JP2007172402A - Illegal mail detection system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To prevent an illegal operation of a virus for acquiring a mail server name by eavesdropping a transmitted mail. <P>SOLUTION: In this illegal mail detection system for detecting the delivery of an illegal electronic mail from a terminal 1 infected by the computer virus, the terminal 1 stores mail server information for specifying a normal mail server for transferring the electronic mail, and dummy mail server information dummy to the normal mail server information, in a dummy mail server information storage part 42, a dummy mail transmitting part 41 transmits the electronic mail, using a dummy mail server information at preset timing, and the dummy mail server detects the delivery of the illegal electronic mail, when receiving the electronic mail prepared using the dummy mail server information, at the timing other than the preset timing. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a fraudulent mail detection system for blocking transmission of mail data to which fraudulent application data is attached among viruses on a network.

  Conventionally, as virus detection technology, data that describes characteristic information called definition file for a known virus is prepared in advance, and a file that may be infected with a virus is pattern-matched with the definition file. It has been known. This definition file is a file that contains the characteristics of a computer virus-infected file or a worm program that repeats itself over the network, and is defined by anti-virus software (vaccine software) to detect computer viruses and worms. Each virus pattern recorded in the file is compared with the file to be inspected, and if a match with the pattern is found, it is determined that the file is infected with the virus.

  In addition, as a worm countermeasure that is a type of virus that has been known in the past, for example, one described in "http://www.nttdata.co.jp/netcom/pdf/nc04_ss_03.pdf" Can be mentioned.

  However, the conventional pattern matching type virus detection technology that prepares a virus definition file has a problem that it cannot detect a new type of virus or a subtype of virus that does not have a definition file.

  Therefore, the present invention has been proposed in view of the above-described situation, and an unauthorized mail detection system capable of preventing the operation of an unauthorized virus of a type that eavesdrops a transmitted mail and obtains a mail server name. The purpose is to provide.

  The present invention is a fraudulent mail detection system that detects that a fraudulent e-mail is being distributed from a terminal infected with a computer virus. In order to solve the above-mentioned problem, a legitimate mail that transfers an e-mail is provided. Mail server information for specifying a server, storage means for storing dummy dummy mail server information for the mail server information, and e-mail addressed to a legitimate mail server using the mail server information stored in the storage means A terminal including a transmission unit that performs a transmission process and performs a process of transmitting an e-mail using dummy mail server information stored in the storage unit at a preset timing; and a timing other than a preset timing If an email created using dummy email server information is received, And a dummy mail server detects that the signal.

  The fraudulent mail detection system according to the present invention stores mail server information for specifying a legitimate mail server and dummy dummy mail server information for the mail server information, and the dummy mail server at a preset timing. Create and send e-mail using information, and detect e-mail delivered when the e-mail is received by a dummy mail server at a different timing. In this way, it is possible to detect and prevent the operation of an illegal virus that acquires the mail server name.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

  For example, as shown in FIG. 1, the present invention includes terminals 1A and 1B, mail servers 2 and 3, and a dummy mail server 100. The e-mail data transmitted from the terminal 1A is eavesdropped and the mail server name is changed. The present invention is applied to a fraudulent mail detection system that detects the operation of a computer virus that illegally obtains and sends fraudulent e-mail data to the mail server 2. In this embodiment, for example, a case where the terminal 1A is infected with a computer virus and unauthorized e-mail data transmitted from the terminal 1A is detected will be described.

  Normally, in this fraudulent mail detection system, when sending mail data from the terminal 1A to the terminal 1B, the terminal 1A first creates mail data with the destination mail address "hanako@osaka.jp". The e-mail data is transmitted to the mail server (SMTP (Simple Mail Transfer Protocol) server) 2 having the mail server name “mail.tokyo.jp” registered in the mail client setting.

  When this email data is received by the mail server 2 with the host name “mail.tokyo.jp”, the mail server 2 recognizes the destination of the email data included in the email data, and The e-mail data is transferred to the mail server 3 that can be accessed by the destination terminal 1B of the mail data. The terminal 1B can acquire the e-mail data transmitted from the terminal 1A by accessing the mail server 3 and confirming the mail box.

  In contrast to such a normal mail transmission operation, the terminal 1A is infected with an illegal virus of eavesdropping the mail server name from the transmitted e-mail data, and the unauthorized software execution unit 13 as shown in FIG. Once formed, the function of the unauthorized software execution unit 13 eavesdrops on the legitimate mail server name when sending legitimate e-mail data M2 ((1) in FIG. 1). Then, the unauthorized software execution unit 13 transmits the e-mail data M1 to which the address “hanako@osaka.jp” is addressed and a virus file is attached to the e-mail server 2 having the name of the eavesdropping mail server ((2 in FIG. 1). )), The e-mail data M1 is transferred from the mail server 2 to the mail server 3 ((3) in FIG. 1), and the terminal 1B confirms the mailbox of the mail server 3 ((4) in FIG. 1). The e-mail data M1 with the virus file attached is acquired by the terminal 1B ((5) in FIG. 1).

  In the fraudulent mail detection system performing such an operation, the terminal 1A infected with the virus, for example, previews the fraudulent mail content transmitted from another terminal or executes a fraudulent attachment as shown in FIG. Therefore, the unauthorized software execution unit 13 is mounted on the application layer. The terminal 1A also has a basic software execution unit 11 and a mail client software execution unit 12 that executes the mail client software by installing basic software, mail client software, dummy mail server transmission software, and unauthorized mail detection software. And a dummy mail transmission software execution unit 14 and an unauthorized mail detection software execution unit 15.

  The basic software execution unit 11 includes a communication interface unit 21 connected to a network, a TCP (Transmission Control Protocol) / IP (Internet Protocol) communication control unit 22, and an unauthorized software detection unit detected by the unauthorized mail detection software execution unit 15. 13 includes a file management unit 23 that manages a file that may have been created in 13 and a process management unit 24 that can manage the process of the unauthorized software execution unit 13 when the unauthorized software execution unit 13 is installed.

  In the basic software execution unit 11, when the regular email data is created by the mail client software execution unit 12, the email data is transferred to the TCP / IP communication control unit 22. The TCP / IP communication control unit 22 creates an IP packet by adding a transport layer header and an IP layer header of a TCP header or UDP (User Datagram Protocol) header to the head of the delivered electronic mail data, Output to the detection software execution unit 15. The e-mail data is sent to the network after the communication interface unit 21 adds a link layer header or the like to the IP packet, performs a predetermined modulation process, and the like.

  The IP packet including the electronic mail data transmitted from the network to the terminal 1A is subjected to demodulation processing by the communication interface unit 21, and then analyzed by the TCP / IP communication control unit 22 to execute the mail client software. Passed to part 12.

  The mail client software execution unit 12 stores mail server information for specifying a regular mail server 2 to which electronic mail data is transferred. This mail server information includes the mail server name and IP address of the legitimate mail server 2, its own mail address, the mail address book of the e-mail transmission destination, and the like. Data can be created.

  The mail client software execution unit 12 supplies a mail transmission start signal to the mail transmission detection unit 43 when transmitting e-mail data. On the other hand, the mail client software execution unit 12 suspends transmission of e-mail data until a mail transmission start permission signal is received from the mail transmission detection unit 43, and basically receives e-mail data after receiving the mail transmission start permission signal. It is passed to the software execution unit 11.

  The dummy mail transmission software execution unit 14 includes a dummy mail transmission unit 41, a dummy mail server information storage unit 42, and a mail transmission detection unit 43.

  The dummy mail server information storage unit 42 stores dummy mail server information including the dummy mail server name of the dummy mail server 100. This dummy mail server information is read by the dummy mail transmission unit 41 and used by the dummy mail transmission unit 41 to create dummy email data.

  The mail transmission detection unit 43 adjusts the timing at which the dummy email transmission unit 41 transmits dummy email data and the timing at which the email client software execution unit 12 transmits regular email data. When the transmission timing of the dummy e-mail data of the dummy e-mail transmission unit 41 is set by a timer that measures a predetermined time, the e-mail transmission detection unit 43 is properly set at a timing different from the transmission timing of the dummy e-mail data. Send email data.

  As shown in FIG. 3, the process of controlling the transmission timing of the dummy email data by this timer is the timing at which the dummy mail transmission unit 41 is notified by the internal timer measuring the set time of the fixed value or the random value. (Step S1). Then, when notified that the timer has counted the predetermined time, the dummy mail transmission unit 41 reads the dummy mail server information in the dummy mail server information storage unit 42 in step S2, and transmits the dummy mail server 100 as the transmission destination. In step S3, dummy e-mail data is generated. In addition, when the timer measures the predetermined time and the timing for transmitting the dummy electronic mail data is reached, a notification to that effect is also transmitted to the mail transmission detection unit 43.

  In step S4, the dummy mail transmission unit 41 adds a dummy mail identifier that causes the dummy mail server 100 to identify that the generated dummy e-mail data is a dummy that is not legitimate e-mail data. The plurality of dummy e-mail data is transmitted at predetermined time intervals or random time intervals.

  Next, the dummy mail transmission unit 41 sets the time measured by the timer to a fixed value or a random value in order to elapse the timing for transmitting dummy e-mail data next time, and ends the processing.

  Further, the mail transmission detection unit 43 may adjust so that dummy email data is transmitted before and after the transmission timing of regular email data.

  When the mail transmission start signal is supplied from the mail client software execution unit 12, the mail transmission detection unit 43 notifies the dummy mail transmission unit 41 of the mail transmission start signal. In response to this, the dummy mail transmission unit 41 creates one or a plurality of dummy e-mail data at a preset random timing, transmits the dummy e-mail data via the basic software execution unit 11, and then detects the mail transmission. The unit 43 is notified that the transmission of the dummy e-mail data has been completed. When the mail transmission detecting unit 43 receives a notification from the dummy mail transmitting unit 41 that the transmission of the dummy e-mail data has been completed, the mail transmission detecting unit 43 transmits a mail transmission start permission signal to the mail client software executing unit 12, and the mail client software executing unit 12 Legitimate e-mail data is transmitted from the e-mail to the dummy e-mail transmission unit 41. The dummy mail transmission unit 41 transmits one or more dummy e-mail data again at random timing in response to the end of transmission of the e-mail data from the mail client software execution unit 12.

  In this process, as shown in FIG. 4, the mail transmission detecting unit 43 waits for the mail transmission start signal from the mail client software execution unit 12 to be supplied in step S11, and the mail transmission start signal is supplied. Later, in step S12, the transmission number P1 of dummy email data is set by the mail transmission detection unit 43. The transmission number P1 of the dummy e-mail data may be a fixed number or random.

  Next, the dummy mail transmission unit 41 transmits dummy e-mail data by performing the processes of steps S2 to S5 in the same manner as in FIG. 3, and in step S13, the number of times the dummy e-mail data is transmitted is determined in step S12. It is determined whether or not the transmitted number P1 has been reached, and if not, the processes in steps S2 to S5 are repeated. When the number of transmissions of the dummy e-mail data reaches the number of transmissions P1, the e-mail transmission detection unit 43 transmits a normal e-mail data by transmitting an e-mail transmission start permission signal to the e-mail client software execution unit 12 in step S14. Let

  Next, in step S15, the mail transmission detection unit 43 determines the number of transmissions P2 of dummy email data to be transmitted after the regular email data, and the dummy email transmission unit 41 performs the processing of steps S2 to S5. In step S16, it is determined whether or not the number of transmissions of the dummy email data has reached the number of transmissions P2 determined in step S15. The process of S5 is repeated. The process ends when the number of transmissions of the dummy e-mail data reaches the number of transmissions P2.

  When implemented in the terminal 1A, the unauthorized software execution unit 13 is implemented by the TCP / IP communication control unit 22 or the communication interface unit 21 in order to realize the procedures (1) and (2) shown in FIG. When the legitimate e-mail data transmitted is monitored and the mail server name of the mail server 2 or the mail server name of the dummy mail server 100 is eavesdropped, e-mail data is created using any of the mail server names. To be transmitted from the basic software execution unit 11.

  In contrast to the function implemented by the unauthorized software execution unit 13, the terminal 1A monitors the packet created by the TCP / IP communication control unit 22 and blocks the transmission of unauthorized e-mail data. The unauthorized mail detection software execution unit 15 is provided. The unauthorized mail detection software execution unit 15 includes a packet hook unit 31 and a removal unit 32.

  When the packet hook unit 31 intercepts an IP packet created by the TCP / IP communication control unit 22 and passed to the communication interface unit 21, the packet hook unit 31 outputs the IP packet to the removal unit 32.

  The removal unit 32 determines whether the destination of the email data is the dummy mail server 100. The removal unit 32 discards the IP packet when the destination of the electronic mail data is the mail server name of the dummy mail server 100 and the dummy mail identifier is not included. If the destination of the email data is not the dummy mail server 100, or if the destination of the email data is the dummy mail server 100 and includes a dummy email identifier, the IP packet is sent via the packet hook unit 31. Transfer to the communication interface unit 21.

  When the dummy mail server 100 is a destination and the unauthorized e-mail data that does not include the dummy e-mail identifier is determined, the removal unit 32 specifies a process for transmitting the unauthorized e-mail data. Further, the removal unit 32 specifies an execution file for creating unauthorized e-mail data.

  At this time, the removal unit 32 identifies a process for creating and sending unauthorized e-mail data from the information (log information) of the process performed by the basic software and application layer software managed by the process management unit 24 To do. Then, when the removal unit 32 obtains information indicating that the process management unit 24 has detected a process of creating and sending unauthorized e-mail data with the basic software and the application layer software, the removal unit 32 forces the process. Terminate. Further, the removal unit 32 identifies an execution file that is executing a process of creating and sending invalid e-mail data from the execution file managed by the file management unit 23, and deletes the execution file. The file management unit 23 is controlled. Thereby, the unauthorized software execution unit 13 can be deleted.

  As shown in FIG. 5, the processing of the disinfecting unit 32 in the terminal 1A determines whether or not the destination of the IP packet including the electronic mail data is addressed to the dummy mail server 100 in step S21. In step S22, the process proceeds to step S22. If it is determined that the mail server 2 is not addressed to the dummy mail server 100, the process proceeds to step S25.

  In step S22, the removal unit 32 determines whether or not the dummy mail identifier is included in the IP packet. If the dummy mail identifier is not included in the IP packet, the process proceeds to step S23, where the dummy mail identifier is determined. If it is included, the process proceeds to step S25.

  In step S23, the removal unit 32 determines whether the transport layer header of the IP packet is a TCP header. If so, the process proceeds to step S24, and if it is a UDP packet, the process proceeds to step S25. To proceed.

  In step S24, the removal unit 32 determines whether the port number included in the TCP header is addressed to an SMTP (Simple Mail Transfer Protocol) port that is an e-mail data transfer protocol. The process proceeds to S26, and if not, the process proceeds to step S25.

  In step S25, since the IP packet from the packet hook unit 31 does not include illegal email data, the removal unit 32 sends the IP packet including the email data to the packet hook unit 31 and the basic software execution unit 11. To send through. On the other hand, when all the determinations in step S21 to step S24 are “YES”, the removal unit 32 determines that the IP packet includes unauthorized e-mail data, and the unauthorized e-mail data. In order to prevent the transmission of the message, the process proceeds to step S26 and subsequent steps.

  In step S <b> 26, the removal unit 32 specifies a process for creating and transmitting unauthorized e-mail data among the processes managed by the process management unit 24, and the file management unit 23 manages the process in step S <b> 27. Identifies an executable file that creates and sends invalid e-mail data.

  Next, in step S28, the removal unit 32 forcibly terminates the unauthorized process identified in step S26. At this time, the removal unit 32 notifies the user or administrator of the terminal 1A of a process of recording log information of an unauthorized process and transmitting the log information to another apparatus, or an alarm that an unauthorized process has occurred, or other You may perform the process transmitted to an apparatus.

  Next, in step S29, the removal unit 32 discards the IP packet including unauthorized e-mail data, and in step S30, deletes the executable file specified in step S27. At this time, the removal unit 32 notifies the user or the administrator of the terminal 1A of a process of recording log information of an unauthorized execution file and transmitting it to another device, or an alarm that the unauthorized execution file has been installed or You may perform the process transmitted to another apparatus.

  As a result, the removal unit 32 detects the process of the unauthorized software execution unit 13 implemented by the execution file, stops transmission of unauthorized email data, and creates and sends unauthorized email data. And the executable file can be deleted.

  Next, the configuration and operation of the dummy mail server 100 will be described.

  As shown in FIG. 6, the dummy mail server 100 includes basic software and dummy mail server software, and includes a basic software execution unit 101 and a dummy mail server software execution unit 102.

  The basic software execution unit 101 includes a communication interface unit 111 and a TCP / IP communication control unit 112 connected to all network devices via a network.

  The basic software execution unit 101 performs data demodulation processing and data link layer processing by the communication interface unit 111, and performs network layer processing and transport layer processing by the TCP / IP communication control unit 112. The basic software execution unit 101 passes e-mail data included in a packet received from the network to the dummy mail server software execution unit 102, and performs predetermined processing on the data passed from the dummy mail server software execution unit 102. Send as a packet.

  The dummy mail server software execution unit 102 includes a mail reception unit 121, a warning message reception unit 122, a warning message transmission unit 123, an infected host information storage unit 124, and a dummy mail determination unit 125.

