JP2013171437A - Misrepresentation mail processing device, misrepresentation mail processing method, and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a misrepresentation mail processing device and the like, capable of improving discrimination accuracy on whether or not a received electronic mail is a misrepresentation mail.SOLUTION: A normal address discrimination part 350 acquires, for each of transmission source IP addresses, a total number of electronic mails to which a user responded among electronic mails received from a transmission source denoted by the transmission source IP address, on the basis of reception result information of the electronic mails stored in a reception result management DB 620 and user's response result information indicative of received electronic mails stored in a response result management DB 630. Then, the normal address discrimination part 350 acquires, on the basis of the obtained total number, a normal transmission source domain name and a normal transmission source IP address, and causes a normal address management DB 610 to store the domain name and the address. A transmission source discrimination part 310 discriminates, on the basis of the normal transmission source domain name and the normal transmission source IP address stored in the normal address management DB 610, whether or not there is a possibility that a transmission source address of a received electronic mail is misrepresented.

Description

  The present invention relates to a spoofed mail processing device, a spoofed mail processing method, and a program for processing a spoofed mail in which a sender's mail address is spoofed.

  An e-mail recipient may receive not only a legitimate e-mail from a sender but also a spoofed mail in which the sender's mail address is spoofed. As a technique for refusing the reception of such a spoofed mail, for example, Patent Document 1 discloses, for each source IP (Internet Protocol) address and email address, an email having the IP address and email address as the source. Is stored, and when an e-mail is received, a score corresponding to the stored total number of receptions corresponding to the IP address and e-mail address of the sender is obtained, and whether or not it is a spoofed mail according to the obtained score There is a technique to discriminate.

JP 2006-251882 A

  However, in the technique disclosed in Patent Document 1, a score is acquired based on the total number of received messages, and is transmitted to a number of destinations such as a mail magazine in order to determine whether the received electronic mail is a spoofed mail. Even if the sender of the e-mail is not spoofed, the score is high because the total number of received messages per unit time is large, and the e-mail may be erroneously detected as a spoofed mail.

  The present invention has been made under the above circumstances, and provides a spoofed mail processing device, a spoofed mail processing method, and a program capable of improving the accuracy of determining whether or not a received electronic mail is a spoofed mail. For the purpose.

In order to achieve the above object, the spoofed mail processing device according to the present invention is
The transmission source address indicating the transmission source mail address of the received electronic mail, the transmission source IP address indicating the transmission source IP address of the electronic mail, and the identification information of the electronic mail are acquired, and the acquired transmission source A reception result acquisition unit that associates an address, the transmission source IP address, and the identification information with each other and stores them in the reception result storage unit;
Among the received e-mails, a response record acquisition unit that acquires identification information of an e-mail that the user responds to and stores the acquired identification information in a response record storage unit;
For each of the transmission source IP addresses stored in the reception performance storage unit, based on the identification information stored in the response performance storage unit, among the emails received from the transmission source represented by the transmission source IP address, The total number of e-mails that the user responds to is acquired, and based on the acquired total number, whether the domain name of the source address corresponding to the source IP address is the domain name of the regular e-mail address of the source The domain name of the source address determined to be the domain name of the sender's regular mail address and the source IP address corresponding to the domain name of the source address are stored in the regular address storage. A normal address discriminating unit to be stored in the unit,
Based on the domain name of the source address and the source IP address stored in the regular address storage unit, it is determined whether or not the source address of the received e-mail may be spoofed A transmission source discrimination unit;
It is characterized by providing.

  According to the present invention, it is possible to improve the accuracy of determining whether or not a received electronic mail is a spoofed mail.

It is a block diagram which shows the structure of the misrepresentation mail processing apparatus which concerns on embodiment. It is a figure which shows an example of regular address management DB. It is a figure which shows an example of reception performance management DB. It is a figure which shows an example of response performance management DB. It is a figure which shows an example of attachment file management DB. It is a block diagram which shows the function structure of the misrepresentation mail processing apparatus which concerns on embodiment. It is a flowchart which shows an example of the flow of a regular address discrimination | determination process. It is a flowchart which shows an example of the flow of a transmission source discrimination | determination process.

  FIG. 1 is a block diagram showing a configuration of a spoofing mail processing apparatus 1 according to an embodiment of the present invention. The spoofed mail processing device 1 is connected to a mail transmitting side device 3 and a mail receiving side device 4 via a network 2 constituted by the Internet, a LAN (Local Area Network) or the like. The mail transmitting device 3 and the mail receiving device are devices having a function of transmitting and receiving an electronic mail such as a mobile phone and a PC (Personal Computer). In the present embodiment, an e-mail transmitted from the mail transmitting device 3 to the mail receiving device 4 is transmitted to the spoofed mail processing device 1 via the network 2. Then, the spoof mail processing device 1 determines whether or not the received electronic mail is a spoof mail, and transmits the received mail to the mail receiving device 4 based on the determination result. Here, the “spoof mail” represents an e-mail in which the sender mail address is spoofed.

  As shown in FIG. 1, the fraudulent mail processing device 1 includes a communication unit 100, an external interface (I / F) 200, a control unit 300, a ROM (Read Only Memory) 400, and a RAM (Random Access Memory) 500. And a storage unit 600.

  The communication unit 100 includes, for example, a communication device such as a NIC (Network Interface Card) or a router. The communication unit 100 is connected to the mail transmission device 4 and the mail reception device 4 via the network 2 and transmits and receives electronic mail.

  The external I / F 200 is an interface for connecting to a drive device (not shown) for reading from and writing to a removable disk such as a CD (Compact Disc), an external storage device including a hard disk drive, and the like. .

  The control unit 300 includes, for example, a CPU (Central Processing Unit), and controls the entire spoofed mail processing device 1. For example, when the communication unit 100 receives an e-mail, the control unit 300 determines whether the received e-mail is a spoofed mail, and based on the determination result, the control unit 300 sends the received e-mail to the destination mail address. Is transmitted by the communication unit 100.

  The ROM 400 is a non-volatile memory that stores a program or the like for the control unit 300 to control the entire spoof mail processing device 1. For example, the ROM 400 stores a program for executing various processes described later.

  The RAM 500 is a volatile memory for temporarily storing various information generated by the control unit 300 and data necessary for generating the various information.

  The storage unit 600 includes a storage device such as a hard disk drive. For example, the storage unit 600 stores a regular address management DB (database) 610, a reception performance management DB 620, a response performance management DB 630, and an attached file management DB 640.

  The regular address management DB 610 stores regular address information representing a sender of a regular electronic mail. Here, “regular e-mail” represents an e-mail whose sender mail address is not spoofed. An example of the regular address information stored in the regular address management DB is shown in FIG. The regular address information includes a regular source domain name and a regular source IP address. The legitimate sender domain name represents the domain name of the mail address of the legitimate electronic mail sender. The regular transmission source IP address represents the IP address of the mail server that is the transmission source of the regular electronic mail.

  The reception result management DB 620 stores the reception result information of the e-mail received from the communication unit 100. The reception result information is information representing the total number of e-mails received from the IP address of the transmission source for each IP address of the transmission source of the received e-mail. An example of the reception result information stored in the reception result management DB 620 is shown in FIG. As shown in FIG. 3, the reception result information includes a transmission source IP address, a total reception number, registration information, a transmission source address, and mail identification information. The transmission source IP address represents the IP address of the mail server that is the transmission source of the received electronic mail. The total number of receptions represents the total number of received mails transmitted from the transmission source IP address. The registration information is information indicating whether or not the transmission source IP address and the transmission source domain name are registered in the regular address management DB 610 as regular address information. When the registration information is “Yes”, the transmission source IP address and the transmission source domain name corresponding to the registration information are registered in the regular address management DB 610. When the registration information is “No”, the source IP address and source domain name corresponding to the registration information are not registered in the regular address management DB 610. The transmission source address represents the mail address of the transmission source of the received electronic mail. The mail identification information is information for identifying the received electronic mail, for example, information represented by “Message ID” included in the header information of the received electronic mail. The transmission source IP address, the transmission source address, and the mail identification information are acquired from the header information of the received electronic mail. Further, the total number of receptions and the registration information are acquired by the control unit 300 as described later.

  The response record management DB 630 stores response record information for the received e-mail. The response record information represents information on e-mails that the user has responded to among the received e-mails. FIG. 4 shows an example of response result information stored in the response result management DB 630. As shown in FIG. 4, the response record information includes a transmission source address of the email that the user responded to and email identification information of the email that the user responded to.

  The attached file management DB 640 stores attached file information representing information related to an attached file attached to an e-mail that is determined to be a spoofed mail among the received e-mails. FIG. 5 shows an example of attached file information stored in the attached file management DB 640. As shown in FIG. 5, the attached file information includes storage destination information indicating the storage destination of the attached file attached to the received electronic mail, and the attached file name.

  Next, a functional configuration of the spoof mail processing device 1 will be described. As illustrated in FIG. 5, the control unit 300 functions as a transmission source determination unit 310, a reception result acquisition unit 320, a spoof mail processing unit 330, a response result acquisition unit 340, and a regular address determination unit 350.

  The transmission source determination unit 310 determines whether there is a possibility that the received electronic mail is a spoofed mail based on the normal address information registered in the normal address management DB 610.

  Specifically, the transmission source discriminating unit 310 sets the combination of the transmission source domain name and the transmission source IP address included in the received header information of the e-mail to the regular address management DB 610 in the regular transmission domain name and the regular transmission source IP. When registered as a set of addresses, it is determined that the received electronic mail is not a spoofed mail, that is, the transmission source is a regular electronic mail.

  The source domain name included in the header information of the received e-mail is registered in the regular address management DB 610, but the source IP address corresponding to the source domain name is registered as the registered regular source address. If the source IP address corresponding to the URL is partly different, or if the source domain name is not registered in the regular address management DB 610, the source discriminator 310 determines that the received e-mail may be a spoofed email. It is determined that there is.

  Further, the source domain name included in the header information of the received electronic mail is registered in the regular address management DB 610, but the source IP address corresponding to the source domain name is registered in the registered regular source domain. If it is significantly different from the regular transmission source IP address corresponding to the name, the transmission source determination unit 310 determines that the received electronic mail is a spoofed mail.

  The reception result acquisition unit 320 acquires a transmission source address, a transmission source IP address, and mail identification information from the received e-mail, and stores them in the reception result management DB 620 in association with each other. Specifically, the reception result acquisition unit 320 acquires a transmission source address, a transmission source IP address, and mail identification information from the header information of the received electronic mail. In addition, the reception result acquisition unit 320 acquires the transmission source address, the transmission source IP address, and the mail identification information from the received electronic mail, and stores the transmission source IP address each time it is stored in the reception result management DB 620. Update the total number of receptions corresponding to.

  The spoofed mail processing unit 330 is an alert process for causing the user to recognize that the email is likely to be a spoofed mail with respect to the email that has been determined by the transmission source determining unit 310 to be a spoofed mail. Execute. Specifically, the spoofed mail processing unit 330 includes an alert notification unit 331, an attached file processing unit 332, and a URL conversion unit 332.

  The alert notification unit 331 adds alert information indicating that the transmission source address of the e-mail may be spoofed to the e-mail that the transmission source determination unit 310 has determined to be a spoofing mail. The alert information is added to the beginning of the body of the e-mail, for example, as a message such as “There is a possibility that the sender of this e-mail is spoofed”. The email to which the alert information is added is transmitted to the mail receiving device 4 by the communication unit 100.

  When the attachment file is attached to the e-mail that the transmission source determination unit 310 has determined that there is a possibility of spoofing mail, the attachment file processing unit 332 stores the attachment file in, for example, an external storage device. Then, the attachment file processing unit 332 associates the storage destination information indicating the storage destination of the attachment file in the storage device with the attachment file name, and stores it in the attachment file management DB 640 as attachment file information. Then, the attached file processing unit 332 adds the attached file information to the electronic mail to which the attached file is attached, and deletes the attached file from the electronic mail. The attached file information is, for example, “The file attached to this e-mail“ The minutes of last week's meeting.pdf ”is stored at“ http://file.co.jp/qazwsx011 ”.” The message is added to the beginning of the body of the received mail. The electronic mail to which the attached file information is added is transmitted to the mail receiving device 4 by the communication unit 100.

  If the URL is described in the body of the e-mail that the sender discriminating unit 310 has determined that there is a possibility of spoofing, the URL converting unit 333 invalidates the link to the file indicated by the URL. Is converted to For example, when a URL such as “http: // ....” is described in the body of the received email, the URL conversion unit 333 deletes the leading “h” from the URL, and “ttp: // .... "to convert the URL. Thereby, for example, when the received electronic mail is opened by mail software having an auto link function, the converted URL is not recognized as a link, and the link to the file indicated by the URL becomes invalid.

  The response record acquisition unit 340 acquires response record information of e-mails that the user has responded among the received e-mails, and stores the acquired response record information in the response record management DB 630. Specifically, the response record acquisition unit 340 includes a reply record acquisition unit 341 and a report information acquisition unit 342.

  The reply record acquisition unit 341 acquires the response record information of the e-mail sent back by the user among the received e-mails, and stores the acquired response record information in the response record management DB 630. Specifically, the reply record acquisition unit 341 acquires the transmission source address of the received electronic mail and the mail identification information as response record information from the header information included in the reply mail to the received electronic mail. Note that the reply record acquisition unit 341 acquires information represented by “In-Reply-To” included in the header information of the received electronic mail as mail identification information.

  Report information acquisition part 342 acquires report information by user's operation, and stores response record information contained in acquired report information in response record management DB630. Here, the report information is information indicating that the transmission source address of the received electronic mail is a regular mail address, and includes the transmission source address of the received electronic mail and mail identification information. For example, information such as a URL for transmitting report information of the e-mail to the report information acquisition unit 342 by the user's operation is included in the e-mail that has been determined by the transmission source determination unit 310 to be a spoofed mail. Added. When the user who has seen the e-mail determines that the source address of the received e-mail is a legitimate e-mail address, the user transmits the report information by operating the URL added to the e-mail. . Thereby, the report information acquisition unit 342 acquires the transmission source address and the mail identification information of the e-mail that the user who viewed the received e-mail determines that the e-mail is not a spoofed mail as response performance information.

  The regular address discriminating unit 350 obtains regular address information based on the reception result information stored in the reception result management DB 620 and the response result information stored in the response result management DB 630, and stores it in the normal address management DB 610. To do.

  Specifically, the regular address discriminating unit 350, for each transmission source IP address included in the reception result information stored in the reception result management DB 620, mail identification information included in the response result information stored in the response result management DB 630. The total number (total number of responses) of e-mails to which the user responded is acquired from the e-mails received from the transmission source indicated by the transmission source IP address. When the ratio of the total number of responses to the total number of emails received from the transmission source indicated by the transmission source IP address (the total number of receptions) is equal to or greater than a predetermined value, the regular address determination unit 350 corresponds to the transmission source IP address. The sender domain name is determined to be the domain name of the sender's regular email address. Then, the regular address determination unit 350 stores the transmission source IP address and the transmission source domain name in the normal address management DB 610 as the normal transmission source IP address and the normal transmission source domain name, respectively.

  Next, the flow of regular address discrimination processing executed by the spoofed mail processing device 1 will be described. FIG. 7 is a flowchart showing an example of the flow of regular address discrimination processing executed by the spoofed mail processing device 1. The regular address determination process shown in FIG. 7 is started at a predetermined time every day, for example.

  The regular address discriminating unit 350 selects one transmission source IP address whose registration information indicates “No” from the reception result management DB 620, and among the mail identification information corresponding to the transmission source IP address, the corresponding mail The number of identification information included in the response record management DB 630 is acquired as the total number of responses (step S11).

  For example, it is assumed that the regular address determination unit 350 selects the transmission source IP address “xxx.xxx.xxx.xxx” whose registration information indicates “No” in the reception record management DB 620 illustrated in FIG. 3. The mail identification information “QWERT11@company1.co.jp” corresponding to the source IP address “xxx.xxx.xxx.xxx” is included in the response record management DB 630 shown in FIG. Count “1”. By performing this process on the mail identification information corresponding to the source IP address “xxx.xxx.xxx.xxx”, the total number of responses is acquired.

  Next, the regular address discriminating unit 350 calculates the ratio of the total number of responses acquired in step S11 to the total number of received source IP addresses (step S12).

  Next, the regular address discriminating unit 350 discriminates whether or not the ratio calculated in step S12 is a predetermined value or more (step S13). If it is determined that the ratio is not equal to or greater than the predetermined value (step S13; No), the process proceeds to step S15.

  When the ratio is equal to or greater than the predetermined value (step S13; Yes), the regular address determination unit 350 converts the transmission source IP address and the transmission source domain name corresponding to the transmission source IP address, respectively, to the normal transmission source IP address and It is stored in the regular address management DB 610 as the regular source domain name (step S14). Then, the regular address determination unit 350 updates the registration information corresponding to the transmission source IP address to “Yes” in the reception record management DB 620.

  Next, the regular address discriminating unit 350 determines whether or not the processing of steps S11 to S14 has been executed for all transmission source IP addresses whose registration information indicates “No” stored in the reception record management DB 620. It discriminate | determines (step S15). When it is determined that the above processing has not been executed for all transmission source IP addresses (step S15; No), the processing of steps S11 to S14 is repeated until it is determined that all processing has been performed.

  When it is determined that the processing in steps S11 to S14 has been executed for all the transmission source IP addresses (step S15; Yes), the regular address determination unit 350 ends this processing.

  Next, the flow of the sender discrimination process executed by the spoofed mail processing device 1 will be described. FIG. 8 is a flowchart illustrating an example of the flow of a sender determination process executed by the spoofed mail processing device 1. The transmission source determination process illustrated in FIG. 8 is started when the spoofing mail processing device 1 receives an email from the mail transmission device 3 via the communication unit 100, for example.

  First, the transmission source determination unit 310 determines whether or not the transmission source domain name of the received electronic mail is registered in the regular address management DB 610 (step S21). Specifically, the transmission source discriminating unit 310 acquires the source domain name of the email from the received header information of the email, and the email address that matches the acquired transmission source address is used as the regular transmission source address. It is determined whether or not it is registered in the regular address management DB 610.

  Next, in step S21, the transmission source determination unit 310 determines that the transmission source domain name of the received email has already been registered in the regular address management DB 610 (step S21; Yes), the received email It is determined whether or not the transmission source IP address matches the regular transmission source IP address corresponding to the transmission source address determined to be registered in step 21 (step S22).

  Next, the transmission source determination unit 310 determines that the transmission source IP address of the received electronic mail does not match the regular transmission source IP address corresponding to the transmission source address of the received electronic mail (step S22; No), the transmission source determination unit 310 determines whether or not the transmission source IP address of the received electronic mail is partially different from the regular transmission source IP address corresponding to the transmission source address of the received electronic mail ( Step S23).

  Specifically, for example, the transmission source discriminating unit 310 has three sets of numbers from the beginning of the transmission source IP address of the received electronic mail and the regular transmission source IP address corresponding to the transmission source address of the received electronic mail. It is determined whether or not the two match. When the three sets of numbers from the top match, the transmission source determination unit 310 determines that there are some differences. Also, if the three sets of numbers from the beginning do not match, it is determined that there is no partial difference, that is, a large difference. For example, if the source IP address of the received email is “192.168.0.1” and the regular source IP address corresponding to the source domain name of the received email is “192.168.0.255”, the top three sets Since the numbers “192.168.0” match, the transmission source determination unit 310 determines that the transmission source IP address of the received electronic mail and the regular transmission source IP address corresponding to the transmission source domain name of the received electronic mail are equal to each other. It is determined that the parts are different.

  The transmission source determination unit 310 determines that the transmission source address is not registered in the regular address management DB 610 (step S21; No), or transmission of the received electronic mail and the transmission source IP address of the received electronic mail. When it is determined that the legitimate source IP address corresponding to the original domain name is partially different (step S23; Yes), the spoofed mail processing unit 330 executes alert processing for the received electronic mail (step S24). ).

  Specifically, for example, the alert notification unit 331 adds a message indicating that the e-mail is likely to be a spoofed mail to the beginning of the text of the received e-mail. In addition, when the user determines that the e-mail has been transmitted from the mail address of the legitimate transmission source, the URL for receiving the e-mail to notify that and the information of the e-mail as report information is Added to the body of When an attached file is attached to the e-mail, the attached file processing unit 332 saves the attached file in the storage device and adds the save destination information and the attached file name to the body of the e-mail. Remove attachments from emails. The attached file information is stored in the attached file management DB 640. If a URL is described in the e-mail body, the URL conversion unit 333 converts the URL so that the link to the file indicated by the URL is invalid.

  Then, the transmission source determination unit 310 transmits the received electronic mail to the transmission destination (mail reception device 4) by the communication unit 100 (step S25), and ends this process.

  When it is determined that the source IP address of the received e-mail and the regular source IP address corresponding to the source domain name of the received e-mail are not partly different (step S23; No), the source The determination unit 310 determines that the received electronic mail is a spoofed mail, and deletes the received mail (step S26). Then, this process ends.

  That is, in the transmission source discrimination process, the combination of the transmission source domain name and the transmission source IP address of the received e-mail is registered in the normal address management DB 610 as a combination of the normal transmission source domain name and the normal transmission source IP address. In that case, the e-mail is sent to the destination as it is. In addition, when the sender domain name of the e-mail is not registered as a regular sender domain name, or the sender domain name is registered as a legitimate sender domain name, the sender IP address is a legitimate sender IP address. If the received e-mail is partly different from the one registered as, it is determined that there is a possibility of spoofing mail, and after alert processing is executed, it is transmitted to the destination. The sender domain name is registered as a legitimate sender domain name, but if the sender IP address is significantly different from that registered as the legitimate sender IP address, the received e-mail is a spoofed mail. It is determined that it exists and is deleted.

  As described above, in the spoofing mail processing apparatus 1 according to the present embodiment, the regular address information is acquired based on the response result information from the user with respect to the received electronic mail and stored in the regular address management DB 610. Then, since it is determined whether or not it is a spoofed mail based on the regular address information stored in the regular address management DB 610, it is possible to determine the spoofed mail with higher accuracy.

  Further, the response record information can be acquired from the user's reply mail information for the received electronic mail or the report information from the user that the mail address of the received electronic mail is valid. Therefore, it is possible to prevent an e-mail transmitted to a large number of destinations such as a mail magazine from being identified as a spoofed mail.

  Also, alert information is added to an e-mail that may be a spoofed mail. If a URL is described in the text, the URL is converted so that the link becomes invalid. Also, the attached file attached to the e-mail is saved separately, and the save destination information and attached file name are added. This prevents virus infection and access to unauthorized sites. In addition, the burden on the administrator can be reduced.

  As mentioned above, although embodiment of this invention was described, this invention is not limited by embodiment.

  For example, in the above embodiment, the case where the spoofed mail processing device 1, the mail transmitting device 3, and the mail receiving device 4 are connected to the same network 2 has been described. The network to which the transmitting device 3 is connected may be different from the network to which the spoofed mail processing device 1 and the mail receiving device 4 are connected.

  Further, the spoofing mail processing apparatus according to the present invention can be realized using a normal computer system, not a dedicated system. For example, a program for executing the above operation is stored in a computer-readable recording medium (CD-ROM, MO, etc.) and distributed to a computer connected to a network, and the program is distributed to the computer system. You may comprise the spoofing mail processing apparatus which performs the above-mentioned process by installing.

  Further, the method for providing the program to the computer is arbitrary. For example, the program may be uploaded to a bulletin board (BBS) on a communication line and distributed to a computer via the communication line. The program may be transmitted by a modulated wave obtained by modulating a carrier wave with a signal representing the program, and a device that receives the modulated wave may demodulate the modulated wave to restore the program. Then, the computer activates this program and executes it in the same manner as other applications under the control of the OS. As a result, the computer functions as a spoofed mail processing device that executes the above-described processing.

1 spoofed mail processing device 100 communication unit 200 external I / F
300 control unit 310 transmission source determination unit 320 reception result acquisition unit 330 spoof mail processing unit 331 alert notification unit 332 attached file processing unit 333 URL conversion unit 340 response result acquisition unit 341 reply result acquisition unit 342 report information acquisition unit 350 regular address determination Part 400 ROM
500 RAM
600 storage unit 610 regular address management DB
620 Received record management DB
630 Response record management DB
640 Attached file management DB
2 Network 3 Mail sending device 4 Mail receiving device

Claims (8)

