JP2019159993A - Information processing device, information processing method, program, and recording medium - Google Patents

Abstract

To determine appropriateness with regard to a compressed file attached to an electronic mail and having had a password set thereto.SOLUTION: An information processing device comprises: a separation notification unit 20 which, when a received electronic mail comes attached with a first compressed file in which a password is set, stores the electronic mail in a temporary saving area and notifies a recipient of the electronic mail to the effect that the electronic mail has been stored in the temporary saving area; a decompression unit 30 for decompressing the first compressed file and extracting a first file due to that the password is inputted; and a determination processing unit 40 for determining, with regard to the first file, whether or not the first file is appropriate.SELECTED DRAWING: Figure 1

Description

  The present invention relates to an information processing apparatus, an information processing method, a program, and a recording medium that process a compressed file.

  Since there is a risk of being infected with a virus by an email received from the past, it has been proposed to perform filtering on such email. For example, Patent Document 1 discloses dealing with so-called “spoofed” e-mail, stores e-mail addressed to the user, and determines whether the e-mail addressed to the user is a spoofed mail. It is disclosed that a Web mail server is used.

  If a compressed file with a password is attached to an e-mail, the appropriateness of the file cannot be determined. For this reason, improper e-mail such as sender disguise cannot be determined using a compressed file.

JP 2012-78922 A

  The present invention provides an information processing apparatus, a program, a recording medium, and an information processing method that can determine whether or not a compressed file with a password set attached to an e-mail is appropriate.

An information processing apparatus according to the present invention includes:
When the first compressed file with the password set is attached to the received e-mail, the e-mail is stored in the temporary save area and the e-mail is stored or stored in the temporary save area. A separation notification unit for notifying the recipient of the email;
A decompression unit that decompresses the first compressed file and retrieves the first file by inputting the password;
A determination processing unit for determining whether the first file is appropriate for the first file;
May be provided.

In the information processing apparatus according to the present invention,
The determination processing unit transmits the e-mail to the recipient when it is determined that the first file is appropriate, and a predetermined action when it is determined that the first file is inappropriate. After executing, an e-mail for which an action has been performed may be sent to the recipient.

In the information processing apparatus according to the present invention,
When the determination processing unit transmits the electronic mail to the recipient, the determination processing unit may transmit the first compressed file after resetting the password.

In the information processing apparatus according to the present invention,
When the determination processing unit transmits the electronic mail to the recipient, the determination processing unit may transmit the first compressed file with the password released to the recipient.

An information processing apparatus according to the present invention includes:
A storage unit for storing the permitted transmission source;
When the transmission source is the permitted transmission source, the determination processing unit includes the first compressed file with the password set in the email, even if the first compressed file is attached. You may send to the recipient of the said email, without judging whether a 1st file is appropriate.

In the information processing apparatus according to the present invention,
The determination processing unit may delete the first compressed file that has not been decompressed by the decompression unit and transmit the email to the recipient.

In the information processing apparatus according to the present invention,
When the (n + 1) th compressed file is stored in the nth compressed file decompressed by the decompression unit (“n” is an integer equal to or greater than 1), the determination processing unit determines that the (n + 1) th compressed file exists. Notify the recipient of the email,
The decompression unit decompresses the compression of the n + 1-th compressed file by inputting the password, takes out the n + 1-th file,
The determination processing unit may determine whether the n + 1th file is appropriate for the n + 1th file.

In the information processing apparatus according to the present invention,
When the (n + 1) th compressed file is stored in the nth compressed file (“n” is an integer equal to or greater than 1) decompressed by the decompressor, the decompressor automatically assigns a password to the (n + 1) th compressed file. You may enter.

In the information processing apparatus according to the present invention,
If the (n + 1) th compressed file is not decompressed by the password automatically input by the decompression unit, the determination processing unit may notify the recipient of the e-mail that the (n + 1) th compressed file exists. .

In the information processing apparatus according to the present invention,
When a plurality of n + 1 compressed files are stored in the n th compressed file decompressed by the decompressing unit, the determination processing unit appropriately selects the n + 1 file in the n + 1 compressed file that has been decompressed. The n + 1th compressed file that has not been decompressed may be deleted.

In the information processing apparatus according to the present invention,
The upper limit number of hierarchies to be decompressed by the decompression unit is set in advance, and when the upper limit number is exceeded, the decompression unit does not have to decompress the compressed file.

An information processing method according to the present invention includes:
When the first compressed file with the password set is attached to the received e-mail, the e-mail is stored in the temporary save area and the e-mail is stored or stored in the temporary save area. Notifying the recipient of the email;
Extracting the first file by decompressing the compression of the first compressed file by inputting the password;
Determining whether the first file is appropriate for the first file;
May be provided.

The program according to the present invention is:
A program for causing an information processing apparatus to execute an information processing method,
The information processing apparatus includes:
When the first compressed file with the password set is attached to the received e-mail, the e-mail is stored in the temporary save area and the e-mail is stored or stored in the temporary save area. Notifying the recipient of the email;
Extracting the first file by decompressing the compression of the first compressed file by inputting the password;
Determining whether the first file is appropriate for the first file;
An information processing method comprising:

The recording medium according to the present invention comprises:
The program described above may be recorded.

  In the present invention, when a compressed file with a password is attached to the received e-mail, the e-mail is stored in the temporary save area and the e-mail is stored or stored in the temporary save area. In the case of adopting a mode in which the recipient of the e-mail is notified, the file is extracted by decompressing the compressed file by inputting the password, and whether the file is appropriate for the file is adopted Can quickly determine the appropriateness of a file stored in a compressed file for which a password is set.

The figure which showed an example of the flow of the process by embodiment of this invention. 1 is a block diagram of an information processing apparatus that can be used in an embodiment of the present invention. The figure which showed the aspect of the camouflage regarding the link destination information which can be used in embodiment of this invention. The figure which showed an example of the notification screen which can be used by embodiment of this invention. The figure which showed an example of the password input screen which can be used by embodiment of this invention. The figure which showed an example of the hierarchy of the compression file which can be used by embodiment of this invention. The figure which showed an example of the processing content at the time of decompress | decompressing the compression file which can be used by embodiment of this invention.

Embodiment << Configuration >>
Embodiments of an information processing apparatus according to the present invention will be described below with reference to the drawings. In this embodiment, “or” also includes the meanings of “and”. That is, in the present embodiment, A or B means A, B, or A and B.

  The information processing apparatus according to the present embodiment may be configured from a single apparatus, but may be configured from a plurality of apparatuses. When the information processing device is composed of a plurality of devices, the devices constituting the information processing device may be installed in different rooms or different places, and a part of the information processing device and the rest of the information processing device may be remotely located. May be arranged.

  The information processing apparatus according to the present embodiment may be provided in the internal network, may be provided in a boundary (DMZ: DeMilitarized Zone) connecting the internal network and the external network, or provided in the external network. Also good. The information processing apparatus may be an MTA (Message Transfer Agent).

  As shown in FIG. 2, the information processing apparatus according to the present embodiment includes a storage unit 10 including a temporary save area, and a first compressed file with a password attached to the received e-mail. A separate notification unit 20 (see (2) in FIG. 1) for notifying the recipient of the e-mail that the e-mail has been stored or has been stored in the temporary save area, and a password Is input, a decompression unit 30 that decompresses the compression of the first compressed file and extracts the first file, a determination processing unit 40 that determines whether the first file is appropriate for the first file, You may have. The password for the first compressed file may be input from the notified e-mail recipient (see (3) in FIG. 1). When performing the camouflage determination for determining whether or not the camouflage is camouflaged, the temporary saving may be canceled and moved from the temporary saving area to another area. An example of the compressed file is a ZIP file. The e-mail recipient is, for example, a mail address described in “Envelope To”.

  If it is not known whether or not a password is set for the first compressed file, the determination processing unit 40 may determine whether or not the transmission source is appropriate within a possible range. A mode for determining whether or not the transmission source is appropriate will be described later. The determination processing unit 40 may determine whether or not an uncompressed file (normal file) is appropriate. The first compressed file determined to be inappropriate by the determination processing unit 40 and the uncompressed file (normal file) may be deleted by the determination processing unit 40.

  As illustrated in FIG. 2, the storage unit 10 may include a first storage unit 11 that stores received e-mails and a second storage unit 12 that is isolated from the first storage unit 11. When the determination processing unit 40 determines that the e-mail transmission source is inappropriate, such as when it is determined that the e-mail transmission source information is camouflaged, the e-mail is stored in a second directory such as a dedicated directory. It may be stored in the storage unit 12.

  The e-mail separated by the separation notification unit 20 and stored in the temporary save area may be handled as an e-mail waiting for inspection, and may enter a password input waiting state. At this time, the e-mail and the file such as the first compressed file may be stored without being separated. Employing such an aspect is advantageous in that it saves the trouble of associating the e-mail and the file attached to the e-mail later. However, the present invention is not limited to this mode, and files such as the first compressed file may be stored separately from the e-mail.

  The notification to the recipient of the e-mail from the separation notification unit 20 may be performed immediately after being separated and stored in the temporary save destination, or may be repeatedly performed at predetermined intervals until a password is input. The predetermined interval may be 24 hours. For example, the notification may be issued once a day at a set time.

  The predetermined interval at which the notification is made may be shortened as time elapses, and notification is given at the interval of the first time until the first period elapses, and when the first period elapses, the second time (second time < Notification may be performed at intervals of (first time). When such an aspect is adopted, notifications are frequently issued as time passes, and it is possible to prevent a situation in which the recipient forgets to release the password lock. Further, when a certain period of time has passed, an emphasis message such as “Urgent” or “URGENT” may be displayed in the title.

  The notification may be made not only to the receiver but also to a preset administrator. When such an aspect is adopted, the administrator can grasp that the compressed file in which the password is locked and the password is not released is stored.

  The e-mail notified from the separation notification unit 20 may be in the form as shown in FIG. 4 and includes a message for prompting password input and link destination information for inputting the password (“password input screen” in FIG. 4). ), E-mail information including the subject, date / time, sender and attached file information, and e-mail text may be displayed. Employing such an aspect is advantageous in that the recipient of the e-mail cannot confirm the attached file but can confirm the mail text. The title of the e-mail notified from the separation notification unit 20 may indicate that a password input is requested as shown in FIG. When such an aspect is adopted, the receiver can easily recognize that the password input is requested. In the aspect shown in FIG. 4, it is also displayed that control is performed by “m-FILTER” (registered trademark) which is a filtering system.

  When the recipient clicks link destination information related to the password input screen, a password input screen as shown in FIG. 5 may be displayed. When there are a plurality of attached files, a password may be input for each attached file. The present invention is not limited to this mode, and even when a plurality of attached files exist, the same password may be input to each attached file. When a password is entered, it may be masked with ●●●. If an incorrect password is entered, an error message may be displayed. The input of the password is not limited to the mode performed from the password input screen as shown in FIG. 5, and may be performed by inputting the password in the reply mail for the notification mail to the recipient. When “English” in the lower right of FIG. 5 is selected, a sentence is displayed in English.

  On the password input screen, information in the header From may be displayed as the sender, and the headers To and CC may be displayed as the receiver. The mail text may be hidden. This is because it is dangerous to display the mail text because it is before detoxification.

  It may be determined whether or not the determination processing unit 40 is appropriate for the first file extracted by inputting the password (see (4) in FIG. 1). When the determination processing unit 40 determines that the determination processing unit 40 is appropriate, the electronic mail is transmitted to the recipient as the reception destination, and when the determination processing unit 40 is determined to be inappropriate, the predetermined action is executed. Then, the electronic mail in which the action is executed may be transmitted to the recipient who is the recipient (see (6) in FIG. 1). When link destination information is included in the first file, the appropriateness may be determined based on the link destination information. For example, when the display URL displayed as the link destination in the text in the first file is different from the actual URL that is the actual link destination (see FIG. 3A), the actual URL that is the actual link destination is prohibited. When it is a link to a file with an extension (see FIG. 3B), when a prohibited keyword is displayed in association with the actual URL that is the actual link destination (see FIG. 3C), When the actual URL that is the actual link destination includes the global IP (see FIG. 3D), and the link destination information is included in the text in the first file, but no other information is described In any one or more cases, the first file may be determined to be inappropriate. Details of this point will be described later.

  When the determination processing unit 40 transmits an e-mail to the recipient, the determination processing unit 40 may transmit the first compressed file after resetting the password that was originally set. . The present invention is not limited to such a mode. When the determination processing unit 40 transmits an e-mail to a recipient who is a recipient, the determination processing unit 40 displays the first compressed file in a state where the password is released to the receiver. You may send it.

  The storage unit 10 may store the permitted transmission source as a white list. When the transmission source is the permitted transmission source, the determination processing unit 40 is configured to display the first file in the first compressed file even if the first compressed file with the password set is attached to the e-mail. It may be transmitted to the recipient of the e-mail without judging whether or not is appropriate (see (5) in FIG. 1). Further, when the transmission source is a permitted transmission source, the separation notification unit 20 may not separate the electronic mail. As the permitted transmission source, the sender's domain, IP address, and the like may be stored in the storage unit 10. As an example, by selecting “reliable transmission source” in FIG. 5, the domain, IP address, and the like of the subject sender are stored in the storage unit 10 as the permitted transmission source. In this case, future e-mails from the sender will not be required to enter a password, and will be sent to the recipient of the e-mail without determining whether the first file in the first compressed file is appropriate. (Refer to (5) in FIG. 1). The transmission source and the reception destination may be associated and stored in the storage unit 10 and may be whitelisted by a combination thereof. In this way, the sender and receiver are combined and whitelisted. For example, when the first receiver receives an e-mail from the first sender, it is determined as the permitted sender. When a second recipient different from the recipient receives an email from the first sender, a password entry may be required to inspect the compressed file.

  When “untrusted sender” in FIG. 5 is selected, it is possible not to receive an e-mail from the sender. The transmission source and the reception destination may be associated and stored in the storage unit 10 and may be blacklisted by a combination of these. In this way, the sender and receiver are combined and blacklisted, so that, for example, when the first receiver receives an e-mail from the first sender, it is determined as a prohibited sender, but the first reception When a second recipient, who is different from the recipient, receives an email from the first sender, the email is received as a normal sender, and when a compressed file is attached, a password is entered to inspect the compressed file. It may be required. Further, the mail for which “untrusted sender” is selected may be deleted immediately.

  On the other hand, when the transmission source is not registered as the permitted transmission source, it may be determined whether or not the transmission source is locked with a password (see (1) in FIG. 1).

  The determination processing unit 40 may delete the first compressed file that has not been decompressed by the decompression unit 30 after a certain period has elapsed without inputting a correct password, and may send an e-mail to the recipient.

  When the file has a multi-stage configuration, the notification, the password input, and the decompression by the separation notification unit 20 may be repeated in each layer. That is, when the (n + 1) th compressed file is stored in the nth compressed file (“n” is an integer equal to or greater than 1) decompressed by the decompressing unit 30, the determination processing unit 40 indicates that the n + 1th compressed file exists. May be notified to the recipient of the email. The decompressing unit 30 may extract the n + 1-th file by decompressing the n + 1-th compressed file by inputting the password. The determination processing unit 40 may determine whether the (n + 1) th file is appropriate for the (n + 1) th file. For example, when the second compressed file is stored in the first file decompressed by the decompressing unit 30 (see FIG. 6), the determination processing unit 40 determines that the second compressed file exists and receives the e-mail recipient. May be notified. The decompressing unit 30 may retrieve the second file by decompressing the second compressed file by inputting the password. The determination processing unit 40 may determine whether the second file is appropriate for the second file.

  When a plurality of n + 1 compressed files are stored in the n th compressed file decompressed by the decompressing unit 30, the determination processing unit 40 determines whether the n + 1 file in the n + 1 compressed file that has been decompressed is appropriate. The (n + 1) th compressed file that has not been decompressed may be deleted. Further, it may be determined whether or not the (n + 1) th compressed file that has not been decompressed is appropriate within a possible range. As an example of a mode for determining whether or not the file is appropriate for the compressed file, the determination processing unit 40 uses the file name as a determination material, and one or a plurality of blanks are provided before the extension of the file name. If the prohibition control code is included in the file name, the compressed file may be determined to be inappropriate.

  The upper limit number of layers to be decompressed by the decompression unit 30 may be set in advance. When the upper limit is exceeded, the decompression unit 30 may not decompress the compressed file. In this case, the determination processing unit 40 may perform impersonation determination as much as possible for the compressed file that has not been decompressed by the decompression unit 30. For example, 3 to 10 may be used as the upper limit number of layers. When the password lock of all the compressed files and files can be released, or when the upper limit number of hierarchies is exceeded, the judgment processing unit 40 determines the appropriateness of the files for which the password lock is released. May be.

  When the file has a multi-stage configuration, the determination processing unit 40 may input the password input to the nth compressed file as a password to a lower layer file such as the (n + 1) th compressed file. . When the compressed file is not decompressed with this password, the separation notification unit 20 may notify the user and request the input of the password. When such an aspect is adopted, since the recipient is not required to input a common password, the troublesomeness as the recipient can be reduced.

  Such password input may be repeated. For example, when the n + 2 compressed file is stored in the n + 1 compressed file, the determination processing unit 40 inputs the password input to the n + 1 compressed file as the password for the n + 1 compressed file. The same password may be input to the n + 2 compressed file in the decompressed n + 1th file.

  The storage unit 10 may store a password list. The password in the password list is stored in association with the sender, and for a file attached to an e-mail from a sender, the password for the sender may be automatically input. For example, one or more first passwords are associated with the first sender, and the password for the first sender is automatically assigned to a file attached to an email from the first sender. It may be entered. Similarly, one or more second passwords are associated with the second sender, and the password for the second sender is automatically assigned to the file attached to the email from the second sender. You may make it input by. Registration in the password list may be limited to a person having a certain authority such as an administrator. The recipient may be able to register in the password list when entering the password. A registered sender address may be paired with a password to be whitelisted, or a previously registered password may be paired with a sender address to be whitelisted.

  The determination processing unit 40 may sequentially apply a plurality of passwords stored in the storage unit 10 to the password-locked file attached to the e-mail. In this way, when a plurality of passwords stored in the storage unit 10 are sequentially applied and the password cannot be released, the separation notification unit 20 separates the e-mail and notifies the separation or separation. It may be.

  When the preset retention period has passed, the e-mail stored in the temporary save area may be automatically transmitted to the recipient. The retention period may be settable. For example, it may be set such as several hours, 1 day, 3 days, or the like. Also, “same day” can be set. When “same day” is set, the holding time is set until the date changes.

  When automatic transmission is performed after a preset holding period, the determination processing unit 40 may determine the appropriateness of the e-mail as much as possible. Even when automatic transmission is performed, if the determination processing unit 40 determines that the file is inappropriate, the attached file may be deleted. However, it may be possible to set whether to delete the attached file when automatically transmitting, or it may be set so that the file is not deleted. In the case of automatic transmission, that fact may be described in the text or title of the e-mail. When such an aspect is adopted, the recipient can recognize that only a simple forged email determination is performed, and if the recipient feels necessary, the recipient can view the file attached to the email. The password may be released, and the determination processing unit 40 may be made to determine the forged mail.

  The format of the compressed file is typically ZIP, but various formats such as TAR, CAB, 7z, and RAR can be used. Note that a compressed file format that can be decompressed may be set in advance. In this case, when a file is attached to an electronic mail in a compressed file format that cannot be decompressed, the compressed file may be deleted. Further, even in a compressed file format that can be decompressed, the compressed file may be deleted in a predetermined case. For example, even if a file compressed with ZIP can be decompressed, if the compressed file is encrypted with AES128 / 192/256, the compressed file is deleted. Also good. Moreover, you may perform the camouflage determination in the range which the determination process part 40 can replace instead of deleting.

  If the file cannot be inspected, the password will not be entered, the password will be entered but it will continue to be incorrect, and if a certain amount of time has passed, or if the password will be entered incorrectly more than a certain number of times, the attachment hierarchy will be If the password is locked and it cannot be determined whether the password is locked, the password-attached attached file format is not compatible with the system.

  As an action (control mode) for a file that could not be inspected, one of transmission, quarantine, and deletion may be settable. When it is determined to be quarantined or deleted, notification to any one of the administrator, the receiver, and the sender may be performed. The notification to the administrator, the recipient, and the sender may include information on the subject and text of the target email. Further, information on a screen as shown in FIG. 4 may be transmitted by e-mail.

  If the attachment hierarchy exceeds the upper limit of the hierarchy and it cannot be determined whether the password is locked, it may be possible to send an e-mail with only the decompressed hierarchy attached, or the decompressed hierarchy. The e-mail may be transmitted after deleting all the files.

  You may make it perform a detoxification process with respect to an attached file. As the detoxification process, for example, the macro of the attached file may be removed after releasing the password lock of the attached file, or the attached file may be deleted. The attached file from which the macro has been removed may be compressed in a format such as ZIP using the original password, attached to the original e-mail, and transmitted to the recipient. Further, the attached file from which the macro has been removed may be compressed in a format such as ZIP without being passworded, attached to the original electronic mail, and transmitted to the recipient. Further, the attached file from which the macro has been removed may be attached to the original electronic mail without being compressed and transmitted to the recipient. When the detoxification process is performed, the content of the detoxification process may be notified to the recipient.

  The compression may be performed in a format different from the original compression format. For example, when it was attached to the original e-mail, it was compressed in the first format, but when it is compressed again after the password lock is released, it is compressed in a second format (for example, ZIP) different from the first format. You may do it. In addition, even when it was compressed in the second format when it was attached to the original electronic mail, it may be compressed in the second format. When such an aspect is adopted, since it can be compressed in a uniform format (second format) when it is compressed again, it is advantageous in that control becomes easy.

  If the file attached to the e-mail uses a prohibited extension, and there are multiple extensions in the file name, one or more of the file name attached to the e-mail If there are multiple blanks, if the file name attached to the e-mail contains a prohibition control code, if the file attached to the e-mail is an executable file, the file is sent to the e-mail. May be attached, but the determination processing unit 40 may determine that the mail information may be inappropriate, for example, when the body of the electronic mail is empty. In these cases, even if the file is password-locked, it is possible to determine whether it is appropriate without releasing the password lock, and these modes are included in the above-described determination in the “possible range”.

  Examples of prohibited extensions include modes where “exe” is used such as “quote.exe” and modes where multiple extensions are used such as “quote.pdf.exe” Can do. As an example of the prohibition control code, a mode in which “RLO” is used such as “estimate (RLO) xcod.exe” can be cited. Here, “RLO” is “Right-to-Left Override”, which is a symbol for reversing the horizontal arrangement of horizontally written characters. By using such “RLO”, it may be used to prevent the user from recognizing that it is an executable file, so it is determined that the mail information may be inappropriate. Also good. Examples of the case where the file is an executable file include an embodiment in which extensions such as “exe”, “dll”, “obj”, “sys”, and “com” are used. The prohibited control code or extension may be input from an input unit such as the input unit 90 shown in FIG.

  When the file attached to the e-mail is in a prohibited format or the file attached to the e-mail includes a macro, the determination processing unit 40 determines that the mail information may be inappropriate. May be.

  As an example of a case where a blank is provided before the extension of the file name of the file attached to the e-mail, for example, a mode in which the file name is “estimate.exe” can be cited. The determination processing unit 40 may determine that the mail information may be inappropriate when the number of blanks provided before the file name extension is equal to or greater than a certain value (for example, 5 words). . The number of blanks may be input from input means such as the input unit 90.

  Even when a URL that is inappropriate for browsing is included in the file attached to the e-mail, the determination processing unit 40 may determine that the mail information may be inappropriate. The inappropriate URL may be a URL (black list information) registered in the storage unit 10 in advance.

  When the camouflage determination regarding the file is performed, the content of the camouflage determination and the result thereof may be notified to the recipient. This notification may be performed by adding to the mail text of the electronic mail to be delivered, or may be transmitted as an electronic mail different from the electronic mail to be delivered.

  An inappropriate file may be collected by a honey pod or the like, and a hash value of the file may be acquired. Then, this hash value may be blacklisted and compared with the hash value of the file to be inspected.

  Virus detection may be performed on the email stored in the second storage unit 12 such as a quarantined email (see (7) in FIG. 1) using anti-virus software or the like. In addition, among the emails stored in the second storage unit 12, the email detected as dangerous by the anti-virus software may be automatically deleted. When such an aspect is adopted, the number of e-mails stored in the second storage unit 12 can be reduced, and for example, the burden of appropriateness evaluation by an in-house administrator can be reduced.

  Further, the electronic mail stored in the second storage unit 12 may be automatically deleted after a predetermined time has elapsed. The predetermined time for deleting the e-mail may be input from the input unit 90 or may be set in advance. In addition, the automatic deletion function may be switched on and off by the input unit 90.

  The administrator may be notified of the number of e-mails stored in the second storage unit 12, the number of times according to the date and time, etc., or may be stored in the storage unit 10 so that the administrator can check appropriately. It may be. When such an aspect is adopted, it is advantageous in that the number of e-mails determined to be inappropriate and the increase / decrease in the number along the time axis can be confirmed.

  A relay unit 50 (see FIG. 2) that relays web access from an internal terminal in the internal system may be provided. When the determination processing unit 40 determines that the mail information is inappropriate based on the link destination information, the relay unit 50 stores the link destination in the storage unit 10 and rejects access from the internal terminal to the link destination. Also good. An internal terminal means an information processing apparatus such as a personal computer connected to an internal network. The storage unit 10 may store e-mail information in association with the link destination. The e-mail information may include the body of the e-mail, the date and time of acquisition, the sender address, etc. When a file is attached to the e-mail, the information on the file is also included in the e-mail information. May be.

  The link destination information may include all information related to the link destination acquired from the mail text, the attached file attached to the e-mail, the macro of the attached file, or the like. The mail body may include both a text format and an HTML format, and the URL of the link portion may be acquired for the HTML format. Access to the URL stored in the storage unit 10 and prohibited from being accessed by the relay unit 50 may be permitted via the input unit 90.

  Even if the file is divided as a result of the division of the e-mail, the determination processing unit 40 may combine the divided files and restore them into one file. Then, the determination processing unit 40 may determine the appropriateness of the restored file.

  Next, other modes for determining whether or not the transmission source is appropriate will be described below.

[Sender Information]
First, an aspect in which the determination processing unit 40 determines that the received electronic mail information may be inappropriate based on the transmission source information will be described.

  The determination processing unit 40 may acquire impersonation determination information from the external terminal 100 provided outside the internal network, and may determine whether the sender information of the email is impersonated using the impersonation determination information. At this time, the determination processing unit 40 may compare the camouflage determination information and the transmission source information to determine whether the transmission source information is camouflaged. The external terminal 100 may be a DNS (Domain Name System) server, for example. The camouflage determination information may be, for example, an SPF (Sender Policy Framework) record. Whether the transmission source information of the electronic mail is camouflaged may be a connection source IP address, a transmission source mail address, an FQDN (Fully Qualified Domain Name) of the connection source MTA, or the like.

  The determination processing unit 40 may determine whether the transmission source information is camouflaged using transmission source information other than the camouflage determination information. As an example, if the header transmission destination (header From) and the envelope transmission destination (envelope From) do not match, it may be determined that the electronic mail may be inappropriate.

  Also, when the number of relay servers (Received header number) that passed from the sender to the receiver is equal to or greater than a predetermined threshold, for example, “Received: from [20x.0.xxx.1] by example1.ne.jp ; Tue, 14 Sep 2010 15: 16: 37JST "may be included in the determination processing unit 40 when the description includes a number greater than or equal to a threshold value. . Further, the threshold value may be determined in advance or may be changed from the input unit 90.

  When receiving via an unexpected waypoint (for example, China, Russia, etc.), the determination processing unit 40 may determine that the e-mail may be inappropriate. At this time, the country may be specified by the IP address of Received: from [20x.0.xxx.1]. An unexpected waypoint may be determined in advance or may be changed from the input unit 90.

  When the transmission source transmits an electronic mail using mail software different from the mail software that has been used, the determination processing unit 40 may determine that the electronic mail may be inappropriate. The mail software that has been used before is stored in the storage unit 10, and the judgment processing unit 40 compares the mail software stored in the storage unit 10 with the mail software used in the sent e-mail. You may judge. It may be input from the input unit 90 that there is no problem even if the mail software is different for the sender, and in this case, the email sent later is sent to the sender of the email The e-mail software may be correct, or both the e-mail mail software that has been used before and the e-mail mail software that has been sent later may be stored in the storage unit 10 as correct.

  When the transmission source transmits an e-mail using free mail, the determination processing unit 40 may determine that the e-mail may be inappropriate. Also in this case, it may be input from the input unit 90 that there is no problem in using the free mail for the transmission source. In this case, the free mail is transmitted to the transmission source. The e-mail may be stored in the storage unit 10 as no problem.

[Link information]
Next, an aspect in which the determination processing unit 40 determines that the received electronic mail information may be inappropriate based on the link destination information will be described.

  If the link destination information is included in the email, the determination processing unit 40 may determine whether the email is appropriate based on the link destination information. In this aspect, when the display URL displayed as the link destination in the electronic mail is different from the actual URL that is the actual link destination (see FIG. 3A), the determination processing unit 40 becomes the actual link destination. When the actual URL is a link to a file with a prohibited extension (see FIG. 3B), when the prohibited keyword is displayed in association with the actual URL that is the actual link destination (FIG. 3C )), When the actual URL that is the actual link destination includes the global IP (see FIG. 3D), when the link destination information is included in the email, but the body of the email is empty In such cases, it may be determined that the e-mail may be inappropriate. The “link destination information” in the present embodiment includes all information related to the link destination acquired from the mail text, the attached file attached to the e-mail, the macro of the attached file, and the like. For this reason, when URL information is included in the compressed file whose password has been removed, the appropriateness of the e-mail may be determined using the URL information as described above.

In the mode shown in FIG. 3A, the email address of “ http://technet.ABC.com ” is displayed as the display URL in the body of the email, but the actual URL is “ http: // technet. ABC.com.xx "and they are different. In the mode shown in FIG. 3B, “ upload file.exe ” is obtained, and “exe” is added, which is a link to a file having a prohibited extension. In the mode shown in FIG. 3C, a forbidden keyword “authenticate now” is displayed in association with the actual URL. Here, the prohibited keyword is “related to the actual URL” because, for example, the prohibited keyword is displayed before and after the actual URL, or an arrow appears from the prohibited keyword to indicate the actual URL. Means embodiment. The prohibited keyword may be changed from input unit 90 such as input, addition, deletion, and correction. In the mode shown in FIG. 3D, the global IP of “ 123.45.67.89 ” is included.

  The determination processing unit 40 may determine that the e-mail may be inappropriate when a redirect URL including a shortened URL is used. Redirection means passing through another server without directly connecting to the server where the content is stored. The shortened URL is a shortened URL of a long character string and can be used to connect to the original long URL using redirection.

  In the case where the text registered in the storage unit 10 or the like does not include “all” but only “part”, there is a possibility that the URL is spoofed. You may decide that your email may be inappropriate. As an example, when “example.com” is registered, a URL “http: //example.com.xxxx/xxxxxx” is described.

[Body information]
Next, an aspect in which the determination processing unit 40 determines that the received electronic mail information may be inappropriate based on the text information will be described.

  The determination processing unit 40 may determine that the electronic mail may be inappropriate based on the text information of the mail.

  When a language other than a predetermined language is included in the body of the email, for example, when a non-Japanese kanji such as traditional or simplified is included, the determination processing unit 40 may have an inappropriate email. You may judge that there is. The permitted language or the prohibited language may be input from the input unit 90.

  In the case where a non-existing organization or company name or telephone number is described in the body of the e-mail, the determination processing unit 40 may determine that the e-mail may be inappropriate. In the case of adopting this mode, the determination processing unit 40 may be able to acquire information regarding an existing organization, company name, telephone number, and the like. Information regarding such an existing organization, company name, telephone number, and the like may be stored in the storage unit 10 or may be stored in an external storage unit provided in an external device. The external device in the present embodiment means any device other than the information device in the present embodiment.

  The determination processing unit 40 may determine that the electronic mail may be inappropriate if the sender's email address is different from the email address described in the signature of the email body. In addition, the determination processing unit 40 may determine that there is a possibility that the e-mail may be inappropriate when the content for requesting the description of the ID or password is described in the text.

  If nothing is described in the text, the determination processing unit 40 may determine that the electronic mail may be inappropriate.

  If the text includes “numeric character reference”, the determination processing unit 40 may determine that the electronic mail may be inappropriate. “Numerical character reference” corresponds to “character string” and “numeric character” and can be converted to each other. The decision processing unit 40 is "&#22823; &#25163; &#30010; &#12398; &#26576; &#27861; &#24459; &#20107; &#21209; &#25152; &#12391; &#24453; &#12387; &#12390; &#12356; &#12414; &#12377; It is possible to determine that “character reference” is included, or to determine whether “numeric character” as described above can be returned to “character string” according to a predetermined rule. ”, It may be determined that“ numeric character reference ”is included in the text. As an example, “&#22823; &#25163; &#30010; &#12398; &#26576; &#27861; &#24459; &#20107; &#21209; &#25152; &#12391; &#24453; &#12387; &#12390; &#12356; &#12414; &#12377; `` numeric characters '' can be applied to the Otemachi Sakai Law Office by applying a predetermined rule. It can be converted to the string “Waiting”. As described above, when the “numeric character” can be returned to the “character string” without any problem, the determination processing unit 40 may include the “numeric character reference” in the body of the email, and the email may be inappropriate. You may judge that there is. In addition, although it demonstrates using the aspect in which the "text" contains "numeric character reference" here, it is not restricted to this, For example, the title of an e-mail contains "numeric character reference" In this case, the determination processing unit 40 may determine that the electronic mail may be inappropriate.

  The reason why it is determined that there is a possibility that the electronic mail is inappropriate may be stored in the storage unit 10 and be searchable. For example, if it is determined that there is a possibility that an e-mail is inappropriate due to the use of a prohibited extension in the file, this is stored in the storage unit 10 and can be searched by the administrator. It may be.

  The method for controlling the received mail may be changed for each group. An administrator may be set for each group. The members of the group may be able to change as appropriate. When members in a group overlap, it may be possible to appropriately select which group control method is applied.

  When the determination processing unit 40 determines that the received e-mail may not be appropriate, the e-mail may be stored in the second storage unit 12 described above.

  The determination processing unit 40 may delete an electronic mail that is determined to be inappropriate. When deleting an e-mail, only a log may be left. By deleting the e-mail in this way, it is possible to prevent an accident such as the e-mail being opened by mistake.

  Further, when the attached file is deleted, the URL information is deleted, or any detoxification process is performed, the part that the detoxification process is performed and / or the content of the detoxification process is not visible to the user (for example, (Header) may be added or changed. By recording such processing, the administrator or the like may be able to search for the target e-mail later.

  If an e-mail is detoxified, the detoxification process is performed and / or the content of the detoxification process is described in the body of the e-mail and sent to the recipient and the administrator. May be.

  When the mail text is in the HTML format, the actual URL may not be displayed, so the determination processing unit 40 may acquire information regarding the actual URL.

  Permitted URL information may be stored in a storage unit such as the storage unit 10 as information regarding a URL having no problem. Even if URL information is included in the e-mail, if the URL information corresponds to the permitted URL information, the determination processing unit 40 may determine that the e-mail has no problem.

  The storage unit 10 may store a destination that has been transmitted and received a predetermined number of times (for example, 10 times) or more as permitted transmission source information. In addition, the predetermined number of times may be input from the input unit 90 and may be changed.

  The storage unit 10 may store the URL that the determination processing unit 40 has determined to be problematic. By comparing the URL with the URL stored in this manner, the determination processing unit 40 receives e-mails that will be received next time. Appropriateness may be determined. When the storage unit 10 stores the URL that is determined to have a problem as described above, the storage unit 10 may also store information on an e-mail in which the URL is described or attached. This e-mail information may include the body of the e-mail, the date and time of acquisition, the sender address, etc. If a file is attached to the e-mail, the information on the file is also included in the e-mail information. May be included.

  Note that the determination processing unit 40 does not have to make a determination regarding the appropriateness of an e-mail (eg, sender impersonation) for an e-mail transmitted via an internal network without going through an external network.

  In the present embodiment, an information processing method in all aspects related to the information processing apparatus described above, a program for generating the information processing apparatus, and a recording medium including a USB memory, a CD, a DVD, and the like that record the program are also provided. .

  The information processing apparatus according to the present embodiment is generated by installing a program such as a server program. This program may be distributed by e-mail, may be obtained by logging in after accessing a predetermined URL, or may be recorded on a recording medium. The information processing method of the present embodiment is performed by an information processing apparatus in which the program is installed.

"effect"
Next, the effects of the present embodiment having the above-described configuration that have not been described will be mainly described. Note that any configuration described in “Effects” can be used as the configuration of the present embodiment.

  When a compressed file with a password is attached to the received e-mail, the e-mail is stored in the temporary save area, and the e-mail is stored or stored in the temporary save area. If the recipient of the email is notified and the password is entered, the compressed file is decompressed and the file is extracted, and if the file is judged to be appropriate for the file, the password is Appropriateness can be quickly determined for files stored in the set compressed file. First, it can be expected that a password is quickly input by notifying the recipient. In addition, if a file is stored in a compressed file with a password set, the appropriateness of the stored file cannot be determined. However, according to this aspect, the file is stored in a compressed file with a password set. Even if is stored, the appropriateness of the file can be determined.

  In this embodiment, when it is determined that the file is appropriate, an e-mail is transmitted to the recipient, and when it is determined that the file is inappropriate, after a predetermined action is executed, the action is In the case of adopting a mode in which the executed electronic mail is transmitted to the receiver, the receiver receives the electronic mail after appropriate measures are taken.

  When the determination processing unit 40 transmits the e-mail to the recipient, the determination processing unit 40 adopts a mode in which the first compressed file after resetting the password is attached and transmitted. E-mail can be sent to the recipient in a manner that is substantially the same as

  When the determination processing unit 40 employs a mode in which the determination processing unit 40 transmits the first compressed file with the password released to the receiver when the e-mail is transmitted to the receiver, the receiver again This eliminates the need to enter a password and saves time.

  If the sender is an authorized sender, even if a compressed file with a password is attached to the email, the email is sent without determining whether the file in the compressed file is appropriate. Adopting the mode of sending to the recipients of the recipients is beneficial in that it is not necessary to judge the adequacy of the email from the sender that the user has judged to be safe.

  When the first compressed file that has not been decompressed by the decompression unit 30 is deleted and an e-mail is sent to the recipient, the first compressed file that cannot be checked for appropriateness is prevented from being sent to the recipient. However, the e-mail text and the like can be transmitted to the recipient.

  When the (n + 1) th compressed file is stored in the nth compressed file (“n” is an integer equal to or greater than 1), the determination processing unit 40 notifies the e-mail recipient that the (n + 1) th compressed file exists, When the password is input, the decompression unit 30 decompresses the compression of the (n + 1) th compressed file to extract the (n + 1) th file, and the determination processing unit 40 determines whether the n + 1th file is appropriate for the (n + 1) th file. When the folder is adopted, the suitability of the files in the folder can be determined even when the folder has a multilayer structure.

  When a plurality of n + 1 compressed files are stored in the n th compressed file decompressed by the decompressing unit 30, the determination processing unit 40 is appropriate for the n + 1 th file in the n + 1 compressed file that has been decompressed. In the case of adopting a mode in which the n + 1th compressed file that has not been decompressed is deleted, the adequacy cannot be confirmed while confirming the suitability for the decompressed file. By deleting the compressed file, safety can be ensured.

  When the upper limit number of hierarchies to be decompressed by the decompression unit 30 is set in advance, and when the compressed file is not decompressed by the decompression unit 30 when the upper limit number is exceeded, the decompression to the compressed file is performed. An upper limit can be set, and the load on the determination processing unit 40 can be limited.

  The determination processing unit 40 may have an artificial intelligence function, and may learn a password for the transmission source by using the association between the transmission source information and the password information used for decompression as teacher data. When such an aspect is adopted, the possibility that the compressed file can be decompressed without the password input from the recipient can be increased.

  When the relay unit 50 adopts a mode in which the access of the internal terminal based on the link destination information is rejected when the determination processing unit 40 determines that the mail information is inappropriate based on the link destination information, an e-mail is used. It is beneficial not only to prevent access to dangerous websites, but also to employees who have not received e-mails with suspicious eligibility in that they can prevent access to dangerous websites. .

  In the case of adopting an aspect in which access to a URL that is prohibited by the relay unit 50 is permitted via the input unit 90, for example, it is possible to permit access to a URL that is determined to be safe by an administrator. This is advantageous in that it is possible to prevent unnecessarily excessive restrictions on access to URLs.

  The description of the above-described embodiment and the disclosure of the drawings are merely examples for explaining the invention described in the claims, and are described in the claims by the description of the above-described embodiments or the disclosure of the drawings. The invention made is not limited. The description of the scope of claims at the beginning of the application can be changed as appropriate within the scope of the present patent specification, and the scope can be expanded.

  Each component including the separation notification unit 20, the decompression unit 30, the determination processing unit 40, the relay unit 50, the storage unit 10 and the like in each of the above embodiments is a logic circuit formed in an integrated circuit such as an IC chip or an LSI. (Hardware) or a dedicated circuit, or software using a CPU, memory, or the like. Each component may be realized by one or a plurality of integrated circuits, and a plurality of components may be realized by one integrated circuit. The control unit may be considered as a component including the separation notification unit 20, the decompression unit 30, the determination processing unit 40, the relay unit 50, and the like.

DESCRIPTION OF SYMBOLS 10 Memory | storage part 11 1st memory | storage part 12 2nd memory | storage part 20 Separation notification part 30 Decompression | decompression part 40 Judgment processing part 50 Relay part

Claims (14)

When the first compressed file with the password set is attached to the received e-mail, the e-mail is stored in the temporary save area and the e-mail is stored or stored in the temporary save area. A separation notification unit for notifying the recipient of the email;
A decompression unit that decompresses the first compressed file and retrieves the first file by inputting the password;
A determination processing unit for determining whether the first file is appropriate for the first file;
An information processing apparatus comprising:   The determination processing unit transmits the e-mail to the recipient when it is determined that the first file is appropriate, and a predetermined action when it is determined that the first file is inappropriate. The information processing apparatus according to claim 1, wherein an e-mail for which an action has been executed is transmitted to the recipient after execution of.   3. The determination processing unit, when the determination processing unit transmits the electronic mail to the recipient, transmits the first compressed file after resetting the password. The information processing apparatus described.   3. The determination processing unit transmits the first compressed file with the password released to the recipient when the determination processing unit transmits the electronic mail to the recipient. The information processing apparatus described. A storage unit for storing the permitted transmission source;
When the transmission source is the permitted transmission source, the determination processing unit includes the first compressed file with the password set in the email, even if the first compressed file is attached. The information processing apparatus according to claim 1, wherein the first file is transmitted to a recipient of the electronic mail without determining whether the first file is appropriate.   The said judgment process part deletes the 1st compression file which was not decompress | decompressed by the said decompression | decompression part, and transmits the said email to the said recipient, The Claim 1 characterized by the above-mentioned. Information processing device. When the (n + 1) th compressed file is stored in the nth compressed file decompressed by the decompression unit (“n” is an integer equal to or greater than 1), the determination processing unit determines that the (n + 1) th compressed file exists. Notify the recipient of the email,
The decompression unit decompresses the compression of the n + 1-th compressed file by inputting the password, takes out the n + 1-th file,
The information processing apparatus according to claim 1, wherein the determination processing unit determines whether or not the n + 1th file is appropriate for the n + 1th file.   When the (n + 1) th compressed file is stored in the nth compressed file (“n” is an integer equal to or greater than 1) decompressed by the decompressor, the decompressor automatically assigns a password to the (n + 1) th compressed file. The information processing apparatus according to claim 1, wherein an information is input.   When the n + 1th compressed file is not decompressed by the password automatically input by the decompression unit, the determination processing unit notifies the recipient of the e-mail that the n + 1th compressed file exists. The information processing apparatus according to claim 8.   When a plurality of n + 1 compressed files are stored in the n th compressed file decompressed by the decompressing unit, the determination processing unit appropriately selects the n + 1 file in the n + 1 compressed file that has been decompressed. 10. The information processing apparatus according to claim 7, wherein the n + 1th compressed file whose compression is not decompressed is deleted.   11. The upper limit number of hierarchies to be decompressed by the decompression unit is set in advance, and when the upper limit number is exceeded, the decompression unit does not decompress the compressed file. The information processing apparatus according to any one of claims. When the first compressed file with the password set is attached to the received e-mail, the e-mail is stored in the temporary save area and the e-mail is stored or stored in the temporary save area. Notifying the recipient of the email;
Extracting the first file by decompressing the compression of the first compressed file by inputting the password;
Determining whether the first file is appropriate for the first file;
An information processing method comprising: A program for causing an information processing apparatus to execute an information processing method,
The information processing apparatus includes:
When the first compressed file with the password set is attached to the received e-mail, the e-mail is stored in the temporary save area and the e-mail is stored or stored in the temporary save area. Notifying the recipient of the email;
Extracting the first file by decompressing the compression of the first compressed file by inputting the password;
Determining whether the first file is appropriate for the first file;
A program characterized by executing an information processing method comprising:   A recording medium on which the program according to claim 13 is recorded.