JP2011124947A - Electronic mail control apparatus and control method thereof, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To perform transmission control of electronic mail in accordance with the risk of a transmission source of the electronic mail, which is determined from results of transmission control and/or auditing in the past, and the risk of the electronic mail. <P>SOLUTION: In accordance with a risk value of electronic mail transmitted from a transmission source of electronic mail in the past, a transmission source risk value is calculated which indicates a degree of risk relating to the transmission source of the electronic mail and in accordance with contents of electronic mail or a format of attached data, a risk class is determined which indicates a degree of risk relating to the electronic mail. It is then determined whether or not the risk value determined from the calculated transmission source risk value and the determined risk class satisfies conditions of whether to permit transmission of the electronic mail, thereby performing transmission control. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to an electronic mail control apparatus, a control method therefor, and a program, and more particularly to a technique for sending and / or auditing electronic mail.

  In recent years, leakage of personal information and confidential information has been affecting corporate trust. With the enforcement of various laws such as the Personal Information Protection Law, it has become an urgent task for companies to take measures against information leakage. The cause of information leakage may be caused by unauthorized access from outside, but most of them are caused by carelessness of people inside the company.

  One such information leakage countermeasure is a mail filtering system. The e-mail filtering system sets e-mail characteristics such as the presence or absence of keywords that are likely to cause information leakage as filtering conditions, and selects e-mails that are subject to auditing or transmission control. The administrator can efficiently prevent information leakage by visually determining the selected electronic mail.

  As such prior art, in Patent Document 1, based on preset conditions, an email to be audited is selected, and a list of selected emails is sent to an administrator corresponding to the sender of the email. A mechanism for displaying audits and prompting audits is disclosed.

JP 2006-85642 A

  However, as the demand for information leakage prevention increases and diversifies, the number of e-mails subject to auditing or transmission control increases, and the contents become diversified, and the e-mails that the administrator must visually check The number and complexity of judgment is increasing.

  In the above prior art, if the number of e-mails that require visual confirmation is limited to a certain level, by looking at summarized information such as a list of titles, e-mails with a high possibility of information leakage are found and preferentially scrutinized. However, as the number of e-mails that need to be confirmed increases, it becomes difficult to find e-mails that require high-scrutiny audits from the list, increasing the burden on the administrator.

As described above, when performing an email audit (pre-audit and post-audit) in the past, the priority to be audited based on the past transmission control and / or auditing results for the email source and destination group. It was difficult to grasp high-level e-mails, and it was difficult to efficiently audit.
That is, it is difficult for the user to select an e-mail that is estimated to have a high risk from the relationship between the sender and the destination in order to efficiently perform the audit.

  Therefore, according to the past transmission control and / or auditing results for the combination of the transmission source and the transmission destination of the electronic mail to be controlled for transmission, whether or not the risk related to the transmission of the electronic mail is determined and may be sent. Alternatively, a mechanism for determining whether the email is to be audited can be considered.

  However, when such a mechanism is used, if there is no past transmission control and / or auditing record regarding a combination of a transmission source and a transmission destination of an electronic mail for which transmission control is performed, the electronic mail may be sent. It is difficult to appropriately determine whether the email is to be audited.

  In order to improve this, if there is no past transmission control and / or auditing record regarding the combination of the sender and destination of the e-mail for which transmission control is to be performed, it may be possible to hold it, but a new destination E-mail auditing work will be less efficient if it is always put on hold.

  Therefore, an object of the present invention is to efficiently audit by performing the transmission control of the email according to the risk of the email transmission source determined from the past transmission control and / or audit results and the risk of the email. Is to provide a mechanism for

  The present invention is an e-mail control device that is communicable with an e-mail transmission terminal and performs transmission control of an e-mail transmitted by the e-mail transmission terminal,

  Stores link risk information including a group of the e-mail transmission source and destination, and a risk value indicating a risk level related to transmission of the e-mail of the group based on past transmission control and / or audit results. A risk storage means for storing, a condition storage means for storing a risk condition which is a condition for determining whether to permit sending of the e-mail based on the risk value, and an e-mail transmitted by the e-mail transmission terminal Transmission of the e-mail according to the risk value of the e-mail transmitted in the past from the e-mail transmission source acquired by the acquisition means, which is included in the link risk information stored in the risk storage means A calculation means for calculating a sender risk value indicating the degree of risk associated with the source, the content of the email acquired by the acquisition means, or the email In accordance with the format of the attached data, a determination unit that determines a risk type indicating the degree of risk associated with the e-mail, a source risk value calculated by the calculation unit, and a risk type determined by the determination unit And determining whether the risk value related to transmission of the e-mail acquired by the acquiring means and the risk value determined by the determining means satisfy the risk condition stored in the condition storage means And a transmission control unit that determines whether or not to permit transmission of the electronic mail, and performs transmission control of the electronic mail according to the determination result.

  Further, the present invention is communicable with an e-mail transmission terminal, and is based on a combination of an e-mail transmission source and a transmission destination transmitted by the e-mail transmission terminal, and past transmission control and / or audit results. Risk storage means for storing link risk information including a risk value indicating the degree of risk related to transmission of the set of e-mails, and conditions for determining whether to permit e-mail transmission based on the risk values A control method for an e-mail control device comprising condition storage means for storing a certain risk condition, wherein the acquisition means of the e-mail control device acquires an e-mail transmitted by the e-mail transmission terminal And the calculation means of the electronic mail control device includes the electronic mail acquired in the acquisition step included in the link risk information stored in the risk storage means. A calculation step of calculating a sender risk value indicating a degree of risk related to the sender of the email according to a risk value of the email sent in the past from the sender of the sender, and a determination unit of the email controller, A determination step of determining a risk type indicating a degree of risk relating to the e-mail according to the content of the e-mail acquired in the acquisition step or the format of data attached to the e-mail; and the e-mail control device A determining step for determining a risk value related to sending of the e-mail acquired in the acquiring step according to the source risk value calculated in the calculating step and the risk type determined in the determining step; The transmission control means of the electronic mail control device satisfies the risk condition stored in the condition storage means, with the risk value determined in the determination step Determining whether to permit the delivery of the e-mail by determining, characterized in that it and a transmission control step of performing transmission control of the electronic mail according to the determination result.

  Further, the present invention is communicable with an e-mail transmission terminal, and is based on a combination of an e-mail transmission source and a transmission destination transmitted by the e-mail transmission terminal, and past transmission control and / or audit results. Risk storage means for storing link risk information including a risk value indicating the degree of risk related to transmission of the set of e-mails, and conditions for determining whether to permit e-mail transmission based on the risk values A program executable by an e-mail control device comprising a condition storage means for storing a certain risk condition, wherein the e-mail control device obtains an e-mail transmitted by the e-mail transmission terminal; , An e-mail sent in the past from the sender of the e-mail acquired by the acquisition means, which is included in the link risk information stored in the risk storage means And calculating means for calculating a sender risk value indicating the degree of risk relating to the sender of the e-mail according to the risk value of the mail, the contents of the e-mail acquired by the acquiring means, or attached to the e-mail. In accordance with the format of the data, the determination means for determining the risk type indicating the degree of risk associated with the e-mail, the transmission source risk value calculated by the calculation means, and the risk type determined by the determination means, Determining means for determining a risk value related to sending of the e-mail acquired by the acquiring means, and determining whether the risk value determined by the determining means satisfies a risk condition stored in the condition storage means To determine whether to permit sending of the e-mail, and to function as a transmission control means for performing sending control of the e-mail according to the determination result And features.

  According to the present invention, efficient auditing is performed by performing transmission control of the e-mail according to the risk of the e-mail transmission source determined from the past transmission control and / or audit results and the risk of the e-mail. be able to.

1 is a block diagram schematically showing a system configuration of an information processing system according to an embodiment of the present invention. It is a block diagram which shows roughly the hardware constitutions of the mail auditing device in FIG. It is a flowchart which shows the basic process sequence which the mail inspection apparatus in FIG. 1 performs. It is a flowchart which shows the risk value calculation process of a mail auditing device. It is a flowchart which shows the audit target determination processing of a mail auditing device. It is a flowchart which shows the judgment process of mail sender classification. It is a flowchart which shows the judgment processing of an outgoing mail classification. It is a flowchart which shows the initial risk value calculation process of a mail auditing device. It is a flowchart which shows the audit process of an audit object mail. It is a formula which shows an example of caller risk value calculation. It is a calculation formula which shows an example of domain risk value calculation. It is a formula which shows an example of link risk value calculation. It is a calculation formula showing an example of an audit index calculation function. It is a figure which shows an example of a link mail risk value. It is a figure which shows an example of a link risk table | surface. It is a figure which shows an example of a link mail risk table. It is a figure which shows an example of an audit object mail management table | surface. It is a figure which shows an example of an audit object mail list screen. It is a figure which shows an example of the mail detailed screen for preliminary audits. It is a figure which shows an example of the mail detailed screen for a post audit. It is a figure which shows an example of an initial risk value table setting screen. It is a figure which shows an example of a sender | caller threshold value setting screen. It is a figure which shows an example of a delivery rule table | surface. It is a figure which shows an example of the link relationship between e-mail addresses.

  Hereinafter, the present invention will be described in detail according to preferred embodiments with reference to the accompanying drawings.

  FIG. 1 is a diagram illustrating a configuration example of a system according to the present embodiment.

  The configuration of various terminals connected to the network in FIG. 1 is an example, and it goes without saying that there are various configuration examples depending on the application and purpose.

  Reference numeral 100 denotes a mail audit apparatus (electronic mail control apparatus) that provides an electronic mail audit function. The mail auditing apparatus 100 can transmit / receive data to / from the mail transmission / reception terminal 110 (electronic mail transmission terminal), the management operation terminal 120, and the mail delivery apparatus 130 via a network. The mail auditing apparatus 100 receives an electronic mail transmitted from the mail transmitting / receiving terminal 110, and according to a pre-defined condition, a delivery control (transmission control) indicating whether an electronic mail meeting the condition is transmitted, deleted, or suspended. ). In addition, it is determined whether or not to be audited. The electronic mail determined to be transmitted is transmitted to the mail delivery device 130. The mail auditing apparatus 100 includes a mail delivery processing unit 101, a delivery rule database 102, a management information database 103, an audit target mail storage unit 104, and an audit operation processing unit 105.

  The mail delivery processing unit 101 determines whether or not the email received from the mail sending / receiving terminal matches various conditions indicated in the delivery rule stored in the delivery rule database 102, and it is determined that there is a matching delivery rule. If it is, the function (send, delete, or hold) set in the delivery rule is applied to the e-mail. In addition, based on the risk information stored in the management information database 103, it is determined whether or not the email is to be audited. If the email is determined to be audited, the email is sent to the audit email storage unit 104. A function of saving and updating risk information in the management information database 103 is provided. Further, it has a function of transmitting to the mail delivery device 130 an e-mail that is determined to be transmitted or an e-mail that is instructed to be transmitted from the audit operation processing unit 105.

  The delivery rule database 102 is a database in which delivery rules for the email delivery processing unit 101 to determine an email delivery method are stored.

  The audit target mail storage unit 104 is a storage area for storing an electronic mail that is determined as an audit target by the mail delivery processing unit 101.

  The management information database 103 is a storage area for storing risk information related to the relationship between the sender and destination of electronic mail, management information of audit target mail, and other control parameter values.

  The audit operation processing unit 105 has a function of performing an audit process on the audit target mail stored in the audit target mail storage unit 104 in accordance with an instruction received from the management operation unit 121 of the management operation terminal 120. If the delivery of the audit target mail is in a suspended state, it can be sent or deleted. If the sending or deleting process has already been completed, the risk information stored in the management information database 103 is updated. It has a function.

  Reference numeral 110 denotes a mail transmission / reception terminal used by a user who transmits electronic mail. The mail transmission / reception terminal 110 can transmit / receive data to / from the mail auditing apparatus 100 via the network. The mail transmission / reception terminal 110 includes a mail transmission / reception unit 111.

  The mail transmission / reception unit 111 has a function of transmitting an electronic mail to the mail inspection apparatus 100 and a function of receiving an electronic mail from the mail inspection apparatus 100.

  A management operation terminal 120 is used by an administrator who audits electronic mail. The management operation terminal 120 can send and receive data to and from the mail auditing apparatus 100 via the network. The management operation terminal 120 includes a management operation unit 121.

  The management operation unit 121 has a function of instructing the audit operation processing unit 105 of the mail auditing apparatus 100 to send or delete delivery of an audit target email stored in the audit target mail storage unit 104. .

  The management operation unit 121 also has a function of instructing the audit operation processing unit 105 of the mail auditing apparatus 100 to update the risk information of the email stored in the management information database 103.

Also. The management operation unit 121 has a function of setting a sender threshold and / or an initial risk value table value stored in the management information database 103.
FIG. 22 is a diagram illustrating an example of a sender threshold setting screen for setting a sender threshold.

  In FIG. 22, reference numeral 2202 denotes an object for setting a caution sender caller threshold, and reference numeral 2203 denotes an object for setting a highly reliable caller threshold. When each threshold value is input to 2202 and 2203 by the administrator and the OK button 2204 is pressed, a caution sender threshold value and a highly reliable sender threshold value are set in the storage unit. Reference numeral 2205 denotes a cancel button for canceling the setting. 2201 is a graph in which the vertical axis indicates the number of callers and the horizontal axis indicates the risk value of the caller, and is calculated from the link risk table.

  The mail delivery device 130 has a function of delivering the email received from the email auditing device 100 to an appropriate mail server based on the destination address information of the email.

  Hereinafter, the hardware configuration of the mail inspection apparatus 100, the mail transmission / reception terminal 110, the management operation terminal 120, and the mail delivery apparatus 130 illustrated in FIG. 1 will be described with reference to FIG.

  The mail audit device 100, the mail transmission / reception terminal 110, the management operation terminal 120, and the mail delivery device 130 are information processing devices (computers).

  FIG. 2 is a block diagram illustrating a hardware configuration of the information processing apparatus.

  In FIG. 2, reference numeral 201 denotes a CPU that comprehensively controls each device and controller connected to the system bus 204. Further, the ROM 202 or the external memory 211 has a BIOS (Basic Input / Output System) or an operating system program (hereinafter referred to as OS), which is a control program of the CPU 201, and functions executed by each server or each PC (information processing apparatus). Various programs and the like to be described later necessary for the realization are stored.

  A RAM 203 functions as a main memory, work area, and the like for the CPU 201. The CPU 201 implements various operations by loading a program necessary for execution of processing from the ROM 202 or the external memory 211 into the RAM 203 and executing the loaded program.

  An input controller 205 controls input from a keyboard (KB) 209 or a pointing device such as a mouse (not shown). A video controller 206 controls display on a display (display unit) such as a CRT display (CRT) 210. In FIG. 2, although described as CRT 210, the display device may be not only a CRT but also other display devices such as a liquid crystal display. This is used by the administrator as needed.

  A memory controller 207 is provided in an external storage device (hard disk (HD)), a flexible disk (FD), or a PCMCIA card slot for storing a boot program, various applications, font data, user files, editing files, various data, and the like. Controls access to an external memory 211 such as a compact flash (registered trademark) memory connected via an adapter.

  A communication I / F controller 208 connects and communicates with an external device via a network, and executes communication control processing on the network. For example, communication using TCP / IP is possible.

  Note that the CPU 201 enables display on the CRT 210 by executing outline font rasterization processing on a display information area in the RAM 203, for example. In addition, the CPU 201 enables a user instruction with a mouse cursor (not shown) on the CRT 210.

  Various programs to be described later for realizing the present invention are recorded in the external memory 211 and executed by the CPU 201 by being loaded into the RAM 203 as necessary. Furthermore, files and various tables used when executing the program are also stored in the external memory 211.

  Next, a basic processing flow of the mail inspection apparatus will be described with reference to FIG.

  FIG. 3 is a flowchart showing basic processing of the mail inspection apparatus according to the embodiment of the present invention.

  Note that the processing of each step from step S301 to step S312 shown in FIG.

  In step S301, the mail delivery processing unit 101 receives (acquires) the electronic mail transmitted from the mail transmitting / receiving terminal 110, and executes the processes in and after step S302.

  In step S302, the link risk value (risk value) of the email received in step S301 is calculated. The detailed process of the link value calculation process (S302) will be described later with reference to FIG.

  Here, the link risk value is a numerical value representing the degree of risk for a pair of email sender (sender) and receiver (destination). That is, the link risk value is a numerical value indicating the degree of risk related to information such as information leakage, which is set for a connection (link) between a sender (transmission source) and a receiver (transmission destination).

  FIG. 24 is a diagram illustrating an example of a link relationship between mail addresses. FIG. 24 schematically shows an example of link risk related to certain three addresses.

  FIG. 24 shows ito @ aaaa. co. jp (e-mail sender) to mori @ cccc. co. This indicates that the link risk value (γ) related to mail transmission to jp (e-mail transmission destination) is “0.014”. In addition, ito @ aaaa. co. jp (the sender of the e-mail) from abe @ bbbb. co. This indicates that the link risk value (γ) related to mail transmission to jp (e-mail transmission destination) is “0.067”.

  As shown in FIG. co. jp to mori @ cccc. co. Compared to sending mail to jp, ito @ aaaa. co. jp to abe @ bbbb. co. The mail transmission to jp indicates that the link risk value (γ) is higher.

  In step S303, the mail delivery processing unit 101 reads the delivery rule table (FIG. 23) stored in the delivery rule database 102 into a memory such as a RAM. The delivery rule database 102 is stored in a storage unit such as the external memory 211 of the mail auditing apparatus 100. The delivery rule table is an application example of risk conditions, and the delivery rule database 102 is an application example of condition storage means.

  FIG. 23 is a diagram illustrating an example of the delivery rule table 2301.

  Each record in the delivery rule table 2301 indicates a delivery rule. That is, one delivery rule is a record composed of a rule ID, a conditional expression, and an action.

  The delivery rule table 2301 is stored and held in a list format in which the delivery rules are sorted in descending order using the rule ID as a key. It is assumed that the conditional expression describes a condition for specifying an e-mail.

  Examples of conditions set in the conditional expression include, for example, conditions (content conditions) regarding the contents (keywords) of e-mails, conditions regarding e-mail addresses of senders and destinations (transmission destinations), e-mail data size, The presence / absence of an attachment file, the document type (file format) of the attachment file, and the number of destination addresses.

  In the conditional expression of the delivery rule table 2301, the size of the link risk value can be set as a condition (risk condition). For example, the risk condition is set in the conditional expression of the record having the rule ID 4 in FIG. 23, and the condition of whether the link risk value is an email larger than 0.7 is set. The action item stipulates that an electronic mail satisfying the rule ID of 4 is put on hold.

  Next, other delivery rules of the delivery rule table 2301 will be described.

  In the conditional expression of the record with the rule ID 1, a condition is set as to whether the keyword “confidential” is included in the e-mail. Then, it is stipulated in the action item that an e-mail that satisfies the rule ID of 1 is deleted.

  In the conditional expression of the record with the rule ID 2, a condition is set as to whether the keywords “estimate” and “Company A” are included in the e-mail. The action item stipulates that an e-mail satisfying the rule ID of 2 is suspended.

  In the conditional expression of the record with the rule ID 3, a condition is set as to whether the e-mail address of the e-mail transmission source is “*@eeee.co.jp”. Here, * is a wild card (arbitrary character string). That is, eeee. co. A condition is set as to whether the email is sent from the jp domain. The action item stipulates that an electronic mail satisfying the rule ID of 3 is transmitted.

  In the conditional expression of the record with the rule ID 5, a condition is set as to whether or not the e-mail address of the e-mail transmission destination is “*@ffff.co.jp”. Here, * is a wild card (arbitrary character string). That is, ffff. co. A condition is set as to whether the email is addressed to the jp domain. Then, it is stipulated in the action item that an electronic mail satisfying the rule ID of 5 is deleted.

  In the conditional expression of the record with the rule ID 6, a condition is set as to whether or not the data size of the e-mail is smaller than 10 Mbytes. The action item stipulates that an e-mail satisfying the rule ID of 6 is deleted.

  In the example of FIG. 23, risk conditions and other conditions (content conditions, etc.) are set independently. However, conditions (combined with AND conditions) that combine risk conditions and other conditions (content conditions, etc.) (Conditions) may be set.

  The content condition is a condition for determining whether to permit transmission, suspension, or deletion of the electronic mail from the content (keyword) of the electronic mail. The risk condition is a condition for determining whether to permit transmission of the electronic mail, hold it, or delete it based on the size of the link risk value.

  Next, the description returns to the flowchart of FIG.

  In step S304, the delivery rules are acquired one by one from the delivery rule table 2301 in ascending order of the rule ID, and the process of step S305 is repeated.

  In step S305, it is determined whether or not the e-mail acquired in step S301 matches the condition (risk condition) of the conditional expression of the delivery rule acquired in step S304. As a result of the determination, if it is determined that they match (step S305: Yes), the process proceeds to step S308. On the other hand, if it is determined that they do not match (step S305: NO), the process proceeds to step S306.

  In step S306, when the process of step S305 is executed for all the delivery rules in the delivery rule table read in step S303, the process proceeds to step S307. On the other hand, if the processing for all the delivery rules has not been completed, the process returns to step S304, one delivery rule with the next young rule ID is acquired, and the process of step S305 is executed.

  In step S308, the action value of the condition (expression) matched in step S305 is acquired from the delivery rule. If the acquired value is a transmission, the process proceeds to step S307. If the acquired value is a deletion, the process proceeds to step S309. Migrate processing.

  In step S307, the e-mail acquired in step S301 is transmitted to the mail delivery device 130 in order to transmit.

  In step S309, the e-mail acquired in step S301 is deleted.

  In step S310, the electronic mail acquired in step S301 is put on hold without being transmitted.

  When the process of step S307, step S309, or step S310 is executed, the process proceeds to step S311.

  In step S311, it is determined whether the e-mail acquired in step S301 is an e-mail to be audited. If it is determined that the e-mail is an e-mail to be audited, the e-mail is changed to an e-mail to be audited (audit (Target mail) is stored in the audit target mail storage unit 104. Further, in order to determine that the e-mail is to be audited, information (mail ID or the like) for identifying the e-mail is stored in the audit target e-mail management table shown in FIG. Here, the audit target mail management table (FIG. 17) is a table including a list of audit target mails.

  Detailed processing of the audit target determination processing (step S311) will be described later with reference to FIG.

  Next, after finishing the process of step S311, the process proceeds to step S312.

  In step S312, the value of the link risk table (FIG. 15) and link mail risk table stored in the management information database 103 from the processing result of the electronic mail acquired in step S301 (transmission in step S307, deletion in step S309). The value of (FIG. 16) is updated. The management information database 103 is an application example of risk storage means.

  FIG. 15 is an example of a link risk table. The link risk table (FIG. 15) and the link mail risk table (FIG. 16) are application examples of link risk information.

  The link risk table shown in FIG. 15 is stored in a storage unit such as the external memory 211 of the mail auditing apparatus 100.

  FIG. 15 stores past transmission control (transmission control result) and / or audit results for a set of an e-mail transmission source and a transmission destination, and indicates the degree of risk of sending an e-mail to the set. A risk value (link risk value) is stored.

  The link risk table (FIG. 15) includes “recipient”, “destination local part”, “destination domain part”, “transmission”, “transmission with caution”, “deletion”, “no problem”, “caution”, “ It consists of items of “Problem”, “Total”, and “Link Risk Value”.

  “Recipient” stores the e-mail address of the e-mail transmission source.

  The “destination local part” stores the local part of the e-mail address of the e-mail transmission destination. The local part is a character string before @ of the electronic mail address. For example, if the e-mail address is kato @ aaaa. co. In the case of jp, “kato” is the local part.

  The “destination domain part” stores the domain part of the e-mail address of the e-mail transmission destination. The domain part is a character string after the @ of the electronic mail address. For example, if the e-mail address is kato @ aaaa. co. In the case of jp, “aaaa.co.jp” is the domain part.

  The items of “transmission”, “transmission with caution”, and “deletion” include the audit result of “preliminary audit” to be described later, and the transmission control results (e-mail transmission and suspension) in steps S307 and S309. The number of times is stored. That is, the “transmission” stores the sum of the number of times “transmission” is instructed by the auditor (administrator) in the preliminary audit and the number of transmissions transmitted in step S307. Further, “transmission with caution” stores the number of times “transmission with caution” is instructed by the auditor (administrator) in the preliminary audit. “Delete” stores the sum of the number of times that the auditor (administrator) has instructed “delete” in the preliminary audit and the number of times deleted in step S309. The audit screen for the pre-audit is shown in FIG.

  Next, in the items of “no problem”, “caution”, and “problem”, the number of audit results of “post audit” described later is stored. That is, “no problem” stores the number of times “no problem” is instructed by the auditor (administrator) in the subsequent audit. In “Caution”, the number of times “Caution” is instructed by the auditor (administrator) in the post-audit is stored. Also, in “There is a problem”, the number of times that “There is a problem” is stored by the auditor (administrator) in the post-audit. The audit screen for the post audit is shown in FIG.

  The “total number” stores the sum of the number of audits performed in the pre-audit and the post-audit and the number of transmission control results (e-mail transmission and suspension) in steps S307 and S309. That is, the number of times audited as “transmission”, “transmission with caution”, “deletion”, “no problem”, “caution”, “with problem”, the number of transmissions in step S307, and deletion in step S309 The total number of times recorded is stored.

  In addition, the item of “link risk value” includes a pre-audit and a post-audit for the combination of the sender and destination of the email indicated in the “recipient”, “destination local part”, and “destination domain part”. The link risk value calculated according to the audit result and the transmission control result (transmission and deletion) in step S307 and step S309 is stored.

  In step S312, when the e-mail acquired in step S301 is transmitted in step S307 or deleted in step S309, the sender address (e-mail address of the sender) of the e-mail and the e-mail Records in the link risk table (FIG. 15) of combinations (groups) with e-mail addresses (destination addresses) of all mail destinations are specified.

  That is, a record of a pair of the sender and destination of the link risk table that matches the pair of the sender and destination of the email acquired in step S301 is specified.

  If the e-mail acquired in step S301 is transmitted in step S307, the value of the item “transmission” of all the specified records is incremented (updated). When the e-mail acquired in step S301 is deleted in step S309, the value of the “delete” item of all the specified records is incremented (updated).

  Here, when there is a set that does not match the set of the source and destination of each record in the link risk table among the sets of the source of the email and the email addresses of all destinations acquired in step S301. Then, the record of the pair of the transmission source and the transmission destination that does not match is added to the link risk table.

  When the e-mail acquired in step S301 is transmitted in step S307, the value of the “transmission” item of the added record is set to 1. When the e-mail acquired in step S301 is deleted in step S309, the value of the “delete” item of the added record is set to 1.

  In this way, when the values of the items “transmission” and “deletion” in the link risk table (FIG. 15) are updated, “transmission”, “transmission with caution” in the updated link risk table (FIG. 18), The link risk value is determined according to the values of “Delete”, “No problem”, “Caution”, and “Problem” (the past transmission control result and / or audit result for the sender and destination of the email). calculate.

  Next, the link risk value calculation procedure will be described.

は、図１２に示す式を用いて算出することができる。 Link risk value

Can be calculated using the equation shown in FIG.

は、送信元Ｓと宛先（送信先）ｒのリンクリスク値を示している。 here,

Indicates link risk values of the transmission source S and the destination (transmission destination) r.

  FIG. 12 is a diagram illustrating an example of a calculation formula for calculating the link risk value.

Are the values of the items “Send”, “Send with caution”, “Delete”, “No problem”, “Caution”, “With problem” in the link risk table, and the link in the link mail risk value table (FIG. 14). This value is calculated from the email risk value.

は、送信元Ｓで宛先ｒの各電子メールｍのリンクメールリスク値である。

Is a link mail risk value of each e-mail m of the transmission source S and the destination r.

は、送信元Ｓと宛先ｒの電子メールの総数であり、リンクリスク表（図１５）中の送信元（発信者）Ｓと宛先ｒのレコードにおける総数の項目の値である。

Is the total number of e-mails of the source S and the destination r, and is the value of the item of the total number in the records of the source (sender) S and the destination r in the link risk table (FIG. 15).

  FIG. 14 is a diagram showing a link mail risk value table. The link mail risk value table is stored in a storage unit such as the external memory 211 of the mail auditing apparatus 100.

  The link mail risk value table has the items “Send”, “Send with Caution”, “Delete”, “No problem”, “Caution”, and “With problem” corresponding to the link risk table (FIG. 15). Each item has a link mail risk value. The link mail risk value is a link risk value per audit and transmission control result for each item, and is set in advance by the administrator.

  Here, a specific example of calculating the link risk value will be described.

  Here, the link risk value of the record whose management ID is 1 in the link risk table (FIG. 15) (a set of transmission source is oka@my.co.jp and transmission destination (destination) is kato@aaa.co.jp). A calculation example will be described.

  A record with a management ID of 1 has a source (S) of oka @ my. co. jp is the destination (destination) (r) is kato @ aaa. co. Number of times jp's e-mail (link mail) has been “sent” 17 times, “sent with caution” has been sent 0 times, and “deleted” has been sent, depending on the pre-audit and / or transmission control results There are four times. In the post-audit, there are 6 audit results of “no problem”, 0 audit results of “caution”, and 1 audit result of “problem”.

である。 When the record having the management ID of 1 is referred to, the total number of times of past transmission control (transmission control result) and / or audit results is obtained.

It is.

  In the link mail risk value table (FIG. 14), the link mail risk value when “sent” is 0.00 according to the pre-audit and / or transmission control result is 0.00, and the case where the link mail risk value is transmitted “attention sent” The link mail risk value is 0.20, which indicates that the link mail risk value is “1.00” when “deleted”.

  In the link mail risk value table (FIG. 14), in the post audit, the link mail risk value in the case of the audit result “no problem” is 0.00, and the link in the case of the audit result of “caution” The mail risk value is 0.20, which indicates that the link mail risk value in the case of the audit result “problem” is 1.00.

は以下の式のように表される。
Substituting these values into the formula in Fig. 12, the link risk value

Is expressed as:

＝（１７×０．００＋０×０．２０＋４×１．００＋６×０．００＋０×０．２０＋１×１．００）÷２１ (Formula of FIG. 12)

= (17 × 0.00 + 0 × 0.20 + 4 × 1.00 + 6 × 0.00 + 0 × 0.20 + 1 × 1.00) ÷ 21

By calculating the above formula, link risk value

Is calculated to be 0.238. Then, the value of the link risk value item of the record having the management ID 1 in the link risk table (FIG. 15) is updated to the calculated link risk value.

を算出するための式について説明する。 Here, the link risk value mentioned above

A formula for calculating the will be described.

は、送信元（Ｓ）がｏｋａ＠ｍｙ．ｃｏ．ｊｐで宛先（ｒ）がｋａｔｏ＠ａａａａ．ｃｏ．ｊｐの電子メールのリンクメールリスク値である。したがって、

Indicates that the sender (S) is oka @ my. co. jp and the destination (r) is kato @ aaaa. co. This is the link mail risk value of jp e-mail. Therefore,

Is “sent” in the pre-audit and / or transmission control result, it takes a value of 0.00 as set in “send” in the link mail risk value table (FIG. 14). In the link risk table (FIG. 15), the number of times of “sending” is 17 times according to the pre-audit and / or transmission control result, and therefore, regarding “sending”, the numerator on the right side of the formula in FIG. It will add. Here, 0.00 is multiplied by 17 to simplify the description. Although “transmission” has been described here, “transmission with attention”, “deletion”, “no problem”, “caution”, and “problem” can be calculated in the same manner as described below.

  A description will be given regarding “sent transmission”.

  When “transmission with caution” is performed according to the preliminary audit and / or transmission control result, the value is 0.20 as set in “transmission with caution” in the link mail risk value table (FIG. 14).

  Since the number of times of “transmission with caution” is 0 based on the pre-audit and / or transmission control result, 0.20 is added to the numerator on the right side of the expression in FIG. 12 for “transmission with caution”. Here, 0.20 is multiplied by 0 to simplify the description.

  The “deletion” will be described.

  When “deleted” due to the pre-audit and / or transmission control result, the value is 1.00 as set in “deleted” in the link mail risk value table (FIG. 14).

  In the link risk table (FIG. 15), the number of times of “deletion” is 4 times due to the pre-audit and / or transmission control result. It will add. Here, in order to simplify the description, 1.00 is multiplied by 4 and shown.

  Explain about “no problem”.

  When the post-audit audits “no problem”, it takes a value of 0.00 as set in the “no problem” of the link mail risk value table (FIG. 14).

  In the link risk table (Fig. 15), the number of times that "no problem" was audited in the post-audit is six, so for "no problem", the denominator on the right side of the formula in Fig. 12 should add 0.00 six times. It becomes. Here, 0.00 is multiplied by 6 to simplify the description.

  The “Caution” will be described.

  When “Caution” is audited in the post-audit, the value is 0.20 as set in “Caution” in the link mail risk value table (FIG. 14).

  In the link risk table (FIG. 15), the number of times that “Caution” is audited in the post-audit is 0, so for “Caution”, the numerator on the right side of the formula in FIG. 12 adds 0.20 to 0. . Here, 0.20 is multiplied by 0 to simplify the description.

  Explain about “problems”.

  When the post-audit audits “problem”, the value is 1.00 as set in “problem” in the link mail risk value table (FIG. 14).

  In the link risk table (FIG. 15), the number of times that “explained” is audited in the post-audit is one, and therefore the numerator on the right side of the formula in FIG. Here, in order to simplify the description, 1.00 is multiplied by 1.

  The sum of the values of “transmission”, “transmission with caution”, “deletion”, “no problem”, “caution” and “problem” calculated as described above is the value of the numerator on the right side of the expression in FIG. It becomes.

に代入し計算すると、リンクリスク値

を算出することができる。 Then, 21 which is the total number of records having the management ID 1 is represented by the formula of FIG.

Link risk value

Can be calculated.

  Next, the update process of the link mail risk table (FIG. 16) will be described.

  FIG. 16 is an example of a link mail risk table. The link mail risk table is stored in a storage unit such as the external memory 211 of the mail inspection apparatus 100.

  The link mail risk table (FIG. 16) stores a mail ID for uniquely identifying the e-mail and a link mail risk value for a pair of the acquired e-mail transmission source and each transmission destination. That is, the link risk table (FIG. 15) stores risk values based on past transmission control and / or audit results for pairs of transmission sources and transmission destinations. Transmission control and / or each audit result is stored. That is, the link risk table is a table in which each record of the link mail risk table is tabulated by the combination of the transmission source and the transmission destination.

  In step S312, a record including a combination (set) of an e-mail address (sender address) of the acquired e-mail and all e-mail addresses (destination addresses) of the e-mail and a link mail risk value related to the combination To the link email risk table. Here, a unique number for uniquely identifying the acquired electronic mail is stored in the mail ID of the record to be added.

  The link risk update processing in step S312 is not executed when the action of the delivery rule that matched the condition in step S305 is deletion and the link risk value is included in the matched condition (formula).

  That is, here, it is determined whether the action of the delivery rule is deleted and the link risk value is used in the conditional expression. If the action of the delivery rule is deleted and the link risk value is used in the conditional expression, If determined, in step S312, the deletion (column) value and the link risk value (column) value of the link risk table (FIG. 15) are not updated or generated, and the record is recorded in the link mail risk table (FIG. 16). Is not added (generated).

  This is to prevent the processing result from being deleted corresponding to the condition using the link risk value, and the cycle of the link risk value from being automatically raised from the result of the deletion.

  On the other hand, if it is determined that the action of the delivery rule is deletion and the link risk value is not used in the conditional expression, as described above, the transmission (column) or deletion (column) of the link risk table (FIG. 15) The value and the value of the link risk value (column) are updated or generated, and a record is added (generated) to the link mail risk table (FIG. 16).

  The above is the description of the basic processing in the mail auditing apparatus.

  Next, the risk value calculation process in step S302 will be described with reference to the flowchart of FIG.

  FIG. 4 is a flowchart showing detailed processing of risk value calculation processing (step S302).

  Note that the processing of each step from step S401 to step S413 illustrated in FIG. 4 is executed and realized by the CPU 201 of the mail auditing apparatus 100.

  In step S401, a risk value buffer for storing and holding a link risk value relating to a sender address / destination address pair in the electronic mail acquired in step S301 is initialized.

  Next, in step S402, it is determined by searching whether all address pairs of the sender address and all destination addresses of the e-mail exist in the link risk table (FIG. 15).

  That is, it is determined whether or not link risk values for all pairs of e-mail transmission sources and transmission destinations are stored in the link risk table (FIG. 15). If it is determined that the link risk values for all pairs of the sender and destination of the e-mail are not stored (including at least one unstored pair) (step S402: Yes), processing The process proceeds to step S403, and if it is determined that all the sets are stored (step S402: No), the process proceeds to step S405.

  In step S403, processing for determining (determining) the type of the caller (attention required / normal / high reliability) is executed according to the risk value (caller risk value) of the caller (sender).

  A flowchart showing the detailed processing of step S403 is shown in FIG. The description of FIG. 6 will be described later.

  Next, after performing the process of step S403, the process proceeds to step S404.

  In step S404, the type of the acquired electronic mail (the degree of risk of the mail) is determined (determined) according to the content of the mail text, the presence / absence of an attached file, the type of data of the attached file, and the content of the attached file.

  FIG. 7 is a flowchart showing the detailed processing in step S404. The description of FIG. 7 will be described later.

  In step S405, one destination address is acquired from each destination address of the acquired e-mail, and the processing from S406 to S412 is performed for all sender address / destination address pairs (address pairs). repeat.

  In step S406, the link risk table (FIG. 15) is searched for whether or not there is a line that matches the address pair currently being processed. That is, it is determined whether or not the link risk value (risk value) for the set of the sender and destination of the email is stored in the link risk table. If it is determined that it is stored, the process proceeds to step S407, and if it is determined that it is not stored, the process proceeds to step S411.

  The link risk value (risk value) for the email sender and destination pair is stored in the link risk table, which means that the sender has never sent an email to the recipient in the past It will be done.

  In step S407, the link risk table (FIG. 15) is searched for whether there is an address pair other than the current processing target transmission destination and the current processing target transmission source.

  That is, the destination email address of the current processing target is in the destination column of the link risk table (FIG. 15), and the email address other than the source email address of the current processing target is the link risk table (FIG. 15). ) Is searched from the link risk table (FIG. 15) to determine whether or not there is the record.

  In other words, in step S407, it is determined that there is no address pair other than the current processing target transmission destination and the current processing target transmission source. It means that it was determined that there was.

  Also, in step S407, it is determined that there is an address pair other than the current processing target transmission destination and the current processing target transmission source. This means that other transmission sources have transmitted to the transmission destination in the past. It means that it was judged.

  If it is determined in step S407 that there is a destination that is the current processing target and an address pair other than the current processing source, the process proceeds to step S408, and if it is determined that there is no address pair, the process proceeds to step S409.

  In step S409, the initial risk value corresponding to the caller type determined in step S403 and the e-mail type determined in step S404 is determined with reference to the initial risk value table 2101. Reference numeral 2101 denotes an initial risk value table.

  Here, a method for registering the initial risk value table 2101 in the management information database 103 of the mail auditing apparatus 100 and data in the initial risk value table 2101 will be described.

  The CPU 201 of the management operation terminal 120 displays the initial risk value table setting screen (FIG. 21) on the display unit, and accepts input of the initial risk value table 2101 from the administrator via the initial risk value table setting screen. When an “OK” button 2102 is pressed by the administrator, the input initial risk value table 2101 is transmitted to the mail auditing apparatus 100 so as to be stored in the management information database 103 of the mail auditing apparatus 100. Then, the mail inspection apparatus 100 stores the initial risk value table 2101 received from the management operation terminal 120 in the management information database 103.

  In step S409, the initial risk value is determined using the initial risk value table 2101 stored in the management information database 103 in this way.

  The initial risk value table 2101 stores initial risk values corresponding to e-mail risk (low / medium / high) (risk type) and caller type (attention / normal / high reliability). .

  Here, the initial risk value corresponding to the caller type (attention / normal / high reliability) is stored, but instead of the caller type, it corresponds to the caller risk value (source risk value). An initial risk value may be stored. That is, the initial risk value associated with the transmission source risk value and the risk type may be stored.

  In the following description, the sender type is used instead of the sender risk value, but the initial risk value associated with the sender risk value and the risk type may be determined as the risk value.

  Therefore, in step S409, initial risk values corresponding to the sender type determined in step S403 and the e-mail risk level (e-mail type) determined in step S404 are obtained from the initial risk value table 2101. Can be obtained and determined.

  In step S410, the initial risk value determined in step S409 is additionally stored in the risk value buffer as a risk value, and the process proceeds to step S412.

  In the processing of steps S407 to S410, if there is only one address pair for the transmission destination, the communication of the address pair is likely to be personal, and it is considered that there is a high risk of information leakage. The risk value is determined according to the type of sender and the type of outgoing mail without using the link risk value (such as past audit results) of the address pair.

  In step S408, the link risk value determined to be stored in S406 is additionally stored in the risk value buffer, and the process proceeds to step S412.

  In step S411, an initial link risk value for an address pair that is currently determined to be not stored in the link risk table is calculated, and an initial risk value calculation process stored in the risk value buffer is executed.

  Detailed processing of the initial risk value calculation processing (step S411) will be described later with reference to FIG.

  When the process of step S411 is executed, the process proceeds to step S412.

  In step S412, if the processing from S406 to S411 is executed for the set of the sender address and all destination addresses, the processing moves to step S413, and if not, the processing returns to S405.

  In step S413, an e-mail link risk value is calculated from one or more link risk values stored and held in the risk value buffer. For example, the average value of all link risk values stored and held in the risk value buffer is calculated as the link risk value of the e-mail.

  Here, as a calculation method for calculating an e-mail link risk value from one or a plurality of link risk values, among several methods such as an average value, a maximum value, and a minimum value of all link risk values, It can be selected according to the audit policy of the organization used.

  Next, the audit target determination process in step S311 will be described with reference to the flowchart of FIG.

  FIG. 5 is a flowchart showing detailed processing of the audit target determination processing (step S311).

  Note that the processing of each step from step S501 to step S505 shown in FIG. 5 is executed and implemented by the CPU 201 of the mail auditing apparatus 100.

  The audit target e-mail can be specified by the audit target determination process shown in FIG.

  In step S501, it is determined in step S308 that the electronic mail acquired in step S301 is on hold, and it is determined in step S310 whether the hold is on hold.

  If it is determined in step S501 that the e-mail has been suspended (step S501: Yes), the process proceeds to step S502. On the other hand, if it is determined that the e-mail is not suspended (step S501). If the e-mail is transmitted or deleted in step S307 or step S309) (step S501: NO), the process proceeds to step S504.

  In step S502, the e-mail information (mail ID, date and time of reception, sender (sender address), delivery status, link risk value) is stored in the audit target mail management table (FIG. 17) stored in the management information database 103. Is added, and the process proceeds to step S503.

  FIG. 17 is an example of the audit target mail management table.

  The audit target mail management table is stored in a storage unit such as the external memory 211 of the mail auditing apparatus 100.

  The audit target mail management table (FIG. 17) is a management table for managing e-mails to be audited in the mail auditing apparatus 100, and records represented by rows are management IDs for identifying records, audit targets, and the like. ID for identifying the e-mail to be audited, the date and time when the e-mail auditing apparatus 100 received the e-mail to be audited, the sender address of the e-mail to be audited, the delivery status of the e-mail to be audited, the e-mail to be audited The link risk value calculated in step S302 of FIG. The delivery status takes one of the values of transmission, deletion, or hold.

  In step S503, an email corresponding to the email ID stored in the audit target mail management table is stored in the audit target mail storage unit 104. In step S503, the email ID of the email stored in the audit target email storage unit 104 is also stored in association with the email, and the email can be extracted using the email ID as a key as necessary.

  In step S504, using the link risk value of the currently processed email, it is determined whether or not the email is to be subject to post-audit.

