DETAILED ACTION
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
This Office Action is in response to the amendment filed on 2/25/2022.
Claims 2-8, 11-16 and 29 have been canceled.
Claims 1, 9, 17, 19-28 and 30-38 have been amended.
Claims 1, 9-10, 17-28 and 30-38 are pending for consideration.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 3/22/2022 has been entered.
 

Response to Arguments
The objection of claims 19-38 has been withdrawn as the claims have been amended as suggested. 
The objection of claims 19 and 29 under double patenting has been withdraw as claim 29 has been canceled.
Applicant's arguments filed on 9/10/2021 have been fully considered but they are not persuasive. 
Applicant argues on page 9 of the Remarks that Verma in view of Dreller teaches away from whitelists that are specific to the user.
  In response to the above argument, Examiner notes that claim 1 recites only one whitelist specific to the user not multiple whitelists that are specific to the user.  Furthermore, Examiner disagrees with applicant’s argument because Verma does teach a whitelist unique to the user which broadly means the whitelist specific to the user.  Therefore, applicant’s argument is not persuasive.
On page 10 of the Remarks, Applicant further alleges that Verma in view of Dreller fails to teach a whitelist comprising at least a display name and an identification of an email address of an authoritative entity.
In response to the above arguments, Examiner respectfully disagrees.  Verma does teach a whitelist comprising at least one entry that has a display name and an email address of an authoritative entity (Verma: paragraphs 0055, 0057-0059, 0062, 0076-0077, 0089, 0091 and 0158, “For efficiency purposes PhishNet-NLP saves the vocabulary and named-entity information for the context examined, and the corresponding vectors for the emails examined in a database for subsequent reuse”).  As can be seen in the cited paragraphs, PhishNet-NLP is broadly interpreted as the whitelist recited in the claims.  PhishNet-NLP is specific to the user/recipient.  PhishNet-NLP analyzes headers by comparing the display name extracted from the email with the stored named-entity and email address information its database.  The named-entity and email address information are mapped to the at least one entry that has a display name and an email address of an authoritative entity.  Therefore, Verma does teach the disputed limitation.  
Furthermore, not only Verma discloses the whitelist, Dreller also teaches the whitelist comprising at least one entry that has a display name and an email address of an authoritative entity (Dreller: paragraphs 0051-0052, “The Phish Detection Search Engine (110) searches all categorized data (203a-d) stored on the Storage/Database Servers (104) for the EMAIL BODY CONTENT and EMAIL BODY URL CONTENT. The EMAIL BODY CONTENT includes, but is not limited to, the full FROM HEADER, DISPLAY NAME, SUBJECT LINE, EMAIL BODY and associated ATTACHMENTS. The Phish Detection Search Engine (110) also searches all categorized data (203a-d) in real time from the Classification servers (103). The Phish Detection Search Engine (110) also searches the data noted above for the use of display names, trademarks and other terms that may or may not be trademarked by the domain owner for use of their brand in phishing and spoofing attacks.”).  Therefore, Verma in view of Dreller does disclose the disputed limitation.
Accordingly, for reasons of record and as set forth above, the examiner maintains the art rejection of the claims 1, 9-10, 17-28 and 30-38.
Applicant’s arguments with respect to claims 1, 9-10, 17-28 and 30-38 have been considered but are moot.

Claim Rejections - 35 USC § 112
The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claims 1, 9 and 17 are rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.
Claims 1, 9 and 17 recite the limitation "the entry".  There is insufficient antecedent basis for this limitation in the claim.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 1, 9-10, 17-19, 21-28 and 31-38 are rejected under 35 U.S.C. 103 as being unpatentable over Verma et al. (US 20150067833) (hereinafter Verma) in view of Dreller et al. (US 20140082726) (hereinafter Dreller).
Regarding claim 1, Verma discloses a method for improving electronic message filtering on a server to detect phishing attempts based on deceptive display names in electronic messages, comprising: 
receiving, by one or more servers, an electronic message sent over a network to a user the electronic message comprising a header component and a content component (Verma: paragraphs 0017, 0023, 0039 and 0094, “The embodiment makes use of information present in the email header, text in the email body, and the links embedded in the email. Inventive techniques are employed to process the header and link information, and deeper natural language techniques are used to process the text information”… “The added advantage of this approach is that internet service providers (ISPs) and email providers may now be able to prevent such emails from being delivered to the user”), the header comprising at least a first display name and a first email address (Verma: paragraphs 0047, 0055, 0064, 0098-0103 and 0153, “For an email text, e, let Named-entity(e) denote the set of named entities … “if the domain in the From Field accepts an IP address as a permitted sender in the Received-SPF field, perform an NSLOOKUP on this IP address, and store the domain name corresponding to this IP address in the variable SPFQuery”); 
accessing, by at least one classifier component executing on one or more processors, a whitelist specific to the user stored in a memory accessible by the one or more servers, the whitelist comprising at least one entry associated with an authoritative entity, including the display name of the authoritative entity, the entry comprising at least a second display name and an identification of a second email address of the authoritative entity, and determine that the first display name matches the second display name (Verma: paragraphs 0055, 0057-0059, 0062, 0076-0077, 0089, 0091 and 0158, “For efficiency purposes PhishNet-NLP.TM. saves the vocabulary and named-entity information for the context examined, and the corresponding vectors for the emails examined in a database for subsequent reuse””); 
responsive to the first display name matching the second display name, determining, by the at least one classifier component, whether the electronic message was sent from the authoritative entity by determining an email authentication is associated with the electronic message, and by determining the first email address of a sender of the electronic message matched the second email address associated with the authoritative entity (Verma: paragraphs 0064, 0068, 0097 and 0102-0103, “A possible second phase involves verifying the data. The data may be verified as follows: [0103] i. If the first Received From field has the same domain name as the FROM FIELD or LOCALHOST or ANY FORWARDING EMAIL ACCOUNT, or if the NSLOOKUP on the IP address of the permitted sender in the Received-SPF field yields the same domain name stored in the variable SPFQuery, then this email is legitimate … “if the SPF query returns "pass," and if the domain in the From Field accepts an IP address as a permitted sender in the Received-SPF field, perform an NSLOOKUP on this IP address, and store the domain name corresponding to this IP address in the variable SPFQuery. [0101] Otherwise, store the RECEIVED FROM field.”); responsive to determining that the electronic message was sent from the authoritative entity, delivering, by the one or more processors, the electronic message (Verma: paragraphs 0076, 0097 and 0105-0111, “SPF allows a domain administrator to specify which hosts on the domain are allowed to send email by creating specific SPF records in the Domain Name System”); and responsive to determining that the electronic message was not sent from the authoritative entity, performing, by the one or more processors, a security action (Verma: paragraphs 0095-0097 and 0150, “Receivers of a message can now check the SPF record and decide whether to accept or reject the message body, thereby reducing the bulk of spam and phishing messages delivered”).
Verma does not explicitly disclose the following limitation which is disclosed by Dreller, determining, using Domain-based Message Authentication, Reporting, and Conformance (DMARC), an email authentication is associated with the electronic message (Dreller: paragraphs 0050 and 0051, “DMARC Aggregate Data (201e), DMARC Forensic Messages (201f), and Subscriber Data (201g) provide information about phishing attacks on customer owned domains. Email Abuse Complaint Messages (201a), Spam Trap Messages (201b), and Subscriber Data (201g) provide information about phishing attacks on customer brands/identities originating from domains not owned by the customer”… “The EMAIL BODY CONTENT includes, but is not limited to, the full FROM HEADER, DISPLAY NAME, SUBJECT LINE, EMAIL BODY and associated ATTACHMENTS. The Phish Detection Search Engine (110) also searches all categorized data (203a-d) in real time from the Classification servers (103). The Phish Detection Search Engine (110) also searches the data noted above for the use of display names, trademarks and other terms that may or may not be trademarked by the domain owner for use of their brand in phishing and spoofing attacks”).  Verma and Dreller are analogous art because they are from the same field of endeavor, Email Classification.  Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Verma and Dreller before him or her, to modify the system of Verma to include DMARC of Dreller to detect phishing attacks.  The suggestion/motivation for doing so would have been to verify that it does in fact properly authenticate all email messages sent from a given domain (Dreller: paragraph 0014).
Regarding claim 9, claim 9 discloses a system claim that is substantially equivalent to the method of claim 1.  Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 9 and rejected for the same reasons.
Regarding claim 17, claim 17 discloses a system claim that is substantially equivalent to the method of claim 1.  Therefore, the arguments set forth above with respect to claim 1 are equally applicable to claim 17 and rejected for the same reasons.
Regarding claim 10, Verma as modified discloses wherein performing a security action further comprises: one or more of not delivering the electronic message, placing the electronic message in a spam folder, notifying a third party, sending a warning, and generating statistics (Verma: paragraphs 0077, 0097 and 0150, “On a database of 2000 phishing emails (using the same phishing corpus as a current phishing scheme available), the percentage of emails that are marked by PhishNet-NLP.TM. as phishing is over 98% compared to other phishing schemes that had results in the low 80%”…“Receivers of a message can now check the SPF record and decide whether to accept or reject the message body, thereby reducing the bulk of spam and phishing messages delivered. The classifier described herein assigns an email a score of 1 for phishing and 0 for legitimate”).
Regarding claim 18, Verma as modified discloses further comprising: responsive to no output of the indicator of risk, delivering, by the one or more processors, the electronic message (Verma: paragraphs 0043, 0076, 0097, 0105-0111 and 0129, “Recall that a score of 1 represents phishing and 0 stands for legitimate. If the combined score of the three classifiers (header, link and text) is .gtoreq.2, PhishNet-NLP.TM. labels the email phishing, otherwise it labels it legitimate”).
Regarding claim 19, Verma as modified discloses wherein the identification of the second email address specifies from what domain the electronic message must be sent (Verma: paragraphs 0062 and 0064-0071, “The header analysis classifier employed in the inventive scheme differs from the routine presented by other available schemes in several aspects including, but not limited to: (i) dealing with email forwarding issues, (ii) making use of DomainKeys Identified Mail (DKIM) and Sender Policy Framework (SPF) information whenever they are available, and (iii) accounting for the differences in the headers based on whether the email is sent from a mobile device or relayed by multiple servers in the user's domain. The headerAnalysis( ) classifier performs analysis on the data from the extracted headers to determine whether the email is phishing”).
Regarding claims 21 and 31, Verma as modified discloses wherein the security action comprises filtering out the electronic message (Verma: paragraphs 0014 and 0153, “One scheme currently available employs a heuristic algorithm that performs simple header, link and a cursory text analysis (scanning for the presence of certain text filters) of incoming emails. Some researchers have studied the evolution of phishing email messages and developed a classification of phishing messages into two groups: flash and non-flash attacks, and classify phishing features into transitory and pervasive” … “The goal is to filter words that imply an awareness, action or urgency, which are common in subjects of phishing emails”).
Regarding claims 22 and 32, Verma as modified discloses wherein the security action comprises placing the electronic message in a spam folder (Verma: paragraphs 0092, 0097 and 0129, “As DKIM becomes widely deployed, sending domains will develop reputations as sources of spam or useful messages”).
Regarding claims 23 and 33, Verma as modified discloses wherein the security action comprises delivering the electronic message (Verma: paragraphs 0023 and 0097, “Receivers of a message can now check the SPF record and decide whether to accept or reject the message body, thereby reducing the bulk of spam and phishing messages delivered”).
Regarding claims 24 and 34, Verma as modified discloses wherein the security action comprises quarantining the electronic message (Dreller: paragraphs 0014, 0075 and 0079, “Suspicious Messages category (203a) provides the forensic analysis capabilities to isolate the source of the malicious traffic, understand the magnitude of the problem, and gather data that provides additional protection to email users (protect them from phish, etc.) and quite possibly surface data that can be used in the criminal prosecution of the malicious email perpetrator.”).  The same motivation to modify Verma in view of Dreller, as applied in claim 1 above, applies here.
Regarding claims 25 and 35, Verma as modified discloses wherein the security action comprises alerting an admin of the electronic message (Dreller: paragraphs paragraphs 0032, 0034 and 0054, “Alerting servers (105) and Reporting Servers (106). This allows the system to combine both the domain and non-domain phishing attacks together if necessary or leave the non-domain phishing attacks separate and send appropriate outbound messages (107) including by not limited to an email, SMS, iOS alert, Android alert to users detailing the event and include it in the outbound data reports (108) including but not limited to URL feeds and Domain Blacklists to third parties including but not limited to clients, partners, ISPs, Mailbox Providers and Security Take Down Vendors”).  The same motivation to modify Verma in view of Dreller, as applied in claim 1 above, applies here.
Regarding claims 26 and 36, Verma as modified discloses wherein the security action comprises notifying a third party of statistics relating to the electronic message (Verma: paragraphs 0159 and 0161, “Toward this end, statistical analysis on words is performed taking account of their POS tags and senses, to train the classifier. Then this classifier is designed to look for patterns that match selected features up to their senses whenever the classifier analyzes an email.”).  
Regarding claims 27 and 37, Verma as modified discloses wherein the security action comprises marking up the electronic message by adding a warning or explanation (Dreller: paragraph 0007, “Most email mailbox providers (e.g., Yahoo!, AOL, Gmail) offer a way for email mailbox owners to flag a received email as unwanted. This is usually called the "Spam" button. When an email recipient determines that a received email is unwanted they simply click the "Spam" or equivalent button”).  The same motivation to modify Verma in view of Dreller, as applied in claim 1 above, applies here.
Regarding claim 28 and 38, Verma as modified discloses wherein the security action comprises flagging the message (Dreller: paragraph 0007, “Most email mailbox providers (e.g., Yahoo!, AOL, Gmail) offer a way for email mailbox owners to flag a received email as unwanted. This is usually called the "Spam" button. When an email recipient determines that a received email is unwanted they simply click the "Spam" or equivalent button”).  The same motivation to modify Verma in view of Dreller, as applied in claim 1 above, applies here.

Claims 20 and 30 are rejected under 35 U.S.C. 103 as being unpatentable over Verma in view of Dreller, and further in view of Pantalone (US 20070288578) (hereinafter Pantalone).
Regarding claims 20 and 30, Verma in view of Dreller does not explicitly disclose the following limitation which is disclosed by Pantalone, wherein the matching of the first display name and the second display name comprises computing a Hamming distance between the first display name and the second display name and determining that the Hamming distance is below a first threshold value, computing an edit distance between the first display name and the second display name and determining that the edit distance below is a second threshold value, or determining that a support vector machine indicates a similarity based on previously trained examples (Pantalone: paragraphs 0022-0023, “An algorithm may be used to identify similar addresses, such as an algorithm to identify similar names by evaluating differences or distances between the partial e-mail address and each address in the address book. For example, the partial e-mail address may be checked for possible matches by determining either a Hamming distance or a Levenshtein distance between the partial address and each address in the electronic address book”).  Verma in view of Dreller and Pantalone are analogous art because they are from the same field of endeavor, Email Classification.  Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Verma in view of Dreller and Pantalone before him or her, to modify the system of Verma in view of Dreller to include the Hamming distance of Pantalone to detect phishing attacks.  The suggestion/motivation for doing so would have been to detect ambiguities or similar improper addresses (Pantalone: paragraph 0001).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure is listed here and on the enclosed PTO-892 form, 
Commer (US 8255572) discloses a method and apparatus for identifying 419 messages in a live message stream whereby an incoming message in a live message stream is subjected to an anti-spam pipeline made up of multiple anti-spam stages or filters including a whitelist filter stage, a dynamic feedback-based heuristic filter stage, a 419 text-based heuristic filter stage, one or more metadata creating heuristic filter stages, and a metadata analysis stage.
Fenton (US 8090940 B1) discloses an electronic message is accessed. The message comprises a number of headers and a signature comprising a digital signature and a version of the headers. The message is verified based on analysis of the version of the headers and the digital signature. The version of the headers is compared with the headers and a policy is applied based on results of the comparison to determine further processing of the electronic message.
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRANG T DOAN whose telephone number is (571)272-0740.  The examiner can normally be reached on Monday-Friday 7-4 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D Feild can be reached on (571)272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/TRANG T DOAN/Primary Examiner, Art Unit 2431