CN111262831A - Phishing mail detection method, device, equipment and computer readable storage medium - Google Patents
Publication number: CN111262831A (application number CN202010016028.XA)
Authority: CN (China)
Prior art keywords: detected, phishing, attachment, detection
Legal status: Pending (as listed by Google Patents; the status is an assumption, not a legal conclusion)
Classifications (all under H, Electricity; H04, Electric communication technique; H04L, Transmission of digital information, e.g. telegraphic communication)
- H04L63/1483: Network architectures or network communication protocols for network security (H04L63/00); for detecting or protecting against malicious traffic (H04L63/14); countermeasures against malicious traffic (H04L63/1441); service impersonation, e.g. phishing, pharming or web spoofing
- H04L51/08: User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail (H04L51/00); characterised by the inclusion of specific contents (H04L51/07); annexed information, e.g. attachments
- H04L51/42: User-to-user messaging in packet-switching networks, e.g. e-mail (H04L51/00); mailbox-related aspects, e.g. synchronisation of mailboxes
Abstract
The invention discloses a phishing mail detection method, a phishing mail detection device, phishing mail detection equipment and a computer readable storage medium. The phishing mail detection method comprises the following steps: acquiring a mail to be detected, and detecting whether the mail to be detected contains an attachment or not; if the mail to be detected contains the attachment, acquiring the file attribute type of the attachment; detecting the attachment according to the file attribute type to obtain a first detection result; and judging whether the mail to be detected is a phishing mail or not according to the first detection result. The invention can solve the problem of poor accuracy of the existing phishing mail detection result.
Description
Technical Field
The invention relates to the technical field of e-mail detection, in particular to a phishing mail detection method, device and equipment and a computer readable storage medium.
Background
Attachment phishing is a common form of phishing attack. Attackers send carefully forged mail carrying malicious attachments to the victim's mailbox server and induce the victim to download and open the attachment; the malware then executes and takes control of the victim's machine. Such attachments often carry exploitation and lateral-movement capabilities, so once the victim's host is compromised the malware spreads across the intranet and can ultimately paralyse the whole network.
For phishing mails carrying malicious attachments, the common safeguard today is to deploy an anti-virus mail gateway or an attachment sandbox at the mail entry point. A signature-based anti-virus gateway cannot handle new malware or script attachments, its signature database is only as current as its last update, and attackers routinely test their phishing attachments against common gateways and modify them until they are no longer detected (AV evasion), so the attachments bypass the gateway easily. Attachment sandboxes are slow: every detonation requires an execution environment to be created and destroyed, which limits throughput. In addition, much malware now uses anti-debugging and anti-sandbox techniques, so the sandbox cannot reliably identify the malicious attachment and misses it.
The existing phishing mail detection methods therefore miss detections, and the accuracy of their results is poor.
Disclosure of Invention
The invention mainly aims to provide a phishing mail detection method, a device, equipment and a computer readable storage medium, aiming at solving the problem of poor accuracy of the existing phishing mail detection result.
In order to achieve the above object, the present invention provides a phishing mail detection method comprising:
acquiring a mail to be detected, and detecting whether the mail to be detected contains an attachment or not;
if the mail to be detected contains the attachment, acquiring the file attribute type of the attachment;
detecting the attachment according to the file attribute type to obtain a first detection result;
and judging whether the mail to be detected is a phishing mail or not according to the first detection result.
Optionally, the step of detecting whether the mail to be detected contains an attachment includes:
filtering the mail to be detected based on a preset filtering rule, and detecting whether the mail to be detected after filtering contains an attachment or not;
wherein the preset filtering rule comprises at least one of the following:
filtering out mail to be detected whose mail protocol is a preset mail protocol; filtering out mail to be detected whose source Internet Protocol (IP) address and destination IP address do not meet a first preset condition; and filtering out mail to be detected whose sender domain name belongs to a preset whitelist of domain names.
Optionally, if the file attribute type is an office document, the step of detecting the attachment according to the file attribute type to obtain a first detection result includes:
and detecting whether the attachment contains a macro object, to obtain a first detection sub-result.
Optionally, if the file attribute type is a portable executable PE file, the step of detecting the attachment according to the file attribute type to obtain a first detection result includes:
and detecting whether the attachment contains a preset characteristic field block, to obtain a second detection sub-result.
Optionally, if the file attribute type is other types except for an office document and a PE file, the step of detecting the attachment according to the file attribute type to obtain a first detection result includes:
acquiring a mail protocol of the mail to be detected, and acquiring a file attribute field in the mail protocol through a preset matching rule;
and detecting whether the content corresponding to the file attribute field is matched with the file attribute type of the attachment or not to obtain a third detection sub-result.
Optionally, before the step of determining whether the mail to be detected is a phishing mail according to the first detection result, the method further includes:
acquiring the attachment name of the attachment, and detecting whether the attachment name meets a second preset condition, to obtain a second detection result;
wherein the second preset condition comprises at least one of:
the attachment name does not contain Chinese characters, the attachment name contains a first preset word, and the suffix of the attachment name is a preset suffix;
the step of judging whether the mail to be detected is a phishing mail according to the first detection result comprises the following steps:
and judging whether the mail to be detected is a phishing mail or not according to the first detection result and the second detection result.
Optionally, before the step of determining whether the mail to be detected is a phishing mail according to the first detection result, the method further includes:
acquiring a subject name of the mail to be detected, and detecting whether the subject name meets a third preset condition to obtain a third detection result;
wherein the third preset condition comprises at least one of:
the subject name does not contain preset specific characters, the subject name is inconsistent with the attachment name, and the subject name contains a second preset word;
the step of judging whether the mail to be detected is a phishing mail according to the first detection result comprises the following steps:
and judging whether the mail to be detected is a phishing mail or not according to the first detection result and the third detection result.
Further, to achieve the above object, the present invention also provides a phishing mail detecting device comprising:
the first detection module is used for acquiring the mail to be detected and detecting whether the mail to be detected contains an attachment or not;
the acquisition module is used for acquiring the file attribute type of the attachment if the mail to be detected contains the attachment;
the second detection module is used for detecting the attachment according to the file attribute type to obtain a first detection result;
and the judging module is used for judging whether the mail to be detected is a phishing mail according to the first detection result.
Further, to achieve the above object, the present invention also provides phishing mail detection equipment comprising a memory, a processor, and a phishing mail detection program stored in the memory and runnable on the processor, wherein the phishing mail detection program, when executed by the processor, implements the steps of the phishing mail detection method described above.
Further, to achieve the above object, the present invention also provides a computer-readable storage medium having stored thereon a phishing mail detection program which, when executed by a processor, implements the steps of the phishing mail detection method as described above.
The invention provides a phishing mail detection method, device, equipment and computer-readable storage medium. A mail to be detected is acquired and checked for an attachment; if it contains one, the file attribute type of the attachment is acquired; the attachment is examined according to that file attribute type to obtain a first detection result; and whether the mail is a phishing mail is judged from the first detection result. Because the embodiment starts from the format of the attachment itself, the mail can be examined quickly according to the attachment's file attribute type to decide whether it is a phishing mail. Compared with the anti-virus mail gateway of the prior art, the method does not depend on the timeliness of signature database updates, improves the ability to detect and perceive phishing attachments, covers the detection blind spots of anti-virus gateway equipment, can avoid missed detections, and improves the accuracy of the detection result.
Drawings
FIG. 1 is a schematic diagram of an apparatus architecture of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flow chart illustrating a phishing mail detection method according to a first embodiment of the present invention;
fig. 3 is a functional block diagram of a phishing mail detecting device according to a first embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Referring to fig. 1, fig. 1 is a schematic device structure diagram of a hardware operating environment according to an embodiment of the present invention.
The phishing mail detection device in the embodiment of the invention can be a server, and can also be a terminal device such as a Personal Computer (PC), a tablet computer, a portable computer and the like.
As shown in fig. 1, the phishing mail detection apparatus may include: a processor 1001, such as a CPU, a communication bus 1002, a user interface 1003, a network interface 1004, and a memory 1005. Wherein a communication bus 1002 is used to enable connective communication between these components. The user interface 1003 may include a Display screen (Display), an input unit such as a Keyboard (Keyboard), and the optional user interface 1003 may also include a standard wired interface, a wireless interface. The network interface 1004 may optionally include a standard wired interface, a wireless interface (e.g., a Wi-Fi interface). The memory 1005 may be a high-speed RAM memory or a non-volatile memory (e.g., a magnetic disk memory). The memory 1005 may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the configuration of the phishing mail detection apparatus shown in fig. 1 does not constitute a limitation of the phishing mail detection apparatus and may include more or fewer components than those shown, or some components in combination, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a kind of computer storage medium, may include therein an operating system, a network communication module, a user interface module, and a phishing detection program.
In the terminal shown in fig. 1, the network interface 1004 is mainly used for connecting to a backend server and performing data communication with the backend server; the user interface 1003 is mainly used for connecting a client and performing data communication with the client; and the processor 1001 may be configured to call the phishing mail detection program stored in the memory 1005 and perform the following operations:
acquiring a mail to be detected, and detecting whether the mail to be detected contains an attachment or not;
if the mail to be detected contains the attachment, acquiring the file attribute type of the attachment;
detecting the attachment according to the file attribute type to obtain a first detection result;
and judging whether the mail to be detected is a phishing mail or not according to the first detection result.
Further, the processor 1001 may call the phishing detection program stored in the memory 1005, and also perform the following operations:
filtering the mail to be detected based on a preset filtering rule;
wherein the preset filtering rule comprises at least one of the following:
filtering out mail to be detected whose mail protocol is a preset mail protocol, filtering out mail to be detected whose source Internet Protocol (IP) address and destination IP address do not meet a first preset condition, and filtering out mail to be detected whose sender domain name belongs to a preset whitelist of domain names;
and detecting whether the filtered mail to be detected contains the attachment.
Further, if the file attribute type is an office document, the processor 1001 may call a phishing mail detection program stored in the memory 1005, and further perform the following operations:
and detecting whether the attachment contains a macro object, to obtain a first detection sub-result.
Further, if the file attribute type is a portable executable PE file, the processor 1001 may call the phishing mail detection program stored in the memory 1005, and further perform the following operations:
and detecting whether the attachment contains a preset characteristic field block, to obtain a second detection sub-result.
Further, if the file attribute type is other than the office document and the PE file, the processor 1001 may call the phishing mail detection program stored in the memory 1005, and further perform the following operations:
acquiring a mail protocol of the mail to be detected, and acquiring a file attribute field in the mail protocol through a preset matching rule;
and detecting whether the content corresponding to the file attribute field is matched with the file attribute type of the attachment or not to obtain a third detection sub-result.
Further, the processor 1001 may call the phishing detection program stored in the memory 1005, and also perform the following operations:
acquiring the attachment name of the attachment, and detecting whether the attachment name meets a second preset condition, to obtain a second detection result;
wherein the second preset condition comprises at least one of:
the attachment name does not contain Chinese characters, the attachment name contains a first preset word, and the suffix of the attachment name is a preset suffix;
and judging whether the mail to be detected is a phishing mail or not according to the first detection result and the second detection result.
Further, the processor 1001 may call the phishing detection program stored in the memory 1005, and also perform the following operations:
acquiring a subject name of the mail to be detected, and detecting whether the subject name meets a third preset condition to obtain a third detection result;
wherein the third preset condition comprises at least one of:
the subject name does not contain preset specific characters, the subject name is inconsistent with the attachment name, and the subject name contains a second preset word;
and judging whether the mail to be detected is a phishing mail or not according to the first detection result and the third detection result.
The specific implementation of the phishing mail detection device of the invention is basically the same as that of each embodiment of the phishing mail detection method described below, and the detailed description is omitted here.
Based on the hardware structure, the invention provides various embodiments of the phishing mail detection method.
The invention provides a phishing mail detection method.
Referring to fig. 2, fig. 2 is a flowchart illustrating a phishing mail detection method according to a first embodiment of the present invention.
In this embodiment, the phishing mail detection method includes:
step S10, acquiring a mail to be detected, and detecting whether the mail to be detected contains an attachment;
the phishing mail detection method of the embodiment is realized by a phishing mail detection device, and the device takes a server as an example for description.
In this embodiment, a mail traffic auditing module may be deployed out of band (in bypass mode) on the client's mail traffic, so that the mail data stream is mirrored from the passing traffic and examined without sitting in the delivery path. Specifically, the mail to be detected is acquired and checked for an attachment. Because this embodiment decides whether the mail is a phishing mail from its attachment, the presence of an attachment must be established first. This can be done by checking whether the attachment field of the mail is empty: if it is empty, the mail is judged to contain no attachment; if it is not empty, the mail is judged to contain an attachment.
Step S20, if the mail to be detected contains an attachment, acquiring the file attribute type of the attachment;
If the mail to be detected contains an attachment, the file attribute type of the attachment is acquired. The file attribute type may be a MIME (Multipurpose Internet Mail Extensions) type, and this embodiment is described taking the MIME type as the example. A MIME type is a label that identifies the format of a file or of a message body part; a mail client or browser uses it to choose the application that opens the content, and in a mail it is carried in the Content-Type header of each MIME part.
The MIME type can be obtained from the characteristic field in the file header (the magic bytes) or by content identification. For files with a regular structure, such as Office documents and PE (Portable Executable) files, the characteristic field in the attachment's file header identifies the MIME type simply and accurately; for other files, such as text and script files, the MIME type is obtained by content identification. Office documents include Word, Excel and PowerPoint documents. PE files are program files on the Microsoft Windows operating system; the common EXE, DLL, OCX and SYS files are all PE files, whereas a DOS .com file is a headerless raw binary and has to be treated as a plain executable rather than parsed as PE. Content identification may consist of detecting whether a preset PHP (PHP: Hypertext Preprocessor) function, a preset field or a preset keyword is present in the attachment content; if so, the MIME type is determined to be a type other than Office document and PE file.
In addition, if the mail to be detected does not contain the attachment, the mail to be detected is judged not to be a phishing mail.
Step S30, detecting the attachment according to the file attribute type to obtain a first detection result;
and step S40, judging whether the mail to be detected is a phishing mail according to the first detection result.
And then, detecting the attachment according to the file attribute type, namely detecting the attachment according to the MIME type to obtain a first detection result, and further judging whether the mail to be detected is a phishing mail according to the first detection result.
As an embodiment, if the file attribute type is an office document, step S30 includes:
step a1, detecting whether the attachment contains a macro object, to obtain a first detection sub-result.
If the file attribute type is an Office document, i.e. the MIME type is an Office document, whether the attachment contains a Macro object is detected, to obtain the first detection sub-result. If the attachment contains a macro object, the mail to be detected is judged to be a phishing mail; if it does not, the mail is judged not to be a phishing mail.
It should be noted that, for a malicious phishing attachment of the Office document class, this method treats macro code as the necessary condition: the attacker writes the attack payload into a macro code block of the Office document to carry out the attack. Since Office documents have a fixed structure, whether the mail to be detected is a phishing mail can be judged by searching the document for a macro object (i.e. a macro code block).
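Checking an Office attachment for a macro object, as an added example (not the patent's code): the block opens OOXML packages with the standard library and looks for the vbaProject.bin part, and scans legacy OLE2 files for the UTF-16LE `_VBA_PROJECT` stream name; the marker-scan heuristic and the constructed sample files are assumptions of this example. One caveat the patent's rule does not state: a document without macros can still be malicious (embedded objects, exploits against the document parser), so a negative result here clears only the macro check.

```python
"""Macro-object check for Office attachments (added example, not the patent's code).

  * OOXML (.docx/.docm/.xlsm/.pptm) is a ZIP package. A VBA project is stored as a
    part named vbaProject.bin (e.g. word/vbaProject.bin) whatever the extension says,
    so a .docm renamed to .docx is still caught.
  * Legacy OLE2 (.doc/.xls/.ppt) is a compound file. VBA projects always contain a
    stream named _VBA_PROJECT, and OLE2 directory entries store names as
    null-terminated UTF-16LE. Scanning the raw bytes for that encoded name is a
    heuristic assumed here; a full directory walk needs an OLE parser (e.g. olefile).
"""
import io
import zipfile

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"
ZIP_MAGIC = b"PK\x03\x04"
# "_VBA_PROJECT" as it appears in an OLE2 directory entry (UTF-16LE plus terminator).
OLE_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le") + b"\x00\x00"


def ooxml_has_macro(data: bytes) -> bool:
    """True if any part of the OOXML package is a VBA project binary."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())


def ole2_has_macro(data: bytes) -> bool:
    """Heuristic: a _VBA_PROJECT directory entry is present in the compound file."""
    return OLE_VBA_MARKER in data


def office_has_macro(data: bytes) -> bool:
    """Dispatch on the container magic; under the patent's rule a hit means phishing."""
    if data.startswith(ZIP_MAGIC):
        return ooxml_has_macro(data)
    if data.startswith(OLE2_MAGIC):
        return ole2_has_macro(data)
    raise ValueError("not an OLE2 or OOXML container")


# Constructed samples: not real Word files, just enough structure to exercise the checks.

def build_ooxml(with_macro: bool) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x01\x16\x01\x00placeholder-vba-stream")
    return buf.getvalue()


def build_ole2(with_macro: bool) -> bytes:
    # 512-byte header-sized stub followed by a fake 128-byte directory entry.
    body = OLE2_MAGIC + b"\x00" * 504
    if with_macro:
        body += OLE_VBA_MARKER + b"\x00" * (128 - len(OLE_VBA_MARKER))
    return body


if __name__ == "__main__":
    for label, blob in (("docx", build_ooxml(False)), ("docm", build_ooxml(True)),
                        ("doc", build_ole2(False)), ("doc+vba", build_ole2(True))):
        print(f"{label:8s} macro={office_has_macro(blob)}")
```

The OOXML test is exact (the part name is how Office itself locates the project); the OLE2 test can false-positive on a file that merely contains that UTF-16 string, so treat it as a triage signal and confirm with a real OLE parser before acting on it.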
As an embodiment, if the file attribute type is a portable executable PE file, step S30 includes:
step a2, detecting whether the attachment contains a preset characteristic field block, to obtain a second detection sub-result.
If the file attribute type is a PE file, i.e. the MIME type is a PE file, whether the attachment contains a preset characteristic field block is detected, to obtain the second detection sub-result. If the attachment contains the preset characteristic field block, the mail to be detected is judged to be a phishing mail; if it does not, the mail is judged not to be a phishing mail.
It should be noted that, to evade the anti-virus mail gateway, phishing attachments are usually packed; packing hides the real program entry point, so that the anti-virus gateway or engine cannot detect the payload effectively. After packing, different packers leave different characteristic field blocks in the attachment file (packer-specific section names, for example), so whether the attachment is packed can be judged by searching it for a preset characteristic field block, and from that whether the mail to be detected is a phishing mail.
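Looking for packer residue in a PE attachment, as an added example (not the patent's code): the block walks the DOS and COFF headers to the section table, matches section names against a short list of well-known packer names, and also flags sections whose byte entropy is close to 8 bits per byte, which compressed or encrypted code produces. The `PACKER_SECTION_NAMES` table, the entropy threshold and the constructed `build_pe` images are this example's assumptions.

```python
"""Packer indicators in a PE attachment (added example, not the patent's code):
packer-specific section names, i.e. the "characteristic field blocks" the patent
looks for, plus per-section entropy. The name table and the 7.0 bits/byte threshold
are assumptions; a production list of packer signatures is far longer."""
import math
import struct
from collections import Counter
from typing import List, Tuple

PACKER_SECTION_NAMES = {
    b"UPX0": "UPX", b"UPX1": "UPX", b"UPX2": "UPX",
    b".aspack": "ASPack", b".adata": "ASPack",
    b".petite": "Petite",
    b".MPRESS1": "MPRESS", b".MPRESS2": "MPRESS",
    b".themida": "Themida",
    b".vmp0": "VMProtect", b".vmp1": "VMProtect",
    b".nsp0": "NsPack", b".nsp1": "NsPack",
    b"pec1": "PECompact", b"PEC2": "PECompact",
}


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniform random data)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_sections(data: bytes) -> List[Tuple[bytes, int, int]]:
    """DOS header -> PE signature -> COFF header -> section table.
    Returns (name, PointerToRawData, SizeOfRawData) for each section."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size                 # section table follows the optional header
    sections = []
    for i in range(num_sections):
        name, _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        sections.append((name.rstrip(b"\x00"), raw_ptr, raw_size))
    return sections


def packer_indicators(data: bytes, entropy_threshold: float = 7.0) -> List[str]:
    hits = []
    for name, raw_ptr, raw_size in parse_sections(data):
        label = name.decode("ascii", errors="replace")
        if name in PACKER_SECTION_NAMES:
            hits.append(f"section {label}: {PACKER_SECTION_NAMES[name]} signature")
        ent = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
        if raw_size and ent >= entropy_threshold:
            hits.append(f"section {label}: entropy {ent:.2f}")
    return hits


def is_packed(data: bytes) -> bool:
    return bool(packer_indicators(data))


def build_pe(sections: List[Tuple[bytes, bytes]]) -> bytes:
    """Constructed minimal PE32 image (DOS header, COFF header, zeroed optional header,
    section table, raw section data). Not loadable; enough for the parser above."""
    opt_size = 224                                    # PE32 optional header size
    file_align = 0x200
    headers_len = 0x40 + 4 + 20 + opt_size + 40 * len(sections)
    raw_start = (headers_len + file_align - 1) // file_align * file_align
    dos = b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)      # PE32 magic
    table, blob, ptr = b"", b"", raw_start
    for name, payload in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\x00"), len(payload), 0x1000,
                             len(payload), ptr, 0, 0, 0, 0, 0x60000020)
        blob += payload
        ptr += len(payload)
    image = dos + b"PE\x00\x00" + coff + optional + table
    return image + b"\x00" * (raw_start - len(image)) + blob


# Constructed samples: ordinary-looking sections versus UPX-style sections with random-looking data.
PLAIN_PE = build_pe([(b".text", b"\x55\x8b\xec" * 40), (b".data", b"hello world\x00" * 8)])
PACKED_PE = build_pe([(b"UPX0", b"\x00" * 64), (b"UPX1", bytes(range(256)) * 4)])

if __name__ == "__main__":
    print("plain :", packer_indicators(PLAIN_PE))
    print("packed:", packer_indicators(PACKED_PE))
```

Section names are trivially renamed by an attacker, so the entropy measure is the more durable of the two signals; the patent's rule treats any hit as phishing, which will also flag legitimately packed installers, so in practice the result is better combined with the sender and name checks below.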
As an embodiment, if the file attribute type is other than the office document and the PE file, step S30 includes:
a3, acquiring a mail protocol of the mail to be detected, and acquiring a file attribute field in the mail protocol through a preset matching rule;
step a4, detecting whether the content corresponding to the file attribute field matches the file attribute type of the attachment, and obtaining a third detection sub-result.
If the file attribute type is a type other than Office document and PE file, i.e. the MIME type is neither of those, the mail protocol of the mail to be detected is acquired, and the file attribute field in the mail protocol, i.e. the MIME field (the declared Content-Type), is extracted with the preset matching rule, which may be a regular expression. Then whether the content of the MIME field matches the MIME type identified from the attachment itself is checked, to obtain the third detection sub-result. If the MIME field does not match the MIME type, the mail to be detected is judged to be a phishing mail; if it matches, the mail is judged not to be a phishing mail.
For example, if the attachment's actual MIME type is application/x-document but the MIME field in the mail protocol declares image/png, the mail exhibits MIME forgery: the attachment's type has been faked as that of a PNG image (the case in point being a PE file disguised as a PNG). The MIME field does not match the MIME type, so the mail to be detected is judged to be a phishing mail.
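Steps S10, S20 and a3/a4 in one runnable piece, as an added example (not the patent's code): parse a raw message with the standard library `email` package instead of a regular expression, identify each attachment's real type from its leading bytes or content, and compare that with the Content-Type the message declares for it, reproducing the executable-disguised-as-PNG case above on a constructed message. The `MAGIC` and `SCRIPT_MARKERS` tables, the type classes and the sample message are assumptions of this example.

```python
"""Attachment extraction, content-based type identification and declared-vs-actual
MIME comparison (added example, not the patent's code). The magic-byte table, the
script markers, the type classes and the sample message are this example's assumptions."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from typing import Dict, List

MAGIC = [  # (leading bytes, media-type label used here)
    (b"MZ", "application/x-msdownload"),                                  # PE / DOS executable
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "application/x-ole-storage"),  # legacy Office (OLE2)
    (b"PK\x03\x04", "application/zip"),                                  # ZIP, incl. OOXML
    (b"%PDF-", "application/pdf"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xFF\xD8\xFF", "image/jpeg"),
]
SCRIPT_MARKERS = [(b"<?php", "application/x-httpd-php"), (b"#!/", "text/x-script")]
OOXML_DIRS = ("word/", "xl/", "ppt/")
OFFICE = {"application/msword", "application/vnd.ms-excel", "application/vnd.ms-powerpoint",
          "application/x-ole-storage"}
PE = {"application/x-msdownload", "application/x-dosexec", "application/vnd.microsoft.portable-executable"}
ZIP = {"application/zip", "application/x-zip-compressed"}
COMPATIBLE = {("zip", "office")}   # an OOXML file declared as plain zip is not a forgery


def is_ooxml(data: bytes) -> bool:
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(n.startswith(OOXML_DIRS) for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def sniff(data: bytes) -> str:
    """File-header characteristic field first, content identification as the fallback."""
    for prefix, mtype in MAGIC:
        if data.startswith(prefix):
            if mtype == "application/zip" and is_ooxml(data):
                return "application/vnd.openxmlformats-officedocument"
            return mtype
    head = data[:4096].lower()
    for marker, mtype in SCRIPT_MARKERS:
        if marker in head:
            return mtype
    return "application/octet-stream"


def type_class(mtype: str) -> str:
    """Collapse media types into the classes that are compared for forgery."""
    m = mtype.lower()
    if m.startswith(("image/", "text/")):
        return m.split("/")[0]
    if m == "application/pdf":
        return "pdf"
    if "openxmlformats" in m or m in OFFICE:
        return "office"
    if m in PE:
        return "pe"
    if m in ZIP:
        return "zip"
    return "unknown"   # e.g. application/octet-stream makes no claim, so never mismatches


def file_attribute_type(data: bytes) -> str:
    """Step S20: 'office', 'pe' or 'other'."""
    cls = type_class(sniff(data))
    return cls if cls in ("office", "pe") else "other"


def has_attachment(raw: bytes) -> bool:
    """Step S10."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return any(True for _ in msg.iter_attachments())


def scan_attachments(raw: bytes) -> List[Dict]:
    """Steps a3/a4 for every attachment: declared Content-Type versus sniffed type."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        declared, actual = part.get_content_type(), sniff(data)
        dc, ac = type_class(declared), type_class(actual)
        forged = "unknown" not in (dc, ac) and dc != ac and (dc, ac) not in COMPATIBLE
        findings.append({"filename": part.get_filename(), "declared": declared, "actual": actual,
                         "category": file_attribute_type(data), "mime_forged": forged})
    return findings


def build_sample_mail() -> bytes:
    """Constructed message: a PE stub declared as image/png next to a genuine PNG header."""
    msg = EmailMessage()
    msg["From"] = "hr@example.com"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Salary adjustment"
    msg.set_content("Please review the attached files.")
    pe_stub = b"MZ" + b"\x00" * 62 + b"This program cannot be run in DOS mode."
    msg.add_attachment(pe_stub, maintype="image", subtype="png", filename="salary.png")
    msg.add_attachment(b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR", maintype="image", subtype="png",
                       filename="logo.png")
    return msg.as_bytes()


if __name__ == "__main__":
    for finding in scan_attachments(build_sample_mail()):
        print(finding)
```

The comparison is done on coarse classes rather than exact strings because legitimate clients declare the same file under several names (a .docx may arrive as `application/octet-stream`); the rule only fires when both sides make a definite and contradictory claim.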
Further, when the mail to be detected is judged to be the phishing mail, the warning processing can be carried out.
The embodiment of the invention provides a phishing mail detection method: a mail to be detected is acquired and checked for an attachment; if it contains one, the file attribute type of the attachment is acquired; the attachment is examined according to that file attribute type to obtain a first detection result; and whether the mail is a phishing mail is judged from the first detection result. Because the embodiment starts from the format of the attachment itself, the mail can be examined quickly according to the attachment's file attribute type to decide whether it is a phishing mail. Compared with the anti-virus mail gateway of the prior art, the method does not depend on the timeliness of signature database updates, improves the ability to detect and perceive phishing attachments, covers the detection blind spots of anti-virus gateway equipment, can avoid missed detections, and improves the accuracy of the detection result.
Further, based on the first embodiment shown in fig. 2, a second embodiment of the phishing mail detection method of the present invention is proposed.
In this embodiment, the step of "detecting whether the mail to be detected contains the attachment" includes:
step A, filtering the mail to be detected based on a preset filtering rule, and detecting whether the mail to be detected after filtering contains an attachment;
wherein the preset filtering rule comprises at least one of the following:
filtering out mail to be detected whose mail protocol is a preset mail protocol, filtering out mail to be detected whose source Internet Protocol (IP) address and destination IP address do not meet a first preset condition, and filtering out mail to be detected whose sender domain name belongs to a preset whitelist of domain names;
In this embodiment, because the volume of mail traffic is usually large, the mail to be detected is first filtered to improve detection efficiency: mail that matches a filtering rule is dropped directly so that it never enters the subsequent attachment-detection logic, which reduces the amount of data processed during attachment detection.
Specifically, after the mail to be detected is received, it is filtered according to a preset filtering rule, which includes at least one of the following: filtering out mail whose mail protocol is a preset mail protocol; filtering out mail whose source IP address and destination IP address do not meet a first preset condition; and filtering out mail whose sender domain name belongs to a preset whitelist of domain names.
The preset mail protocols include IMAP (Internet Message Access Protocol) and POP3 (Post Office Protocol version 3). These are mailbox-retrieval protocols, used by a client to fetch mail already in its own mailbox, so a mail carried over IMAP or POP3 is not an inbound phishing delivery and is filtered out. If the mail protocol is not IMAP or POP3, for example SMTP (Simple Mail Transfer Protocol), over which inbound mail is delivered, the mail does not match this filtering rule, may be a phishing mail, and is not filtered.
The first preset condition is that the source IP (Internet Protocol) address is an Internet IP address (an external address) and the destination IP address is a local area network IP address (an internal address). If the mail meets this condition, it is being sent from the external network into the internal network, may be a phishing mail, and is not filtered; if the source and destination IP addresses do not meet the first preset condition, the mail cannot be a phishing mail and is filtered out.
The whitelist of domain names is configured in advance. If the sender's domain name belongs to the whitelist, the mail cannot be a phishing mail and is filtered out; if it does not, the mail does not match this filtering rule, may be a phishing mail, and is not filtered.
Whether the filtered mail to be detected contains an attachment is then detected and the subsequent steps are carried out as described in the first embodiment, which is not repeated here.
In this embodiment, the mail to be detected is first subjected to preliminary filtering, so that mail matching the preset filtering rules, i.e. mail that cannot be a phishing mail, is dropped; this reduces the amount of data processed in the subsequent attachment detection and improves the efficiency of phishing mail detection.
Further, based on the above embodiments, a third embodiment of the phishing mail detection method of the present invention is proposed.
In the present embodiment, before step S40, the phishing mail detection method further includes:
step B, acquiring the attachment name of the attachment, and detecting whether the attachment name meets a second preset condition to obtain a second detection result;
wherein the second preset condition comprises at least one of:
the attachment name does not contain Chinese, the attachment name contains a first preset word, and the suffix of the attachment name is a preset suffix;
in this embodiment, to further improve the accuracy of the phishing mail detection result, the attachment detection and the detection of the attachment name can be combined to determine whether the mail to be detected is a phishing mail.
Specifically, after the attachment is detected based on the file attribute type (i.e., MIME type) to obtain the first detection result, the attachment name can further be obtained, and then whether the attachment name meets the second preset condition is detected to obtain the second detection result. The second preset condition comprises at least one of: the attachment name does not contain Chinese, the attachment name contains a first preset word, and the suffix of the attachment name is a preset suffix.
The first preset word can be an English word commonly found in phishing attachments, and the preset suffix can be one of some unusual types, such as arj, scr, lnk and the like, since mail attachments do not carry these suffix names in a normal user scenario.
Step S40 includes:
judging whether the mail to be detected is a phishing mail according to the first detection result and the second detection result.
Then, whether the mail to be detected is a phishing mail is judged according to the first detection result and the second detection result. If the mail to be detected is preliminarily judged to be a phishing mail according to the first detection result, and the second detection result is that the attachment name meets the second preset condition, the mail to be detected is judged to be a phishing mail.
Of course, it can be understood that in a specific implementation, if the mail to be detected is preliminarily determined to be a phishing mail based on the first detection result, the attachment name of the attachment can then be obtained to further determine whether the mail to be detected is a phishing mail; if the mail to be detected is determined not to be a phishing mail based on the first detection result, the attachment name does not need to be obtained, and the mail to be detected can be directly judged not to be a phishing mail.
In this embodiment, whether the mail to be detected is a phishing mail is judged by combining attachment detection with attachment name detection, so the accuracy of the phishing mail detection result can be further improved.
Further, based on the above embodiments, a third embodiment of the phishing mail detection method of the present invention is proposed.
In the present embodiment, before step S40, the phishing mail detection method further includes:
step C, acquiring the subject name of the mail to be detected, and detecting whether the subject name meets a third preset condition to obtain a third detection result;
wherein the third preset condition comprises at least one of:
the subject name does not contain preset specific characters, the subject name is inconsistent with the attachment name, and the subject name contains a second preset word;
in this embodiment, to further improve the accuracy of the phishing mail detection result, the attachment detection and the subject name detection can be combined to determine whether the mail to be detected is a phishing mail.
Specifically, after the attachment is detected based on the file attribute type (i.e., MIME type) to obtain the first detection result, the subject name of the mail to be detected may also be obtained, and then whether the subject name meets the third preset condition is detected to obtain the third detection result. The third preset condition comprises at least one of the following: the subject name does not contain preset specific characters, the subject name is inconsistent with the attachment name, and the subject name contains a second preset word.
The second preset word is a preset subject word common to phishing attachments. It should be noted that when a mail is sent, if the subject name is a Chinese name, the Chinese subject name is usually converted into a subject name in a special format by an encoding method; therefore, if the preset specific characters are absent from the subject name, the mail to be detected is judged to be a phishing mail, and if the preset specific characters are present in the subject name, the mail to be detected is judged not to be a phishing mail. In addition, because normal users often forget to write a subject when using mail to transmit a normal file, the mail client defaults to using the attachment name as the subject name of the mail; therefore, if the subject name is consistent with the attachment name, the mail to be detected is judged not to be a phishing mail, and if the subject name is inconsistent with the attachment name, the mail to be detected is judged to be a phishing mail.
Step S40 includes:
judging whether the mail to be detected is a phishing mail according to the first detection result and the third detection result.
Then, whether the mail to be detected is a phishing mail is judged according to the first detection result and the third detection result. If the mail to be detected is preliminarily judged to be a phishing mail according to the first detection result, and the third detection result is that the subject name meets the third preset condition, the mail to be detected is judged to be a phishing mail.
Of course, it can be understood that in a specific implementation, if the mail to be detected is preliminarily determined to be a phishing mail based on the first detection result, the subject name of the mail to be detected can then be obtained to further determine whether the mail to be detected is a phishing mail; if the mail to be detected is determined not to be a phishing mail based on the first detection result, the subject name does not need to be obtained, and the mail to be detected can be directly judged not to be a phishing mail.
In this embodiment, whether the mail to be detected is a phishing mail is judged by combining attachment detection with detection of the subject name of the mail to be detected, so the accuracy of the phishing mail detection result can be further improved.
In addition, it should be noted that in a specific embodiment, whether the mail to be detected is a phishing mail can be determined by combining attachment detection with detection of both the attachment name and the subject name of the mail to be detected, so as to further improve the accuracy of the phishing mail detection result.
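The attachment-name check of step B, the subject-name check of step C and the combined judgement of step S40, as one added example in Python (not the patent applicant's code). The suffixes arj, scr and lnk come from the description; the preset word lists, the choice of the RFC 2047 "=?" marker as the preset specific characters, the conjunctive combination of all three results, and the two sample mails are assumptions.

```python
# Attachment-name (second preset condition) and subject-name (third preset
# condition) checks combined with the first detection result in step S40.
# Added example; not the patent applicant's code.
import base64
import email
import re
from email.header import decode_header, make_header

CJK = re.compile(r"[\u4e00-\u9fff]")                    # Chinese characters
PRESET_SUFFIXES = {"arj", "scr", "lnk"}                 # suffixes named on the page
FIRST_PRESET_WORDS = {"invoice", "payment", "resume"}   # assumed word list
SECOND_PRESET_WORDS = {"invoice", "urgent", "payment"}  # assumed word list
# Assumed "preset specific characters": the RFC 2047 encoded-word marker a
# mail client emits when it encodes a non-ASCII (e.g. Chinese) subject.
PRESET_SPECIFIC_CHARS = "=?"


def decode_rfc2047(value):
    """Decode an encoded-word header value; plain ASCII passes through."""
    return str(make_header(decode_header(value)))


def attachment_name_check(name):
    """Second preset condition; met when at least one sub-condition holds."""
    stem, _, suffix = name.rpartition(".")
    r = {"no_chinese": CJK.search(name) is None,
         "has_first_preset_word": any(w in name.casefold() for w in FIRST_PRESET_WORDS),
         "preset_suffix": bool(stem) and suffix.lower() in PRESET_SUFFIXES}
    r["met"] = any(r.values())
    return r


def subject_name_check(raw_subject, attachment_name):
    """Third preset condition; met when at least one sub-condition holds.
    Consistency compares the decoded subject with the attachment name with
    or without its suffix (an assumption about client behaviour)."""
    subject = decode_rfc2047(raw_subject).strip().casefold()
    stem = attachment_name.rpartition(".")[0] or attachment_name
    r = {"no_specific_chars": PRESET_SPECIFIC_CHARS not in raw_subject,
         "inconsistent_with_attachment":
             subject not in (attachment_name.casefold(), stem.casefold()),
         "has_second_preset_word": any(w in subject for w in SECOND_PRESET_WORDS)}
    r["met"] = any(r.values())
    return r


def judge(first_result, second_met=None, third_met=None):
    """Step S40: phishing only if the first detection result is preliminarily
    phishing and every supplementary check that ran is met (the page does not
    fix how all three results combine; requiring both is an assumption)."""
    extra = [c for c in (second_met, third_met) if c is not None]
    return bool(first_result) and all(extra)


def first_attachment_name(msg):
    """Decoded file name of the first attachment part, or None."""
    for part in msg.walk():
        if part.get_content_disposition() == "attachment" and part.get_filename():
            return decode_rfc2047(part.get_filename())
    return None


def analyse(raw_mail, first_result):
    """Run both name checks on a raw message; first_result is the outcome of
    the MIME-type based attachment detection performed earlier."""
    msg = email.message_from_string(raw_mail)
    name = first_attachment_name(msg)
    if name is None:
        return {"attachment_name": None, "phishing": False}
    second = attachment_name_check(name)
    third = subject_name_check(msg.get("Subject", ""), name)
    return {"attachment_name": name, "second": second, "third": third,
            "phishing": judge(first_result, second["met"], third["met"])}


def encoded_word(text):
    """RFC 2047 B-encoding of a UTF-8 string, as a client would emit it."""
    return "=?utf-8?B?" + base64.b64encode(text.encode()).decode() + "?="


def build_message(subject_header, filename_header):
    """Constructed sample mail with a text body and one attachment."""
    return ("From: sender@mailer.test\nTo: user@corp.example\n"
            f"Subject: {subject_header}\nMIME-Version: 1.0\n"
            'Content-Type: multipart/mixed; boundary="b1"\n\n--b1\n'
            "Content-Type: text/plain\n\nPlease see the attached file.\n--b1\n"
            "Content-Type: application/octet-stream\n"
            f'Content-Disposition: attachment; filename="{filename_header}"\n'
            "Content-Transfer-Encoding: base64\n\nAAAA\n--b1--\n")


SAMPLE_SUSPICIOUS = build_message("Invoice overdue", "invoice_2020.scr")
SAMPLE_BENIGN = build_message(encoded_word("报价单"), encoded_word("报价单.docx"))
```

`analyse(SAMPLE_SUSPICIOUS, True)` meets both supplementary conditions and is judged phishing; `SAMPLE_BENIGN` carries an encoded Chinese subject equal to its attachment name, so neither condition is met and it is not judged phishing even with a preliminary positive first result.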
The invention also provides a phishing mail detection device.
Referring to fig. 3, fig. 3 is a functional block diagram of a phishing mail detecting device according to a first embodiment of the present invention.
As shown in fig. 3, the phishing mail detection apparatus includes:
the first detection module 10 is configured to acquire a mail to be detected, and detect whether the mail to be detected includes an attachment;
an obtaining module 20, configured to obtain a file attribute type of the attachment if the to-be-detected mail includes the attachment;
the second detection module 30 is configured to detect the attachment according to the file attribute type to obtain a first detection result;
the judging module 40 is configured to judge whether the mail to be detected is a phishing mail according to the first detection result.
Further, the phishing mail detection apparatus further includes:
the filtering module is used for filtering the mail to be detected based on a preset filtering rule;
wherein the preset filtering rule comprises at least one of the following:
filtering out mail to be detected whose mail protocol is a preset mail protocol, filtering out mail to be detected whose source Internet Protocol (IP) address and destination IP address do not meet a first preset condition, and filtering out mail to be detected whose sender domain name belongs to a preset white list of domain names;
the first detection module is specifically configured to:
detect whether the filtered mail to be detected contains an attachment.
Further, if the file attribute type is an office document, the second detection module 30 includes:
the first detection unit is used for detecting whether the attachment contains a macro object to obtain a first detection sub-result.
Further, if the file attribute type is a portable executable PE file, the second detecting module 30 includes:
the second detection unit is used for detecting whether the attachment has a preset characteristic field block to obtain a second detection sub-result.
Further, if the file attribute type is neither an office document nor a PE file, the second detection module 30 includes:
the acquisition unit is used for acquiring a mail protocol of the mail to be detected and acquiring a file attribute field in the mail protocol through a preset matching rule;
the third detection unit is used for detecting whether the content corresponding to the file attribute field matches the file attribute type of the attachment to obtain a third detection sub-result.
Further, the phishing mail detection apparatus further includes:
the third detection module is used for acquiring the attachment name of the attachment, and detecting whether the attachment name meets a second preset condition to obtain a second detection result;
wherein the second preset condition comprises at least one of:
the attachment name does not contain Chinese, the attachment name contains a first preset word, and the suffix of the attachment name is a preset suffix;
the determining module 40 is specifically configured to:
and judging whether the mail to be detected is a phishing mail or not according to the first detection result and the second detection result.
Further, the phishing mail detection apparatus further includes:
the fourth detection module is used for acquiring the subject name of the mail to be detected, and detecting whether the subject name meets a third preset condition to obtain a third detection result;
wherein the third preset condition comprises at least one of:
the subject name does not contain preset specific characters, the subject name is inconsistent with the attachment name, and the subject name contains a second preset word;
the determining module 40 is specifically configured to:
and judging whether the mail to be detected is a phishing mail or not according to the first detection result and the third detection result.
The function implementation of each module in the phishing mail detection device corresponds to each step in the embodiment of the phishing mail detection method, and the functions and implementation processes are not described in detail herein.
The present invention also provides a computer-readable storage medium having stored thereon a phishing mail detection program which, when executed by a processor, implements the steps of the phishing mail detection method as described in any of the above embodiments.
The specific embodiment of the computer-readable storage medium of the present invention is substantially the same as the embodiments of the phishing mail detection method described above, and will not be described herein again.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, an air conditioner, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.
Claims (10)
1. A phishing mail detection method, characterized by comprising:
acquiring a mail to be detected, and detecting whether the mail to be detected contains an attachment or not;
if the mail to be detected contains the attachment, acquiring the file attribute type of the attachment;
detecting the attachment according to the file attribute type to obtain a first detection result;
and judging whether the mail to be detected is a phishing mail or not according to the first detection result.
2. A phishing mail detection method as claimed in claim 1 wherein said step of detecting whether said mail to be detected contains an attachment comprises:
filtering the mail to be detected based on a preset filtering rule, and detecting whether the mail to be detected after filtering contains an attachment or not;
wherein the preset filtering rule comprises at least one of the following:
filtering out mail to be detected whose mail protocol is a preset mail protocol, filtering out mail to be detected whose source Internet Protocol (IP) address and destination IP address do not meet a first preset condition, and filtering out mail to be detected whose sender domain name belongs to a preset white list of domain names.
3. A phishing mail detection method as claimed in claim 1 wherein if said file attribute type is an office document, said detecting said attachment according to said file attribute type to obtain a first detection result comprises:
detecting whether the attachment contains a macro object to obtain a first detection sub-result.
4. A phishing mail detection method as claimed in claim 1 wherein if said file attribute type is a portable executable PE file, said detecting said attachment according to said file attribute type to obtain a first detection result comprises:
detecting whether the attachment has a preset characteristic field block to obtain a second detection sub-result.
5. A phishing mail detection method as claimed in claim 1 wherein if said file attribute type is neither an office document nor a PE file, said step of detecting said attachment based on said file attribute type to obtain a first detection result comprises:
acquiring a mail protocol of the mail to be detected, and acquiring a file attribute field in the mail protocol through a preset matching rule;
detecting whether the content corresponding to the file attribute field matches the file attribute type of the attachment to obtain a third detection sub-result.
6. A phishing mail detection method as claimed in any one of claims 1 to 5 wherein before the step of determining whether said mail to be detected is a phishing mail according to said first detection result, further comprising:
acquiring an attachment name of the attachment, and detecting whether the attachment name meets a second preset condition to obtain a second detection result;
wherein the second preset condition comprises at least one of:
the attachment name does not contain Chinese, the attachment name contains a first preset word, and the suffix of the attachment name is a preset suffix;
the step of judging whether the mail to be detected is a phishing mail according to the first detection result comprises the following steps:
and judging whether the mail to be detected is a phishing mail or not according to the first detection result and the second detection result.
7. A phishing mail detection method as claimed in any one of claims 1 to 5 wherein before the step of determining whether said mail to be detected is a phishing mail according to said first detection result, further comprising:
acquiring a subject name of the mail to be detected, and detecting whether the subject name meets a third preset condition to obtain a third detection result;
wherein the third preset condition comprises at least one of:
the subject name does not contain preset specific characters, the subject name is inconsistent with the attachment name, and the subject name contains a second preset word;
the step of judging whether the mail to be detected is a phishing mail according to the first detection result comprises the following steps:
and judging whether the mail to be detected is a phishing mail or not according to the first detection result and the third detection result.
8. A phishing mail detecting apparatus, characterized by comprising:
the first detection module is used for acquiring the mail to be detected and detecting whether the mail to be detected contains an attachment or not;
the acquisition module is used for acquiring the file attribute type of the attachment if the mail to be detected contains the attachment;
the second detection module is used for detecting the attachment according to the file attribute type to obtain a first detection result;
and the judging module is used for judging whether the mail to be detected is a phishing mail according to the first detection result.
9. A phishing mail detecting apparatus characterized by comprising: a memory, a processor and a phishing detection program stored on the memory and executable on the processor, which when executed by the processor implements the steps of the phishing detection method of any one of claims 1 to 7.
10. A computer-readable storage medium, characterized in that the computer-readable storage medium has stored thereon a phishing mail detection program which, when executed by a processor, implements the steps of the phishing mail detection method according to any one of claims 1 to 7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202010016028.XA CN111262831A (en) | 2020-01-07 | 2020-01-07 | Phishing mail detection method, device, equipment and computer readable storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN111262831A true CN111262831A (en) | 2020-06-09 |
Family
ID=70950275
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202010016028.XA Pending CN111262831A (en) | 2020-01-07 | 2020-01-07 | Phishing mail detection method, device, equipment and computer readable storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN111262831A (en) |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113630397A (en) * | 2021-07-28 | 2021-11-09 | 上海纽盾网安科技有限公司 | E-mail security control method, client and system |
CN115529185A (en) * | 2022-09-29 | 2022-12-27 | 北京中睿天下信息技术有限公司 | Mail classifying and cleaning method |
CN116132165A (en) * | 2023-01-29 | 2023-05-16 | 中国联合网络通信集团有限公司 | Mail detection method, device and medium |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102209075A (en) * | 2011-06-02 | 2011-10-05 | 国家计算机病毒应急处理中心 | Behavior-based malicious email transmission node detection method |
CN105721416A (en) * | 2015-11-16 | 2016-06-29 | 哈尔滨安天科技股份有限公司 | Apt event attack organization homology analysis method and apparatus |
US20160269422A1 (en) * | 2015-03-12 | 2016-09-15 | Forcepoint Federal Llc | Systems and methods for malware nullification |
CN105991395A (en) * | 2015-01-30 | 2016-10-05 | 杭州迪普科技有限公司 | Attachment replacing method and attachment replacing device |
CN108197472A (en) * | 2017-12-20 | 2018-06-22 | 北京金山安全管理系统技术有限公司 | macro processing method, device, storage medium and processor |
CN108959917A (en) * | 2017-05-25 | 2018-12-07 | 腾讯科技(深圳)有限公司 | A kind of method, apparatus, equipment and the readable storage medium storing program for executing of Email detection |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication | ||
Application publication date: 20200609