CN101316172B - Exception mail detection system and method - Google Patents

Info

Publication number: CN101316172B
Authority: CN (China)
Prior art keywords: mail, attribute, sender, examination criteria, exception
Legal status: Active
Application number: CN2008101063394A
Other languages: Chinese (zh)
Other versions: CN101316172A (en)
Inventors: 张尼, 张智江, 张范, 方滨兴, 吴树兴
Current Assignee: China United Network Communications Group Co Ltd
Original Assignee: China United Network Communications Group Co Ltd

Abstract

The invention relates to an abnormal mail detection system and method. The system comprises a state machine generation module, which sets up, according to the mail protocol, a state machine comprising the states occupied during mail communication, the events that drive state transitions and the state variables that record attribute information of the mail communication process, creates a corresponding state machine instance for each mail session, and uses the state variables of that instance to record the attribute information of the mail communication in real time; and an attribute detection module, which sets the detection criteria corresponding to the attributes and judges whether the attribute information in the state variables of the state machine instance meets the corresponding detection criteria; if it does, the mail corresponding to that attribute information is abnormal mail. Abnormal mail on a backbone network or LAN can thereby be detected in time, which can prevent the outbreak of large-scale security incidents.

Description

Abnormal mail detection system and method
Technical field
The present invention relates to the field of e-mail communication, and in particular to an abnormal mail detection method and system.
Background art
Abnormal traffic generally refers to traffic carried on a network that neither the operator nor the user wants. For an operator providing Internet service, any traffic that affects network performance and function can be regarded as abnormal traffic, including network applications that abuse bandwidth resources (for example P2P applications and bulk spam), DoS (Denial of Service) and DDoS (Distributed Denial of Service) attack traffic, meaningless traffic that does not follow Internet protocol standards, and burst traffic caused by major social events.
Recently, the share of abnormal traffic that abuses SMTP (Simple Mail Transfer Protocol), that is, traffic containing abnormal mail, has risen significantly and its harm keeps growing. SMTP itself is a simplified mail submission protocol; its design concepts of ease of use, openness and trust have made it the most important communication method today, but they also make it convenient for lawbreakers to generate abnormal traffic such as spam, mail worms and network attacks. Therefore, to meet the security requirements of the Internet at the macro level, an abnormal mail detection method is needed that can find abnormal mail in the mail traffic of a backbone network or a local area network (LAN) in real time and defend quickly and effectively when a large-scale security incident breaks out.
Under normal circumstances, there are four reasons why mail traffic contains abnormal mail:
Reason 1, spam. To secure their own economic interests, spammers send spam with special tools. Such tools usually do not strictly follow SMTP and integrate some special functions (such as automatically generating large numbers of random mail addresses, forging the sender's domain information, a built-in SMTP engine, and using raw sockets for network communication), and they write special values into the fields of the application layer protocol.
Reason 2, mail worms. When a mail worm breaks out, the number of failed DNS (domain name resolution) queries and failed SMTP connections in the LAN rises sharply, which differs markedly from the network's normal operation.
Reason 3, malicious attacks. For example: scanning the mail servers in a domain and collecting the user address lists on them to mount dictionary attacks; an attacker actively establishing a large number of empty SMTP sessions to mount a DDoS attack on a mail server; or sending mail to a large number of mail servers with forged user addresses while impersonating a victim mail domain.
Reason 4, evasion techniques. Some senders use data fragmentation and packetisation strategies to evade detection by filtering systems; to counter delay techniques and raise throughput, the sender places all commands and even the message body in one IP packet, so the number of IP packets in a mail session and the length of each packet differ clearly from normal IP packets.
At present, researchers have proposed some abnormal mail detection techniques, of which the feature identification method and the historical behaviour analysis method are the more common.
The feature identification technique blocks abnormal mail by building an "abnormal mail feature database" and comparing the payload part of a mail against it, thereby finding the signatures of mail worms and mail attacks and filtering the abnormal mail out.
The historical behaviour analysis method: by collecting statistics on the history of mail sent by the sender's mail server, it predicts the probability that the server will send abnormal mail, yielding the following model:
$$P_i = \frac{N_{good}(i)}{N_{total}(i)}$$
where $i$ is the IP address of the sending server, $N_{good}(i)$ and $N_{total}(i)$ are the number of legitimate mails and the number of all mails sent by server $i$, and their ratio $P_i$ is the probability that it sends legitimate mail. A threshold $r$ is defined: if $P_i > r$, the server is more likely to be sending legitimate mail; otherwise the proportion of abnormal mail it sends is higher.
Existing abnormal mail detection techniques are mainly used in LAN environments and mostly perform offline statistics and analysis on static mail text or log information on the mail server; they can only detect complete mail sessions and have poor real-time performance. In addition, these techniques ignore the network attributes of the data and the characteristics of the protocol itself, and the detection parameters are set by administrators, so they are unsuitable for detecting abnormal mail in a backbone network.
Summary of the invention
To solve the above problems, the invention provides an abnormal mail detection system and method based on command messages, whose purpose is to detect abnormal mail on a backbone network or a LAN in real time.
The invention discloses an abnormal mail detection system comprising:
a state machine generation module, used to set up, according to the mail protocol, a state machine of the mail communication process, the state machine comprising the states occupied during mail communication, the events that drive state transitions and the state variables used to record attribute information; to create a corresponding state machine instance for each mail session; and to record in real time the attribute information of that mail session in the state variables of the state machine instance, where the mail protocol is the Simple Mail Transfer Protocol or the Extended Simple Mail Transfer Protocol and the attributes include network attributes and protocol attributes;
an attribute detection module, used to set the detection criteria corresponding to the attributes and to judge whether the attribute information in the state variables of the state machine instance meets the corresponding detection criteria; if it does, the mail corresponding to that attribute information is abnormal mail.
The system further comprises a filtering module and a monitoring module, and the detection criteria comprise severe detection criteria and common detection criteria;
the attribute detection module is further used, when the mail corresponding to the attribute information is determined to be abnormal mail, to check whether the detection criteria that were met include a severe detection criterion; if so, the abnormal mail is severely abnormal mail, otherwise it is common abnormal mail;
the filtering module is used to block the connection between the sending mail server and the receiving mail server of the mail session containing the severely abnormal mail;
the monitoring module is used to record information about the common abnormal mail for monitoring operations.
The attribute detection module further comprises a network attribute detection module and a protocol attribute detection module;
the network attribute detection module is used to set the detection criteria corresponding to the network attributes and to judge whether the network attribute information in the state variables of the state machine instance meets the corresponding detection criteria; if so, the mail corresponding to that network attribute information is abnormal mail; and, when that mail is determined to be abnormal, to check whether the criteria met include a severe detection criterion, in which case the abnormal mail is severely abnormal mail, otherwise common abnormal mail;
the protocol attribute detection module is used to set the detection criteria corresponding to the protocol attributes and to judge whether the protocol attribute information in the state variables of the state machine instance meets the corresponding detection criteria; if so, the mail corresponding to that protocol attribute information is abnormal mail; and, when that mail is determined to be abnormal, to check whether the criteria met include a severe detection criterion, in which case the abnormal mail is severely abnormal mail, otherwise common abnormal mail.
The network attributes include command payload length, the commands comprising the sender command, data command, reset command and quit command;
the severe detection criteria corresponding to the command payload length attribute comprise:
the length of the sender command is less than the minimum of the normal range and the sender address in that sender command is of the form the mail protocol prescribes for the sender address of an error notification mail, where the normal range is [max(u − 2δ, l), u + 2δ] and l, u and δ are respectively the minimum, expected value and standard deviation of the sender command length;
the length of the data command, reset command or quit command is less than the normal value;
the length of the data command is greater than the normal value;
the common detection criteria corresponding to the command payload length attribute comprise:
the length of the sender command is greater than the normal range;
the length of the reset command or quit command is greater than the normal value;
the normal value is 6 bytes.
The system further comprises a parameter configuration module,
used to set the minimum, expected value and standard deviation of the sender command length.
The network attributes include the sender address;
the severe detection criterion corresponding to the sender address attribute is that, within the same mail session, the sender addresses of at least two mails do not belong to the same domain.
The protocol attributes include events, the events comprising command events triggered by received messages and timeout events triggered when no data is received for longer than a configured duration;
the state machine includes an envelope state, which represents that sender and recipient information has been received;
the severe detection criteria corresponding to the event attribute comprise: receiving a sender command in the envelope state;
the common detection criteria corresponding to the event attribute comprise:
a timeout event being produced;
the state occupied when a command event is produced not conforming to the rules of the mail protocol, other than receiving a sender command in the envelope state.
The invention also discloses an abnormal mail detection method comprising:
Step 1: set up, according to the mail protocol, a state machine of the mail communication process, the state machine comprising the states occupied during mail communication, the events that drive state transitions and the state variables used to record attribute information, and set the detection criteria corresponding to the attributes; the mail protocol is the Simple Mail Transfer Protocol or the Extended Simple Mail Transfer Protocol and the attributes include network attributes and protocol attributes;
Step 2: create a corresponding state machine instance for each mail session and record in real time the attribute information of that mail session in the state variables of the state machine instance;
Step 3: judge whether the attribute information in the state variables of the state machine instance meets the corresponding detection criteria; if so, the mail corresponding to that attribute information is abnormal mail.
The detection criteria comprise severe detection criteria and common detection criteria;
Step 3 further comprises: when the mail corresponding to the attribute information is determined to be abnormal mail, checking whether the detection criteria met include a severe detection criterion; if so, the abnormal mail is severely abnormal mail, otherwise it is common abnormal mail;
Step 101: block the connection between the sending mail server and the receiving mail server of the mail session containing the severely abnormal mail;
Step 102: record information about the common abnormal mail for monitoring operations.
The attributes include command payload length, the commands comprising the sender command, data command, reset command and quit command;
the severe detection criteria corresponding to the command payload length attribute comprise:
the length of the sender command is less than the minimum of the normal range and the sender address in that sender command is of the form the mail protocol prescribes for the sender address of an error notification mail, where the normal range is [max(u − 2δ, l), u + 2δ] and l, u and δ are respectively the minimum, expected value and standard deviation of the sender command length;
the length of the data command, reset command or quit command is less than the normal value;
the length of the data command is greater than the normal value;
the common detection criteria corresponding to the command payload length attribute comprise:
the length of the sender command is greater than the normal range;
the length of the reset command or quit command is greater than the normal value;
the normal value is 6 bytes.
Step 1 further comprises:
Step 131: set the minimum, expected value and standard deviation of the sender command length.
The attributes include the sender address;
the severe detection criterion corresponding to the sender address attribute is that, within the same mail session, the sender addresses of at least two mails do not belong to the same domain.
The attributes include events, the events comprising command events triggered by received messages and timeout events triggered when no data is received for longer than a configured duration;
the state machine includes an envelope state, which represents that sender and recipient information has been received;
the severe detection criteria corresponding to the event attribute comprise: receiving a sender command in the envelope state;
the common detection criteria corresponding to the event attribute comprise:
a timeout event being produced;
the state occupied when a command event is produced not conforming to the rules of the mail protocol, other than receiving a sender command in the envelope state.
Description of the drawings
The beneficial effect of the invention is that abnormal mail can be detected in real time in a LAN and in a backbone network using the network attributes and protocol attributes of mail, without intruding on user privacy; abnormal mail is classified, the mail sessions of severely abnormal mail are blocked and common abnormal mail is monitored, which improves the performance of mail servers and, by reducing abnormal mail, allows a quick and effective defence when a large-scale security incident breaks out.
Fig. 1 is the structure diagram of the system of the invention;
Fig. 2 is the schematic diagram of the state machine of the invention;
Fig. 3 is the flow chart of the method of the invention.
Embodiments
The invention is described in further detail below with reference to the drawings.
As shown in Fig. 1, the system of the invention comprises a state machine generation module 101, an attribute detection module 102, a filtering module 103, a monitoring module 104 and a parameter configuration module 105; the attribute detection module 102 further comprises a network attribute detection module 121 and a protocol attribute detection module 122.
The state machine generation module 101 is used to set up, according to the mail protocol, a state machine of the mail communication process, comprising the states occupied during mail communication, the events that drive state transitions and the state variables used to record attribute information; to create a corresponding state machine instance for each mail session; and to record in real time the attribute information of the mail session in the state variables of that instance.
The state machine corresponds to the mail protocol, comprises states, events and state variables, and is used to simulate the processing of protocol messages.
A state represents a stage of the whole mail communication process;
an event is an operation that causes the state machine to make a state transition: an event triggered by receiving a message during mail communication is a command event, and an event triggered when the time without receiving a message exceeds a configured duration is a timeout event;
a state variable is used to record attribute information and operational application information. An attribute is an item used to judge abnormality; an operational application item is application information used in filtering or monitoring operations and includes the IP addresses and ports of the sending and receiving mail servers. Attributes are further divided into network attributes and protocol attributes: network attributes include the recipient address attribute, sender address attribute and command length attribute; protocol attributes include the event attribute, where events comprise timeout events and command events.
Network attributes are attributes related to mail commands; they are visible only in the network and cannot be obtained at the terminal. Mail commands are the commands exchanged between the receiving mail server and the sending mail server during mail communication and include the greeting command (HELO), sender command (MAIL FROM), recipient command (RCPT TO), data command (DATA), reset command (RSET) and quit command (QUIT);
protocol attributes are attributes related to SMTP or Extended SMTP.
Each mail session has its own attribute information and operational application information corresponding to the attributes and operational application items, recorded in the state variables of that session. The state machine generated by the state machine generation module 101 is shown in Fig. 2.
The mail protocol of this embodiment is SMTP or Extended SMTP. The state machine comprises the following six states: initial state (INIT), established state (HELO), envelope state (ENVELOPE), data state (DATA), text state (TEXT) and completion state (DONE).
Initial state: the mail session begins. Receiving a message in the initial state triggers a command event; if the greeting command is received, the state transitions to the established state;
established state: the receiving mail server has received the greeting command sent by the sending mail server and is ready to receive a new mail. Receiving a message in the established state triggers a command event; once the sender command and the recipient command have been received, the state transitions to the envelope state;
envelope state: sender and recipient information has been received. Receiving a message in the envelope state triggers a command event; if the data command is received, the state transitions to the data state, and if the reset command is received, the state transitions to the established state;
data state: the receiving mail server has successfully received the data command and is ready to receive the mail header, which follows the data command, precedes the body and is visible at the terminal. Receiving a message in the data state triggers a command event; if the border command (Border) is received, the state transitions to the text state;
text state: the receiving mail server is ready to receive the message body. Receiving a message in the text state triggers a command event; the body is received until the end command (DOT) sent by the sending mail server arrives, reception of the body is then complete, and the state transitions to the established state, indicating that processing of the current mail is finished;
completion state: the mail session has ended. When a timeout event is triggered because no data was received within the configured duration, the state machine transitions from whatever state it is in to the completion state; receiving a message in the established state or the envelope state triggers a command event, and after the quit command is received the state transitions to the completion state.
The packet parsing process is: a message is received, a command event is triggered, the payload part of the message is parsed line by line, and the command in the message is obtained.
The state variables of the state machine comprise: an envelope variable, an address variable, a command length variable, a command event variable and a timeout event variable.
The envelope variable corresponds to the recipient address attribute and sender address attribute of the current mail; if the mail session contains several mails, this variable should also hold the recipient address attribute and sender address attribute of the first mail, stored as a linked list. It records the recipient and sender address information of the first mail and of the current mail, and the attribute information is added on transition from the established state to the envelope state;
the address variable corresponds to the address application item and records the IP addresses and ports of the sending and receiving mail servers; it is recorded on transition from the initial state to the established state;
the command length variable corresponds to the command length attribute and comprises four numeric variables recording the payload lengths of the sender command, data command, reset command and quit command respectively; when a sender, data, reset or quit command is received, the record in the corresponding numeric variable is updated;
the command event variable corresponds to the command event attribute and records the state in which a command event is produced and the command received; it is updated when a received message triggers a command event;
the timeout event variable corresponds to the timeout event attribute and records the state in which a timeout event is produced; it is updated when a timeout event is produced.
The state machine generation module 101 defines the state machine at initialisation, generates a state machine instance for each mail session, and adds the state variables of the instance to a session description information table stored as a hash table, in which the quadruple formed by the IP addresses and ports of the receiving and sending mail servers of the session is the index of the state machine instance. The state variables of the instance record in real time the attribute information and operational application information of the mail session.
When a state machine instance is initialised it is in the initial state, and a state transition is performed when an event is produced. For example, when the data command is received in the envelope state, the state transitions to the data state and the command length variable and command event variable are updated: the data command payload length in the command length variable is set to the payload length of this data command, the state in which the event was produced in the command event variable is set to the envelope state, and the received command is set to the data command.
When a state machine instance receives the reset command in the envelope state and transitions to the established state, all historical information in the state variables is discarded; when it transitions to the completion state, the state variable information is written to a log, the corresponding state variables are removed from the description information table, and all related resources are released.
After the state machine generation module 101 receives a message and completes packet parsing and state variable updating, it notifies the attribute detection module 102 of the updated state variables.
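The state machine just described, as an added example in Python that is not part of the patent: the six states, command and timeout events, the five state variables and the transitions listed above. The line-parsing helpers, the treatment of the empty header/body line as the border command and the snapshot returned after each event are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional

INIT, HELO, ENVELOPE, DATA, TEXT, DONE = "INIT", "HELO", "ENVELOPE", "DATA", "TEXT", "DONE"
LENGTH_TRACKED = ("MAIL", "DATA", "RSET", "QUIT")  # commands whose payload length is kept


def command_verb(line: bytes) -> str:
    """First token of a command line: 'MAIL FROM:<x>' -> 'MAIL'. The lone '.'
    that ends the body is reported as 'DOT' and the empty line separating
    header from body (the page's border command) as 'BORDER'."""
    body = line.rstrip(b"\r\n")
    if body == b".":
        return "DOT"
    if body == b"":
        return "BORDER"
    return body.split(b" ", 1)[0].split(b":", 1)[0].upper().decode("ascii", "replace")


def address_in(line: bytes) -> str:
    """Mailbox inside the angle brackets of a MAIL FROM / RCPT TO line."""
    body = line.decode("ascii", "replace")
    if "<" in body and ">" in body:
        return body[body.index("<") + 1:body.index(">")]
    return body.split(":", 1)[-1].strip()


@dataclass
class Envelope:
    sender: str = ""
    recipients: list = field(default_factory=list)


class SmtpStateMachine:
    """One instance per mail session, indexed by the address quadruple."""

    def __init__(self, sender_ip, sender_port, receiver_ip, receiver_port):
        self.address = (sender_ip, sender_port, receiver_ip, receiver_port)  # address variable
        self.state = INIT
        self.first_envelope: Optional[Envelope] = None  # first mail of the session
        self.envelope: Optional[Envelope] = None        # current mail
        self.cmd_len = dict.fromkeys(LENGTH_TRACKED)    # command length variable
        self.cmd_event = None      # (state when produced, command received)
        self.timeout_event = None  # state in which the timeout was produced

    def on_message(self, line: bytes) -> dict:
        """Command event: parse one payload line, update the variables and
        return a snapshot for the attribute detection module."""
        verb = command_verb(line)
        prev = self.state
        self.cmd_event = (prev, verb)
        if verb in LENGTH_TRACKED:
            # payload length counts the CRLF, so b'DATA\r\n' is the 6-byte normal value
            self.cmd_len[verb] = len(line)
        if prev == INIT and verb in ("HELO", "EHLO"):
            self.state = HELO
        elif prev in (HELO, ENVELOPE) and verb == "MAIL":
            # a MAIL received in ENVELOPE is only recorded here; judging it is the detector's job
            self.envelope = Envelope(sender=address_in(line))
            if self.first_envelope is None:
                self.first_envelope = self.envelope
        elif prev in (HELO, ENVELOPE) and verb == "RCPT" and self.envelope is not None:
            self.envelope.recipients.append(address_in(line))
            self.state = ENVELOPE  # sender and recipient are now both known
        elif prev == ENVELOPE and verb == "DATA":
            self.state = DATA
        elif prev == ENVELOPE and verb == "RSET":
            self.state = HELO
        elif prev == DATA and verb == "BORDER":
            self.state = TEXT
        elif prev == TEXT and verb == "DOT":
            self.state = HELO      # current mail finished, ready for the next one
        elif prev in (HELO, ENVELOPE) and verb == "QUIT":
            self.state = DONE
        snapshot = self.snapshot()
        if prev == ENVELOPE and verb == "RSET":
            # the transition back to HELO discards the session's recorded history
            self.first_envelope = self.envelope = None
            self.cmd_len = dict.fromkeys(LENGTH_TRACKED)
        return snapshot

    def on_timeout(self) -> dict:
        """Timeout event: no data within the configured duration ends the session."""
        self.timeout_event = self.state
        self.state = DONE
        return self.snapshot()

    def snapshot(self) -> dict:
        return {"state": self.state, "address": self.address,
                "first_envelope": self.first_envelope, "envelope": self.envelope,
                "cmd_len": dict(self.cmd_len), "cmd_event": self.cmd_event,
                "timeout_event": self.timeout_event}
```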
The attribute detection module 102 comprises a network attribute detection module 121 and a protocol attribute detection module 122.
The network attribute detection module 121 is used to set the detection criteria corresponding to the network attributes, which comprise severe detection criteria and common detection criteria, and to judge whether the network attribute information in the state variables meets those criteria. If none is met, the mail corresponding to the current network attribute information is normal mail; otherwise it is abnormal mail, and the module judges whether the criteria met include a severe criterion: if so, the mail is severely abnormal mail, and if only common criteria are met, it is common abnormal mail.
The network attributes include command payload length and sender address; the detection criteria for the network attributes are set at initialisation.
The severe detection criteria for the command payload length attribute are:
Standard 1: the length of the sender command is below the normal range [max(u − 2δ, l), u + 2δ], where l, u and δ are respectively the minimum, expected value and standard deviation of the sender command length. The parameter values of this normal range depend on the network environment in which the system is deployed, are generally obtained from statistics over a large sample of data, and can be set dynamically by the parameter configuration module 105; the network attribute detection module 121 reads the parameters again before checking the sender command length. In addition, the sender address in the sender command is not of the sender address form that the mail protocol prescribes for error notification mail; mail whose sender is postmaster@domain or administrator@domain is error notification mail;
Standard 2: the length of the data command, reset command or quit command is less than 6 bytes;
Standard 3: the length of the data command is greater than 6 bytes.
In Standard 1, if the sender address has a form such as abgsh@, the mail is a non-standard address mail; if the sender address does not have such a form, the mail is a message-splitting mail. Both situations are classed as severely abnormal.
In Standard 2, the length of the data, reset or quit command is less than 6 bytes, 6 bytes being the normal value; the mail is then a message-splitting mail, and this situation is classed as severely abnormal.
In Standard 3, the length of the data command is greater than 6 bytes, 6 bytes being the normal value; the mail then does not follow the mail protocol, and this situation is classed as severely abnormal.
The common detection criteria are:
Standard 4: the length of the sender command is above the normal range [max(u − 2δ, l), u + 2δ];
Standard 5: the length of the reset command or quit command is greater than the normal value of 6 bytes.
Read the numerical variable that is updated in sender address variable and the order length variable, judge the numerical value of the numerical variable that is updated and the examination criteria whether the sender address variable meets corresponding order load length attribute, if meet wherein any one, the then current mail that communicates is an exception mail, if all do not meet, the then current mail that communicates is a normal email.If the current mail that communicates is an exception mail, then judge in the examination criteria that meets whether comprise serious examination criteria, if comprise, then Dui Ying mail is the severely subnormal mail, notification filter module 103 is carried out filtration treatment, and no longer carries out the state variable comparison of corresponding examination criteria together of the renewal of sender address attribute correspondence, if do not comprise, then be common exception mail, carry out the state variable comparison of corresponding examination criteria together of the renewal of sender address attribute correspondence.
The detection criterion of the sender address attribute is that the sender addresses of at least two envelopes in the same mail session do not belong to the same network domain; this is a severe detection criterion. It applies when the mail session contains multiple envelopes and the current mail is not the first envelope.
The updated envelope variable of the current mail is read to obtain its sender address, which is compared with the sender address of the first envelope to see whether this criterion is met. If it is met, every mail in the session is an abnormal mail, and because the criterion is severe they are severely abnormal mails; the filtering module 103 is notified to perform filtering, and the protocol attribute detection module 122 does not run. If it is not met, the result is passed to the protocol attribute detection module 122, which then begins detection.
The protocol attribute detection module 122 is used to set the detection criteria corresponding to the protocol attributes, comprising severe and ordinary detection criteria, and to judge whether the protocol attribute information in the state variables meets them. If none is met, the mail corresponding to the current protocol attribute information is a normal mail; otherwise it is an abnormal mail, and it is further judged whether the criteria met include a severe criterion; if so, the mail is a severely abnormal mail.
The protocol attributes include an event attribute; events comprise timeout events and command events.
A timeout event is an event triggered because no message has been received for longer than the configured duration. A timeout event may arise because an attacker sends a large number of greeting commands (HELO), carrying out a HELO attack or similar SMTP TCP behaviour that produces many incomplete sessions in order to consume server or network bandwidth resources, in which case the state machine is in the HELO state before termination; because a session is interrupted by network congestion, network failure or an invalid event; or because mail packets are lost during packet capture on the backbone link. For the latter two causes the state machine may be in any state except the completion state before termination.
A command event is an event triggered by receiving a message during mail communication. If the command is issued in a context inconsistent with what the SMTP protocol stipulates, the command event triggered is an invalid event; for example, receiving a sender command in the envelope state, receiving a reset or quit command in the data state, or receiving a reset or quit command in the text state. When an invalid event occurs, the mail server cannot correctly parse the received command. Although an invalid event does not affect the receiving server, network data that does not conform to the mail protocol is meaningless traffic and wastes network bandwidth, so a mail that produces an invalid event is judged to be an abnormal mail.
Initially, the detection criteria of the protocol attribute are set, comprising severe and ordinary detection criteria.
The severe detection criterion is receiving a sender command in the envelope state. A sender command received in the envelope state means the mail was sent by a misconfigured server, so this case is classed as severely abnormal.
The ordinary detection criteria are:
A timeout event occurs;
The state in which a command event occurs does not conform to the mail protocol and does not fall under the severe criterion above, i.e. it is not a sender command received in the envelope state.
The updated state variables corresponding to the protocol attribute are read and compared with the detection criteria to judge whether the mail currently being communicated is an abnormal mail. If it is, it is judged whether a severe detection criterion is met; if so, the mail is severely abnormal and is filtered by the filtering module 103; otherwise, whether it is an ordinary abnormal mail is determined from the results of the network attribute detection module 121 and the protocol attribute detection module 122, and if so it is monitored by the monitoring module 104.
It is checked whether the updated state variables include the timeout event variable; if that variable was updated, the current mail is an abnormal mail. The updated command event variable is read, and the state in which the command occurred, as recorded there, is checked against the mail protocol; if it does not conform, the mail is an abnormal mail. It is then checked whether the recorded state is a sender command received in the envelope state; if so, the severe criterion is met and the mail is a severely abnormal mail, otherwise it is an ordinary abnormal mail.
The start order of the network attribute detection module and the protocol attribute detection module in the above embodiment can be exchanged: the protocol attribute detection module runs first, and if it determines that the mail is severely abnormal, the filtering module is notified to perform filtering and the network attribute detection module does not run; otherwise the result is passed to the network attribute detection module, which begins detection.
The filtering module 103 is used to block the connection between the sending end and the receiving end of the mail session containing the severely abnormal mail.
After being notified by the attribute detection module 102, it reads the IP addresses and ports of the sending mail server and the receiving mail server recorded in the address variable, and sends forged IP packets to each of them, terminating the transmission of the mail early.
For a mail still in the sender command transmission stage, an IP packet carrying a 5xx reply is sent to the sending mail server (under the SMTP protocol, reply 551 indicates that the user does not exist on the receiving mail server), and a reset packet is sent to the receiving mail server, cutting the connection.
For a mail in the message data transmission stage, reset packets are sent to the sending mail server and the receiving mail server at the same time, cutting the connection.
Usually, to keep throughput high, spammers or attackers do not retry mails that failed to send, so this method can effectively reduce spam.
The monitoring module 104 is used to record the information of ordinary abnormal mails for monitoring.
After being notified by the attribute detection module 102, the monitoring module 104 begins monitoring the mail. For example, it records the mail's history, and if the timeout event variable shows that the number of timeout events occurring in the session-setup state exceeds a preset value, a HELO attack is considered to be present in the network.
The parameter configuration module 105 is used to dynamically set the system parameters used by the attribute detection module 102.
The parameter configuration module 105 establishes and maintains a system parameter table. Administrators obtain the values of l, u and δ used by the network attribute detection module 121 from statistics over traffic data, where l, u and δ are respectively the minimum value, expected value and standard deviation of the sender command length. When they change, the parameters can be updated in real time through the parameter configuration module 105, and the network attribute detection module 121 re-reads them before each check of the sender command length.
The method of the invention, shown in Figure 3, comprises:
Step S301: set up the state machine of the mail communication process according to the mail protocol; the state machine comprises states, events and state variables (the state machine of this embodiment is shown in Figure 2). Set the detection criteria corresponding to the attributes recorded by the state variables, comprising severe and ordinary detection criteria.
The state variables comprise: the envelope variable, the address variable, the command length variable, the command event variable and the timeout event variable.
The envelope variable corresponds to the recipient address attribute and the sender address attribute of the current mail; if the mail session contains multiple envelopes, it also holds the recipient address attribute and sender address attribute of the first envelope, stored as a linked list. It records recipient and sender address information, and the attribute information is added when the state transition into the envelope state occurs;
The address variable corresponds to the address attribute and records the IP addresses and ports of the sending mail server and the receiving mail server; it is recorded on the transition from the initial state to the setup state;
The command length variable corresponds to the command length attribute and comprises four numeric variables recording the payload lengths of the sender command, data command, reset command and quit command respectively; the corresponding numeric variable is updated when the respective command is received;
The command event variable corresponds to the command event attribute and records the state in which the command event occurred and the command received; it is updated when a received message triggers a command event;
The timeout event variable corresponds to the timeout event attribute and records the state in which the timeout event occurred; it is updated when a timeout event occurs.
The severe detection criteria of the command payload length attribute are:
Standard 1: the length of the sender command is below the normal range [max(u-2δ, l), u+2δ], where l, u and δ are respectively the minimum value, expected value and standard deviation of the sender command length; the parameters of the normal range depend on the network environment in which the system is deployed, are generally obtained by statistics over a large sample of data, can be set dynamically, and are re-read by the system before each check of the sender command length. In addition, the sender address in the sender command is not of the sender address form used in error notification mails as stipulated by the mail protocol; mails whose sender is postmaster@domain or administrator@domain are error notification mails;
Standard 2: the data command, reset command or quit command is shorter than 6 bytes;
Standard 3: the data command is longer than 6 bytes;
Under standard 1, if the sender address has the form abgsh@ (a local part with no domain), the mail is a mail with a non-standard address; if the sender address is not of that form, the mail is a message-splitting transmission. Both cases are classed as severely abnormal.
Under standard 2, the data command, reset command or quit command is shorter than 6 bytes, 6 bytes being the normal value; such a mail is a message-splitting transmission, and the case is classed as severely abnormal.
Under standard 3, the data command is longer than 6 bytes, the normal value; such a mail does not observe the mail protocol, and the case is classed as severely abnormal.
The ordinary detection criteria of the command payload length attribute are:
Standard 4: the length of the sender command is greater than the normal range [max(u-2δ, l), u+2δ];
Standard 5: the reset command or quit command is longer than the normal value, the normal value being 6 bytes.
The detection criterion of the sender address attribute is that the sender addresses of at least two envelopes in the same mail session do not belong to the same network domain; this is a severe detection criterion.
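The command-length standards 1 to 5, the sender-domain criterion and the derivation of l, u and δ from traffic statistics, written out as an added Python example; it is not the patent's code, the sample lengths are constructed, and the error-notification sender forms (the null reverse path and the postmaster/administrator mailboxes) follow the description's wording of standard 1.

```python
"""Network-attribute criteria (standards 1 to 5 and the sender-domain criterion)
and the parameter-configuration step, as an added example. Not the patent's own
code; the error-notification sender forms follow the description's wording."""
import statistics

NORMAL_VALUE = 6                   # "DATA\r\n", "RSET\r\n", "QUIT\r\n" are 6 bytes
SEVERE, ORDINARY, NORMAL = "severe", "ordinary", "normal"


def estimate_params(mail_cmd_lengths):
    """Parameter configuration module: derive l (minimum), u (expected value)
    and delta (standard deviation) of sender command length from traffic data."""
    lengths = list(mail_cmd_lengths)
    return min(lengths), statistics.mean(lengths), statistics.pstdev(lengths)


def normal_range(l, u, delta):
    """Normal range [max(u - 2*delta, l), u + 2*delta] of sender command length."""
    return max(u - 2 * delta, l), u + 2 * delta


def _bare(addr):
    """Strip angle brackets and whitespace from a reverse-path, lower-cased."""
    return addr.strip().strip("<>").strip().lower()


def is_error_notification_sender(addr):
    """Sender forms the protocol uses for error notifications: the null reverse
    path '<>' (RFC 5321 bounces) or a postmaster/administrator mailbox."""
    a = _bare(addr)
    return a == "" or a.split("@", 1)[0] in ("postmaster", "administrator")


def classify_mail_command(length, sender_addr, params):
    """Standards 1 (severe) and 4 (ordinary) for the sender command (MAIL FROM).
    `length` is the command payload length in bytes, `params` is (l, u, delta)."""
    lo, hi = normal_range(*params)
    if length < lo and not is_error_notification_sender(sender_addr):
        # Standard 1: too short and not a legitimate error-notification sender.
        if _bare(sender_addr).endswith("@"):
            return SEVERE, "non-standard sender address (form abgsh@)"
        return SEVERE, "message split transmission"
    if length > hi:
        return ORDINARY, "sender command longer than normal range"   # standard 4
    return NORMAL, ""


def classify_fixed_command(name, length):
    """Standards 2, 3 and 5 for DATA, RSET and QUIT (normal value 6 bytes)."""
    name = name.upper()
    if length < NORMAL_VALUE:                                      # standard 2
        return SEVERE, "%s shorter than normal value: message split" % name
    if length > NORMAL_VALUE:
        if name == "DATA":                                         # standard 3
            return SEVERE, "DATA longer than normal value: protocol not observed"
        return ORDINARY, "%s longer than normal value" % name      # standard 5
    return NORMAL, ""


def sender_domain(addr):
    """Network domain of a sender address ('' when it has no domain part)."""
    a = _bare(addr)
    return a.rsplit("@", 1)[1] if "@" in a else ""


def classify_session_senders(sender_addrs):
    """Sender-address criterion: at least two envelopes in one session whose
    senders are not in the same domain -> every mail in the session is severe."""
    if len(sender_addrs) >= 2 and len({sender_domain(a) for a in sender_addrs}) > 1:
        return SEVERE, "sender domains differ within one mail session"
    return NORMAL, ""


# Constructed sender command lengths (bytes) standing in for traffic statistics.
SAMPLE_MAIL_LENGTHS = [28, 30, 31, 33, 35, 36, 38, 41]

if __name__ == "__main__":
    params = estimate_params(SAMPLE_MAIL_LENGTHS)
    print("l, u, delta =", params, "range =", normal_range(*params))
    print(classify_mail_command(16, "<abgsh@>", params))
    print(classify_mail_command(18, "<>", params))   # bounce: short but normal
    print(classify_fixed_command("QUIT", 8))
    print(classify_session_senders(["a@example.com", "b@example.net"]))
```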
The severe detection criterion of the event attribute is receiving a sender command in the envelope state. A sender command received in the envelope state means the mail was sent by a misconfigured server, so this case is classed as severely abnormal.
The ordinary detection criteria of the event attribute are:
A timeout event occurs;
The state in which a command event occurs does not conform to the mail protocol, and it is not a sender command received in the envelope state.
Step S302: create a corresponding state machine instance for the mail session; the instance is in the initial state.
Step S303: a received message triggers a command event, or a timeout event occurs because no message is received within the configured time; update the attribute information recorded by the corresponding state variable.
Step S304: judge whether the current session has ended; if so, execute step S310, otherwise execute step S305.
Step S305: judge whether the current mail has finished; if so, wait for the next envelope to be processed and execute step S303, otherwise execute step S306.
Step S306: read the updated state variables one by one and judge whether the attribute information they record meets the corresponding detection criteria. If any attribute information meets a criterion, the mail corresponding to that attribute information is an abnormal mail and step S307 is executed; if the attribute information in the updated state variables meets none of the criteria, step S303 is executed.
Step S307: judge whether the criteria met include a severe detection criterion; if so, execute step S308, otherwise execute step S309.
Step S308: block the connection between the sending mail server and the receiving mail server of the session containing the severely abnormal mail, i.e. filter it.
Using the IP addresses and ports of the sending mail server and the receiving mail server recorded in the address variable, forged IP packets are sent to each server to terminate the transmission of the mail early.
For a mail still in the sender command transmission stage, an IP packet carrying a 5xx reply is sent to the sending mail server (under the SMTP protocol, reply 551 indicates that the user does not exist on the receiving mail server), and a reset packet is sent to the receiving mail server, cutting the connection.
For a mail in the message data transmission stage, reset packets are sent to the sending mail server and the receiving mail server at the same time, cutting the connection.
Step S309: record the information of the ordinary abnormal mail for monitoring.
For example, the mail's history is recorded, and if the timeout event variable shows that the number of timeout events occurring in the session-setup state exceeds a preset value, a HELO attack is considered to be present in the network.
Step S310: the session ends and the resources it occupied in the transmission system are released.
Those skilled in the art can make various modifications to the above without departing from the spirit and scope of the invention as defined by the claims. The scope of the invention is therefore not limited to the above description but is determined by the scope of the claims.
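The state machine instance of steps S302 to S310 with the protocol-attribute criteria (invalid command events and timeout events) and the monitoring module's HELO-attack check, as an added Python example that is not the patent's code; the state names and allowed transitions are assumptions because Figure 2 is not reproduced here, the threshold is an assumed value, and the session fed to it is constructed.

```python
"""SMTP session state machine with the protocol-attribute criteria and the
per-session processing of steps S302 to S310, as an added example. Not the
patent's own code: the state names, the allowed transitions and the HELO-attack
threshold are assumptions, since Figure 2 is not reproduced on the page."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

INITIAL, HELO, ENVELOPE, DATA, TEXT, COMPLETE = (
    "initial", "helo", "envelope", "data", "text", "complete")
SEVERE, ORDINARY, NORMAL = "severe", "ordinary", "normal"

# Assumed legal transitions: state -> {event: next state}. "TEXT" stands for a
# line of message text, "END" for the terminating "." line.
TRANSITIONS = {
    INITIAL:  {"HELO": HELO, "EHLO": HELO, "QUIT": COMPLETE},
    HELO:     {"MAIL": ENVELOPE, "RSET": HELO, "QUIT": COMPLETE},
    ENVELOPE: {"RCPT": ENVELOPE, "DATA": DATA, "RSET": HELO, "QUIT": COMPLETE},
    DATA:     {"TEXT": TEXT},
    TEXT:     {"TEXT": TEXT, "END": HELO},   # a further envelope may follow
    COMPLETE: {},
}


@dataclass
class StateVars:
    """State variables of one state machine instance (step S301)."""
    envelopes: List[dict] = field(default_factory=list)      # sender + recipients per mail
    cmd_lengths: Dict[str, int] = field(default_factory=dict)
    cmd_events: List[Tuple[str, str]] = field(default_factory=list)  # (state, command)
    timeout_state: Optional[str] = None                       # state when a timeout occurred


class SmtpSession:
    """One state machine instance for one mail session (step S302)."""

    def __init__(self):
        self.state = INITIAL
        self.vars = StateVars()
        self.findings: List[Tuple[str, str]] = []   # (severity, reason)

    def on_command(self, cmd, arg="", length=0):
        """Command event (S303): update the state variables, then check the
        event against the protocol-attribute criteria (S306, S307)."""
        cmd = cmd.upper()
        self.vars.cmd_events.append((self.state, cmd))
        if cmd in ("MAIL", "DATA", "RSET", "QUIT"):
            self.vars.cmd_lengths[cmd] = length
        nxt = TRANSITIONS[self.state].get(cmd)
        if nxt is None:
            # Invalid event: the command was issued in a context SMTP does not allow.
            if self.state == ENVELOPE and cmd == "MAIL":
                self.findings.append(
                    (SEVERE, "MAIL received in envelope state: misconfigured sending server"))
            else:
                self.findings.append(
                    (ORDINARY, "%s received in %s state violates protocol" % (cmd, self.state)))
            return
        if cmd == "MAIL":
            self.vars.envelopes.append({"sender": arg, "rcpt": []})
        elif cmd == "RCPT":
            self.vars.envelopes[-1]["rcpt"].append(arg)
        self.state = nxt

    def on_timeout(self):
        """Timeout event: no message within the configured duration (ordinary)."""
        self.vars.timeout_state = self.state
        self.findings.append((ORDINARY, "timeout in %s state" % self.state))

    def verdict(self):
        """S307: severe if any severe criterion matched, else ordinary, else normal."""
        levels = {sev for sev, _ in self.findings}
        if SEVERE in levels:
            return SEVERE
        return ORDINARY if ORDINARY in levels else NORMAL


def helo_attack_suspected(sessions, threshold=50):
    """Monitoring module (S309): when more than `threshold` sessions timed out
    while still in the setup (HELO) stage, suspect a HELO attack. The threshold
    is an assumed value; the page only says "a preset value"."""
    stalled = sum(1 for s in sessions if s.vars.timeout_state in (INITIAL, HELO))
    return stalled > threshold


if __name__ == "__main__":
    # Constructed session: one well-formed mail, then a MAIL in the envelope state.
    s = SmtpSession()
    for ev, arg, n in [("HELO", "mx.example.com", 0), ("MAIL", "<a@example.com>", 30),
                       ("RCPT", "<b@example.net>", 0), ("DATA", "", 6),
                       ("TEXT", "", 0), ("END", "", 0)]:
        s.on_command(ev, arg, n)
    print(s.state, s.verdict())
    s.on_command("MAIL", "<c@example.com>", 30)
    s.on_command("MAIL", "<d@example.com>", 30)
    print(s.verdict(), s.findings[-1])
```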

Claims (13)

1. An abnormal mail detection system, characterized in that it comprises:
a state machine generation module, used to set up a state machine of the mail communication process according to the mail protocol, the state machine comprising the states occupied during mail communication, the events that drive state transitions and the state variables used to record attribute information; to create a corresponding state machine instance for a mail session; and to use the state variables of that state machine instance to record the attribute information of the mail session in real time, the mail protocol being Simple Mail Transfer Protocol or Extended Simple Mail Transfer Protocol, and the attributes including network attributes and protocol attributes;
an attribute detection module, used to set the detection criteria corresponding to the attributes and to judge whether the attribute information in the state variables of the state machine instance meets the corresponding detection criteria; if so, the mail corresponding to that attribute information is an abnormal mail.
2. The abnormal mail detection system of claim 1, characterized in that the system further comprises a filtering module and a monitoring module, and the detection criteria comprise severe detection criteria and ordinary detection criteria,
the attribute detection module being further used, when the mail corresponding to the attribute information is determined to be an abnormal mail, to check whether the detection criteria met include a severe detection criterion; if so, the abnormal mail is a severely abnormal mail, otherwise it is an ordinary abnormal mail;
the filtering module being used to block the connection between the sending mail server and the receiving mail server of the mail session containing the severely abnormal mail;
the monitoring module being used to record the information of the ordinary abnormal mail for monitoring.
3. The abnormal mail detection system of claim 2, characterized in that the attribute detection module further comprises a network attribute detection module and a protocol attribute detection module,
the network attribute detection module being used to set the detection criteria corresponding to the network attributes and to judge whether the network attribute information in the state variables of the state machine instance meets the corresponding detection criteria; if so, the mail corresponding to that network attribute information is an abnormal mail; and, when that mail is determined to be an abnormal mail, to check whether the detection criteria met include a severe detection criterion; if so, the abnormal mail is a severely abnormal mail, otherwise it is an ordinary abnormal mail;
the protocol attribute detection module being used to set the detection criteria corresponding to the protocol attributes and to judge whether the protocol attribute information in the state variables of the state machine instance meets the corresponding detection criteria; if so, the mail corresponding to that protocol attribute information is an abnormal mail; and, when that mail is determined to be an abnormal mail, to check whether the detection criteria met include a severe detection criterion; if so, the abnormal mail is a severely abnormal mail, otherwise it is an ordinary abnormal mail.
4. The abnormal mail detection system of claim 3, characterized in that
the network attributes comprise command payload length, the commands comprising: the sender command, the data command, the reset command and the quit command;
the severe detection criteria corresponding to the command payload length attribute comprise:
the length of the sender command is less than the minimum of the normal range, and the sender address in the sender command is of the sender address form in error notification mails stipulated by the mail protocol, the normal range being [max(u-2δ, l), u+2δ], where l, u and δ are respectively the minimum value, expected value and standard deviation of the sender command length;
the length of the data command, reset command or quit command is less than the normal value;
the length of the data command is greater than the normal value;
the ordinary detection criteria corresponding to the command payload length attribute comprise:
the length of the sender command is greater than the normal range;
the length of the reset command or quit command is greater than the normal value;
the normal value being 6 bytes.
5. The abnormal mail detection system of claim 4, characterized in that the system further comprises a parameter configuration module,
the parameter configuration module being used to set the minimum value, expected value and standard deviation of the sender command length.
6. The abnormal mail detection system of claim 3, characterized in that
the network attributes comprise sender address;
the severe detection criterion corresponding to the sender address attribute is that the sender addresses of at least two envelopes in the same mail session do not belong to the same network domain.
7. The abnormal mail detection system of claim 3, characterized in that
the protocol attributes comprise events, the events comprising command events triggered by receiving a message and timeout events triggered when the time without receiving data exceeds the configured duration;
the state machine comprises an envelope state, the envelope state representing that sender and recipient information has been received;
the severe detection criterion corresponding to the event attribute comprises: a sender command is received in the envelope state;
the ordinary detection criteria corresponding to the event attribute comprise:
a timeout event occurs;
the state occupied when the command event occurred does not conform to the mail protocol, and it is not a sender command received in the envelope state.
8. An abnormal mail detection method, characterized in that it comprises:
step 1: setting up a state machine of the mail communication process according to the mail protocol, the state machine comprising the states occupied during mail communication, the events that drive state transitions and the state variables used to record attribute information, and setting the detection criteria corresponding to the attributes, the mail protocol being Simple Mail Transfer Protocol or Extended Simple Mail Transfer Protocol, and the attributes including network attributes and protocol attributes;
step 2: creating a corresponding state machine instance for a mail session, and using the state variables of that state machine instance to record the attribute information of the mail session in real time;
step 3: judging whether the attribute information in the state variables of the state machine instance meets the corresponding detection criteria; if so, the mail corresponding to that attribute information is an abnormal mail.
9. The abnormal mail detection method of claim 8, characterized in that the detection criteria comprise severe detection criteria and ordinary detection criteria,
step 3 further comprising, when the mail corresponding to the attribute information is determined to be an abnormal mail, checking whether the detection criteria met include a severe detection criterion; if so, the abnormal mail is a severely abnormal mail, otherwise it is an ordinary abnormal mail;
step 91: blocking the connection between the sending mail server and the receiving mail server of the mail session containing the severely abnormal mail;
step 92: recording the information of the ordinary abnormal mail for monitoring.
10. The abnormal mail detection method of claim 9, characterized in that
the attributes comprise command payload length, the commands comprising: the sender command, the data command, the reset command and the quit command;
the severe detection criteria corresponding to the command payload length attribute comprise:
the length of the sender command is less than the minimum of the normal range, and the sender address in the sender command is of the sender address form in error notification mails stipulated by the mail protocol, the normal range being [max(u-2δ, l), u+2δ], where l, u and δ are respectively the minimum value, expected value and standard deviation of the sender command length;
the length of the data command, reset command or quit command is less than the normal value;
the length of the data command is greater than the normal value;
the ordinary detection criteria corresponding to the command payload length attribute comprise:
the length of the sender command is greater than the normal range;
the length of the reset command or quit command is greater than the normal value;
the normal value being 6 bytes.
11. The abnormal mail detection method of claim 10, characterized in that step 1 further comprises:
step 101: setting the minimum value, expected value and standard deviation of the sender command length.
12. The abnormal mail detection method of claim 9, characterized in that
the attributes comprise sender address;
the severe detection criterion corresponding to the sender address attribute is that the sender addresses of at least two envelopes in the same mail session do not belong to the same network domain.
13. The abnormal mail detection method of claim 9, characterized in that
the attributes comprise events, the events comprising command events triggered by receiving a message and timeout events triggered when the time without receiving data exceeds the configured duration;
the state machine comprises an envelope state, the envelope state representing that sender and recipient information has been received;
the severe detection criterion corresponding to the event attribute comprises: a sender command is received in the envelope state;
the ordinary detection criteria corresponding to the event attribute comprise:
a timeout event occurs;
the state occupied when the command event occurred does not conform to the mail protocol, and it is not a sender command received in the envelope state.
CN2008101063394A 2008-05-12 2008-05-12 Exception mail detection system and method Active CN101316172B (en)

Publications (2)

Publication Number Publication Date
CN101316172A CN101316172A (en) 2008-12-03
CN101316172B true CN101316172B (en) 2010-07-21

Families Citing this family (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102546210A (en) * 2010-12-27 2012-07-04 无锡华润上华科技有限公司 Monitoring method for e-mail server
CN102223318A (en) * 2011-07-08 2011-10-19 中国联合网络通信集团有限公司 Method and system for processing emails
CN108268467B (en) * 2016-12-30 2021-08-06 广东精点数据科技股份有限公司 Attribute-based abnormal data detection method and device
CN108880990B (en) * 2018-06-14 2021-02-05 深信服科技股份有限公司 Method, system, device and readable storage medium for detecting outgoing spam
CN111083110A (en) * 2019-11-14 2020-04-28 国网河南省电力公司驻马店供电公司 Information network abnormal mail monitoring system linked with manageable switch
CN111404805B (en) * 2020-03-12 2022-11-22 深信服科技股份有限公司 Junk mail detection method and device, electronic equipment and storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101026619A (en) * 2006-02-23 2007-08-29 腾讯科技(深圳)有限公司 Electronic mail abnormal characteristics processing system and method
CN101141416A (en) * 2007-09-29 2008-03-12 北京启明星辰信息技术有限公司 Real-time rubbish mail filtering method and system used for transmission influx stage

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant