JP2020166544A - Electronic mail check system, check device and electronic mail check method - Google Patents

Abstract

To check illegal mails, such as a virus mail and a fishing mail, by a simple structure which does not increase the costs even if a plurality of mail services are utilized.SOLUTION: An electronic mail check system includes a terminal 10 and a check server 30. The terminal 10 accepts the selection of an electronic mail subjected to a check on whether or not it is an illegal mail from among the received electronic mails; converts the selected electronic mail into an electronic file that contains the header information; transmits the electronic file to the check server 30; creates an electronic mail to which the electronic file is attached; and transmits such an electronic mail to the check server 30. The check server 30 determines whether or not the electronic mail converted into the attachment file is an illegal mail on the basis of the attachment file attached to the electronic mail transmitted from the terminal 10; and notifies the terminal 10 of the determination result.SELECTED DRAWING: Figure 1

Description

The present invention relates to an e-mail check system, a check device, and an e-mail check method for checking whether an e-mail is a malicious e-mail such as a virus mail or a phishing mail.

With the development of information and communication technology in recent years, it has become common to use e-mail for exchanging information. While e-mail has advantages such as immediacy and the ability to attach files, it also has the problem of fraudulent e-mail such as virus mail and phishing mail.

In the past, in order to deal with such problems, software for checking for malicious emails such as virus emails and phishing emails was installed on terminals such as personal computers, and emails received on the terminals were checked. .. In addition, software for checking for malicious emails such as virus emails and phishing emails was installed on the mail server, and the email server checked the emails sent and received to the terminals managed by the mail server.

Further, in Patent Document 1, when an e-mail is received by a mail server, the received e-mail is forwarded to a virus check server, the virus check server performs virus check and necessary virus removal, and then virus check and necessary virus removal are performed. A technique for forwarding an e-mail with necessary virus removal to a destination mail server is disclosed.

JP-A-2002-108778

However, installing the software for checking for malicious emails on a terminal as described above takes time and effort for the user, and hesitates to install it on a terminal such as a smartphone whose processing capacity is relatively low. There is a problem.

Further, in recent years, users often send and receive e-mails using a plurality of mail services, such as e-mails for smartphones, ISP e-mails for personal computers, and free e-mails. In order to check for malicious emails such as virus emails and phishing emails for all emails sent and received, it is necessary to make a contract for all email services, which is a high cost burden for users. There is a problem that it becomes.

Further, even in the technology disclosed in Patent Document 1, when a user uses a plurality of mail services, the mail service has a mechanism for forwarding e-mails to a virus check server in order to sufficiently remove the virus. There is a problem that sufficient virus removal cannot be performed when using a mail service that must be provided for all and does not have a mechanism for forwarding e-mail to a virus check server.

The present invention has been made in view of the problems of the conventional technique as described above, and the cost is not high even when a plurality of mail services are used, and the configuration is simple. An object of the present invention is to provide an e-mail check system, a check device, and an e-mail check method capable of checking illegal e-mails such as virus mails and phishing mails.

In order to achieve the above object, the present invention
The user-side device that receives the e-mail and
It has a check device for checking whether the e-mail received by the user-side device is an illegal mail.
The user-side device
A selection receiving means that accepts the selection of an e-mail that checks whether it is the above-mentioned fraudulent e-mail from the received e-mails,
A file creation method that converts the selected e-mail into an electronic file including header information,
An e-mail creation means for creating an e-mail with the electronic file as an attachment while using the check device as a transmission destination.
It has a mail sending means for sending an e-mail created by the mail creating means to the check device.
The check device
An e-mail receiving means for receiving an e-mail transmitted from the user-side device, and
Based on the attached file attached to the received e-mail, the first e-mail determination means for determining whether or not the e-mail as the attached file is an illegal e-mail, and
It has a notification means for notifying the user-side device of the result of the determination.

In addition, it is a check device that checks whether the e-mail received by the user-side device is fraudulent mail.
An e-mail sent from the user-side device and selected from the e-mails received by the user-side device is an e-mail to which an attached file is attached, which is an electronic file including header information. Receiving means and
Based on the attached file attached to the received e-mail, the first e-mail determination means for determining whether or not the e-mail as the attached file is an illegal e-mail, and
It has a notification means for notifying the user-side device of the result of the determination.

Further, it is an e-mail check method in an e-mail check system having a user-side device for receiving e-mail and a check device for checking whether or not the e-mail received by the user-side device is fraudulent mail. ,
A step in which the user-side device accepts a selection of an e-mail for checking whether or not the e-mail is a malicious e-mail from the received e-mails.
A step in which the user-side device converts the selected e-mail into an electronic file including header information.
A step in which the user-side device creates an e-mail with the check device as a transmission destination and the electronic file as an attachment.
A step in which the user-side device sends an e-mail with the attached file to the check device.
The step of receiving the e-mail sent from the user-side device by the check device, and
Based on the attachment file attached to the received e-mail, the check device determines whether or not the e-mail as the attachment is an illegal mail.
The check device has a step of notifying the user-side device of the result of the determination.

It is also an e-mail check method in a check device that checks whether the e-mail received by the user-side device is an illegal e-mail.
The check device is sent from the user-side device, and an e-mail selected from the e-mails received by the user-side device is attached as an electronic file including header information. Steps to receive emails and
Based on the attachment file attached to the received e-mail, the check device determines whether or not the e-mail as the attachment is an illegal mail.
The check device has a step of notifying the user-side device of the result of the determination.

According to the present invention, even when a plurality of mail services are used, the cost is not high, and it is possible to check for malicious mail such as virus mail and phishing mail with a simple configuration.

It is a figure which shows one Embodiment of the e-mail check system of this invention. It is a block diagram which shows the structure of the terminal shown in FIG. It is a block diagram which shows the structure of the check server shown in FIG. It is a flowchart for demonstrating the operation method of checking whether the e-mail received by the terminal is fraudulent mail in the e-mail check system shown in FIGS. 1 to 3. It is a figure which shows an example of the screen which displayed the list of the e-mail received from the mail server by the terminal on the display part. It is a figure which shows the data of the e-mail which the file creation part of a terminal makes into an electronic file. It is a figure which shows the 2nd Embodiment of the e-mail check system of this invention. It is a block diagram which shows the structure of the mail server shown in FIG. 7. It is a flowchart for demonstrating the operation method of checking whether the e-mail received to the e-mail address of the user who uses a terminal in the e-mail check system shown in FIGS. 7 and 8 is fraudulent mail.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.

(First Embodiment)
FIG. 1 is a diagram showing a first embodiment of the e-mail check system of the present invention.

As shown in FIG. 1, the e-mail check system in this embodiment includes a terminal 10, mail servers 20-1 to 20-3, a check server 30, and a network 40 such as the Internet.

The terminal 10 is a user-side device in the present invention. The terminal 10 is operated by a user who uses this system, such as a personal computer, a smartphone, a mobile phone, etc., and the user sends and receives e-mails using the terminal 10.

The mail servers 20-1 to 20-3 provide a mail service that manages the mail addresses of contracted users and relays the transmission and reception of e-mails corresponding to the mail addresses. In the present embodiment, the user of the terminal 10 subscribes to the mail service by the plurality of mail servers 20-1 to 20-3, so that the mail servers 20-1 to 20-3 provide the mail service. Each e-mail address is managed, and e-mails sent and received to the user's terminal 10 corresponding to the e-mail address are relayed.

In this embodiment, three mail servers 20-1 to 20-3 are illustrated, but the present invention is not limited to this example, and the mail server is used for each mail service used by the user of the terminal 10 by contracting. It will exist.

The check server 30 serves as a check device in the present invention, and checks whether the e-mail received by the terminal 10 is an illegal e-mail such as a virus e-mail or a phishing e-mail.

FIG. 2 is a block diagram showing the configuration of the terminal 10 shown in FIG. The illustration and description of the configuration not directly related to the operation of the present invention will be omitted.

As shown in FIG. 2, the terminal 10 shown in FIG. 1 includes a communication unit 11, a mail transmission / reception unit 12, a display unit 13, an input unit 14, a selection determination unit 15, a file creation unit 16, and a mail creation unit. It is configured to include a unit 17 and a storage unit 18.

The communication unit 11 is composed of, for example, a wired LAN or a wireless LAN network interface, and communicates with the mail servers 20-1 to 20-3 via wireless or wired communication.

The mail transmission / reception unit 12 serves as a mail transmission means in the present invention. The mail transmission / reception unit 12 transmits / receives e-mails to / from the mail servers 20-1 to 20-3 via the communication unit 11.

The display unit 13 is composed of, for example, a liquid crystal display or the like, and displays an e-mail or the like received by the mail transmission / reception unit 12.

The input unit 14 is composed of, for example, a keyboard, a touch panel laminated on the display unit 13, and the like, and is for inputting information.

The selection determination unit 15 and the input unit 14 serve as a selection reception means in the present invention. The selection determination unit 15 inputs an e-mail selection for checking whether the e-mail is a malicious e-mail such as a virus mail or a phishing e-mail from the e-mails received by the mail transmission / reception unit 12 and displayed on the display unit 13. It is accepted by the operation for the unit 14.

The file creation unit 16 serves as a file creation means in the present invention. The file creation unit 16 converts the selected e-mail received by the selection determination unit 15 into an electronic file including the header information.

The mail creation unit 17 serves as a mail creation means in the present invention. When the e-mail is converted into an electronic file by the file creation unit 16, the mail creation unit 17 attaches the electronic file as an attached file and creates an e-mail with the check server 30 as the destination. The mail transmission / reception unit 12, the selection determination unit 15, the file creation unit 16, and the mail creation unit 17 are composed of, for example, a CPU, a memory, and application software executed by them.

The storage unit 18 is composed of, for example, a hard disk device, a flash memory, or the like, and stores transmitted / received e-mails.

FIG. 3 is a block diagram showing the configuration of the check server 30 shown in FIG.

As shown in FIG. 3, the check server 30 shown in FIG. 1 includes a communication unit 31, an email transmission / reception unit 32, an email determination unit 33, a sender determination unit 34, an attachment file determination unit 35, and an attachment mail check. It is composed of a unit 36, a mail creation unit 37, and a storage unit 38.

The communication unit 31 is composed of, for example, a network interface of a wired LAN, and communicates with the mail servers 20-1 to 20-3 via the network 40.

The mail transmitting / receiving unit 32 serves as a mail receiving means in the present invention. The mail transmission / reception unit 32 receives the e-mail transmitted via the network 40 via the communication unit 31, and transmits the e-mail created by the mail creation unit 37 via the communication unit 31. The mail server for the check server 30 may have the function of the mail transmission / reception unit 32, and may be a device different from the check server 30.

The mail determination unit 33 serves as a second mail determination means in the present invention. The mail determination unit 33 determines whether or not the e-mail received by the mail transmission / reception unit 32 is an illegal mail.

The source determination unit 34 serves as a source determination means in the present invention. The sender determination unit 34 determines whether or not the sender of the e-mail received by the mail transmission / reception unit 32 is a pre-registered sender.

The attached file determination unit 35 serves as an attached file determination means in the present invention. The attachment file determination unit 35 determines whether or not the attachment file attached to the e-mail received by the mail transmission / reception unit 32 is an e-mail file (e-mail data converted into an electronic file).

The attached mail check unit 36 serves as the first mail determination means in the present invention. Based on the attached file attached to the e-mail received by the mail sending / receiving unit 32, the attached e-mail check unit 36 determines whether the e-mail as the attached file is an illegal e-mail such as a virus mail or a phishing e-mail. judge.

The mail creation unit 37, together with the mail transmission / reception unit 32, serves as a notification means in the present invention. The mail creation unit 37 creates an e-mail in which the result of the determination in the attached mail check unit 35 is posted. The mail transmission / reception unit 32, the mail determination unit 33, the sender determination unit 34, the attachment file determination unit 35, the attachment mail check unit 36, and the mail creation unit 37 are, for example, a CPU, a memory, and the like. It consists of application software that is executed.

The storage unit 38 is composed of, for example, a hard disk device or the like, and stores sent / received e-mails.

The operation method for checking whether or not the e-mail received by the terminal 10 in the e-mail check system configured as described above is an illegal e-mail such as a virus mail or a phishing mail will be described below.

FIG. 4 is a flowchart for explaining an operation method for checking whether or not the e-mail received by the terminal 10 is an illegal e-mail in the e-mail check system shown in FIGS. 1 to 3.

When an e-mail addressed to the e-mail address of the user who uses the terminal 10 is sent via the network 40, the mail server 20-1 to 20- that manages the e-mail address of the user by contracting with the user of the terminal 10. Of 3, the mail server corresponding to the e-mail address of the sent e-mail receives the e-mail sent via the network 40. In this example, it is assumed that the mail server corresponding to the mail address of the e-mail transmitted via the network 40 is the mail server 20-1. Therefore, the mail server 20-1 receives the e-mail transmitted via the network 40.

When the mail server 20-1 receives an e-mail addressed to the e-mail address of the user who uses the terminal 10 transmitted via the network 40, the received e-mail data corresponds to the e-mail address of the e-mail. Remember in your mailbox. After that, when an e-mail acquisition request is received from the terminal 10, the e-mail stored in the mailbox corresponding to the e-mail address of the user of the terminal 10 is read and transmitted to the terminal 10.

Then, the mail transmission / reception unit 12 of the terminal 10 receives the e-mail transmitted from the mail server 20-1 via the communication unit 11, and the storage unit 18 stores the received e-mail and a list of e-mails. Is displayed by the display unit 13 (step 1).

FIG. 5 is a diagram showing an example of a screen in which the terminal 10 displays a list of e-mails received from the mail server 20-1 on the display unit 13.

When the terminal 10 receives an e-mail from the mail server 20-1 while the terminal 10 is activating the mailer which is the application software corresponding to the mail service provided by the mail server 20-1, the display unit 13 displays the e-mail. As shown in FIG. 5, in order to request an index information 2 showing a list of e-mails received from the mail server 20-1 and a check whether the received e-mails are malicious e-mails such as virus mails and phishing e-mails. The e-mail list display screen 1 including the check request button 3 of is displayed. The index information 2 displays, for example, a stack of identification information for identifying each e-mail such as the title of the received e-mail, the date of reception, and the sender. The check request button 3 is described as "mail check" in FIG. 5, but the wording is not limited to this, and "mail forwarding" or the like may be used. Further, instead of displaying the button shape, it may be selected from the words displayed in the menu format. Here, when one of the e-mails displayed in the index information 2 is designated as a viewing target by the input unit 14 based on the operation of the user of the terminal 10, the terminal 10 is the electronic designated as the viewing target. The data including the body of the mail is read from the storage unit 18, and the e-mail display screen including the body of the read e-mail is displayed on the display unit 13. The check request button 3 described above may also be displayed on the e-mail display screen.

After that, based on the operation of the user of the terminal 10, the input unit 14 selects an e-mail requesting to check whether the e-mail displayed in the index information 2 is an illegal e-mail such as a virus e-mail or a phishing e-mail. At the same time, when the check request button 3 is pressed, the selection determination unit 15 of the terminal 10 accepts a check as to whether or not the selected e-mail is an illegal e-mail (step 2). Here, when the check request button 3 is pressed while the e-mail display screen including the body of the e-mail is displayed on the display unit 13, the displayed e-mail becomes the selected e-mail.

When the selection determination unit 15 accepts the check, the file creation unit 16 of the terminal 10 reads the data of the selected e-mail from the storage unit 18, converts it into an electronic file such as an eml file, and makes the electronic file of the e-mail (hereinafter, hereinafter,). The e-mail file) is temporarily saved in a memory or the like (step 3).

FIG. 6 is a diagram showing e-mail data to be converted into an electronic file by the file creation unit 16 of the terminal 10.

As shown in FIG. 6, the original data 4 of the e-mail received by the terminal 10 includes the source and destination of the e-mail, the subject, the date and time of transmission, and the e-mail in addition to the e-mail body 5 of the e-mail. The route to which the data was delivered, the mail software used by the sender, and the like are included as the header information 6. The file creation unit 16 creates an e-mail file by converting the original data 4 including the mail body 5 and the header information 6 into an electronic file.

Next, the mail creation unit 17 of the terminal 10 creates and creates an e-mail with the e-mail address of the check server 30 as the destination and the e-mail file created by the file creation unit 16 as an attachment. The mail transmission / reception unit 12 transmits the e-mail that has been sent via the communication unit 11 (step 4). At that time, the mail creation unit 17 may describe in the mail body the wording determined by the check server 30 and registered in the database. Note that the e-mail created by the mail creation unit 17 is not automatically transmitted by the mail transmission / reception unit 12, but the user of the terminal 10 sends the e-mail after the mail creation unit 17 creates the e-mail. The mail transmission / reception unit 12 may perform the instruction when the instruction is input via the input unit 14. In addition, after sending the e-mail, the temporarily saved e-mail file may be deleted.

The e-mail transmitted from the communication unit 11 of the terminal 10 is received by the check server 30 via the mail server 20-1 and the network 40.

In the check server 30, when the mail transmission / reception unit 32 receives the e-mail transmitted from the terminal 10 via the communication unit 31 (step 5), the e-mail is stored in the storage unit 38, and the mail determination unit 33 receives the e-mail. It is determined whether or not the e-mail received by the mail transmission / reception unit 32 is an illegal e-mail such as a virus mail (step 6). This can be determined by a well-known technique using a database or the like.

When it is determined that the e-mail received by the mail transmission / reception unit 32 is not an illegal mail, the sender determination unit 34 then determines that the sender of the e-mail received by the mail transmission / reception unit 32 is the check server. It is determined whether or not the e-mail address of the user is registered in advance by contracting with 30 (step 7). Specifically, in the determination of the sender of the e-mail by the sender determination unit 34, the email address of the user who has made a contract with the check server 30 is registered in the database, and the sender determination unit 34 receives the e-mail. This is done by searching for the email address from which the email was sent and the email address registered in this database. Further, for example, when the e-mail transmitted from the terminal 10 contains the wording determined by the specified conditions with the check server 30 as described above, the sender determination unit In 34, the sender of the e-mail received by the mail transmission / reception unit 32 is determined by whether or not the same wording as the wording registered in the database is described in the e-mail received by the mail transmission / reception unit 32. It is possible to determine whether or not the terminal is a terminal of a user registered in advance. In addition, the wording to be described in the e-mail is changed by the check server 30 to the terminal 10 according to the specified conditions (eg, created based on a unique key, changed every predetermined period, etc.). It can be changed by sending a wording, which can improve security. Further, the sender determination unit 34 may determine the sender of the e-mail by combining the sender e-mail address and the wording, and the database has a contract according to the determination method of the sender of the e-mail. The e-mail address of the user who made the contract and the wording determined by the specified conditions may be stored in association with each other, or one of them may be stored.

When it is determined that the sender of the e-mail received by the e-mail transmission / reception unit 32 is the e-mail address of the user registered in advance, the attachment file determination unit 35 is then received by the e-mail transmission / reception unit 32. It is determined whether or not the attached file attached to the e-mail is an e-mail (e-mail data converted into an electronic file) (step 8). Specifically, for example, the attached file determination unit 35 analyzes the data content of the attached file, compares it with the format of the reference e-mail data stored in advance, and determines. Here, it may be determined not only whether the attached file is an e-mail but also whether it is an e-mail sent to the e-mail address of the contracted user. The operation order of steps 6 to 8 may be other than this order.

Then, when it is determined that the attached file attached to the e-mail received by the mail sending / receiving unit 32 is an e-mail (e-mail data converted into an electronic file), the attached mail checking unit 36 moves the mail sending / receiving unit 36. The attached file is taken out from the e-mail received in 32, and it is determined whether or not the e-mail by the taken-out attached file is a malicious mail such as a virus mail or a phishing mail (step 9). Specifically, as described above, the data content of the e-mail file as an attached file includes the sender and destination of the e-mail, the subject, the date and time of transmission, and further, in addition to the e-mail body of the e-mail. Since the route to which the e-mail was delivered, the e-mail software used by the sender, etc. are included as header information, the attached e-mail check unit 36 includes the header information, the text, etc. included in the data of the e-mail file as the attached file. Based on the above, it is determined whether or not the e-mail by the attached file is an e-mail such as a virus e-mail or a phishing e-mail by using a database or the like in which the criterion information indicating the genuine e-mail or the fraudulent e-mail is stored. At this time, an identification number (characters or symbols may be included) that can identify each determination result may be generated and stored in association with the e-mail stored in the storage unit 38. ..

After that, the mail creation unit 37 is an e-mail (hereinafter referred to as a reply e-mail) in which the sender e-mail address of the e-mail received by the e-mail transmission / reception unit 32 is set as the destination and the determination result is replied to the subject. Create a reply e-mail that describes the default identification phrase (example: [judgment result], etc.) indicating that and the title of the e-mail attached as an attached file, and describes the judgment result of the attached e-mail check unit 36 in the text. Then, the mail transmission / reception unit 32 transmits the reply mail via the communication unit 31 (step 10). In addition, a symbol (eg, "true" or "false") that simply indicates the judgment result may be added to the title, and the above-mentioned identification number of the judgment result, the title of the e-mail attached as an attachment, etc. may be added to the text. May be described.

The reply mail sent from the check server 30 is received by the terminal 10 via the network 40 and the mail server 20-1. The explanation of the operation from the mail server 20-1 receiving the reply mail to the terminal 10 is described by sending an e-mail addressed to the mail address of the user who uses the terminal 10 by the mail server 20-1 as described above. This is omitted because it is the same as the operation from receiving and storing in the mailbox to transmitting to the terminal 10 according to the request for acquiring the e-mail from the terminal 10.

In the terminal 10, the mail transmission / reception unit 12 receives the reply mail sent from the check server 30 via the communication unit 11, the storage unit 18 stores the received reply mail, and the display unit 13 is displaying. The subject and sender of the reply mail are reflected in the index information 2 of the e-mail list display screen and displayed (step 11).

When the reply mail is specified by the input unit 14 from the e-mails included in the index information 2 displayed on the display unit 13 by the user of the terminal 10, the storage unit 18 reads the text of the designated reply mail. The display unit 13 displays. As a result, the user can know whether or not the e-mail selected in step 2 is a fraudulent e-mail by viewing the body of the displayed reply e-mail. At that time, since the title of the reply mail includes the title of the e-mail selected in step 2, the user of the terminal 10 can easily identify which e-mail is the result of the check. be able to. Furthermore, by writing the response result symbol in the title of the reply mail, the result of the e-mail check can be easily determined by looking at the mail index information 2 of the received mail list without checking the body of the reply mail. it can.

As described above, in the present embodiment, when the user of the terminal 10 requests the check of whether or not the e-mail received by the terminal 10 is an illegal mail, the e-mail requested to check the e-mail is the header information. An e-mail that has been converted into an e-mail including the e-mail and the e-mail is attached is sent to the check server 30, and the e-mail requested to be checked is sent to the check server 30 based on the e-mail data of the attached file. Since it is determined whether or not the email is fraudulent, the cost is not high even when using a plurality of email services, and the fraudulent email can be checked with a simple configuration.

At that time, the check server 30 determines whether the e-mail received by the mail transmission / reception unit 32 is an illegal e-mail such as a virus mail, and then only the e-mail determined not to be an illegal e-mail is terminal. By determining whether or not the e-mail selected in 10 is fraudulent mail, the check server 30 can avoid erroneous determination due to fraudulent mail.

Further, when the check server 30 determines whether or not the sender of the e-mail received by the mail transmission / reception unit 32 is a pre-registered user, and then determines that the e-mail is a pre-registered user. Only, by determining whether or not the e-mail selected by the terminal 10 is an illegal e-mail, the service can be provided only to the user who has a contract with the check server 30.

Further, the check server 30 determines whether or not the attached file attached to the e-mail received by the mail sending / receiving unit 32 is an e-mail (e-mail data converted into an electronic file), and the attached file is an e-mail. Unnecessary processing in the check server 30 by determining whether the e-mail selected by the terminal 10 is an illegal e-mail only when it is determined that the e-mail data is (e-mail data converted into an electronic file). It is possible to avoid doing.

(Second Embodiment)
FIG. 7 is a diagram showing a second embodiment of the e-mail check system of the present invention.

As shown in FIG. 7, the e-mail check system in this embodiment is configured to include terminals 10-1 to 10-n, a mail server 203, a check server 30, and a network 40 such as the Internet, so-called. It is a Web mail system, and the mail server 20 has a function such as creation of an attached file possessed by the terminal 10 shown in FIG. The description of the same configuration as that of the first embodiment will be omitted.

The terminals 10-1 to 10-n are operated by a user who uses this system, such as a personal computer, a smartphone, a mobile phone, etc., and the user sends an e-mail using the terminals 10-1 to 10-n. Send and receive. Note that n is an integer, and the number of terminals owned by each user varies.

The mail server 20 is a user-side device in the present invention. The mail server 20 manages the mail address of the contracted user, and provides a mail service that relays the transmission and reception of e-mail to the terminal used by the user at that mail address. In the present embodiment, the user of the terminals 10-1 to 10-n subscribes to the mail service by the mail server 20, so that the mail server 20 manages the user's mail address and the terminals 10-1 to 1 to 1 The e-mail sent and received for 10-n will be relayed. The mail server may have a mail server other than the mail server 20 that manages different mail addresses of users.

The check server 30 is a check device according to the present invention, and has the same configuration as that shown in FIG. 1 and described in the first embodiment.

FIG. 8 is a block diagram showing the configuration of the mail server 20 shown in FIG. 7.

As shown in FIG. 8, the mail server 20 shown in FIG. 7 includes a communication unit 21, a mail transmission / reception unit 22, a selection determination unit 23, a file creation unit 24, a mail creation unit 25, and a mailbox 26. It is configured to have.

The communication unit 21 is composed of, for example, a network interface of a wired LAN, and communicates with terminals 10-1 to 10-n and network 40.

The mail transmission / reception unit 22 serves as a mail transmission means in the present invention. The mail transmission / reception unit 22 transmits / receives e-mails to / from terminals 10-1 to 10-n and the network 40 via the communication unit 21.

The selection determination unit 23 serves as a selection receiving means in the present invention. The selection determination unit 23 checks whether or not the e-mails received from the network 40 by the mail transmission / reception unit 22 and sent to the terminals 10-1 to 10-n are malicious e-mails such as virus mails and phishing e-mails. The selection of the e-mail to be sent is accepted by the operation for the terminals 10-1 to 10-n.

The file creation unit 24 is a file creation means in the present invention. The file creation unit 24 converts the selected e-mail received by the selection determination unit 23 into an electronic file including the header information.

The mail creation unit 25 serves as a mail creation means in the present invention. When the file creation unit 24 converts an e-mail into an electronic file, the mail creation unit 25 attaches the electronic file as an attached file and creates an e-mail with the check server 30 as a destination. The mail transmission / reception unit 22, the selection determination unit 23, the file creation unit 24, and the mail creation unit 25 are composed of, for example, a CPU, a memory, and application software executed by them.

The mailbox 26 is composed of, for example, a hard disk device, a flash memory, or the like, stores e-mails addressed to an e-mail address managed by the mail server 20, and is specified to be viewed from the terminals 10-1 to 10-n. E-mail screen information of e-mail is transmitted to 1 to 10-n.

Below, in the e-mail check system configured as described above, it is checked whether the e-mail received to the e-mail address of the user who uses the terminal 10-1 is malicious e-mail such as virus mail or phishing mail. The operation method to be performed will be described.

FIG. 9 describes an operation method for checking whether or not the e-mail received to the e-mail address of the user who uses the terminal 10-1 in the e-mail check system shown in FIGS. 7 and 8 is an illegal e-mail. It is a flowchart for.

When an e-mail addressed to the e-mail address of the user who uses the terminal 10-1 is transmitted via the network 40, the mail server 20 which manages the e-mail address of the user by contracting with the user of the terminal 10-1 , The mail transmission / reception unit 22 receives the e-mail transmitted via the network 40 via the communication unit 21 (step 101).

When the mail server 20 receives an e-mail addressed to the e-mail address of the user who uses the terminal 10-1 transmitted via the network 40, the mail server 20 stores the received e-mail in the mailbox 26 corresponding to the e-mail address. .. Further, the mail server 20 push-notifies the terminal 10-1 that the e-mail addressed to the e-mail address of the user who uses the terminal 10-1 has been received (step 102). This notification includes information indicating the sender and subject of the e-mail addressed to the e-mail address of the user who uses the terminal 10-1. Further, the mail server 20 responds to a communication confirming whether or not an e-mail periodically transmitted from the terminal 10-1 to the mail server 20 has been received instead of the push notification from the mail server 20. The terminal 10-1 may be notified that an e-mail addressed to the mail address of the user who uses the terminal 10-1 has been received.

When the terminal 10-1 receives the notification from the mail server 20, the terminal 10-1 receives the information indicating the sender and the subject of the e-mail to the e-mail address of the user who uses the terminal 10-1 included in the notification. It is displayed on the display as a result. In response to this display, when the user operates the input unit and instructs the mail application or WEB browser installed in the terminal 10-1 to display the e-mail list, the terminal 10-1 is set to the mail server by the communication unit. A request for displaying a list of e-mails addressed to the user's e-mail address is sent to 20. When the mail server 20 receives a request for displaying a list of e-mails addressed to the e-mail address of the user who uses the terminal 10-1 from the terminal 10-1, the mail server 20 receives the e-mail stored in the mailbox 26 corresponding to the e-mail address. The e-mail list display screen information including the index information indicating the sender and the subject is transmitted to the terminal 10-1. When the terminal 10-1 receives the e-mail list display screen information, the terminal 10-1 displays the e-mail list display screen including the index information (step 103). At this time, on the displayed e-mail list display screen, a check for requesting a check as to whether the received e-mail is a malicious e-mail such as a virus mail or a phishing mail is similar to that shown in FIG. The request button is displayed on the terminal 10-1. The check request button may be included in the e-mail list display screen and sent to the terminal 10-1 by the mail server 20, or may be stored in the terminal 10-1 in advance. In addition, the e-mail list display screen, index information, and check request button displayed on the terminal 10-1 are the same as those in the first embodiment, and thus detailed description thereof will be omitted. Here, when one of the e-mails displayed in the index information is designated as a browsing target by the input unit of the terminal 10-1 based on the operation of the user of the terminal 10-1, the mail server 20 performs the browsing. The data including the body of the e-mail designated as the target is read from the corresponding mailbox 26, and the e-mail display screen information including the body of the read e-mail is transmitted to the terminal 10-1. The above-mentioned check request button may also be displayed on the e-mail display screen that receives the e-mail display screen information and displays it on the display unit of the terminal 10-1.

After that, among the e-mails included in the e-mail list display screen displayed as index information by the input unit of the terminal 10-1 based on the operation of the user of the terminal 10-1, a malicious e-mail such as a virus mail or a phishing mail is used. When an e-mail requesting a check for existence is selected and the check request button is pressed, the terminal 10-1 is pressed with an e-mail identifier that identifies the selected e-mail and a check request button. A check request identifier indicating that effect is transmitted to the mail server 20 (step 104). Here, when the check request button 3 is pressed while the e-mail display screen including the body of the e-mail is displayed on the display unit of the terminal 10-1, the displayed e-mail is selected. It becomes an e-mail, and an e-mail identifier that identifies the displayed e-mail is sent to the mail server 20. When the selection determination unit 23 of the mail server 20 receives the e-mail identifier and the check request identifier via the communication unit 21, it requests a check whether the e-mail specified by the e-mail identifier is an illegal mail. Accept (step 105).

When the selection determination unit 23 receives the check request, the file creation unit 24 of the mail server 20 takes out the e-mail data specified by the e-mail identifier from the mailbox 26, converts it into an electronic file such as an eml file, and makes the electronic file. The mail file is primarily saved in a memory or the like (step 106). At this time, similarly to the file creation unit 16 shown in FIG. 2 and described in the first embodiment, the file creation unit 24 electronically files the original data including the body and header information of the e-mail shown in FIG. Create an e-mail file by converting.

Next, the mail creation unit 25 of the mail server 20 is created by the file creation unit 24 with the mail address of the check server 30 as the transmission destination and the mail address of the user who uses the terminal 10-1 as the transmission source. An e-mail with an e-mail file attached as an attached file is created, and the e-mail transmission / reception unit 22 transmits the created e-mail via the communication unit 21 (step 107). At that time, the mail creation unit 25 may describe the wording determined by the specified conditions with the check server 30 in the mail body.

The e-mail transmitted from the communication unit 21 of the mail server 20 is received by the check server 30 via the network 40.

In the check server 30, when the mail transmission / reception unit 32 receives the e-mail transmitted from the mail server 20 via the communication unit 31 (step 108), the e-mail is stored in the storage unit 38 and the mail determination unit 33 stores the e-mail. , It is determined whether or not the e-mail received by the mail sending / receiving unit 32 is an illegal e-mail such as a virus e-mail (step 109). This can be determined by a well-known technique using a database or the like.

When it is determined that the e-mail received by the mail transmission / reception unit 32 is not an illegal mail, the sender determination unit 34 then determines that the sender of the e-mail received by the mail transmission / reception unit 32 is the check server. It is determined whether or not the e-mail address of the user is registered in advance by contracting with 30 (step 110). Specifically, in the determination of the sender of the e-mail by the sender determination unit 34, the email address of the user who has made a contract with the check server 30 is registered in the database, and the sender determination unit 34 receives the e-mail. This is done by searching for the email address from which the email was sent and the email address registered in this database. Further, for example, when the e-mail sent from the mail server 20 contains the wording determined by the specified conditions with the check server 30 as described above, the sender is determined. In section 34, the sender of the e-mail received by the mail sending / receiving unit 32 depends on whether or not the e-mail received by the mail sending / receiving unit 32 contains the same wording as the wording registered in the database. , It is possible to determine whether or not the terminal is a pre-registered user's terminal. In addition, the wording to be described in the e-mail is changed by the check server 30 to the mail server 20 according to the specified conditions (eg, created based on a unique key, changed every fixed period, etc.). It can be changed by sending the wording, thereby improving security. Further, the sender determination unit 34 may determine the sender of the e-mail by combining the sender e-mail address and the wording, and the database has a contract according to the determination method of the sender of the e-mail. The e-mail address of the user and the wording determined by the specified conditions may be stored in association with each other, or one of them may be stored.

When it is determined that the sender of the e-mail received by the e-mail transmission / reception unit 32 is the e-mail address of the user registered in advance, the attachment file determination unit 35 is then received by the e-mail transmission / reception unit 32. It is determined whether or not the attached file attached to the e-mail is an e-mail (e-mail data converted into an electronic file) (step 111). Specifically, for example, the attached file determination unit 35 analyzes the data content of the attached file, compares it with the format of the reference e-mail data stored in advance, and determines. Here, it may be determined not only whether the attached file is an e-mail but also whether it is an e-mail sent to the e-mail address of the contracted user. The operation order from steps 109 to 111 may be other than this order.

Then, when it is determined that the attached file attached to the e-mail received by the mail sending / receiving unit 32 is an e-mail (e-mail data converted into an electronic file), the attached mail checking unit 36 moves the mail sending / receiving unit 36. The attached file is taken out from the e-mail received in 32, and it is determined whether or not the e-mail by the taken out attached file is an illegal mail such as a virus mail or a phishing mail (step 112). Specifically, as described above, the data content of the e-mail file as an attached file includes the sender and destination of the e-mail, the subject, the date and time of transmission, and further, in addition to the e-mail body of the e-mail. Since the route to which the e-mail was delivered, the e-mail software used by the sender, etc. are included as header information, the attached e-mail check unit 36 includes the header information, the text, etc. included in the e-mail file data as the attached file. Based on this, it is possible to determine whether the e-mail by the attached file is an e-mail such as a virus e-mail or a phishing e-mail by using a database or the like in which the determination criterion information indicating the genuine e-mail or the fraudulent e-mail is stored. At this time, an identification number (characters or symbols may be included) that can identify each determination result may be generated and stored in association with the e-mail stored in the storage unit 38. ..

After that, the mail creation unit 37 is an e-mail (hereinafter referred to as a reply e-mail) in which the sender e-mail address of the e-mail received by the e-mail transmission / reception unit 32 is set as the destination and the determination result is replied to the subject. Create a reply e-mail that describes the default identification phrase (example: [judgment result], etc.) indicating that and the title of the e-mail attached as an attached file, and describes the judgment result of the attached e-mail check unit 36 in the text. Then, the mail transmission / reception unit 32 transmits the reply mail via the communication unit 31 (step 113). In addition, a symbol (eg, "true" or "false") that simply indicates the judgment result may be added to the title, and the above-mentioned identification number of the judgment result, the title of the e-mail attached as an attachment, etc. may be added to the text. May be described.

The reply mail sent from the check server 30 is received by the mail server 20 via the network 40 (step 114). The description of the operation of receiving the reply mail by the mail server 20 is the same as the operation of receiving the e-mail in step 101, and thus the details will be omitted.

In the mail server 20, when the mail sending / receiving unit 22 receives the reply mail via the communication unit 21, the received reply mail is stored in the mailbox 26. Further, the mail server 20 indicates that the terminal 10-1 has received an e-mail addressed to the e-mail address of the user who uses the terminal 10-1 (here, the received e-mail is described as only a reply e-mail). Is pushed (step 115). This notification includes information indicating the sender and the subject of the reply mail addressed to the mail address of the user who uses the terminal 10-1. Here, in step 103, since the e-mail list display screen is already displayed on the display unit by the mail application, the WEB browser, or the like on the terminal 10-1, the push notification is omitted and the sender of the received reply mail is sent. The e-mail list display screen information in which the information indicating the title or the title is reflected in the index information may be transmitted to the terminal 10-1. If the display of the e-mail list display screen is finished, the same process as in steps 102 to 103 is performed.

When the terminal 10-1 receives the e-mail list display screen information from the mail server 20 via the communication unit (step 116), the reply mail addressed to the e-mail address of the user who uses the terminal 10-1 included in this notification. Display the e-mail list display screen that contains the index information that reflects the information indicating the sender and subject of. The e-mail list display screen is the same as that described in FIG. 5 and step 103.

After that, the reply mail sent from the check server 30 among the e-mails included in the e-mail list display screen displayed as index information is sent by the input unit of the terminal 10-1 based on the operation of the user of the terminal 10-1. When viewing of the reply mail is specified by designating it as a viewing target, the terminal 10-1 sets an e-mail identifier that identifies the specified e-mail and a viewing identifier indicating that it has been designated as a viewing target as a mail server. It is transmitted to 20 (step 117). When the e-mail identifier and the browsing identifier are received by the mail server 20 via the communication unit 21, the mail server 20 accepts the designation of browsing the e-mail specified by the e-mail identifier (step 118). At this time, the index information transmitted from the mail server 20 to the terminal 10-1 includes information indicating the subject of the e-mail as described above, and the subject of the reply e-mail is the terminal 10 in step 104. Since the subject of the e-mail selected by the user of -1 is included, the user of the terminal 10-1 can easily identify the reply e-mail from the check server 30. Further, if the check server 30 adds a symbol indicating the determination result to the title of the reply mail, the judgment result of the reply mail can be easily identified when the index information is displayed.

When the e-mail viewing designation is accepted by the mail server 20, the mail sending / receiving unit 22 of the mail server 20 includes an e-mail including the body of the reply e-mail specified as the e-mail specified by the e-mail identifier. The screen information is taken out from the mailbox 26 and transmitted to the terminal 10-1 via the communication unit 21 (step 119).

The e-mail screen information of the reply mail sent from the mail server 20 is received by the terminal 10-1 via the communication unit, and is displayed as an e-mail screen on the display unit (step 120).

The user of the terminal 10-1 can know whether or not the e-mail selected in step 104 is an illegal e-mail by viewing the body of the reply e-mail displayed on the display unit of the terminal 10-1.

As described above, also in this embodiment, when the user of the terminal 10-1 requests a check for the e-mail received by the terminal 10-1, the e-mail requested to check the e-mail is displayed. , The e-mail including the header information is converted into an electronic file, and the e-mail with the electronic file attached as an attached file is sent from the mail server 20 to the check server 30, and the check server 30 includes the header information and the like included in the attached file. Based on the e-mail data of, it is determined whether the e-mail requested to be checked is fraudulent e-mail, so even if you are using multiple e-mail services, the cost will not be high and it will be simple. You can check for malicious emails with a simple configuration.

1 E-mail list display screen 2 Index information 3 Check request button 4 Original data 5 E-mail body 6 Header information 10,10-1-10-3 Terminal 11,21,31 Communication unit 12,22,32 E-mail transmission / reception unit 13 Display unit 14 Input unit 15, 23 Selection judgment unit 16, 24 File creation unit 17, 25, 37 Mail creation unit 18, 38 Storage unit 20, 20-1 to 20-3 Mail server 26 Mailbox 30 Check server 33 Mail judgment unit 34 Source Judgment Unit 35 Attached File Judgment Unit 36 Attached E-mail Checking Unit 40 Network

Claims (9)

The user-side device that receives the e-mail and
It has a check device for checking whether the e-mail received by the user-side device is an illegal mail.
The user-side device
A selection receiving means that accepts the selection of an e-mail that checks whether it is the above-mentioned fraudulent e-mail from the received e-mails,
A file creation method that converts the selected e-mail into an electronic file including header information,
An e-mail creation means for creating an e-mail with the electronic file as an attachment while using the check device as a transmission destination.
It has a mail sending means for sending an e-mail created by the mail creating means to the check device.
The check device
An e-mail receiving means for receiving an e-mail transmitted from the user-side device, and
Based on the attached file attached to the received e-mail, the first e-mail determination means for determining whether or not the e-mail as the attached file is an illegal e-mail, and
An e-mail check system having a notification means for notifying the user-side device of the result of the determination. In the email check system according to claim 1,
The check device has a second mail determination means for determining whether or not the e-mail received by the mail receiving means is an illegal mail.
In the first e-mail determination means, only the e-mail determined by the second e-mail determination means to be not a fraudulent e-mail, and the e-mail as an attachment attached to the e-mail is a fraudulent e-mail. An email check system that determines if. In the email check system according to claim 1 or 2.
The check device has an attachment file determining means for determining whether or not the attachment file attached to the e-mail received by the mail receiving means is the e-mail data converted into an electronic file.
The first e-mail determination means is an e-mail as an attached file only when the attached file attached to the e-mail received by the e-mail receiving means is e-mail data converted into an electronic file. An email check system that determines if is a malicious email. In the e-mail check system according to any one of claims 1 to 3.
The check device has a sender determining means for determining whether or not the sender of the e-mail received by the mail receiving means is a pre-registered sender.
The first e-mail determination means is an e-mail as an attachment file attached to the e-mail only for the e-mail whose sender is determined to be a pre-registered sender by the sender determination means. An email check system that determines if is a malicious email. In the email check system according to claim 4,
The mail composing means sends the check device as a transmission destination, attaches the attached file, and further creates an e-mail in which the wording determined by the prescribed conditions received from the check device is described.
The sender determining means determines whether or not the sender of the e-mail is a pre-registered sender depending on whether or not the wording is described in the e-mail received by the mail receiving means. Email check system. In the e-mail check system according to any one of claims 1 to 5.
The notification means is an e-mail in which the title of the e-mail attached to the attached file, a default identification phrase indicating that the e-mail is an e-mail for replying to the determination result, and a symbol indicating the determination result are described in the title. An e-mail check system that notifies the user-side device of the result of the determination. A check device that checks whether the e-mail received by the user's device is malicious.
An e-mail sent from the user-side device and selected from the e-mails received by the user-side device is an e-mail to which an attached file is attached, which is an electronic file including header information. Receiving means and
Based on the attached file attached to the received e-mail, the first e-mail determination means for determining whether or not the e-mail as the attached file is an illegal e-mail, and
A check device having a notification means for notifying the user side device of the result of the determination. An e-mail check method in an e-mail check system having a user-side device for receiving e-mail and a check device for checking whether or not the e-mail received by the user-side device is fraudulent mail.
A step in which the user-side device accepts a selection of an e-mail for checking whether or not the e-mail is a malicious e-mail from the received e-mails.
A step in which the user-side device converts the selected e-mail into an electronic file including header information.
A step in which the user-side device creates an e-mail with the check device as a transmission destination and the electronic file as an attachment.
A step in which the user-side device sends an e-mail with the attached file to the check device.
The step of receiving the e-mail sent from the user-side device by the check device, and
Based on the attachment file attached to the received e-mail, the check device determines whether or not the e-mail as the attachment is an illegal mail.
An e-mail check method, wherein the check device includes a step of notifying the user side device of the result of the determination. This is an e-mail check method in the check device that checks whether the e-mail received by the user-side device is malicious.
The check device is sent from the user-side device, and an e-mail selected from the e-mails received by the user-side device is attached as an electronic file including header information. Steps to receive emails and
Based on the attachment file attached to the received e-mail, the check device determines whether or not the e-mail as the attachment is an illegal mail.
An e-mail check method, wherein the check device includes a step of notifying the user side device of the result of the determination.

Images