CN109672607A - A kind of email processing method, device and storage equipment, program product - Google Patents


Info

Publication number: CN109672607A
Authority: CN (China)
Prior art keywords: detected, mail, content, client, detection
Legal status: Pending
Application number: CN201811564850.9A
Other languages: Chinese (zh)
Inventor: 金健
Current assignee: Neusoft Corp
Original assignee: Neusoft Corp
Application filed by Neusoft Corp; priority to CN201811564850.9A; publication of CN109672607A

Classifications

    • H ELECTRICITY
        • H04 ELECTRIC COMMUNICATION TECHNIQUE
            • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
                • H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
                    • H04L51/42 Mailbox-related aspects, e.g. synchronisation of mailboxes
                    • H04L51/21 Monitoring or handling of messages
                        • H04L51/23 Reliability checks, e.g. acknowledgments or fault reporting
                • H04L63/00 Network architectures or network communication protocols for network security
                    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
                        • H04L63/1441 Countermeasures against malicious traffic
                            • H04L63/1466 Active attacks involving interception, injection, modification, spoofing of data unit addresses, e.g. hijacking, packet injection or TCP sequence number attacks

Abstract

An embodiment of the present application discloses an email processing method, device, storage device and program product. When a server sends mail to a client, the mail gateway obtains that mail as the mail to be detected. It then separates the content to be detected from the mail to be detected, replaces that content with risk-prompt information, generates a recombined mail, and sends the recombined mail to the client. In other words, the email attachment files and/or the links in the message body are first separated out of the mail, so that an APT attack cannot reach the client through an attachment file or a link, and the client is kept safe. The recombined mail also contains, for the content to be detected in the mail to be detected, the corresponding access address on the mail gateway: if the content to be detected is safe, the user can obtain the attachment files and/or links through that access address; if it is unsafe, the user receives a risk prompt. Effective defence against APT attacks is thereby achieved.

Description

Email processing method, device, storage device and program product
Technical field
The present application relates to the field of Internet technology, and in particular to an email processing method, device, storage device and program product.
Background art
With the continued development of the information age, enterprise informatisation keeps deepening, and the various enterprise IT solutions (such as mail systems and database systems) have become enterprise infrastructure. The data-security problems this creates are also worsening: enterprise information leaks occur repeatedly, seriously threaten the survival and lawful competitiveness of enterprises, and may even endanger national information security.
APT (Advanced Persistent Threat) refers to a long-lasting network attack carried out against a specific target using advanced attack techniques. Compared with other forms of attack, an APT attack is more advanced and more sophisticated; its advanced nature lies mainly in the attacker's precise collection of information about the target's business processes and target systems before launching the attack. The most common APT technique is spear phishing, a network fraud aimed at a specific organisation whose goal is to obtain confidential data without authorisation. The most direct approach is to send a trojan program to the chosen target as an email attachment and lure the target into opening it.
Although existing anti-spam technology based on mail security gateways can block some improper mail, the email used in spear phishing differs from spam in being highly deceptive: the attacker sends mail aimed at a particular individual, organisation or enterprise. Usually the attacker takes time to learn the target's name, email address and other network information, then impersonates an authoritative body such as a company, an organisation or even a government agency and sends false content, malicious files or malicious links to lure the victim into clicking or entering account credentials.
Because spear phishing is customised and precise, traditional security measures usually cannot stop these attacks, and spear phishing is increasingly hard to detect. A single employee accidentally clicking a phishing mail can have serious consequences for an enterprise, a government or even a non-profit organisation. The prior art therefore cannot effectively defend against APT attacks.
Summary of the invention
In view of this, embodiments of the present application provide an email processing method, device, storage device and program product, to solve the technical problem that the prior art cannot effectively defend against APT attacks.
To solve the above problem, the technical solution provided by the embodiments of the present application is as follows:
An email processing method, applied to a mail gateway, the method comprising:
receiving mail to be detected that a server sends to a client;
separating content to be detected from the mail to be detected, the content to be detected comprising email attachment files and/or links in the message body;
replacing the content to be detected in the mail to be detected with risk-prompt information to generate a recombined mail, and sending the recombined mail to the client, where the risk-prompt information comprises the access address on the mail gateway corresponding to the content to be detected in the mail to be detected.
In one possible implementation, the method further comprises:
performing malicious-behaviour detection on the content to be detected to obtain a detection result for the content to be detected.
In one possible implementation, performing malicious-behaviour detection on the content to be detected to obtain a detection result for the content to be detected comprises:
adding the content to be detected to a background detection queue for malicious-behaviour detection, and obtaining the detection result for the content to be detected.
In one possible implementation, the method further comprises:
in response to a view request for target content to be detected, sent by the client by triggering the access address, obtaining the detection result for the target content to be detected, the target content to be detected being one or more items of the content to be detected;
if the detection result for the target content to be detected is that no malicious behaviour was detected, sending the target content to be detected to the client;
if the detection result for the target content to be detected is that malicious behaviour was detected, sending prompt information to the client.
In one possible implementation, the method further comprises:
in response to a view request for target content to be detected, sent by the client by triggering the access address, if the detection result for the target content to be detected has not yet been obtained, moving the target content to be detected from the background detection queue to a real-time detection queue for malicious-behaviour detection, and obtaining the detection result for the target content to be detected; the target content to be detected being one or more items of the content to be detected;
if the detection result for the target content to be detected is that no malicious behaviour was detected, sending the target content to be detected to the client;
if the detection result for the target content to be detected is that malicious behaviour was detected, sending prompt information to the client.
In one possible implementation, the malicious-behaviour detection comprises one or more of: known-malicious-code detection of the email attachment files, unknown-malicious-code detection of the email attachment files, and malicious-link detection of the links in the message body.
In one possible implementation, known-malicious-code detection of the email attachment files is performed by an antivirus module, unknown-malicious-code detection of the email attachment files is performed by a sandbox module, and malicious-link detection of the links in the message body is performed by a malicious-URL detection module.
In one possible implementation, the method further comprises:
if no content to be detected is separated from the mail to be detected, sending the mail to be detected directly to the client.
An email processing device, applied to a mail gateway, the device comprising:
a receiving unit, for receiving mail to be detected that a server sends to a client;
a separating unit, for separating content to be detected from the mail to be detected, the content to be detected comprising email attachment files and/or links in the message body;
a first sending unit, for replacing the content to be detected in the mail to be detected with risk-prompt information to generate a recombined mail and sending the recombined mail to the client, where the risk-prompt information comprises the access address on the mail gateway corresponding to the content to be detected in the mail to be detected.
In one possible implementation, the device further comprises:
a detection unit, for performing malicious-behaviour detection on the content to be detected to obtain a detection result for the content to be detected.
In one possible implementation, the detection unit is specifically for adding the content to be detected to a background detection queue for malicious-behaviour detection and obtaining the detection result for the content to be detected.
In one possible implementation, the device further comprises:
an acquiring unit, for obtaining, in response to a view request for target content to be detected sent by the client by triggering the access address, the detection result for the target content to be detected, the target content to be detected being one or more items of the content to be detected;
a second sending unit, for sending the target content to be detected to the client if the detection result for the target content to be detected is that no malicious behaviour was detected;
a third sending unit, for sending prompt information to the client if the detection result for the target content to be detected is that malicious behaviour was detected.
In one possible implementation, the device further comprises:
a moving unit, for, in response to a view request for target content to be detected sent by the client by triggering the access address, if the detection result for the target content to be detected has not yet been obtained, moving the target content to be detected from the background detection queue to a real-time detection queue for malicious-behaviour detection and obtaining the detection result for the target content to be detected; the target content to be detected being one or more items of the content to be detected;
a third sending unit, for sending the target content to be detected to the client if the detection result for the target content to be detected is that no malicious behaviour was detected;
a fourth sending unit, for sending prompt information to the client if the detection result for the target content to be detected is that malicious behaviour was detected.
In one possible implementation, the malicious-behaviour detection comprises one or more of: known-malicious-code detection of the email attachment files, unknown-malicious-code detection of the email attachment files, and malicious-link detection of the links in the message body.
In one possible implementation, known-malicious-code detection of the email attachment files is performed by an antivirus module, unknown-malicious-code detection of the email attachment files is performed by a sandbox module, and malicious-link detection of the links in the message body is performed by a malicious-URL detection module.
In one possible implementation, the first sending unit is further for sending the mail to be detected directly to the client if no content to be detected is separated from the mail to be detected.
A computer-readable storage medium storing instructions which, when run on a terminal device, cause the terminal device to execute the above email processing method.
A computer program product which, when run on a terminal device, causes the terminal device to execute the above email processing method.
It can be seen that the embodiments of the present application have the following beneficial effects:
In the embodiments of the present application, when a server sends mail to a client, the mail gateway first obtains the mail as the mail to be detected. It then separates the content to be detected from the mail to be detected, replaces that content with risk-prompt information, generates a recombined mail and sends the recombined mail to the client. In other words, the email attachment files and/or the links in the message body are first separated out of the mail, so that an APT attack cannot reach the client through an attachment file or a link, and the client is kept safe. Moreover, the recombined mail contains, for the content to be detected in the mail to be detected, the corresponding access address on the mail gateway: if the content to be detected is safe, the user can obtain the attachment files and/or links through that access address; if it is unsafe, the user receives a risk prompt. Effective defence against APT attacks is thereby achieved.
Brief description of the drawings
Fig. 1 is a schematic frame diagram of an exemplary application scenario provided by an embodiment of the present application;
Fig. 2 is a flow chart of an email processing method provided by an embodiment of the present application;
Fig. 3 is a frame diagram of the email processing method provided by an embodiment of the present application;
Fig. 4 is a diagram of an example application scenario provided by an embodiment of the present application;
Fig. 5 is a structural diagram of an email processing device provided by an embodiment of the present application.
Detailed description
To make the above objects, features and advantages of the present application clearer and easier to understand, the embodiments of the present application are described in further detail below with reference to the accompanying drawings and specific embodiments.
To aid understanding of the technical solution provided by the present application, the background art of the application is explained first.
Because spear phishing is customised and precise, traditional security measures cannot stop such attacks. The consequences of a spear-phishing attack are also very serious: the attacker uses the stolen data to disclose business-sensitive information and manipulate markets. In addition, a spear-phishing attack can deploy large-scale malware to hijack computers and turn the network in which the computer sits into a large botnet usable for DoS (Denial of Service) attacks, seriously affecting network security.
Furthermore, APT attacks often use dedicated malware, that is, malware custom-built for a particular enterprise. Common antivirus software mainly detects known software and therefore cannot detect the malware used in APT attacks. Although a sandbox can detect unknown malware, its throughput is low, and applying it directly to the inspection of office-network mail consumes a great deal of resources. At the same time, APT attacks rely mainly on highly deceptive email that usually lacks the characteristics of spam, so traditional anti-spam technology cannot block it effectively. Moreover, not only attachments but also links in the message body may serve as means of exploitation. Finally, traditional malware detection is slow: whether detection is done on the client or on the server, it introduces access delay, and the safety of the mail cannot be judged in time.
On this basis, embodiments of the present application provide an email processing method and device. The mail gateway can be deployed between the client and the server; when the server sends mail to the client, the mail gateway first obtains the mail. It then separates the content to be detected from the mail and saves it, that is, it separates out the email attachment files and/or the links in the message body. It then replaces the content to be detected with risk-prompt information, generates a recombined mail using that information, and the mail gateway sends the recombined mail to the client. The risk-prompt information contains the access address on the mail gateway corresponding to the content to be detected in the mail to be detected: if the content to be detected is safe, the user can obtain the attachment files and/or links through that access address; if it is unsafe, the user receives a risk prompt. This prevents APT attacks from reaching the client through email attachment files and/or links and improves network security and user privacy.
Referring to Fig. 1, which is a schematic frame diagram of an exemplary application scenario provided by an embodiment of the present application, the method provided by the embodiment of the present application can be applied to the mail gateway 20.
In practical application, client 101 and client 102 can each initiate a connection request to server 30; mail gateway 20 first receives the request and forwards it to server 30. Server 30 accepts the connection and interacts with client 101 and client 102. When server 30 sends mail to client 101 and/or client 102, mail security gateway 20 obtains the mail sent by server 30, parses it, separates the content to be detected from the mail and saves it in the storage space of mail gateway 20. It then replaces the content to be detected in the mail with risk-prompt information, recombines the mail, and sends the recombined mail to client 101 and/or client 102.
It should be noted that mail gateway 20 can provide mail malicious-behaviour detection service for multiple clients at the same time. Mail gateway 20 can be deployed inside server 30, or in the network between client 101 and server 30. So as not to consume the resources of server 30, the mail gateway is normally deployed in the network between client 101 and server 30.
Those skilled in the art will understand that the schematic frame diagram shown in Fig. 1 is only one example in which the embodiments of the present application can be implemented; the scope of application of the embodiments is not limited by any aspect of this framework.
It should also be noted that client 101 and client 102 can be carried on terminals, where a terminal can be any user equipment, existing, under development or developed in the future, that can interact over any form of wired and/or wireless connection (for example Wi-Fi, LAN, cellular, coaxial cable, etc.), including but not limited to existing, under-development or future smart wearable devices, smart phones, non-smart mobile phones, tablet computers, laptop personal computers, desktop personal computers, minicomputers, medium-sized computers, mainframe computers, etc. The embodiments of the present application are not restricted in this regard. Likewise, server 30 can be any existing, under-development or future device that can provide mail service to users; the embodiments of the present application are not restricted in this regard either.
To aid understanding of the email processing method provided by the present application, the method is described below with reference to the drawings.
Referring to Fig. 2, which is a flow chart of an email processing method provided by an embodiment of the present application, the method is applied to a mail gateway and comprises:
S201: receiving mail to be detected that a server sends to a client.
In this embodiment, when the server sends mail to the client, the mail gateway first obtains the mail from the server and treats it as the mail to be detected.
It will be understood that, because the mail gateway is deployed between the client and the server, when the server sends mail to the client the mail gateway receives the mail first, processes it, and only then forwards it to the client, thereby protecting the client. In practice, the client initiates a connection request to the server; the mail gateway receives the connection request and forwards it to the server; the server responds to the connection request and sends mail to the client; the mail gateway therefore receives the mail first and treats it as the mail to be detected.
S202: separating content to be detected from the mail to be detected.
In this embodiment, after the mail gateway obtains the mail to be detected, it parses the mail, separates out the content to be detected, and can save that content in the storage space of the mail gateway so that the mail gateway can perform security detection on it.
Here the content to be detected comprises email attachment files and/or links in the message body, and an email attachment file may be any kind of file such as a document, a picture or a program. When the content to be detected comprises multiple email attachment files, the mail gateway separates each attachment file individually, obtaining multiple items of content to be detected; when it comprises multiple links, each link is separated individually, again obtaining multiple items. That is, each email attachment file and each link is one item of content to be detected.
In a specific implementation, the mail gateway can parse the mail to be detected according to the application-layer protocol of the email network and extract the content to be detected from it. Common application-layer protocols of the email network include the Simple Mail Transfer Protocol (SMTP), the Post Office Protocol (POP) and the Internet Mail Access Protocol (IMAP).
S203: replacing the content to be detected in the mail to be detected with risk-prompt information to generate a recombined mail, and sending the recombined mail to the client.
In this embodiment, after the mail gateway separates out the content to be detected, it replaces that content with risk-prompt information, which warns the client user that the content of the original mail may carry a risk of attack. It then generates the recombined mail from the risk-prompt information and sends the recombined mail to the client.
The risk-prompt information contains the access address on the mail gateway corresponding to the content to be detected in the mail to be detected. When the user views the mail, the user sees the risk-prompt information and can decide, according to business need, whether to visit that address to request the content to be detected.
It should be noted that when the content to be detected comprises multiple items, each item corresponds to its own access address. That is, when the content to be detected comprises multiple email attachment files, each attachment file corresponds to one access address; and/or when it comprises multiple links, each link corresponds to one access address, so that the user can request a given item through that item's own access address. For example, if the content to be detected comprises email attachment file 1, email attachment file 2, link 3 and link 4, then email attachment file 1 corresponds to access address 1, email attachment file 2 to access address 2, link 3 to access address 3 and link 4 to access address 4. The user can then click access address 1 to request to view email attachment file 1, or click access address 3 to request to view link 3.
From the above embodiment it can be seen that when the server sends mail to the client, the mail gateway first obtains the mail as the mail to be detected. It then separates the content to be detected from the mail to be detected, replaces that content with risk-prompt information, generates a recombined mail and sends the recombined mail to the client. In other words, the email attachment files and/or the links in the message body are first separated out of the mail, so that an APT attack cannot reach the client through an attachment file or a link, and the client is kept safe.
In the embodiments of the present application, after the mail gateway separates out the content to be detected, it can perform malicious-behaviour detection on the saved content, obtain the detection result and save it; the user can then obtain the detection result by clicking the access address to request to view the content. The malicious-behaviour detection can comprise one or more of: known-malicious-code detection of the email attachment files, unknown-malicious-code detection of the email attachment files, and malicious-link detection of the links in the message body.
In one possible implementation, known-malicious-code detection of the email attachment files can be performed by an antivirus module, unknown-malicious-code detection of the email attachment files by a sandbox module, and malicious-link detection of the links in the message body by a malicious-URL detection module.
That is, in practice the antivirus module performs known-malicious-code detection on every type of attachment file in the mail, the sandbox module performs unknown-malicious-code detection on every type of attachment file in the mail, and the malicious-URL detection module performs malicious-link detection on the links in the mail, yielding the detection result.
To make it easier for the mail gateway to detect every type of content to be detected, the email attachment files and the links in the message body can be detected separately: the attachment files are added to an attachment-file detection queue and the links to a link detection queue, so that the mail gateway can detect different types of content at the same time and then combine the results of the two detection queues into an overall detection result.
In one possible implementation, when the client user wants to view the content to be detected, the user can click the access address in the mail. The mail gateway, in response to the view request for the target content to be detected sent by the client by triggering the access address, obtains the detection result for the target content: if the result is that no malicious behaviour was detected, it sends the target content to the client; if the result is that malicious behaviour was detected, it sends prompt information to the client. Here the target content to be detected is one or more items of the content to be detected.
It will be understood that if the mail gateway finds that the target content the user wants to view is malicious, it returns safety prompt information telling the user that the target content contains malicious content and cannot be downloaded; if the target content is safe, it returns to the user the access address for downloading the email attachment file and/or the link in the message body, so that the user can download and view it.
To ensure that the user obtains the detection result of the content to be detected in real time, the mail gateway can detect using grouped queues: a real-time detection queue and a background detection queue. The mail gateway detects the content in the real-time detection queue first, and only when the real-time detection queue is empty does it detect the content in the background detection queue. Specifically, when the mail gateway receives a view request for target content to be detected, sent by the client by triggering the access address, and the detection result for that target content has not yet been obtained, it moves the target content from the background detection queue to the real-time detection queue for malicious-behaviour detection and obtains the detection result; if the result is that no malicious behaviour was detected, it sends the target content to the client; if malicious behaviour was detected, it sends prompt information to the client. Here the target content to be detected is one or more items of the content to be detected.
In a specific implementation, when the user clicks the access address corresponding to the target content in the mail to view the detection result and that result has not yet been obtained, the scheduling module of the mail gateway immediately moves the target content from the background detection queue to the real-time detection queue and immediately performs malicious-behaviour detection on it with the antivirus module, the sandbox module and the malicious-URL detection module to obtain the detection result.
It should be noted that showing that this is to be checked when Mail Gateway does not isolate content to be detected from mail to be detected Mail security is surveyed, mail to be detected is directly sent to client.Wherein, not isolating content to be detected is mail to be detected In do not include in email attachment file and message body also do not include link.For example, the mail of plain text.
In the embodiment of the present application, if detection obtains content to be detected as safety, user can pass through the access Location obtains the attachment files and/or link;If detection obtain content to be detected be it is dangerous, to user carry out risk mention Show, to realize effectively defence APT attack.
For ease of understanding, mail treatment frame diagram shown in Figure 3, Mail Gateway get the mail of server transmission Afterwards, which is parsed, and judges whether the mail includes content to be detected;If in mail not including Email attachment text Part and message body do not include linking, then mail are directly sent to client.If in mail include email attachment file and/ Or link, then email attachment file and/or linking separated are come out.Then indicating risk information is replaced with, by the postal after recombination Part is sent to client.Mail Gateway dispatches antivirus module, malice network address detection module and sandbox module to isolating simultaneously Email attachment file and/or link carry out malicious act detection.When user by the access address in indicating risk information into When row is checked, if testing result is not detect malicious act, email attachment file and/or link are sent to client End;If result to be detected is to detect malicious act, prompt information is sent to client.
Referring to Figure 4, which is an application scenario example diagram provided by the embodiments of the present application, the client and the server can transmit mail through the mail gateway. The mail gateway may include a mail parsing module, a mail recombination module, a threat detection scheduling module, an antivirus module, a sandbox module and a malicious URL detection module.
Mail parsing module: by analysing the network application-layer protocol of the mail to be detected, it parses the contents of the mail to be detected and extracts the content to be detected, which includes links in the message body, attachment files and the like, for subsequent processing.
Mail recombination module: it replaces the content to be detected, namely the links in the message body and the email attachments, with access addresses pointing into the mail security gateway, restores the message body content to generate the recombined mail, and sends the recombined mail to the client over the network in the form of the mail protocol.
Threat detection scheduling module: it adds the content to be detected extracted from the mail to the background detection queue to await detection. When the user clicks an access address in the mail, the threat detection scheduling module can also immediately move the corresponding content to be detected to the real-time detection queue for immediate detection.
Antivirus module: it can perform known malicious code detection on attachments of all types, preferentially detecting the content in the real-time detection queue and, when the real-time detection queue is empty, detecting the content in the background detection queue.
Sandbox module: it can perform unknown malicious code detection on attachments of all types, preferentially detecting the content in the real-time detection queue and, when the real-time detection queue is empty, detecting the content in the background detection queue.
Malicious URL detection module: it can perform malicious URL detection on the links in the mail, preferentially detecting the content in the real-time detection queue and, when the real-time detection queue is empty, detecting the content in the background detection queue.
From the above it can be seen that, in the embodiment of the present application, the mail gateway can be deployed outside the mail server and the client, and occupies no mail server or client resources. Moreover, for the malicious URLs and dedicated mail-attachment trojans frequently used in APT attacks, corresponding effective detection means are available, and the user is given a risk prompt. In addition, the grouped-queue detection mode is used for the content to be detected in the mail, which makes full use of detection resources and ensures both that the client quickly receives the mail text and that the content to be detected can be accessed immediately in real time.
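The separation, recombination and two-queue scheduling described above, as an added example in Python; this is not the patent's code, and the gateway address, the stand-in `detect` function (standing in for the antivirus, sandbox and malicious-URL modules) and the sample mail are constructed assumptions.

```python
import email
import hashlib
import re
from collections import deque
from email.message import EmailMessage
from email.policy import default

# Constructed sample mail: a text body containing a link plus one binary attachment.
RAW_MAIL = (
    "From: sender@example.test\r\nTo: user@example.test\r\n"
    "Subject: invoice\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="B"\r\n\r\n'
    "--B\r\nContent-Type: text/plain\r\n\r\n"
    "Please see http://files.example.test/inv.zip\r\n"
    "--B\r\nContent-Type: application/octet-stream\r\n"
    'Content-Disposition: attachment; filename="inv.exe"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\nTVqQAAMAAAAEAAAA\r\n--B--\r\n"
)
GATEWAY_BASE = "https://mail-gateway.internal/view/"  # hypothetical gateway access address
URL_RE = re.compile(r'https?://[^\s<>"]+')
BAD_HOSTS = {"evil.example.test"}                     # constructed URL reputation list


def detect(kind, payload):
    """Stand-in for the antivirus, sandbox and malicious-URL modules (constructed rules).
    Returns True when malicious behaviour is detected."""
    if kind == "link":
        return re.match(r"https?://([^/]+)", payload.decode()).group(1) in BAD_HOSTS
    return payload.startswith(b"MZ")  # attachment: treat a PE executable as malicious


class Gateway:
    def __init__(self):
        self.store = {}            # token -> {"kind", "payload", "result"}
        self.background = deque()  # background detection queue
        self.realtime = deque()    # real-time detection queue, always served first

    def _separate(self, kind, payload):
        """Hold one item for detection and return the access address that replaces it."""
        token = hashlib.sha256(payload).hexdigest()[:16]
        self.store[token] = {"kind": kind, "payload": payload, "result": None}
        self.background.append(token)
        return GATEWAY_BASE + token

    def recombine(self, raw):
        """Separate attachments and body links, replace them with access addresses and
        return the recombined mail; a mail with neither is returned unchanged."""
        msg = email.message_from_string(raw, policy=default)
        part = msg.get_body(preferencelist=("plain",))
        body = part.get_content() if part is not None else ""
        attachments = list(msg.iter_attachments())
        links = list(dict.fromkeys(URL_RE.findall(body)))
        if not attachments and not links:
            return msg
        for url in links:
            body = body.replace(url, self._separate("link", url.encode()))
        prompts = [f"[attachment {a.get_filename()} held for inspection: "
                   f"{self._separate('attachment', a.get_content())}]"
                   for a in attachments]
        out = EmailMessage()
        for name in ("From", "To", "Subject"):
            out[name] = str(msg[name])
        out.set_content(body.rstrip() + "\n" + "\n".join(prompts) + "\n")
        return out

    def run_one(self):
        """Detect one queued item, taking from the real-time queue before the background one."""
        queue = self.realtime or self.background
        if not queue:
            return None
        token = queue.popleft()
        entry = self.store[token]
        entry["result"] = detect(entry["kind"], entry["payload"])
        return token

    def view(self, token):
        """Handle the user's click on an access address."""
        entry = self.store[token]
        if entry["result"] is None:  # not yet scanned: promote to real-time and scan now
            for queue in (self.background, self.realtime):
                if token in queue:
                    queue.remove(token)
            self.realtime.appendleft(token)
            while entry["result"] is None:
                self.run_one()
        if entry["result"]:
            return "prompt", "malicious behaviour detected; content withheld"
        return "content", entry["payload"]
```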
Based on the above method embodiments, the present application further provides a mail processing device, which is described below with reference to the drawings.
Referring to Figure 5, which is a structural diagram of a mail processing device provided by the embodiments of the present application, as shown in Figure 5 the device may include:
a receiving unit 501, for receiving a mail to be detected sent by a server to a client;
a separation unit 502, for separating content to be detected from the mail to be detected, the content to be detected including an email attachment file and/or a link in the message body;
a first sending unit 503, for replacing the content to be detected in the mail to be detected with risk prompt information to generate a recombined mail, and sending the recombined mail to the client, the risk prompt information including the access address in the mail gateway corresponding to the content to be detected in the mail to be detected.
In one possible implementation, the device further includes:
a detection unit, for performing malicious behaviour detection on the content to be detected to obtain the detection result of the content to be detected.
In one possible implementation, the detection unit is configured to add the content to be detected to a background detection queue for malicious behaviour detection, obtaining the detection result of the content to be detected.
In one possible implementation, the device further includes:
an acquisition unit, for obtaining, in response to a viewing request for target content to be detected sent by the client by triggering the access address, the detection result of the target content to be detected, the target content to be detected being one or more items of the content to be detected;
a second sending unit, for sending the target content to be detected to the client if the detection result of the target content to be detected is that no malicious behaviour was detected;
a third sending unit, for sending prompt information to the client if the detection result of the target content to be detected is that malicious behaviour was detected.
In one possible implementation, the device further includes:
a moving unit, for, in response to a viewing request for target content to be detected sent by the client by triggering the access address, if the detection result of the target content to be detected has not yet been obtained, moving the target content to be detected from the background detection queue to a real-time detection queue for malicious behaviour detection, obtaining the detection result of the target content to be detected; the target content to be detected being one or more items of the content to be detected;
a third sending unit, for sending the target content to be detected to the client if the detection result of the target content to be detected is that no malicious behaviour was detected;
a fourth sending unit, for sending prompt information to the client if the detection result of the target content to be detected is that malicious behaviour was detected.
In one possible implementation, the malicious behaviour detection includes one or more of: known malicious code detection on the email attachment file, unknown malicious code detection on the email attachment file, and malicious link detection on the link in the message body.
In one possible implementation, known malicious code detection on the email attachment file is implemented by an antivirus module, unknown malicious code detection on the email attachment file is implemented by a sandbox module, and malicious link detection on the link in the message body is implemented by a malicious URL detection module.
In one possible implementation, the first sending unit is further configured to send the mail to be detected directly to the client if no content to be detected is separated from the mail to be detected.
It should be noted that, for the implementation of each unit or module in this embodiment, reference may be made to the implementations of Figures 1 to 4, which are not described again here.
In addition, the embodiments of the present application further provide a computer-readable storage medium in which instructions are stored; when the instructions run on a terminal device, they cause the terminal device to execute the above mail processing method.
The embodiments of the present application further provide a computer program product which, when run on a terminal device, causes the terminal device to execute the above mail processing method.
From the above embodiments it can be seen that when the server sends a mail to the client, the mail gateway first obtains the mail as the mail to be detected. It then separates the content to be detected from the mail to be detected, replaces that content with risk prompt information, generates the recombined mail, and sends the recombined mail to the client. That is, the email attachment file and/or the link in the message body is separated out first, which prevents an APT from attacking the client by means of an email attachment file and/or a link and guarantees the client's safety. Moreover, the recombined mail contains the access address in the mail gateway corresponding to the content to be detected in the mail to be detected; if the content to be detected is safe, the user can obtain the attachment file and/or link through the access address; if the content to be detected is unsafe, a risk prompt is given to the user, thereby effectively defending against APT attacks.
It should be noted that the embodiments in this specification are described in a progressive manner; each embodiment focuses on its differences from the other embodiments, and the same or similar parts of the embodiments may be referred to one another. For the system or device disclosed in the embodiments, since it corresponds to the method disclosed in the embodiments, its description is relatively simple, and relevant points may be found in the description of the method part.
It should be understood that in this application, "at least one (item)" means one or more, and "multiple" means two or more. "And/or" is used to describe the association between associated objects and indicates that three relationships may exist; for example, "A and/or B" can mean: only A exists, only B exists, and both A and B exist, where A and B can be singular or plural. The character "/" generally indicates an "or" relationship between the associated objects before and after it. "At least one of the following (items)" or similar expressions refer to any combination of these items, including any combination of a single item or of multiple items. For example, at least one of a, b or c can mean: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where a, b and c can each be single or multiple.
It should also be noted that, herein, relational terms such as first and second are used merely to distinguish one entity or operation from another entity or operation, without necessarily requiring or implying any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or further includes elements inherent to such a process, method, article or device. In the absence of further restrictions, an element defined by the phrase "including a ..." does not exclude the existence of other identical elements in the process, method, article or device that includes the element.
The steps of the method or algorithm described in conjunction with the embodiments disclosed herein can be implemented directly in hardware, in a software module executed by a processor, or in a combination of the two. The software module can reside in random access memory (RAM), memory, read-only memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium well known in the technical field.
The foregoing description of the disclosed embodiments enables those skilled in the art to implement or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the general principles defined herein may be implemented in other embodiments without departing from the spirit or scope of the present application. Therefore, the present application is not intended to be limited to the embodiments shown herein, but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (10)

1. A mail processing method, characterized in that the method is applied to a mail gateway and comprises:
receiving a mail to be detected sent by a server to a client;
separating content to be detected from the mail to be detected, the content to be detected comprising an email attachment file and/or a link in the message body;
replacing the content to be detected in the mail to be detected with risk prompt information to generate a recombined mail, and sending the recombined mail to the client, the risk prompt information comprising the access address in the mail gateway corresponding to the content to be detected in the mail to be detected.
2. The method according to claim 1, characterized in that the method further comprises:
performing malicious behaviour detection on the content to be detected to obtain the detection result of the content to be detected.
3. The method according to claim 2, characterized in that performing malicious behaviour detection on the content to be detected to obtain the detection result of the content to be detected comprises:
adding the content to be detected to a background detection queue for malicious behaviour detection, obtaining the detection result of the content to be detected.
4. The method according to claim 2 or 3, characterized in that the method further comprises:
in response to a viewing request for target content to be detected sent by the client by triggering the access address, obtaining the detection result of the target content to be detected, the target content to be detected being one or more items of the content to be detected;
if the detection result of the target content to be detected is that no malicious behaviour was detected, sending the target content to be detected to the client;
if the detection result of the target content to be detected is that malicious behaviour was detected, sending prompt information to the client.
5. The method according to claim 3, characterized in that the method further comprises:
in response to a viewing request for target content to be detected sent by the client by triggering the access address, if the detection result of the target content to be detected has not yet been obtained, moving the target content to be detected from the background detection queue to a real-time detection queue for malicious behaviour detection, obtaining the detection result of the target content to be detected; the target content to be detected being one or more items of the content to be detected;
if the detection result of the target content to be detected is that no malicious behaviour was detected, sending the target content to be detected to the client;
if the detection result of the target content to be detected is that malicious behaviour was detected, sending prompt information to the client.
6. The method according to claim 2, characterized in that the malicious behaviour detection comprises one or more of: known malicious code detection on the email attachment file, unknown malicious code detection on the email attachment file, and malicious link detection on the link in the message body.
7. The method according to claim 1, characterized in that the method further comprises:
if no content to be detected is separated from the mail to be detected, sending the mail to be detected directly to the client.
8. A mail processing device, characterized in that the device is applied to a mail gateway and comprises:
a receiving unit, for receiving a mail to be detected sent by a server to a client;
a separation unit, for separating content to be detected from the mail to be detected, the content to be detected comprising an email attachment file and/or a link in the message body;
a first sending unit, for replacing the content to be detected in the mail to be detected with risk prompt information to generate a recombined mail, and sending the recombined mail to the client, the risk prompt information comprising the access address in the mail gateway corresponding to the content to be detected in the mail to be detected.
9. A computer-readable storage medium, characterized in that instructions are stored in the computer-readable storage medium, and when the instructions run on a terminal device, they cause the terminal device to execute the mail processing method according to any one of claims 1 to 7.
10. A computer program product, characterized in that when the computer program product runs on a terminal device, it causes the terminal device to execute the mail processing method according to any one of claims 1 to 7.
CN201811564850.9A 2018-12-20 2018-12-20 A kind of email processing method, device and storage equipment, program product Pending CN109672607A (en)


Publications (1)

Publication Number Publication Date
CN109672607A true CN109672607A (en) 2019-04-23


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190423