CN102571463A - Junk mail host detection method in wide area network and system thereof - Google Patents

Publication number: CN102571463A
Authority: CN (China)
Application number: CN2010105782079A
Original language: Chinese (zh); the abstract, description and claims below are translated
Inventors: 罗智慧 (Luo Zhihui), 田阳光 (Tian Yangguang)
Original and current assignee: Individual
Legal status: Pending (status as listed; not a legal conclusion)
Prior art keywords: host, dns, spam, suspicious
Abstract

The invention relates to the field of network communication technology and proposes a method and system for detecting spam hosts in a wide area network. The basic idea is: DNS MX queries made by hosts in the network are monitored and counted; every host that has queried two or more distinct domain names is screened to rule out DNS servers and SMTP servers, which yields a list of suspicious hosts; finally the suspicious hosts are sorted in descending order using their number of NXDOMAIN responses as the degree of suspicion, and an alarm is sent to the network administrator.

Description

Method and system for detecting spam hosts in a wide area network
Technical field
The present invention relates to the field of network communication technology, and in particular to a method and system for detecting spam hosts in a wide area network.
Background
Spam generally refers to e-mail that is sent in bulk without the user's permission and forced into the user's mailbox. Typical spam content includes money-making schemes, adult advertising, commercial or personal website advertising, electronic magazines and chain letters. Spam typically has the following characteristics: the same content is sent repeatedly; the same sender sends abnormally during a particular period; the sender address is illegitimate; the sending IP appears on a public real-time blackhole list (RBL). The ever-spreading flood of spam not only troubles e-mail users but also consumes large amounts of bandwidth and server resources, causing considerable economic loss.
Current anti-spam research falls into three main directions. The first is to modify the existing SMTP protocol and define a new, safe and reliable mail protocol that leaves spam no "environment to survive in". The second is to make the spammer bear a "huge cost", so that sending large volumes of advertising becomes economically unprofitable and the amount of spam passing through the e-mail channel falls. The third is to decide from a message's format, sending time, size, content and other characteristics whether it is spam, and to filter it out if so. Because the first two approaches are comparatively complex and difficult to deploy, while the third is relatively simple, most current anti-spam technology belongs to the third category: detect and filter.
The black/white list method is the simplest, most effective and most commonly used detection-and-filtering method. A blacklist and a whitelist are, respectively, the IP addresses, e-mail addresses or domain names of known spammers and of trusted senders. The "blacklist" method is based on exclusion: the server refuses mail from blacklisted addresses. The "whitelist" method is based on inclusion; it is mainly used to confirm legitimate mail sources and reduce the false exclusions produced by the blacklist. The most popular blacklist technique at present is the Real-time Blackhole List (RBL): the IP address of every incoming mail connection is checked against the IP addresses in the RBL, and connections from listed addresses are blocked.
Black/white list filtering is simple, consumes few system resources and is easy to deploy, but maintaining an RBL takes considerable time and effort. Because spammers constantly change their domain names and addresses, the RBL must be updated continuously to stay effective in real time, which makes managing the RBL much harder.
Summary of the invention
The technical problem solved by the present invention is to provide a method and system that detects spam-sending hosts in a wide area network and continuously updates the list of spam-sending hosts.
To solve this problem, the invention provides a method and system that detects spam hosts in a wide area network by collecting statistics on DNS MX query records, and continuously updates the list of spam-sending hosts. A DNS MX record is a mail exchange record: it points to a mail server, and a mail system uses it when sending mail to locate the mail server for the domain suffix of the recipient's address. The concrete processing steps of the spam host detection method provided by the invention are as follows:
1. Monitor the DNS MX queries made by hosts in the network and obtain the following information: query time, querying host IP, queried domain name, and whether the response was NXDOMAIN (the queried domain does not exist).
2. Perform statistical analysis on the query records to obtain, per querying host IP: the number of distinct domain names queried and the number of NXDOMAIN responses.
3. Screen the hosts whose number of distinct queried domain names is greater than or equal to 2 (called target hosts). Machines that send DNS MX queries for several domain names fall into the following classes:
Class 1: DNS servers
Class 2: SMTP servers
Class 3: normal users who use several e-mail accounts
Class 4: abnormal spam hosts
The concrete screening flow is shown in Figure 1.
1) Send a DNS query request to the target host and check its response to decide whether it is a DNS server. If it is, mark it as a DNS server in the target host list. Otherwise proceed to the next check.
2) Detect whether the target host has the SMTP service open. If the SMTP service is open, mark it as an SMTP server in the target host list; otherwise mark it as a suspicious host.
3) Sort the suspicious hosts in descending order by the number of NXDOMAIN responses (the degree of suspicion). The higher a host ranks, the greater the probability that it is a spam host.
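The three steps above, together with the per-host merge, DNS/SMTP screening, NXDOMAIN ranking and alarm report that the embodiment's storage, screening and alarm modules perform later in this description, as an added Python example; this is not code from the patent. The monitoring-point records, the IP addresses and the probe outcomes used by run_demo are constructed; probe_dns and probe_smtp are hypothetical names that show one way of performing screening steps 1) and 2) against a live host, and the demo substitutes fixed answers for them so that it runs offline.

```python
import socket
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed monitoring-point records, not captured traffic:
# (query time, querying host IP, queried domain, response was NXDOMAIN?)
RECORDS = [
    ("2010-12-08T00:01:02", "10.0.0.5", "example.com", False),
    ("2010-12-08T00:01:03", "10.0.0.5", "example.net", False),
    ("2010-12-08T00:01:04", "10.0.0.5", "example.org", False),      # resolver: many domains
    ("2010-12-08T00:02:00", "10.0.0.25", "example.com", False),
    ("2010-12-08T00:02:01", "10.0.0.25", "example.net", False),     # legitimate MTA
    ("2010-12-08T00:03:00", "10.0.0.77", "example.com", False),
    ("2010-12-08T00:03:01", "10.0.0.77", "nosuch-1.invalid", True),
    ("2010-12-08T00:03:02", "10.0.0.77", "nosuch-2.invalid", True),
    ("2010-12-08T00:03:03", "10.0.0.77", "nosuch-3.invalid", True), # stale address list
    ("2010-12-08T00:04:00", "10.0.0.90", "example.com", False),
    ("2010-12-08T00:04:01", "10.0.0.90", "nosuch-9.invalid", True), # user with two accounts
    ("2010-12-08T00:05:00", "10.0.0.99", "example.com", False),     # one domain: dropped
]


@dataclass
class HostStats:
    domains: set = field(default_factory=set)   # distinct domains queried (step 2)
    nxdomain: int = 0                           # NXDOMAIN responses (degree of suspicion)


def aggregate(records):
    """Step 2: merge the raw records by querying host IP (the daily 0:00 merge)."""
    stats = defaultdict(HostStats)
    for _ts, ip, qname, nx in records:
        s = stats[ip]
        s.domains.add(qname.lower().rstrip("."))
        if nx:
            s.nxdomain += 1
    return stats


def target_hosts(stats):
    """Step 3: keep hosts that queried MX for >= 2 distinct domains, most domains first."""
    return sorted((ip for ip, s in stats.items() if len(s.domains) >= 2),
                  key=lambda ip: (-len(stats[ip].domains), ip))


def probe_dns(ip, timeout=2.0):
    """Screening 1): send a minimal NS query for the root to udp/53; any well-formed
    reply (QR bit set, same transaction ID) means the host answers DNS queries."""
    query = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00" + b"\x00\x00\x02\x00\x01"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (ip, 53))
            data, _ = s.recvfrom(512)
        except OSError:
            return False
    return len(data) >= 12 and data[:2] == query[:2] and (data[2] & 0x80) != 0


def probe_smtp(ip, timeout=3.0):
    """Screening 2): connect to tcp/25 and look for an SMTP 220 greeting."""
    try:
        with socket.create_connection((ip, 25), timeout=timeout) as s:
            banner = s.recv(256)
    except OSError:
        return False
    return banner.startswith(b"220")


def screen(targets, is_dns_server, has_smtp):
    """Label each target host: DNS server, SMTP server, or suspicious (checked in that order)."""
    labels = {}
    for ip in targets:
        if is_dns_server(ip):
            labels[ip] = "dns"
        elif has_smtp(ip):
            labels[ip] = "smtp"
        else:
            labels[ip] = "suspicious"
    return labels


def rank_suspicious(labels, stats):
    """Screening 3): suspicious hosts, most NXDOMAIN responses first."""
    return sorted((ip for ip, lab in labels.items() if lab == "suspicious"),
                  key=lambda ip: (-stats[ip].nxdomain, ip))


def alarm_report(ranked, stats):
    """Body of the alarm e-mail: IP, distinct domains queried, NXDOMAIN count."""
    lines = ["rank  querying_ip      domains  nxdomain"]
    for n, ip in enumerate(ranked, 1):
        lines.append(f"{n:<5} {ip:<16} {len(stats[ip].domains):>7}  {stats[ip].nxdomain:>8}")
    return "\n".join(lines)


def run_demo():
    stats = aggregate(RECORDS)
    targets = target_hosts(stats)
    # Constructed probe outcomes stand in for probe_dns/probe_smtp on a live network.
    dns_hosts, smtp_hosts = {"10.0.0.5"}, {"10.0.0.25"}
    labels = screen(targets, dns_hosts.__contains__, smtp_hosts.__contains__)
    ranked = rank_suspicious(labels, stats)
    return targets, labels, ranked, alarm_report(ranked, stats)


if __name__ == "__main__":
    print(run_demo()[3])
```

In the sample, the class 3 host (10.0.0.90, a user with two accounts) still lands on the suspicious list; the method only ranks it, and its single NXDOMAIN separates it from 10.0.0.77, whose stale address list produces three name errors. The SMTP screen labels any host that greets on port 25 as a mail server, so a spam host that also runs an SMTP listener would pass this step; the page provides no further check for that case.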
Brief description of the drawings
Fig. 1 is a schematic flow chart of the spam host detection method of the present invention;
Fig. 2 is a structural diagram of the spam host detection system in an embodiment of the invention.
Embodiment
For making the object of the invention, technical scheme and advantage clearer, will combine accompanying drawing and specific embodiment that the present invention is done to describe in detail further below.
The method and system that wide area network spam main frame of the present invention detects comprises some DNS MX monitoring points and a spam main frame investigation subsystem.
DNS MX monitoring point function is the DNS MX inquiry that main frame is carried out in the monitoring net, obtains following information: query time, inquiry host ip, nslookup, whether return NXDOMAIN; And regularly with loopback spam investigation subsystem as a result.On the dns server of subnet or gateway place adopted the passive measurement mode under DNS MX monitoring point was deployed in, and through catching, DNS query message and the response message analyzed through this monitoring point obtain above statistical information.
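One way to implement the passive monitoring point described above (step 1 of the method), as an added Python example rather than the patent's own code: it parses the DNS header and question section of each UDP/53 payload, keeps only MX questions, pairs each response with the query it answers by client address, transaction ID and name, and emits the (time, querying IP, domain, NXDOMAIN) record that the screening subsystem consumes. The packets in run_demo are constructed with build_message; the class and function names are assumptions. Reading packets from a live interface (a port mirror or pcap) is left to the deployment, since the page does not specify it.

```python
import struct

QTYPE_MX = 15          # RFC 1035 type code for MX
RCODE_NXDOMAIN = 3     # "name error": the queried domain does not exist


def read_name(msg, off):
    """Decode a DNS name at offset off, following compression pointers (RFC 1035 4.1.4).
    Returns (name, offset just past the name in the stream it started in)."""
    labels, end, hops = [], None, 0
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length & 0xC0 == 0xC0:            # pointer: 2 bytes, top two bits set
            if off + 1 >= len(msg):
                raise ValueError("truncated pointer")
            if end is None:
                end = off + 2                # the name ends where the first pointer ends
            hops += 1
            if hops > 16:                    # refuse pointer loops and long chains
                raise ValueError("pointer loop")
            off = ((length & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii", "replace"))
        off += length
    return ".".join(labels).lower(), (off if end is None else end)


def parse_question(msg):
    """Return (txid, is_response, rcode, qname, qtype) from a DNS message's first question."""
    if len(msg) < 12:
        raise ValueError("short header")
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    qname, off = read_name(msg, 12)
    if off + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return txid, bool(flags & 0x8000), flags & 0x000F, qname, qtype


def build_message(txid, qname, qtype=QTYPE_MX, response=False, rcode=0):
    """Build a minimal one-question DNS message; used here only to construct sample traffic."""
    flags = (0x8000 if response else 0) | 0x0100 | rcode
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", qtype, 1)


class MxMonitor:
    """Passive DNS MX monitoring point: pair each MX query with its response by
    (client address, transaction ID, qname) and emit (time, client IP, qname, nxdomain)."""

    def __init__(self):
        self.pending = {}    # (client_ip, client_port, txid, qname) -> query time
        self.records = []

    def observe(self, ts, src_ip, src_port, dst_ip, dst_port, payload):
        try:
            txid, is_resp, rcode, qname, qtype = parse_question(payload)
        except ValueError:
            return None                      # malformed or non-DNS payload on udp/53
        if qtype != QTYPE_MX:
            return None                      # only MX lookups matter here
        if not is_resp:
            self.pending[(src_ip, src_port, txid, qname)] = ts
            return None
        t0 = self.pending.pop((dst_ip, dst_port, txid, qname), None)
        if t0 is None:
            return None                      # unsolicited reply: no client to attribute it to
        rec = (t0, dst_ip, qname, rcode == RCODE_NXDOMAIN)
        self.records.append(rec)
        return rec


def run_demo():
    """Constructed traffic: 10.0.0.77 asks the subnet resolver 10.0.0.53 for two MX records."""
    mon, client, resolver = MxMonitor(), "10.0.0.77", "10.0.0.53"
    mon.observe(100.0, client, 40001, resolver, 53, build_message(0x1111, "example.com"))
    mon.observe(100.1, resolver, 53, client, 40001, build_message(0x1111, "example.com", response=True))
    mon.observe(101.0, client, 40002, resolver, 53, build_message(0x2222, "nosuch.invalid"))
    mon.observe(101.2, resolver, 53, client, 40002,
                build_message(0x2222, "nosuch.invalid", response=True, rcode=RCODE_NXDOMAIN))
    mon.observe(102.0, client, 40003, resolver, 53, build_message(0x3333, "example.com", qtype=1))  # A query: ignored
    return mon.records


if __name__ == "__main__":
    for rec in run_demo():
        print(rec)
```

Because each query is recorded against the client's IP, the monitor must see the traffic between the clients and the subnet resolver, which is why the description places it on the resolver or gateway; placed upstream of a forwarding resolver it would attribute every query to the resolver itself. The name decoder bounds compression-pointer hops so a crafted packet cannot loop the parser.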
The spam host screening subsystem is deployed on a host in the wide area network. It consists of three parts: a storage and statistics module, a target host screening module and a suspicious host alarm module. Its main functions are: to analyse statistically the in-network host DNS MX query records collected by the DNS MX monitoring points and obtain the target host list; to screen the target host list entry by entry and obtain the suspicious host list; and finally to sort the suspicious hosts by NXDOMAIN count in descending order, where the higher a host ranks, the greater the probability that it is a spam host.
The storage and statistics module collects the monitoring results sent by each DNS MX monitoring point and writes them to a database. At 0:00 every day (this time can be adjusted according to how promptly the spam host list needs updating), the data are merged and aggregated by querying host IP to produce new records in the following format: querying host IP, number of distinct domain names queried, number of NXDOMAIN responses. Hosts that queried only one domain name are removed, the remainder are sorted by the number of DNS MX domain names queried, and the result is the target host list. The processed raw data are then deleted from the database.
The target host screening module screens the hosts in the target host list one by one, excludes DNS servers and SMTP servers, and obtains the suspicious host list. First a DNS query request is sent to each host in the target host list and its response is checked to decide whether it is a DNS server; if so, the host is marked as a DNS server in the list. Otherwise the module detects whether the target host has the SMTP service open; if so, the host is marked as an SMTP server in the target host list, otherwise it is marked as a suspicious host. The suspicious host list obtained in this way is sorted in descending order by NXDOMAIN count.
The suspicious host alarm module sends an alarm e-mail to the network administrator mailbox configured in the system. The alarm e-mail contains the suspicious spam host list sorted by degree of suspicion in descending order, giving for each host the querying host IP, the number of domain names queried and the number of NXDOMAIN responses.
As the above embodiment shows, the invention is practical and readily implemented, and the suspicious spam host list can be updated at regular intervals.

Claims (4)

1. A method and system for detecting spam hosts in a wide area network, characterised in that:
the DNS MX query records of hosts in the network are monitored and counted; hosts whose number of distinct queried domain names is two or more are screened for DNS servers and SMTP servers to obtain a suspicious host list; finally the suspicious hosts are sorted in descending order using the number of NXDOMAIN responses as the degree of suspicion, and the system is responsible for alarming the network administrator.
2. The spam host detection system in a wide area network according to claim 1, characterised in that:
the system consists of several DNS MX monitoring points and one spam host screening subsystem.
3. The DNS MX monitoring point according to claim 2, characterised in that:
it is deployed at a gateway or on a DNS server, monitors DNS MX records, obtains information such as the querying host IP, the queried domain name and whether NXDOMAIN was returned, and returns the result to the spam host screening subsystem.
4. The spam host screening subsystem according to claim 2, characterised in that:
it consists of three parts: a data statistics and storage module, a target host screening module and a suspicious host alarm module; it collects the data from the DNS MX monitoring points and analyses them statistically to obtain the target host list; it then obtains the suspicious host list through DNS server and SMTP server screening; and finally it sorts the suspicious hosts in descending order using the number of NXDOMAIN responses as the degree of suspicion and alarms the network administrator.

Priority and filing date: 2010-12-08 (application CN2010105782079A, filed by Individual)
Publication: CN102571463A, published 2012-07-11 (Pending at publication)
Family ID: 46415989 (one family application, CN)

Cited By (2)

* Cited by examiner, † Cited by third party
CN105187298A * (priority 2015-08-17, published 2015-12-23, 武汉闪达科技有限公司): System and method for building trusted channel in sending mail
CN108683589A * (priority 2018-07-23, published 2018-10-19, 清华大学 (Tsinghua University)): Detection method, device and electronic equipment for spam


Legal Events

C06 / PB01: Publication (application publication date 2012-07-11)
DD01: Delivery of document by public notice (addressee: Luo Zhihui), document: Notification of Publication of the Application for Invention
DD01: Delivery of document by public notice (addressee: Luo Zhihui), document: Notification before Expiration of Request of Examination as to Substance
DD01: Delivery of document by public notice (addressee: Luo Zhihui), document: Notification that Application Deemed to be Withdrawn
C02 / WD01: Invention patent application deemed withdrawn after publication (patent law 2001)