FI121773B - Procedure and server for authenticating the sender of an e-mail message and detecting the mode of transmission of the e-mail message - Google Patents

Description

A method and server for authenticating the sender of an email message and detecting the method of forwarding the email message

FIELD OF THE INVENTION The invention relates generally to email security and, in particular, to the ability of the recipient of an email message to verify that the sender information included in the email message is reliable.

Background Art 10 The Internet is made up of several servers, routers, and other so-called.

nodes, and telecommunication connections connecting nodes. Typically, e-mail messages pass through multiple Internet nodes from sender to recipient. When sending an e-mail, the sender usually does not know which nodes the e-mail passes through. Each node through which 15 e-mails pass may take a copy of it or redirect a message or a copy of a message to another node. For this reason, unencrypted email over the Internet is considered a very insecure means of communication.

The recipient of a conventional e-mail cannot know with certainty 20 whether the sender marked in the e-mail has actually sent the e-mail or whether the sender is someone else.

E-mail is transmitted over the Internet, usually using the Simple Mail Transfer Protocol (SMTP) defined in IETF (Internet Engineering Task Force) definition RFC822. An extension to the SMTP-25 protocol (RFC3207) has also been developed. SSMTP (Secure 5 SMTP), which allows the sending and receiving servers to communicate

(M

^ secure with each other.

[Ί. The following describes the traditional SMTP protocol

x how to process an email when sending an email from server A

^ 30 for server B \ § (A = sending server, B = receiving server)

C/O

uo uo O 1) B> 220 ESMTP ready

(M

2) A> helo smtp.domain.tld 35 3) B> 220 Hello.

2 4) A> MAIL From: <sender@domain.tld> 5) B> 220 sender ok 6) A> RCPT TO: <recipient@domain.tld> 7) B> 220 recipient ok

5 8) A> DATA

9) B> 220 Enter data followed by <CRxLF>. <CRxLF> 10) A> From: sender@domain.tld 11) A> To: recipient@domain.tld 12) A> Subject: Message Subject 10 13) A > 14) A> The actual message.

16) B> 250 Ok

17) A> QUIT

15 18) B> 220 Bye.

Above, in steps 1-3, servers A and B are shaking hands.

In steps 4-7, message routing information is transmitted specifying the recipient of the message. The routing information defines what is called a "routing". return address in case 20 cannot be delivered.

In steps 8-16, the e-mail is transferred from one server to another. Steps 8 and 9 prepare the transfer.

Steps 10-12 transfer message header information, which is separated from the actual message by an empty line (step 13).

In step 14, the actual message or text and any attachments are transferred. Server A then sends a line containing a period (.) And a ^ line break (step 15). After step 15, the receiving server B generally ci stores the message on its own disk.

isL In step 16, server B sends an acknowledgment that the message has been received. The servers A and B terminate the connection (steps 17 and 18).

After this, the sending server A usually deletes the message from its disk.

§ The above example describes two servers (A and B)

C/O

activity. E-mail forwarding servers may form a long chain, whereby forwarding the mail through the entire chain includes the steps 1 to 18 described above several times. Servers will also be referred to as routers.

3 Concatenating the routers / servers that forward the e-mail causes a relay delay because the next router in the chain will not be able to forward the message until the previous router has completely forwarded the message to it. In addition, the message is often stored on each router disk on the router disk, which increases transmission delay.

It is possible to forward an e-mail message so that the server belonging to the router chain will contact the next server in the chain as soon as it has sufficient information to forward the message.

In the example above, after step 8, server B has enough information to connect to the next server (server C). The transmission of the message through the router chain (A, B, C) is thereby accelerated because the next router (server C) in the chain is able to forward the message while the previous router (server B) still receives the rest of the message from the first router (server A). This type of email delivery is called "" transparent delivery. " Transparent delivery has the advantage that the first router in the chain (server A) receives information directly from the last router in the chain (server C) when the message is delivered to the recipient of the message. In addition, transparent transmission reduces the risk of a message being lost if server 20 (server B) between the ends of the chain breaks during message transmission.

In general, routers can be physical routers or virtual routers. Multiple virtual routers can be placed inside a single physical server.

FIG. 1 illustrates a server containing virtual routers.

Server 101 receives the message 102 according to the protocol (SMTP) and o forwards the message 102. Server 101 includes four routers, designated by the following names: email firewall 103, security c10, 104, content filter 105, and SMTP backend 106. Between routers 103-106 ixL The drawn arrows illustrate how message 102 travels within server 101 from one ox 30 router to another. . If the conventional transmission method is used, each router * 103-106 stores the message 102 on the server 101 disk. If a transparent transmission method is used instead of the conventional § transmission method, the message 102 is not stored on disk, but the router 103-105 transmits the message 102 immediately o and acknowledges receipt of the message only when the next router 35 104-106 acknowledges receipt of the message.

4

Amavisd, an open source software downloadable on the Internet, provides transparent routing within the server.

