CN103078753B - Mail processing method, device and system - Google Patents

Publication number: CN103078753B
Authority: CN (China)
Application number: CN201210580437.8A
Other versions: CN103078753A (en)
Other languages: Chinese (zh)
Legal status: Active
Inventors: 孙灵峰, 诸葛建伟, 郭军权
Current Assignee: Huawei Technologies Co Ltd
Original Assignee: Huawei Technologies Co Ltd
Prior art keywords: mail, test, envelope, server, honey client
Landscapes: Data Exchanges In Wide-Area Networks; Information Transfer Between Computers
Abstract

The embodiments of the invention disclose a mail processing method and device. The method includes: when a remote host connects to the open relay port, or when the destination host port connected through the open proxy port is an SMTP port, establishing a connection with the remote host; receiving first mail data sent by the remote host over the connection; for each mail contained in the first mail data, judging whether the mail is a doubtful test mail; if it is a doubtful test mail, reporting the mail to a server so that the server forwards the mail when a preset condition is met; if it is not a doubtful test mail, discarding the mail. The invention maintains stickiness toward spammers and prevents the mail honeypot from being abused.

Description

Mail processing method, device and system
Technical field
The present invention relates to the communications field, and in particular to a mail processing method, a honey client, a server and a mail processing system.
Background
Spam is the generic term for unsolicited e-mail. The widespread use of blacklisting has pushed spammers toward open relays (Open Relay) and open proxies (Open Proxy), with which they forge the sender of a spam message and hide their real source IP address, alter the characteristics of the spam by any means available, get past mail filtering and evade tracing.
An open relay is a Simple Mail Transfer Protocol (SMTP) service that relays mail without authenticating the sender's information. Through an open relay a spammer can arbitrarily disguise the sender and hide addressee information, so as to confuse mail users and evade tracing. An open proxy is a proxy service that forwards data without user authentication; using an open proxy hides the source IP address of the mail. Analysis has found that the mail sent through open relays and open proxies is essentially all spam.
Understanding spammer behavior is a key step in the long-term fight against spam, and collecting large amounts of spam is the first task in studying that behavior. Traditional spam collection methods have not escaped the passivity inherent in defensive techniques, and mail honeypot technology is receiving more and more attention for its active-defense character. A honeypot is a resource whose value lies in being attacked or compromised. Mail honeypot technology means setting up a mail honeypot and luring spammers into using it to forward spam, thereby capturing the spam. A mail honeypot can collect the latest spam samples, record spammer behavior and locate the spammer's source IP address, while also consuming the spammer's time and resources.
Current spam honeypots are all based on SMTP alone, that is, they are open-relay mail honeypots. An open-relay mail honeypot obtains spam mainly as follows: it listens on Transmission Control Protocol (TCP) port 25; when a spammer connects to the open-relay mail honeypot through a remote host, the spam the spammer sends is saved locally, and the spam data is then either all forwarded or all discarded.
However, discarding all the spam that a spammer sends through the remote host reduces the open-relay mail honeypot's stickiness toward the spammer, while forwarding all of it causes the open-relay mail honeypot to be abused.
Summary of the invention
The embodiments of the present invention provide a mail processing method and device that maintain stickiness toward spammers and prevent the mail honeypot from being abused.
In a first aspect, an embodiment of the present invention provides a mail processing method, including:
when a remote host connects to the open relay port of a honey client, or when the destination host port that the remote host connects to through the open proxy port of the honey client is an SMTP port, the honey client establishes a connection with the remote host;
the honey client receives first mail data sent by the remote host over the connection;
for each mail contained in the first mail data, the honey client judges whether the mail is a doubtful test mail;
if it is a doubtful test mail, the honey client reports the mail to a server, so that the server forwards the mail when a preset condition is met;
if it is not a doubtful test mail, the honey client discards the mail.
With reference to the first aspect, in a first possible implementation of the first aspect, the honey client judging whether the mail is a doubtful test mail includes:
the honey client judges whether the addressee information of the mail meets an addressee condition; if the result is yes, the mail is a doubtful test mail; otherwise, the mail is not a doubtful test mail.
With reference to the first aspect and/or the first possible implementation of the first aspect, in a second possible implementation of the first aspect, before the honey client judges whether the mail is a doubtful test mail, the method further includes:
the honey client judges whether the mail meets a sampling condition;
if the sampling condition is met, the honey client reports the mail to the server;
if the sampling condition is not met, the honey client then performs the step of judging whether the mail is a doubtful test mail.
With reference to the second possible implementation of the first aspect, in a third possible implementation of the first aspect, the honey client judging whether the mail meets the sampling condition includes:
the honey client judges whether the mail is the first mail sent by the remote host in this connection; if so, the sampling condition is met;
if not, the honey client judges whether the sequence number of the mail within this connection satisfies a sequence number rule; if it does, the sampling condition is met; if it does not, the sampling condition is not met.
With reference to the first aspect and/or the first, second or third possible implementation of the first aspect, in a fourth possible implementation of the first aspect, the method further includes:
the honey client reports to the server the connection information with which the remote host connected to the open relay port or open proxy port; and/or
the honey client reports to the server the SMTP command information used when the connection was established.
With reference to the first aspect and/or the first, second, third or fourth possible implementation of the first aspect, in a fifth possible implementation of the first aspect, the method further includes:
when the destination host port that the remote host connects to through the open proxy port of the honey client is not an SMTP port, the honey client judges whether the data sent by the remote host meets a forwarding condition;
when the forwarding condition is met, the data sent by the remote host is forwarded to the destination host;
when the forwarding condition is not met, the data sent by the remote host is discarded.
In a second aspect, an embodiment of the present invention provides a mail processing method, including:
a server receives second mail data sent by a honey client, the second mail data including doubtful test mail;
for each mail contained in the second mail data, the server judges the type of the mail;
if the mail is judged to be a non-test mail, the server does not forward the mail;
if the mail is judged to be a rubbish test mail, the server forwards the mail according to the address information of the mail;
if the mail is judged to be an anti-spam test mail, the server does not forward the mail.
With reference to the second aspect, in a first possible implementation of the second aspect, the server judging the type of the mail includes:
the server judges whether the mail contains a keyword of rubbish test mail; if it does not, the type of the mail is non-test mail;
if it contains a keyword of rubbish test mail, the server judges whether the mail contains a keyword of anti-spam test mail; if it does not, the type of the mail is rubbish test mail; if it does, the type of the mail is anti-spam test mail.
With reference to the first possible implementation of the second aspect, in a second possible implementation of the second aspect, if the second mail data also includes sampled mail, then before the server judges the type of the mail, the method further includes:
the server judges whether the addressee information of the mail meets the addressee condition; if the result is no, the type of the mail is non-test mail;
if the result is yes, the server then performs the step of judging whether the mail contains a keyword of rubbish test mail.
With reference to the second aspect and/or the first or second possible implementation of the second aspect, in a third possible implementation of the second aspect, the method further includes:
the server stores the mail data sent by the honey client; and/or
the server receives and stores the SMTP command information sent by the honey client; and/or
the server receives and stores the connection information of the remote host sent by the honey client.
In a third aspect, an embodiment of the present invention provides a honey client, including:
a connection establishing unit, configured to establish a connection with a remote host when the remote host connects to the open relay port of the honey client, or when the destination host port that the remote host connects to through the open proxy port of the honey client is an SMTP port;
a first receiving unit, configured to receive the first mail data sent by the remote host over the connection established by the connection establishing unit;
a first judging unit, configured to judge, for each mail contained in the first mail data received by the first receiving unit, whether the mail is a doubtful test mail;
a reporting unit, configured to report the mail to a server if the first judging unit judges that the mail is a doubtful test mail, so that the server forwards the mail when a preset condition is met;
a discarding unit, configured to discard the mail if the first judging unit judges that the mail is not a doubtful test mail.
With reference to the third aspect, in a first possible implementation of the third aspect, the first judging unit is specifically configured to:
judge whether the addressee information of the mail meets the addressee condition; if the result is yes, the mail is a doubtful test mail; otherwise, the mail is not a doubtful test mail.
With reference to the third aspect and/or the first possible implementation of the third aspect, in a second possible implementation of the third aspect, the first judging unit is further configured to: judge, for each mail contained in the first mail data, whether the mail meets the sampling condition; and if the sampling condition is not met, perform the step of judging whether the mail is a doubtful test mail;
the reporting unit is further configured to: report the mail to the server if the first judging unit judges that the mail meets the sampling condition.
With reference to the second possible implementation of the third aspect, in a third possible implementation of the third aspect, the first judging unit is specifically configured to judge whether the mail meets the sampling condition as follows: judge whether the mail is the first mail of the remote host in this connection; if so, the sampling condition is met; if not, judge whether the sequence number of the mail within this connection satisfies the sequence number rule; if it does, the sampling condition is met; if it does not, the sampling condition is not met.
With reference to the third aspect and/or the first, second or third possible implementation of the third aspect, in a fourth possible implementation of the third aspect, the reporting unit is further configured to:
report to the server the connection information with which the remote host connected to the open relay port or open proxy port; and/or
report to the server the SMTP command information used when the connection was established.
With reference to the third aspect and/or the first, second, third or fourth possible implementation of the third aspect, in a fifth possible implementation of the third aspect, the first judging unit is further configured to:
judge whether the data sent by the remote host meets the forwarding condition when the destination host port that the remote host connects to through the open proxy port of the honey client is not an SMTP port;
the honey client further includes:
a first forwarding unit, configured to forward the data sent by the remote host to the destination host when the first judging unit judges that the data sent by the remote host meets the forwarding condition;
the discarding unit is further configured to: discard the data sent by the remote host when the first judging unit judges that the data sent by the remote host does not meet the forwarding condition.
In a fourth aspect, an embodiment of the present invention provides a server, including:
a second receiving unit, configured to receive second mail data sent by a honey client, the second mail data including doubtful test mail;
a second judging unit, configured to judge, for each mail contained in the second mail data received by the second receiving unit, the type of the mail;
a mail processing unit, configured not to forward the mail if the second judging unit judges that the mail is a non-test mail, and not to forward the mail if the mail is judged to be an anti-spam test mail;
a second forwarding unit, configured to forward the mail according to the address information of the mail if the second judging unit judges that the mail is a rubbish test mail.
With reference to the fourth aspect, in a first possible implementation of the fourth aspect, the second judging unit is specifically configured to:
judge whether the mail contains a keyword of rubbish test mail; if it does not, the type of the mail is non-test mail;
if it contains a keyword of rubbish test mail, judge whether the mail contains a keyword of anti-spam test mail; if it does not, the type of the mail is rubbish test mail; if it does, the type of the mail is anti-spam test mail.
With reference to the first possible implementation of the fourth aspect, in a second possible implementation of the fourth aspect, if the second mail data also includes sampled mail, the second judging unit is further specifically configured to:
judge whether the addressee information of the mail meets the addressee condition; if the result is no, the type of the mail is non-test mail;
if the result is yes, then judge whether the mail contains a keyword of rubbish test mail.
With reference to the fourth aspect and/or the first or second possible implementation of the fourth aspect, in a third possible implementation of the fourth aspect:
the second receiving unit is further configured to: receive the SMTP command information sent by the honey client; and/or receive the connection information of the remote host sent by the honey client;
the server further includes a storage unit, configured to store the mail data sent by the honey client; and/or store the SMTP command information sent by the honey client; and/or store the connection information of the remote host sent by the honey client.
In a fifth aspect, an embodiment of the present invention provides a mail processing system, including the honey client according to the third aspect or any possible implementation of the third aspect, and the server according to the fourth aspect or any possible implementation of the fourth aspect.
In the embodiments of the present invention, when a remote host connects to the open relay port, or when the destination host port connected through the open proxy port is an SMTP port, the honey client establishes a connection with the remote host and receives over the connection the first mail data sent by the remote host. For each mail contained in the first mail data, the honey client judges whether the mail is a doubtful test mail; if it is, the honey client reports the mail to the server so that the server forwards the mail when a preset condition is met; if it is not, the honey client discards the mail. The doubtful test mail in the first mail data is thus reported to the server and forwarded by the server when the preset condition is met, which maintains the honey client's stickiness toward spammers; at the same time, mail that is not doubtful test mail is discarded, which prevents the honey client from being abused.
Brief description of the drawings
To describe the technical solutions of the embodiments of the present invention or of the prior art more clearly, the drawings needed in the embodiments are briefly introduced below. The drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a structural diagram of the spam honeypot system of an embodiment of the present invention;
Fig. 2 is a flow chart of a first embodiment of the mail processing method of the present invention;
Fig. 3 is a flow chart of a second embodiment of the mail processing method of the present invention;
Fig. 4 is a flow chart of a third embodiment of the mail processing method of the present invention;
Fig. 5 is a flow chart of a fourth embodiment of the mail processing method of the present invention;
Fig. 6 is a schematic diagram of a first embodiment of the mail processing device of the present invention;
Fig. 6A is a schematic diagram of a second embodiment of the mail processing device of the present invention;
Fig. 7 is a schematic diagram of a third embodiment of the mail processing device of the present invention;
Fig. 7A is a schematic diagram of a fourth embodiment of the mail processing device of the present invention;
Fig. 8 is a schematic structural diagram of the honey client of an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of the server of an embodiment of the present invention.
Detailed description of the embodiments
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the drawings in the embodiments. The described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Referring to Fig. 1, the spam honeypot system provided by the invention includes two parts, a honey client 110 and a server 120. The honey client 110 provides an open relay service; the port used by the open relay service may be TCP port 25, which is the port dedicated to the SMTP protocol. Optionally, the honey client 110 may also provide an open proxy service; the port used by the open proxy service may be a port such as 1080 or 8080. There may be at least one honey client 110. If the system has several honey clients 110, they can be deployed in a distributed fashion across different address spaces, which makes the data sampled by the honey clients 110 more comprehensive and more representative. Moreover, because the honey client 110 provides several services that can hide the sender's real address information, such as open relay and open proxy, and is deployed in a distributed fashion across different network address spaces, the probability that spammers discover the spam honeypot system is raised as far as possible.
Each honey client 110 is connected to the server 120; the honey client 110 and the server 120 can communicate by means such as the Internet.
The server 120 can be deployed centrally. It stores centrally the data sent by the at least one honey client 110 and can centrally forward the rubbish test mail among the mail sent by the honey clients 110. Deploying the server 120 centrally reduces as far as possible the risks that forwarding spammers' test mail brings to the spam honeypot system.
The mail processing method, honeypot device and honeypot system in the above scenario are described in more detail below.
Referring to Fig. 2, which is a flow chart of the first embodiment of the mail processing method of the present invention, the method is described from the perspective of the honey client and includes:
Step 201: when a remote host connects to the open relay port of the honey client, or when the destination host port that the remote host connects to through the open proxy port of the honey client is an SMTP port, a connection is established between the honey client and the remote host;
Here the SMTP port includes the port used by an open relay and the port used by a non-open relay. When the connection is to a port used by a non-open relay, that port requires the user to be authenticated.
Step 202: the honey client receives the mail data sent by the remote host over the connection;
Step 203: for each mail contained in the mail data, the honey client judges whether the mail is a doubtful test mail; if it is a doubtful test mail, step 204 is performed; if it is not a doubtful test mail, that is, it is not a test mail, step 205 is performed.
Here a doubtful test mail is a mail that has a relatively high probability of being a test mail. How the honey client judges whether a mail is a doubtful test mail is explained in step 407 of Fig. 4 below and is not repeated here.
Step 204: the honey client reports the mail to the server, so that the server forwards the mail when a preset condition is met.
Step 205: the honey client discards the mail.
In this embodiment, when a remote host connects to the open relay port, or when the destination host port connected through the open proxy port is an SMTP port, the honey client establishes a connection with the remote host and receives over the connection the first mail data sent by the remote host. For each mail contained in the first mail data, the honey client judges whether the mail is a doubtful test mail; if it is, the honey client reports the mail to the server so that the server forwards the mail when a preset condition is met; if it is not, the honey client discards the mail. Doubtful test mail is thus reported to the server, and the server forwards the mail that meets the preset condition, which maintains the honey client's stickiness toward spammers; at the same time, mail that is not doubtful test mail is discarded, which prevents the honey client from being abused.
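The honey client's side of this flow, as an added Python example that is not code from the patent: it applies the connection rule of step 201, then the sampling check from the summary, then the doubtful-test check. The patent does not define the sequence number rule or the addressee condition, so `SMTP_PORTS`, `SAMPLE_EVERY`, `MAX_TEST_RECIPIENTS` and every function and class name here are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Tuple

OPEN_RELAY_PORT = 25              # from the page: open relay on TCP port 25
OPEN_PROXY_PORTS = {1080, 8080}   # from the page: example open proxy ports
SMTP_PORTS = {25}                 # assumption: destination ports treated as SMTP
SAMPLE_EVERY = 50                 # hypothetical sequence number rule: every 50th mail
MAX_TEST_RECIPIENTS = 2           # hypothetical addressee condition: at most 2 recipients


class Action(Enum):
    REPORT_SAMPLE = "report to server as sample"
    REPORT_DOUBTFUL = "report to server as doubtful test mail"
    DISCARD = "discard"


def is_mail_connection(listen_port: int, dest_port: Optional[int] = None) -> bool:
    """Step 201: decide whether a new connection is handled as a mail session."""
    if listen_port == OPEN_RELAY_PORT:
        return True
    # Through the open proxy, only a destination that is an SMTP port qualifies.
    return listen_port in OPEN_PROXY_PORTS and dest_port in SMTP_PORTS


def meets_sampling_condition(seq: int) -> bool:
    """First mail of the connection, or a sequence number matching the rule."""
    return seq == 1 or seq % SAMPLE_EVERY == 0


def meets_addressee_condition(rcpt_to: List[str]) -> bool:
    """Assumed rule for illustration only: a short, non-empty recipient list."""
    return 0 < len(rcpt_to) <= MAX_TEST_RECIPIENTS


def triage(seq: int, rcpt_to: List[str]) -> Action:
    """Sampling is checked first; the doubtful-test check runs only if it fails."""
    if meets_sampling_condition(seq):
        return Action.REPORT_SAMPLE
    if meets_addressee_condition(rcpt_to):
        return Action.REPORT_DOUBTFUL
    return Action.DISCARD


@dataclass
class Session:
    """One remote-host connection; sequence numbers are local to it."""
    remote_ip: str
    seq: int = 0
    reported: List[Tuple[int, Action]] = field(default_factory=list)
    discarded: int = 0

    def on_mail(self, rcpt_to: List[str]) -> Action:
        self.seq += 1
        action = triage(self.seq, rcpt_to)
        if action is Action.DISCARD:
            self.discarded += 1                       # never leaves the honey client
        else:
            self.reported.append((self.seq, action))  # the server decides on forwarding
        return action


def run_constructed_session() -> Session:
    """Constructed traffic: two single-recipient mails, then a bulk run of 118."""
    s = Session(remote_ip="192.0.2.10")               # documentation address
    s.on_mail(["probe@example.net"])                  # seq 1: sampled as first mail
    s.on_mail(["probe@example.net"])                  # seq 2: doubtful test mail
    bulk = [f"user{i}@example.org" for i in range(40)]
    for _ in range(118):                              # seq 3..120
        s.on_mail(bulk)
    return s


if __name__ == "__main__":
    session = run_constructed_session()
    for seq, action in session.reported:
        print(seq, action.value)
    print("discarded:", session.discarded)
```

With these assumed rules the honey client passes only four of the 120 mails to the server and forwards nothing itself.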
Referring to Fig. 3, which is a flow chart of the second embodiment of the mail processing method of the present invention, the method is described from the perspective of the server and includes:
Step 301: the server receives the second mail data sent by the honey client; the second mail data includes doubtful test mail;
Step 302: for each mail contained in the second mail data, the server judges the type of the mail; if the mail is judged to be a non-test mail, or an anti-spam test mail among test mail, step 303 is performed; if the mail is judged to be a rubbish test mail among test mail, step 304 is performed.
In the embodiments of the present invention, mail is divided by type into test mail and non-test mail, and test mail is divided into anti-spam test mail and rubbish test mail. Specifically:
A rubbish test mail is a test mail sent by a spammer to test whether the open relay or open proxy of a mail service provider correctly forwards the spam the spammer sends. If the mail service provider forwards it correctly, the spammer will subsequently send large amounts of spam through that provider; if it does not, the spammer gives up sending spam through that provider and goes on to test other mail service providers. In step 304 below, the server forwards rubbish test mail, which prevents the spammer from abandoning the honey client and server of the embodiments of the present invention as a means of forwarding large amounts of spam, and so improves the stickiness of the honey client and server toward the spammer.
An anti-spam test mail is a test mail sent by an anti-spam organization or a mail service provider to test whether a mail service provider offering an open proxy service or open relay service forwards spam; according to the test result, the IP address of a mail service provider that forwards spam is put on a blacklist. In step 303 below, anti-spam test mail is not forwarded, which prevents the anti-spam organization or mail service provider from blacklisting the IP addresses of the honey client and server of the embodiments of the present invention.
Analysis has found that the mail sent through open relays and open proxies is essentially all spam. Therefore, in the second mail data sent by the honey client, apart from rubbish test mail and anti-spam test mail, the other mail is non-test mail, and this non-test mail is essentially all spam. In step 303 below, non-test mail is not forwarded, that is, spam is not forwarded, which keeps spammers from forwarding large amounts of spam through the honey client and server and prevents the mail relay resources of the honey client and server from being abused.
In this step, the criterion the server uses to judge the type of the mail is stricter than the criterion the honey client uses in step 203 to judge whether the mail is a doubtful test mail. In terms of purpose, the honey client's judgment in step 203 is only a coarse screening of whether the mail is a test mail, so that doubtful test mail is reported to the server; the server's judgment of the mail type is an accurate judgment, so that the non-test mail and, within test mail, the rubbish test mail and anti-spam test mail are determined accurately and handled accordingly.
In one possible implementation, the server judging the type of the mail may include:
the server judges whether the mail contains a keyword of rubbish test mail; if it does not, the type of the mail is non-test mail;
if it contains a keyword of rubbish test mail, the server judges whether the mail contains a keyword of anti-spam test mail; if it does not, the type of the mail is rubbish test mail; if it does, the type of the mail is anti-spam test mail.
Step 303: the server does not forward the mail;
Step 304: the server forwards the mail according to the address information of the mail.
In this embodiment, the server judges the type of the mail sent by the honey client and forwards only the rubbish test mail among test mail, which maintains stickiness toward spammers; the anti-spam test mail among test mail is not forwarded, which prevents blacklisting by anti-spam organizations or mail service providers; non-test mail is not forwarded, which prevents the honey client from being abused.
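The server's three-way decision, as an added Python example that is not part of the patent: it applies the addressee pre-check that the summary adds for sampled mail, then the keyword order described above, and marks only rubbish test mail for forwarding. The keyword lists, the recipient limit, the function names and the sample messages are all constructed for illustration; the patent does not give the real keywords.

```python
import email
from email import policy
from enum import Enum
from typing import List, Tuple

# Hypothetical keyword lists; the page does not give the real ones.
RUBBISH_TEST_KEYWORDS = ("relay-test", "proxy-test")
ANTI_SPAM_TEST_KEYWORDS = ("dnsbl-probe", "abuse-desk")
MAX_TEST_RECIPIENTS = 2   # hypothetical addressee condition


class MailType(Enum):
    NON_TEST = "non-test mail"
    RUBBISH_TEST = "rubbish test mail"
    ANTI_SPAM_TEST = "anti-spam test mail"


def searchable_text(raw: str) -> str:
    """Subject plus the plain-text body, lower-cased for keyword matching."""
    msg = email.message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    return f"{msg.get('Subject', '')}\n{text}".lower()


def classify(raw: str, rcpt_to: List[str]) -> MailType:
    # Addressee pre-check: doubtful test mail already passed it on the honey
    # client, sampled mail did not, so a sampled bulk message stops here.
    if not 0 < len(rcpt_to) <= MAX_TEST_RECIPIENTS:
        return MailType.NON_TEST
    text = searchable_text(raw)
    # Order matters: the anti-spam keywords are only consulted for mail that
    # already looks like a test mail.
    if not any(k in text for k in RUBBISH_TEST_KEYWORDS):
        return MailType.NON_TEST
    if any(k in text for k in ANTI_SPAM_TEST_KEYWORDS):
        return MailType.ANTI_SPAM_TEST
    return MailType.RUBBISH_TEST


def should_forward(mail_type: MailType) -> bool:
    """Steps 303/304: only rubbish test mail is forwarded."""
    return mail_type is MailType.RUBBISH_TEST


def make_raw(subject: str, body: str) -> str:
    return f"From: sender@example.com\nSubject: {subject}\n\n{body}\n"


def constructed_batch() -> List[Tuple[str, str, List[str]]]:
    """(label, raw message, envelope recipients); all values are constructed."""
    one = ["probe@example.net"]
    many = [f"user{i}@example.org" for i in range(40)]
    return [
        ("probe", make_raw("relay-test 7f3a", "Testing relay path."), one),
        ("listing-check", make_raw("relay-test", "dnsbl-probe from a listing service"), one),
        ("bulk-sample", make_raw("relay-test discount", "Buy now."), many),
        ("plain-spam", make_raw("Cheap watches", "Buy now."), one),
        ("antispam-only", make_raw("dnsbl-probe", "No test keyword here."), one),
    ]


def process(batch: List[Tuple[str, str, List[str]]]) -> List[Tuple[str, MailType, bool]]:
    out = []
    for label, raw, rcpt_to in batch:
        mail_type = classify(raw, rcpt_to)
        out.append((label, mail_type, should_forward(mail_type)))
    return out


if __name__ == "__main__":
    for label, mail_type, forward in process(constructed_batch()):
        print(f"{label:14} {mail_type.value:20} forward={forward}")
```

The `antispam-only` message shows a consequence of the stated order: a mail carrying only an anti-spam keyword is typed as non-test mail, which is still not forwarded.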
Referring to Fig. 4, a flow chart of the third embodiment of the mail processing method of the present invention, the method includes:
Step 401: at least one open relay and at least one open proxy are set up on the honey client.
Generally, the port used by the open relay is TCP port 25; the port used by the open proxy can be port 1080, port 8080, etc.
The honey client can be set up with only an open relay, or with both an open relay and an open proxy; the open proxy is therefore optional.
Step 402: the honey client monitors the open relay port and the open proxy port. When it detects a remote host connecting to the open relay port, step 404 is performed; when it detects a remote host connecting to the open proxy port, step 403 is performed.
When connecting to the open relay port or the open proxy port, the remote host sends its connection information, which includes the IP of the remote host, the port connected to, the destination host port, etc.
Step 402 can also include: the honey client reports to the server the connection information of the remote host connecting to the open relay port or the open proxy port. The server stores the connection information for use in subsequent spam analysis.
Step 403: the honey client judges whether the destination host port that the remote host connects to through the open proxy port is the SMTP port; if so, step 404 is performed; otherwise, step 410 is performed.
Step 404: the honey client establishes a connection with the remote host according to the connection information sent by the remote host.
The connection between the honey client and the remote host can be established using the SMTP protocol, with the honey client and the remote host completing the connection setup by exchanging SMTP command information; how the SMTP protocol is used to establish the connection is not detailed here.
Step 404 can also include: the honey client reports to the server the SMTP command information used in establishing the connection with the remote host, and the server stores it centrally to provide a data basis for subsequent spam analysis.
Step 405: the honey client receives, over the connection, the first mail data sent by the remote host.
Step 406: for each mail contained in the first mail data, the honey client judges whether the mail meets the sampling condition; if it does, step 408 is performed; if it does not, step 407 is performed.
How the honey client judges whether a mail meets the sampling condition is not limited here. For example, the judgment can be based on the serial number of each mail within the connection, etc.
In one possible implementation, the honey client can be set to sample the first mail that each mail source IP address sends in each connection; alternatively, for the mails that each mail source IP address sends in each connection, a serial number can be calculated according to some rule, and the mail corresponding to the calculated serial number is sampled. For example, the rule can be serial number = 2^m, where m is an integer not less than 0; mail whose serial number is 2^m then meets the sampling condition.
Step 407: the honey client judges whether the mail is doubtful test mail; if it is, step 408 is performed; if it is not, step 409 is performed.
Judging whether the mail is doubtful test mail may include:
Judging whether the addressee information of the mail meets the addressee condition; if the result is yes, the mail is doubtful test mail; otherwise, the mail is not doubtful test mail.
The addressee condition can be set as needed in practical applications and is not limited here.
In a first implementation, the addressee condition can be: the number of addressees is less than a predetermined number threshold;
In a second implementation, an addressee whitelist can be set in advance, storing the addressee addresses that test mail commonly uses; the addressee condition can then be: at least one addressee of the mail is in the addressee whitelist.
The first and second implementations can be used in combination; the details are not repeated here.
Step 408: the honey client reports the mail to the server; the current processing branch ends.
The honey client reports sampling mail and doubtful test mail to the server, and the server stores them, providing a data basis for subsequent spam analysis.
Moreover, because doubtful test mail and sampling mail are reported to the server, the server can identify whether each such mail is non-test mail, rubbish test mail among the test mail, or anti-spam test mail among the test mail. The server forwards rubbish test mail, does not forward anti-spam test mail, and discards non-test mail, so that stickiness to spammers is preserved while the IP addresses of the honey client and the server are prevented from being blacklisted by anti-spam organizations or mail service providers.
Step 409: the honey client discards the mail; the current processing branch ends.
Step 410: the honey client judges whether the data sent by the remote host meets the forwarding condition; if it does, step 411 is performed; if it does not, step 412 is performed.
When the destination host port that the remote host connects to through the open proxy port is not the SMTP port, the remote host probably wants the honey client to forward a network connection or other non-mail data; accordingly, the data sent by the remote host can be non-mail data such as Internet data, which is not detailed here.
How the honey client judges whether the data sent by the remote host meets the forwarding condition is not limited here. For example, the judgment can be based on the IP address of the remote host, the number of connections in a recent period, the total amount of data the honey client has forwarded for the remote host in a recent period, etc.
In one implementation, an IP address whitelist can be set on the honey client in advance. In this step, the honey client judges whether the IP address of the remote host is in the IP address whitelist; if it is, the honey client judges that the data sent by the remote host meets the forwarding condition; if it is not, the honey client judges that the data does not meet the forwarding condition;
In another implementation, a connection-count threshold for the remote host can be set on the honey client in advance, and the honey client records the number of connections with the remote host in a recent period. In this step, the honey client judges whether the number of connections with the remote host in the recent period exceeds the connection-count threshold; if it exceeds the threshold, the honey client judges that the data sent by the remote host meets the forwarding condition; if it does not exceed the threshold, the honey client judges that the data does not meet the forwarding condition;
In a third implementation, a data-volume threshold can be set on the honey client in advance, and the honey client records the total amount of data forwarded for the remote host in a recent period. In this step, the honey client computes the sum of the total amount of data forwarded for the remote host in the recent period and the amount of data the remote host has sent this time, and judges whether the sum exceeds the data-volume threshold; if it exceeds the threshold, the honey client judges that the data sent by the remote host meets the forwarding condition; if it does not exceed the threshold, the honey client judges that the data does not meet the forwarding condition.
The above three implementations can be combined with one another; the details are not repeated here.
Step 411: the honey client forwards the data sent by the remote host to the destination host; the current processing branch ends.
Step 412: the honey client discards the data sent by the remote host; the current processing branch ends. In steps 410 to 412, data the remote host sends to a destination host port other than the SMTP port is generally non-mail data such as Internet data; the honey client forwards it according to the forwarding condition, which prevents abuse of the honey client's resources for forwarding non-mail data.
In this embodiment, the honey client sends the remote host's connection information, the SMTP command information, doubtful test mail and sampling mail to the server, so that the server stores them centrally and provides basic data for subsequent analysis of spammer behavior. In addition, for data the remote host sends to a destination host port other than the SMTP port, the honey client forwards according to the forwarding condition, which prevents the remote host from abusing the honey client's resources for forwarding non-mail data.
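The per-mail decision of steps 406 to 409 on the honey client, as an added Python sketch (not code from the patent). The class and method names, the threshold value, the whitelist entry and the choice to combine the two addressee conditions with a logical OR are assumptions; the sample session is constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    REPORT_SAMPLED = "step 408: report to server (sampling mail)"
    REPORT_DOUBTFUL = "step 408: report to server (doubtful test mail)"
    DISCARD = "step 409: discard"


@dataclass
class HoneyClientTriage:
    # Assumed values: the page leaves threshold and whitelist to the operator.
    max_addressees: int = 3
    addressee_whitelist: frozenset = frozenset()
    # Mail counter per (source IP, connection id); serial numbers start at 1.
    serials: dict = field(default_factory=dict)

    @staticmethod
    def meets_sampling_condition(serial: int) -> bool:
        """Step 406 with the rule serial = 2^m, m >= 0 (1, 2, 4, 8, ...).

        m = 0 also covers "the first mail in each connection".
        """
        return serial > 0 and serial & (serial - 1) == 0

    def is_doubtful_test_mail(self, addressees) -> bool:
        """Step 407: addressee condition (both implementations, OR-combined)."""
        few = len(addressees) < self.max_addressees
        listed = any(a.strip().lower() in self.addressee_whitelist
                     for a in addressees)
        return few or listed

    def handle(self, source_ip: str, connection_id: int, addressees) -> Action:
        key = (source_ip, connection_id)
        serial = self.serials.get(key, 0) + 1
        self.serials[key] = serial
        if self.meets_sampling_condition(serial):
            return Action.REPORT_SAMPLED
        if self.is_doubtful_test_mail(addressees):
            return Action.REPORT_DOUBTFUL
        return Action.DISCARD

    def close(self, source_ip: str, connection_id: int) -> None:
        """Forget the counter when the connection ends."""
        self.serials.pop((source_ip, connection_id), None)


def run_constructed_session():
    """Seven mails on one constructed connection from 203.0.113.7."""
    triage = HoneyClientTriage(
        max_addressees=2,
        addressee_whitelist=frozenset({"probe@example.org"}),
    )
    bulk = [f"user{i}@example.net" for i in range(10)]
    session = [
        bulk,                          # serial 1: sampled
        bulk,                          # serial 2: sampled
        bulk,                          # serial 3: many addressees, discard
        bulk,                          # serial 4: sampled
        ["someone@example.net"],       # serial 5: single addressee, doubtful
        bulk + ["Probe@Example.org"],  # serial 6: whitelisted addressee
        bulk,                          # serial 7: discard
    ]
    return [triage.handle("203.0.113.7", 1, rcpts) for rcpts in session]


if __name__ == "__main__":
    for number, action in enumerate(run_constructed_session(), start=1):
        print(number, action.value)
```

With the 2^m rule the share of sampled mail falls as a connection grows longer, so a bulk run costs the server only a logarithmic number of stored samples.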
Referring to Fig. 5, a flow chart of the fourth embodiment of the mail processing method of the embodiment of the present invention, the method includes:
Step 501: the server receives and stores the remote host's connection information, the SMTP command information and the second mail data sent by the honey client; the second mail data includes sampling mail and doubtful test mail.
The connection information and SMTP command information are optional and depend on whether the honey client sends them. The server receives and stores the remote host's connection information, the SMTP command information and the mail data, providing an important basis for subsequent analysis of spammer behavior.
Step 502: for each mail contained in the second mail data, the server judges whether the mail is doubtful test mail; if the result is yes, step 503 is performed; if the result is no, step 505 is performed.
For the specific implementation of this step, refer to the related description in step 407; it is not repeated here.
The second mail data includes sampling mail, and sampling mail may also be test mail. Therefore, in this embodiment of the present invention, the server first judges whether a mail is doubtful test mail, which picks out of the second mail data the doubtful test mail reported by the honey client and also picks doubtful test mail out of the sampling mail in the second mail data.
Preferably, the honey client can apply a special mark to the doubtful test mail it reports. In this step, when judging whether a mail is doubtful test mail, the server can first judge whether the mail carries the special mark. If it does, the mail is doubtful test mail reported by the honey client; if it does not, the mail is sampling mail reported by the honey client, and the server can then judge whether it is doubtful test mail as described in step 407, which is not repeated here.
Step 503: the server judges whether the mail includes a keyword of rubbish test mail; if it does, step 504 is performed; if it does not, step 505 is performed.
The keywords of rubbish test mail may include: the IP address of the honey client, relay, test, etc.
In practical applications, a keyword set for rubbish test mail can be set on the server in advance; when performing this step, the server searches the mail in turn for each keyword in the rubbish test mail keyword set.
Step 504: the server judges whether the mail includes a keyword of anti-spam test mail; if it does, step 505 is performed; if it does not, step 506 is performed.
The keywords of anti-spam test mail may include: dnsbl, ordb, sorbs, etc.
In practical applications, a keyword set for anti-spam test mail can be set on the server in advance; when performing this step, the server searches the mail in turn for each keyword in the anti-spam test mail keyword set.
Step 505: the server does not forward the mail; the current processing branch ends.
Step 506: the server forwards the mail according to the address information of the mail; the current processing branch ends.
In this embodiment, the server judges whether each mail is non-test mail, rubbish test mail among the test mail, or anti-spam test mail among the test mail. Non-test mail is not forwarded, which prevents the mail relay resources of the honey client and the server from being abused; anti-spam test mail among the test mail is not forwarded, which prevents anti-spam organizations from blacklisting the IP addresses of the honey client and the server; rubbish test mail among the test mail is forwarded according to the address information of the mail, which preserves stickiness to spammers.
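The server-side classification described in the second embodiment (keyword judgment) and in steps 502 to 506 above, as an added Python sketch (not code from the patent). The mark header name, the addressee threshold, the use of the To/Cc headers as addressee information, the honey client IP and all sample mails are assumptions constructed for illustration; the keyword lists are the ones the page names.

```python
import base64
import email
from email import policy
from email.utils import getaddresses
from enum import Enum

HONEY_CLIENT_IP = "192.0.2.10"                          # constructed address
RUBBISH_KEYWORDS = (HONEY_CLIENT_IP, "relay", "test")   # step 503
ANTI_SPAM_KEYWORDS = ("dnsbl", "ordb", "sorbs")         # step 504
MARK_HEADER = "X-Doubtful-Test-Mail"   # hypothetical "special mark"
MAX_ADDRESSEES = 3                     # assumed addressee threshold


class MailType(Enum):
    NON_TEST = "non-test mail"
    RUBBISH_TEST = "rubbish test mail"
    ANTI_SPAM_TEST = "anti-spam test mail"


def _searchable_text(msg) -> str:
    """Subject plus every text part, with transfer encodings decoded."""
    chunks = [str(msg.get("Subject", ""))]
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        try:
            chunks.append(part.get_content())
        except (LookupError, UnicodeError):   # unknown or broken charset
            raw = part.get_payload(decode=True) or b""
            chunks.append(raw.decode("latin-1"))
    return "\n".join(chunks).lower()


def classify(raw_mail: str) -> MailType:
    msg = email.message_from_string(raw_mail, policy=policy.default)
    # Step 502: marked mail is doubtful test mail; unmarked (sampling) mail
    # must still pass the addressee condition from step 407.
    if msg.get(MARK_HEADER) is None:
        fields = msg.get_all("To", []) + msg.get_all("Cc", [])
        addressees = getaddresses([str(f) for f in fields])
        if len(addressees) >= MAX_ADDRESSEES:
            return MailType.NON_TEST
    text = _searchable_text(msg)
    # Step 503: no rubbish test keyword means non-test mail.
    if not any(k in text for k in RUBBISH_KEYWORDS):
        return MailType.NON_TEST
    # Step 504: an anti-spam keyword marks a probe that must not be relayed.
    if any(k in text for k in ANTI_SPAM_KEYWORDS):
        return MailType.ANTI_SPAM_TEST
    return MailType.RUBBISH_TEST


def should_forward(raw_mail: str) -> bool:
    """Step 506 applies only to rubbish test mail; otherwise step 505."""
    return classify(raw_mail) is MailType.RUBBISH_TEST


def _mail(headers, body: str) -> str:
    return "".join(f"{k}: {v}\n" for k, v in headers) + "\n" + body + "\n"


# Constructed samples. The first hides its keyword in a base64 body.
SPAMMER_PROBE = _mail(
    [("To", "drop@example.org"), ("Subject", "hello"), (MARK_HEADER, "1"),
     ("Content-Type", "text/plain; charset=utf-8"),
     ("Content-Transfer-Encoding", "base64")],
    base64.b64encode(b"open relay check 192.0.2.10:25").decode(),
)
ANTI_SPAM_PROBE = _mail(
    [("To", "check@example.org"), ("Subject", "open relay test"),
     (MARK_HEADER, "1")],
    "Automated check by the dnsbl.example.org scanner.",
)
SAMPLED_BULK = _mail(
    [("To", "a@example.org, b@example.org, c@example.org, d@example.org"),
     ("Subject", "Free test drive")],
    "Click now.",
)
SAMPLED_NO_KEYWORD = _mail(
    [("To", "a@example.org"), ("Subject", "Cheap watches")],
    "Best prices today.",
)

if __name__ == "__main__":
    for name in ("SPAMMER_PROBE", "ANTI_SPAM_PROBE",
                 "SAMPLED_BULK", "SAMPLED_NO_KEYWORD"):
        print(name, "->", classify(globals()[name]).value)
```

Plain substring search follows the page's description; it also matches words such as "contest", which the step 502 gate only partly offsets.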
Corresponding to the above method, the embodiment of the present invention also provides a mail processing device.
Referring to Fig. 6, a schematic diagram of the first embodiment of the mail processing device of the embodiment of the present invention, the mail processing device 600 can be arranged in a honey client and includes:
A connection establishment unit 610, configured to establish a connection with the remote host when the remote host connects to the open relay port of the honey client, or when the destination host port connected through the open proxy port of the honey client is the SMTP port;
A first receiving unit 620, configured to receive the first mail data sent by the remote host over the connection established by the connection establishment unit 610;
When the remote host connects directly to the open relay port of the honey client, the SMTP command information the remote host sends to the connection establishment unit 610 and the mail data it sends to the first receiving unit 620 are passed through by the open relay to the connection establishment unit 610 or the first receiving unit 620; the SMTP command information the connection establishment unit 610 sends to the remote host is likewise passed through to the remote host by the open relay.
When the remote host connects through the open proxy port of the honey client to a destination host port that is the SMTP port, the SMTP command information the remote host sends to the connection establishment unit 610 and the mail data it sends to the first receiving unit 620 are first sent by the remote host to the open proxy through the open proxy port, then sent by the open proxy to the open relay through the open relay port, and then passed through by the open relay to the connection establishment unit 610 or the first receiving unit 620. The SMTP command information the connection establishment unit 610 sends to the remote host is passed through by the open relay to the open proxy through the open relay port, and then forwarded by the open proxy to the remote host through the open proxy port.
A first judging unit 630, configured to judge, for each mail contained in the first mail data received by the first receiving unit 620, whether the mail is doubtful test mail;
A reporting unit 640, configured to report the mail to the server if the first judging unit 630 judges that the mail is doubtful test mail, so that the server forwards the mail when a preset condition is met;
A discarding unit 650, configured to discard the mail if the first judging unit 630 judges that the mail is not doubtful test mail.
Preferably, the first judging unit 630 can specifically be configured to:
Judge whether the addressee information of the mail meets the addressee condition; if the result is yes, the mail is doubtful test mail; otherwise, the mail is not doubtful test mail.
Preferably, the first judging unit 630 can also be configured to: for each mail contained in the first mail data, judge whether the mail meets the sampling condition; if it does not meet the sampling condition, perform the step of judging whether the mail is doubtful test mail;
Accordingly, the reporting unit 630 can also be configured to: report the mail to the server if the first judging unit 630 judges that the mail meets the sampling condition.
Preferably, the first judging unit 630 can specifically be configured to judge whether the mail meets the sampling condition in the following manner: judge whether the mail is the first mail of the remote host in this connection; if so, the sampling condition is met; if not, judge whether the sequence number of the mail in this connection satisfies the sequence number rule; if it does, the sampling condition is met; if it does not, the sampling condition is not met.
Preferably, the reporting unit 630 can also be configured to:
Report to the server the connection information of the remote host connecting to the open relay port or the open proxy port; and/or,
Report to the server the SMTP command information used when establishing the connection.
Preferably, the first judging unit 630 can also be configured to:
When the destination host port that the remote host connects to through the open proxy port of the honey client is not the SMTP port, judge whether the data sent by the remote host meets the forwarding condition;
Preferably, as shown in Fig. 6A, the device can also include:
A first forwarding unit 660, configured to forward the data sent by the remote host to the destination host when the first judging unit 630 judges that the data meets the forwarding condition;
Accordingly, the discarding unit 650 is also configured to: discard the data sent by the remote host when the first judging unit 630 judges that the data does not meet the forwarding condition.
In this embodiment, when the remote host connects to the open relay port, or when the destination host port connected through the open proxy port is the SMTP port, a connection is established with the remote host and the mail data sent by the remote host is received over the connection. For each mail contained in the mail data, it is judged whether the mail is test mail; if it is test mail, the mail is reported to the server so that the server determines whether to forward it; if it is not test mail, the mail is discarded. Test mail is thus reported to the server, which determines whether to forward it, preserving the honey client's stickiness to spammers, while mail that is not test mail is discarded, preventing the honey client from being abused.
Referring to Fig. 7, a schematic diagram of the second embodiment of the mail processing device of the embodiment of the present invention, the device can be arranged in a server, and the device 700 includes:
A second receiving unit 710, configured to receive the second mail data sent by the honey client; the second mail data includes doubtful test mail;
A second judging unit 720, configured to judge, for each mail contained in the second mail data received by the second receiving unit 710, the type of the mail;
A mail processing unit 730, configured not to forward the mail if the second judging unit 720 judges that the mail is non-test mail, and not to forward the mail if it judges that the mail is anti-spam test mail among the test mail;
A second forwarding unit 740, configured to forward the mail according to the address information of the mail if the second judging unit 720 judges that the mail is rubbish test mail among the test mail.
Preferably, the second judging unit 720 can specifically be configured to:
Judge whether the mail includes a keyword of rubbish test mail; if it does not include a keyword of rubbish test mail, the type of the mail is non-test mail;
If it includes a keyword of rubbish test mail, judge whether the mail includes a keyword of anti-spam test mail; if it does not include a keyword of anti-spam test mail, the type of the mail is rubbish test mail; if it includes a keyword of anti-spam test mail, the type of the mail is anti-spam test mail.
Preferably, if the second mail data also includes sampling mail, the second judging unit 720 can also specifically be configured to:
Judge whether the mail is doubtful test mail, for example by judging whether the addressee information of the mail meets the addressee condition; if the result is no, the type of the mail is non-test mail; if the result is yes, then judge whether the mail includes a keyword of rubbish test mail.
Preferably, the second receiving unit 710 can also be configured to: receive the SMTP command information sent by the honey client; and/or receive the connection information of the remote host sent by the honey client.
As shown in Fig. 7A, the device 700 can also include: a storage unit 750, configured to store the mail data sent by the honey client; and/or store the SMTP command information sent by the honey client; and/or store the connection information of the remote host sent by the honey client.
In this embodiment, the type of each mail sent by the honey client is judged and only rubbish test mail is forwarded, which preserves stickiness to spammers; anti-spam test mail is likewise not forwarded, which prevents blacklisting by anti-spam organizations or mail service providers; non-test mail is not forwarded, which prevents the honey client from being abused.
Referring to Fig. 8, the embodiment of the present invention also provides a honey client. The honey client 800 shown may include: a first processor 810, a first memory 820, a first transceiver 830 and a first bus 840;
The first processor 810, the first memory 820 and the first transceiver 830 are connected to one another by the first bus 840; the first bus 840 can be an ISA bus, a PCI bus, an EISA bus, etc. The first bus 840 can be divided into an address bus, a data bus, a control bus, etc. For ease of representation, the bus is drawn in Fig. 8 as a single thick line, but this does not mean that there is only one bus or only one type of bus.
The first memory 820 is used to store a program. Specifically, the program can include program code, and the program code includes computer operating instructions. The first memory 820 may comprise high-speed RAM and may also include non-volatile memory, for example at least one disk memory.
The first processor 810 reads and executes the program code stored in the first memory 820 in order to judge, for each mail contained in the first mail data, whether the mail is doubtful test mail, and to discard the mail if it is not doubtful test mail.
The first transceiver 830 is used to connect to other devices, such as the server and the remote host, and to communicate with them. Specifically, the first transceiver 830 is configured to establish a connection with the remote host when the remote host connects to the open relay port, or when the destination host port connected through the open proxy port is the SMTP port; to receive the first mail data sent by the remote host over the connection; and, if the first processor 810 judges that a mail is doubtful test mail, to report the mail to the server so that the server forwards the mail when a preset condition is met.
Preferably, the first processor 810 can specifically be configured to: judge whether the addressee information of the mail meets the addressee condition; if the result is yes, the mail is doubtful test mail; otherwise, the mail is not doubtful test mail.
Preferably, the first processor 810 can specifically be configured to: before judging whether the mail is doubtful test mail, judge whether the mail meets the sampling condition; if it does not meet the sampling condition, perform the step of judging whether the mail is doubtful test mail.
The first transceiver 830 can specifically be configured to: report the mail to the server if the first processor 810 judges that the mail meets the sampling condition.
Preferably, the first processor 810 can specifically be configured to: judge whether the mail is the first mail of the source IP address in this connection; if so, the sampling condition is met; if not, judge whether the sequence number of the mail in this connection satisfies the sequence number rule; if it does, the sampling condition is met; if it does not, the sampling condition is not met.
Preferably, the first transceiver 830 can specifically be configured to: report to the server the connection information of the remote host connecting to the open relay port or the open proxy port; and/or report to the server the SMTP command information used when establishing the connection.
Preferably, the first processor 810 can specifically be configured to: when the destination host port that the remote host connects to through the open proxy port is not the SMTP port, judge whether the data sent by the remote host meets the forwarding condition; when the forwarding condition is not met, discard the data sent by the remote host;
The first transceiver 830 can specifically be configured to: forward the data sent by the remote host to the destination host when the first processor 810 judges that the data meets the forwarding condition.
In this embodiment, when the remote host connects to the open relay port, or when the destination host port connected through the open proxy port is the SMTP port, the honey client establishes a connection with the remote host and receives over the connection the first mail data sent by the remote host. For each mail contained in the first mail data, the honey client judges whether the mail is doubtful test mail; if it is doubtful test mail, the mail is reported to the server so that the server forwards the mail when a preset condition is met; if it is not doubtful test mail, the honey client discards the mail. Doubtful test mail is thus reported to the server, which forwards the mail that meets the preset condition, preserving the honey client's stickiness to spammers, while mail that is not doubtful test mail is discarded, preventing the honey client from being abused.
Referring to Fig. 9, the embodiment of the present invention also provides a server. The server 900 shown may include: a second processor 910, a second memory 920, a second transceiver 930 and a second bus 940;
The second processor 910, the second memory 920 and the second transceiver 930 are connected to one another by the second bus 940; the second bus 840 can be an ISA bus, a PCI bus, an EISA bus, etc. The second bus 940 can be divided into an address bus, a data bus, a control bus, etc. For ease of representation, the bus is drawn in Fig. 9 as a single thick line, but this does not mean that there is only one bus or only one type of bus.
The second memory 920 is used to store a program. Specifically, the program can include program code, and the program code includes computer operating instructions. The second memory 920 may comprise high-speed RAM and may also include non-volatile memory, for example at least one disk memory.
The second processor 910 reads and executes the program code stored in the second memory 920 in order to judge, for each mail contained in the second mail data, the type of the mail;
The second transceiver 930 is used to connect to other devices, such as the server and the remote host, and to communicate with them. Specifically, the second transceiver 930 is configured to receive the second mail data sent by the honey client, the second mail data including doubtful test mail; if the second processor 910 judges that a mail is rubbish test mail, to forward the mail according to the address information of the mail; if the second processor 910 judges that a mail is non-test mail, not to forward the mail; and if the second processor 910 judges that a mail is anti-spam test mail, not to forward the mail.
Preferably, the second processor 910 can specifically be configured to: judge whether the mail includes a keyword of rubbish test mail; if it does not include a keyword of rubbish test mail, the type of the mail is non-test mail; if it includes a keyword of rubbish test mail, judge whether the mail includes a keyword of anti-spam test mail; if it does not include a keyword of anti-spam test mail, the type of the mail is rubbish test mail; if it includes a keyword of anti-spam test mail, the type of the mail is anti-spam test mail.
Preferably, the second mail data can also include sampling mail; the second processor 910 can also specifically be configured to: judge whether the addressee information of the mail meets the addressee condition; if the result is no, the type of the mail is non-test mail; if the result is yes, then judge whether the mail includes a keyword of rubbish test mail.
Preferably, the second transceiver 930 is configured to receive the SMTP command information sent by the honey client; and/or receive the connection information of the remote host sent by the honey client.
The second memory 920 can also be used to store the mail data reported by the honey client, and to store the connection information of the remote host, the SMTP command information, etc. reported by the honey client.
In this embodiment, the server judges the type of each mail sent by the honey client and forwards only rubbish test mail, which preserves stickiness to spammers; anti-spam test mail is likewise not forwarded, which prevents blacklisting by anti-spam organizations or mail service providers; non-test mail is not forwarded, which prevents the honey client from being abused.
The embodiment of the present invention additionally provides a kind of post-processing system, and this post-processing system includes the server shown in accompanying drawing 7 or accompanying drawing 9, and the honey client shown at least one accompanying drawing 6 or accompanying drawing 8, and the structure chart of this system is as shown in Figure 1.
Wherein, honey client in post-processing system for connecting the open trunking port of described honey client at remote host, or when the destination host port connected by the open proxies port of described honey client is SMTP port, it is connected with setting up between described remote host;Receive the first mail data that described remote host is sent by described connection;For each envelope mail that the first mail data comprises, it is judged that whether this envelope mail is doubtful test mail;If doubtful test mail, this envelope mail is reported to server, in order to server forwards this mail when meeting pre-conditioned;If not doubtful test mail, abandon this envelope mail;
Wherein, the server in post-processing system is for receiving the second mail data that honey client is sent;Described second mail data includes doubtful test mail;For each envelope mail that the second mail data comprises, it is judged that the type of this envelope mail;If it is determined that this envelope mail is non-test mail, do not forward this envelope mail;If it is determined that this envelope mail is rubbish test mail, forward this envelope mail according to the address information of this envelope mail;If it is determined that this envelope mail is anti-spam test mail, do not forward this envelope mail.
Honey client and the detailed operation flow process of server in post-processing system refer to the description in previous embodiments, are here not repeated.
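The two-stage decision described above (honey client triage, then server classification), as an added Python sketch that is not part of the patent text. The sequence number rule, the addressee condition and both keyword patterns are assumed values, since this section names those conditions without giving their contents; the sample mails are constructed.

```python
import re
from dataclasses import dataclass
from enum import Enum

class MailType(Enum):
    NON_TEST = "non-test mail"
    RUBBISH_TEST = "rubbish test mail"
    ANTI_SPAM_TEST = "anti-spam test mail"

@dataclass
class Mail:
    seq: int     # 1-based position of the mail within one SMTP connection
    rcpt: list   # envelope recipients (RCPT TO)
    body: str

# Assumed policy values: hypothetical stand-ins for the conditions the text names.
SAMPLE_EVERY = 50      # "sequence number rule": sample every 50th mail
MAX_TEST_RCPTS = 2     # "addressee condition": a probe has very few recipients
RUBBISH_KW = re.compile(r"\b(relay|proxy)\s+test\b", re.I)
ANTI_SPAM_KW = re.compile(r"\bopen[- ]relay\s+(scan|survey)\b", re.I)

def meets_sampling(mail):
    # First mail of the connection, or a sequence number matching the rule.
    return mail.seq == 1 or mail.seq % SAMPLE_EVERY == 0

def meets_addressee(mail):
    return 0 < len(mail.rcpt) <= MAX_TEST_RCPTS

def honey_client_triage(mail):
    """Honey client: 'report' sampled or doubtful test mail, else 'discard'."""
    if meets_sampling(mail) or meets_addressee(mail):
        return "report"
    return "discard"

def server_classify(mail):
    """Server: addressee check (sampled mail may fail it), then keyword checks."""
    if not meets_addressee(mail) or not RUBBISH_KW.search(mail.body):
        return MailType.NON_TEST
    if ANTI_SPAM_KW.search(mail.body):
        return MailType.ANTI_SPAM_TEST
    return MailType.RUBBISH_TEST

def process_connection(mails):
    """Return (seq, client action, server type or None, forwarded) per mail."""
    results = []
    for m in mails:
        action = honey_client_triage(m)
        kind = server_classify(m) if action == "report" else None
        # Only rubbish test mail is ever relayed onward.
        results.append((m.seq, action, kind, kind is MailType.RUBBISH_TEST))
    return results

# Constructed sample traffic from one remote host (addresses are placeholders).
BULK = [f"user{i}@example.net" for i in range(40)]
SAMPLE = [
    Mail(1, BULK, "Cheap watches, click now"),
    Mail(2, ["probe@example.com"], "relay test 203.0.113.7:25"),
    Mail(3, BULK, "Cheap watches, click now"),
    Mail(4, ["audit@example.org"], "Open-relay survey: relay test id 42"),
    Mail(5, ["bob@example.com"], "Lunch tomorrow?"),
]

if __name__ == "__main__":
    for row in process_connection(SAMPLE):
        print(row)
```

The first mail is reported only because it is sampled, and the server then rejects it on the addressee check, so bulk spam reaches the server for analysis without ever being relayed.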
Those skilled in the art will clearly understand that the techniques in the embodiments of the present invention can be implemented by software plus the necessary general-purpose hardware platform. Based on this understanding, the technical solutions in the embodiments, in essence or in the part that contributes over the prior art, can be embodied in the form of a software product. The computer software product can be stored in a storage medium, such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to perform the methods described in the embodiments, or in certain parts of the embodiments, of the present invention.
The embodiments in this specification are described progressively. For parts that are the same or similar across embodiments, the embodiments may be referred to one another, and each embodiment focuses on its differences from the others. The system embodiment in particular is described briefly because it is substantially similar to the method embodiments; for the relevant parts, refer to the description of the method embodiments.
The embodiments of the invention described above do not limit the scope of protection of the present invention. Any modification, equivalent replacement or improvement made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (21)

1. A mail processing method, characterized by comprising:
when a remote host connects to the open relay port of a honey client, or when the destination host port that the remote host connects to through the open proxy port of the honey client is a Simple Mail Transfer Protocol (SMTP) port, establishing a connection between the honey client and the remote host;
receiving, by the honey client, first mail data sent by the remote host over the connection;
for each mail contained in the first mail data, judging, by the honey client, whether the mail is a doubtful test mail;
if the mail is a doubtful test mail, reporting, by the honey client, the mail to a server, so that the server forwards the mail when a preset condition is met;
if the mail is not a doubtful test mail, discarding, by the honey client, the mail;
wherein the doubtful test mail is a mail with a relatively high probability of being a test mail, and the test mail includes rubbish test mail and anti-spam test mail; the rubbish test mail is a test mail sent by a spammer to test whether the open relay or open proxy of a mail service provider can correctly send the spam that the spammer sends; the anti-spam test mail is a test mail sent by an anti-spam organization or a mail service provider to test whether a mail service provider that offers an open proxy service or an open relay service forwards spam.
2. The method according to claim 1, characterized in that the honey client judging whether the mail is a doubtful test mail comprises:
judging, by the honey client, whether the addressee information of the mail meets an addressee condition; if the result is yes, the mail is a doubtful test mail; otherwise, the mail is not a doubtful test mail.
3. The method according to claim 1 or 2, characterized in that, before the honey client judges whether the mail is a doubtful test mail, the method further comprises:
judging, by the honey client, whether the mail meets a sampling condition;
if the sampling condition is met, reporting, by the honey client, the mail to the server;
if the sampling condition is not met, performing, by the honey client, the step of judging whether the mail is a doubtful test mail.
4. The method according to claim 3, characterized in that the honey client judging whether the mail meets the sampling condition comprises:
judging, by the honey client, whether the mail is the first mail sent by the remote host in this connection; if so, the sampling condition is met;
if not, judging, by the honey client, whether the sequence number of the mail within this connection meets a sequence number rule; if it does, the sampling condition is met; if it does not, the sampling condition is not met.
5. The method according to claim 1, 2 or 4, characterized by further comprising:
reporting, by the honey client, to the server the connection information of the remote host's connection to the open relay port or the open proxy port; and/or,
reporting, by the honey client, to the server the SMTP command information used when the connection was established.
6. The method according to claim 1, 2 or 4, characterized by further comprising:
when the destination host port that the remote host connects to through the open proxy port of the honey client is not an SMTP port, judging, by the honey client, whether the data sent by the remote host meets a forwarding condition;
when the forwarding condition is met, forwarding the data sent by the remote host to the destination host;
when the forwarding condition is not met, discarding the data sent by the remote host.
7. A mail processing method, characterized by comprising:
receiving, by a server, second mail data sent by a honey client, the second mail data including doubtful test mail;
for each mail contained in the second mail data, judging, by the server, the type of the mail;
if the mail is judged to be non-test mail, not forwarding, by the server, the mail;
if the mail is judged to be rubbish test mail, forwarding, by the server, the mail according to the address information of the mail; the rubbish test mail is a test mail sent by a spammer to test whether the open relay or open proxy of a mail service provider can correctly send the spam that the spammer sends;
if the mail is judged to be anti-spam test mail, not forwarding, by the server, the mail; the anti-spam test mail is a test mail sent by an anti-spam organization or a mail service provider to test whether a mail service provider that offers an open proxy service or an open relay service forwards spam.
8. The method according to claim 7, characterized in that the server judging the type of the mail comprises:
judging, by the server, whether the mail includes a keyword of rubbish test mail; if it does not, the type of the mail is non-test mail;
if it includes a keyword of rubbish test mail, judging, by the server, whether the mail includes a keyword of anti-spam test mail; if it does not, the type of the mail is rubbish test mail; if it does, the type of the mail is anti-spam test mail.
9. The method according to claim 8, characterized in that, if the second mail data also includes sampled mail, before the server judges the type of the mail, the method further comprises:
judging, by the server, whether the addressee information of the mail meets an addressee condition; if the result is no, the type of the mail is non-test mail;
if the result is yes, performing, by the server, the step of judging whether the mail includes a keyword of rubbish test mail.
10. The method according to any one of claims 7 to 9, characterized by further comprising:
storing, by the server, the mail data sent by the honey client; and/or,
receiving and storing, by the server, the Simple Mail Transfer Protocol (SMTP) command information sent by the honey client; and/or,
receiving and storing, by the server, the connection information of the remote host sent by the honey client.
11. A honey client, characterized by comprising:
a connection establishment unit, configured to establish a connection with a remote host when the remote host connects to the open relay port of the honey client, or when the destination host port that the remote host connects to through the open proxy port of the honey client is a Simple Mail Transfer Protocol (SMTP) port;
a first receiving unit, configured to receive first mail data sent by the remote host over the connection established by the connection establishment unit;
a first judging unit, configured to judge, for each mail contained in the first mail data received by the first receiving unit, whether the mail is a doubtful test mail;
a reporting unit, configured to report the mail to a server if the first judging unit judges that the mail is a doubtful test mail, so that the server forwards the mail when a preset condition is met;
a discarding unit, configured to discard the mail if the first judging unit judges that the mail is not a doubtful test mail;
wherein the doubtful test mail is a mail with a relatively high probability of being a test mail, and the test mail includes rubbish test mail and anti-spam test mail; the rubbish test mail is a test mail sent by a spammer to test whether the open relay or open proxy of a mail service provider can correctly send the spam that the spammer sends; the anti-spam test mail is a test mail sent by an anti-spam organization or a mail service provider to test whether a mail service provider that offers an open proxy service or an open relay service forwards spam.
12. The honey client according to claim 11, characterized in that the first judging unit is specifically configured to:
judge whether the addressee information of the mail meets an addressee condition; if the result is yes, the mail is a doubtful test mail; otherwise, the mail is not a doubtful test mail.
13. The honey client according to claim 11 or 12, characterized in that the first judging unit is further configured to: for each mail contained in the first mail data, judge whether the mail meets a sampling condition; and if the sampling condition is not met, perform the step of judging whether the mail is a doubtful test mail;
the reporting unit is further configured to: report the mail to the server if the first judging unit judges that the mail meets the sampling condition.
14. The honey client according to claim 13, characterized in that the first judging unit is specifically configured to judge whether the mail meets the sampling condition in the following manner: judging whether the mail is the first mail sent by the remote host in this connection; if so, the sampling condition is met; if not, judging whether the sequence number of the mail within this connection meets a sequence number rule; if it does, the sampling condition is met; if it does not, the sampling condition is not met.
15. The honey client according to claim 11, 12 or 14, characterized in that the reporting unit is further configured to:
report to the server the connection information of the remote host's connection to the open relay port or the open proxy port; and/or,
report to the server the SMTP command information used when the connection was established.
16. The honey client according to claim 11, 12 or 14, characterized in that the first judging unit is further configured to:
judge whether the data sent by the remote host meets a forwarding condition when the destination host port that the remote host connects to through the open proxy port of the honey client is not an SMTP port;
the honey client further comprises:
a first forwarding unit, configured to forward the data sent by the remote host to the destination host when the first judging unit judges that the data sent by the remote host meets the forwarding condition;
the discarding unit is further configured to: discard the data sent by the remote host when the first judging unit judges that the data sent by the remote host does not meet the forwarding condition.
17. A server, characterized by comprising:
a second receiving unit, configured to receive second mail data sent by a honey client, the second mail data including doubtful test mail;
a second judging unit, configured to judge, for each mail contained in the second mail data received by the second receiving unit, the type of the mail;
a mail processing unit, configured to not forward the mail if the second judging unit judges that the mail is non-test mail, and to not forward the mail if the mail is judged to be anti-spam test mail; the anti-spam test mail is a test mail sent by an anti-spam organization or a mail service provider to test whether a mail service provider that offers an open proxy service or an open relay service forwards spam;
a second forwarding unit, configured to forward the mail according to the address information of the mail if the second judging unit judges that the mail is rubbish test mail; the rubbish test mail is a test mail sent by a spammer to test whether the open relay or open proxy of a mail service provider can correctly send the spam that the spammer sends.
18. The server according to claim 17, characterized in that the second judging unit is specifically configured to:
judge whether the mail includes a keyword of rubbish test mail; if it does not, the type of the mail is non-test mail;
if it includes a keyword of rubbish test mail, judge whether the mail includes a keyword of anti-spam test mail; if it does not, the type of the mail is rubbish test mail; if it does, the type of the mail is anti-spam test mail.
19. The server according to claim 18, characterized in that, if the second mail data also includes sampled mail, the second judging unit is further specifically configured to:
judge whether the addressee information of the mail meets an addressee condition; if the result is no, the type of the mail is non-test mail;
if the result is yes, judge whether the mail includes a keyword of rubbish test mail.
20. The server according to any one of claims 17 to 19, characterized in that:
the second receiving unit is further configured to: receive the Simple Mail Transfer Protocol (SMTP) command information sent by the honey client; and/or, receive the connection information of the remote host sent by the honey client;
the server further comprises a storage unit, configured to store the mail data sent by the honey client; and/or, store the SMTP command information sent by the honey client; and/or, store the connection information of the remote host sent by the honey client.
21. A mail processing system, characterized by comprising the honey client according to any one of claims 11 to 16 and the server according to any one of claims 17 to 20.
CN201210580437.8A 2012-12-27 2012-12-27 The processing method of a kind of mail, device and system Active CN103078753B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201210580437.8A CN103078753B (en) 2012-12-27 2012-12-27 The processing method of a kind of mail, device and system

Publications (2)

Publication Number Publication Date
CN103078753A CN103078753A (en) 2013-05-01
CN103078753B true CN103078753B (en) 2016-07-13

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant