JP2007202046A - System, method and program for preventing guide to illegal site, and mail receiver - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a system for preventing guide to an illegal site in which a user can be prevented from being guided to the illegal site. <P>SOLUTION: An illegal mail determing section 22 judges whether a link contained in electronic mail, destined for a user, received by a mail receiving section 21 is a link to a site which is suspicious of being illegal. When the link is determined as a link to the site which is suspicious of being illegal, a mail rewriting section 23 rewrites a link destination address into an address of an illegal access warning device 40. When the user opens the rewritten link, the illegal access warning device 40 displays a call arousing attention on a display screen of a terminal device 30. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to an unauthorized site guidance prevention system, method, program, and mail receiving apparatus, and more particularly, to an unauthorized site guidance prevention system capable of preventing a user from being guided to an unauthorized site using electronic mail. , Method, program, and mail receiving apparatus.

  In recent years, opportunities to use e-mail using a mobile phone or a PC have been increasing. Along with that, users are increasingly receiving spam mails and chain mails that send advertisements unilaterally, and users often feel unpleasant. Until now, as a technique for eliminating such junk mail reception, for example, techniques described in Patent Document 1 and Patent Document 2 have been proposed. In general, a spam mail or the like is often embedded with a link (URL) for the purpose of guiding the sender to the site. In Patent Document 1 and Patent Document 2, referring to the database storing the URL of the unwanted site, if the email addressed to the user includes the URL of the unwanted site, do not send the email to the user. Prevents spam damage.

JP 2003-249964 A Republished Patent International Publication No. WO 2004/010661

  However, only the user can determine whether the e-mail that arrived at the server is really necessary for the user. If the e-mail is deleted on the server side, the e-mail that is originally necessary can be deleted by mistake. There is a problem that sex cannot be denied. In addition, although an e-mail in which a known URL registered in the database is embedded can be deleted, an e-mail cannot be deleted for an unknown URL, and the e-mail is transmitted to the user.

Here, in recent years, by clicking the URL link of the guise of such as banks and credit card companies to send e-mail to an indefinite number of persons, to unauthorized site which had been described in the mail, legitimate sites There are many so-called phishing scams that lead to fraudulent sites posing as scams and fraudulently collect personal information such as IDs, passwords, and credit card numbers. This fraud is
・ Spoofing the sender's display of e-mail and misidentifying it as an e-mail from a valid sender,
・ Instruct the email to be accessed using insulting text such as “I won the sweepstakes” or text that makes the recipient feel obligatory, such as “If you do not access, your account will be invalid” thing,
-Displaying an address on the display screen that is different from the fraudulent website for fraud actually linked to hide that the link destination is a fraudulent website,
It is made up of such work.

  FIG. 6 shows an example of electronic mail (phishing mail) used for phishing scams. This electronic mail is transmitted in the HTML format, and “webmaster@nec.co.jp” described in the from line indicating the transmission source is a spoofed address. In addition, the e-mail text contains a plausible sentence for inputting personal information such as a credit card. In the link part, as the link destination of the anchor tag, the fraudulent site address "www.abuse-site.com/abuse/" that is the actual link destination and the display character string (anchor character string) The URL “http://www.nec.co.jp/campaign/” that seems to be correct is embedded.

  FIG. 7 shows a display example of the phishing mail shown in FIG. 6 on the user PC. When the source e-mail shown in FIG. 6 is displayed by the mail software of the user PC, it is displayed on the display screen as shown in FIG. At first glance, the link part of this email appears to be a link to http://www.nec.co.jp/campaign/. If you do not check carefully by the source, the actual link destination will be www.abuse- I don't realize it's site.com/abuse/. If the user misunderstands that the link destination is http://www.nec.co.jp/campaign/ and clicks on the link portion, the user is connected to the unauthorized site that is the actual link destination.

  In order not to encounter a phishing scam, it is important that the user does not easily click the link destination of the received e-mail or confirms the link destination before clicking. However, as described above, phishing emails are cleverly structured to click on a link destination, and often click on the link destination inadvertently or overlooked. In a network configuration in which the access destination can be confirmed in advance by a gateway server or proxy server for Web access to the Internet, such as within an organization of a company or a mobile phone network, to these servers to unauthorized sites By providing a function that prevents access to unauthorized sites, access to unauthorized sites can be prevented at the water's edge. However, in the case of a mode in which a general user accesses from a home PC without going through a gateway server or a proxy server, the unauthorized server is directly accessed from the user's terminal. Access cannot be prevented at the water's edge.

  In a connection mode that does not go through a gateway server or proxy server, purchase software that can prevent access to unauthorized sites and install it on a PC in advance to prevent access to unauthorized sites. I can. However, there is a problem that cost and time are required for purchasing and installing software, which is not convenient for the user. In addition, it rejects the mail that is judged to be illegal when receiving it, or automatically deletes it so that the mail itself does not touch the user's eyes. A measure is also taken to insert a character string to that effect in order to call attention. However, it cannot be said that there is no possibility that the necessary mail is rejected or deleted by mistake, and the possibility that the URL link may be accidentally opened due to carelessness cannot be denied.

  The present invention eliminates the above-mentioned problems of the prior art and prevents a user from being directed to an unauthorized site without deleting the electronic mail before sending it to the user. It is an object to provide a program and a mail receiving device.

  In order to achieve the above object, a system for preventing unauthorized access to unauthorized sites according to the present invention is a system for preventing guided unauthorized access to an unauthorized site using a warning device that prompts a user to be alerted. Is detected, and when it is included, the fraudulent e-mail judging section for judging whether the link to the external site is a link to the suspected fraud, and the suspected fraud A mail rewriting unit that rewrites a link to the external site into a link to the warning device.

  The method for preventing an unauthorized site from guiding according to the present invention is a method for preventing an unauthorized site from being guided to a computer, wherein the computer detects whether or not a link to an external site is included in an incoming mail. When determining that the link to the external site is a link to a site suspected of fraud, and determining that the computer is a link to a site suspected of fraud, the external site And rewriting the link to the site into a link to a warning device that prompts the user to call attention.

  In the system and method for preventing induction to an unauthorized site according to the present invention, a link included in an e-mail addressed to a user determines whether the user is a link to a site suspected of being an unauthorized site, and an unauthorized site is suspected. If the link is determined to be a link to, the link is rewritten to a link to the warning device. As a result, before the user accesses the linked site before rewriting, the user can be alerted by accessing the warning device, and the user can be discouraged from accessing the suspected fraud site. .

  In the unauthorized access prevention system and method of the present invention, the link destination address of the link to the external site is compared with the sender address of the received mail, and if both domains are different, the link to the site suspected of fraud It is possible to adopt a configuration that determines that In general, in an e-mail for guiding a user to an unauthorized site, the sender is misrepresented, and the domain of the misrepresented sender is different from the domain of the link destination address that is the inducement destination. Therefore, when both domains differ, it can be judged that it is an email for guiding a user to an unauthorized site.

  In the unauthorized access prevention system of the present invention, the mail rewriting unit may employ a configuration in which information specifying the link destination address of the link to the external site before rewriting is included in the link to the warning device after rewriting. In this case, the link destination address before rewriting can be passed to the warning device side.

  In the unauthorized access prevention system of the present invention, when the warning device receives access from a user, the warning device displays a warning to the effect that an attempt to access a site that may be an unauthorized site is made on the terminal device of the user. Can be adopted. Further, when the warning device refers to a storage device that stores the address of a known unauthorized site, and the link destination address of the link to the external site matches the address stored in the storage device, the user terminal A configuration can be adopted in which a warning indicating that a dangerous site is being accessed is displayed on the display device. If the link destination address before rewriting matches the address of a known illegal site stored in the storage device, the user may be discouraged from accessing the site by issuing a warning with a stronger text. it can.

  In the unauthorized access prevention system of the present invention, the warning device monitors transmission / reception data between a link destination external site determined to be a link to the suspected fraud site and a user terminal device. It is possible to adopt a configuration further including an access monitoring unit. In this case, it is possible to protect the user at a higher level by performing a virus check or check for outflow of update information by the warning device.

  The program of the present invention is a program for causing a computer to execute processing for preventing guidance to an unauthorized site, and detects whether or not the received mail contains a link to an external site. Sometimes, determining whether the link to the external site is a link to a site suspected of fraud, and determining that the link to the site suspected of fraud is a link to the external site. And rewriting the link to a warning device that prompts the user to call attention.

  In the program of the present invention, in the step of determining whether the link is to a site suspected of fraud, the link destination address of the link to the external site and the sender address of the received mail are stored in the computer. In comparison, if the two domains are different, it is possible to adopt a configuration for executing processing for determining that the link is to a site suspected of fraud.

  The mail receiving apparatus of the present invention is a mail receiving apparatus that prevents a user from being directed to an unauthorized site, and detects whether or not a link to an external site is included in the received mail. If it is determined that the link to the external site is a link to a site suspected of fraud and a link to the site suspected of fraud, And a mail rewriting unit that rewrites the link into a link to a warning device that prompts the user to call attention.

  In the unauthorized site access prevention system, method, program, and mail receiving device of the present invention, when the link included in the e-mail addressed to the user determines that the user is a link to a site suspected of being an unauthorized site, Rewrite the link to a link to the warning device. When a user opens a link from an e-mail, the access destination is a warning device, and by prompting the user to be alerted by the warning device, the user can be prevented from being directed to an unauthorized site. Users can be protected from damage.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings. FIG. 1 shows the configuration of a system for preventing guidance to unauthorized sites according to an embodiment of the present invention. The unauthorized site guidance preventing system 100 includes a mail receiving device 20 that receives an email addressed to a user, and an unauthorized access warning device 40 that warns the user that the connected site may be an unauthorized site. The mail receiving device 20 and the unauthorized access warning device 40 are configured as a computer system such as a workstation. The terminal device 30 is configured as a PC or a mobile phone terminal having a network communication function, for example.

  The mail receiving device 20 includes a mail receiving unit 21, an unauthorized mail determining unit 22, a mail rewriting unit 23, and a mail distribution unit 24. The mail receiving unit 21 receives an e-mail addressed to the user from the external network 10 such as the Internet. The unauthorized mail determination unit 22 determines whether the received electronic mail includes a link to an unauthorized site. This operation will be described later. When the unauthorized mail determination unit 22 determines that the link to the unauthorized site is included, the email rewrite unit 23 creates an email in which the link destination is rewritten to the unauthorized access warning device 40. The mail delivery unit 24 transmits the electronic mail rewritten by the mail rewriting unit 23 to the user terminal device 30. If the unauthorized mail determination unit 22 determines that the link to the unauthorized site is not included, the email received by the mail receiving unit 21 is transmitted to the terminal device 30 as it is.

  The unauthorized access warning device 40 includes a warning display unit 41. The terminal device 30 receives an e-mail from the mail receiving device 20 and displays the received e-mail on the display screen. When the user opens (clicks) a link whose link destination is rewritten by the mail rewriting unit 23 included in the displayed electronic mail, the terminal device 30 accesses the unauthorized access warning device 40. When receiving an access from the terminal device 30, the warning display unit 41 displays a warning screen for prompting attention on the display screen of the terminal device 30.

  FIG. 2 shows an operation procedure of the mail receiving device 20. The mail receiving unit 21 receives an e-mail addressed to the user (step A1). The illegal mail determination unit 22 checks the content of the received electronic mail (step A2), and determines whether it is an invitation mail to an illegal site such as a phishing scam (step A3). In step A3, it is determined whether or not the mail is a fraudulent mail if the link is not embedded in the body. If it is included, the mail address of the sender of the received mail and the received mail are included. By comparing with the address of the link destination URL included in the text, it is determined whether or not the mail is illegal.

  In e-mails used in phishing scams, senders are often misrepresented and emails are sent with falsified bank and credit company addresses, but these sender email addresses are non-genuine fake addresses. The actual sender is different from this. On the other hand, fraudulent sites that are actually set up to collect personal information cannot be placed below the regular domain used by banks or credit companies. And the domain of the credit company. Therefore, the fraudulent mail determination unit 22 compares the domain part of the source address of the e-mail with the domain of the link destination URL, and determines that it is an invitation mail to the fraudulent site if they do not match.

  For example, assume that the source address of the email received in step A1 is webmaster@legal-site.com. In step A2, if the result of checking the received mail includes a link to an address including a domain (legal-site.com) that matches the sender address, the mail sender is the same domain as the sender's domain. In step A3, it is determined that no misrepresentation has been performed, and it is determined that it is not an invitation mail to an unauthorized site. However, when the link destination URL is “http://www.abuse-site.com/”, the domain of the link destination URL (abuse-site.com) is the domain of the mail transmission source address. The mail sender is trying to access a server in a domain that is different from the sender's domain.

  As a method of detecting spam mails and illegal mails, the mail header part and body characteristics are extracted from the received mail, and this is compared with previously stored characteristics such as spam mails. Various types of information have been proposed or have already been commercialized, such as a method for storing address information of an unauthorized site in advance and detecting whether the address is included in the received mail. In step A3, instead of or in addition to the above-described domain comparison, it may be determined whether or not it is an invitation mail to an unauthorized site by using these methods.

  If it is determined in step A3 that the email is a solicitation email to an unauthorized site, the email rewriting unit 23 rewrites the URL determined to be an unauthorized site included in the email text (step A4), and links the destination to an unauthorized access warning. Let it be device 40. FIG. 3 shows how the link destination address is rewritten by the mail rewriting unit 23. The link destination URL of the anchor tag before rewriting is assumed to be http://www.abuse-site.com/abuse/. If the address (host name) of the unauthorized access warning device 40 is alert.nec.co.jp, the mail rewriting unit 23 sets the link destination URL of the anchor tag to http://alert.nec.co.jp/alert. Rewrite to .cgi. At that time, in order to deliver the address before rewriting to the unauthorized access warning device 40, the address before rewriting (www.abuse-site.com/abuse/) is included as a parameter in the URL after rewriting. When rewriting, it is preferable to add a notice to the subject (subject header) or mail body that the address has been rewritten to alert the user.

  The mail delivery unit 24 transmits the electronic mail whose link destination is rewritten to the unauthorized access warning device 40 in Step A4 to the user terminal device 30 (Step A5). If it is determined in step A3 that it is not an invitation mail to an unauthorized site, the electronic mail received in step A1 is transmitted to the terminal device 30 as it is. This transmission may be performed in response to a mail acquisition request from the terminal device 30 side, or may be automatically performed from the mail receiving device 20 side.

  FIG. 4 shows the operation procedure of the system for preventing solicitation to unauthorized sites when prompting the user to call attention. When the user clicks the link rewritten in step A4 in FIG. 3 included in the received mail (step B1), the terminal device 30 transmits an HTTP request to the unauthorized access warning device 40. Upon receiving this HTTP request, the unauthorized access warning device 40 may cause the warning display unit 41 to display an indication that there is a possibility of trying to access an unauthorized site and warn enough to handle personal information. Then, it is displayed on the display screen of the terminal device 30 (step B2).

  For example, consider the case where the electronic mail shown in FIG. 6 is received. This e-mail is sent from the “http://www.abuse-site.com/abuse/” to “http: // alert” as shown in FIG. .nec.co.jp / alert.cgi? originalURL = http: //www.abuse-site.com/abuse/%F2Fabuse%F2 ". When the user clicks on the link part “http://www.nec.co.jp/campaign/” on the screen displayed as shown in FIG. 7, the terminal device 30 is an illegal link destination. An HTTP request including the original URL before rewriting is transmitted to the access warning device 40.

  FIG. 5 shows a specific example of page information that the unauthorized access warning device 40 transmits in response to an HTTP request from the terminal device 30. In this example, on the display screen of the terminal device 30, there is a warning that there is a possibility of an unauthorized site for the user and personal information or the like should not be entered, and information on how to deal with it is displayed. The By viewing such a display, the user can be prepared for handling personal information. Returning to FIG. 4, when the user clicks a link to the original link destination before rewriting from the warning display screen as shown in FIG. 5, the terminal device 30 goes to the link destination via the external network 10. Access (step B3).

  In the present embodiment, the mail receiving device 20 determines whether or not the received electronic mail is an invitation mail to an unauthorized site, and if it is determined to be an invitation mail to an unauthorized site, it is included in the email. The link destination of the link URL is rewritten to the unauthorized access warning device 40. Even when the user accidentally clicks a link included in the e-mail after URL rewriting, the terminal device 30 accesses the unauthorized access warning device 40 without accessing the original link destination before rewriting. By doing so, it is possible to avoid a situation where the user accesses an unauthorized site with the intention of accessing a legitimate site.

  In addition, the mail receiving device 20 rewrites the access destination of the link in the received mail to the unauthorized access warning device 40 only when the unauthorized email determination unit 22 determines that the email is a solicitation email to the unauthorized site. Only the access that is suspected of access is bypassed by the unauthorized access warning device 40. As a result, the link included in the normal e-mail that is not suspected of fraud can be accessed from the terminal device 30 to the linked site as usual. Moreover, the situation where access concentrates on the unauthorized access warning device 40 can be avoided, and the equipment amount of the unauthorized access warning device 40 can be minimized.

  After accessing the unauthorized access warning device 40, on the display screen of the user's terminal device 30, an indication that there is a possibility that an unauthorized site is being accessed and an original URL before rewriting are displayed. In this way, the user can discourage access to the original link destination, and can be given an opportunity to avoid access to an unauthorized site in advance. In addition, the user can access the site of the original URL after confirming such display. At that time, since the user accesses after seeing the warning on the display screen, the user visits the site with caution. For this reason, even if the access destination site is an unauthorized site, it is possible to prevent inadvertent input of personal information to the unauthorized site.

  In the present embodiment, although the e-mail is rewritten, the e-mail itself is neither deleted nor rejected, so that the necessary e-mail is not erroneously deleted on the mail receiving device 20 side. Further, in the present embodiment, since a method of rewriting the URL on the mail receiving device 20 side is adopted, even if the user is in a network connection environment where access control by a proxy server or the like cannot be used, the terminal device 30 is separately provided. Without installing the protection software, the user can be protected from the act of guiding the user to an unauthorized site and stealing personal information or the like.

  The unauthorized access warning device 40 stores in advance a list of sites that are known to be actually used for fraud, and the site that the user is trying to access (rewritten by the mail receiving device 20). It may be searched whether or not the original URL) is included in the list. In this case, if there is a site that the user is trying to access on the list, the message “The site you are trying to access is an unauthorized site” is displayed on the display screen of the terminal device 30. Make a one-step strong warning. In this way, the user can be protected from unauthorized sites.

  When the original URL rewritten by the mail receiving device 20 is clicked on the display screen shown in FIG. 3, instead of accessing the site of the URL from the user terminal device 30, the unauthorized access warning device 40 is used. May be used as a proxy server, and the unauthorized access warning device 40 may access the site of the URL. In this case, the unauthorized access warning device 40 further includes an access monitoring unit, and the access monitoring unit monitors data transmitted and received between the connection destination site and the terminal device 30. The access monitoring unit checks the received data of the terminal device 30 using a virus pattern stored in advance, and checks whether a virus has entered. Alternatively, the transmission data from the terminal device 30 is checked using the pattern data stored in advance when personal information is leaked to check whether personal information is leaked. In this case, the safety of the user can be further improved.

  In the embodiment described above, the link destination is rewritten by the mail rewriting unit 23 of the mail receiving device 20 before the user receives the e-mail by the terminal device 30, but the link destination is rewritten on the terminal device 30. Also good. For example, the mail software on the terminal device 30 has the functions of the fraudulent mail determination unit 22 and the mail rewriting unit 23, and when a user displays an email, a link to a site suspected of fraud is fraudulent. Rewrite the link to the access warning device 40. Also in this case, the user can be protected from damage such as fraud.

  Although the present invention has been described based on the preferred embodiment, the system for preventing guidance to unauthorized sites, the method, the program, and the mail receiving device of the present invention are not limited to the above embodiment. Rather, various modifications and changes made from the configuration of the above embodiment are also included in the scope of the present invention.

The block diagram which shows the structure of the guidance prevention system to the unauthorized site of one Embodiment of this invention. The flowchart which shows the operation | movement procedure of the mail receiver. The figure which shows the mode of rewriting of the link destination address by the mail rewriting part. The flowchart which shows the operation | movement procedure of the solicitation prevention system to the unauthorized site at the time of calling a user's alert. The figure which shows the specific example of the page information which the unauthorized access warning apparatus 40 transmits in response to the HTTP request from the terminal device 30. The figure which shows the source of the electronic mail (phishing mail) used for a phishing scam. The figure which shows the example of a display on user PC of FIG.

Explanation of symbols

10: External network 20: Mail receiving device 21: Mail receiving unit 22: Unauthorized mail judging unit 23: Mail rewriting unit 24: Mail distributing unit 30: Terminal device 40: Unauthorized access warning device 41: Warning display unit

Claims (11)

An anti-guidance system that uses a warning device to alert the user,
A fraudulent e-mail determination unit that detects whether or not a link to an external site is included in the received mail and determines whether the link to the external site is a link to a site suspected of fraud When,
If it is determined that a link to a site that fraud is suspected, induced prevention of a link to the external site, the illegal site and having a mail rewriting unit for rewriting to the link to the warning device system.   The fraudulent mail determination unit compares the link destination address of the link to the external site and the sender address of the received mail, and determines that the link is to a site suspected of fraud if both domains are different. The system for preventing guidance to unauthorized sites according to claim 1.   The guidance to an unauthorized site according to claim 1 or 2, wherein the mail rewriting unit includes information specifying a link destination address of the link to the external site before rewriting in the link to the warning device after rewriting. Prevention system.   The warning device according to any one of claims 1 to 3, wherein when the warning device receives an access from a user, a warning to the effect that an attempt to access a site that may be an unauthorized site is made on the user's terminal device. A system to prevent unauthorized entry to the listed site.   When the warning device refers to a storage device that stores the address of a known illegal site, and the link destination address of the link to the external site matches the address stored in the storage device, the terminal display device of the user The system for preventing guidance to an unauthorized site according to claim 4, wherein a warning that an attempt is made to access a dangerous site is displayed above.   The warning device further includes an access monitoring unit that monitors transmission / reception data between a link destination external site determined to be a link to a site suspected of fraud and a user terminal device. Item 6. The system for preventing guidance to unauthorized sites according to item 4 or 5. A method for preventing the use of a computer to navigate to unauthorized sites,
The computer detects whether contain links to other sites in the received mail, when it is included, links to external sites, determines whether a link to a site where fraud is suspected Steps,
And rewriting the link to the external site to a link to a warning device that prompts a user to be alerted when the computer determines that the link is to a site suspected of being fraudulent. How to prevent navigation to the site.   In the step of determining whether the link is to a site suspected of fraud, the computer compares the link destination address of the link to the external site with the sender address of the received mail, and both domains The system for preventing guidance to an unauthorized site according to claim 7, wherein if they are different, it is determined that the link is to a site suspected of fraud. A program for causing a computer to execute processing for preventing induction to an unauthorized site, wherein the computer
Links to external sites on the received mail to detect whether or not included, as it is included are links to external sites, and determining whether a link to a site where fraud is suspected,
A program that, when judged to be a link to a site suspected of fraud, rewrites the link to the external site into a link to a warning device that prompts the user to call attention.   In the step of determining whether or not the link is to a site suspected of fraud, the computer compares the link destination address of the link to the external site with the sender address of the received mail, and both domains The program according to claim 9, wherein if they are different, a process for causing a link to a site suspected of fraud is executed. A mail receiving device that prevents a user from being directed to an unauthorized site,
Links to external sites on the received mail to detect whether or not included, as it is included are links to external sites, badmail determining section for determining whether a link to a site where fraud is suspected When,
An e-mail rewriting unit that rewrites a link to the external site into a link to a warning device that prompts a user to be alerted when it is determined that the link is to a site suspected of fraud Receiver device.

Images