  When receiving the email data included in the packet received by the basic software execution unit 101, the email reception unit 121 passes the email data to the dummy email determination unit 125.

  The dummy mail determination unit 125 determines whether or not the dummy e-mail identifier is included in the e-mail data received from the e-mail reception unit 121, and whether the e-mail data is properly created in the terminal 1A or illegal It is determined whether it is created by the software execution unit 13. The dummy mail determination unit 125 discards the electronic mail data including the dummy mail identifier. On the other hand, if the dummy mail determination unit 125 is e-mail data that does not include a dummy e-mail identifier, after creating log information including the transmission source IP address, transmission time, and mail content from the e-mail data, Discard the e-mail data. In addition, the dummy mail determination unit 125 is illegal not only when the dummy mail identifier is included, but also when the terminal 1A receives dummy e-mail data at a timing different from the timing at which the dummy e-mail data is transmitted. The log information may be created by determining the e-mail data, or the log information may be generated by determining invalid e-mail data from the sender name. Then, the dummy mail determination unit 125 passes the log information to the warning message transmission unit 123.

  The warning message transmission unit 123 generates a warning message that warns that invalid e-mail data created using the dummy mail server information is detected, using the log information received from the mail receiving unit 121, Passed to the basic software execution unit 101. This warning message includes information for identifying a terminal that is a source of unauthorized e-mail data and is infected with a computer virus. As a result, the basic software execution unit 101 can transmit a warning message to an administrator's terminal or other network device that is set in advance as a warning message transmission destination.

  Here, the warning message transmission unit 123 may determine whether to transmit the warning message with reference to the infected host information stored in the infected host information storage unit 124 before transmitting the warning message. . The infected host information stored in the infected host information storage unit 124 includes an IP address that identifies a host infected with a computer virus. Then, the warning message transmission unit 123 stops the transmission of the warning message when the transmission source of the unauthorized e-mail data is already stored in the infected host information storage unit 124 as the infected host information.

  Further, when there are a plurality of dummy mail servers 100 in the unauthorized mail detection system, the dummy mail server 100 receives a warning message from another dummy mail server 100 and receives the warning message by the warning message receiving unit 122. . Then, the warning message receiving unit 122 stores, in the infected host information storage unit 124, the IP address or the like of the transmission source of the unauthorized email data included in the warning message as infected host information.

  When such a dummy mail server 100 receives e-mail data by the mail receiving unit 121, as shown in FIG. 7, the dummy mail determining unit 125 includes a dummy mail identifier included in the e-mail data as shown in FIG. Determines that the e-mail data is valid dummy e-mail data, discards the dummy e-mail data in step S32, and ends the process.

  On the other hand, if the dummy mail identifier is not included in step S31, the dummy mail determination unit 125 determines that the dummy email data is not valid, and creates log information in step S33 to generate the dummy email data. In step S 34, the IP address of the transmission source is received from the TCP / IP communication control unit 112, the infected host is identified and passed to the warning message transmission unit 123.

  Next, in step S35, the warning message transmission unit 123 refers to the infected host information stored in the infected host information storage unit 124, and determines whether or not the transmission source IP address received in step S34 is included in the infected host information. It is determined whether or not the information is infected host information for which a warning message has already been distributed. If so, the process ends without transmitting the warning message.

  On the other hand, if the received transmission source IP address is not included in the infected host information, the warning message transmission unit 123 proceeds to step S36 and uses the transmission source IP address as the infected host information. In step S37, a warning message is transmitted via the basic software execution unit 101. Here, the dummy mail server 100 stores the IP address of a terminal infected with a computer virus, and restricts the transmission of a warning message when receiving e-mail data from the terminal for a plurality of times. In order to do so, the number of processings in step S35 may be limited.

  Further, as shown in FIG. 8, when the dummy mail server 100 receives a warning message from the outside by the warning message receiving unit 122 via the basic software execution unit 101 (step S41), in step S42, the dummy message receiving unit 122, the transmission source IP address for identifying the host infected with the computer virus included in the warning message is stored in the infected host information storage unit 124. In this way, the fraudulent email detection system updates its own infected host information when it receives a warning message sent from another network device, so a new type of computer virus has occurred and it has newly infected with a computer virus. The host can be detected in a short time.

  As shown in FIG. 9, when the dummy mail server 100 receives the e-mail data M11 addressed to the dummy mail server 100 from a computer virus infected host such as the terminal 1A, the dummy mail server 100 receives the dummy mail server 100 from the dummy mail server 100. The warning message M12 can be transmitted to the legitimate mail server 2. Thereafter, when the legitimate mail server 2 receives the email data M13 from the infected host included in the warning message, the legitimate mail server 2 can prohibit the transfer of the email data.

  Next, the configuration and operation of the mail server 2 will be described.

  As shown in FIG. 10, the mail server 2 includes basic software and mail server software, and includes a basic software execution unit 51 and a mail server software execution unit 52.

  The basic software execution unit 51 includes a communication interface unit 61 and a TCP / IP communication control unit 62 connected to any network device via a network.

  The basic software execution unit 51 performs data demodulation processing and data link layer processing by the communication interface unit 61, and performs network layer processing and transport layer processing by the TCP / IP communication control unit 62. The basic software execution unit 51 passes e-mail data included in a packet received from the network to the mail server software execution unit 52, and performs predetermined processing on the e-mail data passed from the mail server software execution unit 52. Send as a packet.

  The mail server software execution unit 52 includes a mail reception unit 71, a mail check unit 72, an infected host information storage unit 73, a warning message reception unit 74, a mail transfer unit 75, a suspicious mail processing unit 76, and a mailbox. 77.

  When receiving the e-mail data included in the packet received by the basic software execution unit 51, the mail receiving unit 71 passes the e-mail data to the mail check unit 72.

  The mail check unit 72 acquires the IP address of the transmission source of the email data received from the mail reception unit 71, and whether or not the IP address of the transmission source is registered in the infected host information storage unit 73 as infected host information. Determine whether. When the transmission source IP address is registered in the infected host information storage unit 73, the mail check unit 72 passes the email data transmitted by the transmission source IP address to the suspicious mail processing unit 76. On the other hand, when the transmission source IP address is registered in the infected host information storage unit 73, the mail check unit 72 passes the email data transmitted by the transmission source IP address to the mail transfer unit 75.

  The infected host information stored in the infected host information storage unit 73 is included in the warning message when the warning message receiving unit 74 receives the warning message, similarly to the process of FIG. 8 performed by the dummy mail server 100 described above. The warning message receiving unit 74 registers an IP address that is information for identifying an infected host infected with a computer virus.

  The suspicious mail processing unit 76 performs a modification process for holding the transfer of the e-mail data received from the mail check unit 72, discarding the e-mail data, or removing the computer virus attached to the e-mail data. The suspicious mail processing unit 76 is set in advance as processing information for unauthorized e-mail data, and the e-mail data is suspended, discarded, or modified according to the setting information.

  The suspicious mail processing unit 76 stores illegal electronic mail data in a buffer for illegal electronic mail data (not shown) when the electronic mail data is suspended. In addition, when the email data is altered, the suspicious email processing unit 76 passes the email data to the email transfer unit 75 in order to transfer the email data.

  When the mail transfer unit 75 receives the e-mail data determined by the mail check unit 72 as not being invalid e-mail data and the e-mail data modified by the suspicious mail processing unit 76, the destination IP address of the e-mail data To get. When the mail transfer unit 75 determines from the destination IP address that it is addressed to its own domain, the mail transfer unit 75 stores the mail in the mail box 77 divided for each user. If it is determined from the destination IP address of the received e-mail data that the e-mail data is not addressed to its own domain, the mail transfer unit 75 transfers the e-mail data to the mail server of the destination domain via the basic software execution unit 51.

  As shown in FIG. 11, such a mail server 2 receives e-mail data by the mail receiving unit 71 via the basic software execution unit 51 in step S51, and in step S52, the mail checking unit 72 It is determined whether or not the sender IP address of the email data is registered in the infected host information. If so, the email data is passed to the suspicious email processing unit 76 and the process proceeds to step S53. If not, the electronic mail data is transferred to the mail transfer unit 75 and the process proceeds to step S57.

  In step S53, the suspicious mail processing unit 76 obtains a process for unauthorized e-mail data from the setting data, and discards the e-mail data in step S54. Exit.

  In the case where the unauthorized e-mail data is put on hold, in step S55, it is checked by notifying the administrator of the mail server 2 or the like, and the process proceeds to step S57. In step S55, the suspicious mail processing unit 76 stores invalid e-mail data in the buffer for a certain period of time, and sends the e-mail data to the mail transfer unit 75 regardless of whether or not the administrator checks. It may be transferred.

  Further, when modifying illegal e-mail data, a computer virus may be attached in step S56, so that a warning sentence that warns about handling is added in the mail body, etc., and the attached file is deleted in step S60. Then, the process proceeds to step S57. Examples of the warning sentence include a sentence such as “This email may have been sent by a virus”. Note that the processing in step S56 and step S60 may be set to perform either one.

  In step S57, the mail transfer unit 75 determines whether or not the destination domain of the e-mail data is its own, and if so, stores the e-mail data in the mail box 77 in step S58. If not, the electronic mail data is transferred to the basic software execution unit 51 to transfer the electronic mail data to another mail server in step S59.

  According to such a mail server 2, when the warning message is received and the infected host information is stored, and the e-mail data is transmitted with the IP address of the transmission source registered as the infected host information, Since the e-mail data can be suspended, discarded or altered, it is possible to detect the terminal 1A infected with a computer virus and prevent unauthorized e-mail data from being transferred as it is.

  The above-described embodiment is an example of the present invention. For this reason, the present invention is not limited to the above-described embodiment, and various modifications can be made depending on the design and the like as long as the technical idea according to the present invention is not deviated from this embodiment. Of course, it is possible to change.

  That is, in the above-described unauthorized mail detection system, when the dummy mail server 100 actually exists and the email data is received by the dummy mail server 100, the unauthorized email data is detected. Even if the mail server 100 does not actually exist, the infected host information is registered in the mail servers 2 and 3, and the mail server 2 and 3 detects the email data created using the dummy mail server information. May be. Furthermore, it may be detected not only when the terminal, the mail servers 2 and 3 and the dummy mail server 100 detect unauthorized e-mail data, but also with a relay device and a side device.

  Furthermore, the function for detecting unauthorized e-mail data in the above-described embodiment can be applied to a home network in which household electrical appliance groups are connected to a network, an equipment network in which equipment groups are connected to a network, and the like. For example, even when a home appliance that is connected to a home network and has an email function as an application is infected with a computer virus, an email containing an unauthorized computer virus is transmitted from the home appliance to the external network. Can be detected.

  Here, as a technology for constructing a home network, in addition to the ECHO network, an embedded network technology called EMIT (Embedded Micro Internetworking Technology) can be used. This embedded network technology has a function of incorporating EMIT middleware into a network device and connecting it to a network, and is called EMIT technology.

  More specifically, the EMIT software that realizes the EMIT technology is installed in the network device such as the terminal 1A having the function of detecting the above-described unauthorized e-mail, the dummy mail server 100, and the mail servers 2 and 3, and the EMIT A center server provided on the Internet with software-equipped terminals, relay devices, mail servers 2 and 3, dummy mail server 100, and user devices that remotely control or monitor the terminals, relay devices, and side devices (see FIG. (Not shown). This user device is, for example, an external terminal (not shown) such as a mobile phone, a PC (Personal Computer), a PDA (Personal Digital Assistant), or a PHS (Personal Handy phone System).

  According to such a system in which the EMIT technology is implemented, how often the user device detects unauthorized e-mail data by the terminal, the mail servers 2 and 3, the dummy mail server 100, the relay device, and the lateral device. Remote monitoring is possible, and the sender address for blocking or alarming unauthorized e-mail can be additionally controlled.

It is a system figure explaining the structure and operation | movement of an unauthorized mail detection system to which this invention is applied. It is a block diagram which shows the structure of the terminal which comprises the unauthorized mail detection system to which this invention is applied. It is a flowchart which shows the process sequence which produces and transmits dummy email data with reference to a timer with the terminal which comprises the unauthorized mail detection system to which this invention is applied. It is a flowchart which shows the process sequence which mixes regular e-mail data with transmission, creates dummy e-mail data, and transmits with the terminal which comprises the fraudulent e-mail detection system to which this invention is applied. It is a flowchart which shows the process sequence which interrupts | blocks the process which produces and transmits unauthorized e-mail data with the terminal which comprises the unauthorized mail detection system to which this invention is applied. It is a block diagram which shows the structure of the dummy mail server which comprises the fraudulent mail detection system to which this invention is applied. It is a flowchart which shows the process sequence when electronic mail data is received by the dummy mail server which comprises the fraudulent mail detection system to which this invention is applied. It is a flowchart which shows the process sequence when a warning message is received by the dummy mail server which comprises the fraudulent mail detection system to which this invention is applied. FIG. 3 is a system diagram illustrating a configuration and an operation for transmitting a warning message from a dummy mail server to a mail server when unauthorized e-mail data is transmitted from a terminal in the unauthorized mail detection system to which the present invention is applied. It is a block diagram which shows the structure of the mail server which comprises the unauthorized mail detection system to which this invention is applied. It is a flowchart which shows the process sequence when email data is received by the mail server which comprises the fraudulent mail detection system to which this invention is applied.

