JP4732042B2 - Mail server, proxy server, server system, guided address determination method, access destination confirmation method and program - Google Patents

Description

  The present invention relates to a mail server, a proxy server, a server system, a guided address determination method, an access destination confirmation method, and a program.

In recent years, when using electronic mail, there is a case where a mail called spam mail is transmitted to a mail server (for example, see Patent Document 1).
Then, using such spam mails, passive attacks for downloading malicious programs such as “Spyware” and “Trojan horse” to a user's computer are increasing.

  For example, as shown in FIG. 19, the mail transmission server 51 notifies the user terminal 53 of the spam mail 52 as an attacker. The spam mail 52 includes a URL (Uniform Resource Locator) of the Web server 54 of an unauthorized site that is disguised as a legitimate site (existing location) of the information resource and is different from the legitimate site.

  The URL indicates the location where the information resource exists. The mail transmission server 51 notifies the user terminal 53 of the spam mail 52, thereby causing the user terminal 53 to access the Web server 54 indicated by the URL. Then, the Web server 54 downloads the malicious program to the user terminal 53. This is called a passive attack.

  On the other hand, what are called phishing scams are also increasing. That is, the mail transmission server 51 transmits a spam mail 52 that is a camouflaged mail from a legitimate bank or credit card company to the user terminal 53.

  The Web server 54 is a server of another Web site that impersonates a legitimate site and resembles the URL of the access destination, and the spam mail 52 describes the URL of the Web server 54. The mail transmission server 51 transmits the spam mail 52 to the user terminal 53 to access the Web server 54.

  Then, the Web server 54 causes the user terminal 53 to input an account number, a personal identification number, a credit card number, etc., and steals these pieces of information. Such an action is called a phishing scam.

  In passive attacks and phishing scams, the mail transmission server 51 as an attacker is very similar to the URL of a legitimate site in order to make the user terminal 53 access the Web server 54 by impersonating a legitimate site. In many cases, the URL is notified by the spam mail 52.

  For example, when the URL described in the character string as shown in FIG. 20A is a regular URL, the mail transmission server 51 as the attacker uses the spam mail 52 as shown in FIG. The guidance URL is notified to the user terminal 53.

  In this example, a URL or the like in which “l”, which is a lowercase letter of “L”, is changed to the number “1” or an uppercase letter “I” of “i” is used. When the character strings shown in FIGS. 20A and 20B are enlarged, the difference can be discriminated, but it is for the user to discriminate between the induced URL and the legitimate URL without enlarging. It ’s not easy.

  Further, when the URL described in the character string as shown in FIG. 21A is a regular URL, the mail transmission server 51 as the attacker uses the guidance URL as shown in FIG. 21B as the user terminal. 53 may be notified.

  In the guidance URL shown in FIG. 21B, the domain name is an internationalized domain name and includes a 2-byte Cyrillic character. Also in this case, the difference between the character strings shown in FIGS. 21 (a) and 21 (b) can be discriminated by enlarging them, but it is possible to discriminate between the guiding URL and the legitimate URL without enlarging. It is not easy for the user.

  As countermeasures against these passive attacks and phishing scams, two techniques of URL blocking and anti-spam filter are mainly considered. URL blocking is a technology implemented in a Web proxy server or the like, and stores a list of URLs of Web sites used for passive attacks and phishing scams in advance, and when a user computer performs Web access to the URL, It is a technology that blocks access.

Further, the anti-spam filter is a technology in which a mail server or the like detects spam mails that guide users to these unauthorized Web sites, and the mail server or the like filters the mails themselves.
JP 2000-163341 A (page 4-6, FIGS. 1 and 2)

  However, in URL blocking, it is necessary to register a list of URLs to be blocked in advance, and it is not possible to deal with URLs of newly constructed illegal websites that have not yet been registered.

  In addition, since a URL in which uppercase and lowercase letters are mixed is highly likely to be used as a guidance URL, it may be blocked when Web access is made to such a URL. The described access destination URL is normalized to all lowercase letters by the Web browser. For this reason, a Web proxy server in which URL blocking is implemented cannot discriminate between a legitimate URL and a guidance URL when uppercase letters and lowercase letters are mixed in the URL.

  The present invention has been made in view of such conventional problems, and a mail server, a proxy server, a server system, a guide URL determination method, an access destination confirmation method, and a program capable of easily determining a guide URL. The purpose is to provide.

In order to achieve this object, a mail server according to the first aspect of the present invention provides:
In the mail server that receives mail,
A mail receiving unit for receiving the mail;
A received mail storage unit for storing received mail received by the mail receiving unit;
When the received mail received by the mail receiving unit describes an address indicating the location of the information resource stored in the host computer, character analysis of the address is performed, and the address is a regular address of the information resource. A guidance address determination unit that determines whether or not there is a possibility of a guidance address that leads to a disguised place different from the existence place;
A guide address registering unit that registers data related to the guide address in a guide address database when the guide address determination unit determines that there is a possibility of the guide address and the received mail is acquired by a user terminal; ,
The guidance address determination unit
Character analysis of the address is performed, and when the host identification information for identifying the host computer is included in the address, it is determined whether or not the host identification information is described in numbers,
If it is determined that the host identification information is not described in numbers, it is determined that the address is described by a domain name that represents a hierarchical location of the host computer;
Further, the domain name is analyzed, and the first address determination condition is that each label as a character string delimited by dots of the domain name is composed of 1-byte characters. The first and second address determination conditions are checked for each label using the lower-case letter or upper-case letter as a second address determination condition, and any label is the first or second label. When the address determination condition is not satisfied, it is determined that the address included in the received mail may be the induced address,
When it is determined that the host identification information is described in numerals, it is determined that the address is described by an IP (Internet Protocol) address of the host computer, and the address included in the received mail is It is determined that there is a possibility that the address is the guidance address .

  The guided address determination unit performs character analysis of the address, determines whether the received mail received by the mail receiving unit is described in a markup language specification, and is based on the markup language specification. If it is determined that the address is described, the address described in the received mail is compared with the actual link destination address, and if both addresses do not match, the actual link destination address is determined to be a guide address, If they match, the first and second address determination conditions may be checked for each label.

When it is determined that the address included in the received mail may be a guide address, the guide address determination unit determines that the guide address is the first and second address determinations as normalization of the address. Change the lead address so that the condition is satisfied,
The induced address registration unit includes, as data related to the induced address, identification information of a user terminal that is a transmission destination of the received mail, a normalized induced address, a date and time when the user terminal captured the received mail, and time information. You may make it register to a guidance address database.

The proxy server according to the second aspect of the present invention is:
In the proxy server that accesses the information resources stored in the host computer on behalf of the user terminal,
A message receiving unit that receives a message including an address indicating the location of the information resource from the user terminal;
Based on the address included in the message when the message receiving unit receives the message from the user terminal, using the address that leads to a disguised place different from the regular location of the information resource as a guide address, and induction address data retrieval unit for retrieving the contents of the induction address database that the induced address is registered,
As a result of searching the contents of the induction address database by the induction address data search unit, when the induction address matching the address included in the message exists, the address is described by an IP (Internet Protocol) address. Requests DNS reverse lookup to a DNS (Domain Name System) server, obtains a domain name representing the location of the host computer in a hierarchy, and if the address is described by the domain name, A data acquisition unit that requests the DNS server to convert to the IP address and acquires the IP address ;
And a data transmission unit that transmits access destination information including the domain name and IP address acquired by the data acquisition unit to the user terminal.

  The data acquisition unit sends the acquired domain name to a WHOIS server that searches for domain information including information on the domain owner to request a domain information search, and from the WHOIS server, as a search result, Get domain owner information,
  The data transmission unit may further transmit the domain owner information to the user terminal.

  As a result of the data transmission unit transmitting the domain name and the IP address to the user terminal, when receiving an access stop command for canceling access to the information resource from the user terminal, to the information resource You may make it cancel access of.

A server system according to a third aspect of the present invention is:
In a server system comprising: a mail server that receives mail; and a proxy server that accesses information resources stored on a web server on behalf of a user terminal,
A guidance address database for storing data relating to a guidance address that leads to a camouflaged location different from a regular location of the information resource;
The mail server is
A mail receiving unit for receiving the mail;
A received mail storage unit for storing received mail received by the mail receiving unit;
When the received mail received by the mail receiving unit describes an address indicating the location of the information resource stored in the host computer, character analysis of the address is performed, and the address is a regular address of the information resource. A guidance address determination unit that determines whether or not there is a possibility of a guidance address that leads to a disguised place different from the existence place;
A guide address registering unit that registers data related to the guide address in a guide address database when the guide address determination unit determines that there is a possibility of the guide address and the received mail is acquired by a user terminal; ,
The guidance address determination unit
Character analysis of the address is performed, and when the host identification information for identifying the host computer is included in the address, it is determined whether or not the host identification information is described in numbers,
If it is determined that the host identification information is not described in numbers, it is determined that the address is described by a domain name that represents a hierarchical location of the host computer;
Further, the domain name is analyzed, and the first address determination condition is that each label as a character string delimited by dots of the domain name is composed of 1-byte characters. The first and second address determination conditions are checked for each label using the lower-case letter or upper-case letter as a second address determination condition, and any label is the first or second label. When the address determination condition is not satisfied, it is determined that the address included in the received mail may be the induced address,
When it is determined that the host identification information is described in numerals, it is determined that the address is described by an IP (Internet Protocol) address of the host computer, and the address included in the received mail is It is determined that there is a possibility that the address is,
The proxy server is
A message receiving unit for receiving a message including the address from the user terminal;
When the message receiver receives the message from the user terminal, based on the address contained in the message, and induction address data retrieval unit that the induced address to search the contents of the induction address database to be registered,
As a result of searching the contents of the induction address database by the induction address data search unit, when the induction address matching the address included in the message exists, the address is described by an IP (Internet Protocol) address. Requests DNS reverse lookup to a DNS (Domain Name System) server, obtains a domain name representing the location of the host computer in a hierarchy, and if the address is described by the domain name, A data acquisition unit that requests the DNS server to convert to the IP address and acquires the IP address ;
And a data transmission unit that transmits access destination information including the domain name and IP address acquired by the data acquisition unit to the user terminal.

The induced address determination method according to the fourth aspect of the present invention is:
An induced address determination method for determining whether or not an address included in a received received mail has a possibility of an induced address that leads to a disguised location different from the regular location of the information resource,
The address includes host identification information for identifying a host computer that stores the information resource, and a domain name is a representation of the host identification information by hierarchizing the location of the host computer.
An analysis step of performing character analysis of the domain name;
The character string delimited by dots of the domain name is used as a label, and all labels satisfy the first address determination condition with the first address determination condition that each label is composed of 1-byte characters. A first determination step for determining for each label whether or not to
Second determination for determining for each label whether or not all labels satisfy the second address determination condition, with the second address determination condition that each label is composed of all lowercase letters or uppercase letters Steps,
Determining that an address included in the received mail is the induced address when it is determined that any label of the domain name does not satisfy the first or second address determination condition. It is characterized by that.

The access destination confirmation method according to the fifth aspect of the present invention is:
An access destination confirmation method for confirming whether an access destination to an information resource is a regular location of the information resource,
And induction address storing step of memorize in the induction addresses an address derived on where you different disguise the location of regular said information resource,
A message receiving step of receiving a message including an address indicating an access destination to the information resource from an access request source requesting access to the information resource;
A guided address search step of searching for the guided address based on an address included in the message when the message is received;
As a result of the search, if the derived address that matches the address included in the message exists and the address is described by an IP (Internet Protocol) address, the DNS reverse is sent to the DNS (Domain Name System) server. To obtain a domain name representing the hierarchical location of the host computer, and if the address is described by the domain name, request the DNS server to convert it to the IP address. A data acquisition step of acquiring the IP address ;
Characterized in that and a data transmitting step of transmitting the access destination information to the access requestor including the domain name and IP address the acquisition.

A program according to the sixth aspect of the present invention is:
On the computer,
Procedures for receiving emails,
A procedure for storing the received received mail;
When the received received mail describes an address indicating the location of the information resource stored in the host computer, the address analysis is performed, and the host identification information for identifying the host computer is included in the address. If it is included, it is determined whether or not the host identification information is described in numbers. If it is determined that the host identification information is not described in numbers, the address is the presence of the host computer. It is determined that the place is described by a domain name representing a hierarchy, and further, character analysis of the domain name is performed, and each label as a character string separated by dots of the domain name is composed of 1 byte characters. The first address determination condition is that each label is composed of all lowercase letters or uppercase letters. If the label is not satisfied with the first or second address determination condition, the first and second address determination conditions are checked for each label. And determining that the address included in the received mail may be a guide address that leads to a disguised location different from the regular location of the information resource, and determining that the host identification information is described in numbers If so, a procedure for determining that the address is described by an IP (Internet Protocol) address of the host computer and determining that the address included in the received mail may be the induced address ;
Procedure said inductive possibly address and determines the received mail, when it is acquired by the destination of the received mail, registering the induction addresses the induction address database,
Is to execute.

A program according to the seventh aspect of the present invention is:
On the computer,
Receiving a message including an address indicating the location of the information resource from an access request source requesting access to the information resource;
Based on the address included in the message when the message receiving unit receives the message from the user terminal, using the address that leads to a disguised place different from the regular location of the information resource as a guide address, to search the content of the induction address database that the induced address is registered,
As a result of searching the content of the derived address database, when the derived address that matches the address included in the message exists, when the address is described by an IP (Internet Protocol) address, DNS (Domain Name System) ) Request DNS reverse lookup to the server to obtain a domain name representing the location of the host computer in a hierarchy, and if the address is described by the domain name, the DNS server will receive the IP address A procedure for obtaining the IP address by requesting conversion to
A procedure for transmitting access destination information including the acquired domain name and IP address to the access request source;
Is to execute.

  According to the present invention, it is possible to easily determine the guidance URL.

Hereinafter, a server system according to an embodiment of the present invention will be described with reference to the drawings.
The configuration of the server system according to the present embodiment is shown in FIG.
The server system according to this embodiment includes a mail server 11, a database storage device 12, and a proxy server 13. The mail server 11 and the proxy server 13 are connected to the Internet 2.

  The mail server 11 is a server that receives the mail transmitted by the mail transmission server 14, and includes a CPU (Central Processing Unit), a ROM (Read Only Memory), a RAM (Random Access Memory), an HDD (Hard Disk Drive), etc. (Not shown).

  The mail transmission server 14 is a server that transmits mail including a URL to the mail server 11 via the Internet 2.

  The mail server 11 determines whether or not the received mail includes a URL as an address indicating the location of the information resource on the Internet 2, and if this URL is determined to be a guide URL, It has a function to convert.

  Specifically, the mail server 11 first determines whether or not the received mail includes a URL. As shown in FIGS. 2A and 2B, the URL is composed of a protocol identifier and a resource name.

  “Http” shown in FIG. 2A is a protocol identifier indicating the HTTP protocol, and “https” shown in FIG. 2B is a protocol identifier indicating the HTTP protocol using SSL (Secure Socket Layer).

  The characters that can be used in the URL are defined in RFC (Request For Comments) 1738 and the like. According to RFC1738, usable characters are single-byte characters such as alphabets and numbers. When an internationalized domain name is used for the URL, the internationalized domain name is composed of 2-byte characters for notation, but is 1-byte characters for data. The URL character string is represented by such a set of characters.

  The resource name indicates the location where the information resource exists, and includes a character string indicating host identification information for identifying the host (computer) storing the information resource and a character string indicating the information resource stored by the host. . The data for specifying the host may consist of a host name and domain (Domain) name or an IP address (Internet Protocol Address).

  The example shown in FIG. 2A shows a case where the host identification information is composed of a host name and a domain name, “/www.example.com/” is the host name, and “example.com” is the domain name. is there. “Example” and “com” are respectively called a second domain and a top domain, and domain names are hierarchized with the top domain (root) as a vertex. A character string delimited by dots is called a label. The description after “/” in the top domain indicates information resources such as an HTML file name and a CGI program name.

  The example shown in FIG. 2B shows a case where the host identification information consists of an IP address. The IP address is an identification number of a host assigned to each host connected to the Internet 2 or the like, and is described by a number. In IPv4 (Internet Protocol version) 4, a 32-bit number is divided into four 8 bits each by a period, and a numerical value represented by the 8 bits is converted into a decimal integer value of 0-255. The IP address is expressed by arranging four decimal integer values.

  The mail server 11 uses “https://www.example.com/” as shown in FIG. 2A and “https: // as shown in FIG. If 10.8.2.73/ "is described, character analysis of this URL is performed, it is determined that this description is a URL, and this URL is acquired from the received mail.

  Then, the mail server 11 determines that the character string following “http: //” or “https: //” in the acquired URL is a domain name or an IP address. The mail server 11 ignores descriptions such as HTML file names and CGI program names after “/”.

  If the host identification information is described with numbers, the mail server 11 determines that the numbers are IP addresses. In this case, since it is difficult to determine the guidance URL, the mail server 11 determines that the URL included in the received mail may be the guidance URL. If the mail server 11 determines in this way, the URL is stored in the built-in HDD.

  If the host identification information is described using characters other than numerals, the mail server 11 determines that the host identification information is described using a domain name. In this case, the mail server 11 analyzes the character string of the domain name.

Therefore, the mail server 11 further performs character analysis, and checks whether each label of the domain name satisfies the following URL determination condition for each label.
(1) All must be expressed in single-byte characters (2) All must be expressed in uppercase or lowercase

  The URL determination condition (1) is a condition for determining whether or not a double-byte character such as an internationalized domain name is included in the label. If any of the labels does not satisfy the URL determination condition (1), the mail server 11 determines that the URL included in the received mail may be a guidance URL.

  The URL determination condition (2) is a condition for determining a confusing label in which lowercase letters and uppercase letters are mixed. If any of the labels does not satisfy the URL determination condition (2), the mail server 11 determines that the URL included in the received mail may be a guidance URL.

  In addition, when all the labels satisfy the URL determination conditions (1) and (2), the mail server 11 determines that the URL included in the received mail is unlikely to be a guide URL.

  The mail includes not only text mail but also HTML (HyperText Markup Language) HTML mail. HTML is a specification language in which additional information such as document structure and expression attributes (bold, italic, etc.) is described in a document in accordance with preset rules.

  In the case of HTML mail, the mail server 11 acquires both the URL described in the mail text and the actual link destination URL from the received mail. The actual link destination URL is displayed in, for example, the browser address bar.

  When the URL described in the mail text and the actual link destination URL do not match, the mail server 11 determines that the actual link destination URL is a guide URL.

  On the other hand, in the mail server 11, the URL described in the mail text and the actual link destination URL are the same (match), and the host identification information is described using the domain name. If it is determined, the URL determination conditions (1) and (2) are checked for each label.

  If the mail server 11 determines that there is a possibility of the guide URL, the mail server 11 normalizes the URL. URL normalization means changing the URL so that all labels satisfy both the URL determination conditions (1) and (2).

  If the URL determination condition (2) is not satisfied, the mail server 11 converts all characters of the URL to lowercase or uppercase as URL normalization. Domain names are not case sensitive. Therefore, even if the original URL is normalized, the substance does not change between the original domain name and the normalized domain name.

  Next, when the URL determination condition (1) is not satisfied, the mail server 11 performs Punycode conversion of the URL as URL normalization. Punycode conversion is one of the encoding methods for converting 2-byte characters such as the internationalized domain into ASCII characters, and has been standardized.

  When the internationalized domain name is converted by Punycode, an identifier (ACE Prefix) of “xn--” is added in front of the character string so that it can be determined that it has been converted. This identifier makes it easy to determine that the domain name is an internationalized domain name.

  The mail server 11 performs such processing for all URLs when a plurality of URLs are described in the received mail.

  When the URL is normalized, the mail server 11 stores the normalized guide URL in the HDD.

  Then, when the received mail is acquired by the user terminal 16, the mail server 11 enters the guide URL in the guide URL database 12a.

  The guidance URL database 12a is for entry data entry, and the database storage device 12 stores the guidance URL database 12a.

  The entry data is data related to the guidance URL, and the mail server 11 stores the user name and the normalized guidance URL or host identification information as IP data in the format shown in FIG. The URL described by the address and the mail acquisition date / time are entered.

  The user name is information indicating the user terminal 16 that is the transmission destination of the received mail from which the received mail is acquired. The guidance URL is a normalized guidance URL when normalized by the mail server 11. The mail acquisition date / time is data indicating the date / time when the received mail is acquired by the user terminal 16.

  The mail server 11 deletes the entry data when a preset valid period has elapsed since the user terminal 16 acquired the mail. In order to perform such processing, the mail server 11 includes a timer that counts time, and stores a setting file that stores a value indicating a valid period in a built-in HDD.

  This valid period is set based on the time from when the mail is received until the received mail is acquired by the user terminal 16, the capacity of the guidance URL database 12a, and the entry data search time. However, if the capacity of the guidance URL database 12a is large and the entry data search time is short, the valid period may be indefinite even if the time when the received mail is acquired by the user terminal 16 is short.

  When the mail server 11 enters a guide URL or the like in the guide URL database 12a, the mail server 11 resets the count value of the timer and increments the count value. When the count value exceeds the value indicating the valid period stored in the setting file, the mail server 11 determines that the valid period has elapsed and deletes the entry data in the guidance URL database 12a.

  Next, the proxy server 13 illustrated in FIG. 1 is a server that performs access to the Web server 15 specified by the user terminal 16.

  Note that the user terminal 16 has a browser (software) and is set as a proxy. When the user terminal 16 accesses the proxy server 13, the browser normalizes the URL input in the address bar, and stores the normalized URL in the HTTP message. The user terminal 16 transmits this HTTP message to the proxy server 13.

  The proxy server 13 receives this HTTP message from the user terminal 16 and first authenticates the user terminal 16 that is the access source. The authentication may be password authentication or biometric authentication such as fingerprint authentication.

  The proxy server 13 has a function of searching for entry (registration) data in the guidance URL database 12 a and transmitting the entry data to the user terminal 16 when the authentication of the user terminal 16 is successful.

  That is, the proxy server 13 searches the contents of the guidance URL database 12a based on the access destination URL and the access source user name described in the message from the user terminal 16.

  When a guide URL that matches the URL included in the HTTP message is entered in the guide URL database 12a, the proxy server 13 requests the DNS server 17 to send the domain name and IP address of the guide URL from the DNS server 17. And get.

  DNS (Domain Name System) is a system that assigns a human-friendly name to an IP address, and the DNS server 17 performs conversion between an IP address and a domain name. The DNS server 17 receives a request from the proxy server 13 and performs reverse lookup from an IP address to a domain name, or conversion from a domain name to an IP address.

  If the guidance URL is described by an IP address, the proxy server 13 sends this IP address to the DNS server 17 to request reverse lookup of the domain name. Then, the proxy server 13 acquires a domain name corresponding to the IP address from the DNS server 17.

  If the guidance URL is described by a domain name, the proxy server 13 sends this domain name to the DNS server 17 to request conversion to an IP address. Then, the proxy server 13 acquires an IP address corresponding to the domain name from the DNS server 17.

  When the proxy server 13 acquires the domain name and IP address of the guidance URL, the proxy server 13 sends the domain name of the guidance URL to the WHOIS server 18 to request a WHOIS search.

  WHOIS is a database that stores domain information registered worldwide, such as domain owner information and name server information. This database is stored in a storage device such as an HDD.

  The WHOIS server 18 performs this WHOIS search on this database. The WHOIS server 18 receives a request from the proxy server 13 and receives a domain name, and performs a WHOIS search based on the received domain name. Then, the WHOIS server 18 transmits domain information including domain owner information to the proxy server 13 as a search result.

When the proxy server 13 acquires the domain information and the DNS information in this manner, the proxy server 13 transmits the following information to the user terminal 16 as the access destination information.
(1) Access destination (guidance) URL described by IP address
When the access destination URL is described with a domain name, it is an IP address obtained by requesting the DNS server 17.
(2) Normalized access destination (guidance) URL (lower case)
This is a URL converted to all lowercase. When Punycode conversion is performed, this URL is the URL of the converted domain name. When the access destination URL is described by an IP address, this URL is a URL described by a domain name obtained by reverse DNS lookup.
(3) Normalized access destination (guidance) URL converted to all capital letters
Numbers are not converted.
(4) Domain owner information obtained by WHOIS search

  The proxy server 13 also transmits information for acquiring a response to the inquiry to the user terminal 16, that is, information for acquiring an answer indicating whether to access or not. In this way, the proxy server 13 confirms whether or not the access destination to the information resource is a regular location of the information resource.

  When the proxy server 13 receives an access execution command for executing access from the user terminal 16, the proxy server 13 accesses the Web server 15 as an access destination instead of the user terminal 16 as the normal proxy server 13.

  On the other hand, when an access stop command for canceling access is acquired from the user terminal 16, access to the Web server 15 that is the access destination is stopped.

Next, the operation of the server system according to this embodiment will be described.
The mail server 11 executes received mail processing according to the flowcharts shown in FIGS.

  When the mail server 11 receives a mail from the mail transmission server 14, the mail server 11 stores the received mail in the built-in HDD (step S11).

  The mail server 11 determines whether the received mail includes a URL (step S12).

  If it is determined that the received mail does not include a URL (No in step S12), the mail server 11 ends the received mail processing.

  On the other hand, when it is determined that the received mail includes a URL (Yes in step S12), the mail server 11 acquires the URL from the received mail (step S13).

  The mail server 11 determines whether the received mail is an HTML mail (step S14). If it is determined that the acquired received mail is HTML mail (Yes in step S14), the mail server 11 compares the URL described in the mail text with the actual link destination URL. Then, the mail server 11 determines whether the URL described in the mail text is the same as the actual link destination URL (step S15).

  When it is determined that the URL described in the mail text is different from the actual link destination URL (No in step S15), the mail server 11 determines that the actual link destination URL is the guide URL and the guide URL. Is normalized (step S20).

  When it is determined that the acquired received mail is not an HTML mail (No in step S14), or when it is determined that the URL described in the mail text is the same as the actual link destination URL (Yes in step S15). The mail server 11 determines whether or not the host identification information of the acquired URL is described in numbers (step S16).

  If the data is described in numbers (Yes in step S16), the mail server 11 determines that this data is an IP address and determines that the URL may be a guidance URL. When the mail server 11 determines in this way, the URL is stored in the built-in HDD (step S21).

  If it is determined that the data is not described by numbers (No in step S16), the mail server 11 determines that the acquired URL is described by a domain name. In this case, the mail server 11 checks the URL determination condition for each label (step S17).

  The mail server 11 determines whether all labels satisfy the URL determination condition (1) (step S18). If it is determined that all labels satisfy the URL determination condition (1) (Yes in step S18), the mail server 11 determines whether all labels satisfy the URL determination condition (2). (Step S19).

  If it is determined that all labels satisfy the URL determination condition (2) (Yes in step S19), the mail server 11 determines this URL as a regular URL.

  On the other hand, when it is determined that any of the labels does not satisfy the URL determination condition (1) or (2) (No in step S18 or No in step S19), the mail server 11 determines that the acquired URL is a guided URL. It is determined that

  If the mail server 11 determines in this way, the guidance URL normalization process is executed (step S20). The mail server 11 executes the guidance URL normalization process according to the flowchart shown in FIG.

  That is, the mail server 11 converts all characters of the acquired original URL into lowercase letters (step S31).

  The mail server 11 determines whether or not a 2-byte character exists in the URL (step S32). If it is determined that a 2-byte character exists in the URL (Yes in step S32), the mail server 11 converts the domain name into Punycode (step S33). Then, the mail server 11 ends the guidance URL normalization process and stores the guidance URL in the built-in HDD (step S21).

  If the mail server 11 determines in this way, the guidance URL normalization process is executed (step S20). The normalized guidance URL is stored in the built-in HDD (step S21).

  The mail server 11 determines whether another URL still exists in the received mail (step S22).

  If it is determined that another URL exists (Yes in step S22), the mail server 11 designates the next URL (step S23) and acquires this URL (step S13). And the mail server 11 performs the process of step S13-S21 about acquired URL.

  If it is determined that no other URL exists (No in step S22), the mail server 11 ends the received mail process.

  After the mail server 11 executes such received mail processing, when the user terminal 16 takes in mail from the mail server 11, the mail server 11 executes guidance URL entry processing according to the flowchart shown in FIG. To do.

That is, the mail server 11 enters the normalized guide URL in the guide URL database 12a (step S41).
The mail server 11 resets the count value of the timer (step S42).

  The mail server 11 determines whether or not the count value of the timer has exceeded the value indicating the valid period stored in the setting file (step S43).

  When it is determined that the count value is equal to or less than the value indicating the valid period (No in step S43), the mail server 11 increments the count value (step S44) and executes steps S43 and S44 again.

  If it is determined that the count value has exceeded the value indicating the valid period (Yes in step S43), the mail server 11 deletes the entered data from the guidance URL database 12a (step S45). Then, the mail server 11 ends the entry process of the guidance URL.

  Next, when receiving the HTTP message from the user terminal 16, the proxy server 13 executes the Web server access process according to the flowchart shown in FIG.

The proxy server 13 authenticates the user terminal 16 that is the access source (step S51).
The proxy server 13 determines whether or not the authentication is successful (step S52).
If it is determined that the authentication has not succeeded (No in step S52), the proxy server 13 ends the Web server access process.

  If it is determined that the authentication is successful (Yes in step S52), the proxy server 13 searches the content of the guidance URL database 12a based on the URL and the access source user name (step S53).

  The proxy server 13 determines whether the corresponding entry data exists in the guidance URL database 12a (Step S54).

  If it is determined that the corresponding entry data does not exist (No in step S54), the proxy server 13 accesses the access destination (step S62).

  On the other hand, when it is determined that the corresponding entry data exists (Yes in step S54), the proxy server 13 determines that the access destination URL described in the HTTP message is a guidance URL.

If it determines in this way, the proxy server 13 will acquire applicable entry data (step S55).
The proxy server 13 determines whether or not the guidance URL of the acquired entry data is described with an IP address (step S56).

  If it is determined that the derived URL of the corresponding entry data is described by an IP address (Yes in step S56), the proxy server 13 sends this IP address to the DNS server 17 and requests reverse lookup of the domain name. Then, the domain name as a reverse lookup result is acquired (step S57).

  If it is determined that the derived URL of the corresponding entry data is described by a domain name instead of an IP address (No in step S56), the proxy server 13 transmits the domain name to the DNS server 17 to the IP address. And obtains an IP address as a conversion result (step S58).

  When the proxy server 13 acquires the domain name and the IP address in this way, the proxy server 13 transmits the domain name to the WHOIS server 18 to request a WHOIS search, and acquires domain information including domain owner information (step S59). ).

The proxy server 13 transmits data related to the guidance URL to the user terminal 16 as access destination information (step S60).
The proxy server 13 determines whether an access execution command is received from the user terminal 16 (step S61).

  When it is determined that the access execution command has been received (Yes in step S62), the proxy server 13 accesses the access destination (step S62).

  On the other hand, when it is determined that an access stop command is received instead of an access execution command (No in step S61), the proxy server 13 stops access to the access destination and ends this Web server access process.

Next, a specific operation of this server system will be described.
As shown in FIG. 9, when the mail server 11 receives the received mail 21 from the mail transmission server 14, the mail server 11 acquires the first URL “http://www.exampIe.com/” (step S13). Processing).

  Since the host identification information of this URL is not described with numbers, the mail server 11 determines that the URL is described with a domain name (NO in step S16).

  The mail server 11 checks the URL determination conditions (1) and (2) for each label as shown in FIGS. 11A to 11C (processing in step S17).

As shown in FIG. 11A, since the label “www” is composed of all 1-byte lowercase characters, the URL determination conditions (1) and (2) are satisfied.
As shown in FIG. 11B, the label “exampIe” does not satisfy the URL determination condition (2) because both lowercase letters and uppercase letters are mixed.
As shown in FIG. 11C, since the label “com” is composed of all 1-byte lowercase characters, the URL determination conditions (1) and (2) are satisfied.

  Since the label “exampIe” does not satisfy the URL determination condition (2), the mail server 11 determines that this URL “http://www.exampIe.com/” may be a guidance URL.

  In this case, the mail server 11 normalizes the URL “http://www.exampIe.com/” as shown in FIG. 11D, and the normalized guidance URL “http: // www. exampie.com/ "is generated (steps S20 and S31). Then, the mail server 11 stores this normalized guidance URL in the built-in HDD (processing in step S21).

  Next, the mail server 11 acquires the second URL “https://10.8.2.73/” as shown in FIG. 10B (processing of steps S22, S23, and S13). The host data “10.8.2.73” of the URL is described with numbers, and it is determined that this URL is described with an IP address.

  When the mail server 11 determines in this way, the URL “https://10.8.2.73/” is stored in the built-in HDD.

  When the URL is a URL as shown in FIG. 12, since the domain name is an internationalized domain name and includes a 2-byte character, the mail server 11 performs Punycode conversion on the domain name, To generate a normalized guidance URL (processing in steps S20, S32, and S33).

  When the user terminal 16 acquires the received mail 21, the mail server 11 stores the user name, the normalized guide URL or IP address, the mail acquisition date / time in the guide URL database 12 a as shown in FIG. 13. Time data is entered (processing in step S41).

  When the proxy server 13 receives the HTTP message from the user terminal 16, the proxy server 13 authenticates the user terminal 16 that is the access source (the process of step S51 in FIG. 8). When the authentication is successful, the proxy server 13 acquires the URL “http://www.exampie.com/” of the access destination from the HTTP message as shown in FIG.

  This URL is normalized by the browser of the user terminal 16. The proxy server 13 searches the content of the guidance URL database 12a based on the acquired URL “http://www.exampie.com/” and the access source user name (processing in step S53).

  As shown in FIG. 13, the URL “http://www.exampie.com/” of user A is entered in the guidance URL database 12a. Since the corresponding entry data exists in the guidance URL database 12a, the proxy server 13 obtains this entry data from the guidance URL database 12a (steps S54 and S55).

  Note that the mail server 11 deletes the entry data when the preset valid period has elapsed since the user terminal 16 took in the mail (processing in steps S42 to S45).

  As shown in FIG. 15, the proxy server 13 sends the domain name “exampie.com” to the DNS server 17 to request conversion to an IP address. Assuming that the IP address corresponding to this domain name “exampie.com” is “10.8.7.24”, the proxy server 13 sends the IP address “10.8.7.24” corresponding to this domain name “exampie.com” from the DNS server 17. (Step S58).

  In the case of the second URL “https://10.8.2.73/” shown in FIG. 9, the proxy server 13 transmits this IP address “10.8.2.73” to the DNS server 17 as shown in FIG. Then, the reverse lookup of the domain name is requested, and the domain name corresponding to the IP address “10.8.2.73” is acquired from the DNS server 17 (processing in step S57).

  In the case of the guide URL “http://www.exampie.com/”, the proxy server 13 sends a domain name “exampie.com” to the WHOIS server 18 to request a WHOIS search as shown in FIG. Then, domain information including domain owner information is acquired (step S59).

  When the proxy server 13 acquires the domain information and the DNS information, the access destination URL 1 “http://10.8.2.73/” described in IP address and the access destination URL 2 “http: described in lower case as access destination information are obtained. //www.exampie.com/ ”, access URL 3“ http://WWW.EXAMPIE.COM/ ”written in capital letters, and domain owner information are transmitted to the user terminal 16 (processing in step S60) ).

  Such information is displayed on the display of the user terminal 16 as shown in FIG. When “access” is clicked, the user terminal 16 transmits an access execution command to execute access, and the proxy server 13 receives the access execution command and accesses the Web server 15 (step). Processing in S61 and S62).

  When “not access” is clicked, the user terminal 16 transmits an access cancel command for canceling access, and the proxy server 13 receives this access cancel command and cancels access to the Web server 15. To do.

  As described above, according to the present embodiment, the mail server 11 determines whether or not the URL included in the received mail is a guide URL using the URL determination condition, and the user terminal 16 receives the reception URL. When the mail is taken in, the entry is made to the guidance URL database 12a.

  Further, the proxy server 13 searches the guidance URL database 12a when there is an access request from the user terminal 16 to the Web server 15. If the guidance URL exists, the proxy server 13 sends the URL domain name, IP address, domain The owner information of was sent.

  Therefore, the user can easily determine that the URL described in the received mail is a guidance URL, and can prevent damage to the user from passive attacks and phishing scams, including unknown ones. Further, since the mail server 11 checks the URL of the received mail at the time when the mail from the mail transmission server 14 is received, even if it is the URL of a newly constructed illegal site, the guidance URL is determined. It can be carried out.

  Even if the received mail is an HTTP message and the web browser normalizes all lowercase letters, it is determined whether the URL displayed in the mail text is the same as the actual link destination URL. Even in such a case, the guidance URL can be determined.

  Further, the proxy server 13 requests the DNS server 17 and the WHOIS server 18 to perform reverse domain name lookup, domain name-to-IP address conversion, and WHOIS search, and the domain name, IP address, and domain ownership of the guidance URL. Person information was sent. For this reason, the user can easily determine the guidance URL described in the received mail.

In carrying out the present invention, various forms are conceivable and the present invention is not limited to the above embodiment.
For example, in the above embodiment, the markup language has been described as HTML. However, the markup language is not limited to HTML, and may be SGML (Standard Generalized Markup Language) or XML (eXtensible Markup Language).

  In the above embodiment, the URL is used as the address indicating the location of the information resource on the Internet 2. However, the address is not limited to a URL, and may be a URI (Uniform Resource Identifier), for example. The URI is an extension of the concept of URL. The URL indicates the physical location of the resource (information resource), whereas the URI defines a virtual name of the resource.

  Further, the proxy server 13 can blink a suspicious label of the guidance URL, make it a colored character, or issue a voice warning.

  In the above embodiment, the mail server 11 ignores descriptions such as HTML file names and CGI program names after “/”. However, when it is considered that the guidance URL includes a file or the like, the mail server 11 may perform character analysis including these data.

  In the above-described embodiment, the program is described as being stored in advance in a memory or the like. However, programs for causing the mail server 11 and the proxy server 13 to operate as all or part of the apparatus or to execute the above-described processes are a flexible disk, a CD-ROM (Compact Disk Read-Only Memory), a DVD. (Digital Versatile Disk), MO (Magneto Optical disk), etc., stored in a computer-readable recording medium and distributed, installed on another computer, operated as the above-mentioned means, or executed the above-mentioned steps You may let them.

  Furthermore, the program may be stored in a disk device or the like included in a server device on the Internet, and may be downloaded onto a computer by being superimposed on a carrier wave, for example.

It is a figure which shows the structure of the server system which concerns on embodiment of this invention. It is a figure which shows URL. It is a figure which shows a guidance URL database. It is a flowchart which shows the received mail process (1) which the mail server shown in FIG. 1 performs. It is a flowchart which shows the received mail process (2) which the mail server shown in FIG. 1 performs. It is a flowchart which shows the normalization process of guidance URL which the mail server shown in FIG. 1 performs. It is a flowchart which shows the entry process of the guidance URL which the mail server shown in FIG. 1 performs. It is a flowchart which shows the web server access process which the proxy server shown in FIG. 1 performs. It is a figure which shows the specific operation | movement of a server system. It is a figure which shows the determination process of the domain name of the mail server shown in FIG. It is a figure which shows the specific process at the time of applying URL determination conditions to each label of URL. It is a figure which shows the specific process at the time of applying URL determination conditions to each label of URL described by the internationalized domain name containing a 2-byte character. It is a figure which shows the guidance URL database in which data was entered. It is a figure which shows the process which acquires URL from the HTML message which the proxy server shown in FIG. 1 received. It is a figure which shows the conversion from a domain name to an IP address. It is a figure which shows reverse lookup of a domain name. It is a figure which shows the request of WHOIS search, and the acquisition process of domain information. It is a figure which shows the example of a display of a user terminal. It is a figure which shows the conventional passive attack and phishing. It is a figure which shows the regular URL described in all the small letters, and the guidance URL in which a small letter and capital letters are mixed as a specific example of guidance URL. It is a figure which shows the guidance URL described by the internationalized domain name as a specific example of guidance URL.

Explanation of symbols

DESCRIPTION OF SYMBOLS 11 Mail server 12 Database storage device 12a Guidance URL database 13 Proxy server 14 Mail transmission server 15 Web server 16 User terminal 17 DNS server 18 WHOIS server

Claims (11)

In the mail server that receives mail,
A mail receiving unit for receiving the mail;
A received mail storage unit for storing received mail received by the mail receiving unit;
When the received mail received by the mail receiving unit describes an address indicating the location of the information resource stored in the host computer, character analysis of the address is performed, and the address is a regular address of the information resource. A guidance address determination unit that determines whether or not there is a possibility of a guidance address that leads to a disguised place different from the existence place;
A guide address registering unit that registers data related to the guide address in a guide address database when the guide address determination unit determines that there is a possibility of the guide address and the received mail is acquired by a user terminal; e,
The guidance address determination unit
Character analysis of the address is performed, and when the host identification information for identifying the host computer is included in the address, it is determined whether or not the host identification information is described in numbers,
If it is determined that the host identification information is not described in numbers, it is determined that the address is described by a domain name that represents a hierarchical location of the host computer;
Further, the domain name is analyzed, and the first address determination condition is that each label as a character string delimited by dots of the domain name is composed of 1-byte characters. The first and second address determination conditions are checked for each label using the lower-case letter or upper-case letter as a second address determination condition, and any label is the first or second label. When the address determination condition is not satisfied, it is determined that the address included in the received mail may be the induced address,
When it is determined that the host identification information is described in numerals, it is determined that the address is described by an IP (Internet Protocol) address of the host computer, and the address included in the received mail is It is determined that the address may be the guidance address;
A mail server characterized by that. The guided address determination unit performs character analysis of the address, determines whether the received mail received by the mail receiving unit is described in a markup language specification, and is based on the markup language specification. If it is determined that the address is described, the address described in the received mail is compared with the actual link destination address, and if both addresses do not match, the actual link destination address is determined to be a guide address, If they match, the first and second address determination conditions are checked for each label.
The mail server according to claim 1 . When it is determined that the address included in the received mail may be a guide address, the guide address determination unit determines that the guide address is the first and second address determinations as normalization of the address. Change the lead address so that the condition is satisfied,
The induced address registration unit includes, as data related to the induced address, identification information of a user terminal that is a transmission destination of the received mail, a normalized induced address, a date and time when the user terminal captured the received mail, and time information. Register in the guide address database,
The mail server according to claim 1 or 2 , characterized in that In the proxy server that accesses the information resources stored in the host computer on behalf of the user terminal,
A message receiving unit that receives a message including an address indicating the location of the information resource from the user terminal;
Based on the address included in the message when the message receiving unit receives the message from the user terminal, using the address that leads to a disguised place different from the regular location of the information resource as a guide address, and induction address data retrieval unit for retrieving the contents of the induction address database that the induced address is registered,
As a result of searching the contents of the induction address database by the induction address data search unit, when the induction address matching the address included in the message exists, the address is described by an IP (Internet Protocol) address. Requests DNS reverse lookup to a DNS (Domain Name System) server, obtains a domain name representing the location of the host computer in a hierarchy, and if the address is described by the domain name, A data acquisition unit that requests the DNS server to convert to the IP address and acquires the IP address ;
A data transmission unit that transmits access destination information including a domain name and an IP address acquired by the data acquisition unit to the user terminal;
A proxy server characterized by that. The data acquisition unit sends the acquired domain name to a WHOIS server that searches for domain information including information on the domain owner to request a domain information search, and from the WHOIS server, as a search result, Get domain owner information,
The data transmission unit further transmits the information of the domain owner to the user terminal;
The proxy server according to claim 4 . As a result of the data transmission unit transmitting the domain name and the IP address to the user terminal, when receiving an access stop command for canceling access to the information resource from the user terminal, to the information resource Stop accessing,
The proxy server according to claim 4 or 5 , wherein In a server system comprising: a mail server that receives mail; and a proxy server that accesses information resources stored on a web server on behalf of a user terminal,
A guidance address database for storing data relating to a guidance address that leads to a camouflaged location different from a regular location of the information resource;
The mail server is
A mail receiving unit for receiving the mail;
A received mail storage unit for storing received mail received by the mail receiving unit;
When the received mail received by the mail receiving unit describes an address indicating the location of the information resource stored in the host computer, character analysis of the address is performed, and the address is a regular address of the information resource. A guidance address determination unit that determines whether or not there is a possibility of a guidance address that leads to a disguised place different from the existence place;
A guide address registering unit that registers data related to the guide address in a guide address database when the guide address determination unit determines that there is a possibility of the guide address and the received mail is acquired by a user terminal; ,
The guidance address determination unit
Character analysis of the address is performed, and when the host identification information for identifying the host computer is included in the address, it is determined whether or not the host identification information is described in numbers,
If it is determined that the host identification information is not described in numbers, it is determined that the address is described by a domain name that represents a hierarchical location of the host computer;
Further, the domain name is analyzed, and the first address determination condition is that each label as a character string delimited by dots of the domain name is composed of 1-byte characters. The first and second address determination conditions are checked for each label using the lower-case letter or upper-case letter as a second address determination condition, and any label is the first or second label. When the address determination condition is not satisfied, it is determined that the address included in the received mail may be the induced address,
When it is determined that the host identification information is described in numerals, it is determined that the address is described by an IP (Internet Protocol) address of the host computer, and the address included in the received mail is It is determined that there is a possibility that the address is,
The proxy server is
A message receiving unit for receiving a message including the address from the user terminal;
When the message receiver receives the message from the user terminal, based on the address contained in the message, and induction address data retrieval unit that the induced address to search the contents of the induction address database to be registered,
As a result of searching the contents of the induction address database by the induction address data search unit, when the induction address matching the address included in the message exists, the address is described by an IP (Internet Protocol) address. Requests DNS reverse lookup to a DNS (Domain Name System) server, obtains a domain name representing the location of the host computer in a hierarchy, and if the address is described by the domain name, A data acquisition unit that requests the DNS server to convert to the IP address and acquires the IP address ;
A data transmission unit that transmits access destination information including a domain name and an IP address acquired by the data acquisition unit to the user terminal;
A server system characterized by that. An induced address determination method for determining whether or not an address included in a received received mail has a possibility of an induced address that leads to a disguised location different from the regular location of the information resource,
The address includes host identification information for identifying a host computer that stores the information resource, and a domain name is a representation of the host identification information by hierarchizing the location of the host computer.
An analysis step of performing character analysis of the domain name;
The character string delimited by dots of the domain name is used as a label, and all labels satisfy the first address determination condition with the first address determination condition that each label is composed of 1-byte characters. A first determination step for determining for each label whether or not to
Second determination for determining for each label whether or not all labels satisfy the second address determination condition, with the second address determination condition that each label is composed of all lowercase letters or uppercase letters Steps,
Determining that an address included in the received mail is the induced address when it is determined that any label of the domain name does not satisfy the first or second address determination condition. The
An induced address determination method characterized by the above. An access destination confirmation method for confirming whether an access destination to an information resource is a regular location of the information resource,
And induction address storing step of memorize in the induction addresses an address derived on where you different disguise the location of regular said information resource,
A message receiving step of receiving a message including an address indicating an access destination to the information resource from an access request source requesting access to the information resource;
A guided address search step of searching for the guided address based on an address included in the message when the message is received;
As a result of the search, if the derived address that matches the address included in the message exists and the address is described by an IP (Internet Protocol) address, the DNS reverse is sent to the DNS (Domain Name System) server. To obtain a domain name representing the hierarchical location of the host computer, and if the address is described by the domain name, request the DNS server to convert it to the IP address. A data acquisition step of acquiring the IP address ;
A data transmitting step of transmitting the access destination information including the domain name and IP address the acquired to the access request source, with a,
An access destination confirmation method characterized by that. On the computer,
Procedures for receiving emails,
A procedure for storing the received received mail;
When the received received mail describes an address indicating the location of the information resource stored in the host computer, the address analysis is performed, and the host identification information for identifying the host computer is included in the address. If it is included, it is determined whether or not the host identification information is described in numbers. If it is determined that the host identification information is not described in numbers, the address is the presence of the host computer. It is determined that the place is described by a domain name representing a hierarchy, and further, character analysis of the domain name is performed, and each label as a character string separated by dots of the domain name is composed of 1 byte characters. The first address determination condition is that each label is composed of all lowercase letters or uppercase letters. If the label is not satisfied with the first or second address determination condition, the first and second address determination conditions are checked for each label. And determining that the address included in the received mail may be a guide address that leads to a disguised location different from the regular location of the information resource, and determining that the host identification information is described in numbers If so, a procedure for determining that the address is described by an IP (Internet Protocol) address of the host computer and determining that the address included in the received mail may be the induced address ;
Procedure said inductive possibly address and determines the received mail, when it is acquired by the destination of the received mail, registering the induction addresses the induction address database,
A program for running On the computer,
Receiving a message including an address indicating the location of the information resource from an access request source requesting access to the information resource;
Based on the address included in the message when the message receiving unit receives the message from the user terminal, using the address that leads to a disguised place different from the regular location of the information resource as a guide address, to search the content of the induction address database that the induced address is registered,
As a result of searching the content of the derived address database, when the derived address that matches the address included in the message exists, when the address is described by an IP (Internet Protocol) address, DNS (Domain Name System) ) Request DNS reverse lookup to the server to obtain a domain name representing the location of the host computer in a hierarchy, and if the address is described by the domain name, the DNS server will receive the IP address A procedure for obtaining the IP address by requesting conversion to
A procedure for transmitting access destination information including the acquired domain name and IP address to the access request source;
A program for running

Images