JP2023118768A - Information processing device, information processing method, and program - Google Patents

Abstract

To determine whether a password-protected compressed file attached to an email is appropriate.SOLUTION: An information processing device includes a separation notification unit 20 that stores an email in a temporary save area and notifies a recipient of the email that the email is stored or has been stored in the temporary save area when the received email has a password-protected first compressed file attached, a decompression unit 30 that decompresses the first compressed file and extracts the first file when the password is input, and a determination processing unit 40 that determines whether the first file is appropriate for the first file.SELECTED DRAWING: Figure 1

Description

The present invention relates to an information processing apparatus, information processing method, and program for processing compressed files.

Since there is a risk of virus infection by conventionally received e-mails, it has been proposed to filter such e-mails. For example, Japanese Patent Application Laid-Open No. 2002-200013 discloses a method for dealing with so-called "spoofing" e-mails. It is disclosed to use a web mail server that

If a compressed file with a password is attached to an e-mail, it is impossible to judge the appropriateness of the file. For this reason, it is not possible to determine inappropriate e-mails such as sender disguised by using compressed files.

JP 2012-78922 A

The present invention provides an information processing apparatus, a program, a recording medium, and an information processing method capable of determining whether or not a compressed file with a password attached to an e-mail is appropriate.

An information processing device according to the present invention includes:
If the first compressed file with a password is attached to the received e-mail, the e-mail is stored in the temporary save area and the e-mail is stored in the temporary save area or is stored. a separation notification unit that notifies the recipient of the e-mail;
a decompression unit for decompressing the first compressed file and extracting the first file in response to input of the password;
a judgment processing unit for judging whether the first file is appropriate for the first file;
may be provided.

In the information processing device according to the present invention,
The determination processing unit transmits the e-mail to the recipient when the first file is determined to be appropriate, and performs a predetermined action when the first file is determined to be inappropriate. may be sent to the recipient after performing the action.

In the information processing device according to the present invention,
When the determination processing unit transmits the e-mail to the recipient, the determination processing unit may attach the first compressed file after resetting the password to the e-mail.

In the information processing device according to the present invention,
When the determination processing unit transmits the e-mail to the recipient, the determination processing unit may transmit the password-unlocked first compressed file to the recipient.

An information processing device according to the present invention includes:
further comprising a storage unit for storing permitted transmission sources,
When the sender is the authorized sender, even if the first compressed file with a password is attached to the e-mail, the determination processing unit The first file may be sent to the recipient of the e-mail without determining whether it is suitable.

In the information processing device according to the present invention,
The determination processing unit may delete the first compressed file that has not been decompressed by the decompression unit and transmit the e-mail to the recipient.

In the information processing device according to the present invention,
When an n+1-th compressed file ("n" is an integer equal to or greater than 1) is stored in the n-th compressed file decompressed by the decompression unit, the determination processing unit determines that the n+1-th compressed file exists. notify the recipient of said e-mail;
The decompression unit decompresses the n+1-th compressed file by inputting the password and takes out the n+1-th file,
The determination processing unit may determine whether the n+1th file is appropriate for the n+1th file.

In the information processing device according to the present invention,
When the n+1-th compressed file is stored in the n-th compressed file ("n" is an integer equal to or greater than 1) decompressed by the decompression unit, the decompression unit may automatically input the password.

In the information processing device according to the present invention,
When the (n+1)th compressed file is not decompressed by the password automatically input by the decompression unit, the judgment processing unit may notify the recipient of the e-mail that the (n+1)th compressed file exists. .

In the information processing device according to the present invention,
When a plurality of n+1-th compressed files are stored in the n-th compressed file decompressed by the decompressing unit, the determination processing unit appropriately determines the n+1-th file in the decompressed n+1-th compressed file. The nature of the file may be determined, and the (n+1)th compressed file that has not been decompressed may be deleted.

In the information processing device according to the present invention,
An upper limit number of layers to be decompressed by the decompression unit is set in advance, and when the upper limit number is exceeded, the decompression unit may not decompress the compressed file.

The information processing method according to the present invention comprises:
If the first compressed file with a password is attached to the received e-mail, the e-mail is stored in the temporary save area and the e-mail is stored in the temporary save area or is stored. notifying recipients of said email;
decompressing the first compressed file to retrieve a first file upon input of the password;
determining whether the first file is appropriate for the first file;
may be provided.

A program according to the present invention comprises:
A program for causing an information processing apparatus to execute an information processing method,
The information processing device is
If the first compressed file with a password is attached to the received e-mail, the e-mail is stored in the temporary save area and the e-mail is stored in the temporary save area or is stored. notifying recipients of said email;
decompressing the first compressed file to retrieve a first file upon input of the password;
determining whether the first file is appropriate for the first file;
You may perform the information processing method provided with.

The recording medium according to the present invention is
You may record the program mentioned above.

In the present invention, when a compressed file with a password is attached to a received e-mail, the e-mail is stored in the temporary save area, and the e-mail is stored in the temporary save area. When the recipient of the e-mail is notified of the fact, the password is entered, the compressed file is decompressed, the file is taken out, and it is determined whether the file is appropriate for the file. can quickly determine suitability for files stored in compressed files with passwords.

The figure which showed an example of the flow of a process by embodiment of this invention. 1 is a block diagram of an information processing device that can be used in an embodiment of the present invention; FIG. The figure which showed the aspect of camouflage regarding the link destination information which can be used by embodiment of this invention. The figure which showed an example of the notification screen which can be used by embodiment of this invention. The figure which showed an example of the password input screen which can be used by embodiment of this invention. The figure which showed an example of the hierarchy of the compressed file which can be used by embodiment of this invention. The figure which showed an example of the processing content at the time of decompressing the compressed file which can be used by embodiment of this invention.

Embodiment <Configuration>
BEST MODE FOR CARRYING OUT THE INVENTION Hereinafter, embodiments of an information processing apparatus according to the present invention will be described with reference to the drawings. In this embodiment, "or" also includes the meaning of "and". That is, A or B in this embodiment means either A, B, or A and B.

The information processing apparatus according to the present embodiment may be composed of one device, or may be composed of a plurality of devices. When the information processing device is composed of a plurality of devices, the devices constituting the information processing device may be installed in different rooms or different places, and a part of the information processing device and the rest of the information processing device may be installed in remote locations. may be placed in

The information processing apparatus according to the present embodiment may be provided in an internal network, may be provided in a boundary (DMZ: DeMilitarized Zone) connecting an internal network and an external network, or may be provided in an external network. good too. The information processing device may be an MTA (Message Transfer Agent).

As shown in FIG. 2, the information processing apparatus of the present embodiment includes a storage unit 10 including a temporary save area, and when a first compressed file with a password set is attached to a received e-mail, the e-mail A separation notification unit 20 (see (2) in FIG. 1) that stores the mail in the temporary save area and notifies the receiver of the e-mail that the e-mail is stored or has been stored in the temporary save area; is input, the decompression unit 30 extracts the first file by decompressing the first compressed file, the determination processing unit 40 determines whether the first file is appropriate for the first file, may have A password for the first compressed file may be entered by the recipient of the notified e-mail (see (3) in FIG. 1). When making a disguise judgment to determine whether or not the data is disguised, the temporary saving may be canceled and the data may be moved from the temporary saving area to another area. As a compressed file, for example, a ZIP format file can be mentioned. The recipient of the e-mail is, for example, the e-mail address described in "Envelope To".

If it is not known whether a password has been set for the first compressed file, the judgment processing unit 40 may judge whether the transmission source is appropriate or not within a possible range. Note that a mode of determining whether or not the transmission source is appropriate will be described later. The determination processing unit 40 may also determine whether or not a file that is not compressed (normal file) is appropriate. The first compressed file and the uncompressed file (normal file) determined to be inappropriate by the determination processing unit 40 may be deleted by the determination processing unit 40 .

As shown in FIG. 2 , the storage unit 10 may be provided with a first storage unit 11 for storing received e-mails and a second storage unit 12 isolated from the first storage unit 11 . If the determination processing unit 40 determines that the source of the e-mail is inappropriate, such as when the source information of the e-mail is disguised, the e-mail is sent to a second directory such as a dedicated directory. It may be stored in the storage unit 12 .

E-mails separated by the separation notification unit 20 and stored in the temporary save area may be handled as e-mails waiting for inspection, and may enter a password input waiting state. At this time, the e-mail and the files such as the first compressed file may be stored without being separated. Employing such a mode is advantageous in that it saves the trouble of associating the e-mail with the file attached to the e-mail later. However, it is not limited to such a mode, and files such as the first compressed file may be stored separately from the e-mail.

The notification to the receiver of the e-mail from the separation notification unit 20 may be performed immediately after the e-mail is separated and stored in a temporary save destination, or may be repeatedly performed at predetermined intervals until the password is entered. The predetermined interval may be 24 hours. For example, once a day, the notification may be issued at a set time.

The predetermined interval at which notifications are made may decrease over time, with notifications at first hourly intervals until the first period of time elapses, and then at second time intervals (second time < You may make it notify at intervals of 1st time). If such a mode is adopted, the notification will be issued frequently as time passes, and it is possible to prevent the receiver from forgetting to release the password lock. Also, when a certain period of time has passed, an emphatic message such as "Urgent" or "URGENT" may be displayed in the title.

The notification may be sent not only to the recipient but also to a preset administrator. When such a mode is employed, even the administrator can understand that a compressed file that is password-locked and whose password has not been released is stored.

The e-mail notified from the separation notification unit 20 may be in the form as shown in FIG. ), mail information including the subject, date and time, sender and attached file information, and the body of the mail may be displayed. Adopting such a mode is advantageous in that the recipient of the e-mail cannot check the attached file, but can check the text of the e-mail. The title of the e-mail notified from the separation notification unit 20 may indicate a request for password input as shown in FIG. If such a mode is adopted, the recipient can easily recognize that the password input is required. In the mode shown in FIG. 4, it is also displayed that the filtering system "m-FILTER" (registered trademark) has been controlled.

When the receiver clicks on the link destination information regarding the password input screen, the password input screen as shown in FIG. 5 may be displayed. If there are multiple attached files, the password may be entered for each attached file. The present invention is not limited to such a mode, and even if there are multiple attached files, the same password may be entered for each attached file. Note that when the password is entered, it may be masked with ●●●. An error message may be displayed if an incorrect password is entered. The password entry is not limited to being performed from the password entry screen shown in FIG. 5, and may be performed by entering the password in a reply mail to the notification mail to the recipient. If "English" in the lower right of FIG. 5 is selected, the text will be displayed in English.

On the password input screen, the information in the header From is displayed as the sender, and the headers To and CC may be displayed as the recipient. Also, the mail text may be hidden. This is because it is dangerous to display the body of the email since it has not yet been rendered harmless.

The determination processing unit 40 may determine whether or not the first file retrieved by inputting the password is appropriate (see (4) in FIG. 1). If the determination processing unit 40 determines that the e-mail is appropriate, the e-mail is sent to the receiver, and if the determination processing unit 40 determines that the e-mail is inappropriate, a predetermined action is performed. , the e-mail in which the action has been executed may be sent to the recipient (see (6) in FIG. 1). In addition, when link destination information is included in the first file, appropriateness may be determined based on the link destination information. For example, if the display URL displayed as the link destination in the text in the first file is different from the actual URL that is the actual link destination (see FIG. 3(a)), the actual URL that is the actual link destination is prohibited. If the link is to a file with an extension (see FIG. 3(b)), if the prohibited keyword is displayed in association with the actual URL that is the actual link destination (see FIG. 3(c)), When the actual URL that is the actual link destination includes a global IP (see FIG. 3(d)), and the text in the first file includes link destination information but does not describe any other information The first file may be determined to be inappropriate during any one or more of the cases. Details of this point will be described later.

When the determination processing unit 40 transmits the e-mail to the recipient who is the recipient, the determination processing unit 40 may attach the first compressed file after resetting the initially set password. . It is not limited to such a mode, and when the determination processing unit 40 transmits the e-mail to the recipient who is the recipient, the determination processing unit 40 sends the first compressed file with the password unlocked to the recipient. You may send.

The storage unit 10 may store the permitted transmission sources as a whitelist. If the sender is an authorized sender, even if the first compressed file with a password is attached to the e-mail, the determination processing unit 40 (See (5) in FIG. 1). Also, if the sender is a permitted sender, the separation notification unit 20 may not separate the email. As the permitted sender, the domain, IP address, etc. of the sender may be stored in the storage unit 10 . As an example, by selecting "reliable sender" in FIG. 5, the domain, IP address, etc. of the target sender are stored in the storage unit 10 as the authorized sender. In this case, future e-mails from the sender will not be required to enter a password, and will be sent to the recipient of the e-mail without judging whether the first file in the first compressed file is appropriate. (See (5) in FIG. 1). A transmission source and a reception destination may be associated and stored in the storage unit 10, and a white list may be created by combining them. By whitelisting a combination of senders and receivers in this way, for example, when the first recipient receives an e-mail from the first sender, it is determined as an authorized sender, but When a second recipient, different from the recipient, receives the email from the first sender, a password entry may be required to inspect the compressed file.

If "unreliable source" in FIG. 5 is selected, it may be configured such that e-mails from that source are not received. A transmission source and a reception destination may be associated and stored in the storage unit 10, and blacklisted by a combination of these. By blacklisting the sender and receiver in this way, for example, when the first recipient receives an e-mail from the first sender, it is judged as a prohibited sender, but the first receiver When a second recipient different from the recipient receives an e-mail from the first sender, the e-mail will be received as a normal sender, and if a compressed file is attached, a password entry will be required to inspect the compressed file. May be requested.

On the other hand, if the sender is not registered as a permitted sender, it may be determined whether or not the sender is password locked (see (1) in FIG. 1).

The determination processing unit 40 may delete the first compressed file that has not been decompressed by the decompressing unit 30 after a certain period of time has passed without the correct password being entered, and may send an e-mail to the recipient.

If the file has a multi-tiered structure, notification by the separation notification unit 20, password input, and decompression may be repeated for each layer. That is, when the n+1-th compressed file ("n" is an integer equal to or greater than 1) is stored in the n-th compressed file decompressed by the decompression unit 30, the judgment processing unit 40 determines that the n+1-th compressed file exists. may be notified to the recipient of the e-mail. The decompression unit 30 may extract the n+1th file by decompressing the (n+1)th compressed file by inputting the password. The determination processing unit 40 may determine whether the (n+1)th file is appropriate for the (n+1)th file. For example, when the second compressed file is stored in the first file decompressed by the decompression unit 30 (see FIG. 6), the determination processing unit 40 notifies the recipient of the e-mail that the second compressed file exists. may be notified to The decompression unit 30 may extract the second file by decompressing the second compressed file when the password is input. The determination processing unit 40 may determine whether the second file is appropriate for the second file.

When a plurality of n+1-th compressed files are stored in the n-th compressed file decompressed by the decompression unit 30, the determination processing unit 40 determines whether the n+1-th file in the decompressed n+1-th compressed file is appropriate. , the (n+1)th compressed file that has not been decompressed may be deleted. Also, for the (n+1)th compressed file that has not been decompressed, it may be determined whether it is appropriate or not within a possible range. As an example of judging whether a compressed file is appropriate or not, the judging processing unit 40 uses the file name as a basis for judgment, and one or more blanks are provided before the extension of the file name. , if the file name contains a prohibited control code, the compressed file may be determined to be inappropriate.