Explanation of symbols

1A, 1B Terminals 2, 3 Mail server 11, 51, 101 Basic software execution unit 12 Mail client software execution unit 13 Unauthorized software execution unit 14 Dummy mail transmission software execution unit 15 Unauthorized mail detection software execution unit 21, 61, 111 Communication interface Units 22, 62, 112 TCP / IP communication control unit 23 File management unit 24 Process management unit 31 Packet hook unit 32 Removal unit 41 Dummy mail transmission unit 42 Dummy mail server information storage unit 43 Mail transmission detection unit 52 Mail server software execution unit 71 Mail Receiving Unit 72 Mail Checking Unit 73,124 Infected Host Information Storage Unit 74,122 Warning Message Receiving Unit 75 Mail Forwarding Unit 76 Suspicious Mail Processing Unit 77 Mailbox 100 Dummy Server 101 Basic software execution unit 102 Dummy mail server software execution unit 121 Mail reception unit 123 Warning message transmission unit 125 Dummy mail determination unit

Claims (12)

A fraudulent email detection system that detects that a fraudulent email is being delivered from a terminal infected with a computer virus,
Using mail server information for specifying a legitimate mail server for transferring an electronic mail, storage means for storing dummy dummy mail server information for the mail server information, and mail server information stored in the storage means Transmitting means for transmitting an e-mail addressed to the regular mail server, and transmitting e-mail using dummy mail server information stored in the storage means at a preset timing. Equipped terminal,
A dummy mail server that detects that an illegal e-mail is delivered when an e-mail created using the dummy mail server information is received at a timing other than the preset timing. An illegal email detection system. The transmission means performs a process of transmitting an e-mail using dummy mail server information at a regular timing,
The dummy mail server detects that an illegal e-mail is delivered when an e-mail created using the dummy mail server information is received at a timing other than the regular timing. The unauthorized mail detection system according to claim 1. The transmission means performs a process of transmitting an email using dummy mail server information at random timing,
The dummy mail server detects that an illegal e-mail is delivered when an e-mail created using the dummy mail server information is received at a timing other than the random timing. The unauthorized mail detection system according to claim 1. A plurality of dummy host names are given to the dummy mail server,
The storage means stores dummy mail server information representing the plurality of dummy host names,
The fraudulent mail detection system according to any one of claims 1 to 3, wherein the transmission unit randomly uses any dummy mail server information for each process of transmitting an electronic mail.   The unauthorized terminal detection system according to claim 1, wherein the terminal detects access to the dummy mail server information and detects that an unauthorized electronic mail is distributed.   6. The fraudulent mail detection system according to claim 5, further comprising a blocking unit that terminates the process when the terminal detects a process attempting to access the dummy mail server information.   The unauthorized mail detection system according to claim 6, wherein the blocking unit detects and removes an executable file that is executing a process that is attempting to access the dummy mail server information. The transmission means adds an identifier for identifying an email different from an email created by a computer virus to an email created using the dummy mail server information,
The dummy mail server receives an e-mail addressed to the dummy mail server from the transmission means, and detects that an illegal e-mail is delivered when an identifier is not added to the e-mail. The unauthorized mail detection system according to any one of claims 1 to 4.   The dummy mail server determines whether or not the received mail is a dummy mail, determines that the received mail is not a dummy mail, and determines that the dummy mail is an illegal e-mail. The fraudulent mail detection system according to claim 1, wherein the address is acquired and a warning message including the address is transmitted to the mail transfer server.   The legitimate mail server receives the warning message, and when the address included in the warning message is a transmission source electronic mail, the electronic mail is suspended, discarded, or modified. Item 12. The unauthorized mail detection system according to Item 9.   The dummy mail server stores an address of a terminal infected with the computer virus, and restricts transmission of the warning message when receiving an e-mail from the terminal a plurality of times. The unauthorized mail detection system according to claim 9, wherein   There are a plurality of the dummy mail servers, the warning messages are exchanged between the dummy mail servers, and each dummy mail server stores a terminal of a sender of an illegal email detected by another dummy mail server. The fraudulent mail detection system according to claim 9.

Images