The present invention relates to systems, methods and software for dealing with unethical uses of electronic mail and for preventing online fraud.
Electronic mail (“email”) has become a staple of modern communications. Unfortunately, however, anyone who uses email on a regular basis is familiar with the vast quantities of “spam” (unsolicited email) sent to nearly every email addressee from various advertisers. Although somewhat analogous to traditional paper “junk mail,” spam is unique in that, for virtually no cost, a purveyor of spam (“spammer”) can easily and quickly generate and transmit copious amounts of spam. Further, limitations in the Internet-standard simple mail transport protocol (“SMTP”) allow spammers to transmit spam with relative anonymity and, therefore, with correspondingly little accountability. Consequently, even though spam annoys the vast majority of recipients and, thus, generates few successful sales opportunities for the spammer relative to the amount of spam transmitted, the spam “industry” is burgeoning: Given their ability to inexpensively and quickly transmit enormous quantities of spam, spammers can make a handsome profit even from the relatively low response rate to the spam advertising.
By their nature, spammers continually search for new recipients (victims) to which to send spam. The spam “industry,” therefore has launched a derivative industry of “harvesters,” who scour the Internet and other sources to generate lists of valid email addresses, which they then sell to the spammers. (Obviously, since these activities go hand-in-hand, many spammers act as harvesters for themselves or their fellow spammers). Harvesters use a variety of techniques for obtaining email address lists, and often develop automated search programs (commonly referred to as “robots” or “web crawlers”) that continually skulk about the Internet searching for new email addresses. For example, harvesters obtain email addresses from Internet (and other) news groups, chat rooms, and directory service (e.g., white pages) sites, as well as message boards, mailing lists, and web pages, on which users commonly provide email addresses for feedback, etc.
The success of spamming in general has given rise to an even more virulent form of email abuse, know as “spoofing.” This practice involves inserting a false email address in the “From” or “Reply-to” headers of an email message, thereby misleading the recipient into believing that the email originated from a relatively trusted source. Spoofed emails often appear to be from well-known Internet service providers (“ISPs”) (such as, for example, America Online™ and The Microsoft Network™), or other high-profile entities with easily-identifiable email addresses (including, for example IBM™, Microsoft™, General Motors™ and E-Bay™, as well as various financial institutions, online retailers and the like). This spoofing is unacceptable to these entities for many reasons, not the least because it causes customer confusion, destroys the value of a well-cultivated online presence, creates general mistrust of the spoofed brands and largely dilutes the value of a reputable entity's online communications and transactions.
Perhaps most alarmingly, spam (and spoofed spam in particular) has increasingly been used to promote fraudulent activity, including identity theft, unauthorized credit card transactions and/or account withdrawals, and the like. This technique, known in the art as “phishing,” involves masquerading as a trusted business in order to induce an unsuspecting consumer to provide confidential personal information, often in response to a purported request to update account information, confirm an online transaction, etc. Merely by way of example, a “phisher” may send a spoof email purporting to be from the recipient's bank and requesting (ironically) that the recipient “confirm” her identity by providing confidential information by reply email or by logging on to a fraudulent web site. Similarly, a common “phish” message requests that the recipient log on to a well-known e-commerce site and “update” credit card information stored by that site.
The phish email often includes a uniform resource locator (“URL”) purporting to link to the web site of spoofed sender, but which actually redirects the recipient to a spoofed web site (i.e., a web site that imitates or is designed to look like the web site of the spoofed source of the email). Upon visiting the spoofed web site, the recipient may be presented with a form that requests information such as the recipient's address, phone number, social security number, bank account number, credit card number, mother's maiden name, etc. The recipient, believing that she is communicating with a trusted company, may provide some or all of this information, which then is at the spammer's disposal to use for any of a variety of illegitimate purposes.
While such activity is indisputably both illegal and immoral, the relative anonymity of the spammers, as well as the international nature of the Internet, hinders effective legal prosecution for these activities. Merely by way of example, the server associated with the spoofed web site may be located in a country from which prosecution/extradition is highly unlikely. Moreover, these spoofed web sites are often highly transient, existing on a given server or ISP for a short time (perhaps only a matter of days or even hours) before the spammer moves on to a new server or ISP. Compounding the enforcement problem is the fact that many of the servers hosting spoofed web sites are legitimate servers that have been compromised (or “hacked”) by the spammer or his associates, with the owner/operator of the server having no idea that the server is secretly being used for illegitimate purposes.
Accordingly, there is a need for a solution to deal with these email abuses.