DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-30 are pending in this application.
Claims 1, 29 and 30 are currently amended.
IDS submitted on 7/23/21 has been considered by the Examiner.

Allowable Subject Matter
Claims 17-28 would be allowable if rewritten to overcome the rejection(s) under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), 1st paragraph or support can be shown to overcome the 112(a), set forth in this Office action and to include all of the limitations of the base claim and any intervening claims.


Claim Objections
Claims 1, 29 and 30 are objected to because of the following:  
Claim 1 recites limitations “displaying a user-selectable icon to report a suspicious electronic message; receiving selections of the electronic message and the user-selectable icon;” These limitations were part of the original claim language and shouldn’t have been underlined. Only new limitations should be presented with underline and any deleted limitations should be struck through.

Appropriate corrections and/or clarifications are required.

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor of carrying out his invention.

Claims 1- 30 are rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention. Claims 1, 29 and 30 
The dependent claims included in the statement of rejection but not specifically addressed in the body of the rejection have inherited the deficiencies of their parent claim and have not resolved the deficiencies.  Therefore, they are rejected based on the same rationale as applied to their parent claims above.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 2, 29 and 30 are rejected under 35 U.S.C. 103 as being unpatentable over Higbee et al. (Pub. No.: US 2016/0301705 A1) (hereinafter, “Higbee”) in view of Wood (Pub. No.: US 2010/0153394 A1) (hereinafter, “Wood”).

As to claim 1, Higbee discloses a computer-implemented method, comprising: 
a message is received on a computing device of an individual, the user may report the message as a possible phishing attack.” –e.g. see, [0051]; Fig. 5B; herein a message is received which includes an icon to report phishing); 
displaying a user-selectable icon to report a suspicious electronic message (“… a single graphical user interface action (e.g., one-click of a button, one-touch of a button) may be sufficient to trigger the notification to be sent to the network device. Examples of such a graphical reporting button are illustrated in FIGS. 5A and 5B. The graphical user interface can include a label to the effect of "Report Phishing" as a button 520, or may be presented as a contextual menu item 510.” –e.g. see, [0052]); 
receiving selections of the electronic message and the user-selectable icon (“…identifying information relating to the reported message and/or the user who reported the message may be communicated to the network server device…” –e.g. see, [0052]); 
quarantining the electronic message in response to the selections (“…a message may be set to be inaccessible to the reporting individual upon it being reported (or otherwise quarantined) and remain in such status until there is a resolution to the status of the message.” –e.g. see, [0055]; herein, once a message is reported, it’s being quarantined until there is a resolution of the reported message; see also, [00098]); 
electronically communicating the electronic message to a processor for performing threat analysis in response to the selections (“…reported messages are received at the network server. The reported messages are checked against rules stored in the system. The rules can be written for YARA or another tool that enables determining whether message or attachment data contains defined textual or binary patterns (e.g. regex parsing, etc).” –e.g. see, [0064], see also, [0054]); 
attaching, one or more headers to the electronic message (“The header can include a unique or a substantially unique identifier generated by the system for tracking purposes. In some embodiments, the identifier can be an alphanumeric code. The header may also include, as part of identifier information or separately, an identification of the user for whom the simulated phishing message was generated. This may provide attribution back to the user who reported the suspicious message…” –e.g. see, [0046]); 
receiving the response message in response to the performed threat analysis, the response message comprising the … header and indicating a threat status of the electronic message (“Combined, the other integrations 1840 may characterize a reported e-mail as "good" or "bad", i.e. determine with some probabilistic determination whether the reported e-mail is generally malicious or non-malicious to aid an administrator in responding to threats. Alternatively, the characterization of a message as "good" or "bad" may cause the system to automatically perform some action on the message (e.g., quarantine), or otherwise automate the functions of the administrator.” –e.g. see, [0123]; see also, [0088]: “A recipe or rules can be configured to auto-reply to a user in response to receiving a report from that user. The auto-reply can be to indicate that the reported message is not, in fact, suspicious.”, see also, [0090], [0092]); and 
system to automatically perform some action on the message (e.g., quarantine), or otherwise automate the functions of the administrator.” –e.g. see, [0123], see also, [0054], [0055], [0098]). 
Higbee may not explicitly disclose adding a first header to the electronic message, the first header including an identifier associated with the email address of the user; adding a second header to the electronic message, the second header including a message identifier, an application message identifier, and/or an address to send a response message; receiving the response message…comprising the first header.
However, in analogous art, Wood discloses adding a first header to the electronic message, the first header including an identifier associated with the email address of the user (“Each of the plurality of e-mails may have a message header. In accordance with an embodiment of the disclosed technology an originating Internet Protocol address, a recipient e-mail address, and a message identification may be inserted into the message header to form a modified message header, prior to passing the plurality of e-mails through the spam filter. The modified message headers may be stored in a message database on the mail server computer.” –e.g. see, [0019]; see also, [0039], [0048]; herein, a recipient e-mail address is inserted which is equivalent to adding a first a message identification may be inserted into the message header to form a modified message header, prior to passing the plurality of e-mails through the spam filter. The modified message headers may be stored in a message database on the mail server computer.” –e.g. see, [0019]; see also, [0039], [0048]; herein, a message identification is inserted which is equivalent to adding a second header); receiving the response message…comprising the first header (“…the e-mail with modified missed spam report header is sent to update the mail server computer memory 600 in FIG. 6 of the mail server 102.” –e.g. see, [0039]; herein, message with email address received by the server computer memory).
Therefore, it would have been obvious to one having ordinary skill in the art before the effective filing date of the claimed invention to modify the invention of Higbee with the teaching of Wood to adding a first header to the electronic message, the first header including an identifier associated with the email address of the user; adding a second header to the electronic message, the second header including a message identifier, an application message identifier, and/or an address to send a response message; receiving the response message…comprising the first header in order to properly store a user’s identification in a reputation database to indicate that the user has correctly reported spam that was not classified correctly by the spam filter which can be useful in determining spam in future reports.

As to claims 29 and 30, these are rejected using the similar rationale as for the rejection of claim 1.

As to claim 2, Higbee discloses further comprising updating a blacklist and/or a predelivery checklist in response to the threat status of the electronic message (“The threat information can also be provided to blocklists and/or blacklists 1820. For example, information relating to certain message addresses, IP addresses, and URLs can be provided.” –e.g. see, [0122]). 
Claims 4-5 are rejected under 35 U.S.C. 103 as being unpatentable over Higbee in view of Wood and further in view of Xiong (2007/0136808 A1).

As to claim 4, neither Higbee nor Wood explicitly disclose wherein the threat status comprises a traffic light indicator, the traffic light indicator red or stop for electronic messages corresponding to a known threat, the traffic light indicator yellow or caution for electronic messages corresponding to a possible threat, the traffic light indicator green or proceed for electronic messages not associated with a known threat or suspected of being a threat, and wherein the threat status comprises a threat category. 
We choose the color code warning system since similar schemes, such as the traffic light signaling and the terror threat warning schemes, have been used widely in people's daily lives. So people understand the meaning of them almost subconsciously. The color code warning system is made known to all email users. A red flag is added to every email with attachment sent from a probable host. A yellow flag is added to every email with attachment sent from a potential host.” –e.g. see, [0061]). 
Therefore it would have been obvious to one of ordinary skill in the art before the filing date of the invention to modify teaching of Higbee and Wood to include the threat status comprises a traffic light indicator, the traffic light indicator red or stop for electronic messages corresponding to a known threat, the traffic light indicator yellow or caution for electronic messages corresponding to a possible threat, the traffic light indicator green or proceed for electronic messages not associated with a known threat or suspected of being a threat, and wherein the threat status comprises a threat 

As to claim 5, the combination of Higbee, Wood and Xiong disclose wherein the threat category comprises at least one of a safe message, a malicious message, a phishing message, a virus, a spam message, and/or a pornographic message (Higbee: [0123]: herein, Combined, the other integrations 1840 may characterize a reported e-mail as "good" or "bad", i.e. determine with some probabilistic determination whether the reported e-mail is generally malicious or non-malicious to aid an administrator in responding to threats). 

Claims 3, 6-16 are rejected under 35 U.S.C. 103 as being unpatentable over Higbee in view of Wood and further in view of Benishti (US 2017/0244736 A1).

As to claim 3, neither Higbee nor Wood explicitly disclose further comprising electronically communicating the electronic message to the processor for performing threat analysis in response to at least one of: a sender of the electronic message has not sent a previous electronic message to the email address of the user, a variation in a spelling of a name of the sender as compared to previous electronic messages sent by the sender to the email address of the user, the electronic message originating from a 
However, in an analogous art, Benishti discloses further comprising electronically communicating the electronic message to the processor for performing threat analysis in response to at least one of: a sender of the electronic message has not sent a previous electronic message to the email address of the user, a variation in a spelling of a name of the sender as compared to previous electronic messages sent by the sender to the email address of the user, the electronic message originating from a sending system that is not associated with other electronic messages received by the email address of the user, or the electronic message having a calculated fingerprint that matches a fingerprint in a fingerprint database having a malicious threat status at a confidence level less than a confidence level threshold (“Comparing the signatures and features to previous reports (step 33), and scoring the message based on features similarity, for example, same sending name or address, same origin SMTP server or same SMTP servers path, same links name and addresses or same attachments filename or signature (Hash or FuzzyHash), or any other feature similarity that might indicate that the messages are basically the same message with some changes. Each feature has a predefined, configurable, score, that is added (step 33) to the overall score of the message.” –e.g. see, [0082]; see also [0084]; the message is treated as suspicious (step 35). For example, if the FuzzyHash compare score is above a predefined threshold the messages will be treated as similar or suspected similar.). 


As to claim 6, neither Higbee nor Wood explicitly disclose further comprising: decomposing the electronic message into at least one header or header list, at least one body, and, if the electronic message comprises an attachment, at least one attachment; generating a header fingerprint for each at least one header or header list; parsing each at least one body; normalizing each at least one body; generating a body fingerprint for each parsed and normalized at least one body; generating, if the electronic message comprising an attachment, an attachment fingerprint for each at least one attachment; and aggregating each at least one header fingerprint, each at least one body fingerprint, and, if the electronic message comprises an attachment, each at least one attachment fingerprint, into a message fingerprint. 
However, in an analogous art, Benishti discloses decomposing the electronic message into at least one header or header list, at least one body, and, if the electronic message comprises an attachment, at least one attachment; generating a header fingerprint for each at least one header or header list; parsing each at least one body; normalizing each at least one body; generating a body fingerprint for each parsed and normalized at least one body; generating, if the electronic message comprising an attachments type name, signatures and any other metadata that is extractable from the structure of the message, its content and metadata (step 31); [0081] Creating signatures based on the above extracted features and properties (step 32a), for example, MD5/SHA 1 and CTPH (computing Context Triggered Piecewise Hashes such as FuzzyHash), the signatures can be set on any subset of the message features, for example, the CTPH signature can be created using the message subject and body.). 
Therefore, it would have been obvious to one of ordinary skill in the art before the filing date of the invention to modify the teaching of Higbee and Wood as taught by Benishti in order to provide a way to mitigate a phishing attack in particular when a message is altered and manipulated across different recipients to avoid signature and exact match comparison and detection as suggested by Benishti (para 3).

As to claim 7, neither Higbee nor Wood explicitly disclose comprising moving to quarantine other electronic messages with message fingerprints in a fingerprint database that match the message fingerprint of the electronic message.
predefined threshold will be classified as malicious (e.g., a spear-phishing e-mail message) and will be controlled by the system (e.g., deleted/quarantined/disabled), …” –e.g. see, Benishti: [0066]). 
Therefore, it would have been obvious to one of ordinary skill in the art before the filing date of the invention to modify the teaching of Higbee and Wood as taught by Benishti in order to provide a way to mitigate a phishing attack in particular when a message is altered and manipulated across different recipients to avoid signature and exact match comparison and detection.


As to claim 8, the combination of Higbee, Wood and Benishti disclose wherein each at least one body comprises at least one of a uniform resource locator (URL), a text formatted body, and a binary formatted body, and wherein each attachment comprises at least one of a text formatted attachment and a binary formatted attachment (Benishti: “Extracting from the reported message features and properties such as sender name and address, message headers, message subject, body, links--name and address, attachments type name, signatures and any other metadata that is extractable from the structure of the message, its content and metadata (step 31);” –e.g. see, Benishti:[0080]). 

As to claim 9, the combination of Higbee, Wood and Benishti disclose wherein generating a header fingerprint for each at least one header or header list comprises at least one of: lexically analyzing each at least one header or header list, wherein lexically analyzing comprises at least one of identifying the number of each type of header or header list, analyzing the lexical format of each header or header list, analyzing frequency and patterns of white space within each header or header list, analyzing frequency and patterns of special characters within each header or header list, and comparing the source and message routing in a header list for consistency; applying, for each header, a header hash algorithm to the at least one header; and/or applying, for each header list, a header list hash algorithm (Benishti: “Comparing the signatures and features to previous reports (step 33), and scoring the message based on features similarity, for example, same sending name or address, same origin SMTP server or same SMTP servers path, same links name and addresses or same attachments filename or signature (Hash or FuzzyHash), or any other feature similarity that might indicate that the messages are basically the same message with some changes. Each feature has a predefined, configurable, score, that is added (step 33) to the overall score of the message.” –Benishti: [0082]). 



As to claim 11, the combination of Higbee, Wood and Benishti disclose wherein normalizing the at least one body comprises at least one of normalizing white spaces, transposing letters to correct spelling, removing excess punctuation, removing hyphenation, removing hypertext markup language, and/or replacing incorrectly substituted characters, such as Os for zeros, or unaccented characters for accented characters with diacritical marks (Benishti: [0081]; herein, CTPH (computing Context Triggered Piecewise Hashes such as FuzzyHash), the signatures can be set on any subset of the message features, for example, the CTPH signature can be created using the message subject and body). 

As to claim 12, the combination of Higbee, Wood and Benishti disclose wherein generating a body fingerprint for each parsed and normalized at least one body comprises: applying, for each URL, a URL hash algorithm to generate a URL body fingerprint for each URL; applying, for each text formatted body, a text body hash algorithm to generate a text body fingerprint for each text body; and applying, for each binary formatted body, a binary body hash algorithm to generate a binary body 
As to claim 13, the combination of Higbee, Wood and Benishti disclose wherein the URL hash algorithm comprises a traditional hash, wherein the text body hash algorithm comprises a similarity hash, and wherein the binary body hash algorithm comprises a fuzzy hash (Benishti: [0081], herein, the signatures can be set on any subset of the message features, for example, the CTPH signature can be created using the message subject and body).
As to claim 14, the combination of Higbee, Wood and Benishti disclose wherein generating an attachment fingerprint for each attachment comprises: applying, for each text formatted attachment, a text attachment hash algorithm to generate a text attachment fingerprint for each text attachment; and applying, for each binary formatted attachment, a binary attachment hash algorithm to generate a binary attachment fingerprint for each binary formatted attachment (Benishti: [0081], herein, the signatures can be set on any subset of the message features, for example, the CTPH signature can be created using the message subject and body).
As to claim 15, the combination of Higbee, Wood and Benishti disclose wherein the text attachment hash algorithm comprises a similarity hash, and wherein the binary attachment hash algorithm comprises a fuzzy hash (Benishti: [0081], herein, the signatures can be set on any subset of the message features, for example, the CTPH signature can be created using the message subject and body).
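
The decompose, normalize, fingerprint and aggregate sequence recited in claims 6 and 11 to 14 can be illustrated in Python as follows. This is an added example, not code from the application, the Office action, or any cited reference; it substitutes SHA-256 for the similarity and fuzzy hashes named in claim 13, hashes only the ordered header names as the header-list fingerprint, and every function name and sample message is constructed for illustration.

```python
import hashlib
import re
import unicodedata
from email import message_from_bytes, policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s<>\"']+")

def sha256_hex(data: bytes) -> str:
    # Exact ("traditional") hash; stands in for every per-part hash here (assumption).
    return hashlib.sha256(data).hexdigest()

def normalize_body(text: str) -> str:
    text = re.sub(r"<[^>]+>", " ", text)        # remove HTML markup
    text = re.sub(r"-\s*\n\s*", "", text)       # remove line-break hyphenation
    text = unicodedata.normalize("NFKD", text)  # split accents from base letters
    text = "".join(c for c in text if not unicodedata.combining(c))
    text = re.sub(r"([!?.,])\1+", r"\1", text)  # collapse excess punctuation
    return re.sub(r"\s+", " ", text).strip().lower()  # normalize white space

def fingerprint_message(raw: bytes) -> dict:
    msg = message_from_bytes(raw, policy=policy.default)
    # Header-list fingerprint: ordered header names only, so per-recipient
    # values such as To do not change it (an assumption of this example).
    header_fp = sha256_hex("\n".join(n.lower() for n in msg.keys()).encode())
    url_fps, body_fps, att_fps = [], [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.is_attachment():
            att_fps.append(sha256_hex(part.get_payload(decode=True) or b""))
        elif part.get_content_maintype() == "text":
            text = part.get_content()
            url_fps += [sha256_hex(u.encode()) for u in URL_RE.findall(text)]
            body_fps.append(sha256_hex(normalize_body(text).encode()))
    url_fps, body_fps, att_fps = sorted(url_fps), sorted(body_fps), sorted(att_fps)
    # Aggregate the component fingerprints into one message fingerprint.
    combined = "|".join([header_fp] + url_fps + body_fps + att_fps)
    return {"header": header_fp, "urls": url_fps, "bodies": body_fps,
            "attachments": att_fps, "message": sha256_hex(combined.encode())}

def build_sample(to: str, body: str, subtype: str) -> bytes:
    """Constructed test message: one text body and one binary attachment."""
    m = EmailMessage()
    m["From"] = "IT Support <support@example.test>"
    m["To"] = to
    m["Subject"] = "Password expiry"
    m.set_content(body, subtype=subtype)
    m.add_attachment(b"%PDF-constructed-sample", maintype="application",
                     subtype="pdf", filename="notice.pdf")
    return m.as_bytes()

# Constructed samples: B is A re-sent to another recipient with changed markup,
# spacing, punctuation and an accented letter; C points at a different URL.
RAW_A = build_sample("alice@example.test",
    "Dear user,\nYour account password expires today. "
    "Visit https://login.example.test/reset to keep access.\n", "plain")
RAW_B = build_sample("bob@example.test",
    "<p>Dear   user,</p>\n<p>Your account <b>password</b> expir\u00e9s today... "
    "Visit https://login.example.test/reset to keep access.</p>\n", "html")
RAW_C = build_sample("carol@example.test",
    "Dear user,\nYour account password expires today. "
    "Visit https://login.example.test/verify to keep access.\n", "plain")

if __name__ == "__main__":
    for name, raw in (("A", RAW_A), ("B", RAW_B), ("C", RAW_C)):
        print(name, sha256_hex(raw)[:16], fingerprint_message(raw)["message"][:16])
```

Messages A and B differ byte for byte yet share one message fingerprint, which is the property a quarantine lookup against a fingerprint database relies on; an exact hash after normalization still misses reworded text, which is where a similarity or fuzzy hash would be needed.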

Response to Arguments
Applicant has amended the independent claims 1, 29 and 30 which necessitated new ground of rejection. Examiner has cited a new art for the limitations that were argued as part of remark, thus, arguments are moot, see rejection above.

Conclusion
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within 


Any inquiry concerning this communication or earlier communications from the examiner should be directed to SUMAN DEBNATH whose telephone number is (571)270-1256. The examiner can normally be reached Mon-Fri; 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and 

SUMAN DEBNATH
Patent Examiner
Art Unit 2495



/S.D/Examiner, Art Unit 2495

/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495