DETAILED ACTION
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
This Office Action is in response to the amendment filed on 9/01/2022.
Claims 1-9, 11-17 and 29 have been canceled.
Claims 10, 18-28 and 30-38 have been amended.
Claims 39-41 have been added.
Claims 10, 18-28 and 30-41 are pending for consideration.

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Response to Arguments
The rejection of claims 1, 9 and 17 under 35 U.S.C. 112(b) has been withdraw as the claims have been canceled.  
Applicant’s arguments with respect to claims 110, 18-28 and 30-41 have been considered but are moot.

Claim Objections
Claim 40 is objected to because of the following informalities:  the limitation “an interface…he electronic message comprising a header component” needs to be changed to “an interface…the electronic message comprising a header component”.  Appropriate correction is required.

Claim Rejections - 35 USC § 101
35 U.S.C. 101 reads as follows:
Whoever invents or discovers any new and useful process, machine, manufacture, or composition of matter, or any new and useful improvement thereof, may obtain a patent therefor, subject to the conditions and requirements of this title.


Claims 10, 30-34, 36-38 and 40 are rejected under 35 U.S.C. 101 as being directed to no more than software per se or combination of software per se and signals per se.  The claims 10, 30-34, 36-38 and 40 do not fall within at least one of the four categories of patent eligible subject matter because the claimed invention does not direct to any concrete thing consisting of parts or devices.  
Claim 40 is directed to a system that comprises an interface of one or more servers and at least one classifier component.  The specification as originally filed fails to set forth the metes and bounds of what is meant to be encompassed by the terms “interface”, “servers” and “classifier component”.  As such, it is reasonable to interpret these terms as software per se.  Therefore, claim 40 is not patent-eligible subject matter.
The dependent claims 10, 30-34 and 36-38 are depended on the rejected base claim, and are rejected for the same rationales.

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 10, 18-19, 21-28 and 31-41 are rejected under 35 U.S.C. 103 as being unpatentable over Dreller et al. (US 20140082726) (hereinafter Dreller) in view of Su et al. (US 8424091) (hereinafter Su).
Regarding claim 39, Dreller discloses a method for improving electronic message filtering by one or more servers to detect phishing attempts based on deceptive display names in electronic messages, the method comprising: receiving, by the one or more servers, an electronic message sent over a network to a user, the electronic message comprising a header component and a content component (Dreller: paragraphs 0027-0029, “The Classification servers (103) continuously receive Message Level data including Email Abuse Complaint Messages (201a), Spam Trap Messages (201b), Private Message Level data (201d), DMARC Forensic Messages (201f) and Subscriber Level Data (201g) from the email servers (101) as a set of parsed email fields including the full text of the email. The parsed email fields are FROM DOMAIN, SENDING IP ADDRESS (sometimes referred to as SOURCE IP ADDRESS), MFROM DOMAIN, DKIM DOMAIN, AUTHENTICATION RESULTS header, RECEIVED_SPF header, SUBJECT, and a list of URLS contained in the email body”), the header comprising a first email address of a sender and a first display name associated with the first email address (Dreller: paragraph 0051, “The EMAIL BODY CONTENT includes, but is not limited to, the full FROM HEADER, DISPLAY NAME, SUBJECT LINE, EMAIL BODY and associated ATTACHMENTS.”), the first email address comprising a username and a domain name (Dreller: paragraphs 0027-0029, “The parsed email fields are FROM DOMAIN, SENDING IP ADDRESS (sometimes referred to as SOURCE IP ADDRESS), MFROM DOMAIN, DKIM DOMAIN, AUTHENTICATION RESULTS header, RECEIVED_SPF header, SUBJECT, and a list of URLS contained in the email body”); 
using, by at least one classifier component, Domain-based Message Authentication, Reporting, and Conformance (DMARC) to verify the domain name to determine whether the first email address used to send the electronic message is associated with an authoritative entity (Dreller: paragraphs 0040, “FROM DOMAIN and SENDING IP ADDRESS. The FROM DOMAIN is important because it identifies the purported sender of the email and enables the Classification System (202) to compare the FROM DOMAIN in the email to a known list of customer FROM DOMAINs stored in the Classification data (208)”); 
responsive to the domain name failing verification, determining that the electronic message was not sent from the authoritative entity and performing a security action by the one or more servers (Dreller: paragraphs 0047, 0054 and 0058, “The bottom portion of FIG. 4 shows the Suspicious Messages (203a) output (412) and details (402-404). These details inform users about fraudulent messages and their origin to allow the end users to take action”); 
responsive to the verification of the domain name: accessing from a memory, by at least one classifier component executing on the one or more servers, a whitelist associated to the user that includes contact information of contacts of the user for which the user had previous electronic communications, the whitelist further including at least one entry associated with an authoritative entity, the at least one entry comprising at least a second display name and an identification of a second email address associated with the authoritative entity (Dreller: paragraphs 0037, 0040 and 0051, “The EMAIL BODY CONTENT includes, but is not limited to, the full FROM HEADER, DISPLAY NAME, SUBJECT LINE, EMAIL BODY and associated ATTACHMENTS. The Phish Detection Search Engine (110) also searches all categorized data (203a-d) in real time from the Classification servers (103). The Phish Detection Search Engine (110) also searches the data noted above for the use of display names, trademarks and other terms that may or may not be trademarked by the domain owner for use of their brand in phishing and spoofing attacks. An example of the distinction is the ownership of bigbank.com by the company Bigbank. The domain classification system (202) described above (FIGS. 2, 3) determines whether the mail originating from bigbank.com domain that is owned by bigbank.com is legitimate (203d) or whether it is suspicious”); 
comparing, by the one or more servers, the first display name of the sender from the electronic message with the second display name associated with the authoritative entity from the whitelist (Dreller: paragraphs 0037, 0040 and 0051, “The Phish Detection Search Engine (110) also searches the data noted above for the use of display names, trademarks and other terms that may or may not be trademarked by the domain owner for use of their brand in phishing and spoofing attacks. An example of the distinction is the ownership of bigbank.com by the company Bigbank. The domain classification system (202) described above (FIGS. 2, 3) determines whether the mail originating from bigbank.com domain that is owned by bigbank.com is legitimate (203d) or whether it is suspicious”); 
responsive to the first display name matching the second display name, comparing, by the one or more servers, the first email address of the sender with the second email address from the whitelist (Dreller: paragraphs 0051 and 0082, “ach of those steps can be utilized with one or more of the other steps, by itself, or with other steps. Thus, for instance, the Authorized IP Check (304) is useful independent of the Classification System (202). The SENDING IP ADDRESSES from any email message can be processed by the Authorized IP Check (304). In combination with the Customer Data (302) the Authorized IP Check is a reliable way to determine if an email was sent by a domain owner. In addition, the Known Forwarder Check (306) Forward DKIM Check (307) are useful independent of the Classification System (202) for determining if an email message sent from a forwarding IP Address is not Suspicious”); 
responsive to the first email address matching second email address, determining that the electronic message was sent from the authoritative entity, and delivering the electronic message by the one or more servers (Dreller: paragraphs 0046 and 0048, “If all Authentication Checks, DKIM, SPF and Identity Alignment pass the email processing is complete and the email is sent to the No Problem category”); and 
responsive to the first email address failing to match second email address, determining that the electronic message was not sent from the authoritative entity and performing a security action by the one or more servers (Dreller: paragraphs 0048 and 0084, “If the DKIM Result is a pass, processing is complete and the email is sent to the No Problem category (203d). If the DKIM Result is a not pass, processing is complete and the email is sent to the Forwarding Problems category”… “The message (1101) is classified as Suspicious (203a) and stored on the Storage/Database Servers (104) and sent to the Phish Detection Search Engine (110), Alerting Servers (105), and Reporting Servers (106) for immediate action if deemed necessary.”).
Dreller does not explicitly disclose the following limitation which is disclosed by Su, accessing a whitelist specific to the user (Su: column 10 lines 43-50, “In the example of FIG. 6, the filtering module 191A utilizes plug-in filters comprising a whitelist filter, a language filter, and a property filter. The whitelist filter can be customized by users, and could be configured to filter out sender names, sender domains, sender IP, or subject indicated in the whitelist filter. That is, emails having characteristics matching those in the whitelist filter are deemed to be normal, and can thus be forwarded to the user without further analysis”).
Dreller and Su are analogous art because they are from the same field of endeavor, Email Classification.  Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Dreller and DreSuller before him or her, to modify the system of Dreller to include a whitelist that is specific configured for a user of Su to detect phishing attacks.  The suggestion/motivation for doing so would have been to detect unknown security threats (Su: column 5 lines 42-43).
Regarding claim 40, claim 40 discloses a system claim that is substantially equivalent to the method of claim 39.  Therefore, the arguments set forth above with respect to claim 39 are equally applicable to claim 40 and rejected for the same reasons.
Regarding claim 41, claim 41 discloses a medium claim that is substantially equivalent to the method of claim 39.  Therefore, the arguments set forth above with respect to claim 39 are equally applicable to claim 41 and rejected for the same reasons.
Regarding claim 10, Dreller as modified discloses wherein performing a security action further comprises: one or more of not delivering the electronic message, placing the electronic message in a spam folder, notifying a third party, sending a warning, and generating statistics (Dreller: paragraphs 0018, 0060 and 0077, “take action on fraudulent email messages”… “or instance in FIG. 4, the number 627 is the number of messages that the ISP partner(s) took action on the message (rejected or placed in the spam folder for example) that contained the subject line "Fraudulent Message Subject Line One" The result of the policy as determined by the ISP or Mailbox provider is referred to as the message disposition (204b)”… “This allows the domain owner to assert different blocking policies at different mailbox providers.”).
Regarding claim 18, Dreller as modified discloses further comprising: responsive to no output of the indicator of risk, delivering, by the one or more processors, the electronic message (Dreller: paragraphs 0048, 0087 and 0088, “the DKIM RESULT is provided in the aggregate data. If the DKIM Result is a pass, processing is complete and the email is sent to the No Problem category”).
Regarding claim 19, Dreller as modified discloses wherein the identification of the second email address specifies from what domain the electronic message must be sent (Dreller: paragraphs 0045-0046 and 0085, “the SPF RESULT is extracted from the RECEIVED-SPF header or the AUTHENTICATION-RESULTS header including the original email.” … “The Email Servers (101) parse the message into a set of parsed fields: FROM DOMAIN=badguy.com (1102a), SENDING IP ADDRESS=10.10.10.56 (1102b), MFROM DOMAIN=badguy.com (1102c), DKIM DOMAIN=badguy.com (1102d), DKIM RESULT=none (1102e), SPF RESULT=fail (1102f), COUNT=1. The Classification Servers (103) receive the parsed fields and start the Classification System (202) process. The first step is the Authorized IP check (304). The FROM DOMAIN (1102a) of the message (1102), "badguy.com" is looked up in the customer data (302), defined by FIG. 11f, 1106. `badguy.com` is not present therefore the Authorized IP check result is a NO and the message moves to the Known Forwarder Check (306). In the Known Forwarder Check (306) the SENDING IP ADDRESS (1102b), from the message (1102) is looked up in the Known Forwarder List (303) defined by FIG. 11f, 1106. The SENDING IP ADDRESS (1102b), 10.10.10.56, does not exist in the Known Forwarder List (303) therefore the Known Forwarder Check returns NO. The message (11b) is classified as Suspicious”).
Regarding claims 21 and 31, Dreller as modified discloses wherein the security action comprises filtering out the electronic message (Dreller: paragraphs 0042, 0078 and 0079, “Categorizing email message traffic displays the information needed to fix a network (such as authentication problems (203b)), the malicious traffic (Suspicious (203a), the legitimate messages that have failed authentication beyond my control (forwarding (203c)). It also highlights where everything is going well (No Problems (203d)). The present invention provides the information quickly and accurately. The categories allow the user to think about the problems on his/her network.”).
Regarding claims 22 and 32, Dreller as modified discloses wherein the security action comprises placing the electronic message in a spam folder (Dreller: paragraphs 0018, 0060 and 0077, “take action on fraudulent email messages”… “or instance in FIG. 4, the number 627 is the number of messages that the ISP partner(s) took action on the message (rejected or placed in the spam folder for example)).
Regarding claims 23 and 33, Dreller as modified discloses wherein the security action comprises delivering the electronic message (Dreller: paragraph 0078, “Categorizing email message traffic displays the information needed to fix a network (such as authentication problems (203b)), the malicious traffic (Suspicious (203a), the legitimate messages that have failed authentication beyond my control (forwarding (203c)). It also highlights where everything is going well (No Problems (203d)). The present invention provides the information quickly and accurately. The categories allow the user to think about the problems on his/her network.”).
Regarding claims 24 and 34, Dreller as modified discloses wherein the security action comprises quarantining the electronic message (Dreller: paragraphs 0014 and 0079, “the policy can instruct the receiver to quarantine or reject the email message.”… “getting to the point where the user can enforce a blocking policy on the unauthenticated traffic. Then, the Suspicious Messages category (203a) provides the forensic analysis capabilities to isolate the source of the malicious traffic, understand the magnitude of the problem, and gather data that provides additional protection to email users (protect them from phish, etc.) and quite possibly surface data that can be used in the criminal prosecution of the malicious email perpetrator.”).  
Regarding claims 25 and 35, Dreller as modified discloses wherein the security action comprises alerting an admin of the electronic message (Dreller: paragraphs 0026, 0034-0035 and 0084, “the alerting servers (105) continuously receive and examine (in real-time) the data from the Classification Servers (103), the Storage/Database Servers (104) and the Phish Detection Search Engine (110) for user defined events, such as but not limited to the number of Suspicious messages over a user defined threshold in a user specified time period, and send messages (107) to users detailing the event, including by not limited to an email, SMS, iOS alert, Android alert”).  
Regarding claims 26 and 36, Dreller as modified discloses wherein the security action comprises notifying a third party of statistics relating to the electronic message (Dreller: paragraphs 0067 and 0075, “detailed Authentication Results (205d) is a summary of the DKIM and SPF results, presented in a grid with DKIM results on the y axis and SPF results on the x axis. This provides a matrix of result combinations to the user. In each intersecting box is the count of email messages or a count of SENDING IP ADDRESSES. Clicking the number of IPs (601) links to FIG. 5 which includes detailed IP Address information, specifically highlighting the rDNS hostname (502), Return Path Senderscore (504), geographic location of IP Address (505) and the option to display a sample message from each IP Address (507).”… “another example of differential analysis is variance in DKIM or SPF verification practices across receiving networks. This is the same concept as above, but instead of within a single network the same problem persists across networks. For example, receiving network A may possess entirely different authentication verification technology than receiving network B, this it is common to experience variances in authentication results even when a domain owner is following published guidelines (RFC specifications.) As a domain owner, having this information greatly reduces troubleshooting time and allows them to configure different authentication signing policies and practices depending on the receiving network. The variance data are presented graphically and in data tables to quickly isolate variance-contributing authentication verification points.”).  
Regarding claims 27 and 37, Dreller as modified discloses wherein the security action comprises marking up the electronic message by adding a warning or explanation (Dreller: paragraph 0007, “The email mailbox provider then creates a message called a "complaint" containing a small report and a copy of the unwanted message. Normally the complaint is sent to the "domain owner" of the unwanted email as defined by the "return-path" header within the email message, RFC 3834. Return Path Inc. hosts "Feedback Loops" on behalf of various mailbox providers. The data generated by the "Feedback Loops" is referred to as "Complaint" data”).  
Regarding claim 28 and 38, Dreller as modified discloses wherein the security action comprises flagging the message (Dreller: paragraph 0007, “Most email mailbox providers (e.g., Yahoo!, AOL, Gmail) offer a way for email mailbox owners to flag a received email as unwanted. This is usually called the "Spam" button. When an email recipient determines that a received email is unwanted they simply click the "Spam" or equivalent button”).  

Claims 20 and 30 are rejected under 35 U.S.C. 103 as being unpatentable over Dreller in view of Su, and further in view of Pantalone (US 20070288578) (hereinafter Pantalone).
Regarding claims 20 and 30, Dreller in view of Su does not explicitly disclose the following limitation which is disclosed by Pantalone, wherein the comparing of the first display name and the second display name comprises computing a Hamming distance between the first display name and the second display name and determining that the Hamming distance is below a first threshold value, computing an edit distance between the first display name and the second display name and determining that the edit distance below is a second threshold value, or determining that a support vector machine indicates a similarity based on previously trained examples (Pantalone: paragraphs 0022-0023, “An algorithm may be used to identify similar addresses, such as an algorithm to identify similar names by evaluating differences or distances between the partial e-mail address and each address in the address book. For example, the partial e-mail address may be checked for possible matches by determining either a Hamming distance or a Levenshtein distance between the partial address and each address in the electronic address book”).  Dreller in view of Su and Pantalone are analogous art because they are from the same field of endeavor, Email Classification.  Before the effective filing date of the claimed invention, it would have been obvious to one of ordinary skill in the art, having the teachings of Dreller in view of Su and Pantalone before him or her, to modify the system of Dreller in view of Su to include the Hamming distance of Pantalone to detect phishing attacks.  The suggestion/motivation for doing so would have been to detect ambiguities or similar improper addresses (Pantalone: paragraph 0001).

Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure is listed here and on the enclosed PTO-892 form, 
Commer (US 8255572) discloses a method and apparatus for identifying 419 messages in a live message stream whereby an incoming message in a live message stream is subjected to an anti-spam pipeline made up of multiple anti-spam stages or filters including a whitelist filter stage, a dynamic feedback-based heuristic filter stage, a 419 text-based heuristic filter stage, one or more metadata creating heuristic filter stages, and a metadata analysis stage.
Fenton (US 8090940 B1) discloses an electronic message is accessed. The message comprises a number of headers and a signature comprising a digital signature and a version of the headers. The message is verified based on analysis of the version of the headers and the digital signature. The version of the headers is compared with the headers and a policy is applied based on results of the comparison to determine further processing of the electronic message.
Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action.  Accordingly, THIS ACTION IS MADE FINAL.  See MPEP § 706.07(a).  Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).  
A shortened statutory period for reply to this final action is set to expire THREE MONTHS from the mailing date of this action.  In the event a first reply is filed within TWO MONTHS of the mailing date of this final action and the advisory action is not mailed until after the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action.  In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to TRANG T DOAN whose telephone number is (571)272-0740.  The examiner can normally be reached on Monday-Friday 7-4 ET.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Lynn D Feild can be reached on (571)272-2092.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.






/TRANG T DOAN/Primary Examiner, Art Unit 2431