1. Field of Invention
The present invention relates generally to systems for preventing spam e-mails. More particularly, the present invention relates to preventing spam e-mails from being sent by or via an unsuspecting client machine.
2. Description of the Related Art
Spam is a well-known and serious problem in networks. The volume of spam that is sent through networks is ever increasing, and bandwidth that may otherwise be used for legitimate purposes is used to propagate spam. Users of e-mail are often inundated with spam, and must often spend a significant amount of time sorting through received e-mail messages to identify legitimate e-mail messages.
There are many types of spam. Some spam is sent directly from a server associated with an entity that purposefully propagates spam. Other spam is sent via unsuspecting systems or machines which have effectively been taken over by an entity that intends to propagate spam using the unsuspecting systems. In other words, a system may effectively be broken into and compromised, causing that system to be turned into a zombie system that sends out spam e-mail messages without the knowledge of an owner or user of the system.
FIG. 1 is a diagrammatic representation of a network in which a local machine is used by a server to propagate spam e-mail. In an overall network 100, a spam originating source 104, which may be a server, may send spam e-mail via a local machine 108 to network elements 116, or client machines, that are a part of a network 112. It should be appreciated that network 112 may be a part of overall network 100.
In some instances, a machine 108, e.g., a local machine, may act as a zombie, or a machine that unknowingly creates and sends spam to network elements 116. Spam originating source 104 may relegate machine 108 to zombie status by employing, for example, Trojan horse applications, viruses, or worms. Once machine 108 has been hijacked by spam originating source 104, generally unbeknownst to an owner, machine 108 may be controlled by spam originating source 104 to send spam e-mail messages or may automatically send spam e-mail messages.
Generally, spam control mechanisms are used by internet service provider (ISP) servers and receivers of e-mail messages in an attempt to control spam. ISP servers may utilize filters to identify spam e-mail messages, and to prevent the spam e-mail messages from being further transmitted. With reference to FIG. 2, the use of a filter or a log analyzer in an ISP server to prevent spam from being transmitted through a network will be described. A spam source 204 creates spam intended for elements or systems 216 in a network 212. The spam intended for elements 216 is transmitted from spam source 204 to ISP server 208. ISP server 208 includes a filter or traffic log analyzer 220 that identifies spam and prevents spam from being propagated to elements 216. Using filter or traffic log analyzer 220, ISP server 208 may analyze inbound traffic to identify spam.
While filter or traffic log analyzer 220 is effective in identifying spam and preventing further propagation of spam, the spam that is sent by spam source 204 utilizes valuable bandwidth on network connections or communications links between spam source 204 and ISP server 208. In other words, although filter or traffic log analyzer 220 may reduce the amount of spam received by elements 216 and transmitted on network connections between ISP server 208 and elements 216, the amount of spam on network connections between spam source 204 and ISP server 208 is not reduced.
Client systems, e.g., receivers of e-mail messages, may also identify spam and prevent spam from inundating a preferred mailbox in an e-mail application. FIG. 3 is a diagrammatic representation of a system in which a receiver of spam e-mail filters out the spam e-mail. Spam 328 that is received on receiver 316 is processed by a filter 324. Filter 324 is arranged to identify spam such that a user associated with receiver 316 does not have to sort through all received e-mail messages to differentiate between legitimate e-mail messages and spam e-mail messages. While filter 324 is often effective for identifying spam 328, by the time spam 328 reaches receiver 316, spam 328 has been propagated through a network (not shown). Hence, overall network spam traffic is not reduced by the use of filter 324.
Filtering out spam before spam is sent by a spam source, e.g., an agent such as a zombie, prevents the spam from being sent through a network. In addition to reducing network spam traffic, filtering out spam before spam is sent on a network reduces the volume of spam that potentially reaches a receiver. Spam control mechanisms used to prevent spam from being sent by a spam source generally utilize worm removal and anti-virus measures. For example, zombies are often created using mass mailer worms. An anti-virus agent may scan the zombie and remove a mass mailer worm, provided the anti-virus agent knows the virus signature associated with the mass mailer worm. Anti-virus agents generally include dictionaries of virus signatures that are constantly updated when new worms or viruses are identified. The use of anti-virus agents is typically effective in preventing the transmission of spam by mass mailer worms. However, until the virus signature of a mass mailer worm is identified, an anti-virus agent is unable to remove the mass mailer worm. In other words, new mailer worms or viruses which cause a local machine to become a zombie are likely not to be identified until after they have already caused spam to be transmitted. Further, the need for a creator of an anti-virus agent to identify new virus signatures, as well as the need to subsequently use the anti-virus agent to remove worms or viruses with the identified virus signatures, utilizes a significant amount of overhead.
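The detection gap described above can be shown with a small simulation. This is an added example, not part of the original document: the signature names, byte patterns, scan interval and spam rate are all constructed for illustration, and the scanner is a plain substring matcher rather than any real anti-virus engine.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample payloads; names and byte strings are made up for this example.
KNOWN_WORM = b"MZ..hdr..MASSMAIL-A-loop..smtp-engine"
NEW_WORM = b"MZ..hdr..MASSMAIL-B-loop..smtp-engine"


@dataclass
class SignatureScanner:
    """Dictionary-based scanner: flags a blob only if it contains a known signature."""
    signatures: dict = field(default_factory=dict)

    def scan(self, blob: bytes) -> Optional[str]:
        for name, pattern in self.signatures.items():
            if pattern in blob:
                return name
        return None


def exposure_window(scanner, worm, update_tick, update, ticks, spam_per_tick):
    """Scan the infected host once per tick.

    Returns (tick at which the worm was detected, or None if never,
             number of spam messages the zombie sent before detection).
    """
    sent = 0
    for tick in range(ticks):
        if tick == update_tick:
            # The vendor publishes the new signature; the dictionary is updated.
            scanner.signatures.update(update)
        if scanner.scan(worm) is not None:
            return tick, sent  # worm removed, zombie stops sending
        sent += spam_per_tick  # undetected worm keeps mailing during this tick
    return None, sent


def demo():
    base = {"MassMail.A": b"MASSMAIL-A"}
    update = {"MassMail.B": b"MASSMAIL-B"}
    known = exposure_window(SignatureScanner(dict(base)), KNOWN_WORM, 3, update, 6, 500)
    new = exposure_window(SignatureScanner(dict(base)), NEW_WORM, 3, update, 6, 500)
    return known, new


if __name__ == "__main__":
    print(demo())
```

The worm whose signature is already in the dictionary is caught on the first scan with no spam sent, while the new variant mails freely until the tick at which its signature is added.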
Therefore, what is needed is a low overhead method and apparatus that prevents spam from being transmitted to an ISP server or through a network. That is, what is desired is a system which enables spam e-mail messages to be identified prior to transmission from a spam source.