The transmission source address indicating the transmission source mail address of the received electronic mail, the transmission source IP address indicating the transmission source IP address of the electronic mail, and the identification information of the electronic mail are acquired, and the acquired transmission source A reception result acquisition unit that associates an address, the transmission source IP address, and the identification information with each other and stores them in the reception result storage unit;
Among the received e-mails, a response record acquisition unit that acquires identification information of an e-mail that the user responds to and stores the acquired identification information in a response record storage unit;
For each of the transmission source IP addresses stored in the reception performance storage unit, based on the identification information stored in the response performance storage unit, among the emails received from the transmission source represented by the transmission source IP address, The total number of e-mails that the user responds to is acquired, and based on the acquired total number, whether the domain name of the source address corresponding to the source IP address is the domain name of the regular e-mail address of the source The domain name of the source address determined to be the domain name of the sender's regular mail address and the source IP address corresponding to the domain name of the source address are stored in the regular address storage. A normal address discriminating unit to be stored in the unit,
Based on the domain name of the source address and the source IP address stored in the regular address storage unit, it is determined whether or not the source address of the received e-mail may be spoofed A transmission source discrimination unit;
A spoofing mail processing device comprising: The response record acquisition unit acquires the identification information of the email returned by the user among the received emails, and stores the acquired identification information in the response record storage unit.
The spoofed mail processing device according to claim 1. The response record acquisition unit acquires identification information of an e-mail whose sender address is a regular e-mail address among the received e-mails by a user operation, and stores the acquired identification information in a response record storage unit ,
The fraudulent mail processing device according to claim 1 or 2. When it is determined that the sender address of the email received by the sender discriminator may be spoofed, alert information indicating that the sender address of the email may be spoofed is displayed. An alert notification unit to be added to the e-mail;
The fraudulent mail processing device according to any one of claims 1 to 3. When it is determined that there is a possibility that the sender address of the email received by the sender discrimination unit is misrepresented, the file attached to the email is stored in the attached file storage unit, and the file is stored in the file An attachment file processing unit for adding storage location information representing a location stored in the attachment file storage unit to the email and deleting the file attached to the email;
The spoofed mail processing device according to any one of claims 1 to 4. When it is determined by the transmission source determination unit that the transmission source address of the received email is likely to be spoofed, the URL described in the body of the email is linked to the file indicated by the URL Further includes a URL conversion unit that converts the URL to be invalid.
The fraudulent mail processing apparatus according to any one of claims 1 to 5, wherein The transmission source address indicating the transmission source mail address of the received electronic mail, the transmission source IP address indicating the transmission source IP address of the electronic mail, and the identification information of the electronic mail are acquired, and the acquired transmission source Storing the address, the source IP address, and the identification information in association with each other in the reception result storage unit;
Of the received e-mail, acquiring the identification information of the e-mail that the user responded to, and storing the acquired identification information in the response record storage unit,
For each of the transmission source IP addresses stored in the reception performance storage unit, based on the identification information stored in the response performance storage unit, among the emails received from the transmission source represented by the transmission source IP address, The total number of e-mails that the user responds to is acquired, and based on the acquired total number, whether the domain name of the source address corresponding to the source IP address is the domain name of the regular e-mail address of the source The domain name of the source address determined to be the domain name of the sender's regular mail address and the source IP address corresponding to the domain name of the source address are stored in the regular address storage. Storing it in a part;
Based on the domain name of the source address and the source IP address stored in the regular address storage unit, it is determined whether or not the source address of the received e-mail may be spoofed Steps,
A spoofing mail processing method characterized by comprising: Computer
The transmission source address indicating the transmission source mail address of the received electronic mail, the transmission source IP address indicating the transmission source IP address of the electronic mail, and the identification information of the electronic mail are acquired, and the acquired transmission source A reception record acquisition means for storing an address, the transmission source IP address, and the identification information in association with each other in a reception record storage unit;
Response history acquisition means for acquiring the identification information of the email to which the user responded among the received emails, and storing the acquired identification information in the response history storage unit,
For each of the transmission source IP addresses stored in the reception performance storage unit, based on the identification information stored in the response performance storage unit, among the emails received from the transmission source represented by the transmission source IP address, The total number of e-mails that the user responds to is acquired, and based on the acquired total number, whether the domain name of the source address corresponding to the source IP address is the domain name of the regular e-mail address of the source The domain name of the source address determined to be the domain name of the sender's regular mail address and the source IP address corresponding to the domain name of the source address are stored in the regular address storage. Normal address discrimination means to be stored in the unit,
Based on the domain name of the source address and the source IP address stored in the regular address storage unit, it is determined whether or not the source address of the received e-mail may be spoofed Source discrimination means,
Program to function as.

Images