Transparent server-to-server routing poses challenges because an SMTP e-mail can have multiple recipients to whom 5 addressed e-mails can be routed through different servers. In this case, the router, which uses a transparent relay method, will have to disperse the relay of e-mail to several different servers, which complicates the control of the relay. Transparent mediation therefore works best when it comes to receiving e-mail, that is, between the last server in the chain or between virtual servers within the server.

The prior art involves the following so-called. Authentication issue: In Internet emails, anyone can send mail from any sender address. Further, complex relay chains make it difficult to determine the true origin of emails, since each of the 15 actual servers, and often also the internal virtual servers, write their own entries in the message header. An untrustworthy server can write extra proxy information to the header information, thus trying to obscure the true origin of the message.

One solution to the authentication problem is to use digital 20 signatures in an email message. However, quite a few email senders and recipients use digital signatures. Digital signature requires software installations on the sender's and recipient's terminals. The software allows the sender to sign his message and the recipient to verify that the signature attached to the message is genuine.

25 A more advanced solution to the authentication problem is to use o dedicated servers to create and verify digital signatures.

^ At this point, for example, you can check the origin of cvj emails at the organizational level.

r ^. Some methods have been developed to authenticate the server that forwarded the e-mail.

* '' Reverse IP verification 'is a known method for authenticating the server that sent / forwarded the e-mail.

C/O

| £ The following describes the operation of the '' Reverse IP verification '' method: o Assume that the receiving server is called 'domain-b' and 35 that the sending server has an IP address of 123.45.67.89. In this case, the receiving server, 'domain-b', writes the following information in the message mediator: 5

Received: from smtp.domain.tld (smtp.domain.tld [123.45.67.89]) by smtp.domain-b.tld with ESMTP

5 In the first step of the 'Reverse IP verification' method, the receiving server performs a DNS query where the server, or 'domain-b', asks the name server for the domain name corresponding to the above IP address: dig @ dns-server1 PTR 89.67.45.123.in-addr. lottery 10

In response to the DNS query, the name server (dns-server1) returns, for example, the following answer: 89.67.45.123.in-addr.arpa PTR smtp.domain.tld 15

The name server response indicates that the IP address 123.45.67.89 corresponds to the complete domain name 'domain'.

The second step of the '' Reverse IP verification 'method is to determine the fully-20 qualified domain name corresponding to IP address 123.45.67.89. In this case, the 'domain-b' server will use another DNS server (dns-server2) according to the following DNS query: dig @ dns-server2 A smtp.domain.tld.

25 In response to the DNS query, the name server (dns-server2) returns o for example the answer below: δ

CM

cm smtp.domain.tld. A 123.45.67.89 i o 30 Finally, the 'domain-b' server compares the £ IP address marked in the Received field to 123.45.67.89 obtained in step g of step 123.45.67.89 '' Reverse IP verification ''. In this example, the IP-10 addresses are the same, i.e. the message is sent from a server with the domain name 'domain' and an IP address of 123.45.67.89.

CM

The 35 '' Reverse IP verification 'method is well known and is used by many mail router software such as' postfix' (www.Dostfix.org).

6

Assume, as in the example above, that the domain name 'domain' and the IP address 123.45.67.89 match. In this case, the 'domain-b' server will type the domain name 'domain' in brackets and the IP address 123.45.67.89 in brackets.

5 Assume that the 'domain-b' server forwards the received message to, for example, the 'domain-c' server.

Let's also assume that the so-called "domain-b" server '' Fully Qualified Domain Name '' is the IP address of 'smtp.domain-b.tld' and 'domain-b' server is 234.56.78.90. In this case, the 'domain-c' server writes the following information to the message mediator 10:

Received: from smtp.domain-b.tld (smtp.domain-b.tld [234.56.78.90]) by smtp.domain-c.tld with ESMTP 15 where ESMTP is the literal word for "Enhanced Simple Mail Transport Protocol".

The message then contains the following mediators! Edot: 20 Received: from smtp.domain-b.tld (smtp.domain-b.tld [234.56.78.90]) by smtp.domain-c.tld with ESMTP Received: from smtp.domain .tld (smtp.domain.tld [123.45.67.89]) by smtp.domain-b.tld with ESMTP 25 o For example, the mail server software 'postfix' writes message broker information as described above.

In addition to the "Reverse IP verification" method, there are other known methods for determining the reliability of the servers involved in sending or transmitting an e-mail message. One method of £ uses a list containing the IP addresses of trusted servers. If the IP address of the proxy server is listed, the proxy server S is considered to be (sufficiently) reliable. Similarly, if the proxy server is not found in the list of trusted servers, the proxy server is considered to be unreliable.

7

Other known methods of authenticating the server sending a message are SPF (Sender Policy Framework) and Microsoft Sender ID. In these methods, the message sending organization discloses in the Internet Name Service (DNS) which mail router the domain name email-5 messages are sent from. For example, a) a single IP address, b) all IP addresses that belong to a domain name, and / or c) a so-called domain name can be defined as SPF or '' Microsoft Sender ID ''. MX servers. There is an extension to the SPF method. The "best_guess" method, which assumes all IP addresses in the domain as 10 certified email routers, and / or the so-called domain name. MX Servers, even if the sending organization did not publish any DNS information in the method.

It is further known that by means of digital signature-based methods 15, the transmitting server may write a header in the message header to identify the sender of the message.

In addition, it is known to determine the correctness of the sender of a message by sending a message to the sender in a so-called. a verification message asking you to verify that the message is indeed from the sender. Such methods based on the use of 20 verification messages are discussed, for example, in U.S. Patents 6,393,465 and 6,868,498. A disadvantage of these methods is the additional trouble that the sender of the message has to deal with when the sender has to process the check message (s) associated with his message.

Another problem with the prior art is the disclosure of the method of transmitting an e-mail message.

o One way of expressing e-mail delivery is by using, for example, UNIX mail servers. In this expression, the sender information of an e-mail that arrives from the Internet to an organization is changed, i ^. that the recipient (end-user) of the message separates from within the organization and o 30 messages coming from the Internet. The sender information is changed to £, for example, "EXT" at the beginning. In this case, for example, the sender information of the email section will look like this:

C/O

tn tn o EXT Matti Virtanen matti.virtanen (a) concern.tld

(M

35 8

A similar entry can also be made in the subject field of the message.

The third problem with the prior art is that it usually requires additional measures from the sending organization. If the 5 transmitting organizations do not have the authentication method enabled, the server sending the message cannot be identified. The exception to this is the SPF method when using the so-called SPF method. The "best_guess" method, however, is a very unreliable way to identify the sender of an email because the message can come through a very complex delivery chain.

A fourth problem with the prior art relates to the above SPF method. This issue occurs when a message is sent from outside the organization and the server used by the organization is assigned to forward the message to a recipient outside the organization. If the recipient uses the SPF method, the SPF method returns 15 that the message has an incorrect origin because the message's original address (Envelope from) should come from a different server than the external server to which the message was forwarded.

BRIEF SUMMARY OF THE INVENTION

The main object of the invention is to solve the above-mentioned prior art problems.

An e-mail message sent over the Internet may pass through multiple servers / routers to the recipient, whereby the e-mail message contains proxy information written by each of the 25 servers typically involved in forwarding the e-mail messages.

The invention comprises a method of authenticating the sender of an e-mail message, the e-mail message including proxy information marked by at least one server (router). The method of the invention o 30 utilizes the '' Reverse IP verification 'method described above. £ Specifically, the '' Reverse IP verification '' method goes through the message forwarder information, i.e. the information in the Received fields, starting with

C/O

[Λ the proxy information that the server preceding the server that received the e-mail has marked in the e-mail. The broker information (Received fields) 35 is scanned until either unreliable broker information is found or all broker information is processed by the 'Reverse IP verification' method.

9 In the latter case, a check is made for the broker information first tagged in the email, comparing the fully qualified domain name obtained by the 'Reverse IP verification' method with the domain name contained in the sender information of the email message. If 5 domain names match, the sender of the email message is authenticated. If necessary, the examination of the method can be refined with 1-4 additional checks.

In addition to the method, the invention comprises a server with scanning means for transmitting and / or receiving e-mail messages.

10

List of figures

In the following, the invention will be described in more detail with reference to the accompanying drawings, in which: Figure 1 illustrates a server with virtual routers, Figure 2A illustrates a method of operation, Figure 2B illustrates steps of an investigation, 20 is a heuristic view, FIG. 4B shows an additional investigation step for searching a domain name from a list of hijacked servers, FIG. 4C shows an additional investigation step utilizing MX data, FIG. 4D shows further investigation steps utilizing a RIPE database, and FIG. , δ

CM

cm Detailed Description of the Invention The method is thus related to the authentication of the sender of an email message.

o x 30 Authentication of the sender generally means that the sender marked in £ is the actual sender of the message. In other words, the recipient of the message may have sufficient confidence that the message originates from the sender indicated in the From field of the message header.

o o

CM

35 10 Sender authentication also includes verification of the correctness of the intermediary information. This proxy information indicates the servers through which the e-mail message has been transmitted from the original sender to the recipient.

5 The method further relates to how the method of transmitting an e-mail message can be expressed more clearly and reliably in the subject line of an e-mail message. The method replaces the header information of the e-mail with verified information that allows the reliability of the origin of the message to be evaluated. More specifically, the e-mail program 10 or any other program operating according to the method makes an entry in the address of the original sender which indicates to the end user that the origin of the message has not been verified. An entry made with untrustworthy address information may include, for example, three question marks [???].

15 Any message encryption may also be communicated to the end user by means of a specific entry placed in the sender's address information. An indication indicating the use of encryption is, for example, '.S'.

