on one or more characteristics of the message is initiated. Determinations are made based on replies to the queries before issuing a message accepted for delivery indication to a sending server.

Abstract: Systems, methods, and computer-storage media for decreasing web service login latency are provided. Upon a user's initial login to the web service from a web browser, the location of user information is identified. A cookie containing information identifying the location of the user information is generated and stored in association with the web browser. Upon a subsequent login to the web service by the same user, the location information included in the cookie is utilized to direct the user request directly to the correct location, without having to repeat the act of identifying the location, thus providing the user with the desired information more quickly.

Abstract: A delivery confirmation is provided to the sender of an e-mail message. When the e-mail message is composed, a link, such as a hyperlink, is inserted into the e-mail message, such as in the body or header. The link can include information such as a message identifier and identifiers of the sender and the recipient, which are provided as a query string of the link, while a host field of the link includes the address of an e-mail/web server. When the recipient receives the e-mail message and opens it, the link is displayed along with text that instructs the user to use the link to confirm delivery. The confirmation can include displaying indicia for the e-mail message in a folder view on an interface of the sender, or sending a confirmation e-mail message to the sender, for instance. Voting by e-mail can also be provided.

Abstract: A method of displaying email messages to a user is provided. Spam classification information and meta data is associated with email messages received for a user. Email message summary information is displayed in a user interface based on whether the meta data associated with the message meets or exceeds a threshold display level for the summary information. The user provides input via the user interface which is an indication to change the threshold display level and the change is dynamically displayed.

Abstract: Methods for assisting email users manage email messages received in an email account. An event is triggered by an action performed by an email user with respect to an email message in an email account. The event identifies an entity associated with the email message (e.g., sender address, domain, keyword, etc.). A determination is made whether to assist the user manage their email based on a heuristic. The heuristic assigns weights based on prior events associated with the same entity to determine whether the user is interested in receiving emails from the sender. Based on the heuristics, the method may add the sender to the user's block-list or unsubscribe the user from a mailing list.

Abstract: In a distributed email system, user preferences respected more effectively by presenting messages marked for deletion to secondary messaging servers having access to user preferences. Messages marked for deletion by inbound servers are presented to secondary level servers having access to user white lists and the choice of whether to delete the suspect message is made by the secondary server.

Abstract: A method for throttling inbound email messages in an enterprise email system including a plurality of inbound mail servers and at least one management server is provided. Policies defining message event limits for each unique sender are applied to messaging events from the unique sender at each inbound server. Feedback from each of the inbound mail servers to the management server is provided. When events from a unique sender exceed a threshold, as determined by the management server using the feedback, an alert is generated and a new, more restrictive policy for the unique sender is created. The more restrictive policy is broadcast the more restrictive policy to each of the inbound mail servers.

Abstract: The subject invention provides for a system and method that facilitates detecting and preventing spam in a variety of networked communication environments. In particular, the invention provides several techniques for monitoring outgoing communications to identify potential spammers. Identification of potential spammers can be accomplished at least in part by a detection component that monitors per sender at least one of volume of outgoing messages, volume of recipients, and/or rate of outgoing messages. In addition, outgoing messages can be scored based at least in part on their content. The scores can be added per message per sender and if the total score(s) per message or per sender exceeds some threshold, then further action can be taken to verify whether the potential spammer is a spammer. Such actions include human-inspecting a sample of the messages, sending challenges to the account, sending a legal notice to warn potential spammers and/or shutting down the account.

Abstract: Computer implemented methods are disclosed for detecting bot-user groups that send spam email over a web-based email service. Embodiments of the present system employ a two-prong approach to detecting bot-user groups. The first prong employs a historical-based approach for detecting anomalous changes in user account information, such as aggressive bot-user signups. The second prong of the present system entails constructing a large user-user relationship graph, which identifies bot-user sub-graphs through finding tightly connected subgraph components.

Abstract: A system and method for sending email. The method includes the steps of receiving: an email address including a destination domain from a user; prior to sending a message to the destination domain, determining whether the destination domain will receive email; and providing an indication to the user that the email may not be deliverable to the address. In one embodiment, the step of determining includes maintaining a list of problematic destination domains and checking the destination domain against said list.

Abstract: A system and method for providing email using a flexible routing technique based on MX records. The method includes the steps of creating an MX record for a user, the MX record identifying a storage location for the user within the system; and routing mail within the enterprise email system using the information contained in the MX record. A system may include an inbound mail transfer agent coupled to an external network and an internal network; user email data storage having an address within the internal network; a user location database server containing a unique user token identifying a storage location for user email data in the user email data storage; and an internal DNS server including MX records for storage domains on the internal network.

Abstract: A system and method for verifying messages. The method may include the steps of receiving an inbound message and characterizing the inbound message by analyzing a latent cryptographic identifier in the inbound message. The identifier is generated by a recognized message system, which may be the receiving system itself, for an outbound message. Characterizing may involve detecting if the latent cryptographic identifier is present and determining if the cryptographic identifier is valid. The step of determining can be performed using symmetric or asymmetric methods of verifying the authenticity of the message.

Abstract: A method for balancing load in a network system, having a plurality of clients initiating transactions with a plurality of servers. For each transaction a host name associated with one or more servers capable of completing the transaction is specified. The client initiates a request to resolve the host name and a plurality of IP addresses are returned. The client randomly communicates with one of the IPs identified as capable of completing the transaction and reports on the success of the transaction. If multiple attempts to the same IP fail, the IP is removed from service by the client.

Abstract: Functionality is described for addressing a threat to the security of a user device that utilizes a network-accessible service. The functionality operates by assessing the likelihood that the user device is infected by the undesirable item. When the user device makes a request to access the network-accessible service, the functionality can interact with the user device in a manner that is governed by the assessed likelihood that the user device is infected by the undesirable item.

Abstract: A computer implemented computer method for assisting email users. When a user selects an action with respect to email source such as an email address, the user's intended action is inferred. The source validity is checked. Where a user provides input identifying an email as spam, the inferred action may be to add the email address associated with the message to a user block list. The address may be added only where the address or domain are identified as valid sources of email.