JP2011254533A - Different-route warning device and different-route warning program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To immediately find fraudulence and allow an administrator etc. to recognize the fraudulence, when the fraudulence using an e-mail is done.SOLUTION: The kind etc. of the mailer of e-mail data is stored for each transmission source in a storage device in advance. Then, e-mail data having passed through a predetermined place of a network is obtained. The kind etc. of the mailer of the obtained e-mail data is obtained. The kind etc. of the mailer stored in advance and the kind etc. of the mailer obtained this time are compared and whether both of the kinds etc. of the mailers are coincident is determined. When both of the kinds etc. of the mailers are determined to be not coincident, warning is output to the administrator etc.

Description

  The present invention relates to a technique for transmitting a warning when, for example, it is recognized that some fraud or the like is present in a delivery route of electronic mail data.

  There is a mail archiver server that stores all e-mail data passing through a predetermined part of a network in a database. The mail archiver server can search and analyze e-mail data accumulated in the past. When the fact that fraud has been performed becomes clear, the mail archiver server can specify e-mail data necessary for proof of the fraud.

Japanese Patent Laying-Open No. 2005-066321 JP 2002-091876 A JP 2000-172586 A JP 2001-36571 A

Nobuhiro Suemasa, “A thorough explanation of Windows technologies, a major e-mail service, one after another, transmission domain authentication technology that prevents phishing”, Nikkei Windows Pro, no. 101, pp. 76-81, August 1, 2005

However, even if fraud using electronic mail is performed, the fraud cannot be detected.
An object of the present invention is, for example, to immediately detect fraud when fraud using electronic mail is performed, and to make an administrator recognize the fraud.

Another path warning device according to the present invention,
For each user of the e-mail data transmission source, at least one of a mailer type, an encoding method, a character code, reply-to information, errors-to information, return-path information, and From information of the e-mail data A normal path information storage unit that stores information in a storage device;
A data acquisition unit for acquiring e-mail data;
The correct path information storage unit in the mailer type, encoding method, character code, reply-to information, errors-to information, return-path information, and From information of the e-mail data acquired by the data acquisition unit is the normal path. A route information acquisition unit that acquires information stored as information as actual route information;
The correct route information stored in the correct route information storage unit corresponding to the user of the transmission source of the e-mail data is compared with the actual route information acquired by the route information acquisition unit. A route determination unit that determines whether or not the actual route information matches,
And a warning output unit that outputs a warning when the route determination unit determines that the normal route information and the actual route information do not match.

Another path warning program according to the present invention,
For each user of the e-mail data transmission source, at least one of a mailer type, an encoding method, a character code, reply-to information, errors-to information, return-path information, and From information of the e-mail data A normal path information storage process for storing the information in a storage device;
A data acquisition process for acquiring email data;
Mail path type, encoding method, character code, reply-to information, errors-to information, return-path information, and From information of the e-mail data acquired in the data acquisition process are the normal paths in the normal path information storage process. Route information acquisition processing for acquiring information stored as information as actual route information;
The correct route information stored in the correct route information storage process corresponding to the user of the transmission source of the e-mail data is compared with the actual route information acquired in the route information acquisition process, and the correct route information and the A route determination process for determining whether or not the actual route information matches,
When the route determination process determines that the normal route information does not match the actual route information, the computer executes a warning output process for outputting a warning.

  The different path warning device and the different path warning program according to the present invention are at least one of mailer type, encoding method, character code, reply-to information, errors-to information, return-path information, and From information. The normal route information is compared with the actual route information which is the above-mentioned information about the actual e-mail data. If the correct path information and the actual path information do not match, it is determined that the e-mail data includes fraud, and a warning is output. Therefore, it is possible to immediately detect e-mail data that may contain fraud such as spam mail. In addition, the administrator or the like can recognize that there is electronic mail data that may contain fraud.

The figure which shows an example of the structure of the network containing the different path | route warning apparatus 100 in embodiment. The figure which shows an example of a structure of the different path warning apparatus 100 in embodiment. The figure which shows the outline | summary of the function of the different path warning apparatus. FIG. 3 is a functional block diagram showing functions of the different path warning device 100 according to the first embodiment. 5 is a flowchart showing an example of the operation of the different path warning device 100 according to the first embodiment. The flowchart which shows an example of operation | movement of the different path warning apparatus 100 which concerns on Embodiment 1 different from the example shown in FIG. The figure which shows an example of the detection location of the relayed mail server information. The figure which shows an example of the header information of e-mail data. FIG. 4 is a functional block diagram showing functions of a different path warning device 100 according to a second embodiment. 9 is a flowchart showing an example of the operation of the different path warning device 100 according to the second embodiment. The functional block diagram which shows the function of the different path warning apparatus 100 which added the function further to the different path warning apparatus 100 shown in FIG. 12 is a flowchart showing an example of the operation of the different path warning device 100 shown in FIG. 11. The functional block diagram which shows the function of the different path warning apparatus 100 which concerns on Embodiment 2 different from the example shown in FIG. 9 and FIG. 13 is a flowchart illustrating an example of the operation of the different path warning device 100 according to the second embodiment, which is different from the examples illustrated in FIGS. 10 and 12. 10 is a flowchart showing an example of the operation of the different path warning device 100 according to the third embodiment.

FIG. 1 is a diagram illustrating an example of a configuration of a network including a different path warning device 100 according to an embodiment.
In FIG. 1, the server 908 is an example of the different path warning device 100. The different path warning device 100 is connected to an internal network including a plurality of PCs 909 (Personal Computers) and a mail server 910 via a switch 941 and the like. Further, the server 908 is connected to the external server A 942 and the external server B 943 via the Internet 940. Furthermore, the external server A 942 is connected to the LAN 944. The external server B 943 is connected to the LAN 945. Here, the internal network refers to a network in a group such as a predetermined company. A network other than the internal network is called an external network.
Here, the server 908 is a computer, for example, an LCD (Liquid Crystal Display) 901, a keyboard 902 (Key / Board: K / B), a mouse 903, an FDD 904 (Flexible Disc / Drive), and a CDD 905 (Compact Disk Device). These hardware resources are connected by cables and signal lines.

FIG. 2 is a diagram illustrating an example of the configuration of the different path warning device 100 according to the embodiment.
In FIG. 2, the different path warning device 100 includes a CPU 911 (also referred to as a central processing unit, a central processing unit, a processing unit, an arithmetic unit, a microprocessor, a microcomputer, or a processor) that executes a program. The CPU 911 is connected to the ROM 913, the RAM 914, the communication board 915, the LCD 901, the keyboard 902, the mouse 903, the FDD 904, the CDD 905, and the magnetic disk device 920 via the bus 912, and controls these hardware devices. Instead of the magnetic disk device 920, a storage device such as an optical disk device or a memory card read / write device may be used.

The RAM 914 is an example of a volatile memory. The storage media of the ROM 913, the FDD 904, and the magnetic disk device 920 are an example of a nonvolatile memory. These are examples of the storage device.
A communication board 915, a keyboard 902, a mouse 903, an FDD 904, a CDD 905, and the like are examples of input devices.
The communication board 915 is an example of a communication device.

  An operating system 921 (OS), a window system 922, a program group 923, and a file group 924 are stored in the magnetic disk device 920 or the ROM 913. The programs in the program group 923 are executed by the CPU 911, the operating system 921, and the window system 922.

The program group 923 includes “data acquisition unit 102”, “route information acquisition unit 104”, “route determination unit 106”, “warning output unit 108”, “normal route information storage unit” in the description of the embodiment described below. 110 ”,“ classification acquisition unit 112 ”,“ classification determination unit 114 ”,“ elapsed time acquisition unit 116 ”,“ elapsed time determination unit 118 ”,“ reception determination unit 120 ”,“ transmission destination acquisition unit 122 ”,“ transmission ” A program for executing the functions described as “destination determination unit 124”, “normal path information input unit”, and the like, and other programs are stored.
In the file group 924, information, data, signal values, variable values, and parameters described as “normal path information”, “actual path information”, and “˜determination” in the description of the embodiment described below are “file And “database (DB)”. The “file” and “database” are stored in a recording medium such as a disk or a memory. Information, data, signal values, variable values, and parameters stored in a storage medium such as a disk or memory are read out to the main memory or cache memory by the CPU 911 via a read / write circuit, and extracted, searched, referenced, compared, and calculated. Used for the operation of the CPU 911 such as calculation / processing / output / printing / display. Information, data, signal values, variable values, and parameters are temporarily stored in the main memory, cache memory, and buffer memory during the operation of the CPU 911 for extraction, search, reference, comparison, calculation, calculation, processing, output, printing, and display. Is remembered.
In addition, the arrows in the flowcharts described in the following description of the embodiments mainly indicate input / output of data and signals. The data and signal values are the RAM 914 memory, the FDD 904 flexible disk, the CDD 905 compact disk, and the magnetic field. Recording is performed on a recording medium such as a magnetic disk of the disk device 920, other optical disks, mini disks, and DVDs (Digital / Versatile / Disc). Data and signals are transmitted online via a bus 912, signal lines, cables, or other transmission media.

  In addition, what is described as “to part” in the description of the embodiment described below may be “to circuit”, “to device”, “to device”, “to means”, and “to function”. Also, “to step”, “to procedure”, and “to processing” may be used. Further, what is described as “to process” may be “to step”. That is, what is described as “˜unit” may be realized by firmware stored in the ROM 913. Alternatively, it may be implemented only by software, or only by hardware such as elements, devices, substrates, and wirings, by a combination of software and hardware, or by a combination of firmware. Firmware and software are stored as programs in a recording medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a mini disk, and a DVD. The program is read by the CPU 911 and executed by the CPU 911. That is, the program causes the computer to function as “to part” described below. Alternatively, it causes the computer to execute the procedures and methods of “to part” described below.

Embodiment 1 FIG.
In the first embodiment, a description will be given of a different path warning device 100 that handles, as path information, a device that has actually passed between transmission and reception of electronic mail data.

First, based on FIG. 3, the outline | summary of the different path warning apparatus 100 which concerns on Embodiment 1 is demonstrated. FIG. 3 is a diagram showing an outline of functions of the different path warning device 100. Here, in order to simplify the configuration, it is assumed that the function of the mail archiver server is provided in the different path warning device 100.
In FIG. 3, an external PC 210 is a PC belonging to the external network, and an internal PC 220 is a PC belonging to the internal network. A user A of the external PC 210 and a user B of the internal PC 220 exchange e-mail data with each other. Then, the different path warning device 100 connected to the network between the external PC 210 and the internal PC 220 obtains a packet of email data transmitted and received between the user A of the external PC 210 and the user B of the internal PC 220. And store it in the storage device. Further, the different path warning device 100 stores the transmission / reception path information of the email data acquired together in the storage device. The transmission / reception path is stored in a storage device such as a database from the acquired packet or the header information of the mail analyzed from the packet.
Then, the different path warning device 100 determines the path information that is patterned when, for example, a certain number or more of e-mail data is transmitted and received. Then, the route information is stored in a storage device such as a database as normal route information. In other words, the different path warning device 100 determines the correct path information of the e-mail data from the user A to the user B from the e-mail data stored in the storage device. For example, the different path warning device 100 assumes that the e-mail data transmitted from the user A is the correct path transmitted from the external PC 210.
Thereafter, when the e-mail data addressed from the user A to the user B is transmitted from the external PC 230, the different path warning device 100 determines that the e-mail data is transmitted through a path different from the correct path. That is, the different path warning device 100 determines that the e-mail data is likely to be fraudulent e-mail data. Then, the different path warning device 100 outputs a warning to the administrator or the user B who is the recipient of the e-mail data by e-mail data or the like.

As described above, here, it has been described that the function of the mail archiver server is provided in the different path warning device 100. However, the present invention is not limited to this, and a configuration in which a mail archiver server is provided separately from the different path warning device 100 may be employed. That is, in this case, it is the mail archiver server that stores the packet of the email data and the route information of the email data transmitted / received between the user A of the external PC 210 and the user B of the internal PC 220. On the other hand, the different path warning device 100 acquires the packet of the email data and the path information of the email data from the mail archiver server, and determines the correct path information of the email data transmitted by the user A. Further, the different path warning device 100 acquires e-mail data transmitted from the user A, determines whether or not the data is transmitted through the correct path, and outputs a warning if the path is not correct. That is, the e-mail data may be either an e-mail packet or mail data obtained by analyzing the packet.
In the following description, it is assumed that the mail archiver server is configured separately from the different path warning device 100 unless otherwise described.

  Next, the function of the different path warning device 100 according to the first embodiment will be described in detail with reference to FIGS. FIG. 4 is a functional block diagram showing functions of the different path warning device 100 according to the first embodiment. FIG. 5 is a flowchart showing an example of the operation of the different path warning device 100 according to the first embodiment. FIG. 6 is a flowchart showing an example of the operation of the different path warning device 100 according to the first embodiment, which is different from the example shown in FIG.

As illustrated in FIG. 4, the different path warning device 100 according to the first embodiment includes a data acquisition unit 102, a path information acquisition unit 104, a path determination unit 106, a warning output unit 108, and a normal path information storage unit 110.
The data acquisition unit 102 immediately (in real time) acquires e-mail data that passes through a predetermined part of the network via a communication device.
The path information acquisition unit 104 acquires actual path information indicating the communication path of the e-mail data acquired by the data acquisition unit 102 and stores it in the storage device.
The route determination unit 106 compares the normal route information stored in the later-described normal route information storage unit 110 with the actual route information acquired by the route information acquisition unit 104. Then, the route determination unit 106 determines whether or not the normal route information matches the actual route information by the processing device.
The warning output unit 108 outputs a warning by the processing device when the route determination unit 106 determines that the normal route information and the actual route information do not match.
The correct path information storage unit 110 stores correct path information indicating the correct communication path of the e-mail data in a predetermined unit. As described above, the normal path information storage unit 110 determines the path information that is patterned when a predetermined condition is satisfied, for example, when a certain number or more of transmission / reception has been performed. Then, the normal route information storage unit 110 stores the route information as normal route information.
Although not shown, the different path warning device 100 may include a normal path information input unit for registering or changing the normal path information by a user having an appropriate authority. That is, the different path warning device 100 includes a normal path information input unit that inputs normal path information with the input device, and the normal path information storage unit 110 stores the normal path information input by the normal path information input unit. It does not matter.

Next, an example of the operation of the different path warning device 100 according to the first embodiment will be described with reference to FIG. Here, the correct path information storage unit 110 stores, as correct path information, the IP address of the transmission source and the IP address of the transmission destination of the email data received in the past for each source domain (correct path information). Input processing).
First, in the data acquisition process (S101), the data acquisition unit 102 acquires e-mail data.
Next, in the route information acquisition process (S102), the route information acquisition unit 104 acquires the source IP address and destination IP address of the email data acquired by the data acquisition unit 102 as actual route information.
Next, in the route determination process (S103), the route determination unit 106 determines whether the normal route information corresponding to the domain of the transmission source of the email data matches the actual route information.
In the warning output process (S104), the warning output unit 108 outputs a warning to the administrator by e-mail or the like when the route determination unit 106 determines that the normal route information and the actual route information do not match.

  In the above description, the normal path information storage unit 110 stores the source IP address and the destination IP address. However, the primary path information storage unit 110 may store the MAC (Media Access Control) address of the transmission source of the email data received in the past and the MAC address of the transmission destination as the normal path information. In this case, in (S102), the path information acquisition unit 104 acquires the MAC address of the transmission source and the MAC address of the transmission destination of the email data acquired by the data acquisition unit 102 as actual path information.

Next, based on FIG. 6, an example of operation | movement of the different path warning apparatus 100 which concerns on Embodiment 1 different from the above is demonstrated. Here, the correct path information storage unit 110 sets, for each source domain, the address of an MTA (Message Transfer Agent) to be relayed when transferring e-mail data received in the past from the source to the destination. Remember as.
First, in the data acquisition process (S201), the data acquisition unit 102 acquires e-mail data as in (S101).
Next, in the route information acquisition process (S202), the route information acquisition unit 104 uses, as actual route information, the address of the MTA relayed when the e-mail data acquired by the data acquisition unit 102 is transferred from the transmission source to the transmission destination. get.
Next, in the route determination process (S203), as in (S103), the route determination unit 106 determines whether the correct route information corresponding to the domain of the transmission source of the email data matches the actual route information. judge.
In the warning output process (S204), as in (S104), when the route determination unit 106 determines that the normal route information and the actual route information do not match, the warning output unit 108 uses an e-mail or the like as an administrator. Output a warning.

Here, the relayed MTA is specified by the relayed MTA address. Here, the MTA address is the IP address of the MTA. However, if acquisition is possible, the MTA address may be the MTA MAC address.
Further, in order to specify the relayed MTA, the MTA host name may be used instead of the MTA address. Furthermore, in order to specify the relayed MTA, both the MTA address and the host name may be used.

Based on FIG. 7 and FIG. 8, an example of the detection part of the relayed mail server information will be described. FIG. 7 is a diagram illustrating an example of a detected location of relayed mail server information. FIG. 8 is a diagram illustrating an example of header information of e-mail data. The header information of the email data shown in FIG. 8 indicates the header information of the email data transmitted from the sender to the receiver shown in FIG.
The relayed MTA treated as the route information (the normal route information stored in the normal route information storage unit 110 and the actual route information acquired by the route information acquisition unit 104) has at least the essential detection location A and the detection location shown in FIG. Including essential part B. The essential location A for detection is the MTA that relays the sender's terminal first and the MTA that relays it next. In addition, the essential locations B for detection are the MTA relayed most recently received by the receiver and the MTA relayed before that. Normally, the e-mail data is relayed to many other MTAs, but MTAs other than the detection-required location A and the detection-required location B (arbitrary detection locations in FIG. 7) are not included even if included in the route information. It doesn't matter.
In the header information of the e-mail data, the relayed MTA server can be detected by referring to the Received phrase. As shown in FIG. 8, in the header information of the e-mail data, the last Received phrase and the preceding Received phrase indicate the required location A for detection. In addition, the first Received phrase and the next Received phrase indicate the essential part B for detection. Therefore, by detecting at least the last Received phrase and the preceding Received phrase, and the first Received phrase and the next Received phrase from the header information of the e-mail data, the detection mandatory part A and the detection essential MTA information with the location B can be obtained.

  In the above description, the route determination unit 106 determines whether or not the correct route information corresponding to the domain of the transmission source of the e-mail data matches the actual route information. Here, the term “match” is not limited to a perfect match, but may be matched if the match rate is a predetermined value or more. That is, as long as the route information of at least a predetermined ratio matches, it may be matched. In addition, the detection-required portion A and the detection-required portion B may be completely matched, and the matching condition may be that the route information matches at a predetermined ratio or more for any detection location. .

In the above description, the primary path information storage unit 110 stores the transmission source IP address and the transmission destination IP address or the transmission source MAC address and the transmission destination MAC address for each transmission source domain. .
However, the primary path information storage unit 110 includes, for each transmission source domain, information on at least one of the transmission source IP address, the domain name, and the host name of the email data, the transmission destination IP address, and the domain name. You may memorize | store at least any one information with a host name as normal path | route information. In this case, the route information acquisition unit 104 stores the information stored as the normal route information in the IP address, domain name, and host name of the email data acquired by the data acquisition unit 102, and the IP address of the transmission destination. And the information stored as the normal route information in the domain name and the host name is acquired as the actual route information. Then, the route determination unit 106 determines whether or not the normal route information corresponding to the domain of the transmission source of the e-mail data matches the actual route information.
In addition, for each source domain, the primary path information storage unit 110 includes information on at least one of the MAC address, domain name, and host name of the sender of the email data, the MAC address of the destination, and the domain name. You may memorize | store at least any one information with a host name as normal path | route information. The path information acquisition unit 104 stores the information stored as the correct path information in the MAC address, domain name, and host name of the transmission source of the email data acquired by the data acquisition unit 102, the MAC address of the transmission destination, and the domain name And the information stored as the normal route information in the host name are acquired as the actual route information. Then, the route determination unit 106 determines whether or not the normal route information corresponding to the domain of the transmission source of the e-mail data matches the actual route information.

In the first embodiment, the different path warning device 100 uses the IP address (or MAC address) of the transmission source of the email data and the IP address (or MAC address) of the transmission destination as path information. Further, in the first embodiment, the different path warning device 100 uses the address of the MTA relayed when transferring the e-mail data from the transmission source to the transmission destination as the path information. Then, the route normally used from the email data transmitted and received in the past is set as the normal route information, and a warning is output that there is a possibility that fraud is present in the email data transmitted through a route different from the normal route information. .
Therefore, according to the different path warning device 100 according to the first embodiment, for example, an administrator or the like can immediately recognize illegal emails by impersonation of others.

Embodiment 2. FIG.
In the second embodiment, a different path warning device 100 that handles a combination of a transfer path and a destination of e-mail data as path information will be described.

First, the outline | summary of the different path warning apparatus 100 which concerns on Embodiment 2 is demonstrated.
The operation of the different path warning device 100 according to the second embodiment is substantially the same as that of the different path warning device 100 according to the first embodiment. However, the different path warning device 100 according to the second embodiment is different from the different path warning device 100 according to the first embodiment in the following points.
First, the different path warning device 100 according to Embodiment 2 handles different information as path information. The different path warning device 100 according to the first embodiment treats a device that has actually passed between transmission and reception of electronic mail data as a path. This makes it possible to detect fraud such as impersonation. However, the different path warning device 100 according to the second embodiment treats a transfer path and destination combination of e-mail data as path information. In other words, it is assumed that the e-mail data that may be illegally interleaved with the e-mail data transferred outside the original business flow. In addition, for example, an electronic device in which an e-mail data that does not include a destination that must be added to a destination (to clause, cc clause, bcc clause) when sending it outside the company may be illegal. Suppose that it is mail data.
Second, the method for acquiring the normal path information is different. The different path warning device 100 according to the first embodiment determines the path information that is patterned based on the past e-mail data accumulated in the storage device, and uses it as the correct path information. However, in principle, in the different path warning device 100 according to the second embodiment, the administrator or the like registers the normal path information in advance using an input device or the like. Of course, as with the different path warning device 100 according to the first embodiment, information patterned according to past e-mail data accumulated in the storage device may be determined and used as the normal path information.

  Next, the function of the different path warning device 100 according to the second embodiment will be described in detail based on FIG. 9 and FIG. FIG. 9 is a functional block diagram illustrating functions of the different path warning device 100 according to the second embodiment. FIG. 10 is a flowchart showing an example of the operation of the different path warning device 100 according to the second embodiment. Here, only the parts of the function of the different path warning device 100 according to the second embodiment that are different from the function of the different path warning device 100 according to the first embodiment will be described.

As illustrated in FIG. 9, the different path warning device 100 according to the second embodiment further includes a classification acquisition unit 112 and a classification determination unit 114 in addition to the different path warning device 100 according to the first embodiment.
The classification acquisition unit 112 acquires the subject phrase information of the header information of the email data as a subject and stores it in the storage device. Here, the classification acquisition unit 112 may use a subject obtained by removing the character string added by the mailer such as “Re:” or “Fw:” from the information of the subject phrase.
The classification determination unit 114 determines whether or not the subject acquired by the classification acquisition unit 112 is a predetermined subject stored in the normal path information storage unit 110 described later.
Further, the correct path information storage unit 110 stores, as the correct path information, a transfer path from the initial sender of the e-mail data to the final receiver for a predetermined subject. That is, the correct path information storage unit 110 stores correct path information for each subject. The transfer path refers to a path through which e-mail data is transmitted, for example, from “A person in charge” to “B section manager” and from “B section manager” to “C section manager”. In addition, in the above example, the initial sender is “A person in charge” who first transmitted the e-mail data. In the above example, the final recipient is the “C section manager” who last received the e-mail data.
The path information acquisition unit 104 acquires the transfer path from the initial sender to the final receiver of the email data acquired by the data acquisition unit 102 as actual path information.
Then, when the classification determination unit 114 determines that the subject acquired by the classification acquisition unit 112 is a predetermined subject, the route determination unit 106 determines whether the correct route information matches the actual route information.
That is, the different path warning device 100 according to the second embodiment determines whether or not the e-mail data with the predetermined subject is transferred through the determined transfer path. If the data is not transferred through the determined transfer path, a warning is output to the administrator or the like.
As in the first embodiment, although not shown, the different path warning device 100 may include an input unit or the like for a user having appropriate authority to register or change the normal path information. Absent.

Next, based on FIG. 10, an example of operation | movement of the different path warning apparatus 100 which concerns on Embodiment 2 is demonstrated. Here, as described above, the normal path information storage unit 110 stores the transfer path from the initial sender of the e-mail data to the final receiver as the normal path information for a predetermined subject.
First, in the data acquisition process (S301), as in (S101), the data acquisition unit 102 acquires e-mail data.
Next, in the classification acquisition process (S302), the classification acquisition unit 112 acquires the subject phrase information of the header information of the email data as the subject.
Next, in the classification determination process (S303), the classification determination unit 114 determines whether the subject acquired by the classification acquisition unit 112 is a predetermined subject stored in the correct path information storage unit 110. When the classification determination unit 114 determines that the subject is a predetermined subject (Yes in S303), the process proceeds to (S304). On the other hand, when the classification determination unit 114 determines that the subject is not a predetermined subject (No in S303), the process ends.
Next, in the route information acquisition process (S304), the route information acquisition unit 104 acquires the transfer route from the initial sender to the final receiver of the email data acquired by the data acquisition unit 102 as actual route information.
Next, in the route determination process (S305), when the classification determination unit 114 determines that the subject acquired by the classification acquisition unit 112 is a predetermined subject, the route determination unit 106 obtains the correct route information and the actual route information. It is determined whether or not they match.
Then, in the warning output process (S306), as in (S104), the warning output unit 108, when the path determination unit 106 determines that the normal path information and the actual path information do not match, Output a warning.

In the above description, it is determined whether or not electronic mail data with a predetermined subject has been transferred through a predetermined transfer path. However, the present invention is not limited to this. For example, it may be determined whether or not the e-mail data with the attached file having a predetermined file name is transferred through a predetermined transfer path. That is, in this case, each function performs the following processing.
The classification acquisition unit 112 acquires the file name of the attached file of the e-mail data.
The classification determination unit 114 determines whether the file name acquired by the classification acquisition unit 112 is a predetermined file name stored in the normal path information storage unit 110 by the processing device.
The normal path information storage unit 110 stores a transfer path from the initial sender of the e-mail data to the final receiver as normal path information for a predetermined file name.

  Next, based on FIG. 11 and FIG. 12, a different path warning device 100 in which a function is further added to the different path warning device 100 according to the second embodiment described above will be described. FIG. 11 is a functional block diagram showing functions of the different path warning device 100 in which functions are further added to the different path warning device 100 shown in FIG. FIG. 12 is a flowchart showing an example of the operation of the different path warning device 100 shown in FIG.

As illustrated in FIG. 11, the different path warning device 100 includes an elapsed time acquisition unit 116, an elapsed time determination unit 118, and a reception determination unit 120 in addition to the different path warning device 100 illustrated in FIG. 9.
The elapsed time acquisition unit 116 acquires the elapsed time from when the initial transmission source of the e-mail data acquired by the data acquisition unit 102 is transmitted until the data acquisition unit 102 acquires it by the processing device.
The elapsed time determination unit 118 determines whether or not the elapsed time acquired by the elapsed time acquisition unit 116 exceeds a predetermined limit time.
The reception determination unit 120 determines whether or not the final recipient has received the e-mail data by the processing device.
Further, the correct path information storage unit 110 stores the transfer path from the original sender of the e-mail data to the final receiver as the correct path information for a predetermined subject, and the initial sender transmits the e-mail data. Then, a predetermined time limit until the last receiver receives the data is stored.
The warning output unit 108 outputs a warning when the route determination unit 106 determines that the normal route information and the actual route information do not match, and when the elapsed time exceeds the limit time, the elapsed time determination unit 118. When the reception determination unit 120 determines that the final recipient has not received the message, a warning is output.

Next, based on FIG. 12, an example of operation | movement of the different path warning apparatus 100 shown in FIG. 11 is demonstrated. Here, as described above, the normal path information storage unit 110 stores the transfer path from the initial sender of the e-mail data to the final receiver as the normal path information for a predetermined subject. The correct path information storage unit 110 stores a predetermined time limit from when the e-mail data is transmitted by the initial sender until the final receiver receives the e-mail data. Here, only a part different from the operation of the different path warning device 100 described based on FIG. 10 will be described.
The processing from (S401) to (S405) is the same as the processing from (S301) to (S305), respectively. If (Yes in S403), the process proceeds to (S404) and (S406). On the other hand, if (No in S403), the process ends.
In the elapsed time acquisition process (S406), the elapsed time acquisition unit 116 acquires the elapsed time since the initial transmission source of the email data acquired by the data acquisition unit 102 is transmitted.
Next, in the elapsed time determination process (S407), the elapsed time determination unit 118 determines whether or not the elapsed time acquired by the elapsed time acquisition unit 116 exceeds a predetermined limit time. When the elapsed time determination unit 118 determines that the elapsed time exceeds the predetermined limit time (Yes in S407), the process proceeds to (S408). On the other hand, when the elapsed time determination unit 118 determines that the elapsed time does not exceed the predetermined limit time (No in S407), the process ends.
Next, in the reception determination process (S408), the reception determination unit 120 determines whether or not the final recipient has received the e-mail data. If it is determined that the final recipient has received the e-mail data (Yes in S408), the process is terminated. On the other hand, when it is determined that the e-mail data has not been received by the final recipient (No in S408), the process proceeds to (S409).
In the warning output process (S409), the warning output unit 108 outputs a warning to the administrator by e-mail or the like when the route determination unit 106 determines that the normal route information and the actual route information do not match. The warning output unit 108 outputs a warning to the administrator by e-mail or the like when the reception determining unit 120 determines that the e-mail data has been received by the final recipient.

Next, a specific example of the operation of the different path warning device 100 will be described.
The correct path information storage unit 110 changes the “A person in charge or B person in charge or C person in charge” to “D section or E section manager” and “D section or E section manager” to “F department manager” for a predetermined subject. The transfer route to is stored as normal route information. In addition, the correct path information storage unit 110 sets the time limit for the above-mentioned predetermined subject from the time when the “A person in charge or B person in charge or C person in charge” transmits to the time when the “F manager” receives it to N days. Remember that less than.
Here, when the e-mail data of the predetermined subject is transmitted from the “A person in charge” to the “F manager” without passing through the “D section manager or E section manager”, the warning output unit 108 outputs an alarm.
Further, when the e-mail data of the predetermined subject is transmitted from the “A person in charge” to the “M manager”, the warning output unit 108 outputs an alarm.
On the other hand, as a supplement, no warning is output when the e-mail data of the predetermined subject is transmitted from the “A person in charge” to the “D section manager”. That is, even if the e-mail data does not reach the final recipient stored in the correct path information, it is determined that the e-mail data with the correct transfer path in the middle is not fraudulent.

  Here, by referring to the From clause, To clause, CC clause, references clause, and in-reply-to clause in the header portion of the email data, it is possible to acquire the transfer path from the email data. That is, the above processing can be performed by referring to the From clause, To clause, CC clause, references clause, in-reply-to clause, and Subject clause in the header portion of the email data.

  Next, based on FIGS. 13 and 14, a different path warning device 100 according to the second embodiment different from the examples shown in FIGS. 9 to 12 will be described. FIG. 13 is a functional block diagram illustrating functions of the different path warning device 100 according to the second embodiment different from the examples illustrated in FIGS. 9 and 11. FIG. 14 is a flowchart illustrating an example of the operation of the different path warning device 100 according to the second embodiment, which is different from the examples illustrated in FIGS. 10 and 12. Here, only the parts of the function of the different path warning device 100 according to the second embodiment that are different from the function of the different path warning device 100 according to the first embodiment will be described.

As illustrated in FIG. 13, the different path warning device 100 according to the second embodiment further includes a transmission destination acquisition unit 122 and a transmission destination determination unit 124 in addition to the different path warning device 100 according to the first embodiment.
The transmission destination acquisition unit 122 acquires the mail address of the transmission destination of the e-mail data and stores it in the storage device.
The transmission destination determination unit 124 determines whether or not the predetermined mail address (first mail address) is included in the transmission destination mail address acquired by the transmission destination acquisition unit 122 by the processing device.
Further, the correct path information storage unit 110 stores the second mail address as the correct path information for the first mail address as the transmission destination of the e-mail data.
When the destination determination unit 124 determines that the first mail address is included in the destination mail address, the route information acquisition unit 104 is the destination mail address of the email data other than the first mail address. As real route information.
The route determination unit 106 determines whether or not the normal route information for the first email address matches any email address included in the actual route information.
The warning output unit 108 outputs a warning when the route determination unit 106 determines that the normal route information for the first email address does not match any email address included in the actual route information.
That is, the different path warning device 100 according to Embodiment 2 determines whether or not a predetermined transmission destination (mail address) is included in the destination for the electronic mail data including the predetermined destination. If the determined destination is not included in the destination, a warning is output to the administrator or the like.
As in the first embodiment, although not shown, the different path warning device 100 may include an input unit or the like for a user having appropriate authority to register or change the normal path information. Absent.

Next, based on FIG. 14, an example of operation | movement of the different path warning apparatus 100 which concerns on Embodiment 2 different from the example shown to FIGS. 9-12 is demonstrated. Here, as described above, the correct path information storage unit 110 stores the second mail address as the correct path information with respect to the first mail address.
First, in the data acquisition process (S501), as in (S101), the data acquisition unit 102 acquires e-mail data.
Next, in the transmission destination acquisition process (S502), the transmission destination acquisition unit 122 acquires the email address of the transmission destination of the email data.
Next, in the transmission destination determination process (S503), the transmission destination determination unit 124 determines whether or not the first mail address is included in the mail address of the transmission destination acquired by the transmission destination acquisition unit 122. When the transmission destination determination unit 124 determines that the first mail address is included in the transmission destination mail address (Yes in S503), the process proceeds to (S504). On the other hand, when the transmission destination determination unit 124 determines that the first mail address is not included in the transmission destination mail address (No in S503), the process ends.
Next, in the route information acquisition process (S504), the route information acquisition unit 104 acquires the email address of the destination of the email data other than the first email address as the actual route information.
Next, in the route determination process (S505), the route determination unit 106 determines whether or not the normal route information for the first mail address matches any mail address included in the actual route information.
In the warning output process (S506), the warning output unit 108 determines that the second mail address corresponding to the first mail address does not match any mail address included in the actual path information. , Output a warning.

Next, a specific example of the operation of the different path warning device 100 will be described.
When transmitting from “A person in charge or B person in charge or C person in charge” to “Company Z”, the normal path information storage unit 110 stores “D section manager” as a normal path information. Here, including in the destination means writing a mail address in the to phrase or cc phrase. In some cases, an e-mail address may be described in the bcc phrase.
Here, when e-mail data is transmitted from “A person in charge” to “Company Z”, if “D section manager” is not in the destination, the warning output unit 108 outputs an alarm.

Here, examples of the first mail address and the second mail address are given.
The first mail address can be, for example, all external mail addresses. In this case, the second mail address is, for example, an upper mail address. In addition, the first mail address can be designated for each business partner. In this case, the second mail address is, for example, the mail address of the person in charge of the company specified by the first mail address. When the first email address is designated for each company of the business partner, for example, the email address of each company may be designated by the domain, or all the email addresses of each company may be designated.

  Further, as described based on FIG. 9 and FIG. 10, processing for determining whether to perform a check based on the subject of the e-mail data may be added.

In the second embodiment, the transfer information of the e-mail data and the transfer time from the initial sender to the final receiver are used as the route information. Further, in the second embodiment, other destinations in the case where a predetermined destination is included in the destination of the e-mail data are set as route information. Then, a warning is output because there is a possibility that fraud is present in the e-mail data transmitted through a route different from the predetermined normal route information.
Therefore, according to the different path warning device 100 according to the second embodiment, for example, an employee in the company can send e-mail data through a path different from normal for the purpose of concealing fraud in business such as fraud accounting. In the case of transmission, an administrator or the like can immediately recognize. Further, when e-mail data is transmitted / received deviating from the correct approval route, the person in charge of control can immediately recognize it.

Embodiment 3 FIG.
In the third embodiment, a different path warning device 100 that handles e-mail mailer types, encoding system character codes, and the like as path information will be described.

First, the outline | summary of the different path warning apparatus 100 which concerns on Embodiment 3 is demonstrated.
The operation of the different path warning device 100 according to the third embodiment is different from that of the different path warning device 100 according to the first embodiment in that the object handled as the route information is different.
The different path warning device 100 according to the third embodiment handles the mail mailer (e-mail software) type, the encoding method, the character code, and the like as path information. As a result, for example, when a fraudulent person impersonates another person and sends e-mail data, the sender's IP address is disguised, or the mailer used by the original user is different from the mailer or encoding different from normal The case where a system, a character code, etc. are used can be considered. In such a case, it can be recognized that there is a possibility that fraud is involved.

  Next, the function of the different path warning device 100 according to Embodiment 3 will be described in detail with reference to FIG. FIG. 15 is a flowchart showing an example of the operation of the different path warning device 100 according to the third embodiment. The configuration of the different path warning device 100 according to Embodiment 3 is the same as the configuration shown in FIG. Here, only the parts of the function of the different path warning device 100 according to the third embodiment that are different from the function of the different path warning device 100 according to the first embodiment will be described.

The configuration of the different path warning device 100 according to the third embodiment is the same as that of the different path warning device 100 according to the first embodiment. That is, the functional block diagram showing the function of the different path warning device 100 according to Embodiment 3 is the same as the functional block diagram shown in FIG.
The normal path information storage unit 110 stores, for each transmission source user, at least one of mailer type, encoding method, character code, reply-to information, errors-to information, return-path information, and From information. Remember as.
The route information acquisition unit 104 includes the above-mentioned correct information in the mailer type, encoding method, character code, reply-to information, errors-to information, return-path information, and From information of the email data acquired by the data acquisition unit 102. Information stored as route information is acquired as actual route information.
The route determination unit 106 determines whether or not the normal route information corresponding to the user who transmitted the e-mail data matches the actual route information.

Next, an example of the operation of the different path warning device 100 according to Embodiment 3 will be described with reference to FIG. Here, it is assumed that the normal path information storage unit 110 stores the mailer type, the encoding method, and the character code as the normal path information for each transmission source user.
First, in the data acquisition process (S601), as in (S101), the data acquisition unit 102 acquires e-mail data.
Next, in the route information acquisition process (S602), the route information acquisition unit 104 acquires the mailer type, encoding method, and character code of the email data acquired by the data acquisition unit 102 as actual route information.
Next, in the route determination process (S603), the route determination unit 106 determines whether or not the normal route information corresponding to the user who transmitted the e-mail data matches the actual route information.
In the warning output process (S604), as in (S104), when the route determination unit 106 determines that the normal route information and the actual route information do not match, the warning output unit 108 uses an e-mail or the like as an administrator. Output a warning.

  Here, as an example, mailer type, encoding method, and character code are treated as route information. However, as described above, the presence / absence of the reply-to clause, the errors-to clause, the return-path clause, the from clause (including the nickname), and the like, and the described contents may be added to the route information.

In the third embodiment, the mailer type, encoding method, character code, and the like are used as route information. Then, the mailer type, encoding method, character code, etc. that are normally used from the email data sent and received in the past are used as the normal route information, and the mailer type, encoding method, and character code of the received email data are used as the normal route information. For e-mail data different from the above, a warning is output as there is a possibility of fraud.
Therefore, according to the different path warning device 100 according to the third embodiment, when e-mail data is transmitted using another person's terminal, fraud is involved when a mailer or the like different from the original user is used. That you may have

The above is summarized as follows.
The different path warning device according to the above embodiment includes, for example, a normal path information storage unit that stores, in a storage device, normal path information indicating a correct communication path of e-mail data for each predetermined unit;
A data acquisition unit for acquiring e-mail data via a communication device;
A path information acquisition unit that acquires real path information indicating a communication path of the email data acquired by the data acquisition unit and stores the real path information in a storage device;
A processing device that compares the normal route information stored in the normal route information storage unit with the actual route information acquired by the route information acquisition unit to determine whether the correct route information matches the actual route information. A route determination unit for determining by
And a warning output unit that outputs a warning by a processing device when the route determination unit determines that the normal route information does not match the actual route information.

The primary path information storage unit includes, for each transmission source domain, information on at least one of an IP (Internet Protocol) address, a domain name, and a host name of the e-mail data, an IP address of the transmission destination, and a domain Information of at least one of a name and a host name is stored as normal path information,
The route information acquisition unit includes information stored as the original route information in the IP address, domain name, and host name of the email data acquired by the data acquisition unit, the IP address of the transmission destination, and the domain Information stored as the normal path information in the first name and the host name is acquired as actual path information,
The path determination unit determines whether or not the normal path information corresponding to the domain of the transmission source of the e-mail data matches the actual path information.

The primary path information storage unit includes, for each transmission source domain, information on at least one of a MAC (Media Access Control) address, a domain name, and a host name of a transmission source of email data, a transmission destination MAC address, Store at least one of domain name and host name information as correct path information,
The path information acquisition unit includes information stored as the normal path information in the MAC address, domain name, and host name of the transmission source of the email data acquired by the data acquisition unit, the MAC address of the transmission destination, and the domain Information stored as the normal path information in the first name and the host name is acquired as actual path information,
The path determination unit determines whether or not the normal path information corresponding to the domain of the transmission source of the e-mail data matches the actual path information.

The correct path information storage unit stores, as correct path information, the address of an MTA (Message Transfer Agent) relayed when transferring e-mail data from the source to the destination for each source domain.
The path information acquisition unit acquires, as actual path information, the address of the MTA relayed when the e-mail data acquired by the data acquisition unit is transferred from the transmission source to the transmission destination.
The path determination unit determines whether or not the normal path information corresponding to the domain of the transmission source of the e-mail data matches the actual path information.

The normal path information storage unit stores the transfer path from the initial sender of the e-mail data to the final receiver as normal path information,
The path information acquisition unit acquires the transfer path from the initial sender to the final receiver of the e-mail data acquired by the data acquisition unit as actual path information.

The correct path information storage unit stores the correct path information for a predetermined subject,
The different path warning device further includes:
A classification acquisition unit that acquires the subject phrase information of the header information of the email data as a subject and stores the information in a storage device;
A classification determination unit that determines whether or not the subject acquired by the classification acquisition unit is the predetermined subject stored in the normal path information storage unit by a processing device;
When the classification determination unit determines that the subject acquired by the classification acquisition unit is the predetermined subject, the route determination unit determines whether or not the normal route information matches the actual route information. It is characterized by that.

The correct path information storage unit stores the correct path information for a predetermined file name,
The different path warning device further includes:
A classification acquisition unit that acquires the file name of the attached file of the email data and stores the file name in a storage device;
A classification determination unit that determines whether or not the file name acquired by the classification acquisition unit is the predetermined file name stored in the primary path information storage unit, by a processing device;
When the classification determination unit determines that the file name acquired by the classification acquisition unit is the predetermined file name, the route determination unit determines whether the normal route information matches the actual route information. It is characterized by determining.

The normal path information storage unit stores a time limit from when the initial sender transmits the e-mail data to when the final receiver receives the e-mail data,
The different path warning device further includes:
An elapsed time acquisition unit that acquires an elapsed time from the transmission of the initial transmission source of the e-mail data acquired by the data acquisition unit;
An elapsed time determination unit that determines whether or not the elapsed time acquired by the elapsed time acquisition unit exceeds the limit time;
A reception determination unit that determines whether or not the final recipient has received the e-mail data by a processing device;
When the elapsed time determination unit determines that the elapsed time exceeds the limit time and the reception determination unit determines that the final receiver has not received, the warning output unit outputs a warning. It is characterized by outputting.

The correct path information storage unit stores the second mail address as the correct path information with respect to the first mail address,
The different path warning device further includes:
A transmission destination acquisition unit for acquiring a mail address of the transmission destination of the email data and storing it in a storage device;
A transmission destination determination unit that determines whether or not the first email address is included in the email address of the transmission destination acquired by the transmission destination acquisition unit;
When the transmission destination determination unit determines that the first mail address is included in the transmission destination mail address, the route information acquisition unit transmits the transmission destination of the electronic mail data other than the first mail address. Is obtained as real route information,
The route determination unit determines whether or not the normal route information for the first email address matches any email address included in the actual route information,
When the route determination unit determines that the second email address for the first email address does not match any email address included in the actual route information, the warning output unit outputs a warning. And

The normal path information storage unit is configured to store at least one of a mailer type, an encoding method, a character code, reply-to information, errors-to information, return-path information, and From information of e-mail data for each transmission source user. Is stored as normal path information,
The route information acquisition unit includes the mailer type, encoding method, character code, reply-to information, errors-to information, return-path information, and From information of the email data acquired by the data acquisition unit. Obtain information stored as route information as actual route information,
The path determination unit determines whether or not the normal path information corresponding to the user who is the transmission source of the e-mail data matches the actual path information.

The different path warning device further includes:
A correct path information input unit for inputting correct path information by an input device;
The normal path information storage unit stores the normal path information input by the normal path information input unit.

The different path warning program according to the embodiment includes, for example, a normal path information storage process for storing, in a storage device, normal path information indicating a correct communication path of e-mail data for each predetermined unit;
A data acquisition process for acquiring e-mail data via a communication device;
A path information acquisition process for acquiring actual path information indicating a communication path of the e-mail data acquired in the data acquisition process and storing it in a storage device;
A processing device that compares the normal path information stored in the normal path information storage process with the actual path information acquired in the path information acquisition process to determine whether the normal path information matches the actual path information. Route determination processing determined by
When the route determination process determines that the normal route information and the actual route information do not match, the computer is caused to execute a warning output process for outputting a warning by a processing device.

In the normal path information storage process, for each transmission source domain, information on at least one of an IP (Internet Protocol) address, a domain name, and a host name of the email data, an IP address of the transmission destination, and a domain Information of at least one of a name and a host name is stored as normal path information,
In the route information acquisition process, information stored as the original route information in the IP address, domain name, and host name of the e-mail data acquired in the data acquisition process, the IP address and domain of the destination Information stored as the normal path information in the first name and the host name is acquired as actual path information,
In the route determination process, it is determined whether or not the correct route information corresponding to the domain of the transmission source of the electronic mail data matches the actual route information.

In the normal path information storage process, for each source domain, information on at least one of a MAC (Media Access Control) address, a domain name, and a host name of e-mail data, a destination MAC address, Store at least one of domain name and host name information as correct path information,
In the route information acquisition process, the information stored as the original route information in the MAC address, domain name, and host name of the e-mail data acquired in the data acquisition process, the MAC address of the transmission destination, and the domain Information stored as the normal path information in the first name and the host name is acquired as actual path information,
In the route determination process, it is determined whether or not the correct route information corresponding to the domain of the transmission source of the electronic mail data matches the actual route information.

In the normal path information storage process, for each transmission source domain, the address of an MTA (Message Transfer Agent) relayed when transferring e-mail data from the transmission source to the transmission destination is stored as normal path information.
In the route information acquisition process, the MTA address relayed when the e-mail data acquired in the data acquisition process is transferred from the transmission source to the transmission destination is acquired as actual route information.
In the route determination process, it is determined whether or not the correct route information corresponding to the domain of the transmission source of the electronic mail data matches the actual route information.

In the normal path information storage process, the transfer path from the initial sender to the final receiver of the email data is stored as the normal path information,
In the route information acquisition process, the transfer route from the initial sender to the final receiver of the e-mail data acquired in the data acquisition process is acquired as actual route information.

In the normal route information storage process, the normal route information is stored for a predetermined subject,
The different path warning program further includes
A classification acquisition process for acquiring the subject phrase information of the header information of the email data as a subject and storing it in a storage device;
Causing the computer to execute a classification determination process in which the processing device determines whether the subject acquired in the classification acquisition process is the predetermined subject stored in the normal path information storage process,
When the classification determination process determines that the subject acquired in the classification acquisition process is the predetermined subject, the route determination process determines whether the normal route information matches the actual route information. It is characterized by that.

In the normal path information storage process, the normal path information is stored for a predetermined file name,
The different path warning device further includes:
A classification acquisition process for acquiring the file name of the attached file of the e-mail data and storing it in a storage device;
Causing the computer to execute a classification determination process in which the processing device determines whether the file name acquired in the classification acquisition process is the predetermined file name stored in the normal path information storage process,
When the classification determination process determines that the file name acquired in the classification acquisition process is the predetermined file name, the path determination process determines whether the correct path information matches the actual path information. It is characterized by determining.

In the above-mentioned correct path information storage process, the time limit from when the initial sender transmits the e-mail data until the final receiver receives it is stored,
The different path warning program further includes
An elapsed time acquisition process in which the processing device acquires the elapsed time since the initial transmission source of the e-mail data acquired in the data acquisition process;
An elapsed time determination process for determining whether or not the elapsed time acquired in the elapsed time acquisition process exceeds the limit time;
Causing the computer to execute reception determination processing for determining whether or not the final recipient has received the email data by a processing device;
When the elapsed time exceeds the limit time, it is determined by the elapsed time determination process, and when it is determined by the reception determination process that the final receiver has not received, the warning output process outputs a warning. It is characterized by outputting.

In the normal path information storage process, the second mail address is stored as the normal path information with respect to the first mail address,
The different path warning program further includes
A destination acquisition process for acquiring a destination email address of the email data and storing it in a storage device;
Causing the computer to execute a transmission destination determination process for determining by the processing device whether or not the first mail address is included in the transmission destination mail address acquired in the transmission destination acquisition process;
When the destination determination process determines that the first mail address is included in the destination mail address, the route information acquisition process determines the destination of the email data other than the first mail address. Is obtained as real route information,
In the route determination process, it is determined whether or not the normal route information for the first email address matches any email address included in the actual route information;
When the route determination process determines that the second email address corresponding to the first email address does not match any email address included in the actual route information, the warning output processing outputs a warning. And

In the normal path information storage process, at least one of a mailer type, an encoding method, a character code, reply-to information, errors-to information, return-path information, and From information of e-mail data is provided for each transmission source user. Is stored as normal path information,
In the route information acquisition process, the mailer type, encoding method, character code, reply-to information, errors-to information, return-path information, and From information of the email data acquired in the data acquisition process are correct. Obtain information stored as route information as actual route information,
In the route determination process, it is determined whether or not the normal route information corresponding to the user who is the transmission source of the electronic mail data matches the actual route information.

The different path warning program further includes
Causing the computer to execute normal path information input processing for inputting the normal path information by the input device;
In the normal path information storage process, the normal path information input in the normal path information input process is stored.

The different path warning method according to the above embodiment includes, for example, a data acquisition step in which the communication device acquires e-mail data;
A path information acquisition step in which the storage device acquires and stores real path information indicating the communication path of the email data acquired in the data acquisition step;
The processing device compares the normal route information indicating the correct communication route of the email data for each predetermined unit stored in the storage device with the actual route information acquired in the route information acquisition step, and A route determination step for determining whether or not the actual route information matches;
The processing apparatus includes a warning output step for outputting a warning when the path determination step determines that the normal path information does not match the actual path information.

  DESCRIPTION OF SYMBOLS 100 Different path | route warning apparatus, 102 Data acquisition part, 104 Path | route information acquisition part, 106 Path | route determination part, 108 Warning output part, 110 Normal path | route information storage part, 112 Classification acquisition part, 114 Classification determination part, 116 Elapsed time acquisition part, 118 Elapsed time determination unit, 120 Reception determination unit, 122 Transmission destination acquisition unit, 124 Transmission destination determination unit, 210, 230 External PC, 220 Internal PC, 901 LCD, 902 K / B, 903 mouse, 904 FDD, 905 CDD, 908 server, 909 PC, 910 mail server, 911 CPU, 912 bus, 913 ROM, 914 RAM, 915 communication board, 916 server A, 917 server B, 918 server C, 920 magnetic disk unit, 921 OS, 922 window system, 923 programs, 924 file group, 940 Internet, 941 switch, 942 external server A, 943 external server B, 944, 945 LAN.

Claims (2)

For each user of the e-mail data transmission source, at least one of a mailer type, an encoding method, a character code, reply-to information, errors-to information, return-path information, and From information of the e-mail data A normal path information storage unit that stores information in a storage device;
A data acquisition unit for acquiring e-mail data;
The correct path information storage unit in the mailer type, encoding method, character code, reply-to information, errors-to information, return-path information, and From information of the e-mail data acquired by the data acquisition unit is the normal path. A route information acquisition unit that acquires information stored as information as actual route information;
The correct route information stored in the correct route information storage unit corresponding to the user of the transmission source of the e-mail data is compared with the actual route information acquired by the route information acquisition unit. A route determination unit that determines whether or not the actual route information matches,
A different path warning device comprising: a warning output unit that outputs a warning when the path determination unit determines that the normal path information and the actual path information do not match. For each user of the e-mail data transmission source, at least one of a mailer type, an encoding method, a character code, reply-to information, errors-to information, return-path information, and From information of the e-mail data A normal path information storage process for storing the information in a storage device;
A data acquisition process for acquiring email data;
Mail path type, encoding method, character code, reply-to information, errors-to information, return-path information, and From information of the e-mail data acquired in the data acquisition process are the normal paths in the normal path information storage process. Route information acquisition processing for acquiring information stored as information as actual route information;
The correct route information stored in the correct route information storage process corresponding to the user of the transmission source of the e-mail data is compared with the actual route information acquired in the route information acquisition process, and the correct route information and the A route determination process for determining whether or not the actual route information matches,
A different path warning program that causes a computer to execute a warning output process that outputs a warning when the path determination process determines that the normal path information does not match the actual path information.

Images