To save time for end users, a program operating according to the method can be implemented by sorting 20 received messages into two different folders based on the reliability of the message origin.

It is well known that the email server writes "unknown" and the IP address in parentheses in the message header if the "Reverse IP verification" method reveals that the full domain name and IP address of the 25 servers that transmitted the message do not match.

It is essential to the invention which checks are performed on the e-mail message and when the e-mail message is judged to be correct.

i

(M

isL Suppose the broker information included in the email is: o x 30

Received: from smtp.domain-b.tld (smtp.domain-b.tld g [234.56.78.90])

C/O

[g by smtp.domain-c.tld with ESMTP

§ Received: from smtp.domain.tld (smtp.domain.tld [123.45.67.89])

35 by smtp.domain-b.tld with ESMTP

11

Let's also assume that the sender of the email is:

From: Matti. Doe @ domain. corn 5 The operation of an embodiment of the method will be described by way of example. The above broker information and sender information are examined as follows.

1) Reading the latest proxy information, or proxy information (value of the Received field), recorded by the server before the 10 servers that received the e-mail in the e-mail.

2) Extract the IP address from the broker information, for example IP address 34.56.78.90.

3) Check if the IP address obtained in step 2 is in the list of trusted IP addresses.

15 4) If not found, enter the IP address in the list.

5) If found, steps 2-4 for the next broker information are performed. If the proxy information read is the proxy information first tagged in the email, continue with step 6.

6) Reading the IP address from the list.

20 7) Using DNS lookup (example smtp.domain.tld) to find out the full domain name corresponding to the IP address.

8) Using the DNS lookup (example 34.56.78.90) to find out the IP address corresponding to the full domain name.

25 9) If the IP address read from the list and the IP address returned by the latter DNS lookup are the same, steps 6-8 are performed for the next listed IP address. If the read IP-c \ j address is the last in the list, proceed to step 10.

ΐ'Ί. 10) Distinguish between an IP address and a complete one

o

x 30 domain names, the remainder of the name (in the example domain.tld).

11) Let's see if the rest of the full domain name o matches the sender information in the email, ie the From field

C/O

[12] If matching, the sender is authenticated.

35 12

The above note 4) is accompanied by the following note: The IP address contained in the proxy information first marked in the email message is always written down in the list.

The method reveals where the mail comes from.

5 The method works even if there is a public server in between, for example an ISP server, as long as the intermediate server writes its own "Received" line in the message.

FIG. 2A illustrates the working principle of the method. The method is for authenticating the sender of an email message on the server that received the email message 10. On said server, a list of the proxy information entered in the email message by at least one of the servers involved in relaying the email is formed. The list is then scanned 202, starting with the proxy information that the server prior to receiving the e-mail has marked in the e-mail. The investigation includes at least the steps illustrated in Figure 2B. The investigation will show whether the 203 data examined are reliable. If they are, the server that received the e-mail will infer 204 the sender information marked on the e-mail as valid.

FIG. 2B illustrates the steps of an investigation for use in a method that is performed in all embodiments of the method. This investigation by the server receiving the e-mail message uses a list formed of the e-mail forwarder information (Received fields) and the e-mail sender information (From field). The investigation begins with a list of the proxy information that the server before the server that received the email has marked in the email. The investigation includes the following steps.

25 The first name server query retrieves a complete domain name corresponding to the 206 proxy information marked with the o IP address. The second name server query fetches the IP address corresponding to the complete domain name retrieved 207 and compares the IP address used in the first name server query with the IP address obtained in the second name server query. With the comparable IP addresses o x 30 being the same 209 and the proxy information being the last appellant information 210 in the list, * the domain name retrieved in the first name server query 211 is compared with the sender information of the email containing the sender of the email.

C/O

[g related domain name. If the domain names match 212, the sender information of 204 o is inferred. Thus, sender information is judged to be 35 correct after the list of mediator information in the email message has been completely reviewed and in comparison 209 the mediator information has been found to be trustworthy and in addition 13 sender information has been found to be 212 trusted / valid. If the list has 210 unexplored data, the following information is read from the list and at least steps 206-208 are performed. If the comparison 209 reveals that the IP addresses are not the same, the sender information 205 is concluded to be incorrect.

FIG. 3 illustrates the modification of the list used in the investigation.

Modifying the list means that the following step is performed between steps 201 and 202 of Figure 2A. The server that received the e-mail removes from the list 301 any proxy information that the server in the list of trusted IP addresses has marked in the e-mail. An entry made by a trusted server is trusted to such an extent that you do not want to examine the entry, or proxy information. As the list of broker information becomes shorter, the execution time required by the method is also reduced. A list of trusted IP addresses can be created, for example, from a company's or community's own servers. In this case, all other servers 15 are interpreted as "unreliable", that is, the proxy information that they have marked in the e-mail remains in the list and that proxy information is examined as shown in Figure 2A.

If necessary, the accuracy of the examination may be increased by the additional steps shown in Figure 4A-4D. Further steps are directed to the above list, which contains the received broker information (Received fields).

FIG. 4A shows a further step of the investigation in which the first part of the domain name is viewed by a heuristic method. Specifically, the server receiving the e-mail examines 401, by a predetermined heuristic method, the portion of the 206 complete domain names retrieved in the first name server-25 query after the last two dotted strings of the ^ domain name have been removed. The heuristic method determines whether the cvj expresses a dynamic web address or a non-dynamic web address. Suppose [Ί. review 401 indicates that the portion of the domain name remaining after the last two dotted character strings of the remaining portion of the ox 30 domain name has been removed indicates a non-dynamic web address. In this case, the § 402 sender information (From field) is inferred the last 00 [g] of the list is 210 and the region names compared in step 212 match. No fake or hijacking of dynamic web addresses is much more difficult than fake or hijacking of a dynamic web address. If, on the other hand, examination 401 indicates that the dynamic network address is indicated by the part 14 in question, the intermediary information is determined to be incorrect / unreliable and consequently the sender information (From field) is inaccurate / unreliable 205.

In addition, or alternatively, the examination shown in Figure 2B may be supplemented by the following additional step.

FIG. 4B shows an additional step of the investigation where the domain name is searched from the list of hijacked servers. This additional step is preferably performed after the '' Reverse IP verification 'has been performed (Fig. 2, step 209). Some Internet mail servers are hijacked by malicious people like hackers. The hijacked servers, more specifically their domain names, are made up of publicly available lists of hijacked servers that can be thought of as a single logical list. In Figure 4B, the server receiving the e-mail message searches 403 for the domain name in the (logical) list of hijacked servers. Subsequently, the sender information 404 is inferred if the searched domain name is missing from the list of hijacked servers and if the last proxy information 210 of the list (containing the received fields) and the matched domain names match 212.

In addition or alternatively, the examination shown in Figure 2B may be supplemented by the following additional step.

FIGURE 4C shows a further step of the investigation utilizing the MX

(Mail exchange) information. The MX information is stored on a Domain Name Server (DNS). A single MX information indicates to which server the e-mail addressed to a specific domain name should be delivered. In a further step 405, the domain name retrieved in step 206 is compared to the 25 MX information obtainable through the Internet name service. When the domain name matches 406 some MX information, the intermediary information is inferred to be reliable. If the relay information is the last 210 in the list and the ^ region names match 212, the sender information (From field) cvj is inferred.

r ^. In addition, or alternatively, the examination shown in Figure 2B may be supplemented by the following additional step.

FIGURE 4D illustrates additional steps of investigation utilizing RIPE

§ (Reseaux IP Europeens) database. As stated above, the investigation

C/O

| g the second name server query fetches an IP address corresponding to the 207 domain names retrieved. In a further step of the investigation 407, this IP address is used as a search key when retrieving the IP address associated organization from the RIPE WHOIS database. In a further step, 408 holder organization information is compared with the domain name obtained in the first name server query 206. If the holder organization information matches 409 area names, the broker information is reliable. Otherwise, the broker information is unreliable and the sender information is interpreted as incorrect / unreliable.

Several embodiments are associated with the method of the invention.

In one embodiment, the sender information of the e-mail message is only interpreted as valid when the additional steps 401, 403, 405, 407, and 408 shown in Figs. 4A-4D are correct and the domain names to be compared in step 212 match. In all other cases, the sender information of the e-mail message 10 will be interpreted as incorrect.

In other embodiments of the method of the invention, the interpretation of the correctness of the e-mail message is done differently. First, the number of additional steps to be performed may vary, for example, the additional step 401 shown in FIG. 4A alone may be performed. Secondly, the 15 sender information may be interpreted as correct even though an additional step of investigation indicates that certain intermediary information is incorrect.

It is possible to attach a degree of security to the sender information. For example, the degree of security is an integer from 0 to 100, such that 0 is definitely incorrect sender information and 100 is definitely correct sender information. The degree of assurance can be realized, for example, by scoring such that the additional steps 401, 403 and 405 of the investigation produce 0-20 points each, the additional steps 407 and 408 together yield 0-20 points, and the step 212 produces 0-20 points. In this case, the degree of security is the sum of the points, that is, an integer between 0 and 100. A limit may be set for the sum of the points, for example 80, which 25 must be reached in order for the sender information to be interpreted correctly. In one embodiment of the method, the degree of security associated with the sender information of the e-mail ^ is stored in a security database The degree of security is stored ^ together with the sender's IP address and domain name in the o 30 security level database. This will allow the database to be searched when new e-mails are received from the sender's IP address. If the level of security retrieved from the database by IP address and domain name is low,

C/O

[g] received e-mails should be treated with suspicion, o The server that sent or forwarded the e-mail 35 may also be associated with a degree of security. Here, the degree of security describes the reliability of a particular server 16 rather than the reliability of the sender (IP address). The degree of security associated with the server is then increased when an e-mail is received through the server, the sender of which is verified according to the method of the invention. Similarly, the degree of security associated with the server is reduced if the sender information of the received electronic mail 5 is found to be incorrect.

An embodiment of the method includes the step of adding to the list of trusted IP addresses each server which, based on the degree of security attached to the server, is highly likely to transmit messages containing the correct sender information. More specifically, the IP address of the server 10 is added to the list of trusted IP addresses discussed in connection with Figure 3. This also controls the situation where the message was received from outside the organization, but the server inside the organization is directed to forward the received message to a recipient outside the organization.

15 The following is a summary. If necessary, the method can be used without the additional checks shown in Figures 4A-4D. However, if at least one of the four additional checks is used, the sender of the e-mail is judged to be valid when the following three conditions are true: proxy information is the last proxy information 210 in the list, the domain name obtained in the first 20 nameserver queries associated with the proxy information contains the domain name 212 associated with the right. As discussed above, on the server that received the e-mail message, it is possible to assign a degree of security to the sender information that illustrates the probability of the sender information right. This probability is greater the more the additional checks performed o have verified that the broker information / information is correct. Further, it is possible to store the degree of security with the sender information in a database or cvj memory for later use in the security level. In the e-mail receiving server, the degree of security is preferably written o x 30 in the header of the e-mail. In this case, the recipient of the email can * decide for himself whether the sender information is correct or not.

§ The degree of assurance is preferably written in the From-

C/O

| g field. The degree of assurance can also be written in the Reply To - o field of an email message.

C \ l 35 17

In addition, the From and / or Reply To field can be used to enter the encryption strength. The degree of encryption is different from the encryption mark (for example, '.S'). The level of encryption strength indicates how strong / reliable encryption technology (or encryption techniques) have been used to communicate 5 emails.

To determine the level of encryption, the method includes the following steps, where "sender information" refers to sender information contained in a received e-mail message ("sender information" does not refer to sender information for a response message). This information does not normally appear to the recipient of the email message, nor does it indicate the actual level of security of the channel used for relaying the message, but instead of extracting from the relay information 15 the relay information that has been proven reliable by the methods described in the invention Annotation describing the strength of encryption can be used to determine In the next step, the domain name included in the sender information is used in the MX query through the domain name system. This MX query returns a set of MX servers. Then, an SMTP (Simple Mail) is created on each MX server (contained in the set)

Transfer Protocol) test connection that reveals whether the MX server supports 25 email encryption and what the encryption strength is. Outbound encryption strength can be determined by selecting the weakest strength from the encryption strengths c \ i determined from all MX servers corresponding to the domain name ° through test connections. The strength of inbound traffic encryption and isL outbound traffic encryption are written separately in the header information of the e-mail message 30 or can be combined to form one total strength of £ encryption, g. Email message header

C/O

the data (From field and / or Reply To field) can be written with o method at least one of the following entries: a) an error entry 35 indicating that the sender information has been inferred, b) an encryption entry indicating that at least one encryption technique has been used .

18

In addition, or alternatively, at least one of the following information may be written in the header of an e-mail message: c) a security level indicating the probability of the sender information being correct, d) the degree of encryption.

By using both the From and Reply-Το fields, it is possible to indicate any asymmetric features associated with the communication channel for reporting the above 5 notes / information a), b), c) and / or d). For example, if an e-mail has been received using encrypted transmission, but the reply message would have been sent using unencrypted transmission, the From field will be typed with an encryption entry and the Reply-Το. Field will be omitted with 10 encryption entries.

In order for the entries / information a), b), c) and / or d) to be forwarded to the sender of the e-mail, a normal e-mail program is required. When the recipient of an e-mail message (not a reply message) receives the message, the e-mail program displays text in the From field, which preferably contains 15 entries / information a), b), c) and / or d). When a message is answered, that is, a reply message is sent, a normal e-mail program extracts the string in the Reply To field as the reply address. When the remainder of this string contains the entries / information (a), (b), (c) and / or (d), the corresponding entry / information is transmitted to the sender of the response message. More specifically, the sender of the 20 response messages will see the entries / information in the To field of the response message.

The sender of the reply message can use the annotations / information to verify the correctness of the recipient's address and the method of transmission. For example, if the message has been encrypted but the reply message is going to be unencrypted, the sender of the reply message will be aware of it before sending the message and may take this into consideration when deciding on the content of the message.

o Encryption of the message alone does not create security, but also seamlessly addresses the correctness of the recipient addresses (security is not created if, for example, a highly encrypted message is sent completely to the wrong organization), o In addition, the invention comprises a server for authenticating the sender to indicate how the email is delivered.

§ The server is configured to perform the method steps described above.

FIG. 5 shows a server according to the invention. The server 501 is for authenticating the sender of the e-mail 502. The server 501 receiving the email message 502 includes means 503 for generating a list 504 of the proxy information that the at least one server involved in forwarding the email message 19 has marked in the email message. In addition, the server 501 includes at least processing means 505 and IP comparison means 506. By means of processing means 505, the server 501 processes the list 504, starting with the proxy information marked by the server 5 prior to the server receiving the email message. The list processing uses IP comparison means 506 adapted to a) receive proxy information from the processing means 505, b) retrieve the full domain name corresponding to the IP address marked in the proxy information in the first name server query, c) retrieve the full domain name 10 in the second name server query, and d) e) return the domain name to the processing means 505. The processing means 505 is adapted to f) read the domain name associated with the sender of the email message and, in the last 15 proxy information in the list, g) compare the read alias and (h) inferring the sender information to be correct when the compared domain names match.

Thus, the server 501 of the invention includes at least means 503, 505 and 506. In addition to these, the server 501 may include other means and the processing means 505 may be adapted to perform operations other than the aforementioned operations f), g) and h).

In order to enhance the processing of the list 504, the processing means 505 is preferably adapted to remove from the list 504 any proxy information that the server in the list of trusted IP addresses has marked in 25 e-mails. This reduces the list and requires less use of the IP comparison means 506.

The server 501 may further include a heuristic means 507 adapted to view, by a heuristic method, the portion of the domain name remaining after the last two ox-separated 30 parts of the full domain name are removed, the complete domain name being the IP_comparison means 506. section in the second name server query performed by the full domain name.

C/O

If the server 501 includes the heuristics means 507, the processing means 505 is adapted to infer the sender information of the e-mail 502 35 when a review by the heuristics means indicates that it is a non-dynamic web address.

The processing means 505, if necessary, is adapted to look up the domain name returned by the IP comparison means 506 from the hosts list. Usually, the sender information of an email message is only valid when (each) searched domain name is missing from the list of hijacked servers.

The processing means 505 is adapted, if necessary, to compare the domain name retrieved in the first name server query with the MX information available through the Internet name service.

If necessary, the processing means 505 is adapted to use the IP address obtained in the second name server query as a retrieval key when retrieving the holder organization information associated with the IP-10 address from the RIPE database and then comparing the holder organization information obtained in the database search with the domain name obtained in the first name server query.

Preferably, the server 501 includes markup means 508 adapted to write at least one of the following entries / data in the header of the e-mail message: a) an error flag indicating that the server has inferred the sender information as incorrect; b) an encryption mark indicating at least one encryption technique; (c) a security level indicating the likelihood of the sender being correct; or (d) an encryption level indicating the use of 20 strong encryption techniques in the transmission of an e-mail message. These entries / data are written to an e-mail message 509 transmitted by the server 501 having the same content (text and / or attachments) as the e-mail message 502 received by the server.

In addition to the foregoing descriptions and examples, the method and server of the invention-25 may be implemented in various ways which will be apparent to those skilled in the art, due to their skill and the teachings of this patent application.

The invention is defined in the following claims relating to a method and a server.

o X 30 en

CL

CD

o

C/O

m m o o

(M

Claims (20)

