DETAILED ACTION
Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.
Claims 1-5, 7-15, 17-22 and 24-30 are pending in this application.
Claims 1, 7-11, 17-21 and 24-30 are currently amended.
Claims 6, 16 and 23 are cancelled.
No new IDS has been filed.

Response to Arguments
The previous 112(a) rejection of claims 1-30 has been withdrawn in response to the applicants’ amendments/remarks.

Allowable Subject Matter
Claims 1-5, 7-15, 17-22 and 24-30 are allowed.

EXAMINER’S AMENDMENT
An examiner’s amendment to the record appears below. Should the changes and/or additions be unacceptable to applicants, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this examiner's amendment was given in phone contact with Mark D. Hammond (Reg. no. 75,822) on 5/24/2022.
  
The application has been amended as follows:
IN THE CLAIMS

Claim 1. (Currently Amended) A computer-implemented method, comprising: 
receiving an electronic message associated with an email address of a user into a first folder; 
presenting a user-selectable icon for display to report a suspicious electronic message; 
receiving selections of the user-selectable icon; 
quarantining the electronic message in response to the selections; 
decomposing the electronic message into at least one header or header list, at least one body, and, [[if]] when the electronic message comprises an attachment, at least one attachment; 
generating a header fingerprint for each at the least one header or header list; 
parsing each at the least one body; 
normalizing each at the least one body; 
generating a body fingerprint for each parsed and normalized at the least one body; 
generating, [[if]] when the electronic message comprising an attachment, an attachment fingerprint for each at the least one attachment; and 
aggregating each at the least one header fingerprint, each at the least one body fingerprint, and, [[if]] when the electronic message comprises [[an]] the attachment, each at the least one attachment fingerprint, into a message fingerprint; 
electronically communicating the electronic message to a processor for performing threat analysis; 
attaching the one or more headers to the electronic message; 
Page 2 of 16, Application No. 16/176,791, Docket No.: 038202-502001US, Amendment Dated May 18, 2022, Reply to Office Action of December 14, 2021
receiving a response message in response to the performed threat analysis, the response message comprising the one or more headers and indicating a threat status of the electronic message; and 
processing the electronic message in response to the response message, the processing including at least one of deleting the electronic message, leaving the electronic message in quarantine, and/or moving the electronic message to the first folder, 
wherein performing the threat analysis comprises: 
generating at least one of a raw view of the electronic message, a parsed view of the electronic message, and a browser view of the electronic message; 
analyzing at least part of the electronic message to collect the threat status indicators; 
automatically generating the threat status of the electronic message in response to the threat status indicators; 
assigning a confidence level to the threat status of the electronic message; 
requesting manual generation of the threat status of the electronic message [[if]] when the confidence level is below a confidence level threshold; and 
updating the threat status with the manually generated threat status, 
wherein analyzing at least part of the electronic message to collect the threat status indicators comprises identifying a risky command or behavior within the electronic message.  

 
Claim 3. (Currently Amended) The method of claim 1, further comprising electronically communicating the electronic message to the processor for performing the threat analysis in response to at least one of: 
a sender of the electronic message has not sent a previous electronic message to the email address of the user, 
a variation in a spelling of a name of the sender as compared to previous electronic messages sent by the sender to the email address of the user, 
the electronic message originating from a sending system that is not associated with other electronic messages received by the email address of the user, or 
the electronic message having a calculated fingerprint that matches a fingerprint in a fingerprint database having a malicious threat status at a confidence level less than a confidence level threshold.  


11. (Currently amended) The method of claim 1, wherein normalizing the at least one body comprises at least one of normalizing white spaces, transposing letters to correct spelling, removing excess punctuation, removing hyphenation, removing hypertext markup language, and/or replacing incorrectly substituted characters


20. (Currently amended) The method of claim 1, wherein analyzing at least part of the electronic message to collect threat status indicators comprises: 
querying a URL threat database for [[the]] at least a URL and URL threat status, for each URL in the electronic message to identify whether the at least one URL in the electronic message comprises at least one URL in the at least one URL threat database, each identified URL in the URL threat database and corresponding URL threat status corresponding to the threat status indicator for the URL threat database query.  


24. (Currently Amended) The method of claim 1, wherein the risky command or behavior comprises executing code or a macro when [[a]] the user opens the electronic message or one of the at least one attachments.  


29. (Currently Amended) A system, comprising: 
at least one data processor; and 
memory storing instructions which, when executed by the at least one data processor, result in operations comprising: 
receiving an electronic message associated with an email address of a user into a first folder; 
quarantining the electronic message; 
decomposing the electronic message into at least one header or header list, at least one body, and, [[if]] when the electronic message comprises an attachment, at least one attachment; 
generating a header fingerprint for each at the least one header or header list; 
parsing each at the least one body; 
normalizing each at the least one body; 
generating a body fingerprint for each parsed and normalized at the least one body; 
generating, [[if]] when the electronic message comprising an attachment, an attachment fingerprint for each at the least one attachment; 
aggregating each at least one header fingerprint, each at least one body fingerprint, and, [[if]] when the electronic message comprises an attachment, each at least one attachment fingerprint, into a message fingerprint; 
electronically communicating the electronic message to a processor for performing threat analysis; 
attaching the one or more headers to the electronic message; 
receiving a response message in response to the performed threat analysis, the response message comprising the one or more headers and indicating a threat status of the electronic message; and
 processing the electronic message in response to the response message the processing including at least one of deleting the electronic message, leaving the electronic message in quarantine, and/or moving the electronic message to the first folder, 
wherein performing the threat analysis comprises: 
generating at least one of a raw view of the electronic message, a parsed view of the electronic message, and a browser view of the electronic message; 
analyzing at least part of the electronic message to collect threat status indicators; 
automatically generating the threat status of the electronic message in response to the threat status indicators; 
assigning a confidence level to the threat status of the electronic message; 
requesting manual generation of the threat status of the electronic message [[if]] when the confidence level is below a confidence level threshold; and 
updating the threat status with the manually generated threat status, wherein analyzing at least part of the electronic message to collect threat the status indicators comprises identifying a risky command or behavior within the electronic message.  

30. (Currently Amended) A non-transitory computer-readable medium storing instructions, which when executed by at least one data processor, result in operations comprising: 
receiving an electronic message associated with an email address of a user into a first folder; 
quarantining the electronic message; 
decomposing the electronic message into at least one header or header list, at least one body, and, [[if]] when the electronic message comprises an attachment, at least one attachment; 
generating a header fingerprint for each at the least one header or header list; 
parsing each at the least one body; 
normalizing each at the least one body;
generating a body fingerprint for each parsed and normalized at the least one body; 
generating, [[if]] when the electronic message comprising an attachment, an attachment fingerprint for each at the least one attachment; 
aggregating each at the least one header fingerprint, each at the least one body fingerprint, and, [[if]] when the electronic message comprises [[an]] the attachment, each at the least one attachment fingerprint, into a message fingerprint; 
electronically communicating the electronic message to a processor for performing threat analysis; 
attaching the one or more headers to the electronic message; 
receiving a response message in response to the performed threat analysis, the response message comprising the one or more headers  and indicating a threat status of the electronic message; and 
processing the electronic message in response to the response message, the processing including at least one of deleting the electronic message, leaving the electronic message in quarantine, and/or moving the electronic message to the first folder, 
wherein performing the threat analysis comprises: 
generating at least one of a raw view of the electronic message, a parsed view of the electronic message, and a browser view of the electronic message; 
analyzing at least part of the electronic message to collect threat status indicators; 
automatically generating the threat status of the electronic message in response to the threat status indicators; 
assigning a confidence level to the threat status of the electronic message; 
requesting manual generation of the threat status of the electronic message [[if]] when the confidence level is below a confidence level threshold; and 
updating the threat status with the manually generated threat status, 
wherein analyzing at least part of the electronic message to collect the threat status indicators comprises identifying a risky command or behavior within the electronic message.
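
An added example, not code from the application or the examiner: one way to implement the decompose, normalize, fingerprint and aggregate steps recited in claims 1, 11, 29 and 30. SHA-256, hashing the ordered header-name list as the header fingerprint, aggregating by hashing the sorted component fingerprints, and the sample messages are all assumptions; the claims name none of them.

```python
import hashlib
import html
import re
from email import message_from_string, policy

def _h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()  # hash choice is an assumption

def normalize_body(text: str) -> str:
    """Apply several of the normalizations listed in claim 11."""
    text = html.unescape(re.sub(r"<[^>]+>", " ", text))  # remove HTML markup
    text = re.sub(r"(\w)-\s*\n\s*(\w)", r"\1\2", text)   # remove hyphenation
    text = re.sub(r"([!?.,])\1+", r"\1", text)           # remove excess punctuation
    return re.sub(r"\s+", " ", text).strip()             # normalize white space

def fingerprint_message(raw: str) -> dict:
    """Decompose a message, fingerprint each component, then aggregate."""
    msg = message_from_string(raw, policy=policy.default)
    # Header fingerprint: hash of the ordered header-name list (assumption),
    # so per-recipient values such as To: do not change it.
    fp = {"header": _h("\n".join(k.lower() for k in msg.keys()).encode()),
          "bodies": [], "attachments": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.is_attachment():
            fp["attachments"].append(_h(part.get_payload(decode=True) or b""))
        elif part.get_content_maintype() == "text":
            fp["bodies"].append(_h(normalize_body(part.get_content()).encode()))
    parts = [fp["header"], *sorted(fp["bodies"]), *sorted(fp["attachments"])]
    fp["message"] = _h("|".join(parts).encode())  # aggregation is an assumption
    return fp

# Constructed sample messages (not taken from the application).
HEAD = "From: a@example.test\nTo: {to}\nSubject: Invoice\n"
SAMPLE_A = HEAD.format(to="u1@example.test") + (
    "Content-Type: text/plain\n\nPlease  review the in-\nvoice now!!!\n")
SAMPLE_B = HEAD.format(to="u2@example.test") + (
    "Content-Type: text/html\n\n<p>Please review the invoice now!</p>\n")
SAMPLE_C = HEAD.format(to="u1@example.test") + (
    'Content-Type: multipart/mixed; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain\n\nPlease review the invoice now!\n"
    "--b1\nContent-Type: application/octet-stream\n"
    "Content-Disposition: attachment\nContent-Transfer-Encoding: base64\n\n"
    "Y29uc3RydWN0ZWQ=\n--b1--\n")

if __name__ == "__main__":
    for name, raw in (("A", SAMPLE_A), ("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(name, fingerprint_message(raw)["message"])
```

Samples A and B differ in recipient, markup, spacing, hyphenation and punctuation yet aggregate to the same message fingerprint, while C shares their header and body fingerprints and diverges only through its attachment fingerprint.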


Examiner’s Statement for Reasons for Allowance
The following is an examiner’s statement of reasons for allowance:

Regarding independent claims 1, 29 and 30,

Higbee et al. (Pub. No.: US 2016/0301705 A1) teaches receiving an electronic message associated with an email address of a user; displaying a user-selectable icon to report a suspicious electronic message; receiving selections of the electronic message and the user-selectable icon; quarantining the electronic message in response to the selections; electronically communicating the electronic message to a processor for performing threat analysis in response to the selections; attaching one or more headers to the electronic message; processing the electronic message in response to the response message, wherein processing comprises at least one of deleting the electronic message, leaving the electronic message in quarantine, and/or moving the electronic message to the first folder (see, e.g., [0046], [0051], [0052], [0054], [0064], [0123] of Higbee).

Wood (Pub. No.: US 2010/0153394 A1) teaches adding a first header to the electronic message, the first header including an identifier associated with the email address of the user (see, e.g., [0019], [0039] of Wood).

However, the prior art of record does not teach or render obvious the limitations of independent claims 1, 29 and 30, specifically the following in combination with the other claimed limitations:

decomposing the electronic message into at least one header or header list, at least one body, and, when the electronic message comprises an attachment, at least one attachment; 
generating a header fingerprint for each at the least one header or header list; 
parsing each at the least one body; 
normalizing each at the least one body; 
generating a body fingerprint for each parsed and normalized at the least one body; 
generating, when the electronic message comprising an attachment, an attachment fingerprint for each at the least one attachment; and 
aggregating each at the least one header fingerprint, each at the least one body fingerprint, and, when the electronic message comprises the attachment, each at the least one attachment fingerprint, into a message fingerprint; 
wherein performing the threat analysis comprises: 
generating at least one of a raw view of the electronic message, a parsed view of the electronic message, and a browser view of the electronic message; 
analyzing at least part of the electronic message to collect the threat status indicators; 
automatically generating the threat status of the electronic message in response to the threat status indicators; 
assigning a confidence level to the threat status of the electronic message; 
requesting manual generation of the threat status of the electronic message when the confidence level is below a confidence level threshold; and 
updating the threat status with the manually generated threat status, 
wherein analyzing at least part of the electronic message to collect the threat status indicators comprises identifying a risky command or behavior within the electronic message.  

Dependent claims 2-5, 7-15, 17-22 and 24-28 are allowed as they depend from allowable independent claim 1.

Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee. Such submissions should be clearly labeled "Comments on Statement of Reasons for Allowance".

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to SUMAN DEBNATH whose telephone number is (571)270-1256. The examiner can normally be reached Mon-Fri; 9:00am-5:00pm.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Farid Homayounmehr can be reached on 571-272-3739. The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of published or unpublished applications may be obtained from Patent Center. Unpublished application information in Patent Center is available to registered users. To file and manage patent submissions in Patent Center, visit: https://patentcenter.uspto.gov. Visit https://www.uspto.gov/patents/apply/patent-center for more information about Patent Center and https://www.uspto.gov/patents/docx for information about filing in DOCX format. For additional questions, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.

SUMAN DEBNATH
Patent Examiner
Art Unit 2495



/S.D/Examiner, Art Unit 2495  

/FARID HOMAYOUNMEHR/Supervisory Patent Examiner, Art Unit 2495