CN114465978A - Mailbox disclosure discovery method, device and system and readable storage medium - Google Patents


Publication number
CN114465978A
Authority
CN
China
Legal status
Granted
Application number
CN202210115657.7A
Other languages
Chinese (zh)
Other versions
CN114465978B (en)
Inventor
余学强
刘欢
胥帆鸥
李伟辰
练晓谦
Current Assignee
Beijing Knownsec Information Technology Co Ltd
Original Assignee
Beijing Knownsec Information Technology Co Ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441: Countermeasures against malicious traffic
    • H04L63/1491: Countermeasures against malicious traffic using deception as countermeasure, e.g. honeypots, honeynets, decoys or entrapment

Abstract

The embodiments of the application provide a method, a device and a system for discovering mailbox disclosure, and a readable storage medium, applied to the technical field of email. The mailbox disclosure discovery system first constructs a masquerading mail for each mailbox according to a trap mail template and sends each masquerading mail to its corresponding mailbox. When a first mailbox acquires the masquerading mail from one of those mailboxes and opens it, a picture download request is sent to the mailbox disclosure discovery system, which determines the leaked mailbox from the target identifier in that request. Because a masquerading mail containing an identifier is sent to every mailbox, a leaked mailbox account can be discovered promptly from the identifier and reported to an administrator, which safeguards the mailbox accounts.

Description

Mailbox disclosure discovery method, device and system and readable storage medium
Technical Field
The invention relates to the technical field of mails, in particular to a method, a device and a system for discovering mailbox leakage and a readable storage medium.
Background
E-mail is usually an important tool for communication inside and outside an enterprise and carries a large amount of enterprise information. Because e-mail is an obvious target with low attack cost and high return, it is easily leaked through external attack. Mail leakage can greatly threaten the security of the enterprise and affect the normal work of individuals or the enterprise.
In daily work, mail leaks in various ways: external attacks can cause leakage, and so can user habits or other causes. The prior art has done much work on preventing mail leakage, but it cannot cover the wide range of ways in which mail leaks, so leakage still occurs in some cases. When a leak occurs, the prior art cannot determine that mail has leaked or which mailbox it leaked from, so the leak persists and causes unavoidable loss.
Therefore, how to discover mail leakage in time has become a problem to be considered by those skilled in the art.
Disclosure of Invention
The application provides a method, a device and a system for discovering mailbox leakage and a readable storage medium, which can find a leaked mailbox account in time when a mail is leaked.
In order to achieve the above purpose, the embodiments of the present application employ the following technical solutions:
In a first aspect, an embodiment of the present application provides a mailbox leakage discovery method, which is applied to a mailbox leakage discovery system, where the mailbox leakage discovery system is connected to at least one mailbox, the mailbox leakage discovery system is configured with a trap mail template, and the mailbox leakage discovery system stores in advance a one-to-one correspondence between at least one identifier and the at least one mailbox, where the method includes:
constructing a masquerading mail corresponding to each mailbox according to the trap mail template, wherein the masquerading mail comprises the identifier corresponding to the mailbox;
sending the masquerading mail corresponding to each mailbox;
receiving a first picture downloading request sent by a first mailbox, wherein the first picture downloading request is generated when the first mailbox opens a target masquerading mail, the target masquerading mail is acquired by the first mailbox from any one of mailboxes connected with the first mailbox, and the first picture downloading request comprises a target identifier in the target masquerading mail;
and determining a leaked target mailbox according to the target identifier, wherein the target mailbox corresponds to the target identifier.
Optionally, the mailbox disclosure discovery system further prestores a common login IP address of each mailbox, and the first picture downloading request further includes a first IP address of the first mailbox;
after the step of determining a target mailbox with mailbox leakage according to the target identifier, the method further comprises the following steps:
and determining the leakage level of the target mailbox according to the relation between the first IP address and the common login IP address of the target mailbox.
Optionally, the step of determining the leakage level of the target mailbox according to the relationship between the first IP address and the common login IP address of the target mailbox includes:
if the first IP address belongs to a common login IP address of the target mailbox, determining that the leakage risk of the target mailbox is low risk;
and if the first IP address does not belong to the common login IP address of the target mailbox, determining that the leakage risk of the target mailbox is a medium risk.
Optionally, the mailbox disclosure discovery system further prestores a common login IP address of each mailbox, and the first picture downloading request further includes a first IP address of the first mailbox;
after the step of determining a target mailbox with mailbox leakage according to the target identifier, the method further comprises the following steps:
receiving a second picture downloading request sent by a second mailbox, wherein the second picture downloading request is generated when the second mailbox opens the target masquerading mail after the first mailbox sends the target masquerading mail to any second mailbox connected with it, and the second picture downloading request comprises a second IP address of the second mailbox;
and determining the leakage level of the target mailbox according to the relation among the first IP address, the second IP address and the common login IP address of the target mailbox.
Optionally, the step of determining the leakage level of the target mailbox according to the relationship between the first IP address, the second IP address and the common login IP address of the target mailbox includes:
if the first IP address belongs to a common login IP address of the target mailbox, determining that the leakage risk of the target mailbox is low risk;
if the first IP address does not belong to the common login IP address of the target mailbox and the first IP address is consistent with the second IP address, determining that the leakage risk of the target mailbox is a medium risk;
and if the first IP address does not belong to the common login IP address of the target mailbox and the first IP address is inconsistent with the second IP address, determining that the leakage risk of the target mailbox is high risk.
In a second aspect, an embodiment of the present application further provides a mailbox leakage discovery apparatus, which is applied to a mailbox leakage discovery system, where the mailbox leakage discovery system is connected to at least one mailbox, the mailbox leakage discovery system is configured with a trap mail template, and the mailbox leakage discovery system stores in advance a one-to-one correspondence between at least one identifier and the at least one mailbox, and the apparatus includes:
the constructing module is used for constructing a masquerading mail corresponding to each mailbox according to the trap mail template, wherein the masquerading mail comprises the identifier corresponding to the mailbox;
the sending module is used for sending the masquerading mail corresponding to each mailbox;
the receiving module is used for receiving a first picture downloading request sent by a first mailbox, wherein the first picture downloading request is generated when the first mailbox opens a target masquerading mail, the target masquerading mail is obtained by the first mailbox from any one of the mailboxes connected with the first mailbox, and the first picture downloading request comprises a target identifier in the target masquerading mail;
and the determining module is used for determining a leaked target mailbox according to the target identifier, wherein the target mailbox corresponds to the target identifier.
Optionally, the mailbox disclosure discovery system further prestores a common login IP address of each mailbox, and the first picture downloading request further includes a first IP address of the first mailbox;
the determining module is further configured to determine a leakage level of the target mailbox according to a relationship between the first IP address and a common login IP address of the target mailbox.
Optionally, the determining module is specifically configured to:
if the first IP address belongs to a common login IP address of the target mailbox, determining that the leakage risk of the target mailbox is low risk;
and if the first IP address does not belong to the common login IP address of the target mailbox, determining that the leakage risk of the target mailbox is a medium risk.
In a third aspect, an embodiment of the present application further provides a mailbox disclosure discovery system, including: a processor, a memory and a bus, wherein the memory stores program instructions executable by the processor, when the mailbox leak discovery system runs, the processor communicates with the memory through the bus, and the processor executes the program instructions to execute the mailbox leak discovery method according to any one of the first aspect.
In a fourth aspect, an embodiment of the present application further provides a readable storage medium, where a computer program is stored on the readable storage medium, and when the computer program is executed by a processor, the mailbox leak discovery method according to any one of the first aspects is performed.
Compared with the prior art, the embodiments of the application provide a method, a device, a system and a readable storage medium for discovering mailbox leakage. The mailbox leakage discovery system first constructs a masquerading mail for each mailbox according to a trap mail template and sends each masquerading mail to its corresponding mailbox. When a first mailbox acquires the masquerading mail from one of those mailboxes and opens it, a picture download request is sent to the mailbox leakage discovery system, which determines the leaked mailbox from the target identifier in that request. Because a masquerading mail containing an identifier is sent to every mailbox, a leaked mailbox account can be discovered promptly from the identifier and reported to an administrator, which safeguards the mailbox accounts.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings needed to be used in the embodiments will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present invention and therefore should not be considered as limiting the scope, and for those skilled in the art, other related drawings can be obtained according to the drawings without inventive efforts.
Fig. 1 shows an application scenario diagram of a mailbox disclosure discovery method provided in an embodiment of the present application.
Fig. 2 is a diagram illustrating another application scenario of the mailbox leak discovery method according to the embodiment of the present application.
Fig. 3 shows a flowchart of a mailbox disclosure discovery method provided in an embodiment of the present application.
Fig. 4 shows another flowchart of the mailbox leak discovery method according to the embodiment of the present application.
Fig. 5 shows another flowchart of the mailbox leak discovery method according to the embodiment of the present application.
Fig. 6 shows another flowchart of the mailbox leak discovery method according to the embodiment of the present application.
Fig. 7 shows another flowchart of a mailbox leak discovery method according to an embodiment of the present application.
Fig. 8 shows a schematic structural diagram of a mailbox leak discovery apparatus according to an embodiment of the present application.
Fig. 9 is a schematic structural diagram illustrating a mailbox leak discovery system according to an embodiment of the present application.
Reference numerals: 10 - mailbox leak discovery system; 20 - mailbox; 30 - first mailbox; 40 - second mailbox; 201 - target mailbox; 100 - mailbox leak discovery apparatus; 110 - construction module; 120 - sending module; 130 - receiving module; 140 - determination module; 11 - processor; 12 - memory; 13 - bus.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are some, but not all, embodiments of the present invention. The components of embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the present invention, presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.
Furthermore, the appearances of the terms "first," "second," and the like, if any, are used solely to distinguish one from another and are not to be construed as indicating or implying relative importance.
E-mail is an important tool for internal and external communication of enterprises and carries a large amount of enterprise information. Because e-mail is an obvious target with low attack cost and high return, it is easily leaked through external attack.
Mail leaks in various ways: external attacks can cause leakage, and so can user habits or other causes. The prior art has done much work on preventing mail leakage, but it cannot cover the wide range of ways in which mail leaks, so leakage still occurs in some cases.
In view of the foregoing technical problems, embodiments of the present application provide a method, an apparatus, a system, and a readable storage medium for discovering mailbox disclosure. When a masquerading mail has leaked and is then opened and viewed, the first picture download request triggered by the masquerading mail automatically sends the identifier to the mailbox disclosure discovery system, so the leaked mailbox account can be discovered in time, as described in detail below.
Referring to fig. 1, fig. 1 is a diagram illustrating an application scenario of a mailbox disclosure discovery method according to an embodiment of the present application, including a mailbox disclosure discovery system 10 and a plurality of mailboxes 20.
The mailbox disclosure discovery system 10 is connected to at least one mailbox 20 through a network to exchange data with it. The connection may be a wired network, which may include coaxial cable, twisted pair, optical fiber and the like, or a wireless network, which may be a 2G, 3G, 4G or 5G network, a Wi-Fi network and the like; this is not limited in the embodiments of the present application.
The mailbox disclosure discovery system 10 is configured to construct a masquerading mail for each mailbox 20 according to the trap mail template, send each masquerading mail to its corresponding mailbox 20, receive a first picture download request sent by a first mailbox, determine the mailbox account of the leaked target mailbox according to the target identifier, and display that mailbox account in a client. The users of the mailbox disclosure discovery system 10 are administrators.
The mailbox disclosure discovery system 10 is configured with a trap mail template. The template carries false sensitive information, that is, false content or a false subject related to the enterprise's sensitive information, and is written in HTML. In addition, the mailbox disclosure discovery system 10 stores in advance a one-to-one correspondence between at least one identifier and at least one mailbox 20, so that the mailbox account of the corresponding mailbox 20 can be found through the identifier.
The mailbox 20 is used for receiving a masquerading mail sent by the mailbox disclosure discovery system 10, and may be an electronic mailbox which is used by a user daily and can send and receive mails, or a masquerading mailbox which only receives a masquerading mail, and a facing object of the masquerading mail is a user and has a separate network domain name.
Referring to fig. 2 on the basis of the application scenario diagram shown in fig. 1, fig. 2 shows another application scenario diagram of the mailbox disclosure discovery method according to the embodiment of the present application, which includes a mailbox disclosure discovery system 10, a target mailbox 201, a first mailbox 30, and a second mailbox 40.
The mailbox disclosure discovery system 10, the target mailbox 201, the first mailbox 30 and the second mailbox 40 are connected in sequence, and the mailbox disclosure discovery system 10 is further connected with the first mailbox 30 and the second mailbox 40 respectively.
The target mailbox 201 is a mailbox which reveals a target masquerading mail and can be determined according to a target identifier in the target masquerading mail, wherein the target masquerading mail is a masquerading mail acquired by the first mailbox 30 from the target mailbox 201, and the target identifier is an identifier corresponding to the target mailbox 201 in the target masquerading mail.
The first mailbox 30 is an intruder mailbox, and is capable of acquiring a mail from the target mailbox 201 without permission of a user of the target mailbox 201, and also capable of sending the acquired mail to the second mailbox 40 or other mailboxes, and when the mail acquired by the first mailbox 30 includes a target masquerading mail and the target masquerading mail is opened, the first mailbox 30 sends a first picture download request to the mailbox disclosure discovery system 10.
The second mailbox 40 receives the masquerading mail sent from the first mailbox 30 and, on opening it, sends a second picture download request to the mailbox disclosure discovery system 10.
It should be noted that the first picture downloading request and the second picture downloading request are requests sent to the mailbox disclosure discovery system 10 by the first mailbox 30 and the second mailbox 40 when the target masquerading mail is opened, and are used for downloading the pictures inserted in the target masquerading mail.
It should be noted that the mailbox disclosure discovery system 10 may further include a client, through which the administrator can send an instruction to construct a masquerading mail. The client may be of various types: for example, a client of a portal, such as a surf client or a search client; a client of a popular application, such as a WeChat client or a microblog client; or a client of a mainstream mailbox, such as a 163 mailbox client or a 126 mailbox client. This is not limited in the embodiments of the present application.
Referring to fig. 3 on the basis of the application scenario diagram shown in fig. 1, fig. 3 is a flowchart illustrating a mailbox disclosure discovery method provided in an embodiment of the present application, where the mailbox disclosure method is applied to a mailbox disclosure discovery system 10, and includes the following steps S110 to S140:
S110, constructing a masquerading mail corresponding to each mailbox according to the trap mail template, wherein the masquerading mail comprises an identifier corresponding to the mailbox.
The masquerading mail includes an identifier corresponding to the mailbox 20, where the identifier is an identification instruction capable of identifying the mailbox 20 to distinguish different mailboxes 20, for example, the identifier may be a MAC address of the mailbox 20, may also be an Identity (ID) of the mailbox 20, and may also be set according to other characteristics of the mailbox 20, which is not limited in this embodiment of the present application.
It should be noted that, a picture resource is inserted into each masquerading mail, a download address of the picture resource points to the mailbox disclosure discovery system 10, and when the masquerading mail is opened, the picture resource is automatically loaded and requests the mailbox disclosure discovery system 10 for the picture resource. The mailbox disclosure discovery system 10 constructs a plurality of masquerading mails according to a pre-stored trap mail template, and each masquerading mail corresponds to the mailbox 20.
S120, sending the masquerading mail corresponding to each mailbox.
After the mailbox disclosure discovery system 10 constructs the masquerading mails, it sends each mailbox 20 its corresponding masquerading mail. At this point, an administrator of the mailbox disclosure discovery system 10 informs the user of each mailbox 20 that the masquerading mail must not be opened, so as to avoid misjudgment.
It should be noted that the mailbox disclosure discovery system 10 can send the masquerading mail to each mailbox 20 at a preset time interval, which may be the system default or set according to the administrator's requirements; the embodiments of the present application place no limit on this. For example, the masquerading mail may be sent once every 6 hours.
S130, receiving a first picture downloading request sent by the first mailbox.
The first picture download request is generated when the first mailbox 30 opens the target masquerading mail; the target masquerading mail is obtained by the first mailbox 30 from any mailbox 20 connected to it, and the first picture download request includes the target identifier in the target masquerading mail.
When the first mailbox 30, without permission, acquires the masquerading mail from any mailbox 20 connected to it and opens it, the picture inserted in the masquerading mail is downloaded automatically. Because the picture download address points to the mailbox disclosure discovery system 10, the first mailbox 30 sends the first picture download request to the mailbox disclosure discovery system 10 to obtain the picture.
S140, determining a leaked target mailbox according to the target identifier, wherein the target mailbox corresponds to the target identifier.
Since the identifier corresponds to the mailbox 20 and the target mailbox 201 corresponds to the target identifier, after the mailbox disclosure discovery system 10 receives the first picture download request, the target identifier in the target masquerading mail can be acquired, and the mailbox 20 which reveals the target masquerading mail is found out as the target mailbox 201 according to the correspondence.
It should be noted that, the correspondence between the identifier and the mailbox pre-stored by the mailbox disclosure discovery system 10 may be that a single identifier corresponds to a single mailbox, for example, 01 identifier corresponds to an a mailbox, 02 identifier corresponds to a B mailbox, or multiple identifiers correspond to a single mailbox, for example, 01 identifier and 02 identifier both correspond to an a mailbox, which is not limited in this embodiment of the present application.
After the leaked target mailbox 201 is determined, refer to fig. 4 on the basis of fig. 3. Fig. 4 shows another schematic flowchart of the mailbox leak discovery method according to the embodiment of the present application, in which step S150 follows step S140:
S150, determining the leakage level of the target mailbox according to the relation between the first IP address and the common login IP address of the target mailbox.
The first picture downloading request further includes a first IP address of the first mailbox 30, when the mailbox disclosure discovery system 10 receives the first picture downloading request sent by the first mailbox 30, the first IP address in the first picture downloading request is read, then the picture resource corresponding to the first picture downloading request is sent to the first mailbox 30 according to the first IP address, and the first mailbox 30 loads and displays the picture resource after receiving the picture resource.
The mailbox disclosure discovery system 10 pre-stores the common login IP address of each mailbox 20 and determines the leakage level of the target mailbox 201 according to the relationship between the first IP address and the common login IP address of the target mailbox 201, where the common login IP address is the address most commonly used when a user logs in to the mailbox with the mailbox account. In the embodiment of the present application, the common login IP addresses are the N (e.g., 5) most frequent IP addresses among all IP addresses from which the user has logged in to the mailbox with the mailbox account, where N is a positive integer greater than 1. The common login IP address may of course be determined by other methods, and the method used in the embodiment of the present application does not limit the scope of protection.
Step S150 is described in detail next. Referring to fig. 5 on the basis of fig. 4, fig. 5 shows another schematic flowchart of the mailbox leak discovery method provided in the embodiment of the present application, in which step S150 includes:
S151, if the first IP address belongs to the common login IP address of the target mailbox, determining that the leakage risk of the target mailbox is low risk.
S152, if the first IP address does not belong to the common login IP address of the target mailbox, determining that the leakage risk of the target mailbox is a medium risk.
After the mailbox leakage discovery system 10 acquires the first IP address, it determines whether the first IP address belongs to the common login IP address of the target mailbox 201. If it does, the user of the target mailbox 201 may have opened the target masquerading mail by mistake; the mailbox leakage discovery system 10 determines that the leakage risk of the target mailbox 201 is low risk, and an administrator of the mailbox leakage discovery system 10 then checks with the user of the target mailbox 201.
If the first IP address does not belong to the common login IP address of the target mailbox 201, it is determined that the target mailbox 201 is leaked, and the mailbox leakage discovery system 10 determines that the leakage risk of the target mailbox 201 is a medium risk.
In the embodiment of the present application, when the mailbox disclosure discovery system 10 determines that the leakage risk of the target mailbox 201 is medium risk or low risk, it can display the risk in the client and can also output an alarm signal to the client, so that an administrator learns of the situation quickly and can respond to it, for example by maintaining the target mailbox to strengthen the security of the account data in the mailbox. The alarm signal may be a sound alarm signal, a text alarm signal, or the like.
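The following Python example is added here and is not part of the patent. It implements steps S110 to S150 together with the low/medium/high rule stated in the Disclosure of Invention. The collector URL, sender address, template text, the random identifier and the treatment of any later request for the same identifier as the "second" request are assumptions, and the sample requests are constructed.

```python
import secrets
from collections import Counter
from dataclasses import dataclass, field
from email.message import EmailMessage
from urllib.parse import parse_qs, urlsplit

# Assumed values for illustration; none of these come from the patent.
COLLECTOR = "https://leak-collector.example.invalid/logo.png"
SENDER = "it-notices@corp.example.invalid"
TRAP_TEMPLATE = (
    "<html><body><p>Payroll adjustments, confidential draft.</p>"
    '<img src="{pixel}" alt=""></body></html>'
)


def common_login_ips(login_history, n=5):
    """The N most frequent login IPs of a mailbox (the embodiment uses N=5)."""
    return {ip for ip, _ in Counter(login_history).most_common(n)}


def classify(first_ip, common_ips, second_ip=None):
    """Grade a leak from the requester IPs, following the rules in the text."""
    if first_ip in common_ips:
        return "low"      # probably the mailbox's own user opening it by mistake
    if second_ip is None or second_ip == first_ip:
        return "medium"   # opened from an address the user does not log in from
    return "high"         # opened again from yet another address


@dataclass
class LeakDiscovery:
    id_to_mailbox: dict = field(default_factory=dict)  # identifier -> mailbox
    common_ips: dict = field(default_factory=dict)     # mailbox -> set of IPs
    first_seen: dict = field(default_factory=dict)     # identifier -> first IP

    def build_trap_mail(self, mailbox):
        """S110: build the masquerading mail carrying this mailbox's identifier."""
        ident = secrets.token_urlsafe(16)  # assumption: random, unguessable ID
        self.id_to_mailbox[ident] = mailbox
        msg = EmailMessage()
        msg["From"], msg["To"] = SENDER, mailbox
        msg["Subject"] = "Payroll adjustments (draft)"
        msg.set_content("This message requires an HTML-capable mail client.")
        html = TRAP_TEMPLATE.format(pixel=f"{COLLECTOR}?id={ident}")
        msg.add_alternative(html, subtype="html")
        return ident, msg

    def handle_picture_request(self, url, source_ip):
        """S130 to S150: map the identifier to a mailbox and grade the event."""
        ident = parse_qs(urlsplit(url).query).get("id", [None])[0]
        mailbox = self.id_to_mailbox.get(ident)
        if mailbox is None:
            return None  # missing or unknown identifier: not a trap mail of ours
        if ident in self.first_seen:
            # Assumption: any later request for the same identifier is treated
            # as the "second picture download request".
            first_ip, second_ip = self.first_seen[ident], source_ip
        else:
            first_ip, second_ip = source_ip, None
            self.first_seen[ident] = source_ip
        level = classify(first_ip, self.common_ips.get(mailbox, set()), second_ip)
        return {"mailbox": mailbox, "level": level,
                "first_ip": first_ip, "second_ip": second_ip}


def demo():
    """Run constructed requests (documentation-range IPs) through the system."""
    lds = LeakDiscovery()
    alice, bob = "alice@corp.example.invalid", "bob@corp.example.invalid"
    history = ["198.51.100.7"] * 6 + ["198.51.100.8"] * 2 + ["203.0.113.50"]
    lds.common_ips[alice] = common_login_ips(history, n=2)
    lds.common_ips[bob] = {"198.51.100.20"}
    id_a, _ = lds.build_trap_mail(alice)
    id_b, _ = lds.build_trap_mail(bob)
    requests = [
        (id_a, "192.0.2.44"),      # unfamiliar address opens alice's trap mail
        (id_a, "192.0.2.99"),      # same mail opened again from elsewhere
        (id_b, "198.51.100.20"),   # bob opens his own trap mail
        ("not-issued", "192.0.2.1"),
    ]
    return [lds.handle_picture_request(f"{COLLECTOR}?id={i}", ip)
            for i, ip in requests]


if __name__ == "__main__":
    for event in demo():
        print(event)
```

Mail clients that block remote images or fetch them through a proxy will suppress the request or replace the requester's IP address, so the absence of a request does not show that a mailbox is intact.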
S210, receiving a second picture downloading request sent by a second mailbox.
The mailbox disclosure discovery system 10 further stores a common login IP address of each mailbox 20 in advance, and the first picture downloading request further includes a first IP address of the first mailbox 30.
The second picture download request is generated when the second mailbox 40 opens the target masquerading mail after the first mailbox 30 sends the target masquerading mail to any one of the second mailboxes 40 connected to itself, wherein the second picture download request includes a second IP address of the second mailbox 40.
When the mailbox disclosure discovery system 10 receives a first picture download request sent by the first mailbox 30, the first IP address in the first picture download request is read, then the picture resource corresponding to the first picture download request is sent to the first mailbox 30 according to the first IP address, and the first mailbox 30 loads and displays the picture resource after receiving the picture resource.
If the second mailbox 40 opens the target masquerading mail after the first mailbox 30 sends the target masquerading mail to the second mailbox 40, the picture inserted in the target masquerading mail is automatically downloaded at this time, and the picture download address is connected to the mailbox disclosure discovery system 10, so that the second mailbox 40 sends a second picture download request to the mailbox disclosure discovery system 10 to acquire the picture.
S220, determining the leakage level of the target mailbox according to the relation between the first IP address, the second IP address and the common login IP address of the target mailbox.
When the mailbox disclosure discovery system 10 receives the second picture download request sent by the second mailbox 40, the second IP address in the second picture download request is read, then the picture resource corresponding to the second picture download request is sent to the second mailbox 40 according to the second IP address, and the second mailbox 40 loads and displays the picture resource after receiving the picture resource.
After the target masquerading mail is forwarded, the mailbox disclosure discovery system 10 determines the disclosure level of the target mailbox 201 according to the relationship among the first IP address, the second IP address and the common login IP address of the target mailbox 201.
Next, step S220 is described in detail. Referring to fig. 7, which builds on fig. 6 and shows another schematic flow chart of the mailbox leak discovery method according to the embodiment of the present application, step S220 includes:
S221, if the first IP address belongs to the common login IP address of the target mailbox, determining that the leakage risk of the target mailbox is low risk.
S222, if the first IP address does not belong to the common login IP address of the target mailbox and the first IP address is consistent with the second IP address, determining that the leakage risk of the target mailbox is a medium risk.
S223, if the first IP address does not belong to the common login IP address of the target mailbox and the first IP address is inconsistent with the second IP address, determining that the leakage risk of the target mailbox is high risk.
When the first IP address belongs to the common login IP address of the target mailbox 201, it is determined that the user opened the target masquerading mail by mistake, and the target mailbox 201 is judged to be at low risk.
When the first IP address does not belong to the common login IP address of the target mailbox 201 and the first IP address is consistent with the second IP address, it is determined that the target masquerading mail has been leaked once, and the target mailbox 201 is judged to be at medium risk.
When the first IP address does not belong to the common login IP address of the target mailbox 201 and the first IP address is inconsistent with the second IP address, it is determined that the target masquerading mail has been leaked a second time, and the target mailbox 201 is judged to be at high risk.
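The identifier lookup and the S221 to S223 grading described above, as an added example that is not code from the patent: each mailbox gets a random identifier carried in its picture URL, and every picture download request is graded against the first IP address seen for that identifier. The class and method names, the `beacon.example` URL layout with an `id` parameter, the rule that a grade never drops once raised, and all sample addresses are assumptions.

```python
import ipaddress
import secrets
from urllib.parse import parse_qs, urlsplit

LOW, MEDIUM, HIGH = "low", "medium", "high"
_ORDER = (LOW, MEDIUM, HIGH)


class LeakTracker:
    """Maps picture-request identifiers to mailboxes and grades the leak."""

    def __init__(self, common_login_ips):
        # common_login_ips: {mailbox address: iterable of usual login IPs}.
        # Addresses are parsed so equivalent spellings compare equal.
        self._common = {
            box: {ipaddress.ip_address(ip) for ip in ips}
            for box, ips in common_login_ips.items()
        }
        # One-to-one identifier <-> mailbox; random so it cannot be guessed
        # or derived from the mailbox name.
        self._box_by_id = {secrets.token_urlsafe(16): box for box in self._common}
        self._id_by_box = {box: ident for ident, box in self._box_by_id.items()}
        self._first_ip = {}  # identifier -> source IP of the first request
        self._risk = {}      # identifier -> highest grade reached so far

    def picture_url(self, mailbox):
        """URL to embed as the picture in this mailbox's masquerading mail."""
        # Hypothetical URL layout; only the identifier matters.
        return f"https://beacon.example/p.png?id={self._id_by_box[mailbox]}"

    def on_picture_request(self, url, source_ip):
        """Return (target mailbox, risk) for a request, or None if unattributable."""
        ids = parse_qs(urlsplit(url).query).get("id", [])
        if len(ids) != 1 or ids[0] not in self._box_by_id:
            return None  # missing, repeated or unknown identifier
        ident = ids[0]
        box = self._box_by_id[ident]
        ip = ipaddress.ip_address(source_ip)
        first = self._first_ip.setdefault(ident, ip)

        if first in self._common[box]:
            risk = LOW      # S221: first opener is a common login IP
        elif ip == first:
            risk = MEDIUM   # S152/S222: foreign IP, no different second IP yet
        else:
            risk = HIGH     # S223: a second, different foreign IP opened it

        # Assumption: a grade is never lowered by a later request.
        previous = self._risk.get(ident, LOW)
        risk = max(previous, risk, key=_ORDER.index)
        self._risk[ident] = risk
        return box, risk


if __name__ == "__main__":
    # Constructed sample data (documentation address ranges).
    tracker = LeakTracker({"bob@corp.example": ["198.51.100.20"]})
    url = tracker.picture_url("bob@corp.example")
    for src in ("203.0.113.7", "203.0.113.7", "192.0.2.44"):
        print(src, tracker.on_picture_request(url, src))
```

The source address is whatever the web server observes, so a mail provider's image proxy or a NAT gateway appears as the opener and should be accounted for when the common login IP list is built.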
In this embodiment, when the target mailbox 201 is a masquerading mailbox, since the masquerading mailbox only receives masquerading mails and is not used by a user, when the masquerading mails are opened by the first mailbox 30, the identifier of the masquerading mail and the first IP address of the first mailbox 30 are sent to the mailbox disclosure discovery system 10, and at this time, it is determined that the mails of the entire mailbox system in which the target mailbox 201 is located are disclosed.
The first mailbox 30 sends the masquerading mail to the second mailbox 40 or other mailboxes, and when the masquerading mail is opened, the mailbox disclosure discovery system 10 receives the second IP address or other IP addresses, and the IP addresses are different, at this time, it is determined that the mail in the entire mailbox system where the target mailbox 201 is located has been disclosed and propagated.
In another embodiment of the present application, when there are a plurality of leaked target mailboxes 201, and the first mailbox 30 acquires different masquerading mails from the plurality of target mailboxes 201 and opens the masquerading mails, a picture download request is sent to the mailbox leakage discovery system 10, and the mailbox leakage discovery system 10 obtains the first IP address and the different identifiers of the first mailbox 30 through the picture download request, and then determines that the mails of the entire mailbox system in which the target mailbox 201 is located are leaked.
When the mailbox disclosure discovery system 10 receives a plurality of IP addresses and a plurality of identifiers, and determines that the respective IP addresses are different and the respective identifiers are different, it determines that the mail in the entire mailbox system in which the target mailbox 201 is located has been disclosed and propagated.
In the embodiment of the present application, when the mailbox disclosure discovery system 10 determines that the disclosure risk of the target mailbox 201 is medium risk, low risk, or high risk, the disclosure risk can be displayed in the client, and an alarm signal can also be output to the client, so that an administrator can relatively quickly know the situation and respond to it, for example by maintaining the target mailbox 201 to enhance the security of the account data in the mailbox. The alarm signal may be a sound alarm signal, a text alarm signal, or the like.
Compared with the prior art, the embodiment of the application has the following beneficial effects:
Firstly, the embodiment relies on the principle that opening a mail automatically loads the pictures in it: a first picture downloading request is added to the masquerading mail, so that a leaked mailbox account can be found promptly when the mail is leaked, which provides a layer of assurance for mail security.
Secondly, the leakage risk of the target mailbox is displayed in the client, or an alarm signal is output to the client, so that an administrator can learn of the situation relatively quickly and respond to it, for example by maintaining the target mailbox to enhance the security of the account data in the mailbox.
Thirdly, the method and the device can judge the leakage risk of the mailbox and of the mailbox server providing services for the mailbox, and can accurately find a mailbox leakage path.
A possible implementation manner of the mailbox disclosure discovery apparatus is provided below, and is used to execute each step of the mailbox disclosure discovery method and corresponding technical effects shown in the foregoing embodiments and possible implementation manners. Referring to fig. 8, fig. 8 is a schematic structural diagram illustrating a mailbox leakage discovery apparatus according to an embodiment of the present application, where the apparatus is applied to a mailbox leakage discovery system 10, and a mailbox leakage discovery apparatus 100 includes: a construction module 110, a transmission module 120, a reception module 130, and a determination module 140;
a constructing module 110, configured to construct a masquerading mail corresponding to each mailbox according to the trap mail template, where the masquerading mail includes an identifier corresponding to the mailbox;
a sending module 120, configured to send a masquerading mail corresponding to each mailbox;
a receiving module 130, configured to receive a first picture download request sent by a first mailbox, where the first picture download request is generated when the first mailbox opens a target masquerading email, the target masquerading email is obtained by the first mailbox from any mailbox connected to the first mailbox, and the first picture download request includes a target identifier in the target masquerading email;
and a determining module 140, configured to determine the leaked target mailbox according to the target identifier, where the target mailbox corresponds to the target identifier.
Optionally, the determining module 140 is further configured to determine the leakage level of the target mailbox according to a relationship between the first IP address and the common login IP address of the target mailbox.
Optionally, the determining module 140 is specifically configured to:
if the first IP address belongs to the common login IP address of the target mailbox, determining that the leakage risk of the target mailbox is low risk;
and if the first IP address does not belong to the common login IP address of the target mailbox, determining that the leakage risk of the target mailbox is medium risk.
Optionally, the receiving module 130 receives a second picture downloading request sent by a second mailbox, where the second picture downloading request is generated when the second mailbox opens the target masquerading mail after the first mailbox sends the target masquerading mail to any one of second mailboxes connected to the first mailbox, and the second picture downloading request includes a second IP address of the second mailbox;
the determining module 140 is further configured to determine a leakage level of the target mailbox according to a relationship between the first IP address, the second IP address, and the common login IP address of the target mailbox.
Optionally, the determining module 140 is specifically configured to:
if the first IP address belongs to the common login IP address of the target mailbox, determining that the leakage risk of the target mailbox is low risk;
if the first IP address does not belong to the common login IP address of the target mailbox and the first IP address is consistent with the second IP address, determining that the leakage risk of the target mailbox is a medium risk;
and if the first IP address does not belong to the common login IP address of the target mailbox and the first IP address is inconsistent with the second IP address, determining that the leakage risk of the target mailbox is high risk.
Referring to fig. 9, fig. 9 is a schematic structural diagram of a mailbox leakage discovery system 10 according to an embodiment of the present application.
The mailbox leak discovery system 10 includes a processor 11, a memory 12, and a bus 13, where the processor 11 is coupled to the memory 12 via the bus 13. The memory 12 is used for storing a program, such as the mailbox leak discovery apparatus 100 shown in fig. 8. The mailbox leak discovery apparatus 100 includes at least one software functional module, which can be stored in the memory 12 in the form of software or firmware or be solidified in an Operating System (OS). After receiving an execution instruction, the processor 11 executes the program to implement the mailbox leak discovery method disclosed in the above embodiment.
The Memory 12 may include a Random Access Memory (RAM) and may also include a non-volatile Memory (NVM).
The processor 11 may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware or instructions in the form of software in the processor 11. The processor 11 may be a general-purpose processor, and includes a Central Processing Unit (CPU), a Micro Control Unit (MCU), a Complex Programmable Logic Device (CPLD), a Field Programmable Gate Array (FPGA), and an embedded ARM.
The embodiment of the present application further provides a readable storage medium, on which a computer program is stored, and when the computer program is executed by the processor 11, the mailbox leak discovery method disclosed in the foregoing embodiment is implemented.
To sum up, the embodiment of the present application provides a method and an apparatus for discovering mailbox leakage, a main mailbox server, and a readable storage medium. A client first sends a mail construction request to the main mailbox server. After receiving the mail construction request, the main mailbox server constructs a masquerading mail according to a pre-configured trap mail template and sends the masquerading mail to each corresponding mailbox server. When a first external server obtains the masquerading mail from one of the mailbox servers and opens it, the first external server sends a picture download request to the main mailbox server, and the main mailbox server finally determines the leaked mailbox server through the target identifier in the picture download request. By constructing masquerading mails containing identifiers and sending them to each mailbox server, when the masquerading mail in a certain mailbox server is leaked, the leaked mailbox account can be found in time according to the identifier and notified to an administrator, which further enhances the security of the mailboxes.
The above description is only for the specific embodiment of the present invention, but the scope of the present invention is not limited thereto, and any changes or substitutions that can be easily conceived by those skilled in the art within the technical scope of the present invention are included in the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the appended claims.

Claims (10)

1. A mailbox leakage discovery method is applied to a mailbox leakage discovery system, the mailbox leakage discovery system is connected with at least one mailbox, the mailbox leakage discovery system is configured with a trap email template, and the mailbox leakage discovery system stores a one-to-one correspondence between at least one identifier and the at least one mailbox in advance, and comprises the following steps:
constructing a masquerading mail corresponding to each mailbox according to the trap mail template, wherein the masquerading mail comprises the identifier corresponding to the mailbox;
sending the masquerading mail corresponding to each mailbox;
receiving a first picture downloading request sent by a first mailbox, wherein the first picture downloading request is generated when the first mailbox opens a target masquerade mail, the target masquerade mail is acquired by the first mailbox from any one of mailboxes connected with the first mailbox, and the first picture downloading request comprises a target identifier in the target masquerade mail;
and determining a leaked target mailbox according to the target identifier, wherein the target mailbox corresponds to the target identifier.
2. A mailbox leak discovery method according to claim 1, wherein said mailbox leak discovery system further prestores a common login IP address for each of said mailboxes, and said first picture download request further includes a first IP address of said first mailbox;
after the step of determining a target mailbox with mailbox leakage according to the target identifier, the method further comprises the following steps:
and determining the leakage level of the target mailbox according to the relation between the first IP address and the common login IP address of the target mailbox.
3. A mailbox leak discovery method according to claim 2, wherein said step of determining the leak level of said target mailbox according to the relationship between said first IP address and the common login IP address of said target mailbox comprises:
if the first IP address belongs to a common login IP address of the target mailbox, determining that the leakage risk of the target mailbox is low risk;
and if the first IP address does not belong to the common login IP address of the target mailbox, determining that the leakage risk of the target mailbox is a medium risk.
4. A mailbox leak discovery method according to claim 1, wherein said mailbox leak discovery system further prestores a common login IP address for each of said mailboxes, and said first picture download request further includes a first IP address of said first mailbox;
after the step of determining a target mailbox with mailbox leakage according to the target identifier, the method further comprises the following steps:
receiving a second picture downloading request sent by a second mailbox, wherein the second picture downloading request is generated when the second mailbox opens the target masquerading mail after the first mailbox sends the target masquerading mail to any one second mailbox connected with the second mailbox, and the second picture downloading request comprises a second IP address of the second mailbox;
and determining the leakage level of the target mailbox according to the relation among the first IP address, the second IP address and the common login IP address of the target mailbox.
5. A mailbox leak discovery method according to claim 4, wherein said step of determining the leak level of said target mailbox according to the relationship between said first IP address, said second IP address and the common login IP address of said target mailbox comprises:
if the first IP address belongs to a common login IP address of the target mailbox, determining that the leakage risk of the target mailbox is low risk;
if the first IP address does not belong to the common login IP address of the target mailbox and the first IP address is consistent with the second IP address, determining that the leakage risk of the target mailbox is a medium risk;
and if the first IP address does not belong to the common login IP address of the target mailbox and the first IP address is inconsistent with the second IP address, determining that the leakage risk of the target mailbox is high risk.
6. A mailbox leakage discovery apparatus applied to a mailbox leakage discovery system, wherein the mailbox leakage discovery system is connected with at least one mailbox, the mailbox leakage discovery system is configured with a trap email template, and the mailbox leakage discovery system stores a one-to-one correspondence between at least one identifier and the at least one mailbox in advance, the apparatus comprising:
the constructing module is used for constructing a masquerading mail corresponding to each mailbox according to the trap mail template, wherein the masquerading mail comprises the identifier corresponding to the mailbox;
the sending module is used for sending the masquerading mail corresponding to each mailbox;
a receiving module, configured to receive a first picture download request sent by a first mailbox, where the first picture download request is generated when a target masquerading email is opened by the first mailbox, the target masquerading email is obtained by the first mailbox from any one of mailboxes connected to the first mailbox, and the first picture download request includes a target identifier in the target masquerading email;
and the determining module is used for determining a leaked target mailbox according to the target identifier, wherein the target mailbox corresponds to the target identifier.
7. A mailbox disclosure discovery apparatus as claimed in claim 6, wherein said mailbox disclosure discovery system further stores a common login IP address of each of said mailboxes in advance, and said first picture download request further includes a first IP address of said first mailbox;
the determining module is further configured to determine the leakage level of the target mailbox according to a relationship between the first IP address and the common login IP address of the target mailbox.
8. A mailbox leak discovery apparatus as claimed in claim 7, wherein said determining module is specifically configured to:
if the first IP address belongs to a common login IP address of the target mailbox, determining that the leakage risk of the target mailbox is low risk;
and if the first IP address does not belong to the common login IP address of the target mailbox, determining that the leakage risk of the target mailbox is a medium risk.
9. A mailbox disclosure discovery system, comprising: a processor, a memory and a bus, the memory storing program instructions executable by the processor, the processor and the memory communicating via the bus when the mailbox leak discovery system is running, the processor executing the program instructions to perform the mailbox leak discovery method as claimed in any one of claims 1-5 when executed.
10. A readable storage medium, having stored thereon a computer program which, when executed by a processor, performs a mailbox leak discovery method as claimed in any one of claims 1 to 5.
CN202210115657.7A 2022-02-07 2022-02-07 Mailbox leakage discovery method, device and system and readable storage medium Active CN114465978B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210115657.7A CN114465978B (en) 2022-02-07 2022-02-07 Mailbox leakage discovery method, device and system and readable storage medium

Publications (2)

Publication Number Publication Date
CN114465978A true CN114465978A (en) 2022-05-10
CN114465978B CN114465978B (en) 2023-10-13

Family

ID=81411710

Country Status (1)

Country Link
CN (1) CN114465978B (en)

Also Published As

Publication number Publication date
CN114465978B (en) 2023-10-13

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant