CN109672607A - A kind of email processing method, device and storage equipment, program product - Google Patents
Publication number: CN109672607A (application CN201811564850.9A)
Authority: CN (China)
Prior art keywords: detected, content, client, detection
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L51/00—User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail > H04L51/42—Mailbox-related aspects, e.g. synchronisation of mailboxes
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L51/00—User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail > H04L51/21—Monitoring or handling of messages > H04L51/23—Reliability checks, e.g. acknowledgments or fault reporting
- H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00—Network architectures or network communication protocols for network security > H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic > H04L63/1441—Countermeasures against malicious traffic > H04L63/1466—Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Information Transfer Between Computers (AREA)
Abstract
The embodiments of this application disclose an email processing method, device, storage equipment and program product. When a server sends mail to a client, the mail gateway obtains the mail and treats it as the mail to be detected. It then separates the content to be detected from the mail to be detected, replaces that content with risk prompt information, regenerates the mail as a recombined mail, and sends the recombined mail to the client. In other words, the attachment files in the mail and/or the links in the mail body are separated out first, so that an APT attack cannot reach the client through an attachment file and/or link, which protects the client. The recombined mail also includes the access address on the mail gateway that corresponds to the content to be detected in the original mail: if that content is safe, the user can obtain the attachment file and/or link through the access address; if it is dangerous, the user is given a risk prompt. This achieves an effective defence against APT attacks.
Description
Technical field
This application relates to the field of Internet technology, and in particular to an email processing method, device, storage equipment and program product.
Background technique
With the further development of the information age, enterprise informatization keeps deepening, and the various enterprise informatization solutions (such as mail systems and database systems) have become enterprise infrastructure. The resulting data security problems are also getting worse: enterprise leaks of secrets occur repeatedly, seriously threatening the survival and lawful competitiveness of enterprises and even endangering national information security.
APT (Advanced Persistent Threat) refers to an advanced, persistent threat: a form of network attack that uses advanced attack means to carry out a long-lasting attack against a specific target. Compared with other forms of attack, an APT attack is more advanced and sophisticated; its advanced nature lies mainly in the fact that, before launching the attack, the attacker precisely collects information about the target's business processes and target systems. The most common means of APT attack is spear phishing. This attack method is a network fraud aimed at a specific organization, with the goal of obtaining confidential data without authorization; the most direct approach is to send a Trojan program to the specific target as an email attachment and lure the target into opening the attachment.
Although existing anti-spam technology based on mail security gateways can block the receipt of some improper mail, the emails used in spear phishing differ from spam in that they are extremely deceptive, and the attacker can send them to a specific individual, organization or enterprise. Usually the attacker takes time to learn network information such as the target's name and email address, then impersonates an authoritative institution such as a company, an organization or even a government agency and sends false content, malicious files or malicious links to lure the victim into clicking or entering account credentials.
Spear phishing is customized and precise, so traditional security measures usually cannot prevent these attacks, and spear phishing is becoming increasingly difficult to detect. A single employee who inadvertently clicks a phishing mail can cause serious consequences for an enterprise, a government or even a non-profit organization. The prior art therefore cannot effectively defend against APT attacks.
Summary of the invention
In view of this, the embodiments of this application provide an email processing method, device, storage equipment and program product to solve the technical problem that the prior art cannot effectively defend against APT attacks.
To solve the above problem, the technical solution provided by the embodiments of this application is as follows:
An email processing method, applied to a mail gateway, the method comprising:
receiving the mail to be detected that a server sends to a client;
separating the content to be detected from the mail to be detected, the content to be detected including email attachment files and/or links in the mail body;
replacing the content to be detected in the mail to be detected with risk prompt information to generate a recombined mail, and sending the recombined mail to the client, where the risk prompt information includes the access address on the mail gateway that corresponds to the content to be detected in the mail to be detected.
In one possible implementation, the method further includes:
performing malicious behavior detection on the content to be detected to obtain a detection result for the content to be detected.
In one possible implementation, performing malicious behavior detection on the content to be detected to obtain its detection result includes:
adding the content to be detected to a background detection queue for malicious behavior detection, and obtaining the detection result for the content to be detected.
In one possible implementation, the method further includes:
in response to a check request for target content to be detected that the client sends by triggering the access address, obtaining the detection result for the target content to be detected, where the target content to be detected is one or more items of the content to be detected;
if the detection result for the target content to be detected is that no malicious behavior was detected, sending the target content to be detected to the client;
if the detection result for the target content to be detected is that malicious behavior was detected, sending prompt information to the client.
In one possible implementation, the method further includes:
in response to a check request for target content to be detected that the client sends by triggering the access address, if no detection result for the target content to be detected has yet been obtained, moving the target content to be detected from the background detection queue to a real-time detection queue for malicious behavior detection and obtaining its detection result, where the target content to be detected is one or more items of the content to be detected;
if the detection result for the target content to be detected is that no malicious behavior was detected, sending the target content to be detected to the client;
if the detection result for the target content to be detected is that malicious behavior was detected, sending prompt information to the client.
In one possible implementation, the malicious behavior detection includes one or more of: known malicious code detection on the email attachment files, unknown malicious code detection on the email attachment files, and malicious link detection on the links in the mail body.
In one possible implementation, known malicious code detection on the email attachment files is implemented by an antivirus module, unknown malicious code detection on the email attachment files is implemented by a sandbox module, and malicious link detection on the links in the mail body is implemented by a malicious URL detection module.
In one possible implementation, the method further includes:
if no content to be detected is separated from the mail to be detected, sending the mail to be detected directly to the client.
An email processing device, applied to a mail gateway, the device including:
a receiving unit for receiving the mail to be detected that a server sends to a client;
a separating unit for separating the content to be detected from the mail to be detected, the content to be detected including email attachment files and/or links in the mail body;
a first sending unit for replacing the content to be detected in the mail to be detected with risk prompt information to generate a recombined mail and sending the recombined mail to the client, where the risk prompt information includes the access address on the mail gateway that corresponds to the content to be detected in the mail to be detected.
In one possible implementation, the device further includes:
a detection unit for performing malicious behavior detection on the content to be detected to obtain a detection result for the content to be detected.
In one possible implementation, the detection unit is used to add the content to be detected to a background detection queue for malicious behavior detection and to obtain the detection result for the content to be detected.
In one possible implementation, the device further includes:
an acquiring unit for obtaining, in response to a check request for target content to be detected that the client sends by triggering the access address, the detection result for the target content to be detected, where the target content to be detected is one or more items of the content to be detected;
a second sending unit for sending the target content to be detected to the client if its detection result is that no malicious behavior was detected;
a third sending unit for sending prompt information to the client if the detection result for the target content to be detected is that malicious behavior was detected.
In one possible implementation, the device further includes:
a moving unit for, in response to a check request for target content to be detected that the client sends by triggering the access address, moving the target content to be detected from the background detection queue to a real-time detection queue for malicious behavior detection and obtaining its detection result if no detection result has yet been obtained, where the target content to be detected is one or more items of the content to be detected;
a third sending unit for sending the target content to be detected to the client if its detection result is that no malicious behavior was detected;
a fourth sending unit for sending prompt information to the client if the detection result for the target content to be detected is that malicious behavior was detected.
In one possible implementation, the malicious behavior detection includes one or more of: known malicious code detection on the email attachment files, unknown malicious code detection on the email attachment files, and malicious link detection on the links in the mail body.
In one possible implementation, known malicious code detection on the email attachment files is implemented by an antivirus module, unknown malicious code detection on the email attachment files is implemented by a sandbox module, and malicious link detection on the links in the mail body is implemented by a malicious URL detection module.
In one possible implementation, the first sending unit is also used to send the mail to be detected directly to the client if no content to be detected is separated from the mail to be detected.
A computer-readable storage medium storing instructions which, when run on a terminal device, cause the terminal device to execute the email processing method described above.
A computer program product which, when run on a terminal device, causes the terminal device to execute the email processing method described above.
It can be seen that the embodiments of this application have the following beneficial effects:
In the embodiments of this application, when the server sends mail to the client, the mail gateway obtains the mail first and treats it as the mail to be detected. It then separates the content to be detected from the mail to be detected, replaces that content with risk prompt information, regenerates the mail as a recombined mail and sends the recombined mail to the client. In other words, the attachment files in the mail and/or the links in the mail body are separated out first, so that an APT attack cannot reach the client through an attachment file and/or link, which protects the client. Moreover, the recombined mail includes the access address on the mail gateway that corresponds to the content to be detected in the original mail: if that content is safe, the user can obtain the attachment file and/or link through the access address; if it is dangerous, the user is given a risk prompt, thereby effectively defending against APT attacks.
Detailed description of the invention
Fig. 1 is a schematic frame diagram of an exemplary application scenario provided by the embodiments of this application;
Fig. 2 is a flow chart of an email processing method provided by the embodiments of this application;
Fig. 3 is a frame diagram of the email processing method provided by the embodiments of this application;
Fig. 4 is an application scenario example diagram provided by the embodiments of this application;
Fig. 5 is a structural diagram of an email processing device provided by the embodiments of this application.
Specific embodiment
To make the above objects, features and advantages of this application clearer, the embodiments of this application are described in further detail below with reference to the accompanying drawings and specific implementations.
To make the technical solution provided by this application easier to understand, the background of the application is explained first.
Because spear phishing is customized and precise, traditional security measures cannot prevent such attacks. The consequences of a spear phishing attack are also severe: the attacker uses the stolen data to leak sensitive business information and manipulate the market. In addition, a spear phishing attack can deploy large-scale malware that hijacks computers and turns the network they sit in into a large botnet usable for DoS (Denial of Service), seriously affecting network security.
APT attacks also frequently use dedicated malware, that is, special malware tailored to a particular enterprise. Because common antivirus software mainly detects and removes known software, it cannot detect the malware used in an APT attack. Although a sandbox can detect unknown malware, its efficiency is low, and applying it directly to the inspection of office-network mail consumes a great deal of resources. At the same time, APT attacks mostly rely on highly deceptive emails that usually lack the features of spam, so traditional anti-spam technology cannot block them effectively. Moreover, not only attachments but also links in the mail body can be used as a means of exploitation. Furthermore, traditional malware detection is slow: whether detection takes place on the client or on the server, it introduces access delay, and the safety of a mail cannot be judged in time.
Based on this, the embodiments of this application provide an email processing method and device. The mail gateway of this application can be deployed between the client and the server; when the server sends mail to the client, the mail gateway obtains the mail first. It then separates the content to be detected from the mail and saves it, that is, it separates out the attachment files and/or the links in the mail body. The content to be detected is then replaced with risk prompt information, the recombined mail is generated from that information, and the mail gateway sends the recombined mail to the client. The risk prompt information includes the access address on the mail gateway that corresponds to the content to be detected in the original mail: if that content is safe, the user can obtain the attachment file and/or link through the access address; if it is dangerous, the user is given a risk prompt. This prevents an APT attack from reaching the client through an attachment file and/or link and improves network security and user privacy.
Referring to Fig. 1, which is a schematic frame diagram of an exemplary application scenario provided by the embodiments of this application, the method provided by the embodiments of this application can be applied to mail gateway 20.
In practical application, client 101 and client 102 can each initiate a connection request to server 30; mail gateway 20 receives the request first and forwards it to server 30. Server 30 accepts the connection and interacts with client 101 and client 102. When server 30 sends mail to client 101 and/or client 102, mail security gateway 20 obtains the mail sent by server 30, parses it, separates the content to be detected from the mail and saves it in the storage space of mail gateway 30. It then replaces the content to be detected in the mail with risk prompt information, recombines the mail, and sends the recombined mail to client 101 and/or client 102.
It should be noted that mail gateway 20 can provide mail malicious behavior detection for multiple clients at the same time. Mail gateway 20 can be deployed on server 30 or in the network between client 101 and server 30. To avoid occupying the resources of server 30, the mail gateway is normally deployed in the network between client 101 and server 30.
Those skilled in the art will understand that the frame diagram shown in Fig. 1 is only one example in which the embodiments of this application can be implemented. The scope of the embodiments of this application is not limited in any way by this frame.
It should also be noted that client 101 and client 102 can be carried on a terminal. The terminal can be any existing, in-development or future user equipment capable of interacting through any form of wired and/or wireless connection (for example Wi-Fi, LAN, cellular, coaxial cable, etc.), including but not limited to existing, in-development or future smart wearable devices, smart phones, non-smart mobile phones, tablet computers, laptop personal computers, desktop personal computers, minicomputers, medium-size computers, mainframe computers, etc.; the embodiments of this application are not restricted in this regard. Similarly, server 30 can be any existing, in-development or future equipment able to provide a mail service to users; the embodiments of this application place no restriction on this.
To make the email processing method provided by this application easier to understand, the method is explained below with reference to the drawings.
Referring to Fig. 2, which is a flow chart of an email processing method provided by the embodiments of this application, the method is applied to a mail gateway and includes:
S201: receive the mail to be detected that the server sends to the client.
In this embodiment, when the server sends mail to the client, the mail gateway first obtains the mail from the server and treats it as the mail to be detected.
Because the mail gateway is deployed between the client and the server, when the server sends mail to the client the mail gateway receives it first and forwards it to the client only after processing, which protects the client. In practice, the client initiates a connection request to the server; the mail gateway receives the connection request and forwards it to the server; the server responds to the request and sends mail to the client; the mail gateway therefore receives the mail first and treats it as the mail to be detected.
S202: separate the content to be detected from the mail to be detected.
In this embodiment, after obtaining the mail to be detected, the mail gateway parses it, separates the content to be detected from it, and can save that content in the gateway's storage space so that the gateway can perform security detection on it.
The content to be detected includes email attachment files and/or links in the mail body; an attachment file can be any kind of file, such as a document, a picture or a program. When the content to be detected includes multiple attachment files, the mail gateway separates each attachment file individually, obtaining multiple items of content to be detected; when it includes multiple links, each link is separated individually, again obtaining multiple items. That is, each attachment file and each link is one item of content to be detected.
In a specific implementation, the mail gateway can parse the mail to be detected according to the email application-layer protocol and extract the content to be detected from it. Common email application-layer protocols include the Simple Mail Transfer Protocol (SMTP), the Post Office Protocol (POP) and the Internet Message Access Protocol (IMAP).
S203: replace the content to be detected in the mail to be detected with risk prompt information to generate a recombined mail, and send the recombined mail to the client.
In this embodiment, after separating the content to be detected, the mail gateway replaces it with safe risk prompt information, which warns the client user that the original content of the mail may carry a risk of attack. The recombined mail is then generated from the risk prompt information and sent to the client.
The risk prompt information includes the access address on the mail gateway that corresponds to the content to be detected in the mail. When the user reads the mail, the risk prompt information is visible, and the user can decide according to business need whether to access that address to request the content to be detected.
It should be noted that when the content to be detected includes multiple items, each item corresponds to its own access address: when the content includes multiple attachment files, each attachment file corresponds to one access address, and/or when it includes multiple links, each link corresponds to one access address, so that the user can request a particular item through that item's own access address. For example, if the content to be detected includes attachment file 1, attachment file 2, link 3 and link 4, then attachment file 1 corresponds to access address 1, attachment file 2 to access address 2, link 3 to access address 3 and link 4 to access address 4. The user can then click access address 1 to request attachment file 1, or click access address 3 to request link 3.
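The three steps S201 to S203 on one mail, as an added example that is not code from the patent: the standard Python email package stands in for the gateway's protocol parser, an in-memory dictionary stands in for the gateway's storage space, a random token stands in for the per-item access address, and the host name gateway.example is a constructed assumption. The sample mail with one body link and one attachment is constructed inline.

```python
"""Added example (not from the patent): separate-and-recombine for one mail.
Assumed/constructed: Python's email package as parser, QUARANTINE dict as the
gateway storage space, token_urlsafe tokens as access addresses, gateway.example."""
import re
import secrets
from email import message_from_bytes, policy
from email.message import EmailMessage

GATEWAY_BASE = "https://gateway.example/check/"   # constructed gateway address
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Stands in for the gateway's storage space: access token -> separated item.
QUARANTINE = {}


def _new_token() -> str:
    return secrets.token_urlsafe(12)


def separate_and_recombine(raw: bytes):
    """S201-S203: parse the mail, make every attachment and every body link its
    own item with its own access address, replace each with a risk prompt, and
    return (recombined_message, tokens). Returns (None, []) when nothing was
    separated, i.e. the plain-text case the gateway forwards unchanged."""
    msg = message_from_bytes(raw, policy=policy.default)
    attachments = list(msg.iter_attachments())
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body_text = body_part.get_content() if body_part is not None else ""
    links = URL_RE.findall(body_text)
    if not attachments and not links:
        return None, []

    tokens = []
    prompt = ["", "--- mail gateway risk prompt: content withheld pending detection ---"]
    for att in attachments:
        tok = _new_token()
        QUARANTINE[tok] = {"kind": "attachment",
                           "name": att.get_filename() or "unnamed",
                           "payload": att.get_payload(decode=True)}
        tokens.append(tok)
        prompt.append(f"attachment '{QUARANTINE[tok]['name']}': {GATEWAY_BASE}{tok}")

    new_body = body_text
    for url in links:
        tok = _new_token()
        QUARANTINE[tok] = {"kind": "link", "name": url, "payload": url}
        tokens.append(tok)
        # The original link is replaced in place by its access address.
        new_body = new_body.replace(url, f"[link withheld: {GATEWAY_BASE}{tok}]", 1)

    out = EmailMessage()
    for hdr in ("From", "To", "Subject", "Date", "Message-ID"):
        if msg[hdr] is not None:
            out[hdr] = str(msg[hdr])
    out.set_content(new_body + "\n".join(prompt) + "\n")
    return out, tokens


def build_sample() -> bytes:
    """Constructed sample mail: a text body with one link and one attachment."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["To"] = "user@example.com"
    m["Subject"] = "Invoice"
    m.set_content("Please review http://files.example.net/invoice.zip today.")
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="invoice.exe")
    return m.as_bytes()


def build_plain_sample() -> bytes:
    """Constructed plain-text mail with no attachment and no link."""
    m = EmailMessage()
    m["From"] = "sender@example.org"
    m["Subject"] = "Hello"
    m.set_content("No links here.")
    return m.as_bytes()


if __name__ == "__main__":
    recombined, toks = separate_and_recombine(build_sample())
    print(recombined.get_content())
```

The recombined mail keeps only the original headers and a rewritten text body, so nothing from the withheld attachment or link reaches the client; the access token is the only handle the user receives, and the gateway resolves it against its own store when a check request arrives.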
From the above it can be seen that when the server sends mail to the client, the mail gateway obtains the mail first and treats it as the mail to be detected. It then separates the content to be detected from the mail, replaces that content with risk prompt information, regenerates the mail as a recombined mail and sends the recombined mail to the client. In other words, the attachment files in the mail and/or the links in the mail body are separated out first, so that an APT attack cannot reach the client through an attachment file and/or link, which protects the client.
In the embodiments of this application, after the mail gateway has separated the content to be detected, it can perform malicious behavior detection on the saved content, obtain the detection result and store it; when the user clicks the access address to request the content, the detection result is returned. Malicious behavior detection can include one or more of: known malicious code detection on attachment files, unknown malicious code detection on attachment files, and malicious link detection on links in the mail body.
In one possible implementation, known malicious code detection on attachment files can be implemented by an antivirus module, unknown malicious code detection on attachment files by a sandbox module, and malicious link detection on links in the mail body by a malicious URL detection module.
That is, in practice an antivirus module can perform known malicious code detection on all types of mail attachment files, a sandbox module can perform unknown malicious code detection on all types of attachment files, and a malicious URL detection module can perform malicious link detection on the links in the mail, yielding the detection result.
To make it convenient for the mail gateway to detect all types of content, the attachment files and the body links in the content to be detected can be detected separately: attachment files are added to an attachment file detection queue and body links to a link detection queue, so that the gateway can detect different types of content at the same time and then combine the results of the two queues into the overall detection result.
In one possible implementation, when the client user wants to view the content to be detected, the user can click the access address in the mail. In response to the check request for target content that the client sends by triggering the access address, the mail gateway obtains the detection result for the target content; if the result is that no malicious behavior was detected, the target content is sent to the client; if the result is that malicious behavior was detected, prompt information is sent to the client. The target content to be detected is one or more items of the content to be detected.
In other words, if the mail gateway detects that the target content the user wants to view is malicious, it returns safety prompt information telling the user that the target content contains malicious content and cannot be downloaded; if the target content is safe, the gateway returns to the user the access address for downloading the attachment file and/or the body link, so that the user can download and view it.
To ensure that the user can access the detection result of the content to be detected in real time, the mail gateway can detect using grouped queues: a real-time detection queue and a background detection queue. The gateway detects the content in the real-time detection queue first and only detects the content in the background detection queue when the real-time queue is empty. Specifically, when the mail gateway responds to the check request for target content that the client sends by triggering the access address and no detection result for the target content has yet been obtained, it moves the target content from the background detection queue to the real-time detection queue for malicious behavior detection and obtains its result; if the result is that no malicious behavior was detected, the target content is sent to the client; if the result is that malicious behavior was detected, prompt information is sent to the client. The target content to be detected is one or more items of the content to be detected.
In a specific implementation, when the user clicks the access address of the target content in the mail to view the detection result and that result has not yet been obtained, the scheduling module of the mail gateway can immediately move the target content from the background detection queue to the real-time detection queue and at once use the antivirus module, the sandbox module and the malicious URL detection module to perform malicious behavior detection on it, thereby obtaining the detection result.
It should be noted that when the Mail Gateway isolates no content to be detected from the mail to be detected, this indicates that the mail is safe, and the mail to be detected is sent directly to the client. Isolating no content to be detected means that the mail to be detected contains no email attachment file and its message body contains no link, for example a plain-text mail.
In the embodiment of the present application, if detection finds the content to be detected to be safe, the user can obtain the attachment file and/or link through the access address; if detection finds the content to be detected to be dangerous, a risk prompt is given to the user, thereby effectively defending against APT attacks.
For ease of understanding, refer to the mail processing framework diagram shown in Figure 3. After the Mail Gateway obtains the mail sent by the server, it parses the mail and judges whether the mail contains content to be detected. If the mail contains no email attachment file and the message body contains no link, the mail is sent directly to the client. If the mail contains an email attachment file and/or a link, the email attachment file and/or link is separated out and replaced with risk prompt information, and the recombined mail is sent to the client. At the same time, the Mail Gateway schedules the antivirus module, the malicious URL detection module and the sandbox module to perform malicious behavior detection on the isolated email attachment file and/or link. When the user views the content through the access address in the risk prompt information, if the detection result is that no malicious behavior was detected, the email attachment file and/or link is sent to the client; if the detection result is that malicious behavior was detected, prompt information is sent to the client.
Referring to Fig. 4, which is an example application scenario diagram provided by the embodiments of the present application, the client and the server can transmit mail through the Mail Gateway. The Mail Gateway may include a mail parsing module, a mail recombination module, a threat detection scheduling module, an antivirus module, a sandbox module and a malicious URL detection module.
Mail parsing module: by analyzing the network application-layer protocol of the mail to be detected, it parses the content of the mail and extracts the content to be detected, which includes the links in the message body, the attachment files and so on, for subsequent processing.
Mail recombination module: it replaces the content to be detected, namely the links in the message body and the email attachments, with access addresses pointing inside the Mail Gateway, restores the message body to generate the recombined mail, and sends the recombined mail to the client over the network in the form of the mail protocol.
Threat detection scheduling module: it adds the content to be detected that was extracted from the mail to the background detection queue to wait for detection. When the user clicks an access address in the mail, the threat detection scheduling module can also immediately move the corresponding content to be detected to the real-time detection queue for immediate detection.
Antivirus module: it can perform known malicious code detection on attachments of all types; it detects the content in the real-time detection queue first and, when the real-time detection queue is empty, detects the content in the background detection queue.
Sandbox module: it can perform unknown malicious code detection on attachments of all types; it detects the content in the real-time detection queue first and, when the real-time detection queue is empty, detects the content in the background detection queue.
Malicious URL detection module: it can perform malicious URL detection on the links in the mail; it detects the content in the real-time detection queue first and, when the real-time detection queue is empty, detects the content in the background detection queue.
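The gateway workflow described above (isolate links and attachments, replace them with access addresses, queue them for background detection, and promote an item to the real-time queue when the user clicks its address), as an added Python example that is not the patent's own code. The detection modules are stubbed as simple callables, the queues are in-memory deques, and the access-address prefix `https://gateway.example/check/`, the `MALWARE-SAMPLE` attachment marker and the `bad.example` host are constructed stand-ins.

```python
import email
import re
import uuid
from collections import deque
from email import policy
from email.message import EmailMessage

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed stand-ins for the antivirus/sandbox/malicious-URL modules: True means malicious.
def av_scan(item):
    data = item["payload"] if isinstance(item["payload"], bytes) else str(item["payload"]).encode()
    return item["kind"] == "attachment" and b"MALWARE-SAMPLE" in data
def url_check(item):
    return item["kind"] == "link" and "bad.example" in item["payload"]

class MailGateway:
    def __init__(self, detectors, base_url="https://gateway.example/check/"):
        self.detectors = detectors
        self.base_url = base_url      # hypothetical access-address prefix inside the gateway
        self.background = deque()     # isolated items waiting for batch detection
        self.realtime = deque()       # items a user has asked to view
        self.items = {}               # token -> {kind, name, payload, result}

    def _register(self, kind, name, payload):
        token = uuid.uuid4().hex      # unguessable access token for this item
        self.items[token] = {"kind": kind, "name": name, "payload": payload, "result": None}
        self.background.append(token)
        return token

    def process(self, raw):
        msg = email.message_from_bytes(raw, policy=policy.default)
        body = msg.get_body(preferencelist=("plain",)).get_content()
        attachments = list(msg.iter_attachments())
        if not attachments and not URL_RE.search(body):
            return msg                # nothing to isolate: forward the plain mail unchanged
        def withhold_link(m):
            token = self._register("link", m.group(0), m.group(0))
            return f"[link withheld pending check: {self.base_url}{token}]"
        new_body = URL_RE.sub(withhold_link, body)
        for part in attachments:
            name = part.get_filename() or "attachment"
            token = self._register("attachment", name, part.get_content())
            new_body += f"\n[attachment {name} withheld pending check: {self.base_url}{token}]"
        out = EmailMessage()          # recombined mail: original headers, rewritten body
        for h in ("From", "To", "Subject"):
            if msg[h]:
                out[h] = msg[h]
        out.set_content(new_body)
        return out

    def scan_next(self):
        """One detector step: the real-time queue is always served before the background queue."""
        if not (self.realtime or self.background):
            return None
        token = self.realtime.popleft() if self.realtime else self.background.popleft()
        item = self.items[token]
        if item["result"] is None:
            item["result"] = any(d(item) for d in self.detectors)
        return token

    def run_background(self):
        while self.scan_next() is not None:   # batch mode: drain both queues, real-time first
            pass

    def check(self, token):
        """User clicked an access address: promote to real-time if undetected, then answer."""
        item = self.items[token]
        if item["result"] is None:
            if token in self.background:
                self.background.remove(token)
            self.realtime.append(token)
            self.scan_next()          # served immediately, ahead of background work
        if item["result"]:
            return ("warning", f"{item['name']} was found malicious and is withheld")
        return ("content", item["payload"])

def build_sample():
    """Constructed test mail: one safe link, one malicious link and one malicious attachment."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "user@example.net", "Quarterly report"
    m.set_content("Report: https://docs.example/report.pdf\nAlso see http://bad.example/login")
    m.add_attachment(b"MALWARE-SAMPLE payload", maintype="application",
                     subtype="octet-stream", filename="report.exe")
    return m.as_bytes()
```

A click on an access address before the background pass has reached the item is answered from the real-time queue, while the remaining items are still detected in the batch pass; a mail with no link or attachment is returned as parsed.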
From the above it can be seen that, in the embodiment of the present application, the Mail Gateway can be deployed outside the mail server and the client, so it does not occupy the resources of the mail server or the client. Moreover, for the malicious URLs and dedicated mail-attachment trojans that APT attacks frequently use, there are corresponding effective detection means, and the user is given a risk prompt. In addition, the packet-queue detection mode used for the content to be detected in the mail makes full use of the detection resources: it ensures both that the client quickly receives the mail body and that the content to be detected can be accessed in real time when requested.
Based on the above method embodiments, the present application also provides a mail processing device, which is described below with reference to the drawings.
Referring to Fig. 5, which is a structural diagram of a mail processing device provided by the embodiments of the present application, as shown in Fig. 5, the device may include:
a receiving unit 501, for receiving the mail to be detected that the server sends to the client;
a separation unit 502, for isolating content to be detected from the mail to be detected, the content to be detected including an email attachment file and/or a link in the message body;
a first sending unit 503, for replacing the content to be detected in the mail to be detected with risk prompt information to generate a recombined mail and sending the recombined mail to the client, the risk prompt information including the access address in the Mail Gateway corresponding to the content to be detected in the mail to be detected.
In one possible implementation, the device further includes:
a detection unit, for performing malicious behavior detection on the content to be detected to obtain the detection result for the content to be detected.
In one possible implementation, the detection unit is specifically for adding the content to be detected to a background detection queue for malicious behavior detection, to obtain the detection result for the content to be detected.
In one possible implementation, the device further includes:
an acquiring unit, for obtaining, in response to a viewing request for target content to be detected sent by the client by triggering the access address, the detection result for the target content to be detected, the target content to be detected being one or more items of the content to be detected;
a second sending unit, for sending the target content to be detected to the client if the detection result for the target content to be detected is that no malicious behavior is detected;
a third sending unit, for sending prompt information to the client if the detection result for the target content to be detected is that malicious behavior is detected.
In one possible implementation, the device further includes:
a moving unit, for, in response to a viewing request for target content to be detected sent by the client by triggering the access address, if the detection result for the target content to be detected has not yet been obtained, moving the target content to be detected from the background detection queue to a real-time detection queue for malicious behavior detection, to obtain the detection result for the target content to be detected, the target content to be detected being one or more items of the content to be detected;
a third sending unit, for sending the target content to be detected to the client if the detection result for the target content to be detected is that no malicious behavior is detected;
a fourth sending unit, for sending prompt information to the client if the detection result for the target content to be detected is that malicious behavior is detected.
In one possible implementation, the malicious behavior detection includes one or more of: performing known malicious code detection on the email attachment file, performing unknown malicious code detection on the email attachment file, and performing malicious link detection on the link in the message body.
In one possible implementation, the known malicious code detection on the email attachment file is implemented by an antivirus module, the unknown malicious code detection on the email attachment file is implemented by a sandbox module, and the malicious link detection on the link in the message body is implemented by a malicious URL detection module.
In one possible implementation, the first sending unit is further for sending the mail to be detected directly to the client if no content to be detected is isolated from the mail to be detected.
It should be noted that, for the implementation of each unit or module in this embodiment, reference may be made to the implementations of Fig. 1 to Fig. 4, which are not repeated here.
In addition, the embodiments of the present application also provide a computer-readable storage medium in which instructions are stored; when the instructions are run on a terminal device, the terminal device is caused to perform the email processing method described above.
The embodiments of the present application also provide a computer program product; when the computer program product is run on a terminal device, the terminal device is caused to perform the email processing method described above.
From the above embodiments it can be seen that, when the server sends a mail to the client, the Mail Gateway first obtains the mail as the mail to be detected. It then isolates the content to be detected from the mail to be detected, replaces that content with risk prompt information, generates the recombined mail, and sends the recombined mail to the client. That is, the email attachment file and/or the link in the message body is first separated out of the mail, which prevents an APT from attacking the client through the email attachment file and/or link and guarantees the safety of the client. Moreover, the recombined mail includes the access address in the Mail Gateway corresponding to the content to be detected in the mail to be detected: if the content to be detected is safe, the user can obtain the attachment file and/or link through the access address; if the content to be detected is dangerous, a risk prompt is given to the user, thereby effectively defending against APT attacks.
It should be noted that the embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to one another. Since the system or device disclosed in an embodiment corresponds to the method disclosed in that embodiment, it is described relatively simply, and reference may be made to the description of the method for the relevant points.
It should be understood that in this application, "at least one (item)" means one or more, and "multiple" means two or more. "And/or" describes an association between associated objects and indicates that three relationships may exist; for example, "A and/or B" may mean: only A exists, only B exists, or both A and B exist, where A and B may be singular or plural. The character "/" generally indicates that the associated objects before and after it are in an "or" relationship. "At least one of the following (items)" or a similar expression refers to any combination of these items, including any combination of single items or plural items. For example, "at least one of a, b or c" may mean: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where a, b and c may each be single or multiple.
It should also be noted that, herein, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to such a process, method, article or device. In the absence of further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The steps of the method or algorithm described in conjunction with the embodiments disclosed in this document can be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium well known in the technical field.
The foregoing description of the disclosed embodiments enables professional and technical personnel in the field to implement or use the application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein can be implemented in other embodiments without departing from the spirit or scope of the application. Therefore, the application is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
Claims (10)
1. An email processing method, characterized in that the method is applied to a Mail Gateway, and the method comprises:
receiving a mail to be detected that a server sends to a client;
isolating content to be detected from the mail to be detected, the content to be detected comprising an email attachment file and/or a link in the message body;
replacing the content to be detected in the mail to be detected with risk prompt information to generate a recombined mail, and sending the recombined mail to the client, the risk prompt information comprising an access address in the Mail Gateway corresponding to the content to be detected in the mail to be detected.
2. The method according to claim 1, characterized in that the method further comprises:
performing malicious behavior detection on the content to be detected to obtain a detection result for the content to be detected.
3. The method according to claim 2, characterized in that performing malicious behavior detection on the content to be detected to obtain the detection result for the content to be detected comprises:
adding the content to be detected to a background detection queue for malicious behavior detection, to obtain the detection result for the content to be detected.
4. The method according to claim 2 or 3, characterized in that the method further comprises:
in response to a viewing request for target content to be detected, sent by the client by triggering the access address, obtaining the detection result for the target content to be detected, the target content to be detected being one or more items of the content to be detected;
if the detection result for the target content to be detected is that no malicious behavior is detected, sending the target content to be detected to the client;
if the detection result for the target content to be detected is that malicious behavior is detected, sending prompt information to the client.
5. The method according to claim 3, characterized in that the method further comprises:
in response to a viewing request for target content to be detected, sent by the client by triggering the access address, if the detection result for the target content to be detected has not yet been obtained, moving the target content to be detected from the background detection queue to a real-time detection queue for malicious behavior detection, to obtain the detection result for the target content to be detected, the target content to be detected being one or more items of the content to be detected;
if the detection result for the target content to be detected is that no malicious behavior is detected, sending the target content to be detected to the client;
if the detection result for the target content to be detected is that malicious behavior is detected, sending prompt information to the client.
6. The method according to claim 2, characterized in that the malicious behavior detection comprises one or more of: performing known malicious code detection on the email attachment file, performing unknown malicious code detection on the email attachment file, and performing malicious link detection on the link in the message body.
7. The method according to claim 1, characterized in that the method further comprises:
if no content to be detected is isolated from the mail to be detected, sending the mail to be detected directly to the client.
8. An email processing device, characterized in that the device is applied to a Mail Gateway, and the device comprises:
a receiving unit, for receiving a mail to be detected that a server sends to a client;
a separation unit, for isolating content to be detected from the mail to be detected, the content to be detected comprising an email attachment file and/or a link in the message body;
a first sending unit, for replacing the content to be detected in the mail to be detected with risk prompt information to generate a recombined mail, and sending the recombined mail to the client, the risk prompt information comprising an access address in the Mail Gateway corresponding to the content to be detected in the mail to be detected.
9. A computer-readable storage medium, characterized in that instructions are stored in the computer-readable storage medium, and when the instructions are run on a terminal device, the terminal device is caused to perform the email processing method according to any one of claims 1 to 7.
10. A computer program product, characterized in that when the computer program product is run on a terminal device, the terminal device is caused to perform the email processing method according to any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201811564850.9A CN109672607A (en) | 2018-12-20 | 2018-12-20 | A kind of email processing method, device and storage equipment, program product |
Publications (1)
Publication Number | Publication Date |
---|---|
CN109672607A true CN109672607A (en) | 2019-04-23 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 20190423 |