An upper limit number of layers to be decompressed by the decompression unit 30 may be set in advance. When the upper limit number is exceeded, the decompression unit 30 may not decompress the compressed file. In this case, the determination processing unit 40 may perform camouflage determination to the extent possible for compressed files that have not been decompressed by the decompression unit 30 . For example, 3 to 10 may be used as the upper limit number of layers. When the password lock of all compressed files and files can be released, or when the upper limit number of layers is exceeded, the judgment processing unit 40 judges the appropriateness of the password-unlocked file. may

If the file has a multi-level structure, the determination processing unit 40 may input the password input for the n-th compressed file as the password for the lower layer file such as the (n+1)-th compressed file. . If the compressed file cannot be decompressed with this password, the separation notification unit 20 may notify and request the input of the password. In the case of adopting such a mode, since the recipient is not required to enter a common password, the troublesomeness of the recipient can be reduced.

Such password entry may be repeated. For example, when the (n+2)th compressed file is stored in the (n+1)th compressed file, the determination processing unit 40 inputs the password input for the nth compressed file as the password for the (n+1)th compressed file. The same password may be entered for the (n+2)th compressed file within the (n+1)th file that has been decompressed.

The storage unit 10 may store a password list. Passwords in the password list may be stored in association with senders, and a password for a certain sender may be automatically entered for a file attached to an e-mail from a certain sender. For example, a first sender has one or more first passwords associated with it, and a file attached to an email from the first sender automatically has a password for the first sender. may be entered. Similarly, secondary senders are associated with one or more secondary passwords, and files attached to emails from secondary senders are automatically password-protected for secondary senders. You may make it input by . Registration in the password list may be limited to a person with certain authority such as an administrator. The recipient may be allowed to register in the password list when entering the password. A registered sender address may be paired with a password and whitelisted, or a pre-registered password may be paired with a sender address and whitelisted.

The determination processing unit 40 may sequentially apply a plurality of passwords stored in the storage unit 10 to the password-locked files attached to the e-mail. In this way, when the password cannot be released even if a plurality of passwords stored in the storage unit 10 are sequentially applied, the separation notification unit 20 separates the e-mail and notifies that the e-mail has been separated or has been separated. can be

When a preset retention period has passed, the e-mail stored in the temporary save area may be automatically sent to the recipient. The retention period may be configurable, eg, several hours, one day, three days, and so on. It is also possible to set "same day", and when "same day" is set, the holding time is set until the date changes.

When the e-mail is automatically sent after the retention period set in advance has passed, the determination processing unit 40 may determine the appropriateness of the e-mail to the extent possible. Even when automatically transmitting, if the judgment processing unit 40 judges that it is inappropriate, the attached file may be deleted. However, it may be possible to set whether or not to delete the attached file at the time of automatic transmission, or it may be set so that the file is not deleted. In the case of automatic transmission, that effect may be described in the text, title, or the like of the e-mail. When such a mode is adopted, the recipient can recognize that only a simple judgment of forged mail is being performed, and if the recipient feels the need, the file attached to the e-mail can be The password may be released, and the determination processing unit 40 may be made to determine the camouflaged mail.

The format of the compressed file is typically ZIP, but various formats such as TAR, CAB, 7z, RAR can be used. Note that the format of the compressed file that can be decompressed may be set in advance. In this case, when a file is attached to the e-mail in a compressed file format that cannot be decompressed, the compressed file may be deleted. Also, even if the compressed file format can be decompressed, the compressed file may be deleted in a predetermined case. As an example, even if a file compressed with ZIP can be decompressed, if the compressed file is encrypted with AES128/192/256, the compressed file will be deleted. good too. Further, instead of deleting, the judgment processing unit 40 may make a camouflage judgment within a possible range.

If the file cannot be inspected, if the password is not entered, if the password is entered incorrectly but a certain amount of time has passed, if the password is entered incorrectly more than a certain number of times, the hierarchy of the attached file is the upper limit. and cannot determine whether it is password-locked, or the format of the password-locked attached file is not supported by the system.

Any of sending, quarantining, and deleting may be set as an action (control mode) for files that could not be inspected. Any of the administrator, recipient, and sender may be notified when it is determined to be quarantined or deleted. Notifications to administrators, recipients, and senders may include information about the subject and body of the email in question. Also, the information on the screen as shown in FIG. 4 may be sent by e-mail.

If the number of layers of the attached file exceeds the maximum number of layers and it cannot be determined whether or not the file is password-locked, it is possible to send an e-mail with only the file of the unzipped layer attached, or the unzipped layer. The e-mail may be sent after deleting the files including the files in the .

You may make it perform a harmless processing with respect to an attached file. As the detoxification process, for example, the password lock of the attached file may be released and then the macro removed, or the attached file may be deleted. The attached file from which the macro has been removed may be compressed in a format such as ZIP using the original password, attached to the original e-mail, and transmitted to the recipient. Also, the attached file from which the macro has been removed may be compressed in a format such as ZIP without being password-protected, attached to the original e-mail, and transmitted to the recipient. Also, the attached file from which the macro has been removed may be attached to the original e-mail and sent to the recipient without being compressed. When the detoxification process is performed, the content of the detoxification process may be notified to the recipient.

Note that the data may be compressed in a format different from the original compression format. For example, when attached to the original e-mail, it was compressed in the first format, but when it is compressed again after the password lock is released, it is compressed in a second format different from the first format (e.g. ZIP). You may do so. It should be noted that even if the file was compressed in the second format when it was attached to the original e-mail, it may be compressed in the second format. When such a mode is employed, it is possible to perform compression in a uniform format (second format) when compressing again, which is advantageous in that control becomes easier.

If the file attached to the e-mail uses a prohibited extension, or if the file name has multiple extensions, one or more before the extension of the file name of the file attached to the e-mail If there are multiple blanks, if the file name attached to the e-mail contains prohibited control codes, if the file attached to the e-mail is an executable file, the file will be sent to the e-mail. is attached but the text of the e-mail is empty, the determination processing unit 40 may determine that the mail information may be inappropriate. In these cases, even if the file is password-locked, it can be determined whether or not it is appropriate without unlocking the password lock, and these aspects are included in the above-mentioned determination in the "possible range".

Examples of prohibited extensions include a mode in which "exe" is used, such as "estimate.exe", and a mode in which multiple extensions are used, such as "estimate.pdf.exe". can be done. An example of a prohibited control code is a form in which "RLO" is used, such as "quotation (RLO) xcod.exe". Here, "RLO" stands for "Right-to-Left Override" and is a symbol for reversing the left and right arrangement of characters written horizontally. By using such "RLO", there is a possibility that it may be used to prevent the user from recognizing that it is an executable file. good too. The case where the file is an executable file includes, for example, a mode in which extensions such as "exe", "dll", "obj", "sys", and "com" are used. Control codes or extensions to be prohibited may also be input from input means such as the input unit 90 shown in FIG.

If the file attached to the e-mail is in a prohibited format, or if the file attached to the e-mail contains macros, the determination processing unit 40 determines that the mail information may be inappropriate. may

An example of a case where a blank is provided before the extension of the file name of the file attached to the e-mail is, for example, a mode in which the file name is "estimate.exe". In addition, when the number of blanks provided before the extension of the file name is equal to or greater than a certain value (for example, 5 words), the determination processing unit 40 may determine that the mail information may be inappropriate. . The number of blanks may also be input from input means such as the input unit 90 .

Even if a file attached to an e-mail contains a URL inappropriate for viewing, the determination processing unit 40 may determine that the mail information may be inappropriate. The inappropriate URL may be a URL (blacklist information) registered in the storage unit 10 in advance.

When a camouflage determination is made for a file, the content and result of the camouflage determination may be notified to the recipient. This notification may be made by adding it to the body of the email to be delivered, or may be sent as an email separate from the email to be delivered.

Inappropriate files may be collected by a honeypod or the like, and hash values of the files may be obtained. Then, this hash value may be blacklisted and compared with the hash value of the file to be inspected.

Viruses may be detected by anti-virus software or the like for e-mails stored in the second storage unit 12, such as isolated e-mails (see (7) in FIG. 1). Further, among the e-mails stored in the second storage unit 12, e-mails detected as dangerous by anti-virus software may be automatically deleted. When such a mode is adopted, the number of e-mails stored in the second storage unit 12 can be reduced, and for example, the burden of appropriateness evaluation by an in-house manager can be reduced.

Also, the e-mails stored in the second storage unit 12 may be automatically deleted after a predetermined period of time has elapsed. The predetermined time for deleting the e-mail may be input from the input unit 90, or may be set in advance. Also, the input section 90 may be used to switch ON and OFF of such an automatic deletion function.

The number of emails stored in the second storage unit 12, the number of emails according to the date and time, etc. may be notified to the administrator, or may be stored in the storage unit 10 so that the administrator can check it as appropriate. You can become When such a mode is employed, it is useful in that it is possible to check the number of e-mails judged to be inappropriate and the increase or decrease in the number of e-mails along the time axis.

A relay unit 50 (see FIG. 2) may be provided to relay web accesses from internal terminals in the internal system. When the determination processing unit 40 determines that the mail information is inappropriate based on the link destination information, the relay unit 50 stores the link destination in the storage unit 10 and denies access of the internal terminal to the link destination. good too. An internal terminal means an information processing device such as a personal computer connected to an internal network. The storage unit 10 may store the information of the e-mail in association with the link destination. The e-mail information may include the text of the e-mail, the date and time of acquisition, the sender's address, etc. If the e-mail has a file attached, the information of the file is also included in the e-mail information. may be

The link destination information may include all information related to the link destination obtained from the mail text, the attached file attached to the e-mail, the macro of the attached file, and the like. Also, the mail body may include both text format and HTML format, and for the HTML format, the URL of the link part may be obtained. Access to URLs stored in the storage unit 10 and prohibited to be accessed by the relay unit 50 may be permitted via the input unit 90 .

Note that even if the file is split as a result of splitting the e-mail, the determination processing unit 40 may combine the split files to restore a single file. Then, the determination processing unit 40 may determine the appropriateness of the restored file.

Next, other modes for judging whether or not the transmission source is appropriate will be described below.

[Sender information]
First, a manner in which the determination processing unit 40 determines that the information in the received e-mail may be inappropriate based on the sender information will be described.

The determination processing unit 40 may acquire camouflage determination information from the external terminal 100 provided outside the internal network, and use the camouflage determination information to determine whether or not the source information of the e-mail has been camouflaged. At this time, the determination processing unit 40 may compare the camouflage determination information and the transmission source information to determine whether the transmission source information is camouflaged. The external terminal 100 may be, for example, a DNS (Domain Name System) server. The impersonation determination information may be, for example, an SPF (Sender Policy Framework) record. Whether or not the source information of the e-mail is disguised may be determined using the source IP address, the source mail address, the FQDN (Fully Qualified Domain Name) of the source MTA, or the like.

The determination processing unit 40 may determine whether or not the source information is camouflaged using source information other than the disguise determination information. As an example, if the destination of the header (Header From) and the destination of the envelope (Envelope From) do not match, it may be determined that the email may be inappropriate.

Further, when the number of relay servers (the number of Received headers) passed through from the sender to the receiver is equal to or greater than a predetermined threshold value, for example, "Received: from [20x.0.xxx.1] by example1.ne.jp Tue, 14 Sep 2010 15:16:37 JST" is included in a number equal to or greater than the threshold value, the determination processing unit 40 may determine that the email may be inappropriate. . Also, the threshold may be determined in advance, or may be changeable from the input unit 90 .

If the e-mail has been received via an unexpected route (for example, China, Russia, etc.), the determination processing unit 40 may determine that the e-mail may be inappropriate. At this time, Received: from [20x. 0. xxx. 1], the country may be specified by the IP address. Also, the unexpected waypoint may be determined in advance, or may be changed from the input unit 90 .

If the sender is sending an e-mail using mail software different from the mail software that has been used before, the determination processing unit 40 may determine that the e-mail may be inappropriate. The mail software previously used is stored in the storage unit 10, and the judgment processing unit 40 compares the mail software stored in the storage unit 10 with the mail software used in the sent e-mail. You can judge. It may be input from the input unit 90 that there is no problem even if the mail software is different for the sender. may be stored in the storage unit 10 as the correct mail software, or both the mail software for the previously used e-mail and the mail software for the e-mail sent later are correct.

If the sender is using free mail to send the e-mail, the determination processing unit 40 may determine that the e-mail may be inappropriate. In this case as well, it may be possible to input from the input unit 90 that there is no problem in using the free mail for the sender. The e-mail may be stored in the storage unit 10 as a non-problematic one.

[Link destination information]
Next, a mode in which the judgment processing unit 40 judges that the information in the received e-mail may be inappropriate based on the link destination information will be described.

If the e-mail contains link destination information, the determination processing unit 40 may determine whether the e-mail is appropriate based on the link destination information. In this aspect, when the display URL displayed as the link destination in the e-mail and the actual URL that is the actual link destination are different (see FIG. 3A), the determination processing unit 40 becomes the actual link destination. If the actual URL is a link to a file with a prohibited extension (see FIG. 3(b)), and if the prohibited keyword is displayed in association with the actual URL that is the actual link destination (see FIG. 3(c) )), when the actual URL that is the actual link destination includes a global IP (see Fig. 3(d)), when the email includes link destination information but the text of the email is empty etc., it may be determined that the e-mail may be inappropriate. The "link destination information" in the present embodiment includes all information related to link destinations obtained from e-mail texts, attached files attached to e-mails, macros of attached files, and the like. Therefore, when URL information is included in the password-unlocked compressed file, the URL information may be used to determine the suitability of the e-mail, as described above.

In the mode shown in FIG. 3(a), the mail text of the e-mail displays the mail address of "http://technet.ABC.com" as the display URL, but the actual URL is "http://technet.ABC.com". ABC.com.xx" and both are different. In the mode shown in FIG. 3(b), it becomes " uploaded file.exe " and "exe" is attached, which is a link to a file with a prohibited extension. In the mode shown in FIG. 3(c), the forbidden keyword "authenticate now" is displayed in association with the actual URL. Here, the prohibited keyword is "related to the actual URL", for example, the prohibited keyword is displayed before and after the actual URL, or an arrow comes out from the prohibited keyword and points to the actual URL. means manner. It should be noted that the prohibited keyword may be input, added, deleted, modified, etc., from the input section 90 . The global IP of " 123.45.67.89 " is included in the aspect shown in FIG.3(d).

The determination processing unit 40 may determine that the e-mail may be inappropriate when a redirect URL including a shortened URL is used. Redirection means passing through another server without directly connecting to the server where the content is stored. A shortened URL is a shortened URL of a long character string, and may be used to connect to the original long URL using redirection.

Since there is a possibility that the URL is camouflaged if the text does not include "all" of the name registered in the storage unit 10 or the like but includes only "part" of the name, in this case the determination processing unit 40 You may decide that the email may be inappropriate. As an example, when "example.com" is registered, the URL "http://example.com.xxxx/xxxxxx" is described.

[Text information]
Next, a mode in which the judgment processing unit 40 judges that the information in the received e-mail may be inappropriate based on the text information will be described.

The determination processing unit 40 may determine that the e-mail may be inappropriate based on the text information of the e-mail.

If the text of the e-mail contains a language other than the predetermined language, for example, if it contains kanji characters other than Japanese such as traditional Chinese characters and simplified Chinese characters, the determination processing unit 40 may determine that the e-mail is inappropriate. You can judge that there is. The permitted language or prohibited language may also be input from the input unit 90 .

If the text of the e-mail contains a non-existent organization or company name or telephone number, the determination processing unit 40 may determine that the e-mail may be inappropriate. When adopting this aspect, the determination processing unit 40 may be configured to acquire information regarding an existing organization, company name, telephone number, and the like. Such information about existing organizations, company names, telephone numbers, etc. may be stored in the storage unit 10 or may be stored in an external storage unit provided in an external device. An external device in this embodiment means any device other than the information device in this embodiment.

The determination processing unit 40 may determine that the e-mail may be inappropriate when the e-mail address of the sender and the e-mail address written in the signature of the e-mail are different. Further, the determination processing unit 40 may determine that the e-mail may be inappropriate if the text includes a request for an ID or password.

Also, if nothing is described in the text, the determination processing unit 40 may determine that the e-mail may be inappropriate.

Further, if the text includes "refer to numerical characters", the determination processing unit 40 may determine that the e-mail may be inappropriate. A "numeric character reference" is a correspondence between a "character string" and a "numeric character" that can be converted to each other. &#25163;&#30010;&#12398;&#26576;&#27861;&#24459;&#20107;&#12387;&#12390;&#12356;&#12414;&#12377; It may be determined that a "character reference" is included, or whether or not a "numeric character" as described above can be converted back to a "character string" according to a predetermined rule, and a "character string , it may be determined that the text contains ``numerical character reference''. &#25163;&#30010;&#12398;&#26576;&#27861;&#24459;&#20107;&#12387;&#12390;&#12356;&#12414;&#12377; I'm waiting" can be converted to a string. In this way, when the "numerical character" can be returned to the "character string" without any problem, the determination processing unit 40 determines that the e-mail contains "numerical character reference" in the text and that the e-mail is inappropriate. It may be determined that there is Here, the description will be made using a mode in which the "text" includes "numerical character reference", but the present invention is not limited to this. For example, the e-mail title includes "numerical character reference". In this case, the determination processing unit 40 may determine that the e-mail may be inappropriate.

The reason why the e-mail may be inappropriate may be stored in the storage unit 10 and made searchable. For example, if it is determined that the e-mail may be inappropriate because the file uses a prohibited extension, this fact is stored in the storage unit 10 so that it can be retrieved by the administrator. can be

The method of controlling incoming mail may be set so that it can be changed for each group. An administrator may be set for each group. The members of the group may be able to change from time to time. If the members in the group overlap, it may be possible to appropriately select which group's control method is to be applied.

When the determination processing unit 40 determines that the received e-mail may not be appropriate, the e-mail may be stored in the second storage unit 12 described above.

The determination processing unit 40 may delete emails determined to be inappropriate. When deleting an e-mail, only a log may be left. By deleting the e-mail in this manner, it is possible to prevent an accident such as the e-mail from being opened by mistake.

In addition, when the attached file is deleted, the URL information is deleted, or some kind of detoxification processing is performed, the fact that the detoxification processing was performed and/or the content of the detoxification processing cannot be seen by the user (for example, header) may be added or changed. Such processing may be recorded so that the administrator or the like can later search for the target e-mail.

In addition, when detoxification processing is performed on an e-mail, the fact that detoxification processing has been performed and/or the content of the detoxification processing is described in the text of the e-mail and sent to the recipient and the administrator. may be

If the mail text is in HTML format, the actual URL may not be displayed, so the determination processing unit 40 may acquire information on the actual URL.

Permission URL information may be stored in a storage means such as the storage unit 10 as information about URLs that have no problem. Even if URL information is included in the e-mail, if the URL information corresponds to the permitted URL information, the determination processing unit 40 may determine that the e-mail has no problem.

The storage unit 10 may store, as the permitted transmission source information, a destination with which transmission/reception has been performed a predetermined number of times (for example, 10 times) or more. Also, the predetermined number of times may be input from the input unit 90 and may be changed.

The storage unit 10 may store the URLs that the judgment processing unit 40 has judged to be problematic. Appropriateness can be determined. When the storage unit 10 stores the URL determined to be problematic, the storage unit 10 may also store the information of the e-mail in which the URL is described or attached. The information in this e-mail may include the text of the e-mail, the date and time of acquisition, the sender's address, etc. If the e-mail has a file attached, the information in that file will also be included in the e-mail information. may be included.

Note that the determination processing unit 40 does not have to determine the appropriateness of the email (sender disguise, etc.) for the email sent via the internal network without going via the external network.

The present embodiment also provides an information processing method in any aspect of the information processing apparatus described above, a program for generating the information processing apparatus, and a recording medium including a USB memory, CD, DVD, etc., in which the program is recorded. .

The information processing apparatus of this embodiment is generated by installing a program such as a server program. This program may be delivered by e-mail, may be obtained by logging in after accessing a predetermined URL, or may be recorded on a recording medium. The information processing method of this embodiment is performed by an information processing apparatus in which the above program is installed.

"effect"
Next, the effects of the present embodiment having the above-described configuration, which have not yet been described, will be mainly described. It should be noted that all configurations described in "Effects" can be used as configurations of the present embodiment.

When a compressed file with a password is attached to the received e-mail, the e-mail is stored in the temporary save area, and the e-mail is stored in the temporary save area or is notified to the said electronic mail. If you notify the recipient of the e-mail and enter the password, decompress the compressed file, extract the file, and judge whether the file is appropriate for the file. Appropriateness can be quickly determined for files stored in the set compressed file. First, by notifying the recipient, it can be expected that the password will be entered quickly. Further, when a file is stored in a compressed file with a password set, the suitability of the stored file cannot be determined. is stored, the appropriateness of the file can be determined.

In this embodiment, when the file is determined to be appropriate, an e-mail is sent to the recipient, and when the file is determined to be inappropriate, a predetermined action is executed, and then the action is executed. In the case of adopting the mode of sending the executed e-mail to the recipient, the recipient will receive the e-mail after the appropriate action has been taken.

When the determination processing unit 40 sends an e-mail to the recipient, if the determination processing unit 40 adopts a mode in which the first compressed file after resetting the password is attached and sent, the original e-mail E-mail can be sent to recipients in a manner substantially the same as

When the determination processing unit 40 transmits the e-mail to the recipient, if the determination processing unit 40 adopts the mode of transmitting the first compressed file with the password unlocked to the recipient, the recipient can It eliminates the need to enter a password, saving time and effort.

If the sender is an authorized sender, even if the e-mail has a compressed file with a password attached, the e-mail will be sent without judging whether the file in the compressed file is appropriate. is useful in that it is not necessary to judge the suitability of an e-mail from a sender that the user has determined to be safe.

When adopting a mode of deleting the first compressed file that has not been decompressed by the decompressing part 30 and sending the e-mail to the recipient, it is possible to prevent the first compressed file whose adequacy cannot be confirmed from being sent to the recipient. However, the text of the e-mail can be sent to the recipient.

If the n+1-th compressed file is stored in the n-th compressed file ("n" is an integer equal to or greater than 1), the judgment processing unit 40 notifies the recipient of the e-mail that the n+1-th compressed file exists, A mode in which the decompression unit 30 extracts the n+1th file by decompressing the n+1th compressed file by inputting a password, and the determination processing unit 40 determines whether the n+1th file is appropriate for the n+1th file. is adopted, even if the folder has a multi-layered structure, it is possible to determine the appropriateness of the files in the folder.

When a plurality of n+1-th compressed files are stored in the n-th compressed file decompressed by the decompression unit 30, the judgment processing unit 40 determines whether the n+1-th file in the decompressed n+1-th compressed file is appropriate. In the case of adopting a mode of judging the nature and deleting the (n+1)th compressed file that has not been decompressed, while confirming the appropriateness of the decompressed file, the appropriateness could not be confirmed. Security can be ensured by deleting compressed files.

The upper limit number of layers to be decompressed by the decompressing unit 30 is set in advance, and when the decompressing unit 30 does not decompress the compressed file when the upper limit number is exceeded, it is possible to decompress the compressed file. An upper limit can be set, and the load on the judgment processing unit 40 can be limited.

The determination processing unit 40 may have an artificial intelligence function, and may learn a password for a transmission source using the relationship between the transmission source information and the password information used for decompression as training data. When such an aspect is adopted, it is possible to increase the possibility that the compressed file can be decompressed without password input from the recipient.

When the relay unit 50 adopts a mode of denying the access of the internal terminal based on the link destination information when the determination processing unit 40 determines that the mail information is inappropriate based on the link destination information, the e-mail is used. Not only can you prevent access to dangerous websites that have been sent to you, but it is also beneficial in that you can prevent employees, etc. who have not received e-mails of questionable appropriateness from accessing dangerous websites. .

If access to URLs prohibited by the relay unit 50 is permitted via the input unit 90, for example, access to URLs determined to be safe by the administrator can be permitted. , which is advantageous in that it can prevent unnecessary and excessive access restrictions to URLs.

The above description of the embodiment and the disclosure of the drawings are only examples for explaining the invention described in the scope of claims, and the description of the embodiment and the disclosure of the drawings described above constitute the scope of the claims. The claimed invention is not limited. The description of the claims as originally filed can be changed as appropriate within the scope of the present patent specification, and the scope can be expanded.

Each component including the separation notification unit 20, the decompression unit 30, the judgment processing unit 40, the relay unit 50, the storage unit 10, etc. in each of the above embodiments is a logic circuit formed in an integrated circuit such as an IC chip or LSI. (hardware) or a dedicated circuit, or software using a CPU, memory, or the like. Also, each component may be implemented by one or more integrated circuits, and a plurality of components may be implemented by one integrated circuit. Also, a control unit may be considered as a component including the separation notification unit 20, the decompression unit 30, the determination processing unit 40, the relay unit 50, and the like.

10 storage unit 11 first storage unit 12 second storage unit 20 separation notification unit 30 decompression unit 40 judgment processing unit 50 relay unit

Claims (4)

If the first compressed file with a password is attached to the received e-mail, the e-mail is stored in the temporary save area and the e-mail is stored in the temporary save area or is stored. a separation notification unit that notifies the recipient of the e-mail;
a decompression unit for decompressing the first compressed file and extracting the first file in response to input of the password;
a judgment processing unit for judging whether the first file is appropriate for the first file;
An information processing device comprising: The determination processing unit transmits the e-mail to the recipient when the first file is determined to be appropriate, and performs a predetermined action when the first file is determined to be inappropriate. 2. The information processing apparatus according to claim 1, wherein an e-mail in which the action has been executed is sent to the recipient after executing the action. If the first compressed file with a password is attached to the received e-mail, the e-mail is stored in the temporary save area and the e-mail is stored in the temporary save area or is stored. notifying recipients of said email;
decompressing the first compressed file to retrieve a first file upon input of the password;
determining whether the first file is appropriate for the first file;
An information processing method comprising: A program for causing an information processing apparatus to execute an information processing method,
The information processing device is
If the first compressed file with a password is attached to the received e-mail, the e-mail is stored in the temporary save area and the e-mail is stored in the temporary save area or is stored. notifying recipients of said email;
decompressing the first compressed file to retrieve a first file upon input of the password;
determining whether the first file is appropriate for the first file;
A program characterized by executing an information processing method comprising:

Images