JP2007272607A - Mail filtering system and mail filtering program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To prevent an undesired email from being sent by checking the contents of the email when the email is sent. <P>SOLUTION: Basic policies for filtering an email are prepared for respective organizations and for respective positions, and moreover each of them is divided for a general use and for a plurality of special uses. Normally a filtering for the general use is performed, to quantify inspection results for respective email senders and to totalize them. When a quantity exceeds a threshold value, a filtering for a special use corresponding to a level of the quantity is applied automatically. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to a mail filtering system and a mail filtering program, and more particularly to a mail filtering system and a mail filtering program for checking the contents of a mail before transmitting an electronic mail (hereinafter referred to as a mail) on a transmission side.

  As a conventional mail filtering system, in order to increase the detection rate to detect that received mail is spam mail, for mail considered as spam mail, the sender's mail address is extracted from the mail and blacked out. If you register to the list sequentially and the next time you receive an email, determine whether the sender email address is blacklisted, and if it is blacklisted Has proposed a system that increases a count value for the sender mail address and executes a predetermined action on the spam mail when the count value exceeds a predetermined threshold ( For example, see Patent Document 1.)

JP 2005-208780 A

  The conventional email filtering system determines whether or not it is a junk mail when it receives a mail, and copes with it when it is a junk mail, but does not filter when sending a mail, There is a problem that even when an undesired mail is transmitted, it cannot be checked or prohibited from being checked or suspended.

  The present invention has been made to solve such problems, and when sending an email, it is possible to check the content of the email to be sent and prevent an unwanted email from being sent in advance. The purpose is to obtain a mail filtering system and a mail filtering program.

  The present invention is a mail filtering system for performing an inspection before transmission of an e-mail, and for every e-mail address that can be a transmission source, information on the organization and job title to which the user who owns the e-mail address belongs. Stored user information storage means, and for each mail address, the inspection results of all past inspected emails are digitized and integrated, and the audit total storage means stored as audit total results, For each user organization and job title, basic policy storage means in which inspection items for unsent e-mails and corresponding actions for each inspection item are stored as basic policies, and inspections based on the values of the audit tabulation results Threshold storage means in which a threshold for the inspection item is set for each basic policy for each intensity level, and unsent The e-mail is input, and the address extracting means for extracting the sender e-mail address from the e-mail, and the organization and job title to which the user belongs from the user information storage means based on the extracted sender e-mail address Organization / posture information extraction means for extracting information on the basic policy extraction means for extracting the basic policy corresponding to the organization and post from the basic policy storage means based on the extracted information on the organization and post Whether or not the unsent e-mail is inspected for each inspection item of the basic policy based on the basic policy extracted by the basic policy extracting means, and whether or not a threshold for the inspection item is exceeded And an inspection item that is greater than or equal to a threshold based on the result of the determination If there is, an audit total addition processing means for digitizing the inspection result and adding it to the value of the audit total result stored in the audit total storage means, and the basic policy based on the determination result A mail filtering system comprising: mail processing means for processing the unsent e-mail based on the corresponding action of the basic policy extracted by the extracting means.

  The present invention is a mail filtering system for performing an inspection before transmission of an e-mail, and for every e-mail address that can be a transmission source, information on the organization and job title to which the user who owns the e-mail address belongs. Stored user information storage means, and for each mail address, the inspection results of all past inspected emails are digitized and integrated, and the audit total storage means stored as audit total results, For each user organization and job title, basic policy storage means in which inspection items for unsent e-mails and corresponding actions for each inspection item are stored as basic policies, and inspections based on the values of the audit tabulation results Threshold storage means in which a threshold for the inspection item is set for each basic policy for each intensity level, and unsent The e-mail is input, and the address extracting means for extracting the sender e-mail address from the e-mail, and the organization and job title to which the user belongs from the user information storage means based on the extracted sender e-mail address Organization / posture information extraction means for extracting information on the basic policy extraction means for extracting the basic policy corresponding to the organization and post from the basic policy storage means based on the extracted information on the organization and post Whether or not the unsent e-mail is inspected for each inspection item of the basic policy based on the basic policy extracted by the basic policy extracting means, and whether or not a threshold for the inspection item is exceeded And an inspection item that is greater than or equal to a threshold based on the result of the determination If there is, an audit total addition processing means for digitizing the inspection result and adding it to the value of the audit total result stored in the audit total storage means, and the basic policy based on the determination result Since it is a mail filtering system comprising a mail processing means for processing the unsent e-mail based on the corresponding action of the basic policy extracted by the extracting means, it is transmitted when sending a mail. By checking the contents of the mail, it is possible to prevent unwanted mail from being sent.

Embodiment 1 FIG.
FIG. 1 is a diagram showing an overall configuration of a mail filtering system according to Embodiment 1 of the present invention. As shown in FIG. 1, the mail filtering system according to the first embodiment includes a sender information analysis processing unit 1, a confidential information determination processing unit 2, an audit total addition processing unit 3, a mail processing / recording unit 4, Is provided. Further, the mail filtering system according to the first embodiment includes an organization / position-based basic policy definition file 5, an individual audit totaling file 6, a threshold application parameter definition file 7, a confidential information definition file 8, and an inspection log. A file 9, an inspection mail recording file 10, and a personal master file 11 are provided. The mail filtering system according to the first embodiment can be configured by various computers. For example, a mail server (not shown) that sends and receives mail outside the company and a client terminal that sends and receives mail (see FIG. (Not shown) may be configured to connect a mail filtering system via a network.

These components are briefly described below.
The sender information analysis processing means 1 (address extraction means, organization / posture information extraction means, basic policy extraction means, audit tabulation information extraction means and threshold information extraction means) receives the unsent pre-inspection mail 30 and Based on the sender's e-mail address of the pre-inspection mail 30, the basic policy definition file 5 for each organization / position and the individual audit total file 6 described later and the audit total information of the mail sender so far Based on these, the basic policy applied to the mail inspection of the pre-inspection mail 30 before transmission and the parameter type defining the threshold value are determined. The basic policy and parameter type will be described later.
The confidential information determination processing unit 2 (determination unit) is configured to check each inspection item set as a basic policy for the pre-inspection mail 30 to be transmitted according to the basic policy and parameter type determined by the sender information analysis processing unit 1. Conduct an inspection on The check item includes checking whether confidential information and personal information are included in the mail text and attached file. The keyword for determining the confidential information and personal information is a confidential information definition file described later. 8 is registered in advance.
The audit total addition processing means 3 (audit total addition processing means, inspection log output means) stores all the inspection results of the confidential information determination processing means 2 as a log in an inspection log file 9 to be described later, and scores the inspection results. Then, it adds to the value of the audit total result of the individual audit total file 6 described later and records it.
The mail processing / recording means 4 (mail processing means, inspection mail output means), based on the inspection result of the confidential information determination processing means 2, checks the inspected mail 31 that has been inspected according to the corresponding action set in the basic policy. While appropriately processing (sending / holding / deleting, etc.), the contents of the processed inspected mail 31 and the processing time are recorded in the inspection mail recording file 10 described later.
The contents of the individual audit summary file 6, the inspection log file 9, and the inspection mail recording file 10 are, for example, a predetermined terminal such as a terminal of each affiliation manager, and only a predetermined user can obtain the audit report 32. You can browse. Note that an audit report creating means may be provided in the mail filtering system so that the audit report 32 is automatically generated at predetermined time intervals and transmitted to the predetermined terminal by e-mail.

