JP2007102747A - Packet detector, message detection program, shutdown program of unauthorized e-mail - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To prevent an operation of an unauthorized virus of a type for inquiring a mail server name. <P>SOLUTION: A computer is mounted with: an application identifier detection function of detecting an identifier for specifying a type of application data included in a packet; an application type specification function (S1, 2, 4, 5) of detecting whether or not the identifier represents an application of a name service for converting a host name into a network layer address; an application data determination function (S6, S8) of determining whether or not data for inquiring the network layer address of the mail server in the application data of the packet when it is detected that the application type is the name service; and a packet shutdown function (S7, 9, 10) of shutting down transmission of the packet including the application data when the data for inquiring the network layer address of the mail server is included in the application data. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a packet detection device, a message detection program, and an illegal mail blocking program for blocking the transmission of mail data to which unauthorized application data is attached among viruses on a network.

  Conventionally, as virus detection technology, data that describes characteristic information called definition file for a known virus is prepared in advance, and a file that may be infected with a virus is pattern-matched with the definition file. It has been known. This definition file is a file that contains the characteristics of a computer virus-infected file or a worm program that repeats itself over the network, and is defined by anti-virus software (vaccine software) to detect computer viruses and worms. Each virus pattern recorded in the file is compared with the file to be inspected, and if a match with the pattern is found, it is determined that the file is infected with the virus.

  In addition, as a worm countermeasure that is a type of virus that has been known in the past, for example, one described in "http://www.nttdata.co.jp/netcom/pdf/nc04_ss_03.pdf" Can be mentioned.

  However, the conventional pattern matching type virus detection technology that prepares a virus definition file has a problem that it cannot detect a new type of virus or a subtype of virus that does not have a definition file.

  Therefore, the present invention has been proposed in view of the above-described circumstances, and a packet detection device, a message detection program, and an illegal mail blocking program that can prevent the operation of an illegal virus of a type that inquires about a mail server name. The purpose is to provide.

  The present invention is a packet detection device, a message detection program, and an illegal mail blocking program for preventing a computer from sending an illegal electronic mail due to a computer virus, and can be stored in a computer on any network. .

  The present invention is a packet detection device for detecting a packet transmitted on a network, and specifies the type of application data included in a packet transmitted from a client computer on the network in order to solve the above-described problem. An application identifier detecting means for detecting an identifier, an application type specifying means for detecting whether the identifier detected by the application identifier detecting means indicates a name service application for converting a host name into a network layer address, and an application type Data that inquires the application data of the packet about the network layer address of the mail server when it is detected that the application type specified by the specifying means is a name service And a data detection means for detecting whether or not included.

  The present invention relates to a server device that responds to a message that inquires about an address in the network layer of a mail server, or a message that is stored in a proxy server device that forwards a message sent to the server device and received via a network. In order to solve the above-described problem, the message detection program acquires the transmission source address of the received message, and the transmission server address and the network layer of the mail server previously stored in the server address storage means And a message detection function for detecting a message in which the source address is not stored in the server address storage means, and the source address is not stored in the server address storage means by the message detection function. message And a data detection function for detecting whether the data to query the network layer address of the mail server, is implemented in the server apparatus or the proxy server device.

  The present invention is a fraudulent mail detection program that prevents a computer from sending fraudulent electronic mail due to a computer virus. In order to solve the above-described problem, the present invention relates to a packet sent from the computer. An application identifier detection function that detects an identifier that specifies the type of application data included, and whether the identifier detected by the application identifier detection function indicates a name service application that converts a host name into a network layer address When it is detected that the application type specifying function to be detected and the application type specified by the application type specifying function are name services, a mail service is added to the application data of the packet. An application data determination function that determines whether or not data that inquires about the network layer address is included, and when the application data determination function determines that data that inquires the network layer address of the mail server is included, A packet blocking function for blocking transmission of a packet including the application data is implemented.

  The packet detection device according to the present invention shows a name service application that converts a host name into a network layer address by looking at an identifier that specifies the type of application data included in a packet transmitted from a client computer. Since it can detect that there is data that inquires about the network layer address of the mail server in the application data of the packet, it detects the operation of an illegal virus that inquires about the mail server name. Can be used for prevention.

  According to the message detection program of the present invention, the address in the network layer of the mail server stored in the server device or the proxy server device is compared with the source address of the received message, and the source address is the server. Detecting messages that are not stored in the address storage means and detecting that the message is data that inquires about the network layer address of the mail server. It is possible to prevent a response to a message due to an illegal virus operation.

  The illegal mail blocking program according to the present invention refers to an application of a name service that converts a host name into a network layer address by looking at an identifier that specifies the type of application data included in a packet transmitted from a computer. If the packet application data contains data that inquires about the network layer address of the mail server, the transmission of the packet is blocked, so an illegal virus that inquires about the mail server name. Can be prevented.

  Hereinafter, embodiments of the present invention will be described with reference to the drawings.

  For example, as shown in FIG. 1, the present invention is a network system having terminals 1A and 1B, mail servers 2 and 4, and a DNS (Domain Name System) server 3, and illegal mail mounted on the terminals 1A and 1B. Applies to the interception program. In this embodiment, for example, an unauthorized mail blocking program is installed in the terminal 1A, and the function of the unauthorized mail blocking program is implemented.

  Normally, in this network system, mail data is transmitted from the terminal 1A to the terminal 1B by performing procedures (1) to (8) as shown in FIG. That is, first, when the terminal 1A creates mail data S1 with the destination mail address "hanako@abc.cdf.co.jp" and the body text "Hello!", It is registered in the mail client setting of the terminal 1A. The mail data S1 is transmitted to the mail server (SMTP (Simple Mail Transfer Protocol) server) 2 having the host name “mail.cdf.co.jp” (procedure (1)).

  When the mail data S1 is received by the mail server 2 with the host name “mail.cdf.co.jp”, the mail server 2 recognizes the destination of the mail data included in the mail data S1, and A packet including an MX (Mail eXchanger) record inquiry S2 that inquires about the IP (Internet Protocol) address of the mail server 4 that can be accessed by the terminal 1B that is the destination of the mail data S1 is transmitted to the DNS server 3 (procedure (2)). This MX record inquiry S2 includes the domain name “abc.cdf.co.jp” of the mail address that is the destination of the mail data.

  When the DNS server 3 receives a packet including the MX record inquiry S2, the DNS server 3 sends the host name of the mail server 4 corresponding to the domain name “abc.cdf.co.jp” of the mail data received together with the MX record inquiry S2. “Server.abc.cdf.co.jp” and the IP address are extracted from the DNS data. Then, the DNS server 3 returns MX record information S3 including the extracted host name and IP address of the mail server 4 to the mail server 2 (procedure (3)). As described above, the DNS server 3 provides the mail server 2 with a name service for converting a host name into a network layer address.

  When the mail server 2 receives the MX record information S3 from the DNS server 3, the mail server 2 transmits mail data S4 addressed to the IP address included in the MX record information S3 and including the mail data S1 (procedure (4)). .

  When receiving the mail data S4, the mail server 4 stores the mail data S4 in the mail box. Thereafter, when the terminal 1B requests the mailbox confirmation S5 designating the mail address (procedure (7)), the mail server 4 transmits the mail data stored in the mailbox to the terminal 1B, The mail data S1 transmitted from the terminal 1A can be received by the terminal 1B.

  If the terminal 1A is infected with a so-called mass mailing type illegal software that sends a large amount of emails with a copy of illegal software attached to such normal mail transmission operation, the function of the illegal software causes 2, a packet including the domain name of the mail address registered in the address book of the terminal 1A and the MX record inquiry is transmitted to the DNS server 3 (procedure (1)), and the host name of the mail server 4 and The MX record information including the IP address is received (procedure (2)). Then, the mail data with the attached file name “Worm.exe” attached is sent to the mail server 4 by the unauthorized software of the terminal 1A (procedure (3)), and the mail box confirmation S5 of the terminal 1B (procedure ( 4)), the mail data is transmitted to the terminal 1B (procedure (5)).

  In the network system performing such operations, the terminal 1A is equipped with a basic software execution unit 11 and an application software execution unit 12 including a mail application, as shown in FIG. The basic software execution unit 11 includes a communication interface unit 21 connected to the network 10 and a TCP (Transmission Control Protocol) / IP communication control unit 22.

  As shown in FIG. 4, such a terminal 1 </ b> A, when creating application data 110 by the application software execution unit 12, passes the application data 110 to the basic software execution unit 11. The basic software execution unit 11 creates an IP packet in which the TCP / IP communication control unit 22 adds the transport layer header 111 and the IP layer header 112 of the TCP header or UDP header to the beginning of the application data 110, and the communication interface unit 21. Thus, a link layer header or the like is added to the IP packet, a predetermined modulation process or the like is performed, and the IP packet is transmitted to the network 10. As described above, when the mail data S1 is transmitted to the mail server 2, the body of the mail is created as the application data 110. The IP packet transmitted from the network 10 to the terminal 1A is subjected to demodulation processing and the like by the communication interface unit 21, analyzed by the TCP / IP communication control unit 22, and passed to the application software execution unit 12. .

  However, for example, when an unauthorized mail content transmitted from another terminal is previewed or an unauthorized attachment is executed, the unauthorized software execution unit 13 is installed in the application layer.

  When implemented in the terminal 1A, the unauthorized software execution unit 13 transmits an IP packet including an MX record inquiry in order to realize the procedure (1) to the procedure (5) shown in FIG. This IP packet is sent to the DNS server 3 via the network 10 via the TCP / IP communication control unit 22 and the communication interface unit 21 when the filtering process described later is not executed. The application data 110 in FIG. 4 created by the unauthorized software execution unit 13 includes an MX record inquiry.

  In contrast to the functions realized by the unauthorized software execution unit 13, the terminal 1A in which the unauthorized mail blocking program to which the present invention is applied is implemented, monitors the packet created by the TCP / IP communication control unit 22, and is illegal. The MX record inquiry blocking unit 30 is provided as a function for blocking the transmission of various packets. The MX record inquiry blocking unit 30 is a functional unit that can be realized by installing the above-described unauthorized mail blocking program on the terminal 1A.

  The MX record inquiry blocking unit 30 includes a packet hook unit 31 that is created by the TCP / IP communication control unit 22 and intercepts an IP packet to be passed to the communication interface unit 21, and an IP packet that is intercepted by the packet hook unit 31. And a filtering unit 32 that performs a filtering process on the.

  When the packet hook unit 31 intercepts an IP packet transmitted from the terminal 1 </ b> A, the packet hook unit 31 passes the IP packet to the filtering unit 32, receives the IP packet filtered by the filtering unit 32, and passes it to the communication interface unit 21.

  When receiving an IP packet from the packet hook unit 31, the filtering unit 32 determines whether the IP packet includes an MX record inquiry to the DNS server 3. At this time, the filtering unit 32 refers to the port number, which is an identifier for designating the type of the application data 110, from the transport layer header 111, and the application data including the MX record inquiry is stored in the application data 110. It is determined whether the value indicates that the Further, the filtering unit 32 analyzes the contents of the application data 110 and determines whether or not the data indicates an MX record inquiry. Then, when the IP packet includes an MX record inquiry to the DNS server 3, the filtering unit 32 does not pass the IP packet to the packet hook unit 31. As a result, the filtering unit 32 blocks transmission of the IP packet including the application data 110 created by the unauthorized software execution unit 13.

  On the other hand, when the IP packet does not include the MX record inquiry to the DNS server 3, the filtering unit 32 passes the IP packet to the packet hook unit 31. When the DNS server 3 is inquired about the Web server name and IP address for browsing the Web site as well as the mail data, the port number and application data 110 are received by the filtering unit 32. It goes without saying that the IP packet is returned to the packet hook unit 31.

  Next, a processing procedure for blocking an IP packet including an MX record inquiry from the terminal 1A to the DNS server 3 in the terminal 1A configured as described above will be described with reference to the flowchart of FIG.

  First, when the packet hook unit 31 intercepts an IP packet from the TCP / IP communication control unit 22 and passes it to the filtering unit 32, in step S1, the filtering unit 32 determines that the transport layer header 111 of the IP packet is a UDP header. It is determined whether or not the packet is a UDP packet. If it is determined that the packet is a UDP packet, the port number stored in the UDP header is extracted in step S2. If the port number is a number indicating the inquiry to the name service (addressed to the DNS port), the process proceeds to step S6. If not, the IP packet is sent to the packet hook unit in step S3. The data is passed to the communication interface unit 21 via 31.

  In step S6, the filtering unit 32 analyzes the application data 110 of the UDP packet and determines whether or not the application data 110 is an MX record inquiry to the DNS server 3 and an inquiry for mail server information. To do. If it is determined that the inquiry is an MX record inquiry, the UDP packet is discarded in step S7. If the inquiry is not an MX record inquiry, the IP packet is passed to the DNS server 3 in step S3.

  Here, in the case of a UDP packet, the MX record inquiry is stored as the application data 110 of a single packet, so it is analyzed whether the application data 110 itself is an inquiry for mail server information.

  If it is determined in step S1 that it is not a UDP packet, it is determined in step S4 whether or not the transport layer header 111 is a TCP header. If it is a TCP header, in step S5 the TCP header is changed to a TCP header. It is determined whether or not the included port number is a number (addressed to the DNS port) indicating an inquiry to the name service. If the port number is a number indicating an inquiry to the name service, the process proceeds to step S8. On the other hand, if the transport layer header 111 is not a TCP header or if the port number is not a number indicating an inquiry to the name service even if it is a TCP header, the process proceeds to step S3.

  In step S8, the filtering unit 32 determines whether the application data 110 includes an MX record inquiry that is an inquiry about the host name of the mail server. If the MX record inquiry is included, the IP packet is discarded in step S9, and the FIN packet is transmitted from the communication interface unit 21 to the DNS server 3 in step S10, so that the terminal 1A and the DNS server 3 Disconnect the session.

  Here, when the unauthorized software execution unit 13 of the terminal 1A acquires DNS data of the DNS server 3 in accordance with TCP, there is a possibility of using a plurality of IP packets. When an IP packet including an MX record inquiry can be detected, it is necessary to disconnect the session itself. In step S8, even if it is not possible to determine that the MX record query is included in the application data 110 with a single IP packet, the port number is determined and the application data 110 is analyzed over a plurality of IP packets. The MX record inquiry from the terminal 1A to the DNS server 3 may be detected.

  In addition, as a method for inquiring mail server information from the terminal 1A to the DNS server 3, a method of specifying only the MX record, inquiring all the information possessed by the DNS server 3, and only the mail server information from the information possessed by the DNS server 3 However, any one of them can be detected in steps S6 and S8.

  As described above, according to the terminal 1A in which the illegal mail blocking program to which the present invention is applied is implemented, the functions of Step S1 to Step S10 executed by the packet hook unit 31 and the filtering unit 32, that is, Steps S1, 2 and Steps. An application identifier detection function that detects an identifier that specifies the type of application data included in the packet through S4 and S5, and an application of a name service that uses the identifier detected by the application identifier detection function to convert a host name into a network layer address And an application type specifying function for detecting whether the application type is a name service in steps S6 and S8. In this case, an application data determination function for determining whether or not the packet application data includes data for inquiring the network layer address of the mail server can be realized. When it is determined that the data for inquiring the network layer address of the mail server is included, a packet blocking function for blocking transmission of a packet including the application data can be realized.

  In this way, by configuring the packet hook unit 31 and the filtering unit 32 with the unauthorized mail blocking program, the unauthorized software execution unit 13 can prevent the operation of an unauthorized virus that inquires about the mail server name. That is, even if the content of the virus is unknown, the MX record inquiry from the terminal 1A to the DNS server 3 can be blocked, and the characteristic operation of the unauthorized software can be performed without storing the known unauthorized software as a definition file. By blocking, unauthorized transmission of unauthorized mail can be prevented. In addition, this illegal mail blocking program can realize the above-mentioned effect without affecting the operation of normal mail software.

  Next, a description will be given of detecting and blocking a packet detection function and a blocking function to which the present invention is applied by intermediate devices 201 and 202 such as a gateway between the terminal and the DNS server 3 as shown in FIG. To do.

  As shown in FIG. 7, normally, in a network including the terminal 1A, the mail server 2, and the DNS server 3, a router 301 that is a relay device that refers to a network layer address, and a bridge-type device 302 that refers to a data link layer address. In addition, there is a switch 303 and a horizontal device 304 that monitors data relayed by the switch 303. Further, in order to distribute the load of the DNS server 3, a DNS proxy 305 that relays messages transmitted and received by the DNS server 3 may be inserted before the DNS server 3. The DNS proxy 305 is a relay device that performs application layer processing.

  In such a network, when the terminal 1A is infected with a computer virus, an MX record inquiry message Q1 is transmitted from the terminal 1A to the DNS server 3. This illegal MX record inquiry message Q1 is relayed by the router 301, the bridge-type device 302, the switch 303, and the DNS proxy 305 along the message transmission path indicated by the dotted line in the drawing, and is received by the DNS server 3. In addition, the improper MX record inquiry message Q1 is also received by the horizontal device 304. On the other hand, a valid MX record inquiry message Q2 addressed from the mail server 2 to the DNS server 3 is relayed by the router 301, the bridge type device 302, the switch 303, and the DNS proxy 305 and received by the DNS server 3.

  As described above, the bridge-type device 302 operating in the data link layer, the switch 303, the router 301 operating in the network layer, the horizontal device 304, and the DNS proxy 305 operating in the application layer are only valid MX record inquiry messages Q2. Accordingly, the DNS server 3 also receives an invalid MX record inquiry message Q1.

  On the other hand, the illegal operation detection function and blocking function to which the present invention is applied are implemented in any one of the router 301, the bridge type device 302, the switch 303, the horizontal type device 304, the DNS proxy 305, and the DNS server 3. Even so, it is possible to prevent the operation of an illegal virus of the type that inquires about the mail server name as described above. Here, unlike the case where the above-described terminal 1A is provided with an illegal operation detection function, the router 301, the bridge type device 302, the switch 303, the DNS proxy 305 relay device and the horizontal type device 304 are valid MX records. It is necessary to design to ensure that the inquiry message Q2 is passed.

  In the following, an embodiment in which at least an illegal operation detection function is implemented in devices constituting a network will be described.

  First, a case where an illegal operation detection function is implemented in the DNS server 3 (DNS proxy 305) will be described.

  As shown in FIG. 8, the DNS server 3 includes a basic software execution unit 311, a DNS server software execution unit 312, a setting interface unit 313, and an MX record inquiry blocking unit 314.

  When the DNS server software execution unit 312 receives the MX record inquiry message from the mail server 2, the DNS server software execution unit 312 determines the host name and IP address of the mail server 4 of the mail transmission destination corresponding to the domain name of the mail data included in the MX record inquiry message. It is extracted from the DNS data, and MX record information including the host name and IP address of the extracted mail server 4 is returned to the mail server 2. As described above, the DNS server software execution unit 312 performs processing for providing the mail server 2 with a name service for converting a host name into a network layer address.

  Normally, when the DNS server 3 receives the valid MX record inquiry message Q2 via the communication interface unit 321 and the TCP / IP communication control unit 322, the DNS server software execution unit receives the MX record information for the valid MX record inquiry message Q2. In step 312, the MX record information is transferred to the basic software execution unit 311. The basic software execution unit 311 creates an IP packet with the transport layer header and IP layer header added to the beginning of the MX record information by the TCP / IP communication control unit 322, and the communication layer 321 adds the link layer header to the IP packet. Etc. are added and subjected to predetermined modulation processing and the like, and sent to the network 10.

  Note that when the DNS server software execution unit 312 is a DNS proxy software execution unit, an MX record inquiry is normally performed in order to transfer the MX record inquiry message received from the basic software execution unit 311 to another DNS server 3. The message destination is changed and transferred to the TCP / IP communication control unit 322.

  The DNS server 3 includes an MX record inquiry blocking unit 314 as a function unit that detects and blocks an unauthorized MX record inquiry message Q1. The MX record inquiry blocking unit 314 detects the MX record inquiry message before passing the MX record inquiry message to the DNS server software execution unit 312, and if the message is invalid, the MX record inquiry blocking unit 314 sends the message to the administrator or the like. Judge whether to give a warning. For this purpose, the MX record inquiry blocking unit 314 includes a packet hook unit 331 that intercepts the MX record inquiry message received by the communication interface unit 321, a detection unit 332, and an operation setting data storage unit 333.

  When the MX record inquiry message is received by the communication interface unit 321, the MX record inquiry blocking unit 314 intercepts the MX record inquiry message and detects whether it is illegal by the detection unit 332. At this time, the detection unit 332 refers to the operation setting data stored in the operation setting data storage unit 333.

  As shown in FIG. 9, the operation setting data stores a plurality of MX record inquiry message transmission source addresses, masks, and actions (operation contents) in association with each other. This operation setting data includes the address of a mail server that is permitted to accept the MX record inquiry message as the source address. The operation setting data is input from the setting interface unit 313 by an administrator operation or the like, and is registered in the operation setting data storage unit 333.

  When the detection unit 332 identifies whether the destination of the MX record inquiry message obtained from the communication interface unit 321 matches the transmission source address or the mask of the operation setting data, the detection unit 332 performs an action corresponding to the transmission source address and the mask. Identify.

  When the detection unit 332 permits the delivery of the MX record inquiry message to the DNS server software execution unit 312, the detection unit 332 sends the MX record inquiry message from the packet hook unit 331 to the DNS server via the TCP / IP communication control unit 322. The data is sent to the software execution unit 312. On the other hand, when blocking the delivery of the MX record inquiry message to the DNS server software execution unit 312, the MX record inquiry message is discarded without being passed to the packet hook unit 331. If it is determined to give a warning, the fact is transmitted by e-mail transmission to the administrator.

  The operation setting data may be set so as to discard the MX record inquiry message from the terminal on the network. In addition, when an MX record inquiry message is transmitted from a relay apparatus that is registered not to exist between the DNS server 3 and the mail server, all MX record inquiry messages may be discarded. good. That is, when the detection unit 332 receives an MX record inquiry message of a transmission source address that is not included in the operation setting data, the detection unit 332 does not detect whether the MX record inquiry message is invalid. Like that.

  With reference to the flowchart of FIG. 10, a description will be given of a processing procedure for blocking an MX record inquiry from the terminal 1A to the DNS server 3 in the DNS server 3 (or DNS proxy 305) configured as described above. In the following description of the flowchart, the same processes as those described above are denoted by the same step numbers, and detailed description thereof is omitted.

  First, when the packet hook unit 331 intercepts a received packet from the communication interface unit 321 and passes it to the detection unit 332, in step S1, the detection unit 332 determines whether the transport layer header of the received packet is a UDP packet that is a UDP header. If it is determined that the packet is a UDP packet, the port number stored in the UDP header is extracted in step S2. If the port number is a number indicating the inquiry to the name service (addressed to the DNS port), the process proceeds to step S6. If not, the received packet is sent to the packet hook unit in step S14. The data is transferred to the TCP / IP communication control unit 322 via 331.

  In step S6, the detection unit 332 analyzes the application data of the UDP packet and determines whether the application data is an MX record inquiry message and an inquiry about mail server information. If it is determined that the message is an MX record inquiry message, the operation for the transmission source address of the received MX record inquiry message is determined in step S11 by referring to the operation setting data.

  If the detection unit 332 determines that the reply of the MX record information to the MX record inquiry message is permitted, the detection unit 332 passes the UDP packet to the TCP / IP communication control unit 322 and executes the MX record inquiry message by executing DNS server software. The process is terminated by passing the data to the unit 312. On the other hand, if it is determined that the MX record inquiry message is to be discarded, the UDP packet is discarded in step S13, and the process is terminated. If it is determined that a warning is to be issued, a warning mail or the like is transmitted to the administrator or the like in step S 12, the UDP packet is passed to the TCP / IP communication control unit 322, and is passed to the DNS server software execution unit 312. To finish the process.

  On the other hand, if the received packet is not a UDP packet in step S1, it is determined in step S4 whether the received packet is a TCP packet. In step S5, the port number of the received packet is extracted to determine whether it is destined for the DNS port. judge. If it is determined in step S4 that the received packet is not a TCP packet, or if it is determined in step S5 that it is not destined for the DNS port, the received packet is passed from the packet hook unit 331 to the TCP / IP communication control unit 322. To finish the process.

  If the detection unit 332 determines that the received packet is a TCP packet in step S4 and is destined for the DNS port in step S5, the detection unit 332 inquires of the host name of the mail server in the application data of the TCP packet in step S8. It is determined whether or not an MX record inquiry is included. If no MX record inquiry message is included, the MX record inquiry message is passed from the packet hook unit 331 to the TCP / IP communication control unit 322 in step S14. . On the other hand, if an MX record inquiry is included, in step S15, the operation for the transmission source address is determined with reference to the operation setting data.

  If the detection unit 332 determines that the reply of the MX record information to the MX record inquiry message is permitted, the detection unit 332 passes the MX record inquiry message to the TCP / IP communication control unit 322 and sends it to the DNS server software execution unit 312. Pass it to finish the process. On the other hand, if it is determined that the MX record inquiry message is to be discarded, the TCP packet is discarded in step S17, and the TCP session is disconnected in step S18, and the process is terminated. If it is determined that a warning is to be issued, a warning mail or the like is transmitted to the administrator or the like in step S16, and the MX record inquiry message is passed to the TCP / IP communication control unit 322, and the DNS server software execution unit 312 is sent. To end the process.

  In this process, first, it is confirmed whether the port number is addressed to the DNS port for all MX record inquiry messages, and after confirming whether the application data is the MX record inquiry message, the transmission source address and the operation setting data are set. The action is determined by comparing the source address of the mail server. However, the present invention is not limited to this. First, only a valid source address such as a mail server is registered in the operation setting data, and the MX record inquiry message is transmitted. When the original address is not included in the transmission source address of the operation setting data, it may be excluded from the port number and application data detection targets.

  As described above, according to the DNS server 3 (or DNS proxy 305) to which the present invention is applied, the operation setting data for identifying an unauthorized or legitimate MX record inquiry message is stored in the operation setting data storage unit 333 in advance. The MX record inquiry message from the unauthorized terminal 1A can be detected and blocked.

  Further, as shown in FIG. 11, when the DNS server software execution unit 312 receives the MX record inquiry message, the DNS server 3 (or DNS proxy 305) refers to the operation setting data in the DNS server software execution unit 312. The operation for the MX record inquiry message may be determined.

  As shown in FIG. 12, the operation of the DNS server 3 (or DNS proxy 305) is as follows. First, when a message is received by the DNS server software execution unit 312, whether or not the message is an MX record inquiry message in step S6. In step S11, the source address of the MX record inquiry message is acquired from the TCP / IP communication control unit 322, the source address is compared with the operation setting data, and the MX record is determined. The operation for the inquiry message is determined.

  When the DNS server software execution unit 312 determines that the received transmission source address is permitted to return the MX record information in response to the MX record inquiry message, in step S21, the MX record information To respond. On the other hand, if it is determined that the received transmission source address is to block the MX record inquiry message, the process proceeds to step S13, the MX record inquiry message is discarded, and the process ends. Further, if it is determined that the received transmission source address is a warning, the process proceeds to step S21, a warning mail or the like is transmitted, and an MX record inquiry message is responded.

  As described above, the MX record inquiry blocking unit 314 not only performs processing on the MX record inquiry message, but also determines whether the MX record inquiry message is invalid in the application layer by the DNS server 3 and the relay device in the application layer. In this way, in addition to being able to detect and block an illegal MX record inquiry message as described above, transmission of MX record information can be blocked. Further, when there is a possibility that the MX record inquiry message is transmitted from the terminal 1A to the DNS server 3 due to an illegal operation, the DNS server 3 and the DNS proxy 305 inform the administrator or the like of the transmission source address of the terminal 1A. You can be notified.

  Next, a case where an unauthorized MX record inquiry message detection function is implemented in a network layer relay device such as the router 301, the bridge-type device 302, and the switch 303 and a data link layer relay device will be described. Hereinafter, the router 301, the bridge-type device 302, and the switch 303 are collectively referred to simply as a relay device.

  As shown in FIG. 13, the relay device includes a basic software execution unit 341, an MX record inquiry blocking unit 342, and a setting interface unit 343. When the relay device is the router 301, when the communication interface unit 351 of the basic software execution unit 341 receives a packet, the TCP / IP communication control unit 352 refers to the routing table and the like to perform routing processing of the Internet layer and perform communication. The data is transferred from the interface unit 351. Further, when the relay device is a data link layer relay device of the bridge type device 302 and the switch 303, when the communication interface unit 351 of the basic software execution unit 341 receives the packet, the Ethernet (registered trademark) communication control unit 352 generates an address. Data link layer processing is performed with reference to the table and the like, and the data is transferred from the communication interface unit 351.

  When such a relay device detects the MX record inquiry message by the detection unit 362 via the packet hook unit 361, the relay device refers to the operation setting data in the operation setting data storage unit 363 according to the source address of the MX record inquiry message. The operation for the MX record inquiry message is determined. The operation setting data is also set via the setting interface unit 343, as described above.

  As shown in FIG. 9, the operation setting data stores a plurality of MX record inquiry message transmission source addresses, masks, and actions (operation contents) in association with each other. This operation setting data includes, as a transmission source address, the address of a mail server that is permitted to accept the MX record inquiry message and the address of a terminal on the network. Further, MX record inquiry messages from other relay apparatuses registered as not existing on the route between the mail server and the DNS server 3 may be set so that all MX record inquiry messages are discarded. good. The operation setting data is input from the setting interface unit 313 by an administrator operation or the like, and is registered in the operation setting data storage unit 333.

  Further, as shown in FIG. 10, the relay device detects the port number of the transport layer by the detection unit 362 and determines whether the port number is addressed to the DNS port (steps S1, 2, 4, and 4). 5) In such a case, when the MX record inquiry message is stored as the application data of the packet (steps S6, 8), the transmission source address is determined based on the operation setting data (steps S11, 15). The relay device then forwards the MX record inquiry message (step S14), discards the packet (steps S13, 17), and warns (steps S12, 16) according to the operation obtained by referring to the operation setting data.

  In this way, an illegal MX record inquiry message can be detected and blocked by a relay device in the network layer or data link layer, and this also makes an illegal MX record inquiry message to the DNS server 3 as described above. Detecting transmission to and blocking transmission. In addition, when there is a possibility that the MX record inquiry message is transmitted from the terminal 1A to the DNS server 3 due to an unauthorized operation, this relay apparatus can notify the administrator or the like of the transmission source address of the terminal 1A. .

  Next, a case where an improper operation detection function is implemented in the horizontal device 304 will be described.

  As shown in FIG. 14, the horizontal device 304 includes a basic software execution unit 371, an MX record inquiry blocking unit 372, and a setting interface unit 373. The horizontal type device 304 receives a packet transferred by a data link layer relay device such as the bridge type device 302 or the switch 303 by the communication interface unit 381 and receives it by the packet capture unit 391 of the MX record inquiry blocking unit 372. .

  When the horizontal device 304 receives the packet by the detection unit 392 via the packet capture unit 391, the horizontal device 304 refers to the operation setting data in the operation setting data storage unit 393, and determines the MX record by the source address of the MX record inquiry message. Determine the action for the inquiry message. This operation setting data is an operation corresponding to a transmission source address, a transmission source address, and a mask of a mail server or the like that is valid to output an MX record inquiry message or a terminal that is illegal to output an MX record inquiry message. Only whether to issue a warning is set.

  As shown in FIG. 15, the horizontal device 304 detects the port number of the transport layer by the detection unit 392 and determines whether the port number is addressed to the DNS port (steps S1, 2, 4, 5). In such a case, when the MX record inquiry message is stored as the application data of the packet (steps S6, 8), the transmission source address is determined based on the operation setting data (steps S11, 15). Then, the horizontal device 304 refers to the operation setting data and terminates the process without issuing a warning when the transmission source address is valid, and when the transmission source address is invalid. In steps S31 and S32, a warning mail or the like is transmitted to the administrator.

  In this way, the horizontal device 304 can also process the MX record inquiry message, and this also detects transmission of an invalid MX record inquiry message from the terminal 1A to the DNS server 3 as described above. Thus, it is possible to notify the manager or the like of the unauthorized terminal 1A and the transmission source address of the terminal 1A.

  The above-described embodiment is an example of the present invention. For this reason, the present invention is not limited to the above-described embodiment, and various modifications can be made depending on the design and the like as long as the technical idea according to the present invention is not deviated from this embodiment. Of course, it is possible to change.

  That is, in the above-described embodiment, when the DNS server 3, the DNS proxy 305, the router 301, the bridge type device 302, the switch 303, and the horizontal type device 304 have a function for detecting and blocking an unauthorized MX record inquiry message. However, only the function for detecting an illegal MX record inquiry message is implemented in the device on the network, and the reception or transfer of the illegal MX record inquiry message is prohibited. Control such as closing the port may be performed. Also by this, the effect similar to the above can be exhibited.

  In addition, the function for preventing an unauthorized e-mail from being distributed in the above-described embodiment can be applied to a home network in which home appliance groups are connected to a network, an equipment network in which equipment groups are connected to a network, and the like. . For example, even when a home appliance that is connected to a home network and has an email function as an application is infected with a computer virus, an email containing an unauthorized computer virus is transmitted from the home appliance to the external network. Can be prevented.

  Here, as a technology for constructing a home network, in addition to the ECHO network, an embedded network technology called EMIT (Embedded Micro Internetworking Technology) can be used. This embedded network technology has a function of incorporating EMIT middleware into a network device and connecting it to a network, and is called EMIT technology.

  More specifically, EMIT software for realizing EMIT technology is installed in a terminal having a function to prevent the above-described unauthorized e-mail from being transmitted, a relay device constituting a network, and a horizontal device, and the EMIT software. A terminal, a relay device, and a horizontal device on which the terminal is mounted and a user device that remotely controls or monitors the terminal, the relay device, and the horizontal device are connected via a center server (not shown) provided on the Internet. . This user device is, for example, an external terminal (not shown) such as a mobile phone, a PC (Personal Computer), a PDA (Personal Digital Assistant), or a PHS (Personal Handy phone System).

  According to such a system in which EMIT technology is implemented, a user device can remotely monitor how often a message for inquiring a network layer address of a mail server name is detected by a terminal, a relay device, or a horizontal device, It is possible to additionally control a source address for blocking or alarming an electronic mail, or to add address information of a mail server that is not a detection target remotely.