1. A method for authenticating a transmitter of an e-mail message comprises a step in which in a server that has received the e-mail message (201) a list of the intermediary information recorded on the Received fields is formed, which at least one server, which has participated in the e-mail service, has logged in the e-mail message, the list indicating all the servers that have transmitted the e-mail, characterized in that in a server that has received the e-mail list, the list is examined (202) starting with the intermediary information such as the server which previously received the email has recorded in the email, wherein the survey contains the following steps: a complete domain name corresponding to an IP address is retrieved in a first name server request (206), which has been recorded in intermediary information, an IP address corresponding to the complete the domain name is retrieved (207) in a second name server request, the IP address used in the first name server request 2 0 is compared (208) with the IP address obtained in the second name server request, and since IP addresses are the same (209): the following intermediary information is examined, since intermediary information is the last intermediary information (210) in the list, the complete domain name is compared (211 ) with the email message sender information, which has been registered to From field o ^ and which contains a domain name that joins the email message sender, and ^ it is concluded (212) that the sender information is correct if the domain name matches each other . CL 2. A method according to claim 1, characterized in that prior to the investigation, each such intermediary information is written off (301) from the list, which § a server in the list of the reliable servers has noted in the e-mail message. Method according to Claim 1, characterized in that the method comprises a first further check, in which, by means of a heuristic method, (401) the part of the domain name retrieval (206) retrieving (206) is inspected, which remains after the final two , punctuation separated character strings from the complete domain name, the heuristic method finding out whether said part indicates a dynamic or non-dynamic net address, and where said part indicates a non-dynamic net address it is concluded (402) that the intermediary information is right. 10 Method according to claim 1, characterized in that the method comprises another further check, in which the domain name is searched (403) in the list of hijacked name servers and if the domain name is not in the list it is concluded (404) that the mediator information is correct. 15 Process according to claim 1, characterized in that the method comprises a third additional check, in which the domain name, which is retrieved in the first name query, compares (405) MX (Mail exchange) data which is accessed via an Internet name service, and where the domain name corresponds to (406) any of the MX (Mail 20 exchange) data it is concluded that the intermediary information is reliable. Method according to claim 1, characterized in that the method comprises a fourth additional check (407), in which the IP address, which is retrieved in the second name query, is used as a search key in the retrieval of information about the owner organization which joins IP. the address from the RIPE database (RIPE WHOIS database), the information received in the database search (The owner organization is compared (408) with the domain name obtained in the first name server request (206), and where the domain names are corresponding to 3. it is drawn) a conclusion (409) that the intermediary information is reliable Process according to claims 1-6, characterized in that it is concluded that transmitter information is correct if the following conditions are true: a) o intermediary information is the last intermediary information in the list, b) the domain name obtained in the first, to the intermediary information, connecting the name server request, incoming a domain name connecting to the sender of the e-mail message, and c) at least one of the additional control lines performed proves that the intermediary information is correct. Method according to claims 1-6, characterized in that the server receiving the e-mail message is enclosed in the transmitter information with a degree of security which describes the probability of the transmitter information right, the higher the probability the more the checks carried out have been proven that the intermediary information / information is right / right. Method according to claim 8, characterized in that the security of the server which receives the e-mail message 10 is stored together with the transmitter information in a memory. 10. A method according to claim 8, characterized in that the security of the server receiving the e-mail message is written on the e-mail message header information. 15 11. A method according to claim 1, characterized in that at least one of the following notes is written to the server receiving the e-mail on the header information of the e-mail message: error note indicating that the transmitter information has been concluded to be incorrect, encryption note indicating an encryption technique has been used in the communication of the message over the Internet. Method according to claim 1, characterized in that it comprises the following steps performed by the server receiving the e-mail message: the domain name contained in the transmitter information is utilized in the MX query carried out by a domain name system, wherein the MX query c \ j returns a group of MX servers, isL to each MX server in the group, an SMTP connection is formed, which also reveals if the MX server supports email encryption, and in case at least one of the ^ 30 MX servers supports e mail encryption § On the e-mail message header information, the encryption's CO [£ degree of strength is written, which indicates how strong encryption technology for conveying the e-mail message reply message is at hand. A server (501) for authenticating the sender of an email (502), which includes means (503) for forming a list (504) of the intermediary information recorded in Received fields, such as at least one server, which has participated in e-mail brokering, has registered in the e-mail, the list shows all the servers that have transmitted the e-mail, characterized in that the server further adopts processing means (505) for handling the list (504) with starting from intermediary information , which the server that previously received the email 10 has recorded in the email, IP comparator (506), which is adapted to receive intermediary information from said processing means (505), retrieve in a name server request a complete domain name corresponding to IP - the address listed in the mediator information, retrieving in a second name server request an IP address corresponding to the full domain name, comparing the one used in the first name server request The IP address with the IP address received in the second name server request and, if both addresses are the same, return the domain name to said processing means, said processing means being adapted to read the domain name associated with the e-mail transmitter, examining the the following intermediary information, and in connection with the last intermediary information in the list, compare the Iästä domain name with the domain name returned by the IP comparison agents, and conclude that transmitter information is correct if the compared cvj domain names match. in A server according to claim 13, characterized in that the x processing means are further adapted to CC from the list prior to using the comparison means any such intermediary information that a server located in the list of S reliable IP addresses has been recorded. in the email. O A server according to claim 13, characterized in that the server further comprises heuristic means (507) adapted to inspect by means of a heuristic method the part of the domain name retrieving in the second name server request, which remains after the last two shutdowns. , punctuation separated character strings from the last part of the domain name, the heuristic method finding out if said part indicates a dynamic web address or a non-dynamic web address. 16. A server according to claim 15, characterized in that the processing means (505) are further adapted to conclude that the e-mail intermediary task is correct, when the examination carried out by heuristic means proves that said part indicates a non-dynamic network address. A server according to claim 13, characterized in that the processing means are further adapted to search the domain name in a list of hijacked name servers. 18. A server according to claim 13, characterized in that the processing means are further adapted to compare the domain name retrieved in the first name server request with MX (Mail exchange) data which is accessed via an Internet name service. 19. A server according to claim 13, characterized in that the processing means are further adapted to use the IP address, which is retrieved in the second name server request, as a search key in the retrieval of information about the owner organization that connects to the IP address from the RIPE database. (RIPE WHOIS database), and compare the information received from the database organization with the domain name obtained in the first 0 name server request. 20. A server according to claim 16, characterized in that the server further comprises note means (508) adapted to write on the header information of the e-mail (509) at least one of the following notes: a) error note, which indicates that the transmitter information has been concluded to be inaccurate; (b) the encryption note indicating that at least one encryption technique has CO [g used in the e-mail service; c) degree of security, which describes with o what probability the transmitter information is correct; or d). the strength of encryption, which shows how strong encryption technology has been used in e-mailing.