CN113630397B - E-mail security control method, client and system - Google Patents


Publication number
CN113630397B
CN113630397B CN202110858775.2A CN202110858775A CN113630397B CN 113630397 B CN113630397 B CN 113630397B CN 202110858775 A CN202110858775 A CN 202110858775A CN 113630397 B CN113630397 B CN 113630397B
Authority
CN
China
Prior art keywords
information
mail
phishing
group
attachment
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202110858775.2A
Other languages
Chinese (zh)
Other versions
CN113630397A (en)
Inventor
杨腾霄
马宇尘
乔梁
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Shanghai Newdun Wangan Technology Co ltd
Original Assignee
Shanghai Newdun Wangan Technology Co ltd
Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1483 Countermeasures against malicious traffic service impersonation, e.g. phishing, pharming or web spoofing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L51/00 User-to-user messaging in packet-switching networks, transmitted according to store-and-forward or real-time protocols, e.g. e-mail
    • H04L51/42 Mailbox-related aspects, e.g. synchronisation of mailboxes

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Information Transfer Between Computers (AREA)

Abstract

The invention discloses an email security control method, a client and a system, and relates to the technical field of network security. The method comprises the steps of: acquiring a target mail, and extracting header information, text information and/or attachment information of the target mail; judging whether the mail is a suspected phishing mail according to the header information, the text information and/or the attachment information; when the mail is judged to be a suspected phishing mail, sending the header information, the text information and/or the attachment information to an anti-phishing friend group for evaluation; and acquiring the evaluation result and displaying the evaluation result in correspondence with the target mail. The invention improves the reliability of phishing mail detection and can more effectively complete the detection and confirmation of suspected phishing mails.

Description

E-mail security control method, client and system
Technical Field
The present invention relates to the field of network security technologies, and in particular, to an email security control method, a client, and a system.
Background
The Internet brings great convenience to people's lives, but it also brings security risks. For example, with the rapid development of electronic commerce, phishing is currently the most dominant and fastest growing means of network fraud. Among the most common means of phishing is phishing mail. Phishing mail refers to an email with fraudulent content sent to a recipient by a phishing attacker, for example a fraudulent spam message that claims to be from a bank or other well-known institution and induces the recipient to visit a fake Web site, or that obtains the recipient's sensitive information when the recipient replies to the mail. The most common phishing mails fall broadly into three categories: counterfeit phishing mail, link phishing mail, and attachment phishing mail. In counterfeit phishing mail, the fraudster hides the real sender information by means of a sending server the fraudster has built, and disguises the mail as coming from an arbitrary sender. Link phishing mail embeds a phishing link (a hyperlink or direct link) in a normal-looking mail and requires the user to enter account information in the mail or on the opened link page in order to view an order or sample. Attachment phishing mail implants a virus executable in a mail attachment and induces the victim to download the malicious attachment.
The prior art generally performs security filtering on e-mail for security protection. Existing detection methods for phishing mail mainly include the following. 1) Sender black-and-white list filtering: an explicit black-and-white list is set, and only mails sent by trusted accounts in the white list are accepted. 2) IP-address-type web page links in the mail: if the mail contains a web page link in IP address form, it is considered suspected of inducing the user to visit an unknown website, because most well-known websites are accessed by domain name. 3) Link feature analysis in the mail body: whether the mail is a phishing mail is judged by whether special characters such as "@" and "-" exist in the link, or by whether the number of domain names, domain name separators (.) and URL path field separators (/) in the link is reasonable. 4) Matching of the explicit and implicit domain names in the mail body: it is judged whether the link domain name displayed in the mail matches the real link domain name in the HTML page, and if the two do not match, the mail is considered suspected of inducing the user to visit a malicious website. 5) Registration time of the link domain name in the mail body: a WHOIS query is used to check whether the interval between the registration time of the domain name and the mail sending time is below a set threshold, and a mail whose interval is below the threshold is considered a phishing mail. 6) Similarity between the link domain name in the mail body and the domain names of well-known websites: when the link domain name in the mail body is determined not to be equal to the domain name of a well-known website, the higher the similarity between the two, the greater the likelihood that the domain name is spoofed.
For the black-and-white list detection mechanism, the lists are recorded on the basis of phishing sites that have already been discovered and a dynamic updating mechanism is then set up, so the detection mechanism has a certain lag and it is difficult to obtain the expected protection effect. For the other detection mechanisms, whether they detect link domain names in the mail body or deploy a virus mail gateway or attachment sandbox, the defensive effect against some special phishing attacks often falls short of expectations. For example, spear-phishing mails collect a large amount of information about the attack targets in advance and select targets deliberately; mostly they steal accounts that have a trust relationship with the attack target, or send mail that imitates carefully crafted notifications and news mail content of well-known websites, so that a mailbox black-and-white list can be effectively bypassed. As another example, when an attacker compromises a third-party server (a watering-hole attack) and plants a trojan on a website with a legitimate domain name, users are induced to click through to a legitimate website whose content has been tampered with, and the existing methods for detecting link domain names in phishing mail cannot detect this in time. Meanwhile, the development of Internet financial technology also causes phishing websites to keep changing, so that they are often more deceptive, which poses a great challenge to traditional detection methods.
How to provide phishing mail detection with better reliability and security is a technical problem to be solved at present.
Disclosure of Invention
The invention aims to provide an email security control method, a client and a system which, when a target email is judged to be a suspected phishing email, send the header information, text information and/or attachment information corresponding to the target email to an anti-phishing friend group for further evaluation, acquire the evaluation result, and display the evaluation result in correspondence with the target email.
In order to achieve the above object, the present invention provides the following technical solutions:
an email security control method, comprising the steps of:
acquiring a target mail, and extracting header information, text information and/or attachment information of the target mail;
judging whether the mail is a suspected phishing mail according to the header information, the text information and/or the attachment information;
when the mail is judged to be a suspected phishing mail, sending the header information, the text information and/or the attachment information to an anti-phishing friend group for evaluation;
and acquiring the evaluation result and displaying the evaluation result in correspondence with the target mail.
Further, before the header information, the text information and/or the attachment information are sent to the anti-phishing friend group for evaluation, the method further comprises the steps of:
acquiring the associated contact setting information of the mailbox where the target mail is located;
judging whether the mailbox has an anti-phishing friend group according to the associated contact setting information;
when it is judged that the anti-phishing friend group exists, sending the header information, the text information and/or the attachment information to the anti-phishing friend group for evaluation;
when it is judged that the anti-phishing friend group does not exist, acquiring instant messaging account information of a preset anti-phishing associated contact, triggering establishment of the anti-phishing friend group based on the anti-phishing associated contact, and then sending the header information, the text information and/or the attachment information to the anti-phishing friend group for evaluation.
Further, the step of determining whether the mail is a suspected phishing mail includes,
acquiring the header information of the mail;
based on a preset first-type dynamic blacklist library, judging whether the header information contains first-type phishing information specified in the first-type dynamic blacklist library, and judging that the mail is a suspected phishing mail when the first-type phishing information is contained.
Further, when the first-type phishing information is not contained, a text information judging instruction is issued; according to the text information judging instruction, it is judged whether the text information of the mail contains second-type phishing information specified in a preset second-type dynamic blacklist library, and when the second-type phishing information is contained, the mail is judged to be a suspected phishing mail.
Further, when the second-type phishing information is not contained, an attachment information judging instruction is issued; according to the attachment information judging instruction, it is detected whether the target mail contains an attachment; when the target mail contains an attachment, the file attribute type of the attachment is obtained, the attachment is detected according to the file attribute type, and whether the target mail is a suspected phishing mail is judged according to the attachment detection result.
Further, when the attachment is detected according to the file attribute type: when the file attribute type is an office document, detecting whether the attachment contains a macro object, and judging the mail to be a suspected phishing mail when the attachment contains a macro object; when the file attribute type is a portable executable (PE) file, detecting whether a preset characteristic field block exists in the attachment, and judging the mail to be a suspected phishing mail when the preset characteristic field block exists; when the file attribute type is neither of these two types, acquiring the mail protocol of the target mail through a preset matching rule, acquiring the file attribute field in the mail protocol, detecting whether the content of the file attribute field matches the file attribute field type of the attachment, and judging that the target mail is a suspected phishing mail when the MIME field does not match the MIME type.
Further, the header information, the text information and/or the attachment information are sent to the anti-phishing friend group for evaluation as follows:
the header information, the text information and/or the attachment information are displayed, as a group message sent by the user, in a group communication interactive interface of the anti-phishing friend group; a comment collecting control is arranged in the group communication interactive interface in correspondence with the group message, and comment information of group members is collected through the comment collecting control;
or, the header information, the text information and/or the attachment information are displayed, as a group notice issued by the user, in the group communication interactive interface of the anti-phishing friend group; a comment collecting control is arranged in the group communication interactive interface in correspondence with the group notice, and the comment information of the group members is collected through the comment collecting control.
Further, the comment collecting control is associated with a comment collecting interface, and after the comment collecting control is triggered, the comment collecting interface can be output for the triggering group member to input comment information;
and a display permission setting control is further arranged in correspondence with the comment information, the display permission setting control being used for setting the visibility permission and/or validity time of the corresponding comment information.
The invention also provides an E-mail client, which comprises the following structure:
the mail information extraction module is used for acquiring the received mail and extracting the header information, the text information and/or the attachment information of the mail;
the mail prejudging module is used for judging whether the mail is a suspected phishing mail according to the header information, the text information and/or the attachment information;
the judging module is used for sending the header information, the text information and/or the attachment information to the anti-phishing friend group for evaluation when the mail is judged to be a suspected phishing mail;
and the result acquisition module is used for acquiring the evaluation result and displaying the evaluation result in correspondence with the mail.
The invention also provides an email detection system, which comprises a memory, a processor and a phishing email detection device which is stored on the memory and can run on the processor;
the phishing mail detection apparatus is configured to: acquire a target mail and extract header information, text information and/or attachment information of the target mail; judge whether the mail is a suspected phishing mail according to the header information, the text information and/or the attachment information; send the header information, the text information and/or the attachment information to an anti-phishing friend group for evaluation when the mail is judged to be a suspected phishing mail; and obtain the evaluation result and display the evaluation result in correspondence with the target mail.
Compared with the prior art, and taking the above technical solution as an example, the invention has the following advantages and positive effects: when the target mail is judged to be a suspected phishing mail, the header information, the text information and/or the attachment information corresponding to the target mail are sent to the anti-phishing friend group for further evaluation, and the evaluation result is acquired and displayed in correspondence with the target mail.
Drawings
Fig. 1 is a flowchart of an email security control method according to an embodiment of the present invention.
Fig. 2 is a flowchart of steps for determining whether a mail is a suspected phishing mail according to an embodiment of the present invention.
Fig. 3 is an exemplary diagram of a group communication interaction interface of an anti-phishing friend group according to an embodiment of the present invention.
Fig. 4 is a block diagram of an instant messaging client according to an embodiment of the present invention.
Fig. 5 is a block diagram of a system according to an embodiment of the present invention.
Reference numerals illustrate:
the group communication interaction interface 300, the group name 310, the interaction information display column 320, the interaction information input column 330, the group other information display column 340, the group member display column 350, the instant communication message 360, the comment collecting control 361 and the comment displaying control 362;
the system comprises a client 400, a mail information extraction module 410, a mail prejudging module 420, a comment module 430 and a result acquisition module 440;
system 510, memory 510, processor 520.
Detailed Description
The method, the client and the system for controlling the email security disclosed by the invention are further described in detail below with reference to the accompanying drawings and the specific embodiments. It should be noted that the technical features or combinations of technical features described in the following embodiments should not be regarded as being isolated, and they may be combined with each other to achieve a better technical effect. In the drawings of the embodiments described below, like reference numerals appearing in the various drawings represent like features or components and are applicable to the various embodiments. Thus, once an item is defined in one drawing, no further discussion thereof is required in subsequent drawings.
It should be noted that the structures, proportions, sizes, etc. shown in the drawings are merely used in conjunction with the disclosure of the present specification, and are not intended to limit the applicable scope of the present invention. The scope of the preferred embodiments of the present invention includes additional implementations in which functions may be performed out of the order described or discussed, including in a substantially simultaneous manner or in the reverse order, depending on the function involved, as would be understood by those of skill in the art to which embodiments of the present invention pertain.
Techniques, methods, and apparatus known to one of ordinary skill in the relevant art may not be discussed in detail, but should be considered part of the specification where appropriate. In all examples shown and discussed herein, any specific values should be construed as merely illustrative, and not a limitation. Thus, other examples of the exemplary embodiments may have different values.
Examples
Referring to fig. 1, an email security control method provided by an embodiment of the present invention is shown. The method comprises the following steps:
S100, acquiring the target mail, and extracting header information, text information and/or attachment information of the target mail.
The target mail can be any mail received by the user, or can be a certain mail actively selected by the user.
In this embodiment, the header information may include multidimensional information such as the sender address, reply address, sending time, Message-ID, subject and format. The text information refers to the text content of the mail. The attachment information refers to link attachment information of the mail.
To extract the attachment information, it is first necessary to detect whether the mail to be detected includes an attachment. In implementation, it can be detected whether the attachment field of the mail is empty: if the attachment field is empty, the mail contains no attachment; if the attachment field is not empty, it is determined that the mail includes an attachment.
S200, judging whether the mail is a suspected phishing mail according to the header information, the text information and/or the attachment information.
Referring to fig. 2, in this embodiment, the step of determining whether the mail is a suspected phishing mail is preferably as follows: acquiring the header information of the mail; based on a preset first-type dynamic blacklist library, judging whether the header information contains first-type phishing information specified in the first-type dynamic blacklist library, and judging that the mail is a suspected phishing mail when the first-type phishing information is contained.
When the first-type phishing information is not contained, a text information judging instruction can be issued. Then, according to the text information judging instruction, it is judged whether the text information of the mail contains second-type phishing information specified in a preset second-type dynamic blacklist library, and when the second-type phishing information is contained, the mail is judged to be a suspected phishing mail.
In this embodiment, in implementation, the first type of dynamic blacklist library may include one or any combination of a mail address dynamic blacklist library, an IP address dynamic blacklist library, and a domain name dynamic blacklist library; correspondingly, the first type of phishing information comprises one or any combination of a phishing mail address, a phishing IP address and a phishing domain name. The second type of dynamic blacklist repository may include one or more of a keyword dynamic blacklist repository and a link address dynamic blacklist repository; correspondingly, the second type of phishing information may include keywords or/and link addresses.
The dynamic blacklist libraries are preset. The system can first set up various basic blacklist libraries, such as the blacklist libraries provided by the Spamhaus anti-spam organization, and then update these basic blacklist libraries on the basis of user reports and/or regular pushes to form the various dynamic blacklist libraries.
On the other hand, when the second-type phishing information is not contained, an attachment information judging instruction may be issued. Then, according to the attachment information judging instruction, it is detected whether the target mail contains an attachment; when the target mail contains an attachment, the file attribute type of the attachment is obtained, the attachment is detected according to the file attribute type, and whether the target mail is a suspected phishing mail is judged according to the attachment detection result.
Preferably, when the attachment is detected according to the file attribute type: when the file attribute type is an office document, it is detected whether the attachment contains a macro object, and the mail is judged to be a suspected phishing mail when the attachment contains a macro object; when the file attribute type is a portable executable (PE) file, it is detected whether a preset characteristic field block exists in the attachment, and the mail is judged to be a suspected phishing mail when the preset characteristic field block exists; when the file attribute type is neither of these two types, the mail protocol of the target mail is acquired through a preset matching rule, the file attribute field in the mail protocol is acquired, it is detected whether the content of the file attribute field matches the file attribute field type of the attachment, and the target mail is judged to be a suspected phishing mail when the MIME field does not match the MIME type.
By way of example and not limitation, suppose the MIME type of an attachment to a target mail is application/x-dosexec while the MIME field in the mail protocol is image/png. The MIME field does not match the MIME type, which indicates MIME forgery in the target mail, so the mail may be determined to be a suspected phishing mail.
In this embodiment, the office document may include office documents in various formats, such as Word, Excel and PPT. PE (Portable Executable) files are program files on the Microsoft Windows operating system, such as EXE, DLL, OCX, SYS and COM files. Other types of files include, for example, text and script files. For files with regular structures, such as office documents and PE files, the header feature field of the attachment can be obtained to judge the MIME (Multipurpose Internet Mail Extensions) type simply and accurately. For other types of files, such as text and script files, the MIME type may be obtained using content recognition. Specifically, the content recognition method may be to detect whether a preset PHP (Hypertext Preprocessor) function, a preset field or a preset keyword exists in the attachment content, and if so, determine that the MIME type is other than the office document and the PE file.
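The staged judgment of step S200 (header blacklist, then body blacklist, then attachment inspection) can be sketched as follows. This is an added example, not code from the patent: the blacklist entries, sample mails and function names are constructed, the office check covers only zip-based (OOXML) documents, and matching of the "preset characteristic field block" for PE files is left out because the page does not specify those blocks.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed blacklist entries (assumptions, not from the patent). The
# "dynamic" libraries would be refreshed from user reports and periodic pushes.
HEADER_BLACKLIST = {"billing@pay-verify.example", "pay-verify.example"}
BODY_BLACKLIST = {"verify your account", "http://login.pay-verify.example/"}

# Leading bytes -> MIME type the attachment content really has.
MAGIC = [(b"MZ", "application/x-dosexec"),
         (b"\x89PNG\r\n\x1a\n", "image/png")]


def check_header(msg):
    """Stage 1: sender/reply addresses and domains against the first-type list."""
    for field in ("From", "Reply-To"):
        addr = parseaddr(str(msg.get(field, "")))[1].lower()
        domain = addr.rpartition("@")[2]
        if addr and (addr in HEADER_BLACKLIST or domain in HEADER_BLACKLIST):
            return f"{field} {addr} is blacklisted"
    return None


def check_body(msg):
    """Stage 2: keywords and link addresses against the second-type list."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().lower() if body is not None else ""
    for entry in sorted(BODY_BLACKLIST):
        if entry in text:
            return f"body contains blacklisted entry {entry!r}"
    return None


def sniff(data):
    """Return the MIME type implied by the attachment's leading bytes, or None."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return None


def has_macro(data):
    """True if a zip-based office document carries a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.endswith("vbaProject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False


def check_attachments(msg):
    """Stage 3: macro-bearing office documents and forged MIME declarations."""
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        declared = part.get_content_type()
        name = part.get_filename() or "(unnamed)"
        if data.startswith(b"PK\x03\x04") and has_macro(data):
            return f"{name}: office document contains a macro object"
        actual = sniff(data)
        if actual is not None and actual != declared:
            return f"{name}: declared {declared} but content is {actual}"
    return None


def classify(raw):
    """Run the three stages in order and stop at the first hit."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for stage, check in (("header", check_header), ("body", check_body),
                         ("attachment", check_attachments)):
        reason = check(msg)
        if reason:
            return {"suspected": True, "stage": stage, "reason": reason}
    return {"suspected": False, "stage": None, "reason": None}


def sample(sender="alice@corp.example", body="Minutes attached.", attach=None):
    """Build a constructed test mail; attach = (bytes, maintype, subtype, name)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "bob@corp.example", "Hello"
    m.set_content(body)
    if attach:
        data, maintype, subtype, name = attach
        m.add_attachment(data, maintype=maintype, subtype=subtype, filename=name)
    return m.as_bytes()


def macro_doc():
    """Constructed zip that mimics a macro-enabled Word document's layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/vbaProject.bin", b"\x00")
    return buf.getvalue()
```

Calling `classify(sample(attach=(b"MZ" + b"\x00" * 62, "image", "png", "invoice.png")))` reproduces the forged-MIME case described above: the part is declared image/png but its content is application/x-dosexec.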
S300, when the mail is judged to be a suspected phishing mail, sending the header information, the text information and/or the attachment information to an anti-phishing friend group for evaluation.
Specifically, before the header information, the text information and/or the attachment information are sent to the anti-phishing friend group for evaluation, the method further comprises the following steps: acquiring the associated contact setting information of the mailbox where the target mail is located; judging whether the mailbox has an anti-phishing friend group according to the associated contact setting information; when it is judged that the anti-phishing friend group exists, sending the header information, the text information and/or the attachment information to the anti-phishing friend group for evaluation; when it is judged that the anti-phishing friend group does not exist, acquiring instant messaging account information of a preset anti-phishing associated contact, triggering establishment of the anti-phishing friend group based on the anti-phishing associated contact, and then sending the header information, the text information and/or the attachment information to the anti-phishing friend group for evaluation.
The anti-phishing friend group and the anti-phishing associated contacts are set up on the basis of an instant messaging tool. By obtaining the instant messaging account information of the associated contact (usually the user), the anti-phishing friend group and anti-phishing associated contact information corresponding to that associated contact can be obtained.
The instant messaging account information of the associated contact can be obtained from settings the user has actively made in the electronic mailbox, such as the associated contact information of the mailbox set by the user, which includes the instant messaging account of the associated contact. After the instant messaging account information of the associated contact is obtained, whether the mailbox has an anti-phishing friend group can be judged according to that instant messaging account information.
Specifically, if the associated contact has an anti-phishing friend group, it is judged that the mailbox has an anti-phishing friend group, and the header information, the text information and/or the attachment information can be sent directly to the anti-phishing friend group for evaluation. If the associated contact has no anti-phishing friend group, it is judged that the mailbox has no anti-phishing friend group; in that case, the instant messaging account information of the preset anti-phishing associated contact is acquired, establishment of the anti-phishing friend group based on the anti-phishing associated contact is triggered, and the header information, the text information and/or the attachment information are then sent to the anti-phishing friend group for evaluation.
The anti-phishing associated contact information is preset, and can be set by the user or by the system. In this embodiment, the anti-phishing associated contact is preferably set automatically by the system, which selects the anti-phishing associated contact based on the work or occupation information noted in the user's remarks.
It can be understood that if the user has a history operation of using the anti-phishing friend group to perform the evaluation, the anti-phishing friend group already exists in the address book of the instant messaging tool of the associated contact person, and at this time, the information can be directly sent to the anti-phishing friend group to perform the evaluation. If the user triggers the anti-phishing friend group evaluation operation for the first time, an anti-phishing friend group is established according to instant messaging account information of a preset anti-phishing associated contact person, and then the information is sent to the anti-phishing friend group for evaluation.
S400, obtaining the evaluation result and displaying the evaluation result corresponding to the target mail.
In one implementation manner of this embodiment, the method for sending the foregoing header information, text information, and/or attachment information to the anti-phishing friend group for evaluation in step S300 is as follows: and displaying the head information, the text information and/or the accessory information as the group message sent by the user in a group communication interactive interface of the anti-phishing friend group, wherein a comment collecting control is arranged in the group communication interactive interface corresponding to the group message, and comment information of group members is collected through the comment collecting control.
And the comment collecting control is associated with a comment collecting interface. After the evaluation opinion collection control is triggered, the display screen can input the evaluation opinion collection interface for the triggered group members to input evaluation opinion information.
Preferably, a display permission setting control is further arranged corresponding to the comment information, and the display permission setting control is used for setting visible permission and/or validity time of the corresponding comment information.
A comment display control is also arranged corresponding to the group message; after being triggered, the comment display control outputs the comment information for the evaluation request.
The visibility permission that each group member has set for their own comment information is obtained, and the group member's comment information is hidden or masked according to that visibility permission.
The visibility permission can comprise a plurality of options, such as visible only to the user who requested the evaluation, visible to all group members, visible to some group members, and invisible to some group members. One or more sub-options can be arranged under each option so that the system or the user can set the viewing permission of the comment information.
Preferably, the visibility permission of the comment information of every group member is set by default to be visible only to group members whose job level is higher than that of the commenting member. In this way, the comment information that each group member can view is determined by that member's job level. This technical scheme is particularly suitable for an anti-phishing friend group established from personnel inside an enterprise, and can effectively prevent group members of lower job level from referring to the comments of group members of higher job level in order to cater to or advise them.
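The visibility options, the validity time and the default job-level rule described above can be expressed as one filter, shown here as an added example that is not part of the patent text. All names (Visibility, Comment, can_view, visible_authors) and the sample group are hypothetical, and it assumes that authors can always see their own unexpired comment.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class Visibility(Enum):
    REQUESTER_ONLY = 1     # only the user who requested the evaluation
    ALL_MEMBERS = 2        # every member of the group
    ALLOW_LIST = 3         # visible to the listed members only
    DENY_LIST = 4          # hidden from the listed members
    HIGHER_LEVEL_ONLY = 5  # default: only members ranked above the author


@dataclass(frozen=True)
class Comment:
    author: str
    verdict: str                                  # "phishing" or "regular"
    visibility: Visibility = Visibility.HIGHER_LEVEL_ONLY
    listed: frozenset = frozenset()               # for ALLOW_LIST / DENY_LIST
    expires_at: Optional[datetime] = None         # validity time, None = unlimited


def can_view(viewer, comment, requester, job_level, now):
    """Decide whether `viewer` may see `comment` at time `now`."""
    if comment.expires_at is not None and now >= comment.expires_at:
        return False                              # validity time has passed
    if viewer == comment.author:
        return True                               # assumption: authors see their own comment
    rule = comment.visibility
    if rule is Visibility.REQUESTER_ONLY:
        return viewer == requester
    if rule is Visibility.ALL_MEMBERS:
        return True
    if rule is Visibility.ALLOW_LIST:
        return viewer in comment.listed
    if rule is Visibility.DENY_LIST:
        return viewer not in comment.listed
    # HIGHER_LEVEL_ONLY: the viewer must rank strictly above the author
    return job_level[viewer] > job_level[comment.author]


def visible_authors(viewer, comments, requester, job_level, now):
    """Authors whose comments are shown to `viewer`; the rest are hidden."""
    return [c.author for c in comments
            if can_view(viewer, c, requester, job_level, now)]


# Constructed sample data (not from the patent)
NOW = datetime(2021, 7, 28, 9, 0)
JOB_LEVEL = {"alice": 3, "bob": 5, "carol": 2, "dave": 3}
REQUESTER = "alice"
COMMENTS = [
    Comment("bob", "phishing"),                   # default rule
    Comment("carol", "phishing"),                 # default rule
    Comment("dave", "regular", Visibility.REQUESTER_ONLY,
            expires_at=NOW + timedelta(hours=1)),
]

if __name__ == "__main__":
    for who in JOB_LEVEL:
        print(who, visible_authors(who, COMMENTS, REQUESTER, JOB_LEVEL, NOW))
```

Under the default rule the lowest-ranked member (carol) sees only her own comment, while the highest-ranked member's comment (bob) is shown to nobody else in the group.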
The above technical solution is described in detail below with reference to fig. 3.
Referring to Fig. 3, an interface diagram of the group communication interactive interface 300 is illustrated. After the header information, the text information and/or the attachment information are sent to the anti-phishing friend group in the form of a group message, the group communication interactive interface 300 illustrated in Fig. 3 may be popped up, and the user may perform information interaction in it. The group communication interactive interface 300 may include a group name 310, an interactive information display field 320, an interactive information input field 330, a device information display field 340, and a group member display field 350. The transmitted header information, text information and/or attachment information are output in the interactive information display field 320 in the form of an instant communication message 360, and a comment collecting control 361 and a comment display control 362 are output corresponding to the instant communication message 360.
The comment collecting control 361 is associated with a comment collecting interface. After the comment collecting control is triggered, the comment collecting interface is output so that the group member who triggered it can enter comment information. A display permission setting control is further arranged corresponding to the comment information, and the display permission setting control is used for setting the visibility permission and/or validity time of the corresponding comment information.
The comment display control 362, when triggered, outputs the group members' comment information for the header information, body information, and/or attachment information. Preferably, the comment information of each group member is output in the form of a list.
The visibility permission that each group member has set for their own comment information is obtained, and the group member's comment information is hidden or masked according to that visibility permission.
In another implementation manner of this embodiment, in step S300, the method for sending the foregoing header information, text information, and/or attachment information to the anti-phishing friend group for evaluation is as follows: the header information, the text information and/or the attachment information are displayed, as a group notice issued by the user, in a group communication interactive interface of the anti-phishing friend group, and a comment collecting control is set corresponding to the group notice in the group communication interactive interface, wherein the comment collecting control is used for collecting comment information of group members.
As in the previous embodiment, a comment display control may also be provided corresponding to the group message, where the comment display control is triggered to output comment information of the header information, the text information, and/or the attachment information. Other technical features refer to the previous embodiments and are not described in detail here.
In this embodiment, the step of performing the evaluation may specifically be as follows: acquiring the comment information of each group member in the anti-phishing friend group; counting the number of group members whose comment judges the target mail to be a suspected phishing mail, and judging whether that number exceeds a preset number threshold; and when the number exceeds the preset number threshold, judging that the target mail is a phishing mail, and outputting warning information corresponding to the target mail.
The preset number threshold may be set by the user or the system; by way of example and not limitation, the number threshold may be set to 1/2 of the total number of group members.
In another implementation manner of this embodiment, for an anti-phishing friend group built inside an enterprise, the comments of the group members may be treated differently according to the job level of the user, in which case the step of performing the evaluation may specifically be as follows:
acquiring the job level and comment information of each group member in the anti-phishing friend group, assigning the group members whose job level is equal to or higher than the job level of the user to a high job-level group, and assigning the group members whose job level is lower than the job level of the user to a low job-level group;
for the high job-level group, setting the initial value of the comment statistic value H to 0; for each group member of the high job-level group, acquiring the comment information of the group member and judging whether it rates the mail as a suspected phishing mail; if so, executing H++, otherwise keeping the current H value unchanged;
for the low job-level group, setting the initial value of the comment statistic value L to 0; for each group member of the low job-level group, acquiring the comment information of the group member and judging whether it rates the mail as a suspected phishing mail; if so, executing L++, otherwise keeping the current L value unchanged;
obtaining the final values of the comment statistic value H and the comment statistic value L, and judging whether H or L exceeds a preset quantity threshold; when either H or L exceeds the preset quantity threshold, the e-mail is judged to be a phishing mail; if neither exceeds the preset quantity threshold, the mail is judged to be a regular mail.
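The two evaluation steps described above, the plain count against one threshold and the count split by job level into H and L, are shown side by side in the following added example, which is not code from the patent. The Opinion type, the function names and the sample group are hypothetical, and it assumes that group members who have not commented count toward the group size but not toward H or L.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Opinion:
    member: str
    job_level: int
    suspects_phishing: bool   # this member's comment on the target mail


def default_threshold(group_size):
    """The page's example threshold: 1/2 of the total number of group members."""
    return group_size / 2


def plain_tally(opinions, group_size, threshold=None):
    """Count every member who rated the mail as suspected phishing."""
    if threshold is None:
        threshold = default_threshold(group_size)
    count = sum(1 for o in opinions if o.suspects_phishing)
    return count, ("phishing" if count > threshold else "regular")


def split_tally(opinions, user_level, group_size, threshold=None):
    """Count the high and low job-level groups separately (H and L)."""
    if threshold is None:
        threshold = default_threshold(group_size)
    high = low = 0                        # H and L both start at 0
    for o in opinions:
        if not o.suspects_phishing:
            continue                      # H / L stay unchanged
        if o.job_level >= user_level:     # equal to or above the user: high group
            high += 1
        else:                             # below the user: low group
            low += 1
    flagged = high > threshold or low > threshold
    return high, low, ("phishing" if flagged else "regular")


# Constructed sample: a group of 7, one member has not commented yet
GROUP_SIZE = 7
USER_LEVEL = 3
OPINIONS = [
    Opinion("bob", 5, True),
    Opinion("carol", 4, True),
    Opinion("dave", 3, False),
    Opinion("erin", 2, True),
    Opinion("frank", 1, True),
    Opinion("grace", 2, False),
]

if __name__ == "__main__":
    print("plain:", plain_tally(OPINIONS, GROUP_SIZE))
    print("split:", split_tally(OPINIONS, USER_LEVEL, GROUP_SIZE))
    print("split, threshold 1:", split_tally(OPINIONS, USER_LEVEL, GROUP_SIZE, 1))
```

Because H + L equals the plain count, a single shared threshold makes the split count the stricter test: the constructed group passes the plain count (4 of 7) but neither H nor L alone exceeds 3.5.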
Referring to fig. 4, an email client is provided in accordance with another embodiment of the present invention.
The client 400 includes a mail information extraction module 410, a mail pre-judging module 420, an evaluation module 430 and a result obtaining module 440.
The mail information extraction module 410 is configured to obtain a received mail, and extract header information, text information, and/or attachment information of the mail.
The mail pre-judging module 420 is configured to judge whether the mail is a suspected phishing mail according to the header information, the text information and/or the attachment information.
The evaluation module 430 is configured to send the header information, the body information, and/or the attachment information to the anti-phishing friend group for evaluation when the mail is determined to be a suspected phishing mail.
The result obtaining module 440 is configured to obtain the evaluation result and display the evaluation result corresponding to the mail.
For other technical features, reference is made to the foregoing embodiments, and each module may be configured to perform corresponding information acquisition, storage, transmission and information processing procedures, which are not described herein.
Referring to fig. 5, an email detection system is provided in accordance with another embodiment of the present invention.
The system 500 includes a memory 510 and a processor 520, and a phishing mail detection device stored on the memory and operable on the processor.
The phishing mail detection apparatus is configured to: acquire a target mail and extract header information, text information and/or attachment information of the target mail; judge whether the mail is a suspected phishing mail according to the header information, the text information and/or the attachment information; send the header information, the text information and/or the attachment information to an anti-phishing friend group for evaluation when the mail is judged to be a suspected phishing mail; and obtain the evaluation result and display the evaluation result corresponding to the target mail.
For other technical features, reference is made to the foregoing embodiments; each component may be configured to perform the corresponding information acquisition, storage, transmission and information processing procedures, which are not described again here.
In the above description, the disclosure of the present invention is not intended to limit itself to these aspects. Rather, the components may be selectively and operatively combined in any number within the scope of the present disclosure. In addition, terms like "comprising," "including," and "having" should be construed by default as inclusive or open-ended, rather than exclusive or closed-ended, unless expressly defined to the contrary. All technical, scientific, or other terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs. Common terms found in dictionaries should not be too idealized or too unrealistically interpreted in the context of the relevant technical document unless the present disclosure explicitly defines them as such. Any alterations and modifications of the present invention, which are made by those of ordinary skill in the art based on the above disclosure, are intended to be within the scope of the appended claims.

Claims (7)

1. An email security control method, characterized by comprising the steps of:
acquiring a target mail, and extracting header information, text information and/or attachment information of the target mail; the target mail is a mail received by a user;
judging whether the mail is a suspected phishing mail according to the header information, the text information and/or the attachment information;
when the mail is judged to be a suspected phishing mail, sending the header information, the text information and/or the attachment information to an anti-phishing friend group for evaluation;
obtaining the evaluation result and displaying the evaluation result corresponding to the target mail;
wherein the method comprises the following steps: acquiring the associated contact setting information of the mailbox where the target mail is located; judging, according to the associated contact setting information, whether the mailbox is provided with an anti-phishing friend group; when it is judged that the anti-phishing friend group exists, sending the header information, the text information and/or the attachment information to the anti-phishing friend group for evaluation; when it is judged that the anti-phishing friend group does not exist, acquiring instant messaging account information of a preset anti-phishing associated contact person, triggering establishment of the anti-phishing friend group based on the anti-phishing associated contact person, and then sending the header information, the text information and/or the attachment information to the anti-phishing friend group for evaluation;
the associated contact person is the user, and the anti-phishing friend group and the anti-phishing associated contact person corresponding to the user are obtained by obtaining instant messaging account information of the user, wherein the anti-phishing friend group and the anti-phishing associated contact person are set based on an instant messaging tool; and the header information, the text information and/or the attachment information are displayed as a group message sent by the user in a group communication interactive interface of the anti-phishing friend group;
the group communication interactive interface is provided with a comment collecting control corresponding to the group message, and comment information of group members is collected through the comment collecting control; the comment collecting control is associated with a comment collecting interface, and after the comment collecting control is triggered, the comment collecting interface is output so that the group member who triggered it can enter comment information; a display permission setting control is further arranged corresponding to the comment information, and the display permission setting control is used for setting the visibility permission and/or validity time of the corresponding comment information;
and the comments of the group members of the anti-phishing friend group are treated differently according to the job level of the user, in which case the steps of performing the evaluation are as follows: acquiring the job level and comment information of each group member in the anti-phishing friend group, assigning the group members whose job level is equal to or higher than the job level of the user to a high job-level group, and assigning the group members whose job level is lower than the job level of the user to a low job-level group; for the high job-level group, setting the initial value of the comment statistic value H to 0; for each group member of the high job-level group, acquiring the comment information of the group member and judging whether it rates the mail as a suspected phishing mail; if so, adding 1 to the H value, otherwise keeping the current H value unchanged; for the low job-level group, setting the initial value of the comment statistic value L to 0; for each group member of the low job-level group, acquiring the comment information of the group member and judging whether it rates the mail as a suspected phishing mail; if so, adding 1 to the L value, otherwise keeping the current L value unchanged; obtaining the final values of the comment statistic value H and the comment statistic value L, judging whether the H value or the L value exceeds a preset quantity threshold, and judging that the e-mail is a phishing mail when either the H value or the L value exceeds the preset quantity threshold; and when neither the H value nor the L value exceeds the preset quantity threshold, judging that the mail is a regular mail.
2. The method according to claim 1, characterized in that: the step of determining whether the mail is a suspected phishing mail includes,
acquiring the header information of the mail;
based on a preset first-type dynamic blacklist library, judging whether the header information contains first-type phishing information specified in the first-type dynamic blacklist library, and judging that the mail is a suspected phishing mail when the first-type phishing information is contained.
3. The method according to claim 2, characterized in that: when the first-type phishing information is not contained, a text information judging instruction is issued; according to the text information judging instruction, it is judged whether the text information of the mail contains second-type phishing information specified in a preset second-type dynamic blacklist library, and when the second-type phishing information is contained, the mail is judged to be a suspected phishing mail.
4. A method according to claim 3, characterized in that: and when the target mail contains the attachment, acquiring the file attribute type of the attachment, detecting the attachment according to the file attribute type, and judging whether the target mail is a suspected phishing mail according to an attachment detection result.
5. The method according to claim 4, wherein: when the attachment is detected according to the file attribute type, if the file attribute type is an office document, detecting whether the attachment contains a macro object, and judging that the target mail is a suspected phishing mail when the attachment contains the macro object; if the file attribute type is a portable executable (PE) file, detecting whether a preset characteristic field block exists in the attachment, and judging that the target mail is a suspected phishing mail when the preset characteristic field block exists; if the file attribute type is neither of the two types, acquiring the mail protocol of the target mail through a preset matching rule, acquiring a file attribute field in the mail protocol, detecting whether the content of the file attribute field matches the file attribute field type of the attachment, and judging that the target mail is a suspected phishing mail when the MIME field does not match the MIME type.
6. An email client according to the method of claim 1, comprising:
the mail information extraction module is used for acquiring the received mail and extracting the header information, the text information and/or the attachment information of the mail;
the mail pre-judging module is used for judging whether the mail is a suspected phishing mail according to the header information, the text information and/or the attachment information;
the evaluation module is used for sending the header information, the text information and/or the attachment information to the anti-phishing friend group for evaluation when the mail is judged to be a suspected phishing mail;
and the result obtaining module is used for obtaining the evaluation result and displaying the evaluation result corresponding to the mail.
7. An email detection system comprising a memory and a processor according to the method of claim 1, wherein: further comprising phishing mail detection means stored on said memory and operable on said processor;
the phishing mail detection apparatus is configured to: acquire a target mail and extract header information, text information and/or attachment information of the target mail; judge whether the mail is a suspected phishing mail according to the header information, the text information and/or the attachment information; send the header information, the text information and/or the attachment information to an anti-phishing friend group for evaluation when the mail is judged to be a suspected phishing mail; and obtain the evaluation result and display the evaluation result corresponding to the target mail.
CN202110858775.2A 2021-07-28 2021-07-28 E-mail security control method, client and system Active CN113630397B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110858775.2A CN113630397B (en) 2021-07-28 2021-07-28 E-mail security control method, client and system

Publications (2)

Publication Number Publication Date
CN113630397A CN113630397A (en) 2021-11-09
CN113630397B true CN113630397B (en) 2023-04-25

Family

ID=78381340


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant