A Method for Using One or More Spy E-mail Accounts for Detecting Malicious E-mail Activity

IP.com Disclosure Number: IPCOM000237384D
Publication Date: 2014-Jun-16
Document File: 3 page(s) / 165K

Publishing Venue

The IP.com Prior Art Database

Related People

Yun Chi: INVENTOR [+2]

Abstract

A method is disclosed for using one or more spy e-mail accounts for detecting malicious activity. To encourage malicious parties to compromise the spy e-mail accounts, the spy e-mail accounts can be made indistinguishable from normal accounts. For instance, this can be done by adding the spy e-mail accounts to the contact lists of normal accounts or by having the spy e-mail accounts emulate the same activities as normal e-mail accounts. In one embodiment, spamming behavior can be detected by identifying unsolicited e-mail received in the spy account from another account outside a cluster incorporating the spy account.

This text was extracted from a Microsoft Word document.
At least one non-text object (such as an image or picture) has been suppressed.
This is the abbreviated version, containing approximately 53% of the total text.

Description

Disclosed is a method for using one or more spy e-mail accounts for detecting malicious e-mail activity.  Malicious e-mail activity can be one or more of spamming and hijacking activity.  The one or more spy e-mail accounts can be made indistinguishable from normal e-mail accounts in order to encourage malicious parties to perform malicious e-mail activity on the spy e-mail accounts.

In one embodiment, the one or more spy e-mail accounts are partitioned into several clusters.  The spy e-mail accounts from one cluster send e-mails to other spy accounts within the same cluster as shown in Figure 1. 

Figure 1

Such e-mail exchanges among spy accounts can make it more difficult for malicious parties to distinguish the spy accounts from normal e-mail accounts.  This may be particularly advantageous if a malicious party looks into the sent folder of an e-mail account to distinguish between a normal e-mail account and a spy e-mail account.  In an example, spamming e-mails can be identified upon receipt of an unsolicited e-mail in a spy e-mail account from another e-mail account outside the cluster of the spy e-mail account.  Consider an exemplary scenario wherein a spy e-mail account has been hijacked.  In this scenario, the hijacker can send out spamming e-mails to all contacts of the hijacked spy e-mail account.  By setting all contacts of the spy e-mail accounts to other spy e-mail accounts, such hijacking activity can be detected.
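The cluster rule described above can be sketched as detection logic; this is an added example, not part of the original disclosure. The account names, Message-IDs, the record of Message-IDs generated by the emulation, and the use of a provider-authenticated sender address are all assumptions made for illustration.

```python
from dataclasses import dataclass

# Constructed sample data: two clusters of spy (decoy) accounts.
CLUSTERS = {
    "c1": {"spy1@example.test", "spy2@example.test", "spy3@example.test"},
    "c2": {"spy4@example.test", "spy5@example.test"},
}
# Assumption: the decoy system records the Message-ID of every e-mail it
# generates itself, so emulated intra-cluster traffic can be told apart.
EMULATED_IDS = {"<m1@example.test>", "<m2@example.test>"}
ACCOUNT_CLUSTER = {a: cid for cid, members in CLUSTERS.items() for a in members}

@dataclass(frozen=True)
class Mail:
    msg_id: str
    sender: str      # assumption: authenticated sender recorded by the provider
    recipient: str

def classify(mail):
    """Return 'ignore', 'emulated', 'spam' or 'hijack' for one delivered mail."""
    rcpt_cluster = ACCOUNT_CLUSTER.get(mail.recipient.lower())
    if rcpt_cluster is None:
        return "ignore"    # recipient is not a spy account
    if ACCOUNT_CLUSTER.get(mail.sender.lower()) != rcpt_cluster:
        return "spam"      # unsolicited mail from outside the recipient's cluster
    if mail.msg_id in EMULATED_IDS:
        return "emulated"  # expected exchange between spy accounts
    return "hijack"        # same-cluster spy sent mail the decoys never generated

def flag_accounts(mails):
    """Map each suspicious sender to the first verdict that flagged it."""
    flagged = {}
    for m in mails:
        verdict = classify(m)
        if verdict in ("spam", "hijack"):
            flagged.setdefault(m.sender.lower(), verdict)
    return flagged

# Constructed sample deliveries.
SAMPLE = [
    Mail("<m1@example.test>", "spy1@example.test", "spy2@example.test"),
    Mail("<x9@bulk.test>", "promo@bulk.test", "spy2@example.test"),
    Mail("<x7@example.test>", "spy3@example.test", "spy1@example.test"),
    Mail("<x7@example.test>", "spy3@example.test", "spy2@example.test"),
    Mail("<n1@corp.test>", "alice@corp.test", "bob@corp.test"),
]

if __name__ == "__main__":
    print(flag_accounts(SAMPLE))
```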

In another embodiment, with the permission of a normal e-mail user, spy e-mail accounts can be added into the contact list of an e-mail account associated with the normal e-mail user, as shown in Figure 2.  

Figure 2

Consider a scenario wherein a hijacker gains access to the account of the normal e-mail user.  In this scenario, the hijacker can send e-mails to all contacts liste...