This specification relates to communication characteristics of unsolicited messages.
By all estimates, unsolicited or undesired electronic mail (“email”), which is often referred to as “spam” (as opposed to valid email, which may be referred to as “ham”), is a pressing and continuing problem on the Internet. A consortium of service providers reports that across more than 500M monitored mailboxes, 75% of all received email is spam, amounting to more than 390B spam messages over a single quarter. Spam clogs mailboxes, slows servers and lowers productivity. Not only is spam annoying, it adversely affects the reliability and stability of the global email system.
Popular methods for mitigating spam include content analysis, collaborative filtering, reputation analysis, and authentication schemes. While some of these methods may be effective, none of these methods offer a panacea; spam is an arms race where spammers quickly adapt to, and work around, the latest prevention techniques.
Referring to FIG. 1, in some examples, email flows via a core network 110, such as the Internet, and makes use of data connections between computers, including mail servers, which are connected to the network. Today, the majority of email on the Internet makes use of data connections between mail servers over which email either is passed directly from an email source to the destination mail server, or is passed via an intermediate mail server where it may be queued before being forwarded to the destination server to another intermediate server. The virtually universal protocol for connection between mail servers on the Internet today is the Simple Mail Transfer Protocol (SMTP). SMTP is an application layer protocol that is generally passed over Transport Control Protocol (TCP) sessions, which in turn use the Internet Protocol (IP) at the network layer.
As an example, a large mail server 120 may service a number of email clients 122, which use the server to send or retrieve email. An example of software used at the mail client is Microsoft Outlook. When an email client 122 sends email, the email may pass to the large mail server 120 where it is queued, and then pass over the network 110 to the destination mail server 160 using a TCP session between the mail servers. A mail client 162 associated with the addressee of the email may then access the mail received at the mail server 160. Similarly, a small mail server 130 may service a number of email clients 132. In some examples, an email client 132 sends email via the mail server 130 to the destination mail server 110 over a similar TCP session. In some examples, a mail client 132 may also connect to the destination mail server directly without first passing the email to the email server 130. In some examples, the small mail server 130 or the mail client 132 may be connected to the network over a relatively low capacity link, for example, over a 256 kb/s link, while the large mail server may be connected to the network over a very high capacity link, for example, 10 Mb/s or greater. Therefore, characteristics of the communication session between the large mail server and the destination and the small mail server and the destination may differ, for example, in the average data rate of the transfer between the servers.
Other computers may be coupled to the network 110 via service providers 112, e.g., Internet Service Providers (ISPs), who operate an access network 114, such as a cable television network or digital subscriber lines (DSL), for linking computers to the core network. For example, a valid source of email may be a mail client application executing on a computer 150 coupled via the access network 114 to the service provider.
Spam mail may originate from a variety of sources. In some cases, the sources include compromised computers, such as a compromised computer 140 that is infected by a virus. The compromised computer sends spam to destinations, such as the destination mail server 160, typically as part of a very large number of attempted transmissions of mail messages to a large number of mail servers.