JP2018018542A - Improper email determination device and program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To determine whether a received email is improper or not by only checking at a reception side without providing a special mechanism at a transmission side or a relay network.SOLUTION: An improper email determination device includes: improper email determination means for referring to a history database that stores a transmission history, i.e. a history of emails transmitted to the outside and a reception history, i.e. a history of emails received from the outside, and determining whether a received email is an improper email or not by using either the transmission history or the reception history, or both transmission history and reception history; and improper email control means for carrying out a process corresponding to determination of the received email being an improper email if the improper email determination means determines that the received email is an improper email.SELECTED DRAWING: Figure 13

Description

  The present invention relates to a technique for determining whether a received mail is an illegal mail.

  Currently, transmission / reception of information by mail is generally performed via a communication network. Along with the widespread use of e-mails, e-mails are used as information exchange means in various businesses, and cases in which important confidential information is exchanged via e-mails via networks are increasing.

  From such a point of view, as a technique for preventing inappropriate mail transmission such as a setting error of a destination mail address, for example, Patent Document 1 discloses a safety analysis / evaluation of a mail to be sent safely. A technique for sending mail is described.

  On the other hand, in recent years, fraudulent attack emails due to spoofing of senders are also increasing. From such a viewpoint, for example, Patent Document 2 describes a technique for verifying whether a received mail is a mail sent from a legitimate sender using a key.

JP 2010-198379 A JP 2005-142719 A

  However, regarding the technology for verifying whether or not the received email is an unauthorized email, for example, the technology described in Patent Document 2 requires a special mechanism such as generating and assigning a key on the transmission side, etc. Not easy to implement and uncommon.

  In recent years, attack mail using various techniques has increased, and therefore, there is a need for a method for determining fraudulent mail that can be realized more easily.

  The present invention has been made in view of the above points, and it is possible to accurately determine whether a received mail is illegal or not by only checking on the receiving side without providing a special mechanism on the transmitting side or the relay network. The purpose is to provide a technology that makes this possible.

According to one embodiment of the present invention, there is an unauthorized mail determination device that determines whether or not a received mail received from the outside is an unauthorized mail,
Reference is made to a history database that stores a transmission history that is a history of mail sent to the outside and a reception history that is a history of mail received from the outside, and either one of the transmission history and the reception history, or the A fraudulent mail determination means for determining whether or not the received mail is a fraudulent mail using both the transmission history and the reception history;
When the received mail is determined to be invalid by the unauthorized mail determination means, the unauthorized mail control means for executing processing according to the determination that the received mail is determined to be illegal A fraudulent mail determination device characterized by the above is provided.

  According to an embodiment of the present invention, it is possible to accurately determine whether a received mail is illegal or not only by checking on the receiving side without providing a special mechanism on the transmitting side or the relay network. Technology can be provided.

It is a figure which shows the system configuration example which concerns on embodiment of this invention. 2 is a functional configuration diagram of an unauthorized mail determination device 10. FIG. It is a sequence diagram which shows the storage process of the address information in a 1st system. It is a figure which shows the example of an outgoing mail destination log | history table. It is a sequence diagram which shows the flow of the whole process of unauthorized mail determination. It is a figure which shows the example of a confirmation screen. It is a figure which shows the example of the address information of the header of the mails 1-4 transmitted from the external terminal a to a company terminal. It is a flowchart which shows the unauthorized mail determination process in a 1st system. It is a sequence diagram which shows the storage process of the address information in a 2nd system. It is a figure which shows the example of an external received mail destination log | history table. It is a figure which shows the example of the address information of the envelope of the mails 1-4 transmitted from the external terminal a to a company terminal. It is a flowchart which shows the unauthorized mail determination process in a 2nd system. It is a figure which shows the example of the determination information setting table for every address.

  Embodiments of the present invention will be described below with reference to the drawings. The embodiment described below is only an example, and the embodiment to which the present invention is applied is not limited to the following embodiment. For example, in the present embodiment, focusing on a certain company, mail sent from the inside to outside (outside) and mail sent from outside to inside the company are targeted. However, the present invention is not limited to such a form. is not. For example, the present invention can be applied to transmission / reception of personal mail. In this embodiment, SMTP is used as the mail transfer protocol. However, the mail protocol to which the present invention can be applied is not limited to SMTP.

(Overall system configuration)
FIG. 1 shows a system configuration example according to an embodiment of the present invention. As shown in FIG. 1, in the system according to the present embodiment, a fraudulent mail determination device 10 and a destination history DB (database) server 20 are provided in a company. In the present embodiment, it is assumed that the fraudulent mail determination device 10 includes a function of an in-house mail server. However, the unauthorized mail determination device 10 and the in-house mail server may be separate devices. Further, the unauthorized mail determination device 10 and the destination history DB server 20 may be one device.

  FIG. 1 shows an external mail server 30 as an example of an external (other company, etc.) mail server. FIG. 1 shows, as an example, in-house terminals A, B, and C connected to the in-house mail server, and shows terminals a, b, and c connected to the external mail server 30. ing.

  In this embodiment, in order to make the explanation easy to understand, the users of terminal A, terminal B, terminal C, terminal a, terminal b, and terminal c are respectively user A, user B, user C, user a, user b, Assume that the user is c, and the mail addresses are A, B, C, a, b, and c.

  In the present embodiment, the fraudulent mail determination device 10 uses the address information of mail transmitted from the company to the outside and / or the address information of mail transmitted from the outside to the company as the destination history to the destination history DB server 20. Store. Then, the fraudulent mail determination device 10 determines whether the mail received from the outside is a fraudulent mail based on the history. In the present embodiment, “illegal mail” is, for example, mail that the receiver does not want to receive, mail that the receiver should not receive, mail that is not related to the receiver, and the like.

  In the present embodiment, it is determined whether or not there is a possibility of being an illegal mail, and when there is a possibility of being an illegal mail, the recipient is confirmed. However, in the processing of the fraudulent mail determination device 10, “possibly fraudulent mail” is expressed as “illegal mail”. In this embodiment, both To and Cc in the mail header are treated as “destination”.

  In this embodiment, from the following viewpoint, it is determined whether or not an email received from the outside is an unauthorized email.

  When replying to a mail by exchanging mail in business, the respondent often replies to all persons including Cc: in addition to the sender of the received mail. That is, the same address group as the sender (From :) and destination (To :, Cc :) addresses in the header of the outgoing mail is often attached to the header of the incoming mail. For example, the addresses of A (From), b (To), a, and C (Cc) are attached to the header of a mail transmitted from A to b with a and C in Cc :. When b receives this mail and replies to all, for example, addresses of b (From), A (To), a, and C (Cc) are added to the header of the reply mail.

  Therefore, in this embodiment, in the first method to be described later, the address information of the mail transmitted from the in-house terminal is stored in the destination history DB server 20 as the destination history, and the mail is received from the outside. In this case, the address information of the mail is compared with the destination history, and it is determined whether or not the mail is illegal based on whether there is a history that matches or is close to the address information.

  On the other hand, e-mail destinations sent by specific external users to the company are unlikely to differ every time they are sent, for example, the same destination at any time, or a set of the same plurality of destinations for each department that is the destination There are many cases. Therefore, in this embodiment, in the second method to be described later, address information of mail transmitted from the outside to the company is stored in the destination history DB server 20 as the destination history, and the mail is received from the outside. In this case, the address information of the mail is compared with the destination history, and it is determined whether or not the mail is illegal based on whether there is a history that matches or is close to the address information.

  FIG. 2 is a functional configuration diagram of the unauthorized mail determination device 10 according to the present embodiment. As illustrated in FIG. 2, the unauthorized mail determination device 10 according to the present embodiment includes a mail transfer processing unit 11, an address information storage processing unit 12, an unauthorized mail determination processing unit 13, and an unauthorized mail notification control unit 14.

  The mail transfer processing unit 11 is a functional unit corresponding to an in-house mail server, and performs mail transfer / delivery processing according to the SMTP protocol. The address information storage processing unit 12 is a functional unit that stores, in the destination history DB server 20, address information of mail transmitted / received by the mail transfer processing unit 11. As will be described later, in the first method, the address information of the header of the mail message is stored, and in the second method, the address information of the envelope is stored, but these are only examples.

  The fraudulent mail determination processing unit 13 determines whether the mail received from the outside is a fraudulent mail based on the address information of the mail received from the outside and the destination history for each transmission source stored in the destination history DB server 20. It is a function part to determine. The fraudulent mail notification control unit 14 notifies the destination terminal that a mail that may be a fraudulent mail has arrived when the fraudulent mail determination processing unit 13 determines that the received mail is a fraudulent mail. It is a functional unit that displays a confirmation screen on the terminal and performs mail delivery control based on the confirmation result. Note that the control for notifying the destination terminal when it is determined to be an unauthorized mail is merely an example, and as described later, the unauthorized mail notification control unit 14 determines that the received mail is an unauthorized mail. It is also possible to perform control such as discarding unauthorized mail when it is determined, or notifying a received mail list including unauthorized mail display based on a received mail presence / absence confirmation request from the terminal.

  The fraudulent mail determination apparatus 10 according to the present embodiment can be realized by causing a computer to execute a program describing the processing contents described in the present embodiment. That is, each function unit in the unauthorized mail determination device 10 is realized by executing a program corresponding to a process executed by each unit using hardware resources such as a CPU, a memory, and a hard disk built in the computer. Is possible. The above-mentioned program can be recorded on a computer-readable recording medium (portable memory or the like), stored, or distributed. It is also possible to provide the program through a network such as the Internet or electronic mail.

  In the present embodiment, the illegal mail determination device 10 is configured by causing a program corresponding to the address information storage processing unit 12, the illegal mail determination processing unit 13, and the illegal mail notification control unit 14 to be executed on an in-house mail server. However, the terminal (client) executes a program corresponding to the address information storage processing unit 12, the fraudulent mail determination processing unit 13, and the fraudulent mail notification control unit 14, so that the fraudulent mail determination process is performed on the terminal side. May be performed.

  As described above, there are two types of fraudulent mail determination processing (first method and second method). Hereinafter, the first method and the second method will be described in more detail.

(First method: Judgment of fraudulent mail based on the history of outgoing mail from the company)
<Address information storage processing>
With reference to FIG. 3, the address information storage processing in the first method will be described. FIG. 3 shows an example in which a mail is transmitted from the terminal A in the company. As described above, the first method focuses on the fact that when sending a reply from outside the company, it is often the case that a reply is sent to everyone. In order to store the original information together with the original information, the address information of the From field, To field, and Cc field of the header of the mail message is acquired and stored.

  In this specification, the “mail message” includes a header and a mail text. A command for transmitting / receiving a mail message (such as MAIL From indicating a transmission source, RCPT To indicating a destination) is referred to as “envelope”. Unless otherwise specified, “mail” includes “mail message” and “envelope”. Further, MAIL From may be referred to as an envelope From and RCPT To may be referred to as an envelope To.

  In step 101 of FIG. 3, the mail transfer processing unit 11 in the fraudulent mail determination device 10 receives the mail transmitted from the terminal A. The address information storage processing unit 12 acquires the From, To, and Cc address information from the header of the mail message in the buffer in the mail transfer processing unit 11, and transmits it to the destination history DB server 20 (step 102). . The destination history DB server 20 stores address information (step 103). The mail transfer processing unit 11 performs mail transfer processing (step 104). As an example, FIG. 3 shows that the header of the transmitted mail message is From: A, To: a, Cc: b, c, B, and that these pieces of information are stored in the destination history DB server 20. ing.

  The process shown in FIG. 3 is performed every time an email is transmitted from an in-house terminal. However, in the present embodiment, since it is determined whether or not the mail received from outside the company is illegal, the processing shown in FIG. 3 is performed for the outgoing mail including the external address in the header destination (To or Cc). Store address information.

  FIG. 4 shows an example of a table (external outgoing mail destination history table) stored in the destination history DB server 20 in the first method. In the example of FIG. 4, address information (record) of a transmission source (From field address) and destination (To, Cc field address) is stored together with a pattern number. The address information may be referred to as a “pattern”.

  In addition, when storing the address information of the mail sent to the outside, if the same address information is already stored, it may be recorded in a new record, and a column for the number of cases is provided for each pattern. Alternatively, the number of cases may be incremented (increased by 1). Thus, by providing the column of the number of cases, the number of mails for each pattern can be easily grasped.

  Further, each address information may be stored in one record, the same pattern may be given the same pattern number, and the time (date and time) at which the address information is stored may be stored. By storing the time, it is possible to grasp the age of the pattern, and to perform control such that the old pattern is excluded from the determination target.

<Illegal mail judgment processing>
First, the overall flow of unauthorized mail determination processing will be described with reference to the sequence diagram of FIG. The second method is the same for the overall flow of processing. FIG. 5 shows, as an example, the envelope From, the envelope To, and the addresses of the From, To, and Cc fields of the header. As shown in these addresses, FIG. 5 shows an example in which mail is transmitted from outside a to A and B inside the company and outside b and c.

  A mail is transmitted from the external terminal a (step 201). The mail is transmitted from the external mail server 30 to the mail transfer processing unit 11 of the unauthorized mail determination device 10 (step 202). The fraudulent mail determination processing unit 13 in the fraudulent mail determination device 10 acquires the transmission source address and the destination address from the mail in the buffer (storage device) of the mail transfer processing unit 11, the address information, and the destination history DB server 20. It is determined whether or not the received mail is an illegal mail by comparing with the destination history at (steps 203 to 205). This determination is made for each in-house mail address. In the example of FIG. 5, the determination is made for destinations A and B. Therefore, even the same mail may be illegal for another destination but not for another destination.

  When it is determined that the received mail is not an illegal mail for a certain destination (B in the example of FIG. 5), the unauthorized mail determination processing section 13 notifies the mail transfer processing section 11 to that effect, and the mail transfer processing section 11 The mail is transferred to the destination (B) (step 206).

  If the unauthorized mail determination processing unit 13 determines that the received mail is an unauthorized mail for a certain destination (A in the example of FIG. 5), the unauthorized mail notification control unit 14 sends the unauthorized mail notification to the destination (in this example). To terminal A) (step 207). The unauthorized mail notification may be transmitted by mail from the mail transfer processing unit 11 or may be transmitted by other means. The unauthorized mail notification includes confirmation screen information (for example, URL) for displaying a confirmation screen on the destination terminal.

  The terminal A that has received the unauthorized mail notification displays a confirmation screen by clicking, for example, a URL (step 208). An example of the confirmation screen is shown in FIG. As shown in FIG. 6, the confirmation screen includes a button for selecting a response (whether it is a combination of destinations that is different from the usual reason) that is determined to be fraudulent mail (in this embodiment, a combination of addresses different from usual). "Delete", "Receive", "Confirm later", etc.) are displayed.

  When the unauthorized mail notification control unit 14 receives a reception OK (eg, when “Receive” is selected) from the terminal A (step 209), the unauthorized mail notification control unit 14 determines that the reception is OK. The mail transfer processing unit 11 notified to the unit 11 receives the notification and transfers the mail (step 210). If the unauthorized mail notification control unit 14 receives a received NG from the terminal A (eg, when “delete” is selected), the unauthorized mail notification control unit 14 performs a mail transfer process indicating that the received message is a received NG. The mail transfer processing unit 11 that has notified the unit 210 and received the notification discards the mail.

  In the above example, when the unauthorized mail determination processing unit 13 determines that the received mail is an unauthorized mail, the unauthorized mail determination device 10 (mail server) notifies the recipient's terminal. Is just an example.

  For example, without receiving notification from the unauthorized mail determination device 10 to the terminal, the receiver (terminal) periodically checks whether there is received mail in the unauthorized mail determination device 10 and checks the target of the unauthorized mail and displays a confirmation screen. You may make it do.

  In this case, for example, the fraudulent mail notification control unit 14 of the fraudulent mail determination device 10 displays a determination result as to whether the received mail is a fraudulent mail in response to a received mail confirmation request periodically transmitted from the recipient's terminal. A function is provided for creating a received mail list including and transmitting the list to the recipient's terminal. The recipient checks the received mail list screen displayed on the terminal, and if there is an illegal mail display (mark), clicks (or checks) it, and the confirmation screen is fraudulent. Request to the mail notification control unit 14. Upon receiving the request, the unauthorized mail notification control unit 14 transmits confirmation screen information regarding the corresponding unauthorized mail to the terminal. A confirmation screen as shown in FIG. 6 is displayed on the terminal that has received the confirmation screen information. Subsequent control contents are the same as those described above.

  In addition, the terminal periodically transmits an unauthorized mail confirmation request to the unauthorized mail determination device 10, and when the unauthorized mail notification control unit 14 receives the unauthorized mail confirmation request from the terminal, the presence of the unauthorized mail is confirmed. When there is an unauthorized mail, confirmation screen information related to the unauthorized mail may be transmitted to the terminal.

  In addition, the unauthorized mail notification control unit 14 may perform control to discard the received mail for the destination when the received mail for the destination with the unauthorized mail determination processing unit 13 is determined to be an unauthorized mail.

  An example of the address information of the headers of the mails 1 to 4 transmitted from the external terminal a to the in-house terminal is shown in FIG. Details of the fraudulent mail determination process for mail transmitted from the external terminal a to the in-house terminal will be described with reference to the flowchart of FIG. 8 using the example shown in FIG.

  The fraudulent mail determination processing unit 13 of the fraudulent mail determination apparatus 10 extracts the transmission source address and the destination address from the header of the mail message received from the outside (step 301). For example, in the case of the mail 1 in FIG. 7, a is extracted as a transmission source address, and A, B, C, a, b, and c are extracted as destination addresses. In this example, since the comparison determination is performed for each internal address extracted as the destination address, the following determination processing is performed for each of A, B, and C.

  First, processing for the destination address A is performed. The fraudulent mail determination processing unit 13 extracts a history having the destination address A of the determination target mail as the transmission source and the transmission source address a as the destination from the outgoing transmission mail destination history table shown in FIG. 4 (step 302). . In the example of FIG. 4, patterns 1, 2, and 3 are extracted. In this example, if no history is extracted in step 302, it is determined to be illegal.

  Then, the fraudulent mail determination processing unit 13 compares each pattern of the history extracted in step 302 with the address of the determination target mail to determine whether it is fraudulent (step 303). For example, in step 302, a pattern having a destination address group that completely matches the destination address group excluding the transmission source address (a in this example) and the target destination address (A at this stage in this example) in the determination target mail is extracted. It can be determined that the pattern is normal if it is within the specified pattern, and is invalid if there is no completely matching pattern. For example, if the determination target mail is mail 1, the sender is a, the destination is A, B, C, a, b, c, and the destination address group B, C, a, Since b and c completely coincide with the destination address group of pattern 1 in the table of FIG. 4, it is determined to be normal. Further, for example, the mail 3 is a transmission source: a, a destination: A, B, C, E, and there is no pattern having a destination address group that completely matches the destination address group B, C, E. Is determined to be illegal.

  The degree of similarity may be calculated between each pattern and whether or not it is a fraudulent mail based on the maximum degree of similarity, instead of whether or not they completely match as described above. As the similarity, for example, a Tanimoto coefficient for evaluating the similarity of the set elements can be used. The Tanimoto coefficient T is expressed by the following equation.

T = Nc / (Na + Nb-Nc)
In the above formula, Na is the number of elements in the set a, Nb is the number of elements in the set b, and Nc is the number of elements in the common set c (product set) of the sets a and b. The Tanimoto coefficient is expressed as a number between 0.0 and 1.0, where 1.0 represents a perfectly matched set, the value decreases as the degree of similarity decreases, and a set with no match at 0.0. Represent.

  In this example, a set of address elements in the table pattern is set a, and a set of address information elements in the determination target mail is set b. In this case, the elements of the set of pattern 1 are A, a, b, c, B, C, and Na = 6. The element of the set of address information of the mail 1 is a, A, B, C, b, c, and Nb = 6, where a is counted as one. c is A, a, b, c, B, C, and Nc = 6. Therefore, T = 1.

  Further, for example, the elements of the set of pattern 3 are A, a, E and Na = 3, and the elements of the address information set of mail 3 are a, A, B, C, E and Nb = 5 Yes, c is A, a, E, and Nc = 3. Therefore, T = 3/5 = 0.6 between the pattern 3 and the mail 3. The elements of the set of address information of the mail 4 are a and A, Nb = 2, and c is a, A and Nc = 2. Therefore, T = 2 / 3≈0.66 between the pattern 3 and the mail 4.

  The unauthorized mail determination processing unit 13 calculates the above T between the address information of the determination target mail and each pattern extracted in step 302. If the maximum T is equal to or greater than a predetermined threshold, the unauthorized mail determination processing unit 13 is not unauthorized. If the maximum T is less than a predetermined threshold, it is determined to be illegal. When the predetermined threshold value is 1, it is determined that it is not illegal only when it is a perfect match.

  In the above example, all the elements of the address are included in the set. However, a and A, which are confirmed to match when the pattern is extracted in step 302, are obtained from the pattern address group and the determination target mail address group. The evaluation may be performed with the excluded address group.

  In the above example, the Tanimoto coefficient is used as the similarity, but this is only an example, and other values may be used as the similarity. For example, the similarity may be expressed by the ratio of the number of matching addresses to the number of elements of the address in the determination target mail in the pattern and the determination target mail.

  If it is determined in step 303 of the flow of FIG. 8 that it is illegal, processing at the time of fraud as shown in steps 207 to 210 of FIG. 5 is performed (step 304). Normal processing as shown in step 206 of FIG. 5 is performed (step 305).

  In step 306, the unauthorized mail determination processing unit 13 checks whether the determination processing has been completed for all of the in-house destination addresses, and if not, repeats the processing from step 302 for the next destination address. For example, in the case of the mail 1 shown in FIG. 7, the same processing is performed for B after A. If completed, the determination process for the corresponding received mail is terminated.

  In the above example, for example, since user A frequently performs e-mail transmission to the outside, a destination history with A as the transmission source remains in the outgoing e-mail destination history table.

  On the other hand, when an employee sends a mail to a certain destination, a boss (address D) is always added to Cc :, but the boss himself may not send a mail to the destination. In such a case, no history with D as the transmission source remains in the outgoing outgoing mail destination history table. Therefore, for example, when a mail containing the boss's address D in Cc is received from the outside and the determination process described in FIG. 8 is performed, the pattern is not extracted in step 302 of the above process. It will always be judged as illegal. In order to prevent such a situation, the “sender” in the outgoing outgoing mail destination history table may be evaluated without distinguishing it from the “destination”.

  Specifically, in step 302 of the flow of FIG. 8, a pattern in which the address of the determination target mail (From) exists as a destination is extracted from the outgoing outgoing mail destination history table. In this case, since the extraction is performed regardless of the “sender” address in the outgoing mail destination history table, the pattern is extracted even when the mail is not sent to the destination as in the above boss. .

  Then, “transmission source” in each extracted pattern is regarded as “destination”, and matching determination or similarity determination is performed. For example, since the mail 1 is a transmission source: a and a destination: A, B, C, a, b, c, this completely matches the pattern 1 in the table of FIG. It is determined that both are normal.

(Second method: fraudulent email judgment based on the history of incoming email from outside)
Next, as a second method, illegal mail determination based on the history of received mail from the outside will be described. In the following, differences from the first method will be mainly described.

<Address information storage processing>
With reference to FIG. 9, the address information storing process in the second method will be described. FIG. 9 shows an example in which a mail is transmitted from the external terminal a. As described above, in the second method, the destination of an email sent by a specific external user to the office is unlikely to differ every time it is sent. For example, the destination is always the same or every department that is the destination. In order to obtain and store information on the destination address and source address in the company accurately, an envelope indicating the source is often taken into account. The address of From (MAIL From) and the address of envelope To (RCPT To) indicating the destination are acquired and stored.

  Note that the RCPT To address acquired by the unauthorized mail determination device 10 that is also an in-house mail server includes only the address of the destination in the company.

  In step 401 of FIG. 9, a mail is transmitted from the terminal a. In step 402, the mail transfer processing unit 11 in the unauthorized mail determination device 10 receives a mail transmitted from the terminal a. The address information storage processing unit 12 acquires the source address (MAIL From address) and destination address (RCPT To address) of the envelope of the mail from the buffer in the mail transfer processing unit 11, and stores them in the destination history. It transmits to the DB server 20 (step 403). The destination history DB server 20 stores the address information as a table (step 404). The mail transfer processing unit 11 performs mail transfer processing (step 405).

  In FIG. 9, as an example, the envelopes of mail received by the unauthorized mail determination device 10 are MAIL From: a, RCPT To: A, B, and the information is stored in the destination history DB server 20. Has been. The process shown in FIG. 9 is performed each time an e-mail is transmitted from the outside to an in-house terminal.

  FIG. 10 shows an example of an externally received mail destination history table stored in the destination history DB server 20 in the second method. In the example of FIG. 10, a transmission source (MAIL From address) and a destination (RCPT To address) are stored together with a pattern number. When storing the address information of an email received from the outside, if the same address information is already stored, it may be recorded in a new record, and a number field is provided for each pattern. The number of cases may be incremented (increased by 1). Further, similarly to the first method, the storage time may be stored for each pattern.

<Illegal mail judgment processing>
The overall flow of fraudulent mail determination processing in the second method, the confirmation screen displayed on the terminal, confirmation control, and the like are the same as those in the first method, as described with reference to FIGS.

  FIG. 11 shows an example of address information of the mails 1 to 4 transmitted from the external terminal “a” to the in-house terminal, which is a comparison target with the externally received mail destination history table shown in FIG. As shown in FIG. 11, in the second method, envelope address information (MAIL From, RCPT To) is used for comparison.

  In the second method, an illegal mail determination process for mail transmitted from an external terminal a to an in-house terminal will be described with reference to the flowchart of FIG.

  The fraudulent mail determination processing unit 11 of the fraudulent mail determination apparatus 10 extracts the transmission source address and the destination address from the envelope of the mail received from the outside (step 501). For example, in the case of the mail 1 in FIG. 11, a is extracted as the transmission source address, and A, B, C, and D are extracted as the destination addresses. In this example, since the comparison determination is performed for each in-house address extracted as the destination address, the following determination processing is performed for each of A, B, C, and D.

  First, processing for the destination address A is performed. The unauthorized mail determination processing unit 13 extracts a pattern including the transmission source address a of the determination target mail as the transmission source and the destination address A as the destination from the table illustrated in FIG. 10 (Step 502). In the example of FIG. 10, patterns 1 and 2 are extracted. In this example, if no history is extracted in step 502, it is determined to be illegal.

  Then, the fraudulent mail determination processing unit 13 compares the pattern extracted in step 502 with the address of the determination target mail to determine whether it is fraudulent. The criteria for determination are the same as in the first method. That is, for example, a pattern having a destination address group that completely matches the destination address group excluding the transmission source address (a in this example) and the target destination address (A in the present example in this example) in the determination target mail is step 502. It can be determined that the pattern is normal if it is included in the pattern extracted in step B, and is invalid if there is no pattern that completely matches. For example, the mail 1 is a transmission source: a and a destination: A, B, C, D, and the address groups B, C, D are completely the same as the address groups B, C, D of the pattern 1 in the table of FIG. Since they match, it is determined to be normal. Also, for example, mail 3 is sender: a, destinations: A, B, C, E, and mail 3 is illegal because there is no pattern having an address group that completely matches address groups B, C, E. It is determined that

  The degree of similarity may be calculated between each pattern and whether or not it is a fraudulent mail based on the maximum degree of similarity, instead of whether or not they completely match as described above. As the similarity, for example, a Tanimoto coefficient can be used as in the first method.

  Also in this example, a set of address elements in the pattern is set a, and a set of address information elements in the determination target mail is set b. In this case, for example, the elements of the set of pattern 1 are a, A, B, C, and D, and Na = 5. The elements of the mail 1 address information set are a, A, B, C, and D, and Nb = 5. c is a, A, B, C, D, and Nc = 5. Therefore, T = 1.

  Also, for example, the elements of the set of pattern 2 are a, A, B, C and Na = 4, and the elements of the set of address information of mail 3 are a, A, B, C, E and Nb = 5, c is a, A, B, C and Nc = 4. Therefore, T = 4/5 = 0.8 between the pattern 2 and the mail 3.

  The unauthorized mail determination processing unit 13 calculates the above T between the address information of the determination target mail and each pattern extracted in step 502. If the maximum T is equal to or greater than a predetermined threshold, the unauthorized mail determination processing unit 13 is not unauthorized. If the maximum T is less than a predetermined threshold, it is determined to be illegal.

  In the above example, all of the elements of the address are included in the set. However, the evaluation may be performed using addresses other than a and A, which are confirmed to match when the pattern is extracted in step 502.

  In the above example, the Tanimoto coefficient is used as the similarity, but this is only an example, and other values may be used as the similarity. For example, the similarity may be expressed by the ratio of the number of matching addresses to the number of elements of the address in the determination target mail in the pattern and the determination target mail.

  In step 503 of the flow of FIG. 12, if it is determined to be fraudulent, processing at the time of fraud as shown in steps 207 to 210 of FIG. 5 is performed (step 504). Normal processing as shown in step 206 in FIG. 5 is performed (step 505).

  In step 506, the unauthorized mail determination processing unit 13 confirms whether the determination processing has been completed for all destination addresses (step 506), and if not, repeats the processing from step 502 for the next destination address. . For example, in the case of the mail 1 shown in FIG. 11, the same processing is performed for B after A. If completed, the determination process for the corresponding received mail is terminated.

(About threshold setting method)
As described above, as one determination method in the first method and the second method, a Tanimoto coefficient is calculated and compared with a “predetermined threshold value” to determine whether or not the mail is fraudulent. This threshold is obtained by providing a learning period, for example. During the learning period, every time an email is received, the fraudulent mail determination processing unit 13 accumulates the destination history in each corresponding table, and calculates the Tanimoto coefficient between each pattern in the same manner as the above-described determination processing. Then, the Tanimoto coefficient is stored in a storage means such as a memory. Then, the distribution of the Tanimoto coefficient is examined, for example, an intermediate value of the Tanimoto coefficient is set as a threshold value, and a mode value among values exceeding the threshold value is adopted as a “predetermined threshold value”. The predetermined threshold is obtained for each of the first method and the second method.

  Also, in the actual operation stage, if the maximum Tanimoto coefficient in the received mail is smaller than a predetermined threshold, it is quarantined as an illegal mail, but if the received mail is selected by the user, the received mail Add address information to the destination history. In addition, since the Tanimoto coefficient is calculated every time an email is received from the outside, the predetermined threshold is obtained as described above using the calculated Tanimoto coefficient and the Tanimoto coefficient calculated so far. Will be updated. The update of the predetermined threshold value may be performed every time a mail is received, or may be performed every time a predetermined number of mails are received.

(About judgment pattern setting for each address)
In the present embodiment, the fraudulent mail determination device 10 has a function of determining both the first method and the second method. However, the unauthorized mail determination device 10 may have a function of only one of the first method and the second method.

  The fraudulent mail determination device 10 having both functions may perform only one of the first method and the second method in the fraud determination of received mail from the outside. Both determinations may be made. When performing both determinations, for example, the fraudulent mail determination processing unit 13 determines when the determination target mail is not a fraudulent mail in both the determination by the first method and the determination by the second method. If it is determined that the target email is not illegal and one of them is determined to be illegal, it may be determined that the target email is invalid. May be determined not to be illegal.

  Further, the fraudulent mail determination processing unit 13 selects whether the determination target mail is determined by the first method or the second method according to the mail transmission / reception characteristics of the destination user. It is good to do.

  For example, e-mail transmission / reception characteristics vary depending on users who receive a lot (such as superiors who are always included in many subordinates Cc), users who frequently send (such as sales representatives), and dedicated reception addresses (inquiries).

  In the present embodiment, a “determination pattern” is set according to characteristics, and effective determination (decision processing time reduction, etc.) is performed. FIG. 13 shows a determination information setting table for each address in which information including the determination pattern is recorded. This table is stored in the storage device of the unauthorized mail determination device 10 or an external DB server (for example, the destination history DB server 20), and is referred to by the unauthorized mail determination processing unit 13 during the unauthorized mail determination processing. In the embodiment using the table, each of the history tables shown in FIG. 4 and FIG. 10 includes address information of all sent / received mails to / from the outside by the fraudulent mail determination device 10 (in-house mail server). The storage date is recorded.

  In the example of FIG. 13, for example, for the user at the address A, when a mail is received from the outside addressed to the address A, the second method (external reception history) is preferentially used. “Use with priority” means, for example, that the second method is used except when the determination by the second method is not possible (for example, the number of patterns is not sufficient).

  “History matching deadline determination” in FIG. 13 is determined to be normal when a pattern within a predetermined date in the destination history table matches (or the similarity is equal to or greater than a threshold). That is, when the latest pattern that matches the determination target mail is a pattern accumulated in the history table at an old time (e.g., before 30 days), it is determined as an illegal mail. Such a determination method is effective when determining a project that is performed only for a predetermined period.

  “History match count determination” is determined as a fraudulent email if the latest pattern that matches the email to be judged (or whose similarity is equal to or greater than the threshold) is not a pattern based on emails within the predetermined number of messages sent and received most recently. It is. For example, when the determination pattern is “reception history” (second method) and the number of “history matching number determination” is 100, the latest matching with the determination target mail (or the similarity is equal to or greater than the threshold) If the pattern is within the last 100 patterns from the latest mail pattern in the externally received mail destination history table shown in FIG.

  “Pattern matching number determination” is to consider the number of patterns matching the determination target mail (or greater than or equal to a threshold) in the determination. For example, when the “number of pattern matches” is 5, when the number of matched patterns is 4 or less, it is determined as an unauthorized mail, and when it is 5 or more, it is determined as not an unauthorized mail.

  As described above, in this embodiment, paying attention to the fact that groups of users (addresses) that perform mail transmission / reception tend to match to some extent, groups (patterns) remaining as history and received mails Measures the degree of similarity between groups of addresses and detects the heterogeneity of received mail. By adopting such a method, it is possible to accurately determine whether the received mail is illegal or not only by checking on the receiving side without providing a special mechanism on the transmitting side or the relay network. .

  In the present embodiment, the example of the device configuration of the unauthorized mail determination device 10 is shown in FIG. 2, but the device configuration is not limited to FIG. 2, and the unauthorized email determination process described in the present embodiment is performed. Any configuration is possible as long as it can be implemented. For example, the fraudulent mail determination device 10 is a fraudulent mail determination device that determines whether a mail received from the outside is a fraudulent mail, and is transmitted and received between a terminal connected to the fraudulent mail determination device and the outside. Referring to a history database that stores the source address and destination address of each mail as a history, the source address and destination address of received mail received from the outside, and the source address and destination address of each mail in the history database By comparing the illegal mail determination means for determining whether or not the received mail is illegal mail, and when the received mail is determined to be illegal mail by the illegal mail determination means, the destination of the received mail Whether the received mail is forwarded to the terminal according to the input information on the confirmation screen displayed on the terminal It may be configured as bad mail determination device and a fraudulent mail control means for determining.

  For example, the unauthorized mail control means transmits confirmation screen information to the terminal by transmitting an unauthorized mail notification to the terminal of the received mail or based on a confirmation request received from the terminal. Further, the unauthorized mail control means may discard the received mail when the unauthorized mail determination means determines that the received mail is an unauthorized mail.

  The fraudulent mail determination device stores the source address and destination address of each mail transmitted from the terminal to the outside, or the address information for storing the source address and destination address of each mail received from the outside in the history database. Storage processing means is provided.

  The fraudulent mail determination means determines whether there is a pattern that matches the transmission source address and the destination address of the received mail in the pattern consisting of the transmission source address and the destination address in the history database. It can be determined whether the received mail is an illegal mail. Further, the fraudulent mail determination means calculates a similarity between each pattern composed of a source address and a destination address in the history database and a source address and a destination address of the received mail, and the maximum similarity is calculated. By determining whether or not it is equal to or greater than a predetermined threshold, it is possible to determine whether or not the received mail is an unauthorized mail.

The following items are disclosed in the specification.
(Section 1)
A fraudulent mail determination device that determines whether an externally received mail is a fraudulent mail,
Refers to a history database that stores a source address and a destination address of each mail transmitted / received between a terminal connected to the unauthorized mail determination device and the outside as a history, a source address of a received mail received from the outside, and Illegal mail determination means for determining whether the received mail is an illegal mail by comparing a destination address with a source address and a destination address of each mail in the history database;
When the received mail is determined to be illegal mail by the illegal mail determination means, the received mail is sent to the terminal according to input information on a confirmation screen displayed on the destination terminal of the received mail. A fraudulent mail determination device comprising: fraudulent mail control means for determining whether to forward or not.
(Section 2)
A fraudulent mail determination device that determines whether an externally received mail is a fraudulent mail,
Refers to a history database that stores a source address and a destination address of each mail transmitted / received between a terminal connected to the unauthorized mail determination device and the outside as a history, a source address of a received mail received from the outside, and Illegal mail determination means for determining whether the received mail is an illegal mail by comparing a destination address with a source address and a destination address of each mail in the history database;
A fraudulent mail determination device comprising: a fraudulent mail control means for discarding the received mail when the fraudulent mail determination means determines that the received mail is a fraudulent mail.
(Section 3)
The source address and destination address of each mail transmitted from the terminal connected to the unauthorized mail determination device to the outside, or the source address and destination address of each mail received from the outside are stored in the history database. The fraudulent mail determination device according to item 1 or 2, further comprising address information storage processing means.
(Section 4)
A program for causing a computer to function as each means in the unauthorized mail determination device according to any one of Items 1 to 3.

  The present invention is not limited to the above-described embodiments, and various modifications and applications are possible within the scope of the claims.

DESCRIPTION OF SYMBOLS 10 Unauthorized mail determination apparatus 20 Destination history DB server 30 External mail server 11 Mail transfer process part 12 Address information storage process part 13 Unauthorized mail determination process part 14 Unauthorized mail notification control part

Claims (4)

A fraudulent mail determination device that determines whether a received mail received from outside is a fraudulent mail,
Reference is made to a history database that stores a transmission history that is a history of mail sent to the outside and a reception history that is a history of mail received from the outside, and either one of the transmission history and the reception history, or the A fraudulent mail determination means for determining whether or not the received mail is a fraudulent mail using both the transmission history and the reception history;
When the received mail is determined to be invalid by the unauthorized mail determination means, the unauthorized mail control means for executing processing according to the determination that the received mail is determined to be illegal A fraudulent mail determination device characterized by the above. The fraudulent mail determination device according to claim 1, wherein the fraudulent mail determination unit performs the determination by using the transmission history and the reception history properly according to a mail transmission / reception characteristic of a user. The fraudulent mail determination device according to claim 1, wherein the transmission history is information on a header of a mail, and the reception history is information on an envelope of the mail.   The program for functioning a computer as each means in the unauthorized mail determination apparatus of any one of Claims 1 thru | or 3.

Images