1 is a system diagram showing a network configuration including a terminal on which an unauthorized mail blocking program to which the present invention is applied is installed and a normal mail transmission operation; FIG. This is a system for explaining a mail transmission operation when a terminal is operated by an unauthorized software execution unit. It is a block diagram which shows the functional structure of the terminal in which the blocking program of the unauthorized mail to which this invention was applied was installed. It is a figure which shows the packet structure when making an inquiry to a DNS server from a terminal. It is a flowchart which shows the process sequence of the blocking process of the unauthorized mail by the terminal to which this invention is applied. It is a system figure explaining the other method for intercepting an unauthorized mail. It is a figure which shows the network structure with which various relay apparatuses exist between the terminal and DNS server which perform unauthorized operation | movement. It is a block diagram of the DNS server or DNS proxy which mounted the function which detects the unauthorized operation | movement which applied this invention. It is a figure which shows the structure of operation setting data. It is a flowchart when an illegal operation | movement is detected by the DNS server or DNS proxy to which this invention is applied. FIG. 11 is a block diagram of an example of a DNS server or DNS proxy having a function of detecting an unauthorized operation to which the present invention is applied, and performing an operation on an MX record inquiry message by processing of an application layer. It is a flowchart when an illegal operation | movement is detected by the DNS server or DNS proxy to which this invention is applied. It is a block diagram of a router, a bridge type device, or a switch in which a function for detecting an unauthorized operation to which the present invention is applied is installed. It is a block diagram of the horizontal type | mold apparatus which mounted the function which detects the unauthorized operation | movement which applied this invention. It is a flowchart when an illegal operation | movement is detected by the horizontal type | mold apparatus to which this invention is applied.

Explanation of symbols

1 terminal 2, 4 mail server 3 DNS server 4 mail server 10 network 11 basic software execution unit 12 application software execution unit 13 unauthorized software execution unit 21 communication interface unit 22 TCP / IP communication control unit 31 packet hook unit 32 filtering unit

Claims (8)

A packet detection device that detects a packet for inquiring information identifying a mail server among packets transmitted over a network,
Application identifier detection means for detecting an identifier for specifying the type of application data included in a packet transmitted from a client computer on the network;
Application type specifying means for detecting whether the identifier detected by the application identifier detecting means indicates a name service application for converting a host name into a network layer address;
When it is detected that the application type specified by the application type specifying unit is a name service, it is detected whether or not the application data of the packet includes data for inquiring the network layer address of the mail server. A packet detection device comprising: a data detection means. Server address storage means for storing the address in the network layer of the mail server that inquires about the network layer address of another mail server,
When the source address of the network layer included in the packet transmitted from the network is compared with the address stored in the server address storage means, and the source address is stored in the server address storage means The packet detection apparatus according to claim 1, wherein the packet is not a detection target. A packet blocking means for blocking transmission of a packet including the application data when the data detecting means detects that data for inquiring a network layer address of a mail server is included. The packet detection apparatus according to claim 1 or 2. When the data detecting means detects that data inquiring the network layer address of the mail server is included, the data detecting means further comprises warning means for warning that a packet including the application data is transmitted. The packet detection apparatus according to claim 1 or 2. Of the messages received via the network, stored in the server device that responds to the message that inquires about the address in the network layer of the mail server, or the proxy server device that forwards the message sent to the server device. A message detection program for detecting a message for inquiring information identifying a server,
The server acquires the source address of the received message, compares the source address with the address in the network layer of the mail server that inquires about the network layer address of another mail server stored in the server address storage means in advance, and A message detection function for detecting a message transmitted at a source address not stored in the address storage means;
A data detection function for detecting whether a message transmitted with a source address not stored in the server address storage means detected by the message detection function is data for inquiring a network layer address of the mail server; Is installed on the server device or the proxy server device.   The source address of the received message is other than the address in the network layer of the mail server stored in the server address storage means, and the message is data for inquiring the network layer address of the mail server by the data detection function. 6. The message detection program according to claim 5, further comprising a message blocking function for stopping the operation on the message when detected, in the server device or the proxy server device. The source address of the received message is other than the address in the network layer of the mail server stored in the server address storage means, and the message is data for inquiring the network layer address of the mail server by the data detection function. The message detection program according to claim 5, further comprising warning means for warning that the message is transmitted when detected. A fraudulent email detection program that prevents a computer virus from sending fraudulent emails to a computer,
On the computer,
An application identifier detection function for detecting an identifier that specifies the type of application data included in a packet transmitted from the computer;
An application type identification function for detecting whether the identifier detected by the application identifier detection function indicates a name service application that converts a host name into a network layer address;
When it is detected that the application type specified by the application type specifying function is a name service, it is determined whether the application data of the packet includes data for inquiring the network layer address of the mail server. Application data judgment function,
A fraudulent mail blocking program that implements a packet blocking function that blocks transmission of packets including the application data when it is determined by the application data determination function that data for inquiring the network layer address of the mail server is included. .

Images