  The basic policy definition file 5 (basic policy storage means) for each organization / post stores the definition of the basic policy for each organization and each post of all users who can be mail senders. The basic policy defines the inspection items to be checked when checking the mail and the corresponding measures set for each inspection item. Explain the reasons for setting basic policies by organization and job title. If the organization is a company (manufacturing, service, media, etc.), a government office, or a hospital, the items that should be checked for mail are expected to differ depending on the type of job. . Also, depending on the position, the inspection strength (the level of severity of the inspection) when checking e-mails is naturally different depending on the general employee and the section manager class or officer class. If the inspection strength is too high, inconveniences such as being unable to send even necessary mail will occur, and if the inspection strength is too low, mail that should have been prohibited will flow out to the outside. There is a fear. Therefore, in the present embodiment, the basics for inspecting mail for each organization and each post so that the transmission of undesirable mail can be prevented appropriately and surely while ensuring the convenience of mail transmission. The policy is set differently. In the basic policy definition file 5 for each organization / post, the basic policy master 5a (see FIG. 3) in which the basic policy type is set for each affiliation and each post, and the definition for each basic policy. And a definition master 5b (see FIG. 4) that stores (check items and corresponding measures). In the example of FIG. 3, the basic policy of the manager of the sales first section is defined as “Eigyo Policy K” in the basic policy master 5a. As shown in FIG. 4, the contents include, as shown in FIG. 4, check items (number of transmission destinations, size of mail, confidential information keyword inspection, personal information keyword inspection) when checking the mail to be transmitted, A response measure (mail hold 1, mail hold 2) when the threshold set for the check item is exceeded is defined. Here, the mail hold 1 is processed as a low level, and the mail hold 2 is processed as a high level. When checking the mail, it is checked based on this basic policy, that is, whether or not the threshold value is exceeded for each check item. Although it is possible to arbitrarily set which check items are inspected in order, it is necessary to set in advance. In the example of FIG. 4, the number of destinations (inspection 1), mail size (inspection 2), confidential information keyword inspection (inspection 3), and personal information keyword inspection (inspection 4) are set to be inspected in this order. ing.

  The individual audit summary file 6 (audit summary storage means) digitizes and accumulates the previous email inspection results and stores them as audit summary results for each email address, and the data is updated each time an email is sent. Is done. The individual audit total file 6 includes, for each e-mail address of all users who have transmitted e-mails in the past, the e-mail sender's previous audit total information and the update date / time indicating the latest date / time updated. Stored.

  The threshold application parameter definition file 7 (threshold storage means) sets a set of threshold values for each inspection item for each basic policy for each inspection intensity level based on the value of the audit total result. This is called a parameter type. The threshold application parameter definition file 7 is set with a parameter master 7a (see FIG. 3) in which parameter types are defined for each inspection intensity level based on the audit aggregation result values, and thresholds to be applied to each basic policy for each parameter type. Threshold master 7b (see FIG. 4). As shown in FIG. 3, the parameter type is automatically changed according to the audit total result so far. That is, at first, everyone starts operation with the “general” parameter, but when the audit total result exceeds 10, it is changed to the “special A” parameter, and when the audit total result exceeds 100, for example, “special B”. Changed to a parameter. Of the threshold values for the “general” parameter, for example, “personal information keyword check” is “200” as shown in FIG. If the number is less than “200”, it is determined that there is no problem, but after changing to “special A parameter”, it is determined that there is a problem when the personal information included in the mail becomes “30” or more. In this way, the higher the audit total result value, the higher the inspection strength of the mail inspection.

  The confidential information definition file 8 (confidential information definition storage means and personal information definition storage means) defines keywords used for mail inspection. For example, in order to prevent leakage of personal information (name and address), it is effective to put a personal name dictionary and a place name dictionary as keywords. In addition, as shown in Fig. 5 as an example, words that may be attached to documents that are prohibited from being taken out of the company or outside the company such as "Confidential" and "Confidential" are registered as keywords. Good. Furthermore, if necessary, important projects or project names that are not desired to be publicized may be registered.

  The inspection log file 9 (inspection log storage means) stores mail inspection results as a log. That is, data such as the transmission source mail address, the transmission destination mail address, the title, the transmission time, the keyword caught in the mail inspection, and the number of detections are stored.

  The inspection mail storage file 10 (inspection mail storage means) records all the inspected mails 31 that have been inspected. That is, data such as a transmission source mail address, a transmission destination mail address, a title, a body text, an attached file, and a transmission time are stored.

  The personal master file 11 (user information storage means) stores information such as name, affiliation, and title for every mail address of all users who can be mail senders.

Next, the operation of the mail filtering system according to the first embodiment will be described with reference to FIG.
As shown in FIG. 2, first, in step S1, when a mail sender creates a mail and inputs a transmission instruction, the mail is input to the mail filtering system according to the first embodiment. Next, in step S2, the sender information analysis processing means 1 confirms the basic policy according to the organization / position of the mail sender and the audit total information of the mail sender so far, The parameter types for the audit total information up to are extracted.

  The operation of the sender information analysis processing means 1 in step S2 is shown in FIG. First, the sender information analysis processing means 1 searches registration data in the personal master file 11 based on the mail address of the mail sender, and extracts information (data) relating to the mail sender's affiliation and post. Next, using the extracted affiliation and post data, the basic policy master 5a of the basic policy definition file 5 by organization / post is searched to extract the basic policy of the mail sender. In the example of FIG. 3, the affiliation and title are “section manager” of “sales first section”, so “Eigyo Policy K” is extracted as the basic policy. Next, the latest audit total result of the mail sender is checked by the individual audit total file 6. In the example of FIG. 3, the audit total result is “100”. Next, the parameter type corresponding to the audit total result is extracted from the parameter master 7 a of the threshold application parameter definition file 7. In the example of FIG. 3, the type of the parameter corresponding to the audit total result “100 or more” is “special A”. Through the above processing, the sender information analysis processing means 1 extracts the basic policy and parameter type of the mail sender according to the organization and job title, and outputs them as basic policy information 40.

  Returning to the description of FIG. 2, next, in step S3, the confidential information determination processing means 2 is transmitted based on the basic policy and parameter type (basic policy information 40) by organization / postion extracted in step S2. Whether or not confidential information is included in the email.

  The operation of the confidential information determination processing means 2 in step S3 is shown in FIG. First, in step S10, the confidential information determination processing means 2 confirms the number of destination mail addresses of the mail to be sent (To (destination), CC (carbon copy), BCC (blind carbon copy)). The number of all destinations included). If the number of transmission destinations exceeds the threshold value preset in the threshold value master 7b of the threshold value application parameter definition file 7, it is determined that mail transmission should be suspended (mail suspension 1 in step S14). If not, the process proceeds to step S11 to check the mail size (capacity). If the mail size exceeds a threshold value preset in the threshold value master 7b of the threshold value application parameter definition file 7, it is determined that the mail transmission should be suspended (mail suspension 1 in step S14). If not, the process proceeds to step S12, and whether or not there is a keyword of confidential information registered in the confidential information definition file 8 in the text and attached file of the mail to be transmitted is included. Make sure that As a result, if the number of keywords included exceeds the threshold value preset in the threshold value master 7b of the threshold value application parameter definition file 7, it is determined that mail transmission should be suspended (step S15). Mail hold 2). If not, the process proceeds to step S13, in which the personal information keyword of the personal information keyword registered in the confidential information definition file 8 is present or not in the text and attached file of the email to be transmitted. Check how many are included. As a result, if the number of personal information keywords included exceeds the threshold value preset in the threshold value master 7b of the threshold value application parameter definition file 7, it is determined that mail transmission should be suspended (step Mail hold of S14 1). If not, the process proceeds to step S16, where it is determined that the mail can be transmitted and transmitted (mail transmission in step S16).

  Returning to the description of FIG. 2, next, in step S <b> 4, the audit total addition processing means 3 scores the current determination result and adds it to the previous audit total result according to the determination result in step S <b> 3.

  The operation of the audit total addition processing means 3 in step S4 is shown in FIG. First, in step S20, the determination result of the confidential information determination processing means 2 is confirmed. Next, in step S21, a predetermined value set in advance is added to the audit total result so far according to the confirmed determination result. In the example of FIG. 6, when it is determined as “mail transmission”, “+0” is added to the audit count result. If it is determined that “mail hold 1”, “+1” is added to the audit count result (level low processing). If it is determined that “mail hold 2”, “+20” is added to the audit count result (high level processing). As shown in FIG. 3, since the audit total result of the mail sender so far has been “100”, when the current determination result is “mail hold 1”, “+1” is added to “101”. If the current determination result is “mail hold 2”, “+20” is added to “120”. Next, in step S 22, the inspected mail log is output as an inspection log and stored in the inspection log file 9.

  Returning to the description of FIG. 2, next, in step S5, the mail processing / recording means 4 performs mail processing and recording.

  The operation of the mail processing / recording means 4 in step S5 is shown in FIG. First, in step S30, the determination result by the confidential information determination unit 2 is confirmed. As a result of confirmation, for those whose mail transmission has been suspended, a suspension notification mail is automatically created and transmitted to the mail sender in steps S14 and S15. Next, in step S31, the superior of the mail sender visually checks the suspended mail on the screen of his / her terminal. Next, in step S32, a message prompting the determination of whether or not transmission is possible is displayed on the screen, and it waits for either the “Delete Mail” button or the “Send Mail” button to be clicked. If the “delete mail” button is clicked, the mail is deleted in step S33. On the other hand, if the “mail transmission” button is clicked, the mail is transmitted to the destination mail address in step S16. Next, in step S34, the mail processing is recorded in the inspection mail recording file 10. It should be noted that the convenience is further improved by automatically creating a mail notifying whether the mail has been deleted or sent and sending it to the mail sender.

As described above, in the present embodiment, different basic policies for each organization and post are prepared as basic policies for filtering e-mails. A plurality of parameter types such as “special A” parameters, etc., are usually subjected to general filtering, and the test results are scored and tabulated for each mail sender. If the score exceeds the threshold, Since special filtering according to the level is automatically applied, the following effects can be obtained.
(1) Mail that matches (or does not match) preset conditions (basic policies by organization / post) can be filtered, and mail that is determined not to be sent (outside the company) can be prohibited.
(2) “Basic policies by organization / post” set in advance are not unique, and parameter types that define thresholds (inspection strength) are attached, and parameter types are automatically changed according to the value of individual audit totals. can do. As a result, the operation starts with all “general” parameters at the beginning, but the “special A” parameter for the user who needs attention is automatically set according to the latest auditing result of the mail sender “Mr. A”. It can be applied to “Mr. A”. That is, when the parameter type is “general” parameter, a case where 200 or more keywords that seem to be “individual names” are included is checked. However, in the case of the “special A” parameter for the user who needs attention, the threshold is set to 30 and the check is made strict. The inspection intensity can be automatically changed based on the results of the previous auditing.
(3) “Basic policies by organization / post” set in advance are not unique, and there are several different policies for each organization / post, which are automatically applied according to the organization and post of each mail sender. . By giving flexibility to the basic policy in this way, it is possible to inspect emails with the basic policy suitable for each organization and each post, so it is possible to prevent unwanted emails while ensuring the convenience of sending emails. It is possible to prevent transmission from outside the company appropriately and reliably.
(4) The inspection result of each mail can be scored (audit tabulation). As a result, the status of compliance with the mail usage rules can be confirmed at any time if the audit totals are scored and accumulated for each mail sender.

Embodiment 2. FIG.
FIG. 8 is a diagram showing the correspondence to an encrypted attached file. In this case, it is assumed that all users are sending emails in an encryption company-wide management system that is a mechanism that can be decrypted by an authorized third party.

  As shown in FIG. 8, an email with an encrypted attachment is temporarily put on hold (determined as an email with attachment outside the specified type), and the senior manager confirms the content (of the encryption company-wide management system). If the usage is appropriate for the business, the suspended state is canceled and an e-mail is sent. Since other operations are the same as those in the first embodiment, description thereof is omitted here.

  As described above, in the present embodiment, the same effect as in the first embodiment can be obtained, and the content of the encrypted attached file can be confirmed. Can be reliably detected and deleted.

1 is a configuration diagram showing an overall configuration of a mail filing system according to Embodiment 1 of the present invention. It is the flowchart which showed operation | movement of the mail filing system which concerns on Embodiment 1 of this invention. It is explanatory drawing which showed operation | movement of the sender information analysis process in the mail filing system which concerns on Embodiment 1 of this invention. It is explanatory drawing explaining the basic policy applied to the mail sender in the mail filing system which concerns on Embodiment 1 of this invention. It is explanatory drawing which showed the operation | movement of the confidential information determination process in the mail filing system which concerns on Embodiment 1 of this invention. It is explanatory drawing which showed the operation | movement of the audit total addition process in the mail filing system which concerns on Embodiment 1 of this invention. It is explanatory drawing which showed the operation | movement of the mail process and recording process in the mail filing system which concerns on Embodiment 1 of this invention. It is explanatory drawing which showed operation | movement of the mail filing system which concerns on Embodiment 2 of this invention.

