CN113381983A - Method and device for identifying counterfeit e-mail - Google Patents

Publication number
CN113381983A
Authority
CN
China
Prior art keywords
mail
detection
data packet
mail data
detection result
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202110548160.XA
Other languages
Chinese (zh)
Other versions
CN113381983B (en)
Inventor
王楚涵
沈凯文
郭明磊
郑晓峰
段海新
刘武
林延中
潘庆峰
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Coremail Technology Guangzhou Co ltd
Tsinghua University
Original Assignee
Coremail Technology Guangzhou Co ltd
Tsinghua University
Application filed by Coremail Technology Guangzhou Co ltd, Tsinghua University
Priority to CN202110548160.XA
Publication of CN113381983A
Application granted
Publication of CN113381983B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06Q INFORMATION AND COMMUNICATION TECHNOLOGY [ICT] SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL OR SUPERVISORY PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00 Administration; Management
    • G06Q10/10 Office automation; Time management
    • G06Q10/107 Computer-aided management of electronic mailing [e-mailing]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/42 Mailbox-related aspects, e.g. synchronisation of mailboxes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/126 Applying verification of the received information the source of the received data

Abstract

The invention provides a method and a device for identifying a counterfeit e-mail. The method comprises: analyzing a mail data packet with a preset mail security detection algorithm to obtain a detection result for the mail data packet; and displaying the detection result corresponding to the mail data packet on the display interface of the mail data packet. The preset mail security detection algorithm comprises at least one of sending detection, source detection, sender detection, high-similarity domain name detection and encryption detection. Because the mail data packet is examined from several angles (sending detection, source detection, sender detection, high-similarity domain name detection and encryption detection), counterfeit e-mail is detected more accurately, and the detection result is shown alongside the e-mail in its display interface, which helps the user identify counterfeit e-mail and keeps communication secure.

Description

Method and device for identifying counterfeit e-mail
Technical Field
The invention relates to the technical field of information processing, in particular to a method and a device for identifying a counterfeit E-mail.
Background
Email has always been one of the most important applications on the Internet and is an integral part of modern life and work.
However, existing email systems have security issues that cannot be ignored. The receiving side does not screen out malicious attack mail well, and users are rarely given security reminders. Existing mail interfaces offer only a prompt for mail sent on behalf of someone else and a phishing-mail prompt. Existing solutions are also not comprehensive enough and are easily bypassed by attackers.
Therefore, how to better identify counterfeit e-mail is an urgent problem for the industry.
Disclosure of Invention
The invention provides a method and a device for identifying a counterfeit E-mail, which are used for solving the problem that the counterfeit E-mail cannot be well identified in the prior art.
The invention provides a method for identifying a counterfeit e-mail, which comprises the following steps:
analyzing the mail data packet with a preset mail security detection algorithm to obtain a detection result for the mail data packet;
displaying the detection result corresponding to the mail data packet on the display interface of the mail data packet;
wherein the preset mail security detection algorithm comprises at least one of sending detection, source detection, sender detection, high-similarity domain name detection and encryption detection.
According to the method for identifying a counterfeit e-mail provided by the invention, the step of analyzing the mail data packet with the preset mail security detection algorithm to obtain the detection result comprises:
performing sending detection on the mail data packet, wherein the sending detection is a consistency comparison of the MIME From and the MAIL FROM in the mail data packet;
when the sending detection result does not pass, the detection result corresponding to the mail data packet is mail abnormality.
According to the method for identifying a counterfeit e-mail provided by the invention, the step of analyzing the mail data packet with the preset mail security detection algorithm to obtain the detection result comprises:
performing source detection on the mail data packet, wherein the source detection is Sender Policy Framework (SPF) verification, DomainKeys Identified Mail (DKIM) verification and Domain-based Message Authentication, Reporting and Conformance (DMARC) verification of the mail data packet; in addition, the identity entities verified by the three methods are compared for consistency;
when the source verification fails, the detection result corresponding to the mail data packet is mail abnormality.
According to the method for identifying a counterfeit e-mail provided by the invention, the step of analyzing the mail data packet with the preset mail security detection algorithm to obtain the detection result comprises:
performing sender detection on the mail data packet, wherein the sender detection is special-character detection on the MIME From field in the mail data packet;
when the sending detection result does not pass, the detection result corresponding to the mail data packet is mail abnormality.
According to the method for identifying a counterfeit e-mail provided by the invention, the step of analyzing the mail data packet with the preset mail security detection algorithm to obtain the detection result comprises:
performing high-similarity domain name detection on the mail data packet, wherein the high-similarity domain name detection examines the From field in the mail data packet;
when the From field in the mail data packet contains an internationalized domain name (IDN), the detection result corresponding to the mail data packet is abnormal.
According to the method for identifying a counterfeit e-mail provided by the invention, the step of analyzing the mail data packet with the preset mail security detection algorithm to obtain the detection result comprises:
performing encryption detection on the mail data packet, wherein the encryption detection checks whether the mail data packet is encrypted with Transport Layer Security (TLS);
when the mail data is not encrypted with TLS, the detection result corresponding to the mail data packet is mail abnormality.
The invention also provides a device for identifying the counterfeit E-mail, which comprises:
an analysis module, configured to analyze the mail data packet with a preset mail security detection algorithm to obtain a detection result for the mail data packet;
a display module, configured to display the detection result corresponding to the mail data packet on the display interface of the mail data packet;
wherein the preset mail security detection algorithm comprises at least one of sending detection, source detection, sender detection, high-similarity domain name detection and encryption detection.
The invention also provides an electronic device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor executes the program to realize the steps of the method for identifying the counterfeit E-mail.
The invention also provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, carries out the steps of the method of identifying a counterfeit e-mail as claimed in any one of the above.
The method and the device for identifying a counterfeit e-mail examine the mail data packet from several angles (sending detection, source detection, sender detection, high-similarity domain name detection and encryption detection), so that counterfeit e-mail is detected more accurately, and the detection result is shown alongside the e-mail in its display interface, which helps the user identify counterfeit e-mail and keeps communication secure.
Drawings
In order to more clearly illustrate the technical solutions of the present invention or the prior art, the drawings needed for the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present invention, and those skilled in the art can also obtain other drawings according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of a method for identifying a counterfeit e-mail according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of a counterfeit e-mail identification apparatus according to the present invention;
Fig. 3 is a schematic physical structure diagram of an electronic device provided in the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention clearer, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is obvious that the described embodiments are some, but not all embodiments of the present invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Fig. 1 is a schematic flowchart of a method for identifying a counterfeit e-mail according to an embodiment of the present invention. As shown in Fig. 1, the method includes:
Step S1, analyzing the mail data packet with a preset mail security detection algorithm to obtain the detection result of the mail data packet;
Specifically, the receiving-end server first starts the SMTP service, listens on port 25, establishes a TCP connection with the sending-end server, and receives the SMTP data packet. It then sends the SMTP data packet to the mail processing module.
The mail data packet described in the present application is a Simple Mail Transfer Protocol (SMTP) mail data packet sent by the receiving-end server, and analyzing the mail data packet means performing security detection on that SMTP mail data packet.
The mail data packet described in the application comprises two parts, an envelope and a letter. The envelope part contains SMTP commands such as HELO, MAIL FROM and RCPT TO. The letter part contains the mail header information (fields such as From, To, Subject and Date), the whole mail body and any mail attachments that are transmitted to the receiver. The relevant mail protocol contents are explicitly specified in the Requests for Comments (RFCs).
Table 1 shows the UI prompt content and the detected abnormal mail behavior.
[Table 1: UI prompt content and detected abnormal mail behavior; table image not reproduced]
Step S2, displaying the detection result corresponding to the mail data packet on the display interface of the mail data packet;
the preset mail security detection algorithm comprises at least one of sending detection, source detection, sender detection, high-similarity domain name detection and encryption detection.
The display interface of the mail data packet described in the present application may be a web interface for displaying e-mail or a client interface for displaying e-mail.
In the application, if the detection result shows that the mail has a security problem, the detection result is presented to the user as a UI prompt.
The preset mail security detection algorithm can output five different UI prompts for different abnormal mail behaviors: (1) the mail is sent by others; (2) the source of the mail is not credible; (3) the sender of the mail is not credible; (4) please take care of the highly approximate domain name; (5) the mail content is not encrypted and not safe. The detection algorithm examines the mail and sends the detection result (the UI prompt content) to the mail processing module.
According to the method and the device, the mail data packet is examined from several angles (sending detection, source detection, sender detection, high-similarity domain name detection and encryption detection), so that counterfeit e-mail is detected more accurately, and the detection result is shown alongside the e-mail in its display interface, which helps the user identify counterfeit e-mail and keeps communication secure.
Based on any of the above embodiments, the step of analyzing the mail data packet with the preset mail security detection algorithm to obtain the detection result of the mail data packet includes:
performing sending detection on the mail data packet, wherein the sending detection is a consistency comparison of the MIME From and the MAIL FROM in the mail data packet;
when the sending detection result does not pass, the detection result corresponding to the mail data packet is mail abnormality.
Specifically, existing sending detection is not well defined: if a mail carries multiple MIME From fields, the existing check is likely to be bypassed, even though, according to RFC 7489 and RFC 5322, the mail receiver should reject mail that contains multiple From fields. In the embodiment of the application, if the MIME From field is inconsistent with the MAIL FROM field, the UI prompts that the mail is sent by others.
By performing sending detection on the mail data packet, the method and the device achieve more complete and accurate detection of counterfeit e-mail.
Based on any of the above embodiments, the step of analyzing the mail data packet with the preset mail security detection algorithm to obtain the detection result of the mail data packet includes:
performing source detection on the mail data packet, wherein the source detection is Sender Policy Framework verification, DomainKeys Identified Mail verification and Domain-based Message Authentication, Reporting and Conformance verification of the mail data packet;
when the source verification fails, the detection result corresponding to the mail data packet is mail abnormality.
Specifically, Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM) and Domain-based Message Authentication, Reporting and Conformance (DMARC) are three protocols used to protect mail security, and together they can secure mail to a large extent. However, when the SPF/DKIM/DMARC check fails, mail vendors do not notify the user, and the mail may still reach the inbox. The invention proposes that if the SPF/DKIM/DMARC check fails, or if all three protocols verify but the verified identity entities differ, a UI prompt should be added stating that the mail source is not trusted.
By performing source detection on the mail data packet, the method and the device achieve more complete and accurate detection of counterfeit e-mail.
Based on any of the above embodiments, the step of analyzing the mail data packet with the preset mail security detection algorithm to obtain the detection result of the mail data packet includes:
performing sender detection on the mail data packet, wherein the sender detection is special-character detection on the MIME From field in the mail data packet;
when the sending detection result does not pass, the detection result corresponding to the mail data packet is mail abnormality.
Specifically, although the RFCs do not explicitly forbid special characters, or characters such as the Unicode reverse-order character, in the MIME From field, attackers can use mail containing these characters to send realistic forged mail. The present application proposes that if the MIME From field contains special characters (for example "\x81-\xff", "\t", "\n", or Unicode control characters such as \u202E, the right-to-left override), the UI prompts that the mail sender is not trusted.
By performing sender detection on the mail data packet, the method and the device achieve more complete and accurate detection of counterfeit e-mail.
Based on any of the above embodiments, the step of analyzing the mail data packet with the preset mail security detection algorithm to obtain the detection result of the mail data packet includes:
performing high-similarity domain name detection on the mail data packet, wherein the high-similarity domain name detection examines the From field in the mail data packet;
when the From field in the mail data packet contains an internationalized domain name (IDN), the detection result corresponding to the mail data packet is abnormal.
Specifically, as domain names have been internationalized (IDN), the mail field has also begun to introduce IDN domain names. However, when such names are displayed at the front end, an attacker can use them to make a forged mail look genuine. The present application proposes that if the From field in the mail contains an IDN domain name, phishing with a highly similar domain name may be taking place, and the UI prompts the user to beware of highly similar domain names.
By performing high-similarity domain name detection on the mail data packet, the method and the device achieve more complete and accurate detection of counterfeit e-mail.
Based on any of the above embodiments, the step of analyzing the mail data packet with the preset mail security detection algorithm to obtain the detection result of the mail data packet includes:
performing encryption detection on the mail data packet, wherein the encryption detection checks whether the mail data packet is encrypted with Transport Layer Security (TLS);
when the mail data is not encrypted with TLS, the detection result corresponding to the mail data packet is mail abnormality.
Specifically, if the mail is transmitted in clear text without encryption, an attacker can exploit it through a man-in-the-middle attack. The application proposes that if the mail is not TLS-encrypted and may therefore be subject to a man-in-the-middle attack, the UI prompts that the mail content is not encrypted and is not safe.
By performing encryption detection on the mail data packet, the method and the device achieve more complete and accurate detection of counterfeit e-mail.
In another embodiment of the present application, the SMTP mail data packet sent from the mail receiving module is first received. The mail data packet is loaded into the mail security detection algorithm, and the detection result and the SMTP data packet are sent to the mail processing module, which processes the SMTP data packet into an eml file and sends the eml file and the mail detection result to the web page end or client. The web page end or client receives and processes the eml file and the mail detection result sent by the mail processing module and displays the eml file to the user at the front end; if the mail detection result shows that the mail has a security problem, the result is displayed to the user as a UI prompt.
According to the method and the device, the mail data packet is examined from several angles (sending detection, source detection, sender detection, high-similarity domain name detection and encryption detection), so that counterfeit e-mail is detected more accurately, and the detection result is shown alongside the e-mail in its display interface, which helps the user identify counterfeit e-mail and keeps communication secure.
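The five checks described above, combined into one analysis function. This is an added example, not code from the patent or its assignees: the function and constant names are hypothetical, the SPF/DKIM/DMARC results and the TLS flag are assumed to be supplied by the receiving server, and the sample messages are constructed.

```python
import re
from email import message_from_string
from email.header import decode_header, make_header
from email.utils import parseaddr

# UI prompt texts, worded as in the description above.
PROMPTS = {
    "sending": "the mail is sent by others",
    "source": "the source of the mail is not credible",
    "sender": "the sender of the mail is not credible",
    "idn": "please take care of the highly approximate domain name",
    "tls": "the mail content is not encrypted and not safe",
}

# Characters the description lists for the MIME From field: \x81-\xff, \t, \n
# and Unicode control characters such as U+202E. Covering the other bidi
# controls (U+202A-U+202D, U+2066-U+2069) is an assumption of this example.
SPECIAL = re.compile("[\x81-\xff\t\n\u202a-\u202e\u2066-\u2069]")


def decoded(value):
    """Decode RFC 2047 encoded-words so hidden characters become visible."""
    try:
        return str(make_header(decode_header(value)))
    except Exception:  # malformed encoded-word: fall back to the raw value
        return value


def analyze(mail_from, raw_message, auth_results, tls_used):
    """Return the UI prompts for one received message, in table order.

    mail_from    -- envelope address from the SMTP MAIL FROM command
    raw_message  -- the "letter" part: headers and body as text
    auth_results -- {"spf"|"dkim"|"dmarc": (result, verified_domain)} from an
                    upstream verifier (assumed input; no DNS lookups here)
    tls_used     -- True if the SMTP session was TLS-protected (assumed input)
    """
    msg = message_from_string(raw_message)
    from_values = [str(v) for v in (msg.get_all("From") or [])]
    addrs = [parseaddr(v)[1].lower() for v in from_values]
    prompts = []

    # Sending detection: the MIME From must match the envelope MAIL FROM.
    # Zero or several From fields also fail, so a duplicate header cannot
    # bypass the comparison (comparing whole addresses is an assumption).
    if len(addrs) != 1 or addrs[0] != mail_from.strip("<> ").lower():
        prompts.append(PROMPTS["sending"])

    # Source detection: SPF, DKIM and DMARC must all pass and must all have
    # verified the same identity entity (domain).
    results = [auth_results.get(k, ("none", "")) for k in ("spf", "dkim", "dmarc")]
    identities = {domain.lower() for _, domain in results}
    if any(result != "pass" for result, _ in results) or len(identities) != 1:
        prompts.append(PROMPTS["source"])

    # Sender detection: special characters in the raw or decoded From value.
    if any(SPECIAL.search(v) or SPECIAL.search(decoded(v)) for v in from_values):
        prompts.append(PROMPTS["sender"])

    # High-similarity domain name detection: any IDN in the From domain,
    # written either as Unicode or as a punycode ("xn--") label.
    domains = [a.rpartition("@")[2] for a in addrs]
    if any(not d.isascii() or any(label.startswith("xn--") for label in d.split("."))
           for d in domains):
        prompts.append(PROMPTS["idn"])

    # Encryption detection: the message arrived over an unencrypted session.
    if not tls_used:
        prompts.append(PROMPTS["tls"])
    return prompts


# Constructed sample inputs (not taken from the patent).
PASS_ALL = {k: ("pass", "example.com") for k in ("spf", "dkim", "dmarc")}
CLEAN_MSG = "From: Alice <alice@example.com>\nTo: bob@example.net\nSubject: hi\n\nHello\n"
SPOOFED_MSG = (
    "From: =?utf-8?q?=E2=80=AEmoc.elpmaxe?= <ceo@xn--bcher-kva.example>\n"
    "To: bob@example.net\nSubject: invoice\n\nPlease pay.\n"
)
SPOOFED_AUTH = {"spf": ("pass", "mailer.example"), "dkim": ("pass", "mailer.example"),
                "dmarc": ("fail", "xn--bcher-kva.example")}
TWO_FROM_MSG = "From: alice@example.com\nFrom: eve@example.org\nSubject: x\n\nbody\n"

if __name__ == "__main__":
    for args in (("alice@example.com", CLEAN_MSG, PASS_ALL, True),
                 ("bounce@mailer.example", SPOOFED_MSG, SPOOFED_AUTH, False),
                 ("alice@example.com", TWO_FROM_MSG, PASS_ALL, True)):
        print(analyze(*args))
```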
Fig. 2 is a schematic diagram of a counterfeit e-mail identification apparatus provided by the present invention. As shown in Fig. 2, the apparatus includes an analysis module 210 and a display module 220. The analysis module 210 is configured to analyze the mail data packet with a preset mail security detection algorithm to obtain a detection result for the mail data packet; the display module 220 is configured to display the detection result corresponding to the mail data packet on the display interface of the mail data packet; the preset mail security detection algorithm comprises at least one of sending detection, source detection, sender detection, high-similarity domain name detection and encryption detection.
According to the method and the device, the mail data packet is examined from several angles (sending detection, source detection, sender detection, high-similarity domain name detection and encryption detection), so that counterfeit e-mail is detected more accurately, and the detection result is shown alongside the e-mail in its display interface, which helps the user identify counterfeit e-mail and keeps communication secure.
Fig. 3 is a schematic physical structure diagram of an electronic device provided in the present invention. As shown in Fig. 3, the electronic device may include a processor 310, a communication interface 320, a memory 330 and a communication bus 340, wherein the processor 310, the communication interface 320 and the memory 330 communicate with each other via the communication bus 340. The processor 310 may call logic instructions in the memory 330 to perform a method for identifying a counterfeit e-mail, the method comprising: analyzing the mail data packet with a preset mail security detection algorithm to obtain a detection result for the mail data packet; displaying the detection result corresponding to the mail data packet on the display interface of the mail data packet; the preset mail security detection algorithm comprises at least one of sending detection, source detection, sender detection, high-similarity domain name detection and encryption detection.
In addition, the logic instructions in the memory 330 may be implemented in the form of software functional modules and stored in a computer readable storage medium when the software functional modules are sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program codes.
In another aspect, the present invention also provides a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the method for identifying a counterfeit e-mail provided above, the method comprising: analyzing the mail data packet with a preset mail security detection algorithm to obtain a detection result for the mail data packet; displaying the detection result corresponding to the mail data packet on the display interface of the mail data packet; the preset mail security detection algorithm comprises at least one of sending detection, source detection, sender detection, high-similarity domain name detection and encryption detection.
In yet another aspect, the present invention also provides a non-transitory computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, performing the method for identifying a counterfeit e-mail provided in the above embodiments, the method comprising: analyzing the mail data packet with a preset mail security detection algorithm to obtain a detection result for the mail data packet; displaying the detection result corresponding to the mail data packet on the display interface of the mail data packet; the preset mail security detection algorithm comprises at least one of sending detection, source detection, sender detection, high-similarity domain name detection and encryption detection.
The above-described embodiments of the apparatus are merely illustrative, wherein the modules described as separate parts may or may not be physically separate, and the parts displayed as modules may or may not be physical modules, may be located in one place, or may be distributed on a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (9)

1. A method for identifying a counterfeit e-mail, comprising:
analyzing the mail data packet by a preset mail safety monitoring algorithm to obtain a detection result of the mail data packet;
displaying a detection result corresponding to the mail data packet on a display interface of the mail data packet;
the preset mail safety detection algorithm comprises at least one of issuing detection, source detection, sender detection, high-similarity domain name detection and encryption detection.
2. The method for identifying the counterfeit email according to claim 1, wherein the step of analyzing the email data packet by a preset email security monitoring algorithm to obtain the detection result of the email data packet comprises:
carrying out transmission detection on the MAIL data packet, wherein the transmission detection is to carry out consistency comparison on the MIME From and the MAIL From in the MAIL data packet;
and when the sending detection result does not pass, the detection result corresponding to the mail data packet is mail abnormity.
3. The method for identifying a counterfeit e-mail according to claim 1, wherein the step of analyzing the mail data packet with the preset mail security detection algorithm to obtain the detection result for the mail data packet comprises:
performing source detection on the mail data packet, wherein the source detection is performing Sender Policy Framework (SPF) verification, DomainKeys Identified Mail (DKIM) verification and Domain-based Message Authentication, Reporting and Conformance (DMARC) verification on the mail data packet;
and when the source verification fails, the detection result corresponding to the mail data packet is a mail anomaly.
4. The method for identifying a counterfeit e-mail according to claim 1, wherein the step of analyzing the mail data packet with the preset mail security detection algorithm to obtain the detection result for the mail data packet comprises:
performing sender detection on the mail data packet, wherein the sender detection is special character detection on the MIME FROM field in the mail data packet;
and when the sending detection result does not pass, the detection result corresponding to the mail data packet is a mail anomaly.
5. The method for identifying a counterfeit e-mail according to claim 1, wherein the step of analyzing the mail data packet with the preset mail security detection algorithm to obtain the detection result for the mail data packet comprises:
performing high-similarity domain name detection on the mail data packet, wherein the high-similarity domain name detection is detection of the From field in the mail data packet;
and when the From field in the mail data packet is an internationalized domain name, the detection result corresponding to the mail data packet is abnormal.
6. The method for identifying a counterfeit e-mail according to claim 1, wherein the step of analyzing the mail data packet with the preset mail security detection algorithm to obtain the detection result for the mail data packet comprises:
performing encryption detection on the mail data packet, wherein the encryption detection is detecting whether the mail data packet is encrypted by the Transport Layer Security (TLS) protocol;
and when the mail data part is not encrypted by the Transport Layer Security (TLS) protocol, the detection result corresponding to the mail data packet is a mail anomaly.
7. An apparatus for identifying a counterfeit e-mail, comprising:
an analysis module, configured to analyze a mail data packet with a preset mail security detection algorithm to obtain a detection result for the mail data packet;
a display module, configured to display the detection result corresponding to the mail data packet on a display interface of the mail data packet;
wherein the preset mail security detection algorithm comprises at least one of sending detection, source detection, sender detection, high-similarity domain name detection and encryption detection.
8. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the steps of the method for identifying a counterfeit e-mail according to any one of claims 1 to 6 are implemented when the program is executed by the processor.
9. A non-transitory computer readable storage medium, having stored thereon a computer program, wherein the computer program, when being executed by a processor, is adapted to carry out the steps of the method for identifying a counterfeit e-mail according to any one of claims 1 to 6.
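The checks of claims 2 to 5 can be illustrated on a single message. The following is an added example, not code from the patent or its applicants; the names `check_mail` and `domain_of`, the sample message, and the choices marked as assumptions in the comments (comparison by domain, reading verdicts from `Authentication-Results`, the set of "special characters") are this example's own. The encryption detection of claim 6 is not covered.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample (not from the patent). MAIL FROM is the SMTP envelope
# sender, known to the receiving server and passed in separately here.
SAMPLE = (
    "Authentication-Results: mx.example.net; spf=pass; dkim=none; dmarc=fail\n"
    'From: "Support" <admin@xn--exmple-cua.example>\n'
    "To: user@example.net\n"
    "Subject: constructed test message\n"
    "\n"
    "body\n"
)
CLEAN = SAMPLE.replace("xn--exmple-cua.example", "example.org").replace(
    "dkim=none; dmarc=fail", "dkim=pass; dmarc=pass")

def domain_of(addr):
    return addr.rsplit("@", 1)[-1].lower().rstrip(".") if "@" in addr else ""

def check_mail(raw, mail_from):
    """Return the list of failed checks; an empty list means no anomaly found."""
    msg = message_from_string(raw)
    raw_from = msg.get("From", "")
    addrs = [a for _, a in getaddresses([raw_from]) if a]
    from_dom = domain_of(addrs[0]) if addrs else ""
    findings = []
    # Claim 2: MIME From vs MAIL FROM (assumption: compared by domain).
    if not from_dom or from_dom != domain_of(mail_from):
        findings.append("from_mismatch")
    # Claim 3: SPF/DKIM/DMARC verdicts as recorded by the receiving server
    # (assumption: read from Authentication-Results, not re-verified here).
    ar = " ".join(msg.get_all("Authentication-Results", [])).lower()
    for mech in ("spf", "dkim", "dmarc"):
        verdict = re.search(r"\b%s=(\w+)" % mech, ar)
        if not verdict or verdict.group(1) != "pass":
            findings.append(mech + "_not_pass")
    # Claim 4: special characters in MIME From (assumption: control characters,
    # more than one "@", or a header that does not parse to one address).
    if (len(addrs) != 1 or raw_from.count("@") != 1
            or re.search(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]", raw_from)):
        findings.append("from_special_chars")
    # Claim 5: From domain is an internationalized domain name.
    if not from_dom.isascii() or any(
            lab.startswith("xn--") for lab in from_dom.split(".")):
        findings.append("idn_from_domain")
    return findings
```

A non-empty result corresponds to the "mail anomaly" outcome that the claims say is shown on the message's display interface.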
CN202110548160.XA 2021-05-19 2021-05-19 Method and device for identifying fake e-mail Active CN113381983B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110548160.XA CN113381983B (en) 2021-05-19 2021-05-19 Method and device for identifying fake e-mail

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110548160.XA CN113381983B (en) 2021-05-19 2021-05-19 Method and device for identifying fake e-mail

Publications (2)

Publication Number Publication Date
CN113381983A (en) 2021-09-10
CN113381983B (en) 2023-09-22

Family

ID=77571362

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110548160.XA Active CN113381983B (en) 2021-05-19 2021-05-19 Method and device for identifying fake e-mail

Country Status (1)

Country Link
CN (1) CN113381983B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115037542A (en) * 2022-06-09 2022-09-09 北京天融信网络安全技术有限公司 Abnormal mail detection method and device

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050097177A1 (en) * 2003-10-31 2005-05-05 Mcumber William E. Business process for improving electronic mail
US20110040974A1 (en) * 2009-08-13 2011-02-17 Michael Gregor Kaplan Authentication of email servers and personal computers
CN106992926A (en) * 2017-06-13 2017-07-28 深信服科技股份有限公司 A kind of method and system for forging mail-detection
CN108347370A (en) * 2017-10-19 2018-07-31 北京安天网络安全技术有限公司 A kind of detection method and system of targeted attacks mail
CN109474611A (en) * 2018-12-11 2019-03-15 四川大学 It is a kind of that detection technique is protected based on multifactor E mail safety
CN110061981A (en) * 2018-12-13 2019-07-26 成都亚信网络安全产业技术研究院有限公司 A kind of attack detection method and device
CN110519150A (en) * 2018-05-22 2019-11-29 深信服科技股份有限公司 Mail-detection method, apparatus, equipment, system and computer readable storage medium
CN110661750A (en) * 2018-06-28 2020-01-07 深信服科技股份有限公司 Mail sender identity detection method, system, equipment and storage medium

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050097177A1 (en) * 2003-10-31 2005-05-05 Mcumber William E. Business process for improving electronic mail
US20110040974A1 (en) * 2009-08-13 2011-02-17 Michael Gregor Kaplan Authentication of email servers and personal computers
CN106992926A (en) * 2017-06-13 2017-07-28 深信服科技股份有限公司 A kind of method and system for forging mail-detection
CN108347370A (en) * 2017-10-19 2018-07-31 北京安天网络安全技术有限公司 A kind of detection method and system of targeted attacks mail
CN110519150A (en) * 2018-05-22 2019-11-29 深信服科技股份有限公司 Mail-detection method, apparatus, equipment, system and computer readable storage medium
CN110661750A (en) * 2018-06-28 2020-01-07 深信服科技股份有限公司 Mail sender identity detection method, system, equipment and storage medium
CN109474611A (en) * 2018-12-11 2019-03-15 四川大学 It is a kind of that detection technique is protected based on multifactor E mail safety
CN110061981A (en) * 2018-12-13 2019-07-26 成都亚信网络安全产业技术研究院有限公司 A kind of attack detection method and device

Also Published As

Publication number Publication date
CN113381983B (en) 2023-09-22

Similar Documents

Publication Publication Date Title
US20230344869A1 (en) Detecting phishing attempts
US10819744B1 (en) Collaborative phishing attack detection
KR101137089B1 (en) Validating inbound messages
US10834127B1 (en) Detection of business email compromise attacks
US8661545B2 (en) Classifying a message based on fraud indicators
WO2019199712A1 (en) Mail protection system
EP2709046A1 (en) Real-time classification of email message traffic
Cohen et al. Novel set of general descriptive features for enhanced detection of malicious emails using machine learning methods
US20050268101A1 (en) System and method for authenticating at least a portion of an e-mail message
US8443447B1 (en) Apparatus and method for detecting malware-infected electronic mail
EP2036246A2 (en) Systems and methods for identifying potentially malicious messages
KR20080073301A (en) Electronic message authentication
US11978020B2 (en) Email security analysis
CN109039874B (en) Mail auditing method and device based on behavior analysis
CN113381983B (en) Method and device for identifying fake e-mail
Gupta et al. Forensic analysis of E-mail address spoofing
CA2793422C (en) Hypertext link verification in encrypted e-mail for mobile devices
Morovati et al. Detection of Phishing Emails with Email Forensic Analysis and Machine Learning Techniques.
KR20040081345A (en) Reducing unwanted and unsolicited electronic messages
US20240143742A1 (en) System and method for providing user feedback
US20230319065A1 (en) Assessing Behavior Patterns and Reputation Scores Related to Email Messages
US20210234891A1 (en) Artificial intelligence (ai) powered conversational system for identifying malicious messages
CN115801719A (en) Mail processing method, device, equipment and readable storage medium
CN117527746A (en) Mail processing method and device, electronic equipment and storage medium
WO2005107136A2 (en) Method and apparatus for authenticating at least a portion of an e-mail message

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant