JP2020004375A - Information processing apparatus, client terminal, control method, and program - Google Patents

Abstract

To provide a technology that can specify an e-mail which is likely to cause a threat.SOLUTION: An information processing apparatus includes: an extraction unit which extracts, when a mail receiving unit receives an e-mail from an external mail server, information on a body of the e-mail, an attached file, and URL; and a storage unit which stores the information in a mail information table. The information processing apparatus calculates similarity between the received e-mal and the e-mail already stored in the mail information table, and determines the received e-mail as a junk mail when the similarity is equal to or larger than a threshold of similarity set in a determination information setting file and when the number of differences between sender addresses is equal to or larger than a threshold of similar mail count set in the determination information setting file.SELECTED DRAWING: Figure 4

Description

  The present invention relates to an electronic mail security technique, and more particularly to a security technique for received junk mail.

  In recent years, with the development of networks, electronic mail (hereinafter, simply referred to as “mail” as necessary) has been widely used.

  Along with this, there are many cases where recipients receive unwanted advertisements or unsolicited spam due to harassment, etc. Among them, suspicious mail with spam mail or malware sent to a large number of unspecified recipients is attached There are also emails and the like.

  Such emails not only cause annoyance to recipients, but also cause various threats such as malware infection and introduction to phishing sites.

  Such a mail uses a large part of the template (including the body of the mail, the attached file, the URL, and the like), and the mail may be transmitted while changing the information of the recipient and the information of the transmission source.

  For this reason, mails containing the same or almost the same text, attached files, and URLs are transmitted from different senders' mail addresses (such mails are called similar mails).

  In addition, the template portion is updated regularly, and particularly, e-mails by spam bots often have the above-described characteristics.

  In ordinary mail operation, there are few situations where similar mail arrives from various transmission sources, and is limited to a specific situation such as an empty mail or a case where the recipient specifies transmission contents.

  Therefore, in order to protect yourself from various threats, it is necessary to identify similar emails that can cause threats transmitted from the sender.

  As a method of performing such identification, there is disclosed a method of determining whether or not the same mail has been received by using information of a sender and a message ID of an already received mail and a newly received mail. (For example, see Patent Document 1).

Patent No. 5326785

  However, in the method described in Patent Literature 1, the mailing list and the personal list included in the mailing list are set as destinations, so that such mails are received for the purpose of preventing reception of duplicate mails. Sometimes, the mail is displayed to the recipient so as not to be duplicated.

  Therefore, there is a possibility that an e-mail which may cause a threat may be displayed, and such an e-mail may be displayed, and a problem may occur that the terminal of the recipient is affected by the threat.

  In view of the above, an object of the present invention is to provide a mechanism capable of specifying an email that may cause a threat.

  In order to solve the above problem, the present invention is an information processing apparatus for relaying an electronic mail, and a receiving unit for receiving the electronic mail, and an electronic mail already received by the receiving unit, the same or similar electronic mail. And specifying means for specifying an electronic mail having a different transmission source.

  ADVANTAGE OF THE INVENTION According to this invention, there exists an effect that the mail which can cause a threat can be specified.

1 is a configuration diagram illustrating an example of a schematic configuration of an information processing system. FIG. 2 is a block diagram illustrating an example of a hardware configuration of a mail server and a client terminal. FIG. 3 is a block diagram illustrating an example of a software configuration. It is a flow chart which shows an example of processing which judges spam. FIG. 4 is a configuration diagram illustrating an example of a configuration of a determination information setting file. FIG. 3 is a configuration diagram illustrating an example of a configuration of a shared information setting file. FIG. 3 is a configuration diagram illustrating an example of a configuration of a mail information table. It is a figure which shows an example of the process at the time of using in combination with the process of judging unsolicited mail and existing technology. It is a flowchart which shows an example of the process which reuses a junk mail. FIG. 3 is a configuration diagram illustrating an example of a configuration of a list screen. It is a figure showing an example of composition of a detailed screen.

  Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

  FIG. 1 is a configuration diagram illustrating an example of a configuration of an information processing system according to an embodiment of the present invention.

  As shown in FIG. 1, the information processing system 100 according to the present embodiment includes a configuration including a mail server 101, a client terminal 102 (provided at least one or more), and a LAN 103, and externally via a wide area network 104. It is connected to the mail server 105.

  The mail server 101 is an information processing device used for sending and receiving e-mails, and has a function of managing e-mail addresses of e-mails and storing e-mails transmitted to the e-mail addresses. I have.

  In addition, a process (described later in detail) of determining unsolicited e-mail for the e-mail transmitted from the external mail server 105 is performed.

  The client terminal 102 is a terminal device operated by a user who exchanges e-mail using a mail address managed by the mail server 101.

  In addition, the client terminal 102 is also a terminal device that provides various contents and the like provided from the external mail server 105 to the user.

  Further, the client terminal 102 is capable of referring to and editing settings and data related to the present invention stored in the mail server 101 via the LAN 103.

  The external mail server 105 is a device that provides various contents and the like to the user, and is installed by a service provider, an individual user, or the like, or installed as a mail server owned by an external user. Or

  It should be noted that an information processing device may be provided between the mail server 101 and the LAN 103, and the information processing device may be configured to judge unsolicited e-mail sent from the external mail server 105.

  FIG. 2 is a block diagram illustrating an example of a hardware configuration of the mail server 101 and the client terminal 102 according to the embodiment of the present invention.

  As shown in FIG. 2, a mail server 101 and a client terminal 102 are connected via a system bus 204 to a CPU (Central Processing Unit) 201, a ROM (Read Only Memory) 202, a RAM (Random Access Memory) 203, and an input controller 205. , A video controller 206, a memory controller 207, and a communication I / F controller 208.

  The CPU 201 generally controls each device and controller connected to the system bus 204.

  The ROM 202 or the external memory 211 stores a basic input / output system (BIOS) and an operating system (OS), which are control programs executed by the CPU 201, a computer-readable program for realizing the information processing method, and various necessary programs. Holds data (including data tables).

  The RAM 203 functions as a main memory, a work area, and the like for the CPU 201. The CPU 201 loads various programs and the like necessary for executing processing from the ROM 202 or the external memory 211 to the RAM 203, and realizes various operations by executing the loaded programs.

  The input controller 205 controls input from an input device such as a keyboard 209 and a pointing device such as a mouse (not shown). When the input device is a touch panel, various instructions can be given by the user pressing (touching with a finger or the like) in accordance with an icon, cursor, or button displayed on the touch panel.

  Further, the touch panel may be a touch panel such as a multi-touch screen that can detect a position touched by a plurality of fingers.

  The video controller 206 controls display on an external output device such as the display 210. The display shall include the display of a notebook computer integrated with the main unit. The external output device is not limited to a display, but may be, for example, a projector. In addition, an input device is provided for a device capable of accepting the above-described touch operation.

  The video controller 206 can control a video memory (VRAM) for performing display control, can use a part of the RAM 203 as a video memory area, or can provide a dedicated video memory separately. It is possible.

  The memory controller 207 controls access to the external memory 211. As an external memory, it is connected via an adapter to an external storage device (hard disk), a flexible disk (FD), or a PCMCIA card slot for storing a boot program, various applications, font data, user files, editing files, and various data. For example, a compact flash (registered trademark) memory or the like can be used.

  The communication I / F controller 209 connects and communicates with external devices via a network, and executes communication control processing on the network. For example, communication using TCP / IP, a telephone line such as ISDN, and communication using a 3G line of a mobile phone are possible.

  Note that the CPU 201 enables display on the display 210 by executing, for example, an outline font developing (rasterizing) process on a display information area in the RAM 203. Further, the CPU 201 enables a user instruction with a mouse cursor (not shown) on the display 210.

  Next, an example of a functional configuration of various devices according to the embodiment of the present invention will be described with reference to FIG. Note that each function will be described together with a flowchart and the like described later.

  The mail server 101 includes a mail reception unit 300, an extraction unit 302, a storage unit 304, a determination unit 306, a processing unit 308, a sharing unit 310, and a reuse unit 312.

  The mail receiving unit 300 receives an e-mail transmitted from the external mail server 105, and the extracting unit 302 extracts information on the body, attached file, URL, and the like from the e-mail received by the mail receiving unit 300 according to predetermined conditions. get.

  The storage unit 304 stores information about the e-mail acquired by the extraction unit 302 in a table, and stores definition information used when determining unsolicited e-mail in a setting file.

  The determination unit 306 calculates the similarity between the e-mail received by the e-mail receiving unit 300 and the e-mail stored by the storage unit 304 with respect to the body, attached file, URL, and the like, and the calculated similarity is set in the setting file. It is determined whether or not the message is spam based on whether or not the number of different senders is greater than or equal to the threshold set in the setting file.

  The processing unit 308 performs processing on the e-mail determined by the determination unit 306 as unsolicited e-mail so as not to cause secondary damage, and the sharing unit 310 performs processing on such e-mail for the same reason. Share information with other systems and users.

  The reuse unit 312 inputs information about the e-mail determined as unsolicited e-mail to existing technology (anti-spam software or anti-virus software) to improve the accuracy of overall security.

  Next, with reference to the flowchart shown in FIG. 4, a description will be given of a process performed by the mail server 101 according to the embodiment of the present invention for determining spam. This process is executed by the CPU 201 of the mail server 101 reading out a predetermined control program.

  In step S400, mail receiving section 300 receives the electronic mail transmitted from external mail server 105.

  In step S402, the extraction unit 302 extracts information on the electronic mail received in step S400.

  As the information on the e-mail to be extracted, for example, as the information on the sender, the sender's e-mail address, the hash value of the sender's e-mail address (a value calculated by an arbitrary predetermined hash function. , The same hash function is used, the same applies hereinafter), an arbitrary identifier of the sender's mail address, domain information of the sender's mail server, IP address of the sender's mail server, and route information of the MTA (Mail Transfer Agent). and so on.

  There is information about the text as information about the mail to be extracted, and a hash value of the text and a fuzzy hash value (a value calculated by an arbitrary predetermined fuzzy hash function. However, the same fuzzy hash function is used in a series of processes). The same applies hereafter), arbitrary identifiers (for example, numbers for identifying the text, and the same number if there are duplicate texts, etc.), feature amounts, the entire text, hash values for each element, Information (hash value, fuzzy hash value, arbitrary identifier, feature amount, etc.). Elements of the text include, for example, each paragraph and each block of a fixed size.

  Regarding information for each element, there is a spam mail in which some elements are randomly replaced, or some elements are combined to create a body.

  For example, from the sentence list used for the first half paragraph and the sentence list used for the second half paragraph, an e-mail that is randomly selected and combined to create the entire sentence, or an e-mail where the last signature part is created at random Exists.

  Therefore, by extracting information for each element, it is possible to increase the accuracy of identifying spam.

  In addition, there is information about the attached file as information about the mail to be extracted, and a hash value about the attached file, a fuzzy hash value about the attached file, an arbitrary identifier (for example, assigning a number for identifying the attached file, and If there is an EXCEL (registered trademark) file with a macro, an operation log is obtained by operating in a sandbox or an automatic analysis environment. Log of the operation performed by the communication destination URL, reading and writing of the file, etc. Similarly, the log of the operation performed when the execution file is executed in the execution file, or reading and writing of the communication destination URL and the file, reading and writing of the registry, and shutdown. And instructions to the PC such as restart), the attached file (Basically, just the hash value or fuzzy hash value does not matter, but if there is an attached file itself, similarity can be calculated by various methods.) Metadata (for example, file name, file type , File size, creation date, creator name, product name, version information, Exif, name detected by anti-virus software, etc.), hash value for each element, information for each element (hash value, fuzzy hash value, arbitrary identifier, Operation information (if there are a plurality of attached files, operation information of each attached file)).

  Elements of the attached file include, for example, each block of a fixed size, each section of the file, the resource portion of the file, and, in the case of Office, only the macro portion.

  Regarding information for each element, there is a junk mail to which a created file is attached by replacing some elements at random or combining some elements.

  For example, there is an attached file in which only the resource part of the file is rewritten, or an attached file in which only the Office macro part is reused and the contents are rewritten every time.

  Therefore, as described above, by extracting information for each element, it is possible to increase the accuracy of identifying spam.

  Further, there is information on a URL or the like as information on an e-mail to be extracted, and a hash value, a fuzzy hash value, an arbitrary identifier (for example, a number for identifying a URL, and the same number if there is a duplicate URL, etc.) ), Operation information (operation logs are acquired by operating in a sandbox or an automatic analysis environment. Examples of operation information include a redirect destination when accessing a URL, a file to be downloaded, etc.), the entire URL, and metadata. (If it is a domain, there are IP address, GeoLocation (IP address position information), detection information of anti-virus software, etc., hash value for each element, information for each element (hash value, fuzzy hash value, arbitrary identifier), etc.

  Elements of the URL include, for example, a domain portion, FQDN, a URL path portion, and a URL query portion.

  Regarding information for each element, there is a spam mail that creates a URL by replacing some elements at random or combining some elements.

  For example, there are a URL in which a directory portion at the end of a URL path is randomly rewritten, a URL in which a query portion of the URL is randomly replaced, and the like.

  Therefore, as described above, by extracting information for each element, it is possible to increase the accuracy of identifying spam.

  In addition, as information on the e-mail to be extracted, an address set in TO, CC, or BCC as a destination mail address, a subject, or the like may be extracted.

  Any identifier of each information can be used to distinguish data such as a sender's e-mail address, body, attached file, URL, or an identifier in which these elements are numbered one by one in addition to the hash function. , May be generally distinguishable.

  Further, each information may be processed. For example, if the information is the text, the line feed code may be deleted, or the URL portion may be deleted. Further, as long as the information is related to an attached file, file format conversion, image conversion, unpacking of an executable file, and the like may be performed.

  In step S404, the storage unit 304 stores the information extracted in step S402 in the mail information table 700 (see FIG. 7).

  FIG. 7 shows the configuration of the mail information table 700. The mail information table 700 is a table for storing the information of the e-mail extracted in step S402, and has a text hash 702 and a text Fuzzy hash 704, attached file hash 706 and attached file fuzzy hash 708, attached file URL hash 710, and source email address hash 712. ing.

  The body hash 702 stores a hash value related to the body, and the body fuzzy hash 704 stores a fuzzy hash value related to the body.

  The attached file hash 706 stores a hash value related to the attached file, and the attached file fuzzy hash 708 stores a fuzzy hash value related to the attached file.

The hash value of the URL is stored in the hash 710 of the URL, and the hash value of the mail address of the transmission source is stored in the hash 712 of the transmission source address.
Note that the storage format may be a file instead of a table. Further, the mail information table 700 may use the one constructed in the information processing system 100 or the one constructed in an external system. Further, it is possible to exchange data with a database of an external system.

  Since similar mails are frequently updated, a sufficient effect can be expected even when old data stored in the mail information table 700 is deleted.

  The timing of the deletion indicates, for example, the time when the terminal is periodically deleted or the last access (the text, the attached file, the hash value of the URL, the fuzzy hash value, the identifier, etc. is last referred to on the screen or the like. If not, it will be the reception time (time stored in the table), and if there is a similar mail, it indicates the time of last reception.) For example, data that has passed for a certain period of time may be deleted.

  This has the effect of reducing the load on resources and increasing the speed of processing for determining junk mail.

  In step S406, the determination unit 306 determines that the electronic mail stored in step S404 has a high similarity regarding the body and a low similarity regarding the information regarding the transmission source with the electronic mail already stored in the mail information table 700 (the transmission source is low). Are different), it is determined as similar mail.

  Alternatively, it is determined how many e-mails having the same text have been received from different transmission source e-mail addresses.

  In this step, the determination is made based on whether or not the similarity of the text is greater than or equal to the threshold of the similarity set in the text setting 504 of the determination information setting file 500 shown in FIG.

  Also, the total number of e-mails having the same text and transmitted from e-mail addresses of different senders is smaller than the threshold value of the number of similar e-mails set in the setting 502 regarding the entire judgment information setting file 500. Is determined based on whether or not is higher.

  The determination information setting file 500 shown in FIG. 5 is a setting file that stores information for performing each determination in the present invention.

  The determination information setting file 500 is configured to include an overall setting 502, a setting 504 related to a text, a setting 506 related to an attached file, a setting 508 related to a URL, and the like.

  The determination information setting file 500 may be read at the beginning of this processing, or only the settings necessary for each step in this processing may be read.

  The general setting 502 stores settings relating to general processing, the setting 504 relating to the text stores settings relating to the processing of the text, and the setting 506 relating to the attached file includes the setting relating to the processing of the attached file. The setting 504 related to the URL stores the setting related to the processing of the URL.

  As another example, an e-mail in which the similarity of the fuzzy hash value for the text is equal to or greater than the similarity threshold set in the setting 504 for the text, and the number of similar mails set in the setting 502 for the whole The determination may be made based on whether or not the total number of e-mails transmitted from the IP addresses of the mail servers of different transmission sources is higher than the threshold.

  Or, the body is the same e-mail, the total number of e-mails transmitted from different transmission source e-mail addresses is higher than the threshold of the number of similar e-mails set in the overall setting 502, and The emails whose body similarity is equal to or greater than the similarity threshold set in the body setting 504, and the number of received emails is higher than the similar mail number threshold set in the overall setting 502. May be determined by a combination of.

  Note that it is also possible to make a similarity determination using information obtained by dividing the text for each element described above. At this time, in the setting 504 relating to the text, the setting may be performed for each element.

  The setting includes a threshold value of the similarity and whether to use it for detecting junk mail similar to the text, and the setting is added for each element according to the situation.

  The similar mail may be determined only when the value is equal to or larger than the value set in the “text size (for example, the number of characters or the number of bytes)” in the determination information setting file 500.

  In step S408, the determination unit 306 determines that the electronic mail stored in step S404 has a high degree of similarity with respect to the attached file and a low degree of similarity of the information regarding the transmission source with the electronic mail already stored in the mail information table 700 (transmission If the source is different), it is determined as a similar mail.

  In this step, the determination is made based on whether or not the similarity regarding the attached file is higher than the similarity threshold set in the setting 506 regarding the attached file in the determination information setting file 500 shown in FIG.

  For example, the similarity of the fuzzy hash value related to the attached file is an e-mail that is equal to or greater than the similarity threshold set in the setting 506 related to the attached file, and is larger than the threshold of the number of similar mails set in the setting 502 related to the whole. The determination is made based on whether or not the total number of mails transmitted from different transmission source addresses increases.

  Alternatively, as a result of executing the attached file in a protected area such as a sandbox, the similarity of the operation log (read / write of a file or a registry, network communication, executed API, etc.) becomes similar to the similarity set in the attached file setting 506. The total number of e-mails sent from different source e-mail addresses is higher than the threshold of the number of similar e-mails set in the general setting 502. It may be determined.

  Furthermore, similarity determination can be performed using information obtained by dividing an attached file for each element described above.

  At this time, the setting may be performed for each element in the setting 506 regarding the attached file.

  The setting includes a threshold of similarity, whether or not the attached file is used for detecting similar junk mail, and the setting is added for each element according to the situation.

  In step S <b> 406, the determination unit 306 determines that the email stored in step S <b> 404 has a high URL similarity to the email already stored in the email information table 700 and has a low similarity in the information related to the transmission source (transmission source). Are different), it is determined as similar mail.

  In this step, the determination is made based on whether or not the similarity regarding the URL is higher than the similarity threshold set in the setting 508 regarding the URL in the determination information setting file 500 shown in FIG.

  For example, the FQDN of the URL described in the e-mail is the same e-mail, and the total number of e-mails transmitted from e-mail addresses of different senders is smaller than the threshold of the number of similar e-mails set in the general setting 502. Is determined based on whether or not is high.

  Alternatively, it is an e-mail in which the similarity of the response data after accessing the URL in a protected area such as a sandbox is equal to or greater than the similarity set in the URL setting 508, and is set in the entire setting 502. For example, the determination may be made based on whether or not the total number of electronic mails transmitted from different transmission source mail addresses is higher than the threshold value of the number of similar mails.

  Further, similarity determination can be performed using information obtained by dividing the URL for each element.

  At this time, in the setting 508 relating to the URL, the setting may be performed for each element.

  The setting includes a threshold value of similarity, whether to use the same for detecting unsolicited e-mails with similar URLs, and the like, and the setting is added for each element according to the situation.

  In step S412, when the number obtained in step S406, the number obtained in step S408, or the number obtained in step S410 is equal to or more than a certain value, the determination unit 306 determines that the similar mail is unsolicited mail, and proceeds to step S414. If the process is advanced and it is not determined that the email is spam, the process advances to step S416.

  Alternatively, the determination may be made based on a combination of the number of cases in step S406, the number of cases in step S408, and the number of cases in step S410.

  Further, in a case similar to the case of perfect matching, the threshold value may be changed or the combination may be changed. For example, if three or more e-mails with the same text are received from different senders' e-mail addresses, all e-mails with the same content as the text are treated as spam.

  Alternatively, if three or more e-mails whose body text is 80% or more similar and the fuzzy hash value of the attached file is 90% or more are received from different transmission source e-mail addresses, the e-mail (the e-mail) A mail whose text is similar to the mail by 80% or more, and whose attachment is similar to the attached file by 90% or more) may be treated as junk mail.

  In step S414, the processing unit 308 performs an arbitrary process on the e-mail that has been determined as spam in step S412.

  Examples of arbitrary processing for unsolicited e-mail include deletion of the target e-mail, addition of a warning sentence to the target e-mail, detoxification of attached files and URLs, and execution in a virtual environment.

  In addition, any processing may be performed differently depending on the detection method, such as a case where a perfect match is detected or a case where similarity is detected. For example, when a perfect match is detected, the e-mail is deleted, and when the similarity is detected, a warning message is added.

  Further, a combination may be used. For example, if the number of emails with high similarity in the text is less than a certain number, but the number of emails with high similarity in attachments is more than a certain number, processing such as detoxifying the attached file without deleting it May be. As described above, the accuracy and convenience are improved by changing the process according to the detection condition.

  In step S416, sharing section 310 shares each piece of information stored in step S404 with the user.

  The sharing destination includes, for example, a server on another user or a route, another server in the base, sharing between bases, sharing with another company or organization, and sharing with a developer.

  As a method of sharing each information with a server on the route, for example, a case is provided in which an electronic mail is branched from the external mail server 105 to the mail server B or the mail server C from the mail server A and transmitted. This system is normally used by the mail servers B and C.

  The mail server B shares information on the e-mail determined to be junk mail with the mail server A.

  The mail server A extracts only representative information to reduce the load, stores only the information shared from the mail server B, and performs similar mail determination. Thereby, the mail server C can also judge unsolicited mail.

  As information to be shared, it is possible to set a range of sharing destinations for each piece of information to be shared, such as information about a transmission source, information about a text, information about an attached file and a URL.

  The setting may be adjusted by the shared information setting file 600 as shown in FIG. The sharing information setting file 600 shown in FIG. 6 is a setting file for setting information sharing.

  The sharing information setting file 600 includes a setting 602 for sharing, a setting 604 for a transmission source, a setting 606 for a text, a setting 608 for an attached file, a setting 610 for a URL, and the like.

  The overall sharing setting 602 is for storing general sharing settings, the transmission source setting 604 is for storing transmission source sharing settings, and the text setting 606 is for text sharing. The settings 608 for the attached files are for storing the settings for sharing the attached files, and the settings 610 for the URLs are for storing the settings related to the sharing of the URLs.

  For example, in the case of sharing with the developer, a part of the hash value of the mail address of the sender (for example, the first two characters) and the mail address are set by the setting 606 related to the body and the hash value of the body by the setting 604 related to the sender Only share domain information.

  This has the effect of reducing concerns about sharing with the developer. (Here, the hash value of the email address may be able to be restored using a rainbow table (table of a set of plain text and hash value), but if the hash value is part of the hash value, the original It becomes more difficult to guess the value.

  Also, it is only necessary to be able to count the number of similar mails having different senders from a certain level or more.

  Alternatively, in the case of sharing with another mail server between bases, the hash value and fuzzy hash value for the text are set by the setting 606 for the text, and the hash value and fuzzy hash value for the attached file are set by the setting 608 for the attached file. According to the setting 610 regarding the FQDN and the transmission source according to 610, the information of the transmission source mail address and the entire hash value of the mail address may be shared.

  Further, when the present invention is implemented in each client terminal 102, similar mails may not accumulate more than a certain amount. Therefore, sharing similar mails to a mail server or the like on the route increases the number of samples and increases the determination accuracy. Can be expected to improve.

  Further, by sharing with another company, another organization, or a developer, it is possible to expect more effects than a security company alerts on the Web or the like.

  Before performing the processing in step S406, a standby time (for example, about 10 minutes when the processing is set to be short, and about 1 hour when the processing is set to be longer) is provided to temporarily wait for the processing in and after step S406. It is also possible.

  Similar spam is always sent because there is no similar mail in the first case. By providing the standby time, it is possible to allow time until a certain number of cases is accumulated, and it is possible to detect the first case and the first case. In addition, similar spam is sent in a short period of time, so an effect can be expected even with a short delay time.

  The setting of the standby time may be changed for each transmission source information. Such spam is often sent from the sender who receives it for the first time. For example, a waiting time is provided only for a transmission source that receives data for the first time. Thus, the effect of providing a delay time can be expected without delaying all e-mails.

  In addition, although junk mail is determined based on the result of determination of each similar mail in step S412, in order to increase the determination accuracy, the reception result or transmission result may be used for similar mail determination. Good.

  Many similar unsolicited e-mails are often the first time they are received. Further, even when the same transmission source is used, there is a case where only one-way reception is performed and there is no transmission result.

  As a usage method, for example, only similar senders that have no reception record, that is, senders that are received for the first time (sources that do not exist in the mail information table 700) are determined.

  Alternatively, the determination of each similar mail is performed only for a transmission source having a reception record but no transmission record. In this case, it is necessary to store, as the transmission result, information regarding the electronic mail including information regarding the transmission source of the transmitted electronic mail.

  Further, the reception result and the transmission result may be used for the similar mail determination regarding the text, the similar mail determination regarding the attached file, and the similar mail determination regarding the URL.

  For example, for an e-mail that has a reception record, the body is determined to be a similar mail, but for an e-mail that does not have a reception record, the body, the attachment file, and the URL are not determined. It is also possible to make a similar mail determination.

  As a result, attachments and URLs of e-mails that have a record of reception are less dangerous, but unlike spoofed e-mails, despite the fact that there is no record of reception, the body of the e-mail is copied and dangerous attachments and URLs are copied. It is also possible to detect certain emails.

  The setting includes, for example, a threshold value for determining how many or more similar electronic mails are judged as spam mails, whether to use transmission and reception results, and the like. The setting is added according to the situation.

  This makes it possible to automatically detect unsolicited e-mail (similar e-mail) transmitted while changing the transmission source and destination using the same template as represented by a spam bot, thereby suppressing reception.

  In addition, there is no need to prepare data in advance and machine learning is performed, and it is possible to quickly respond to frequently updated junk mail, and the user adds settings each time to frequently updated junk mail. There is no necessity, and the trouble can be reduced.

  In addition, since measures are taken only on the receiving side, measures can be taken without being affected by the specifications of the mail server on the sending side.

[Modification]
FIG. 8 is an example of a configuration diagram of a system that enhances the security accuracy of an electronic mail determined to be spam by combining with an existing technology.

  The configuration diagram of the combination with the existing technology includes a mail receiving process 800, a process 802 according to the existing technology, the above-described junk mail determination process 804, and a mail transfer process 806.

  The mail receiving process 800 performs a process of receiving an e-mail from the external mail server 105, and the process 802 of the existing technology detects a spam mail or an email with malware by using the existing technology such as anti-spam software or anti-virus software. This is the processing to be performed.

  The junk e-mail determination processing 804 is processing for determining junk e-mail described in the embodiment, and the e-mail transfer processing 806 is performed after the e-mail determination processing or the like is completed. This is the process of transferring the e-mail to the user.

  The junk e-mail determination processing 804 may be performed prior to the existing technology, or may not be performed by the same mail server 101.

  Since the junk e-mail determination processing 804 does not compete with existing technologies, it can be used in combination, and the junk e-mail detection rate is improved by using in combination.

  Next, with reference to the flowchart of FIG. 9, a process of reusing spam in the embodiment of the present invention will be described. This process is executed by the CPU 201 of the mail server 101 reading out a predetermined control program.

  According to the present invention, it is possible to automatically detect a new junk e-mail, and the data of the detected e-mail can be used for existing filtering, anti-spam software, anti-virus software, and the like.

  Further, it can be used as learning data for machine learning or as a teaching material for security training. This has the effect of improving the performance of technologies other than the present invention.

  In step S900, the reuse unit 312 reuses data relating to the source information of the e-mail determined as unsolicited e-mail.

  Since the sender information may be used for sending other spam, the sender information of the spam is registered in the filtering and blacklist settings related to sending and receiving e-mails, etc. Suppression becomes possible.

  As the transmission source information, a mail address, an IP address of a mail server, information of a mail server on a distribution route, or the like can be used.

  In step S902, the reuse unit 312 reuses the data regarding the destination information of the electronic mail determined as the junk mail.

  A combination of destination information that is not used on a daily basis may be used for spam. For example, there may be a case where a plurality of mail addresses with low relevance, such as a contact point for support of the product A and a contact point for recruitment of a company, are specified in the TO, and a contact point for inquiries regarding the Web site and an individual are specified in the CC.

  Such a combination of transmission destination information is used as a list of transmission destinations, and there is a possibility that a spam mail is transmitted again for the same combination of transmission destination information.

  Therefore, it is possible to reuse this combination of destination information. For example, a warning sentence can be added to an e-mail transmitted for this combination of destination information.

  Also, if the combination of destination information detected by the present invention using the transmission results and the reception results is a combination having no results, the combination of the destination information is filtered or blacked out for sending and receiving e-mail. You can also register on the list.

  In step S904, the reuse unit 312 reuses data related to the body information of the e-mail determined to be spam.

  The data of the unsolicited email is shared in step S416 in FIG. 4. By inputting the text information of the email determined as the unsolicited email to the existing filtering and anti-spam software, such text information is input. It is possible to specify a new e-mail including the e-mail.

  In step S <b> 906, the reuse unit 312 reuses data related to the information of the attached file of the electronic mail determined as the junk mail.

  Although the data of the unsolicited email is shared in step S416 in FIG. 4, the information of the attached file of the email determined as the unsolicited email is input to the existing filtering, anti-spam software or anti-virus software. This makes it possible to specify a new electronic mail or communication including such information of the attached file.

  This makes it possible to detect even when the file is used via the Web other than via the mail.

  In step S908, the reuse unit 312 reuses the data related to the URL of the electronic mail determined as the junk mail.

  Although the spam detected by the present invention shares data in step S416 in FIG. 4, it is also determined as spam by existing filtering, anti-spam software, anti-virus software, UTM (Unified Threat Management), and the like. By inputting information about the URL, it is possible to specify a new e-mail or communication including such information about the URL.

  This makes it possible to detect even when the file is used via the Web other than via the mail.

  In step S910, the reuse unit 312 creates a signature from the body of the e-mail determined as unsolicited e-mail, an attached file, a URL, and the like.

  As an example of the signature, a hash value or a part of data is extracted somewhere and pattern matching is performed. For example, in the case of a text, 10 characters are extracted from lines 2, 5, and 7 at a time, and the extracted character string is used as a signature. Then, an electronic mail including all the extracted character strings is determined as junk mail.

  Alternatively, in the case of a file, n bytes to n + 100 bytes and m bytes to m + 100 bytes are extracted and used as a signature. Then, an e-mail to which a file including all the extracted byte strings is attached is determined as junk e-mail.

  At this time, an overlapping portion may be extracted from those having high similarity of the spam mail. This makes it possible to improve the determination accuracy by excluding the random elements.

  It can be used not only at the time of reception but also at the time of mail transmission. Spam bots are often transmitted by spam bots or the like. Therefore, if a spam bot detects the spam, the client terminal 102 may be infected with the spam bot and become a stepping stone.

  Since the client terminal 102 infected with the spam bot uses the same template to send unsolicited e-mail, if there are a plurality of client terminals 102 infected with the same spam bot, the electronic contents of the same content are transmitted from each client terminal 102. Email is sent.

  The mail server 101 can detect such unsolicited e-mail because the same e-mail is received from various places.

  For this reason, by detecting at the time of transmission, the possibility of becoming an assailant can be reduced, and in the case where infection is spread by e-mail, the spread of damage can be suppressed.

  Furthermore, it is also possible to specify or automatically detect the client terminal 102 serving as a springboard.

  As an example of the automatic detection method, the IP address of the client terminal 102 that has transmitted the detected e-mail is inquired from the Received header of the detected e-mail to the mail server in the base used first.

  The mail server used first extracts the IP address of the client terminal from the e-mail transmission log and responds to the inquiry.

  This makes it possible to automatically detect the client terminal 102 which is automatically used as a stepping stone.

  The signature or the detected data can be used as learning data for machine learning or as a teaching material used in security training.

  In machine learning, it is necessary to create learning data before learning. However, in the present invention, since unsolicited email can be automatically detected, the detected data can be used as it is as learning data for machine learning.

  In step S912, the reuse unit 312 classifies and analyzes the junk mail.

  As an example of a classification method, spam is divided into parts such as body0, body1,..., Attachment0, attachment1,..., A hash value is calculated for each part, and the hash value of each part is the same. Spam mails are extracted, the unique number of From addresses are counted, all the spam mails having a threshold (for example, 3) or more are extracted, and classified together for each hash value. In addition, you may classify further according to Content-Type.

  By grouping junk mails having a high similarity, junk mails can be classified and displayed like the display contents of the screens shown in FIGS. 10 and 11.

  The content displayed on each screen can be changed by setting. This screen configuration is an example, and another screen configuration may be used.

  This makes it possible to find out frequently received junk mail and recent trends, and to make it easier to call attention.

  In addition, by performing the classification, the labor required for using the information for research or the like can be reduced.

  It can also be used for analysis. For example, it is possible to analyze the tendency of the attacker and the tendency of unsolicited mail by using the transmission time of the detected mail. It can also be used to track and identify attackers and attacker groups from common items.

  Also, it is possible to predict in advance the unsolicited e-mails that are sent periodically. For example, for spam sent by date, season, or event, such as “〇 Monthly Invoice” or “〇 Monthly Purchase Order,” predict the spam in advance and insert a warning text when it is sent. Is also possible.

  FIG. 10 is an example of a configuration diagram showing a configuration of a list screen 1000 for classifying and determining a list of emails determined to be spam.

  The list screen 1000 includes a display setting 1002, a classification 1004, a list display unit 1006, and the like.

  The display setting 1002 sets conditions to be displayed on the list screen 1000. The display setting 1002 includes a similar item 1008, a similarity 1010, a period 1012, and the like, and other settings may be added. .

  In the similar item 1008, it is possible to select at least one or more mails having similar texts, mails having similar attached files, mails having similar URLs, and the like.

  Among similar mails corresponding to the item selected in the similarity item 1008, the similarity 1010 can display a similar mail or the like indicating a similarity equal to or higher than the specified similarity, and the period 1012 specifies the similar mail. It is possible to display similar mails and the like received during the period.

  The classification 1004 displays the unit of the classification, and the list display unit 1006 lists similar mails or the like satisfying the conditions specified for the item set in the display setting 1102 according to the classification of the classification 1004. indicate.

  FIG. 11 is an example of a configuration diagram showing a configuration of a detail screen 1100 for classifying an email determined as unsolicited email and displaying detailed information of the email.

  The detail screen 1100 includes a display setting 1102, a classification 1104, a detailed information display unit 1106, and the like.

  The display setting 1102 sets conditions to be displayed on the detail screen 1100. The display setting 1102 includes a similar item 1108, a similarity 1110, a period 1112, and the like, and other settings may be added. .

  In the similar item 1108, it is possible to select at least one or more emails with similar texts, emails with similar attached files, emails with similar URLs, and the like.

  Among similar mails corresponding to the item selected in the similarity item 1108, the similarity 1110 can display a similar mail or the like indicating a similarity higher than or equal to the specified similarity, and the period 1112 corresponds to the specified mail. It is possible to display similar mails and the like received during the period.

  The classification 1104 displays the unit of classification, and the detailed information display unit 1106 displays similar mails or the like satisfying the conditions specified for the items set in the display setting 1102 according to the classification of the classification 1104. I do.

  The detailed screen 1100 may be displayed on the detailed information display unit 1106 by dividing the display unit for each classification. For example, by displaying only the class A and pressing a next button (not shown), it is possible to display only the class B.

  Further, the detailed information display unit 1106 may display the detailed information of one mail. For example, when the detailed information of one mail belonging to the category A is displayed and the next button (not shown) is pressed, when there is another mail belonging to the class A, the detailed information of the mail is displayed. If there is no other mail belonging to the class A, the detailed information of the mail belonging to the class B may be displayed.

  Further, by selecting the category 1004, the mail may be displayed on the detail screen 1100 of the mail belonging to the selected category, or by selecting the record displayed on the list display unit 1006, the mail details of the selected record may be displayed. Information may be displayed on the detail screen 1100.

  In the embodiment of the present invention, the processing for determining unsolicited e-mail has been described as being executed in the mail server 101, but may be executed in the client terminal 102.

  Alternatively, the information processing device in the cloud environment may be configured to execute a process of determining unsolicited e-mail, and in this case, it may be executed as an external program to the mail server 101 (or a mailbox).

  The embodiment has been described above, but the present invention can take an embodiment as, for example, a system, an apparatus, a method, a program, a recording medium, or the like. Specifically, the present invention may be applied to a system including a plurality of devices, or may be applied to an apparatus including a single device.

  The program according to the present invention is a program capable of executing the processing method of the flowcharts shown in FIGS. 4 and 9, and the storage medium of the present invention stores the program capable of executing the processing method of FIGS. Have been. The program according to the present invention may be a program for each processing method of each device in FIGS.

  As described above, the recording medium storing the program for realizing the functions of the above-described embodiments is supplied to the system or the apparatus, and the computer (or CPU or MPU) of the system or the apparatus executes the program stored in the recording medium. Needless to say, the object of the present invention can be achieved by reading and executing.

  In this case, the program itself read from the recording medium implements the novel function of the present invention, and the recording medium on which the program is recorded constitutes the present invention.

  Examples of a recording medium for supplying a program include a flexible disk, a hard disk, an optical disk, a magneto-optical disk, a CD-ROM, a CD-R, a DVD-ROM, a magnetic tape, a nonvolatile memory card, a ROM, an EEPROM, and a silicon. A disk or the like can be used.

  When the computer executes the readout program, not only the functions of the above-described embodiments are realized, but also an OS (operating system) or the like running on the computer based on the instructions of the program. It goes without saying that a case where some or all of the processing is performed and the functions of the above-described embodiments are realized by the processing is also included.

  Further, after the program read from the recording medium is written into a memory provided in a function expansion board inserted into the computer or a function expansion unit connected to the computer, the program is executed based on the instruction of the program code. It goes without saying that a CPU or the like provided in the function expansion unit performs part or all of the actual processing, and the processing realizes the functions of the above-described embodiments.

  In addition, the present invention may be applied to a system including a plurality of devices or an apparatus including a single device. Needless to say, the present invention can be applied to a case where the present invention is achieved by supplying a program to a system or an apparatus. In this case, by reading the recording medium storing the program for achieving the present invention into the system or the apparatus, the system or the apparatus can enjoy the effects of the present invention.

  Further, by downloading and reading a program for achieving the present invention from a server, a database, or the like on a network by a communication program, the system or apparatus can enjoy the effects of the present invention. It should be noted that all configurations obtained by combining the above-described embodiments and their modifications are also included in the present invention.

100 information processing system 101 mail server 102 client terminal 103 LAN
104 Wide area network 105 External mail server

Claims (21)

An information processing device for relaying an electronic mail,
Receiving means for receiving an e-mail;
Specifying means for specifying the same or similar e-mail from the e-mails already received by the receiving means and e-mails having different transmission sources;
An information processing apparatus comprising:   The information processing apparatus according to claim 1, wherein the specifying unit specifies a predetermined number or more of the e-mails having different transmission sources.   The information processing apparatus according to claim 1, wherein the specifying unit specifies a different e-mail having a low degree of similarity of the information related to the transmission source.   4. The information processing apparatus according to claim 1, wherein the identical or similar electronic mail is an electronic mail in which elements of the body of the electronic mail are the same or similar. 5.   The information processing apparatus according to claim 1, wherein the same or similar electronic mail is an electronic mail that has the same or similar attached file to the electronic mail.   The information processing apparatus according to any one of claims 1 to 5, wherein the same or similar electronic mail is an electronic mail in which elements of an attached file of the electronic mail are the same or similar.   The information according to any one of claims 1 to 6, wherein the same or similar e-mail is the same or similar e-mail as information obtained as a result of executing an attached file of the e-mail. Processing equipment.   The information processing apparatus according to any one of claims 1 to 7, wherein the same or similar electronic mail is an electronic mail having the same or similar URL.   The information processing apparatus according to any one of claims 1 to 8, wherein the same or similar electronic mail is an electronic mail whose URL element is the same or similar.   The information processing according to any one of claims 1 to 9, wherein the same or similar e-mail is an e-mail whose information obtained as a result of accessing by an e-mail URL is the same or similar. apparatus.   11. The apparatus according to claim 1, further comprising: a determination unit configured to determine whether the e-mail is unsolicited e-mail by a method of specifying the same or similar e-mail by the specifying unit. 12. An information processing apparatus according to claim 1.   The information processing apparatus according to claim 11, further comprising a processing unit that changes processing for the junk mail determined by the determination unit according to the same electronic mail or the similar electronic mail.   After a predetermined period of time has passed since the receiving unit received the e-mail, the specifying unit specifies the same or similar e-mails from different e-mails from the e-mails already received by the receiving unit. The information processing apparatus according to claim 1, wherein:   After the predetermined time elapses after the first reception from the source of the e-mail by the reception unit, the same or similar e-mails from the e-mails already received by the reception unit and having different transmission sources are specified. The information processing apparatus according to claim 13, wherein: A record determining unit for confirming a record of reception from the sender of the e-mail received by the receiving unit,
The information according to any one of claims 1 to 14, wherein the specifying unit is executed when the result determining unit determines that there is no reception result from the transmission source of the e-mail. Processing equipment.   16. The method according to claim 15, wherein the specifying unit is executed when the performance determining unit determines that the electronic mail has a reception performance from the transmission source but has no transmission performance at the transmission source. Information processing device.   17. The electronic device according to claim 1, further comprising a control unit configured to control transmission of an e-mail including e-mail information that is the same as or similar to the e-mail information specified by the specifying unit. An information processing apparatus according to claim 1.   18. The information processing apparatus according to claim 1, further comprising a display control unit configured to classify the electronic mail and control display based on a method specified by the specifying unit. An information processing device for sending and receiving e-mails,
Receiving means for receiving an email,
Specifying means for specifying the same or similar e-mail from the e-mails already received by the receiving means and e-mails having different transmission sources;
An information processing apparatus comprising: A method for controlling an information processing device that relays an electronic mail,
The information processing device,
A reception step for receiving an e-mail;
A specifying step of specifying the same or similar e-mail from the e-mails already received by the receiving step, the e-mails having different transmission sources;
A method for controlling an information processing apparatus, comprising: Computer
Receiving means for receiving an e-mail;
Specifying means for specifying the same or similar e-mail from the e-mails already received by the receiving means and e-mails having different transmission sources;
Program to make it work.

Images