Explanation of symbols

  1 Sender information analysis processing means 2 Confidential information determination processing means 3 Audit tabulation addition processing means 4 Mail processing / recording means 5 Basic policy definition file by organization / post 5a Basic policy master 5b Definition master 6 Individual Separate audit summary file, 7 threshold application parameter definition file, 7a parameter master, 7b threshold master, 8 confidential information definition file, 9 inspection log file, 10 inspection mail recording file, 11 personal master file.

Claims (4)

An email filtering system for performing an inspection before sending an email,
User information storage means for storing information on the organization and job title to which the user who owns the email address belongs for every email address that can be a sender,
For each of the e-mail addresses, the inspection results of all past inspected e-mails are digitized and integrated, and an audit total storage means stored as an audit total result,
Basic policy storage means in which inspection items for unsent e-mails and corresponding measures for each inspection item are stored as basic policies for each organization and post of the user,
Threshold storage means in which a threshold for the inspection item is set for each basic policy for each inspection intensity level based on the value of the audit totalization result,
An address extracting means for inputting an unsent e-mail and extracting a source e-mail address from the e-mail;
Organization / posture information extraction means for extracting information on the organization and post to which the user belongs from the user information storage means based on the extracted sender email address;
Basic policy extraction means for extracting the basic policy corresponding to the organization and position from the basic policy storage means based on the extracted information on the organization and position;
Based on the basic policy extracted by the basic policy extraction means, the unsent e-mail is inspected for each inspection item of the basic policy to determine whether or not a threshold for the inspection item is exceeded. Determination means to perform,
Based on the result of the determination, when there is an inspection item that is equal to or greater than the threshold, the inspection result is digitized and added to the value of the audit total result stored in the audit total storage means. Means,
Mail processing means for processing the unsent e-mail based on the corresponding action of the basic policy extracted by the basic policy extraction means based on the determination result Email filtering system. Further comprising confidential information definition storage means in which keywords for searching for confidential information that should not be transmitted, which may be included in the unsent e-mail, are registered,
The mail filtering system according to claim 1, wherein the inspection item includes a confidential information keyword inspection. Further comprising personal information definition storage means in which keywords for searching for personal information that should not be transmitted, which can be included in the unsent e-mail, are registered;
The mail filtering system according to claim 1, wherein the inspection item includes a personal information keyword inspection. An email filtering program for performing an inspection before sending an email,
A user information storage step in which information about the organization and job title to which the user who owns the email address belongs is stored for every email address that can be a sender,
For each e-mail address, the inspection results of all past inspected emails are digitized and integrated, and stored as an audit total result, and an audit total storage step is stored.
A basic policy storage step in which, for each of the user's organization and job title, an inspection item for an unsent e-mail and a corresponding action for each inspection item are stored as a basic policy;
A threshold storage step in which a threshold for the inspection item is set for each basic policy for each inspection intensity stage based on the value of the audit totalization result;
An address extraction step in which an unsent e-mail is input and a source e-mail address is extracted from the e-mail;
Organization / posture information extraction step in which information on the organization and post to which the user belongs is extracted from the information stored in the user information storage step based on the extracted sender email address;
A basic policy extraction step in which the basic policy corresponding to the organization and job title is extracted from the basic policy stored in the basic policy storage step based on the extracted information about the organization and job title;
Whether or not the unsent e-mail is inspected for each of the inspection items of the basic policy based on the basic policy extracted in the basic policy extraction step, so that a threshold for the inspection item is exceeded. A determination step in which is determined;
Based on the result of the determination, when there is an inspection item that is equal to or greater than a threshold, the inspection result is digitized and added to the value of the audit total result stored in the audit total storage step. When,
A mail processing step for causing a computer to execute a mail processing step for processing the unsent e-mail based on the corresponding action of the basic policy extracted by the basic policy extraction step based on the determination result Filtering program.

Images