  Specifically, it is determined whether or not the link risk value (the link risk value calculated in step S302) of the currently processed email is equal to or greater than a post-audit threshold (threshold) (for example, 0.75). Based on the above, it is determined whether or not to be subject to post-audit. Here, the post-audit threshold value (threshold value) is stored in the management information database 103.

  If it is determined in step S504 that it is to be subject to subsequent audit (step S504: Yes), the process proceeds to step S502. On the other hand, if it is determined not to be subject to subsequent audit (step S505: no), The electronic mail to be processed is deleted (step S505).

  When the process of step S503 or step S505 ends, the process proceeds to step S312 in FIG.

  Here, a case where it is desired to select an e-mail to be subjected to the post-audit at random to some extent in step S504 will be described.

  Here, an example of a technique that can be an object of post-audit for an e-mail with a link risk value that is lower than the post-audit threshold (threshold value) (an e-mail that is not subject to auditing in the processing in step S504 described above) will be described.

は、ボックス・ミュラー法による正規乱数を生成するための計算式である。 Included in the calculation formula of FIG.

Is a calculation formula for generating normal random numbers by the Box-Muller method.

  In the calculation formula of FIG. 13, R is an average value of link risk values, σ is a parameter of standard deviation indicating a link risk value and the degree of randomness, and α and β are uniform random numbers (0, 1).

  By solving the calculation formula of FIG. 13, it is possible to obtain a link risk value in which the link risk value of the e-mail that is the object of the determination process in step S504 is randomly changed.

  Therefore, in step S504, an e-mail with a link risk value that is below the post-audit threshold (threshold) may be subject to post-audit.

  When the calculation formula as shown in FIG. 13 is used, the link risk value of the e-mail can be set as a mode value, and a value that varies depending on the degree of σ before and after that can be compared with a threshold value in step S504. Therefore, it is possible to realize an audit target selection method that is based on the link risk value but also adds a certain degree of randomness.

  For example, emails with a link risk value of less than 0.75 against the threshold of 0.75 will not be subject to post-audit if randomness is not added, but these emails can be added by adding randomness. The value to be compared becomes 0.75 or more, and there is a possibility of being subject to post-audit. By using the standard deviation calculated from the set of link risk values as the value of σ, it is possible to add randomness reflecting the characteristics of the link risk values of the entire stored email. Moreover, you may use the fixed value which an administrator sets.

  Next, the caller type determination process in step S403 will be described with reference to the flowchart of FIG.

  FIG. 6 is a flowchart showing a detailed process of the caller type determination process (step S403).

  Note that the processing of each step from step S601 to step S606 shown in FIG. 6 is executed and implemented by the CPU 201 of the mail auditing apparatus 100.

を算出する。図１０は、発信者（送信元）のリスク値

を算出する計算式の一例であり、適宜、必要に応じて異なる計算式を用いて、発信者（送信元）のリスク値を算出してもよい。 First, in step S601, the risk value (sender risk value) of the sender (sender) using the calculation formula of FIG.

Is calculated. Figure 10 shows the risk value of the sender (sender)

The risk value of the sender (transmission source) may be calculated using a different calculation formula as necessary.

は、送信先のドメインのリンクリスク値を表す項である。 Included in the formula of FIG.

Is a term representing the link risk value of the destination domain.

は、送信元の電子メールのリンクリスク値を表す項である。 Also included in the formula of FIG.

Is a term representing the link risk value of the source e-mail.

は、図１１の計算式

により算出される値

の平均値である。 Included in the calculation formula of FIG.

Is the calculation formula of FIG.

Value calculated by

Is the average value.

  Here, the calculation formula of FIG. 11 will be described.

As shown in FIG.

Is an average value of all link mail risk values stored in the link mail risk table. In the example of FIG. 16, 0.00, 1, 00, 1, 00, 0, 20 are stored as the link mail risk value.

は、（（０．００＋１，００＋１，００＋０，２０）／４）＝０．５５となる。

Becomes ((0.00 + 1, 00 + 1, 00 + 0, 20) / 4) = 0.55.

は、ステップＳ３０１で取得した電子メールの送信元から過去に送信された送信先のドメインのリンクリスク値である。 Also shown in FIG.

Is the link risk value of the domain of the transmission destination transmitted in the past from the transmission source of the electronic mail acquired in step S301.

について具体的に説明する。 here,

Will be described in detail.

For example, the transmission source is ito @ my. co. jp and the domain included in the destination address is aaa. co. jp and bbbb. co. If you get an email address that is jp,

Includes aaa. co. link risk value of each email sent to the domain of jp, bbbb. co. The link risk value of each email sent to the jp domain is substituted.

に代入される。図１６の例では、

の値は０．５５であるので、管理ＩＤが１のメールに関しては、

＝０．００−０．５５＝−０．５５と算出される。 Referring to FIG. 16 as an example, the destination domain is aaa. co. The link mail risk value (0.00) with management ID 1 is jp is

Is assigned to In the example of FIG.

Since the value of 0.55 is 0.55, the mail with management ID 1 is

= 0.00−0.55 = −0.55

に代入される。したがって、管理ＩＤが３のメールに関しては、

＝１．００−０．５５＝０．４５と算出される。 Next, if the destination domain is aaa. co. The link mail risk value (1.00) with management ID 3 is jp is

Is assigned to Therefore, for emails with management ID 3,

= 1.00−0.55 = 0.45.

に代入される。したがって、管理ＩＤが４のメールに関しては、

＝０．２０−０．５５＝−０．３５と算出される。 Similarly, if the destination domain is aaa. co. The link mail risk value (0.20) with management ID 4 is jp

Is assigned to Therefore, for mail with management ID 4,

= 0.20-0.55 = -0.35.

は、−０．５５＋０．４５−０．３５＝−０．４５となる。 Therefore, the destination domain is aaa. co. jp

Is −0.55 + 0.45-0.35 = −0.45.

を算出する。 Next, the destination domain is bbbb. co. jp

Is calculated.

に代入される。したがって、管理ＩＤが２のメールに関しては、

＝１．００−０．５５＝０．４５と算出される。 Referring to FIG. 16, the destination domain is bbbb. co. The link mail risk value (1.00) with management ID 2 is jp

Is assigned to Therefore, for mail with management ID 2,

= 1.00−0.55 = 0.45.

は、０．４５となる。 In the example of FIG. 16, bbbb. co. Since the record of the domain whose destination is jp is only the mail with the management ID 2, bbbb. co. jp

Is 0.45.

を算出することができる。図１６の例では、ａａａａ．ｃｏ．ｊｐのリスク値

は０．４５と算出され、ドメインｂｂｂｂ．ｃｏ．ｊｐのリスク値

は０．４５と算出される。
取得した電子メールの送信先の各ドメインのリスク値

の平均値

は、（０．４５＋０．４５）÷２＝０．４５と算出される。 With the above process, the risk value of each domain to which the acquired email is sent

Can be calculated. In the example of FIG. co. jp risk value

Is calculated to be 0.45, and domain bbbb. co. jp risk value

Is calculated to be 0.45.
Risk value of each domain to which the acquired email is sent

Average value

Is calculated as (0.45 + 0.45) ÷ 2 = 0.45.

The domain of the destination of the acquired e-mail is aaa. co. jp and bbbb. co. In the case of jp,

Are aaa. co. -0.55 + 0.45-0.35 = -0.45 for the domain of jp, and bbbb. co. For the domain of jp, it is -0.45.

が、ａａａａ．ｃｏ．ｊｐのドメインの

となり、宛先のドメインがｂｂｂｂ．ｃｏ．ｊｐの

が、ｂｂｂｂ．ｃｏ．ｊｐのドメインの

となる。 Here, the destination domain calculated above is aaa. co. jp

But aaa. co. jp domain

And the destination domain is bbbb. co. jp

Bbbb. co. jp domain

It becomes.

に代入すると、（−０．４５−０．４５）＋（−０．４５−０．４５）となり、

＝−１．８となる。 Therefore, the value calculated above is

Substituting into (−0.45−0.45) + (− 0.45−0.45)

= -1.8.

について計算する。 Next, the second item in FIG.

Calculate about.

は、リンクメールリスク表（図１６）に記憶されているリンクメールリスク値の平均値である。

Is an average value of link mail risk values stored in the link mail risk table (FIG. 16).

を算出する。 As shown in FIG. 16, since the e-mail with the mail ID 102 has two transmission destinations, each is stored as a separate record. The average link mail risk value calculated here is Since it is the average value of the risk value of the electronic mail, the link mail risk value with the mail ID 102 is calculated as the average value of these. That is, the average value (1.00) of the link mail risk values (1.00 and 1.00) with the management IDs 2 and 3 is used as the link mail risk value of the email with the mail ID 102.

Is calculated.

である。 Therefore, in the example of FIG. 16, the sum of the link mail risk values of the mail IDs 101, 102, and 103 is 0.00 + 1.00 + 0.20 = 1.20, and the average value is 1.20 ÷. 3 = 0.40. The value calculated here (0.40) is

It is.

は、ステップＳ３０１で取得した電子メールの送信元から過去に送信された電子メールのリンクリスク値である。 next,

Is the link risk value of the email sent in the past from the email sender acquired in step S301.

For example, the sender of the acquired email is too @ my. co. In the case of jp, referring to FIG. co. Since the link mail risk value that is jp is 1.00,

に代入することとなる。 Substitute 1.00 for. In addition, in the link mail risk table, the sender is “ito @ my. co. If there is an e-mail with jp, the link mail risk value (n) of the e-mail is

Will be assigned to.

As described above, substituting into the second term of the equation of FIG.

= (1.00−0.40) + (n−0.40) +... By calculating this, the risk value of the e-mail transmitted from the transmission source (sender) is calculated. be able to.

＝（１．００−０．４０）＝０．６となる。 In the example of FIG. 16, since there is only a mail with the mail ID 102,

= (1.00-0.40) = 0.6.

と

を図１０の式に代入すると、

となり、取得した電子メールの発信者（送信元）のリスク値

を算出することができる。 Calculated above

When

Is substituted into the equation of FIG.

The risk value of the sender (sender) of the acquired email

Can be calculated.

  The above is the description of the process in step S601.

  Next, when the risk value (sender risk value) of the sender (sender) of the e-mail is calculated in step S601, the calculated sender risk value is stored (stored) in the management information database 103. It is determined whether or not the caller threshold value needs attention is exceeded (step S602).

  If it is determined that the calculated sender risk value is equal to or greater than the caution sender threshold (step S602: Yes), the type of the sender is determined to be caution (step S603).

  On the other hand, when it is determined that the calculated sender risk value is not equal to or greater than the caution sender threshold value (step S602: No), the calculated sender risk value is stored (stored) in the management information database 103. It is determined whether or not it is equal to or less than the high-reliable sender threshold value (step S604). If it is determined that the calculated sender risk value is equal to or less than the highly reliable sender threshold value, the type of the sender is determined to be highly reliable (step S606). If it is determined that the calculated sender risk value is greater than the highly reliable sender threshold, the type of the sender is determined to be normal (step S605).

  After executing the processes of step S603, step S605, and step S606, the process proceeds to step S404.

  Next, the outgoing mail type determination process in step S404 will be described with reference to the flowchart of FIG.

FIG. 7 is a flowchart showing detailed processing of outgoing mail type determination processing (step S404). By the processing shown in FIG. 7, the degree of risk of the acquired electronic mail (outgoing mail) can be determined.
Note that the processing of each step from step S701 to step S708 shown in FIG. 7 is executed and realized by the CPU 201 of the mail auditing apparatus 100.

  In step S701, it is determined whether an attached file is attached to the electronic mail acquired in step S301. If it is determined that an attached file is attached, the process proceeds to step S704. If it is determined that no attached file is attached, the process proceeds to step S702.

  Next, in step S702, the contents of the data included in the e-mail (the contents of the e-mail and / or the contents of the attached file) are inspected to perform a process of calculating the risk level of the e-mail.

  Specifically, the risk level of the e-mail is calculated based on whether or not a predetermined keyword such as “undisclosed settlement data” is included in the content of the data included in the e-mail.

  That is, the risk level of the e-mail is calculated according to such predetermined keywords and the number of the keywords.

  When a predetermined keyword and a risk level for the keyword are stored in a storage unit such as an external memory, and the data included in the e-mail includes the predetermined keyword stored in the storage unit with reference to this When the determination is made, the risk level for the predetermined keyword is counted up.

  The risk level of the e-mail counted up in this way is calculated.

  The method for calculating the email risk shown here is an example, and any method may be used as long as the email risk is calculated according to the data included in the email.

  In other words, the calculation method of the risk level of e-mail may be arbitrarily selected by the administrator depending on the operation mode of the system of the organization.

  Next, when the risk level of the e-mail is calculated in step S702, it is determined from the calculated risk level whether the risk level (risk type) of the e-mail is high, medium, or low (step S703).

  Here, in step S703, two threshold values for determining whether the risk level of the email is high, medium, or low are stored in the storage unit of the mail auditing apparatus 100, and the threshold values and the calculation in step S702 are performed. Judgment is based on the assigned risk. The two threshold values described here are the high risk threshold value and the low risk threshold value.

  If it is determined in step S703 that the risk calculated in step S702 is greater than or equal to the high risk threshold (step S703: high), the risk (risk type) of the e-mail is set to “high” (step S703). S708).

  In step S703, if it is determined that the risk calculated in step S702 is less than the low risk threshold (step S703: low), the risk (risk type) of the e-mail is set to “low”. (Step S706).

  If it is determined in step S703 that the degree of risk calculated in step S702 is less than the high risk threshold and is greater than or equal to the low risk threshold (step S703: medium), the risk (risk type) of the email Is set to “medium” (step S707).

  In step S704, it is determined whether the attached file attached to the e-mail is a text file. This can be determined by analyzing the data in the attached file. Here, the text file is a file format in which the data in the attached file is composed of a character code string in a natural language, and the computer can easily extract characters and / or sentences constituting the file. File. For example, document files such as text files, WORD files, EXCEL files, and HTML files correspond to text files.

  If it is determined in step S704 that the attached file is a text file, the process proceeds to step S702 (step S704: Yes). On the other hand, if it is determined that the attached file is not a text file, the process proceeds to step S705 (step S704: NO).

  In step S705, the attached file attached to the e-mail is analyzed to determine whether the attached file is encrypted. If it is determined that the attached file is encrypted, the process proceeds to step S708, and the risk of the electronic mail is set to “high” (step S708). On the other hand, if it is determined that the attached file is not encrypted, the process proceeds to step S707, and the risk level of the electronic mail is set to “medium” (step S707).

  As described above, when the processes of step S706, step S707, and step S708 are executed, the process shown in FIG. 7 is terminated, and the process proceeds to step S405.

  Next, the initial risk value calculation process in step S411 will be described with reference to the flowchart of FIG.

  FIG. 8 is a flowchart showing detailed processing of the initial risk value calculation processing (step S411). With the process shown in FIG. 8, it is possible to calculate a new link risk value of an email that has never been transmitted in the past and that is a combination (set) of a transmission source and a transmission destination.

  8 is executed by the CPU 201 of the mail auditing apparatus 100 and realized.

  First, in step S801, the destination email address of the address pair currently being processed is the destination email address in the link risk table (FIG. 15) (the destination email composed of the destination local part and the destination domain part). It is determined by searching the link risk table whether there is a row (record) that matches (address) (link determination means). This is to determine whether there is an e-mail that has been sent to the destination address of the e-mail from another sender (for example, another account in the company) other than the e-mail sender acquired in step S301. It is processing to do.

  If it is determined that the destination e-mail address currently being processed has at least one row that matches the destination e-mail address in the link risk table (FIG. 15) (step S801: Yes), A temporary area for storing a plurality of link risk values related to the current destination e-mail address is initialized (step S802). On the other hand, if it is determined that there is no matching row (step S801: NO), the process proceeds to step S808.

After initializing the temporary area in step S802, in step S803, link risk values are extracted one by one from the set of link risk table rows (records) matched in step S801, and the processing in steps S804 to S805 is repeated.
Next, the link risk value extracted in step S803 is added to the temporary area and stored (step S804).

  If the process of S804 has been executed for all the rows (records) in the link risk table that matched in step S801, the process proceeds to step S806, and if not, the process returns to step S803.

  Then, when the link risk values of all the rows (records) of the link risk table matched in step S801 are stored in the temporary area, all of the link risk values stored in the temporary area are included in the link risk table. It is determined whether it is larger than the average value of the link risk values (step S806).

  If it is determined in step S806 that the maximum value of the link risk value stored in the temporary area is larger than the average value, the process proceeds to step S807, and the process is stored in the temporary area. If it is determined that the maximum link risk value is equal to or less than the average value, the process proceeds to step S813.

  In step S807, it is determined whether or not the type of the sender of the e-mail has been determined to be cautioned in step S603. If it is determined that the caller type is determined to be sensitive (step S807: Yes), the process proceeds to step S811, and the caller type is not determined to be sensitive (ie, the caller type is determined). Is determined to be normal or highly reliable) (step S807: NO), the process proceeds to step S812.

  If it is determined in step S801 that there is no row in which the destination email address of the address pair currently being processed matches the destination email address in the link risk table (step S801: NO), the current processing It is determined by searching the link risk table whether the destination domain of the target address pair has a row (record) that matches the domain of the destination domain portion of the link risk table (domain determination means) ( Step S808).

  This is to determine whether there is an e-mail that has been sent to the destination domain of the e-mail from another sender (for example, another account in the company) other than the e-mail sender acquired in step S301. It is processing to do.

  Then, when it is determined that the destination domain of the address pair currently being processed has a line in the link risk table that matches the domain of the destination domain portion of the link risk table (step S808: Yes), FIG. Using the calculation formula, the risk value of the destination (transmission destination) domain is calculated (step S809). On the other hand, if it is determined that the destination domain of the address pair currently being processed does not have any row in the link risk table that matches the domain in the destination domain part of the link risk table (step S808: NO), the processing Goes to step S813.

  In step S809, the link risk value of the destination domain is calculated using the calculation formula of FIG.

の算出方法について説明する。 Next, the link risk value of the destination domain according to the calculation formula of FIG. 11 in step S809.

The calculation method of will be described.

As shown in FIG.

Is an average value of all link risk values stored in the link risk table (FIG. 15). The average link risk value may be an average value of all link mail risk values stored in the link mail risk table (FIG. 16).

となる。このようにして算出された値を図１１の式に代入する。 In the example of FIG. 15, the average value of link risk values is calculated as (0.238 + 0.083 + 0.171) ÷ 3 = 0.164.

It becomes. The value calculated in this way is substituted into the equation of FIG.

Also shown in FIG.

Is the link risk value of the row having the destination domain portion determined to match the destination domain of the address pair currently being processed in step S808. Therefore, the link risk value of the row of the destination domain part determined to match is substituted into the equation of FIG.

に代入される値となる。 For example, in the example of FIG. 15, if the destination domain of the address pair currently being processed is “aaaa.co.jp”, the link risk values (0.238 and 0.171) with management IDs 1 and 3 are used. )But

The value assigned to.

＝（０．２３８−０．１６４）＋（０．１７１−０．１６４）＝０．０８１ Thus, for example, the destination domain of the address pair currently being processed is aaa. co. In the case of jp, the link risk value of the destination domain is calculated as follows.

= (0.238-0.164) + (0.171-0.164) = 0.081

  As described above, the link risk value of the domain of the transmission destination (destination) of the e-mail address pair acquired in step S301 can be calculated using the equation of FIG. 11 (step S809).

  Next, it is determined whether or not the link risk value calculated in step S809 is greater than 0 (zero) (step S810). If it is determined that the link risk value is greater than 0 (zero) (step S810). S810: Yes) The process proceeds to step S807, and if it is determined that the link risk value is 0 (zero) or less (step S810: No), the process proceeds to step S813.

  Next, in step S811, the risk value is set to 1.0, and the process proceeds to step S814.

  Also, in step S812, if the caller type is determined to be highly reliable in step S606, the caller type is set to “normal”, and if the caller type is determined to be normal in step S605. Downgrades the type of the caller by changing to "Needs Attention".

  When the process of step S812 is executed, the process proceeds to step S813.

  In step S813, the initial risk value corresponding to the type of sender determined in step S403 or step S812 and the risk level (email type) of the e-mail determined in step S404 is stored in the initial risk value table 2101. Refer to and decide.

  When step S813 is executed after the caller type is changed by the process of step S812, the caller type changed (determined) in step S812 and the e-mail risk (email) determined in step S404. The initial risk value corresponding to the type) is determined with reference to the initial risk value table 2101.

  FIG. 21 is a diagram illustrating an example of the initial risk value table setting screen.

  Here, FIG. 21 will be described.

  Reference numeral 2101 denotes an initial risk value table.

  The CPU 201 of the management operation terminal 120 displays the initial risk value table setting screen (FIG. 21) on the display unit, and accepts input of the initial risk value table 2101 from the administrator via the initial risk value table setting screen. When an “OK” button 2102 is pressed by the administrator, the input initial risk value table 2101 is transmitted to the mail auditing apparatus 100 so as to be stored in the management information database 103 of the mail auditing apparatus 100. Then, the mail auditing apparatus 100 stores the initial risk value table 2101 received from the management operation terminal 120 in the management information database 103 (risk value storage means).

  In step S813, the initial risk value is determined using the initial risk value table 2101 stored in the management information database 103 in this way.

  The initial risk value table 2101 stores initial risk values corresponding to e-mail risk levels (low / medium / high) and sender types (attention / normal / high reliability).

  Therefore, in step S813, the initial risk value corresponding to the sender type determined in step S403 or step S812 and the email risk (type of email) determined in step S404 is set as the initial risk value. It can be obtained from the table 2101 and determined.

  As described above, when the initial risk value is determined in step S813 or the risk value (1.0) is set in step S811, the initial risk value or the risk value (1 set in step S811) is set. .0) is added to the risk value buffer and stored (step S814).

  When the process of step S814 is executed, the process proceeds to step S412.

  The above is the description of the processing in the mail auditing apparatus 100 that has received an electronic mail from the mail transmitting / receiving terminal 110.

  Next, processing for auditing an audit target electronic mail (audit target mail) stored in the audit target mail storage unit 104 of the mail auditing apparatus 100 by an operation by the administrator will be described with reference to the flowchart of FIG.

  FIG. 9 is a flowchart showing the audit processing of the audit target mail.

  Note that the processing of each step from step S901 to step S913 illustrated in FIG.

  The administrator accesses the audit operation processing unit 105 of the mail auditing apparatus 100 using the program represented by the management operation unit 121 from the management operation terminal 120.

  The management operation unit 121 is assumed to be software such as a web browser, and the audit operation processing unit 105 is assumed to be a CGI program on a web server.

  When the management operation terminal 120 accesses the mail auditing apparatus 100 in accordance with an operation instruction by the administrator, the mail auditing apparatus 100 performs a login process and the like, and the management operation terminal 120 displays an audit target mail list screen that is a management target of the administrator. Display information for displaying is transmitted (step S901).

  The display information transmitted here includes the contents of the electronic mail in the audit target mail management table (FIG. 17) stored in the management information database 103. Specifically, e-mail data (“date and time of reception (date and time of 1802)”, “sender”, “destination”, “title”) specified by the mail ID included in the audit target mail management table (FIG. 17). And the “delivery status” and “link risk value” of the e-mail are included in the display information.

  Next, when receiving the display information for displaying the audit target mail list screen from the mail auditing apparatus 100, the management operation terminal 120 displays the audit target mail list screen on the display unit according to the display information. An example of the audit target mail list screen is shown in FIG.

  FIG. 18 is a diagram illustrating an example of the audit target mail list screen.

  The audit target mail displayed here displays the contents of the audit target mail management table stored in the management information database 103.

However, the displayed range is limited to an e-mail in which the management target e-mail address determined from the management authority of the logged-in administrator is the sender.
At this time, the list of audit target mails is sorted (sorted) in the order according to the link risk value and displayed (output).

Here, the list of emails to be audited is displayed arranged in descending order of link risk values. Furthermore, it is assumed that the descending order and the ascending order of the display order can be switched by a sort button represented by 1803.
This makes it easier for the administrator to preferentially audit from emails that are estimated to be high risk.

In the audit target mail list screen (FIG. 18), in addition to the audit target mail list 1802 which is the management target of the administrator, the total of all link risk values of the audit target mail (residual risk value 1804) In addition, the index information of the audit work such as the audit execution rate 1805 is displayed. Therefore, the display information to be transmitted includes index information such as the residual risk value 1804 and the audit execution rate 1805, and is displayed according to this information.
Here, the audit execution rate is a numerical value indicating how many e-mails are audit-processed among the audit target mails received within a certain period.

  After transmitting the display information in step S901, the mail auditing apparatus 100 receives from the management operation terminal 120 an email selected by the administrator via the audit target mail list screen (step S902). Here, the administrator selects and instructs the audited e-mail line among the audited e-mail lines displayed on the audit target e-mail list screen. Then, the mail auditing apparatus 100 receives the e-mail of the line instructed to be selected from the management operation terminal 120.

  Next, the audit operation processing unit 105 acquires information on the email selected by the administrator in step S902 from the audit target email management table (FIG. 17), and the “delivery status” of the email is displayed. It is determined whether it is on hold (step S903). That is, it is determined whether or not the e-mail selected and instructed by the administrator is a held e-mail (pending mail).

  If it is determined in step S903 that the e-mail selected and instructed by the administrator is a pending mail (step S903: Yes), the audit operation processing unit 105 displays the e-mail pre-audit screen (FIG. 19). Display information to be displayed on the display unit of the management operation terminal 120 is transmitted to the management operation terminal 120 (step S904).

  On the other hand, if it is determined in step S903 that the e-mail selected and instructed by the administrator is not a hold mail (step S903: No), the audit operation processing unit 105 displays the e-mail post-audit screen (FIG. 20). Display information to be displayed on the display unit of the management operation terminal 120 is transmitted to the management operation terminal 120 (step S909).

  Here, the display information transmitted in step S904 or step S909 includes the data of the email to be audited selected and instructed in step S902. The e-mail data is acquired from the audit target mail storage unit 104.

The management operation terminal 120 that has acquired the display information from the mail auditing apparatus 100 by the processing in step S904 displays an email pre-audit screen (FIG. 19) on the display unit according to the display information.
FIG. 19 is a diagram illustrating an example of an e-mail preliminary audit screen.
In step S904, since the delivery status of the audit target mail is pending, display information for displaying an email pre-audit screen for performing a pre-audit is output.

  The e-mail pre-audit screen (FIG. 19) includes an area (1901) for displaying the header part and body part of the e-mail to be audited, an area for displaying the delivery status (1902), and an area for displaying the link risk value (1903). ), Send (1904), send with caution (1905), and delete (1906).

  The administrator confirms the email pre-audit screen, determines the delivery processing of the email to be audited, and presses one of the buttons 1904 to 1906. In this way, the management operation terminal 120 that has received the selection instruction by the administrator transmits the pressed information (audit result information by the administrator) to the mail auditing apparatus 100. Then, the mail auditing apparatus 100 receives the audit result information selected and instructed by the administrator via the e-mail pre-audit screen from the management operation terminal 120 (step S905).

  Next, the email auditing apparatus 100 determines whether the “send” button 1904 or the “send with caution” button 1905 is pressed by the administrator from the audit result information received from the management operation terminal 120 or the “delete” button 1906 is pressed. It is determined whether it has been done (step S906).

  If it is determined in step S906 that the “send” button 1904 or the “send with caution” button 1905 is pressed, the mail auditing apparatus 100 proceeds to step S908.

  In step S908, the e-mail to be audited received in step S902 is transferred to the mail delivery processing unit 101, and the mail delivery processing unit 101 sends the e-mail to the mail delivery device 130 for transmission. Then, the electronic mail stored in the audit target mail storage unit 104 is deleted, and the process proceeds to step S911.

  On the other hand, if it is determined in step S906 that the “delete” button 1906 has been pressed, the audit operation processing unit 105 of the mail auditing apparatus 100 converts the audit target email received in step S902 into the audit target mail storage unit. It deletes from 104 (step S907).

  After executing the process of step S907 or 908, the process proceeds to step S911.

  Next, the processing after step S909 will be described.

The management operation terminal 120 that has acquired the display information from the mail auditing apparatus 100 by the processing in step S909 displays an e-mail post-audit screen (FIG. 20) on the display unit according to the display information.
FIG. 20 is a diagram showing an example of an e-mail post-audit screen.

  In step S909, since the delivery status of the audit target mail is transmission or deletion, display information for displaying an e-mail post-audit screen for performing post-audit is output.

  The e-mail post-audit screen (FIG. 20) includes an area (2001) for displaying the header part, book, and body part of the e-mail to be audited, an area for displaying the delivery status (2002), and an area for displaying the link risk value ( 2003), no problem (2004), attention (2005), and problem (2006) buttons.

  Here, in the area 2002 for displaying the delivery status, if the delivery status is deleted, the record of the link risk table (FIG. 15) for all the sender address / destination address pairs of the e-mail has already been obtained in step S312. Since the number of deletions and the link risk value are added, a message that the link risk value of the e-mail has already been added to the link risk table is also displayed.

  The administrator confirms the e-mail post-audit screen, determines the delivery process of the e-mail to be audited, and presses one of the buttons 2004 to 2006. In this way, the management operation terminal 120 that has received the selection instruction by the administrator transmits the pressed information (audit result information by the administrator) to the mail auditing apparatus 100. Then, the mail auditing apparatus 100 receives the audit result information selected and instructed by the administrator via the e-mail post-audit screen from the management operation terminal 120 (step S910). After performing the process of step S910, the process proceeds to step S911.

In step S911, the audit operation processing unit 105 follows the audit result information received in any of step S907, step S908, and step S910 (transmission, transmission with attention, deletion, no problem, attention, or problem). The link risk value in the link mail risk table (FIG. 16) stored in the management information database 103 relating to the audit target mail received in step S902 is updated.
Here, the update process of the link mail risk table in step S911 will be specifically described.

  When the audit result of the audit of the e-mail that is suspended in step S310 and is subject to the pre-audit is received in step S904, the e-mail ID of the e-mail, the sender address of the e-mail with the e-mail ID, and all the destinations A column (record) including a combination of addresses (address pair) and a link mail risk value is not stored in the link mail risk table (FIG. 16).

  Therefore, when the audit result of the audit of the email that has been suspended in step S310 and is subject to the pre-audit is received in step S905, the records for all the address pairs of the email are linked mail risk table (FIG. 16). ) Newly generated. In the generated record, the mail ID of the e-mail, the sender address of the e-mail with the mail ID, all destination addresses (address pairs), and the link mail risk value of each address pair are stored. . At that time, a unique management ID is also stored in each address pair.

  The link mail risk value stored here is a value determined from the audit result information (transmission, transmission with attention, deletion) accepted in step S905 and the link mail risk value table (FIG. 14).

  That is, if the received audit result information is “send”, the link mail risk value of transmission in the link mail risk value table (FIG. 14) is 0.00. 00 is stored. Further, if the received audit result information is “transmission with caution”, the link mail risk value of the transmission with caution in the link mail risk value table (FIG. 14) is 0.20. The value is stored as 0.20. If the received audit result information is “deleted”, the link mail risk value for deletion in the link mail risk value table (FIG. 14) is 1.00. 00 is stored.

  Further, when the audit result information of the e-mail subject to the post-audit is received in step S910, the row (record) of the combination (address pair) of the sender address and all the destination addresses of the e-mail is displayed as the link mail risk. The table (FIG. 16) is searched and specified.

  Then, the link mail risk value of the record of the identified address pair is updated according to the audit result information (no problem, caution, and problem) accepted in step S910.

  The link mail risk value updated here is a value determined from the audit result information received in step S910 (no problem, caution, and problem) and the link mail risk value table (FIG. 14).

  That is, if the received audit result information is “no problem”, the link mail risk value in the link mail risk value table (FIG. 14) is 0.00, so the link mail risk value in the link mail risk table is 0. Updated to .00. If the received audit result information is “caution”, the link mail risk value of the link mail risk table (FIG. 14) is 0.20, so the link mail risk value of the link mail risk table is 0.20. Updated to If the received audit result information is “problem”, the link mail risk value in the link mail risk value table (FIG. 14) is 1.00, so the link mail risk value in the link mail risk table is 1. Updated to .00.

Through the processing described above, in step S911, the link mail risk value of the record in the link mail risk table (FIG. 16) regarding the audit target mail accepted in step S902 can be updated (generated).
When the link mail risk table (FIG. 16) is updated (generated) in step S911, the process proceeds to step S912.

In step S912, the link risk table (FIG. 15) is updated according to the audit result information received in step S905 or step S909 (either transmission, transmission with attention, deletion, no problem, attention, or problem).
Here, the update process of the link risk table (FIG. 15) in step S912 will be specifically described.

  In step S912, when the audit result information of the email to be audited is received in step S905 or step S910, the combination (set) of the sender address of the email and all the destination addresses of the email is: A record in the link risk table (FIG. 15) is specified.

  That is, the record of the pair of the transmission source and the transmission destination in the link risk table that matches the combination of the transmission source and the destination (transmission destination) of the electronic mail that has received the audit result information is specified.

  When audit result information (send, send with caution, delete, no problem, caution, with problem) is received in step S905 or step S910, the link risk table corresponding to the received audit result information Increment (update) the value of the item. For example, when the audit result information of the pre-audit is “send”, the value of the “send” item of the specified record is incremented (updated). Similarly, when the audit result information of the post audit is “problem”, the value of the “problem” item of the specified record is incremented (updated). The same applies to other audit result information (sent with caution, deleted, no problem, caution).

  Here, if there is a pair that does not match the source and destination of each record in the link risk table among the pairs of senders and email addresses of audited emails, Add records that do not match source and destination to the link risk table.

  Then, the value of the item of the added record corresponding to the audit result information is set to 1. For example, when the audit result information is “send”, the value of the item “send” of the added record is set to 1. The same applies when other audit result information (sent with caution, deleted, no problem, caution, with problem) is accepted.

  However, if the audit result information (no problem, caution, and problem) of the post-audit is received in step S910, the combination of the sender address and all the destination addresses of the e-mail subject to the audit of the post-audit (address pair) Decrement (update) the value of the pre-audit item in the row (record) of the link risk table.

  Specifically, in step S911, the audit result in the pre-audit is calculated from the link mail risk value by the pre-audit stored before updating the link mail risk value of the link mail risk table according to the audit result information of the post-audit. It is determined whether the information is “transmission”, “transmission with caution”, or “deletion”. For example, if the link mail risk value by the pre-audit is 0.00, it is determined as “send”, 0.20 is determined as “transmit with caution”, and 1.00 is determined as “delete”. .

  Then, among the items of the pre-audit of the link risk table row (record) of the combination (address pair) of the sender address and all the destination addresses of the e-mail that is the audit target of the audit result information received in step S910 Decrement (update) the value of the audit result information item in the pre-audit.

  This is because the pre-audit link mail risk value in the link mail risk table (Fig. 16) is updated according to the audit result information from the post-audit, so the pre-audit audit stored in the link risk table (Fig. 15) This is because the link risk table (FIG. 15) and the link mail risk table (FIG. 16) cannot be matched unless the result value is decremented.

  Further, as described above, when the value of the item corresponding to the audit result information in the link risk table (FIG. 15) is updated, the total number of the link risk table (FIG. 15) is also updated according to the updated value of the item.

  Thus, when the values of “transmission”, “transmission with caution”, “deletion”, “no problem”, “caution”, and “problem” are updated in the link risk table (FIG. 15) The link risk value is also updated according to the value.

  The updated link risk value can be calculated by using the calculation formula shown in FIG.

  Since the link risk value calculation procedure has been described in step S312, it is omitted here.

  When the link risk value is calculated using the calculation formula shown in FIG. 12, the link risk value of the record of the pair of the transmission source and the transmission destination in the link risk table (FIG. 15) is calculated as the calculated link. Update to risk value.

By performing the above-described processing, the value of the link risk table (FIG. 15) can be updated in step S912.
When the value of the link risk table (FIG. 15) is updated in step S912, the process proceeds to step S913.

  In step S913, since the audit of the audit target mail is completed, the audit target mail record that has been audited is deleted from each record of the audit target mail management table (FIG. 17).

  Thereafter, the audit screen displayed on the management operation unit 121 returns to the screen in step S901, and repeats the processing from step S901 to step S913 described above for other audit target mails. Also good.

  The above is the description of the process for auditing the audit target electronic mail (audit target mail) stored in the audit target mail storage unit 104 of the mail auditing apparatus 100 by the operation of the administrator.

  As described above, according to the present embodiment, the transmission control of the e-mail is performed according to the risk of the e-mail transmission source determined from the past transmission control and / or auditing results and the risk of the e-mail. As a result, the auditor can be audited efficiently and appropriately.

  As described above, various embodiments of the present invention have been described. However, the present invention may take the form of, for example, a system, apparatus, method, program (computer program) or storage medium that can be read and executed by the apparatus. Specifically, the present invention may be applied to a system composed of a plurality of devices, or may be applied to an apparatus composed of a single device.

  Another object of the present invention is to supply a storage medium storing software program codes for realizing the functions of the above-described embodiments to a system or apparatus, and the computer (or CPU or MPU) of the system or apparatus stores the storage medium. Needless to say, this can also be achieved by reading and executing the program code stored in.

  In this case, the program code itself read from the storage medium realizes the functions of the above-described embodiments, and the program code itself and the storage medium storing the program code constitute the present invention.

  As a storage medium for supplying the program code, for example, a flexible disk, a hard disk, an optical disk, a magneto-optical disk, a CD-ROM, a CD-R, a magnetic tape, a nonvolatile memory card, a ROM, or the like can be used.

  Further, by executing the program code read by the computer, not only the functions of the above-described embodiments are realized, but also an OS (basic system or operating system) running on the computer based on the instruction of the program code. Needless to say, a case where the function of the above-described embodiment is realized by performing part or all of the actual processing and the processing is included.

  Further, after the program code read from the storage medium is written in a memory provided in a function expansion board inserted into the computer or a function expansion unit connected to the computer, the function expansion is performed based on the instruction of the program code. It goes without saying that the CPU or the like provided in the board or the function expansion unit performs part or all of the actual processing and the functions of the above-described embodiments are realized by the processing.

DESCRIPTION OF SYMBOLS 100 Mail inspection apparatus 101 Mail delivery process part 102 Delivery rule database 103 Management information database 104 Audit object mail preservation | save part 105 Audit operation process part 110 Mail transmission / reception terminal 111 Mail transmission / reception part 120 Management operation terminal 121 Management operation part 130 Mail delivery apparatus 140 External network

Claims (7)

An e-mail control device that is communicable with an e-mail transmission terminal and performs transmission control of an e-mail transmitted by the e-mail transmission terminal,
Stores link risk information including a group of the e-mail transmission source and destination, and a risk value indicating a risk level related to transmission of the e-mail of the group based on past transmission control and / or audit results. Risk storage means to
Condition storage means for storing a risk condition which is a condition for determining whether to permit transmission of the e-mail based on the risk value;
Obtaining means for obtaining an email sent by the email sending terminal;
In accordance with the risk value of the email sent in the past from the sender of the email acquired by the acquisition means, included in the link risk information stored in the risk storage means, the risk of the email sender Calculating means for calculating a source risk value indicating the degree;
A determination unit that determines a risk type indicating a degree of risk associated with the e-mail according to the content of the e-mail acquired by the acquisition unit or the format of data attached to the e-mail;
Determining means for determining a risk value related to sending of the e-mail acquired by the acquiring means according to the sender risk value calculated by the calculating means and the risk type determined by the determining means;
It is determined whether the risk value determined by the determining means satisfies the risk condition stored in the condition storage means to permit transmission of the email, and according to the determination result, the email value of the email is determined. Transmission control means for performing transmission control;
An e-mail control device comprising: It is determined according to the link risk information stored in the risk storage means whether there is an email sent from a sender other than the sender of the email obtained by the obtaining means to the destination of the email. Link determination means;
In the link determination means, it is determined that there is an email sent from a sender other than the sender of the email acquired by the acquiring means to the destination of the email, other than the sender of the email A change unit that changes a risk type determined by the determination unit according to a risk value of a set of a transmission source and a transmission destination of the e-mail;
Further comprising
The electronic mail control apparatus according to claim 1, wherein the determining means determines a risk value related to sending of the electronic mail acquired by the acquiring means according to the risk type changed by the changing means. When the link determination unit determines that there is no email transmitted from a transmission source other than the transmission source of the email acquired by the acquisition unit to the transmission destination of the email, the link determination unit acquires the email. Domain determination means for determining whether or not there is an e-mail transmitted from a sender other than the sender of the e-mail to the domain of the e-mail transmission destination according to the link risk information stored in the risk storage means Further comprising
The change unit according to claim 2, wherein the change unit changes the risk type determined by the determination unit according to a risk value of an email determined to be transmitted to the domain by the domain determination unit. E-mail control device. The risk value based on the past transmission control and / or audit performance of the pair of the transmission source and the transmission destination of the email acquired by the acquisition unit is included in the link risk information stored in the risk storage unit A risk value judging means for judging whether or not
Further comprising
The transmission control means is determined by the determination means when the risk value determination means determines that the risk value of the sender and destination of the email is not included in the link risk information It is determined whether a risk value satisfies a risk condition stored in the condition storage means to permit transmission of the electronic mail, and transmission control of the electronic mail is performed according to the determination result. The electronic mail control device according to any one of claims 1 to 3. A risk value storage means for storing a risk value associated with the source risk value and the risk type;
The determination means associates the risk value stored in the risk value storage means with the transmission source risk value calculated by the calculation means and the risk type determined by the determination means, as the acquisition means. The electronic mail control apparatus according to claim 1, wherein the electronic mail control apparatus is determined as a risk value related to transmission of the electronic mail acquired in step 1. Communication with an e-mail transmission terminal, and a group of e-mails transmitted by the e-mail transmission terminal, based on past transmission control and / or audit results, Risk storage means for storing link risk information including a risk value indicating a risk level related to transmission, and a risk condition that is a condition for determining whether transmission of the e-mail is permitted based on the risk value A control method for an e-mail control device comprising condition storage means,
The acquisition step of the e-mail control device acquires an e-mail transmitted by the e-mail transmission terminal; and
The calculation means of the electronic mail control device is included in the link risk information stored in the risk storage means, according to the risk value of the electronic mail transmitted in the past from the transmission source of the electronic mail acquired in the acquisition step, A calculation step of calculating a sender risk value indicating a degree of risk relating to the sender of the email;
The determination unit of the electronic mail control device determines a risk type indicating the degree of risk associated with the electronic mail according to the content of the electronic mail acquired in the acquiring step or the format of the data attached to the electronic mail. A determination process;
According to the sender risk value calculated in the calculation step and the risk type determined in the determination step, the determination unit of the e-mail control device is a risk value related to transmission of the e-mail acquired in the acquisition step. A determination step for determining
Whether the transmission control unit of the electronic mail control device permits the transmission of the electronic mail by determining whether the risk value determined in the determination step satisfies the risk condition stored in the condition storage unit. A transmission control step of determining and performing transmission control of the e-mail according to the determination result;
A control method for an electronic mail control apparatus, comprising: Communication with an e-mail transmission terminal, and a group of e-mails transmitted by the e-mail transmission terminal, based on past transmission control and / or audit results, Risk storage means for storing link risk information including a risk value indicating a risk level related to transmission, and a risk condition that is a condition for determining whether transmission of the e-mail is permitted based on the risk value A program executable by an e-mail control device comprising a condition storage means,
The e-mail control device;
Obtaining means for obtaining an email sent by the email sending terminal;
In accordance with the risk value of the email sent in the past from the sender of the email acquired by the acquisition means, included in the link risk information stored in the risk storage means, the risk of the email sender Calculating means for calculating a source risk value indicating the degree;
A determination unit that determines a risk type indicating a degree of risk associated with the e-mail according to the content of the e-mail acquired by the acquisition unit or the format of data attached to the e-mail;
Determining means for determining a risk value related to sending of the e-mail acquired by the acquiring means according to the sender risk value calculated by the calculating means and the risk type determined by the determining means;
It is determined whether the risk value determined by the determining means satisfies the risk condition stored in the condition storage means to permit transmission of the email, and according to the determination result, the email value of the email is determined. A program that functions as transmission control means for performing transmission control.

Images