CN113381983B - Method and device for identifying fake e-mail - Google Patents

Method and device for identifying fake e-mail

Info

Publication number
CN113381983B
Authority
CN
China
Prior art keywords
mail
data packet
detection
mail data
detection result
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110548160.XA
Other languages
Chinese (zh)
Other versions
CN113381983A (en)
Inventor
王楚涵
沈凯文
郭明磊
郑晓峰
段海新
刘武
林延中
潘庆峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tsinghua University
Lunkr Technology Guangzhou Co Ltd
Original Assignee
Tsinghua University
Lunkr Technology Guangzhou Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tsinghua University, Lunkr Technology Guangzhou Co Ltd
Priority to CN202110548160.XA
Publication of CN113381983A
Application granted
Publication of CN113381983B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information: received data contents, e.g. message integrity
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/10 Office automation; Time management
    • G06Q10/107 Computer-aided management of electronic mailing [e-mailing]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/42 Mailbox-related aspects, e.g. synchronisation of mailboxes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/126 Applying verification of the received information: the source of the received data

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Business, Economics & Management (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Human Resources & Organizations (AREA)
  • Entrepreneurship & Innovation (AREA)
  • Strategic Management (AREA)
  • General Engineering & Computer Science (AREA)
  • Computing Systems (AREA)
  • Operations Research (AREA)
  • Economics (AREA)
  • Marketing (AREA)
  • Data Mining & Analysis (AREA)
  • Quality & Reliability (AREA)
  • Tourism & Hospitality (AREA)
  • Physics & Mathematics (AREA)
  • General Business, Economics & Management (AREA)
  • General Physics & Mathematics (AREA)
  • Theoretical Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The application provides a method and a device for identifying fake e-mails. The method comprises the following steps: analyzing a mail data packet through a preset mail security detection algorithm to obtain a detection result of the mail data packet; and displaying the detection result corresponding to the mail data packet on the display interface of the mail data packet. The preset mail security detection algorithm comprises at least one of send-on-behalf detection, source detection, sender detection, highly similar domain name detection and encryption detection. By detecting the mail data packet from multiple angles, namely send-on-behalf detection, source detection, sender detection, highly similar domain name detection and encryption detection, fake e-mails are detected more accurately; the detection result is displayed synchronously in the display interface of the e-mail, which helps the user identify fake e-mails and ensures communication security.

Description

Method and device for identifying fake e-mail
Technical Field
The present application relates to the field of information processing technologies, and in particular to a method and an apparatus for identifying fake e-mails.
Background
E-mail has long been one of the most important typical applications on the Internet and is an integral part of modern life and work.
However, existing e-mail systems have security problems that cannot be ignored. The receiving side cannot reliably screen out malicious attack e-mails, and receivers rarely give users any security reminder. Existing mail interfaces only provide a mail-sending prompt and a phishing-mail prompt, and existing solutions are not comprehensive enough and are relatively easy for attackers to bypass.
How to better identify fake e-mails has become a problem the industry needs to solve.
Disclosure of Invention
The application provides a method and a device for identifying fake e-mails, which are used to solve the problem in the prior art that fake e-mails cannot be identified well.
The application provides a method for identifying fake e-mails, which comprises the following steps:
analyzing a mail data packet through a preset mail security detection algorithm to obtain a detection result of the mail data packet;
displaying the detection result corresponding to the mail data packet on a display interface of the mail data packet;
wherein the preset mail security detection algorithm comprises at least one of send-on-behalf detection, source detection, sender detection, highly similar domain name detection and encryption detection.
According to the method for identifying fake e-mails provided by the application, the step of analyzing the mail data packet through the preset mail security detection algorithm to obtain the detection result of the mail data packet comprises:
performing send-on-behalf detection on the mail data packet, wherein the send-on-behalf detection compares the MIME From header field with the MAIL FROM envelope sender in the mail data packet for consistency;
and when the send-on-behalf detection does not pass, the detection result corresponding to the mail data packet is that the mail is abnormal.
According to the method for identifying fake e-mails provided by the application, the step of analyzing the mail data packet through the preset mail security detection algorithm to obtain the detection result of the mail data packet comprises:
performing source detection on the mail data packet, wherein the source detection comprises performing Sender Policy Framework (SPF) verification, DomainKeys Identified Mail (DKIM) verification and Domain-based Message Authentication (DMARC) verification on the mail data packet, and at the same time comparing the identity entities verified by the three verification methods and their results for consistency;
and when the source verification fails, the detection result corresponding to the mail data packet is that the mail is abnormal.
According to the method for identifying fake e-mails provided by the application, the step of analyzing the mail data packet through the preset mail security detection algorithm to obtain the detection result of the mail data packet comprises:
performing sender detection on the mail data packet, wherein the sender detection detects special characters in the MIME From field of the mail data packet;
and when the sender detection does not pass, the detection result corresponding to the mail data packet is that the mail is abnormal.
According to the method for identifying fake e-mails provided by the application, the step of analyzing the mail data packet through the preset mail security detection algorithm to obtain the detection result of the mail data packet comprises:
performing highly similar domain name detection on the mail data packet, wherein the highly similar domain name detection detects the From field in the mail data packet;
and when the From field in the mail data packet is an internationalized domain name (IDN), the detection result corresponding to the mail data packet is that the mail is abnormal.
According to the method for identifying fake e-mails provided by the application, the step of analyzing the mail data packet through the preset mail security detection algorithm to obtain the detection result of the mail data packet comprises:
performing encryption detection on the mail data packet, wherein the encryption detection detects whether the mail data packet is encrypted with the Transport Layer Security (TLS) protocol;
and when the mail data packet is not encrypted with TLS, the detection result corresponding to the mail data packet is that the mail is abnormal.
The application also provides a device for identifying fake e-mails, which comprises:
an analysis module, configured to analyze a mail data packet through a preset mail security detection algorithm to obtain a detection result of the mail data packet;
a display module, configured to display the detection result corresponding to the mail data packet on a display interface of the mail data packet;
wherein the preset mail security detection algorithm comprises at least one of send-on-behalf detection, source detection, sender detection, highly similar domain name detection and encryption detection.
The application also provides an electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the program, implements the steps of any of the methods for identifying fake e-mails described above.
The application also provides a non-transitory computer-readable storage medium on which a computer program is stored, which, when executed by a processor, implements the steps of any of the methods for identifying fake e-mails described above.
The method and the device for identifying fake e-mails provided by the application detect the mail data packet from multiple angles, namely send-on-behalf detection, source detection, sender detection, highly similar domain name detection and encryption detection, so that fake e-mails are detected more accurately; the detection result is displayed synchronously in the display interface of the e-mail, which helps the user identify fake e-mails and ensures communication security.
Drawings
In order to more clearly illustrate the application or the technical solutions of the prior art, the following description will briefly explain the drawings used in the embodiments or the description of the prior art, and it is obvious that the drawings in the following description are some embodiments of the application, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a method for identifying fake e-mails provided by an embodiment of the application;
FIG. 2 is a schematic diagram of a fake email recognition device provided by the application;
FIG. 3 is a schematic diagram of the physical structure of an electronic device according to the present application.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
FIG. 1 is a flow chart of the method for identifying fake e-mails according to an embodiment of the present application. As shown in FIG. 1, the method includes:
step S1, analyzing a mail data packet through a preset mail security detection algorithm to obtain a detection result of the mail data packet;
Specifically, in the application the receiving-end server starts the SMTP service, listens on port 25, establishes a TCP connection with the sending server and receives the SMTP data packets, which it then passes to the mail processing module.
The mail data packet described in the application is a Simple Mail Transfer Protocol (SMTP) mail data packet exchanged between the sending and receiving servers; analyzing the mail data packet means performing the security detection on that SMTP mail data packet.
The mail data packet described in the present application comprises two parts, the envelope and the letter. The envelope part contains the SMTP commands such as HELO, MAIL FROM and RCPT TO, and the letter part contains the mail header information (fields such as From, To, Subject and Date), the entire mail body delivered to the recipient and any mail attachments. The relevant mail protocols are specified explicitly in the Requests for Comments (RFCs).
Table 1 lists the UI reminders and the corresponding detected abnormal mail behaviors. Table 1: UI reminders and detected abnormal mail behavior.
step S2, displaying the detection result corresponding to the mail data packet on the display interface of the mail data packet;
wherein the preset mail security detection algorithm comprises at least one of send-on-behalf detection, source detection, sender detection, highly similar domain name detection and encryption detection.
The display interface of the mail data packet described in the present application may specifically be a web page interface that displays the e-mail or a client interface that displays the e-mail.
In the application, if the mail detection result shows that the mail has a security problem, the detection result is presented to the user in the form of a UI reminder.
The preset mail security detection algorithm outputs five different kinds of UI reminder content for the different abnormal mail behaviors:
1. The mail was sent on behalf of someone else;
2. The mail source is not trusted;
3. The mail sender is not trusted;
4. Beware of a highly similar domain name;
5. The mail content is not encrypted and is not secure.
The detection algorithm detects the mail and sends the detection result (the UI reminder content) to the mail processing module.
The application detects the mail data packet from multiple angles, namely send-on-behalf detection, source detection, sender detection, highly similar domain name detection and encryption detection, so that fake e-mails are detected more accurately; the detection result is displayed synchronously in the display interface of the e-mail, which helps the user identify fake e-mails and ensures communication security.
Based on any of the above embodiments, the step of analyzing the mail data packet through the preset mail security detection algorithm to obtain the detection result of the mail data packet comprises:
performing send-on-behalf detection on the mail data packet, wherein the send-on-behalf detection compares the MIME From header field with the MAIL FROM envelope sender in the mail data packet for consistency;
and when the send-on-behalf detection does not pass, the detection result corresponding to the mail data packet is that the mail is abnormal.
Specifically, existing send-on-behalf detection is imprecise: if a mail has multiple MIME From fields, existing send-on-behalf detection is likely to be bypassed, although according to RFC 7489 and RFC 5322 the mail receiver should reject a mail message that has multiple From fields. In the embodiment of the application, if the MIME From field is inconsistent with the MAIL FROM field, the UI reminds the user that the mail was sent on behalf of someone else.
By performing send-on-behalf detection on the mail data packet, the application achieves more complete and accurate fake e-mail detection.
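A worked illustration of the envelope/letter split and of the send-on-behalf check follows. This is an added example and not code from the patent; the SMTP transcripts, host names and addresses in it are constructed for the illustration, and the check compares the full MAIL FROM address with the single From header address, which is one reading of the consistency comparison the text describes.

```python
# Added example (not the patent's code): split a captured SMTP session into its
# envelope (HELO/EHLO, MAIL FROM, RCPT TO) and letter (header + body), then run
# the send-on-behalf check: exactly one From header field is allowed, and its
# address must be consistent with MAIL FROM.
import email
import re
from email.utils import parseaddr

# Constructed sample sessions as seen by the receiving server. "C:" lines are
# what the client sent, "S:" lines are the server's replies.
SAMPLE_SPOOFED = """\
S: 220 mx.example.net ESMTP
C: EHLO relay.attacker-example.org
S: 250 mx.example.net
C: MAIL FROM:<bounce@attacker-example.org>
S: 250 OK
C: RCPT TO:<alice@example.net>
S: 250 OK
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: From: CEO <ceo@bank-example.com>
C: To: alice@example.net
C: Subject: Urgent transfer
C: Date: Mon, 17 May 2021 10:00:00 +0800
C:
C: Please wire the funds today.
C: .
S: 250 OK queued
C: QUIT
"""
# Same letter, but the envelope sender agrees with the From header.
SAMPLE_CONSISTENT = SAMPLE_SPOOFED.replace(
    "MAIL FROM:<bounce@attacker-example.org>", "MAIL FROM:<ceo@bank-example.com>")
# Two From header fields: RFC 5322 allows exactly one, RFC 7489 says to reject.
SAMPLE_DOUBLE_FROM = SAMPLE_CONSISTENT.replace(
    "C: To:", "C: From: Alice <alice@example.net>\nC: To:")


def parse_session(transcript):
    """Return (envelope dict, email.message.Message) for one SMTP transcript."""
    envelope = {"helo": None, "mail_from": None, "rcpt_to": []}
    letter, in_data = [], False
    for raw in transcript.splitlines():
        if not raw.startswith("C:"):
            continue                      # only client lines carry mail data
        line = raw[3:] if raw.startswith("C: ") else ""
        if in_data:
            if line == ".":
                in_data = False           # end of DATA
            else:                         # undo RFC 5321 dot-stuffing
                letter.append(line[1:] if line.startswith("..") else line)
            continue
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("HELO", "EHLO"):
            envelope["helo"] = arg.strip()
        elif verb == "MAIL":
            m = re.match(r"FROM:\s*<?([^>\s]*)>?", arg, re.IGNORECASE)
            envelope["mail_from"] = m.group(1) if m else ""
        elif verb == "RCPT":
            m = re.match(r"TO:\s*<?([^>\s]*)>?", arg, re.IGNORECASE)
            if m:
                envelope["rcpt_to"].append(m.group(1))
        elif verb == "DATA":
            in_data = True
    return envelope, email.message_from_string("\n".join(letter))


def send_on_behalf_check(envelope, message):
    """(passed, reason): False means the 'sent on behalf of someone else' reminder."""
    froms = message.get_all("From") or []
    if len(froms) != 1:
        return False, f"{len(froms)} From header fields, expected exactly 1"
    mime_from = parseaddr(froms[0])[1].lower()
    mail_from = (envelope["mail_from"] or "").lower()
    if mime_from != mail_from:
        return False, f"MIME From <{mime_from}> differs from MAIL FROM <{mail_from}>"
    return True, "MIME From is consistent with MAIL FROM"


def check_transcript(transcript):
    return send_on_behalf_check(*parse_session(transcript))


if __name__ == "__main__":
    for name, sample in (("spoofed", SAMPLE_SPOOFED), ("consistent", SAMPLE_CONSISTENT),
                         ("double From", SAMPLE_DOUBLE_FROM)):
        print(name, check_transcript(sample))
```

Real traffic complicates the strict address comparison: bounces use an empty reverse-path (`MAIL FROM:<>`), and mailing lists and bulk senders legitimately use a different envelope address, so deployed checks usually compare domains or consult an allow-list. The rule on multiple From header fields, by contrast, can be applied as-is.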
Based on any of the above embodiments, the step of analyzing the mail data packet through the preset mail security detection algorithm to obtain the detection result of the mail data packet comprises:
performing source detection on the mail data packet, wherein the source detection comprises performing Sender Policy Framework (SPF) verification, DomainKeys Identified Mail (DKIM) verification and Domain-based Message Authentication (DMARC) verification on the mail data packet;
and when the source verification fails, the detection result corresponding to the mail data packet is that the mail is abnormal.
Specifically, Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication (DMARC) are three protocols used to secure mail, and they protect mail security to a great extent. However, when SPF/DKIM/DMARC verification fails, mail providers do not inform the user, and the mail is likely to enter the inbox anyway. In the application, if SPF/DKIM/DMARC verification fails, or all three protocols verify but the verified identity entities differ, the UI reminds the user that the mail source is not trusted.
By performing source detection on the mail data packet, the application achieves more complete and accurate fake e-mail detection.
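An added example of the source detection described above, not code from the patent: it reads the Authentication-Results header that a receiving MTA writes after its own SPF, DKIM and DMARC evaluation (RFC 8601), requires all three to pass, and checks that the identity each method verified (the SPF envelope-sender domain and the DKIM d= domain) agrees with the From domain, which is the consistency comparison of verified identity entities. The header values and domains are constructed, and the organizational-domain helper uses a two-label approximation rather than the Public Suffix List.

```python
# Added example (not the patent's code): source detection on the receiver's own
# Authentication-Results header (RFC 8601). All three of SPF, DKIM and DMARC
# must pass, and the identities each one verified must agree with the From
# domain, otherwise the 'mail source is not trusted' reminder is raised.
import re
from email.utils import parseaddr

# Constructed samples: the From header plus the Authentication-Results line a
# receiving MTA (here mx.example.net) might have added after its DNS checks.
SAMPLE_ALIGNED = {
    "From": "Alice <alice@example.com>",
    "Authentication-Results": (
        "mx.example.net; spf=pass smtp.mailfrom=bounce.example.com; "
        "dkim=pass (2048-bit key) header.d=example.com header.i=@example.com; "
        "dmarc=pass header.from=example.com"),
}
SAMPLE_MISALIGNED = {
    "From": "Alice <alice@example.com>",
    "Authentication-Results": (
        "mx.example.net; spf=pass smtp.mailfrom=attacker-example.org; "
        "dkim=pass header.d=attacker-example.org; "
        "dmarc=fail header.from=example.com"),
}


def parse_auth_results(value):
    """Map method name -> {'result': ..., property: value, ...}."""
    value = re.sub(r"\([^)]*\)", "", value)          # drop RFC 8601 comments
    clauses = [c.strip() for c in value.split(";") if c.strip()]
    results = {}
    for clause in clauses[1:]:                        # clauses[0] is the authserv-id
        tokens = clause.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = {"result": result.lower(), **props}
    return results


def org_domain(domain):
    # Simplification used here: the last two labels. Real DMARC uses the
    # Public Suffix List to find the organizational domain.
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def source_check(headers):
    """(passed, problems): all three methods pass and SPF/DKIM identities align with From."""
    from_domain = parseaddr(headers.get("From", ""))[1].rpartition("@")[2].lower()
    ar = parse_auth_results(headers.get("Authentication-Results", ""))
    problems = [f"{m} did not pass" for m in ("spf", "dkim", "dmarc")
                if ar.get(m, {}).get("result") != "pass"]
    spf_identity = ar.get("spf", {}).get("smtp.mailfrom", "").rpartition("@")[2]
    dkim_identity = ar.get("dkim", {}).get("header.d", "")
    for name, identity in (("SPF", spf_identity), ("DKIM", dkim_identity)):
        if identity and org_domain(identity) != org_domain(from_domain):
            problems.append(f"{name} identity {identity} is not aligned with From domain {from_domain}")
    return not problems, problems


if __name__ == "__main__":
    print("aligned:", source_check(SAMPLE_ALIGNED))
    print("misaligned:", source_check(SAMPLE_MISALIGNED))
```

Because any sender can include an Authentication-Results header of its own, a receiver must strip or ignore incoming headers that carry its own authserv-id and trust only the one it adds itself; the check above assumes that has already been done.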
Based on any of the above embodiments, the step of analyzing the mail data packet through the preset mail security detection algorithm to obtain the detection result of the mail data packet comprises:
performing sender detection on the mail data packet, wherein the sender detection detects special characters in the MIME From field of the mail data packet;
and when the sender detection does not pass, the detection result corresponding to the mail data packet is that the mail is abnormal.
Specifically, although the RFCs do not explicitly specify that special characters and Unicode reverse-order (bidirectional override) characters cannot be used in the MIME From field, mail containing these characters can be exploited by an attacker to send convincing fake mail. The application proposes that if the MIME From field contains special characters (such as the bytes \x81 and \xff, the characters \t, \n and ', and Unicode control characters such as U+202E), the UI reminds the user that the mail sender is not trusted.
By performing sender detection on the mail data packet, the application achieves more complete and accurate fake e-mail detection.
Based on any of the above embodiments, the step of analyzing the mail data packet through the preset mail security detection algorithm to obtain the detection result of the mail data packet comprises:
performing highly similar domain name detection on the mail data packet, wherein the highly similar domain name detection detects the From field in the mail data packet;
and when the From field in the mail data packet is an internationalized domain name (IDN), the detection result corresponding to the mail data packet is that the mail is abnormal.
Specifically, as domain names have become internationalized (IDN), mail domains have also begun to use IDN domain names. However, when such a domain name is rendered at the front end, an attacker can use it to produce a mail-forgery effect. The application proposes that if the From field of the mail is an IDN domain name, there may be phishing behavior using a highly similar domain name, and the UI reminds the user to beware of a highly similar domain name.
By performing highly similar domain name detection on the mail data packet, the application achieves more complete and accurate fake e-mail detection.
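The following added example (not the patent's code) implements both the sender detection of the preceding embodiment and the highly similar domain name detection of this one on a single raw From header value. It decodes RFC 2047 encoded words first, so that characters hidden inside an encoded display name are still seen; it reports every character in the Unicode C* categories (this covers \x81, \t, \n and U+202E from the text, but deliberately not the ordinary apostrophe, which is common in legitimate names); and it flags a From domain that is an IDN, decoding xn-- labels to show what the user would actually see. The header values are constructed, and the punycode sample is generated with Python's idna codec.

```python
# Added example (not the patent's code): the two checks the patent applies to
# the From header field. Sender detection flags control, format and otherwise
# unprintable characters anywhere in the decoded header. Highly similar domain
# name detection flags a From domain that is an IDN (non-ASCII or xn-- labels).
import base64
import unicodedata
from email.header import decode_header
from email.utils import parseaddr

# Constructed samples.
SAMPLE_PLAIN_FROM = "Alice <alice@example.com>"
# Display name "Admin" followed by RIGHT-TO-LEFT OVERRIDE, RFC 2047 encoded.
SAMPLE_BIDI_FROM = ("=?utf-8?b?" + base64.b64encode("Admin\u202e".encode()).decode()
                    + "?= <admin@example.com>")
# Domain "p\u0430ypal.com" (Cyrillic small a) in its ASCII (punycode) form.
SAMPLE_IDN_FROM = "Service <service@" + "p\u0430ypal.com".encode("idna").decode("ascii") + ">"


def decode_from(raw):
    """RFC 2047-decode a From header value into one str."""
    return "".join(part if isinstance(part, str) else part.decode(enc or "ascii", "replace")
                   for part, enc in decode_header(raw))


def special_characters(text):
    """List 'U+XXXX NAME' for every character in Unicode category C* (control,
    format, surrogate, private use, unassigned)."""
    return [f"U+{ord(ch):04X} {unicodedata.name(ch, '<control>')}"
            for ch in text if unicodedata.category(ch).startswith("C")]


def idn_domain(domain):
    """Return the Unicode form if the domain is an IDN, else None."""
    labels = domain.lower().split(".")
    if any(ord(c) > 127 for c in domain):
        return domain                        # raw UTF-8 (SMTPUTF8) domain
    if any(label.startswith("xn--") for label in labels):
        return domain.encode("ascii").decode("idna")
    return None


def from_checks(raw_from):
    """Combined result for one raw From header value."""
    decoded = decode_from(raw_from)
    _, address = parseaddr(decoded)
    domain = address.rpartition("@")[2]
    result = {"decoded": decoded, "special_chars": special_characters(decoded),
              "idn_domain": idn_domain(domain), "reminders": []}
    if result["special_chars"]:
        result["reminders"].append("mail sender is not trusted")
    if result["idn_domain"]:
        result["reminders"].append("beware of a highly similar domain name")
    result["ok"] = not result["reminders"]
    return result


if __name__ == "__main__":
    for sample in (SAMPLE_PLAIN_FROM, SAMPLE_BIDI_FROM, SAMPLE_IDN_FROM):
        print(repr(sample), "->", from_checks(sample))
```

Decoding the IDN is what makes the reminder useful to a reader: showing the decoded "pаypal.com" next to the ASCII "xn--" form makes the substitution visible, whereas a client that silently renders the Unicode form is exactly the front-end display problem the text describes.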
Based on any of the above embodiments, the step of analyzing the mail data packet through the preset mail security detection algorithm to obtain the detection result of the mail data packet comprises:
performing encryption detection on the mail data packet, wherein the encryption detection detects whether the mail data packet is encrypted with the Transport Layer Security (TLS) protocol;
and when the mail data packet is not encrypted with TLS, the detection result corresponding to the mail data packet is that the mail is abnormal.
Specifically, if the mail is transmitted in plaintext without encryption, it can be exploited by an attacker through a man-in-the-middle attack. The application proposes that if the mail is not encrypted with TLS and may therefore have been subject to a man-in-the-middle attack, the UI reminds the user that the mail content is not encrypted and is not secure.
By performing encryption detection on the mail data packet, the application achieves more complete and accurate fake e-mail detection.
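An added example (not the patent's code) of encryption detection from the Received trace. The receiving server itself knows whether STARTTLS was negotiated on the connection; this example shows the equivalent check a downstream component can make from the Received header that server wrote, using the RFC 3848 "with" keywords (ESMTPS, ESMTPSA, SMTPS) and a Postfix-style "(using TLSv...)" clause. The Received lines and host names are constructed, and mx.example.net stands in for the receiving server.

```python
# Added example (not the patent's code): encryption detection from the Received
# trace. Only the Received line that the receiving server itself wrote is
# trustworthy; earlier lines come with the message and may be forged. The
# "with" protocol keyword (RFC 3848: ESMTPS / ESMTPSA / SMTPS mean TLS) and a
# Postfix-style "(using TLSv...)" clause decide whether that hop was encrypted.
import re

OWN_HOSTNAME = "mx.example.net"           # the receiving server's own name
TLS_KEYWORDS = {"ESMTPS", "ESMTPSA", "SMTPS", "UTF8SMTPS", "UTF8SMTPSA"}

# Constructed Received headers, topmost first (as stored in the message).
RECEIVED_TLS = [
    "from relay.example.com (relay.example.com [192.0.2.10]) "
    "(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) "
    "by mx.example.net (Postfix) with ESMTPS id ABC123 for <alice@example.net>; "
    "Mon, 17 May 2021 10:00:05 +0800",
    "from [10.0.0.5] by relay.example.com with ESMTPSA id XYZ; Mon, 17 May 2021 10:00:01 +0800",
]
RECEIVED_PLAIN = [
    "from relay.attacker-example.org (unknown [203.0.113.7]) "
    "by mx.example.net (Postfix) with ESMTP id DEF456 for <alice@example.net>; "
    "Mon, 17 May 2021 10:00:05 +0800",
    # The sender controls this line; it falsely claims an encrypted earlier hop.
    "from mail.bank-example.com by relay.attacker-example.org with ESMTPS id FAKE; "
    "Mon, 17 May 2021 10:00:01 +0800",
]


def hop_was_encrypted(received):
    """True if one Received line records a TLS-protected hop."""
    keywords = {w.upper() for w in re.findall(r"\bwith\s+([A-Za-z0-9]+)", received)}
    return bool(keywords & TLS_KEYWORDS) or bool(re.search(r"\(using (TLS|SSL)", received))


def own_hop(received_headers, own_hostname=OWN_HOSTNAME):
    """The Received line written by this server (first one with 'by <own host>')."""
    for line in received_headers:
        if re.search(r"\bby\s+" + re.escape(own_hostname) + r"\b", line, re.IGNORECASE):
            return line
    return None


def encryption_check(received_headers, own_hostname=OWN_HOSTNAME):
    """(passed, reason) for the final delivery hop into this server."""
    hop = own_hop(received_headers, own_hostname)
    if hop is None:
        return False, "no Received line written by this server"
    if hop_was_encrypted(hop):
        return True, "final hop used TLS"
    return False, "mail content is not encrypted and is not secure"


if __name__ == "__main__":
    print("tls:", encryption_check(RECEIVED_TLS))
    print("plain:", encryption_check(RECEIVED_PLAIN))
```

Only the hop written by the receiving server is consulted: the other Received lines arrive inside the message and can say whatever the sender wants, as the second line of RECEIVED_PLAIN shows, so a check that scanned every Received line for "ESMTPS" would be trivially satisfied by a forged trace.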
In another embodiment of the present application, the SMTP mail data packet sent by the mail receiving module is first received and loaded into the mail security detection algorithm; the detection result and the SMTP data packet are sent to the mail processing module, which processes the SMTP data packet into an .eml file and sends the .eml file together with the mail detection result to the web page end; the client receives the .eml file and the mail detection result transmitted by the mail processing module and displays the .eml file to the user on the front end, and if the mail detection result shows that the mail has a security problem, the detection result is shown to the user in the form of a UI reminder.
FIG. 2 is a schematic diagram of the device for identifying fake e-mails provided by the present application. As shown in FIG. 2, the device includes an analysis module 210 and a display module 220. The analysis module 210 is configured to analyze the mail data packet through a preset mail security detection algorithm to obtain a detection result of the mail data packet; the display module 220 is configured to display the detection result corresponding to the mail data packet synchronously on the display interface of the mail data packet; and the preset mail security detection algorithm comprises at least one of send-on-behalf detection, source detection, sender detection, highly similar domain name detection and encryption detection.
FIG. 3 is a schematic diagram of the physical structure of an electronic device according to the present application. As shown in FIG. 3, the electronic device may include a processor 310, a communication interface (Communications Interface) 320, a memory 330 and a communication bus 340, wherein the processor 310, the communication interface 320 and the memory 330 communicate with each other through the communication bus 340. The processor 310 may invoke logic instructions in the memory 330 to perform the method for identifying fake e-mails, the method comprising: analyzing the mail data packet through a preset mail security detection algorithm to obtain a detection result of the mail data packet; displaying the detection result corresponding to the mail data packet on the display interface of the mail data packet; wherein the preset mail security detection algorithm comprises at least one of send-on-behalf detection, source detection, sender detection, highly similar domain name detection and encryption detection.
In addition, the logic instructions in the memory 330 may be implemented in the form of software functional modules and stored in a computer-readable storage medium for sale or use as a stand-alone product. Based on this understanding, the technical solution of the present application, or the part that contributes to the prior art, or a part of the technical solution, may be embodied in the form of a software product stored in a storage medium and comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
In another aspect, the present application also provides a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the method for identifying fake e-mails provided by the methods described above, the method comprising: analyzing the mail data packet through a preset mail security detection algorithm to obtain a detection result of the mail data packet; displaying the detection result corresponding to the mail data packet on the display interface of the mail data packet; wherein the preset mail security detection algorithm comprises at least one of send-on-behalf detection, source detection, sender detection, highly similar domain name detection and encryption detection.
In yet another aspect, the present application also provides a non-transitory computer-readable storage medium on which a computer program is stored which, when executed by a processor, performs the method for identifying fake e-mails provided by the above embodiments, the method comprising: analyzing the mail data packet through a preset mail security detection algorithm to obtain a detection result of the mail data packet; displaying the detection result corresponding to the mail data packet on the display interface of the mail data packet; wherein the preset mail security detection algorithm comprises at least one of send-on-behalf detection, source detection, sender detection, highly similar domain name detection and encryption detection.
The apparatus embodiments described above are merely illustrative, wherein the modules illustrated as separate components may or may not be physically separate, and the components shown as modules may or may not be physical, i.e., may be located in one place, or may be distributed over a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present application without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
Finally, it should be noted that: the above embodiments are only for illustrating the technical solution of the present application, and are not limiting; although the application has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present application.

Claims (8)

1. A method for identifying fake e-mails, comprising:
analyzing a mail data packet through a preset mail security detection algorithm to obtain a detection result of the mail data packet;
displaying the detection result corresponding to the mail data packet on a display interface of the mail data packet;
wherein the detection result is one of: the mail was sent on behalf of someone else; the mail source is not trusted; the mail sender is not trusted; beware of a highly similar domain name; or the mail content is not encrypted and is not secure;
the detection result that the mail sender is not trusted is obtained when the MIME From is detected to contain special characters and to be non-compliant, wherein the MIME From is non-compliant when there are multiple From header fields or the From has multiple values;
the preset mail security detection algorithm comprises at least one of send-on-behalf detection, source detection, sender detection, highly similar domain name detection and encryption detection;
and the step of analyzing the mail data packet through the preset mail security detection algorithm to obtain the detection result of the mail data packet comprises:
performing source detection on the mail data packet, wherein the source detection comprises performing Sender Policy Framework (SPF) verification, DomainKeys Identified Mail (DKIM) verification and Domain-based Message Authentication (DMARC) verification on the mail data packet, and at the same time comparing the identity entities verified by the three verification methods and their results for consistency;
and when the source verification fails, the detection result corresponding to the mail data packet is that the mail is abnormal.
2. The method for identifying counterfeit emails according to claim 1, wherein analyzing the mail data packet with the preset mail security monitoring algorithm to obtain the detection result for the mail data packet comprises the following steps:
performing substitute-sending detection on the mail data packet, the substitute-sending detection comparing the MIME From and the MAIL From of the mail data packet for consistency;
and when the substitute-sending detection fails, the detection result corresponding to the mail data packet is "mail abnormal".
3. The method for identifying counterfeit emails according to claim 1, wherein analyzing the mail data packet with the preset mail security monitoring algorithm to obtain the detection result for the mail data packet comprises the following steps:
performing sender detection on the mail data packet, the sender detection checking the MIME From field of the mail data packet for special characters;
and when the sender detection fails, the detection result corresponding to the mail data packet is "mail abnormal".
4. The method for identifying counterfeit emails according to claim 1, wherein analyzing the mail data packet with the preset mail security monitoring algorithm to obtain the detection result for the mail data packet comprises the following steps:
performing look-alike domain name detection on the mail data packet, the look-alike domain name detection checking the From field of the mail data packet;
and when the From field of the mail data packet is an internationalized domain name, the detection result corresponding to the mail data packet is "mail abnormal".
5. The method for identifying counterfeit emails according to claim 1, wherein analyzing the mail data packet with the preset mail security monitoring algorithm to obtain the detection result for the mail data packet comprises the following steps:
performing encryption detection on the mail data packet, the encryption detection checking whether the mail data packet was transmitted under Transport Layer Security (TLS);
and when the mail data packet is detected not to have been transmitted under TLS, the detection result corresponding to the mail data packet is "mail abnormal".
6. A counterfeit email identifying device, comprising:
an analysis module for analyzing a mail data packet with a preset mail security monitoring algorithm to obtain a detection result for the mail data packet;
a display module for displaying the detection result corresponding to the mail data packet on the display interface of the mail data packet;
wherein the detection result is one of: the mail was sent on behalf of another party, the mail source is not trusted, the mail sender is not trusted, the domain name is a carefully crafted look-alike (highly similar) domain, or the mail content is not encrypted and is not secure;
the result "the mail sender is not trusted" is obtained when the MIME From is detected to contain special characters and to be non-compliant, where a non-compliant MIME From means multiple From header fields or a From header with multiple values;
the preset mail security monitoring algorithm comprises at least one of substitute-sending detection, source detection, sender detection, look-alike domain name detection and encryption detection;
wherein the device is further configured to:
perform source detection on the mail data packet, the source detection comprising Sender Policy Framework (SPF) verification, DomainKeys Identified Mail (DKIM) verification and Domain-based Message Authentication, Reporting and Conformance (DMARC) verification of the mail data packet, and additionally comparing the identity entities verified by the three methods, together with their results, for consistency;
and when the source verification fails, the detection result corresponding to the mail data packet is "mail abnormal".
7. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor performs the steps of the method of identifying counterfeit emails according to any one of claims 1 to 5 when the program is executed.
8. A non-transitory computer readable storage medium having stored thereon a computer program, wherein the computer program when executed by a processor implements the steps of the method of identifying counterfeit emails according to any one of claims 1 to 5.
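The five detections of claims 1 to 5 can all be run on parsed message headers. The Python below is an added example written for this page; it is not the patent's implementation or the applicants' code. It assumes that the envelope MAIL FROM is supplied by the receiving MTA, that SPF/DKIM/DMARC outcomes are read from an Authentication-Results header written by a trusted MTA (rather than doing the DNS lookups itself), that TLS on the last hop is inferred from the topmost Received header, that MIME From and MAIL From are compared at domain level, and that special characters and a non-compliant From header are independent triggers for the "sender not trusted" result. The three sample messages are constructed for the example.

```python
"""Header checks modelled on the five detections in claims 1 to 5.

Added example, not the patent's implementation. Assumptions are marked inline.
"""
from __future__ import annotations

import re
from email import message_from_string
from email.message import Message

# Result labels follow the detection results listed in claim 1.
R_SUBSTITUTE = "mail sent on behalf of another party"
R_SOURCE = "mail source is not trusted"
R_SENDER = "mail sender is not trusted"
R_LOOKALIKE = "look-alike (internationalized) domain name"
R_UNENCRYPTED = "mail not encrypted in transit"

# Conservative ASCII addr-spec: RFC 5322 atext local part, LDH domain.
# Anything outside this (quotes, parentheses, whitespace, ...) counts as a special character.
ADDR_SPEC = re.compile(r"^[A-Za-z0-9.!#$%&'*+/=?^_`{|}~-]+@[A-Za-z0-9.-]+$")
# Assumption: TLS on the last hop is inferred from the topmost Received header via the
# RFC 3848 "with" keywords (ESMTPS, ESMTPSA, UTF8SMTPS, ...) or an explicit TLS note.
TLS_RECEIVED = re.compile(r"\bwith\s+(?:UTF8)?E?SMTPSA?\b|\bTLS", re.IGNORECASE)


def domain_of(addr: str) -> str:
    """Lower-cased domain part of an addr-spec ('' when there is no '@')."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def from_addresses(msg: Message) -> list[str]:
    """Every addr-spec found across all From header fields (more than one is non-compliant)."""
    addrs: list[str] = []
    for hdr in msg.get_all("From", []):
        bracketed = re.findall(r"<([^>]*)>", hdr)
        if bracketed:
            addrs.extend(a.strip() for a in bracketed)
        else:
            addrs.append(hdr.strip())
    return addrs


def parse_auth_results(value: str) -> dict[str, tuple[str, str]]:
    """Parse an Authentication-Results value into {method: (result, identity domain)}.

    Assumption: the header was written by a trusted MTA in the common form
    'authserv-id; spf=pass smtp.mailfrom=a@x; dkim=pass header.d=x; dmarc=pass header.from=x'.
    """
    parsed: dict[str, tuple[str, str]] = {}
    for clause in value.split(";")[1:]:          # clause 0 is the authserv-id
        method = re.match(r"\s*(spf|dkim|dmarc)=(\w+)", clause)
        if not method:
            continue
        ident = re.search(r"(?:smtp\.mailfrom|header\.d|header\.from|header\.i)=(\S+)", clause)
        raw_ident = ident.group(1) if ident else ""
        ident_domain = domain_of(raw_ident) if "@" in raw_ident else raw_ident.lower()
        parsed[method.group(1)] = (method.group(2).lower(), ident_domain)
    return parsed


def check_message(raw: str, mail_from: str) -> list[str]:
    """Run the five detections and return the detection results that fired."""
    msg = message_from_string(raw)
    findings: list[str] = []
    from_headers = msg.get_all("From", [])
    addrs = from_addresses(msg)

    # Claim 2, substitute sending: MIME From vs envelope MAIL FROM
    # (assumption: compared at domain level, as DMARC alignment does).
    if addrs and domain_of(addrs[0]) != domain_of(mail_from):
        findings.append(R_SUBSTITUTE)

    # Claim 1, source detection: SPF, DKIM and DMARC must all pass and the
    # identities they verified must agree with each other.
    auth = msg.get("Authentication-Results")
    results = parse_auth_results(auth) if auth else {}
    identities = {dom for _, dom in results.values() if dom}
    if any(results.get(m, ("none", ""))[0] != "pass" for m in ("spf", "dkim", "dmarc")) \
            or len(identities) != 1:
        findings.append(R_SOURCE)

    # Claims 1 and 3, sender detection: several From fields, several mailboxes,
    # or special characters in the addr-spec.
    if len(from_headers) != 1 or len(addrs) != 1:
        findings.append(R_SENDER)
    for addr in addrs:
        dom = domain_of(addr)
        # Claim 4, look-alike domain: non-ASCII or punycode (xn--) labels in the domain.
        if not dom.isascii() or any(label.startswith("xn--") for label in dom.split(".")):
            findings.append(R_LOOKALIKE)
        elif not ADDR_SPEC.match(addr):
            findings.append(R_SENDER)

    # Claim 5, encryption detection on the last hop.
    received = msg.get_all("Received", [])
    if not received or not TLS_RECEIVED.search(received[0]):
        findings.append(R_UNENCRYPTED)
    return list(dict.fromkeys(findings))  # de-duplicate, keep first-seen order


# Constructed sample messages (not taken from the patent).
GOOD_MSG = "\n".join([
    "Received: from mail.example.com (mail.example.com [192.0.2.10]) by mx.corp.example with ESMTPS id abc123; Mon, 17 May 2021 10:00:00 +0000",
    "Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=alice@example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com",
    "From: Alice <alice@example.com>",
    "To: bob@corp.example",
    "Subject: Quarterly report",
    "",
    "Please find the report attached.",
])
SPOOFED_MSG = "\n".join([
    "Received: from unknown (unknown [203.0.113.5]) by mx.corp.example with ESMTP id def456; Mon, 17 May 2021 10:05:00 +0000",
    "Authentication-Results: mx.corp.example; spf=fail smtp.mailfrom=bounce@attacker.test; dkim=none; dmarc=fail header.from=example.com",
    "From: Alice <alice@example.com>",
    "From: Alice <alice@exam\u0440le.com>",  # second From field; Cyrillic letter in the domain
    "To: bob@corp.example",
    "Subject: Urgent wire transfer",
    "",
    "Please pay the attached invoice today.",
])
SPECIAL_MSG = "\n".join([
    "Received: from mail.example.com (mail.example.com [192.0.2.10]) by mx.corp.example with ESMTPS id ghi789; Mon, 17 May 2021 10:10:00 +0000",
    "Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=alice@example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com",
    'From: <"al ice"@example.com>',  # quoted local part with whitespace: rejected by ADDR_SPEC
    "To: bob@corp.example",
    "Subject: Hello",
    "",
    "Hi.",
])

if __name__ == "__main__":
    for name, raw, envelope in [("good", GOOD_MSG, "alice@example.com"),
                                ("spoofed", SPOOFED_MSG, "bounce@attacker.test"),
                                ("special", SPECIAL_MSG, "alice@example.com")]:
        print(name, check_message(raw, envelope))
```

A real deployment would replace `parse_auth_results` with the MTA's own SPF/DKIM/DMARC evaluation and should strip any Authentication-Results header that arrives from outside before trusting it, since that header is only meaningful when the local MTA wrote it.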
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110548160.XA 2021-05-19 2021-05-19 Method and device for identifying fake e-mail

Publications (2)

Publication Number Publication Date
CN113381983A (en) 2021-09-10
CN113381983B (en) 2023-09-22

Family ID: 77571362

Country Status (1)

Country Link
CN CN113381983B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant