JP5366204B2 - Mail filtering system, computer program thereof, and information generation method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide information available for determining appropriateness of an E-mail distribution method of advertising E-mail. <P>SOLUTION: An E-mail filtering system includes a classification database 13 provided with: an advertising E-mail transmitter database 13e for registering a set of IP addresses of transmitters of advertising E-mail; non-advertising E-mail transmitter databases 13a to 13d for registering a set of IP addresses of non-advertising E-mail transmitters. A latest search of the transmitter IP address of an E-mail header is made in the advertising transmitter database and the non-advertising transmitter database respectively and distinctiveness showing the likeliness of advertising E-mail is obtained by the latest address obtained by the latest search. The set of transmitter IP addresses of the advertising E-mail is output as information available for determination of appropriateness of an E-mail distribution method of advertising E-mail. <P>COPYRIGHT: (C)2011,JPO&amp;INPIT

Description

  The present invention relates to a mail filtering system, a computer program thereof, and an information generation method.

  In recent years, spam mail is a problem that hinders the use of electronic mail. Spam emails that are sent in large quantities to unspecified numbers have caused an increase in email traffic and spread of virus emails, causing economic losses. For this reason, a mail filtering system capable of appropriately detecting junk mail is demanded.

  As a mail filtering system, a content analysis type system that detects a spam mail (spam mail) by analyzing a sentence (content) such as a text or a title as a mail content is common.

  Here, junk e-mail (broad junk e-mail) includes harmful information and viruses that seem to be annoying to most people (narrow junk e-mail), and general companies There are emails (such as e-mails for advertisements, e-mail magazines) that are useful for those who need the information, but not for those who do not need the information. .

  The latter e-mail (hereinafter referred to as “advertising-type e-mail”) is carried out as part of normal advertising campaigns by companies, etc., and can be considered separately from spam mail in the narrow sense. , There was no idea to filter the former and the latter mail separately.

Here, the present inventor has developed and operates a mail filtering system called NNNIP (Nearest Neighbor IP address based mail Filter) (see Non-Patent Document 1).
In this NNIPF, an MTA (Mail Transfer Agent) used when a user receives mail from outside the organization is registered in the system in advance. Also, in NNIPF, a normal sender IP address set and a spam mail sender IP address set are registered in advance.

  The NNIPF determines the IP address of the mail transmission source from the Received line generated and added to the mail header when an MTA (MTAOB; MTA On Border) registered in the system by the user receives the mail from the outside.

  Then, the NNNPF performs a nearest neighbor search on the determined IP address with respect to the IP address set of normal senders and the IP address set of spam mail senders registered in advance. As a result, an IP address (nearest neighbor address) having a value closest to the determined IP address is detected from a set of IP addresses of normal senders registered in advance, and spam mails registered in advance are detected. An IP address (nearest neighbor address) having a value closest to the determined IP address is detected from the sender IP address set.

  Furthermore, NNIPF obtains the distance (distance in the address space) between the determined IP address and the nearest neighbor address of the normal sender and the nearest neighbor address of the spam mail sender, and based on these distances, A “discrimination degree” (value of 0 to 1) indicating the likelihood of spam mail is obtained. If the degree of discrimination is 0, it is almost certainly a normal mail, and conversely if it is 1, it is almost certainly determined to be a spam mail. An intermediate value between 0 and 1 indicates that the closer to 1, the higher the likelihood of spam mail.

  Here, the NNIPF determines whether the source IP address of the received mail matches or does not match the black list (junk mail IP address list) or white list (normal mail IP address list). This is different from the “list” type classification.

  When the source IP address is confirmed by the “black list / white list”, if the source IP address is different from the address included in the “black list / white list” even by one bit, it is determined as “not matching”. In order to reliably detect junk mail, it is necessary that a set of IP addresses of all servers to which junk mail may be sent be registered in the black list, but this is not operational.

  On the other hand, NNIPF obtains the distance from the nearest neighbor address of the normal sender and the nearest neighbor address of the spam mail sender, and obtains the “discrimination degree” indicating the likelihood of spam mail based on these distances. The spam mail can be identified even if all the IP addresses of the spam mail sender and the normal sender are not registered in advance.

  In addition, it has been confirmed that NNIPF can perform classification with an accuracy of 98% or more when correctly operated. This is because junk mail is often sent from a server with an IP address similar to the IP address of a server that has sent junk mail in the past, and normal mail continues to be received from before. It is based on the fact that it is often transmitted from an IP address having an address value similar to that of the source server.

The reason why such a tendency appears is that IP addresses are systematically allocated by country and organization, and there is a bias in the IP address set of spam mail senders in the entire IP address space. . For example, there is almost no spam mail coming from a certain well-known company, while the possibility of spam mail coming from an IP address assigned to a foreign cheap provider is higher than from a well-known company.
This trend is universal unless the IP address allocation rules change, so the IP addresses of servers sending spam are never evenly distributed and remain statistically significant biases, It is possible to classify continuously.

Toshikazu Wada, NNIPF, [onlin], 2007, [searched on July 13, 2009], Internet <http://vrl.sys.wakayama-u.ac.jp/~twada/NNIPF.html>

  Now, in the case of advertisement-type e-mails that are carried out as part of normal promotional advertising activities by companies, etc., it is possible to consider the appropriateness of e-mail delivery methods, such as measuring the effectiveness of e-mail delivery, such as the audience rating in TV broadcasting. Is desired.

  In this regard, the present inventor has come up with the idea that the appropriateness of the mail delivery method in the advertisement type mail can be determined based on the passage / block of the advertisement type mail in the mail filtering system.

For example, the advertisement-type mail is often transmitted from a server of a specialist who undertakes transmission of the advertisement-type mail, not from the server of the advertising advertiser. Therefore, from the viewpoint of the advertising advertiser, as a selection criterion as to which specialist trader should be selected, for example, it is important whether or not an email is likely to reach a user desired by the advertising advertiser.
In other words, it is desirable that a company wishing to advertise with advertisement-type mail passes through its own advertisement-type mail as much as possible without being blocked by the mail filtering system.

However, as described above, the conventional filtering system has not had the idea of filtering by focusing on advertisement-type mail as described above, and it is determined whether or not the blocked mail is an advertisement mail. I couldn't.
Also, the NNNPF has not been filtered by paying attention to the advertisement type mail.

Moreover, in the conventional general content analysis type mail filtering system, since the text (content) of the advertisement type mail is often difficult to distinguish from the text of the normal mail, it is possible to appropriately extract only the advertisement type mail. Can not. For the same reason, when trying to detect advertisement-type mail as spam mail (in a broad sense) in content analysis type, there is a high risk that even normal mail will be detected as spam mail.
Furthermore, whether or not the advertisement-type mail should be received or rejected depends largely on the preference of each user, so the advertisement-type mail that should be received normally and the reception rejection based only on the contents of the content It is difficult to properly distinguish from advertisement-type mail to be sent.

  For this reason, it is difficult to use the conventional general content analysis type mail filtering system for determining the appropriateness of the mail distribution method of the advertisement type mail.

  In view of the above problems, an object of the present invention is to provide a mail filtering system and the like that can generate information that is used as a material for determining the appropriateness of a mail distribution method for advertising mail.

  The present inventor has found that the source IP address of the advertisement type mail (for example, the IP address of the advertisement type mail distributor) has a bias that can be distinguished from the narrowly defined junk mail and the normal mail address. In other words, as in the case of NNIP, in the method of obtaining the discrimination degree by performing the nearest neighbor search based on the mail source IP address, if the IP address set of the server that sent the advertisement type mail in the past is registered in advance, When filtering newly received emails, it is possible to identify advertising emails and determine the degree of distinction of advertising emails, and use this to determine the appropriateness of email delivery methods for advertising emails. The present invention was completed with the idea that information that can be used for judgment can be generated.

(1) The present invention
A classification database for registering a set of IP addresses for mail classification;
The IP address of the mail transmission source included in the mail header of the received mail is extracted, and the nearest address closest to the extracted IP address is obtained from the classification database by nearest neighbor search and received from the nearest address. A classification unit for classifying the received mail based on the degree of discrimination;
In the mail filtering system with
The classification database includes an advertisement-type mail sender database for registering an IP address set of advertisement-type mail senders, and a non-advertisement-type mail transmission for registering an IP address set of non-advertisement-type mail senders. Including the original database,
The classification unit performs the nearest neighbor search on each of the advertisement-type mail transmission source database and the non-advertisement-type mail transmission source database, and indicates the likelihood of advertisement-type mail from the nearest address obtained by the nearest neighbor search. Obtaining the degree of discrimination, configured to classify and register the IP address extracted from the received mail into either the advertisement-type mail sender database or the non-advertisement-type mail sender database according to the discrimination degree,
The IP address set that has been registered in the advertisement type e-mail source database, and output means for a force out in association with the user data,
It is the mail filtering system characterized by comprising.

(2) The classification IP database is a non-advertisement type mail transmission source database for registering the IP address set of the transmission source server that has transmitted the non-advertisement type mail. A spam mail source database for registering the IP address set of the original server, and a normal mail source database for registering the IP address set of the source server that sent the normal mail,
The classification unit performs the nearest neighbor search on each of the advertisement-type mail sender database, the junk mail sender database, and the normal mail sender database, and advertises from the nearest address obtained by the nearest neighbor search. It is preferable to be configured to obtain a degree of discrimination indicating the likelihood of a type mail.

(3) a classification database for registering a set of IP addresses for mail classification;
The IP address of the mail transmission source included in the mail header of the received mail is extracted, and the nearest address closest to the extracted IP address is obtained from the classification database by nearest neighbor search and received from the nearest address. A classification unit for classifying the received mail based on the degree of discrimination;
In the mail filtering system with
The classification database includes an advertisement-type mail sender database for registering an IP address set of advertisement-type mail senders, and a non-advertisement-type mail transmission for registering an IP address set of non-advertisement-type mail senders. Including the original database,
The classification unit performs the nearest neighbor search on each of the advertisement-type mail transmission source database and the non-advertisement-type mail transmission source database, and indicates the likelihood of advertisement-type mail from the nearest address obtained by the nearest neighbor search. Obtaining the degree of discrimination, configured to classify and register the IP address extracted from the received mail into either the advertisement-type mail sender database or the non-advertisement-type mail sender database according to the discrimination degree,
An output means for outputting the IP address set registered in the advertisement-type mail transmission source database as information usable for determining the appropriateness of the mail distribution method of the advertisement-type mail;
It is preferable that the advertisement mail transmission source IP address database is configured to separately register IP address sets for each user.

(4) The advertisement-type mail transmission source address is preferably stored in association with the transmission source IP address of the mail classified as the advertisement-type mail and the user data of the user who is the destination of the mail.

(5) The mail having the designated IP address as the transmission source address further includes means for counting the number of cases classified into the advertisement type mail and / or the number classified into the non-advertisement type mail in the classification unit. Is preferred.

(6) The present invention viewed from another viewpoint is a computer program for causing a computer to function as the mail filtering system described in any one of (1) to (4) above.

(7) According to another aspect of the present invention, the IP address of the mail transmission source included in the mail header of the received mail is extracted, and the nearest neighbor address closest to the extracted IP address is obtained by nearest neighbor search. Obtained from a classification database for registering an IP address set for mail classification, calculates a discrimination degree for classifying mail received from the nearest address, and classifies the received mail based on the discrimination degree In an email filtering system, an information generation method for generating information that can be used to determine the appropriateness of an email delivery method for advertising emails,
The classification database includes an advertisement-type mail sender database for registering an IP address set of advertisement-type mail senders, and a non-advertisement-type mail transmission for registering an IP address set of non-advertisement-type mail senders. Including the original database,
The information generation method includes:
Performing the nearest neighbor search on each of the advertisement-type mail sender database and the non-advertisement-type mail sender database;
Obtaining a degree of discrimination indicating the likelihood of advertising mail from the nearest address obtained by the nearest neighbor search;
Classifying and registering the IP address extracted from the received mail into either the advertisement-type mail sender database or the non-advertisement-type mail sender database according to the degree of discrimination;
The IP address registered in the advertisement-type mail sender database, a step of force out in association with the user data,
Is an information generation method.
(8) According to another aspect of the present invention, the IP address of the mail transmission source included in the mail header of the received mail is extracted, and the nearest neighbor address closest to the extracted IP address is obtained by nearest neighbor search. Obtained from a classification database for registering an IP address set for mail classification, calculates a discrimination degree for classifying mail received from the nearest address, and classifies the received mail based on the discrimination degree In an email filtering system, an information generation method for generating information that can be used to determine the appropriateness of an email delivery method for advertising emails,
The classification database includes an advertisement-type mail sender database for registering an IP address set of advertisement-type mail senders, and a non-advertisement-type mail transmission for registering an IP address set of non-advertisement-type mail senders. Including the original database,
The information generation method includes:
Registering the advertisement mail sender IP address database separately for each user, a set of IP addresses;
Performing the nearest neighbor search on each of the advertisement-type mail sender database and the non-advertisement-type mail sender database;
Obtaining a degree of discrimination indicating the likelihood of advertising mail from the nearest address obtained by the nearest neighbor search;
Classifying and registering the IP address extracted from the received mail into either the advertisement-type mail sender database or the non-advertisement-type mail sender database according to the degree of discrimination;
Outputting the set of IP addresses registered in the advertisement-type mail sender database as information that can be used to determine the appropriateness of the mail delivery method of the advertisement-type mail;
Is an information generation method.

  ADVANTAGE OF THE INVENTION According to this invention, the information used as the judgment material of the appropriateness of the mail delivery method of advertisement type | mold mail can be output from a mail filtering system.

It is a figure which shows arrangement | positioning of the mail filtering system of the concept of MTAOB. It is the schematic which shows the input / output function of a mail filtering system. It is the schematic which shows the internal function of a mail filtering system. It is a block diagram of the IP address database for classification. It is a block diagram of a classification | category part. It is explanatory drawing of conversion from an IP address to an IP address value. It is a figure which shows addition operation of B-tree. It is a figure which shows deletion operation of B-tree. It is a figure which shows the nearest neighbor search of B-tree. It is a figure which shows B + tree addition operation. It is a figure which shows deletion operation of B + tree. It is a figure which shows the nearest neighbor search of B + tree. It is a graph which shows the file size and search speed of GIP of B tree. It is a graph which shows the file size and search speed of BIP of B-tree. It is a graph which shows the file size of GIP of B + tree, and search speed. It is a graph which shows the file size and search speed of B + tree BIP. It is a logarithmic graph of size comparison. It is a graph of the average match average speed of GIP. It is a graph of the average match average speed of BIP. It is a graph of the nearest neighbor search average speed. It is a graph of the average speed of the operation | movement of addition / deletion.

  Hereinafter, preferred embodiments of the present invention will be described with reference to the accompanying drawings.

[1. Overview of Nearest Neighboring Filtering System and Definition of Terms]
1 and 2 illustrate an operation mode of the mail filtering system (filtering server) 1 according to the embodiment. As shown in FIG. 1, the mail transmission / reception software used by the mail user and the computer on which it operates are called “UMA” (User Mail Agent). In addition, when a plurality of MTAs (Mail Transfer Agents) are installed in a certain organization (an organization such as a company / university having a mail server, an Internet service provider, etc.) S, normal mail reception for UMA is performed. The MTA that provides the receiving mailbox is referred to as “Base MTA”. Further, when a mail user receives mail from outside the organization S, the MTA within the organization S that receives mail from an external server is referred to as MTAOB (MTA On the Border).

  In the present embodiment, the Base MTA is set to forward the mail to the filtering system (filtering server) 1 according to the embodiment when the mail is received. As shown in FIG. 2, the filtering system 1 classifies the forwarded mail, and normal mail is stored in a classified mailbox for each mail user. When the mail user receives the mail using the filtering system 1, the mail user acquires the mail from the classified mailbox of the filtering system 1 instead of the Base MTA. In other words, in the filtering system 1, abnormal mail (spam mail / advertisement mail) is blocked, and normal mail passes.

  Further, the filtering system 1 outputs information that can be used for determining the appropriateness of the mail delivery method for the advertisement-type mail based on the result of classifying the mail.

  Note that the filtering system 1 of the present embodiment may be mounted on the same server as the Base MTA. Moreover, each function of the filtering system does not need to be mounted on the same server, and may be distributed.

[2. About the mail sender IP address]
Each MTA adds a Received line as shown in FIG. 1 to the mail header each time it receives and forwards the mail. In the Received line, after “From”, the IP address of the server that sent the mail to the MTA is described, and after “by”, the IP address of the MTA is described.

  Since a mail is transferred with a plurality of MTAs, it is common that a plurality of Received lines are added to the mail header of one mail. If the MTAOB receiving mail from the server looks at the Received line described after “by”, it can be seen that the IP address after “From” in the Received line is the IP address of the mail transmission source. Since the Received line described after MTAOB is “by” is added by MTAOB of the organization S to which the user belongs, it is difficult to impersonate the source IP address, and the correct IP address of the source can be obtained. .

  The filtering system 1 classifies mail using the source IP address included in the mail header.

[3. Configuration of mail filtering system]
FIG. 3 shows functional blocks of the mail filtering system (hereinafter simply referred to as “system”) 1. The system 1 is configured by installing a mail filtering computer program on a server (computer) 1, and the function of the system 1 described below is executed by the server (computer) 1. It will be demonstrated in

  The system 1 includes an interface unit 11 for a mail user to input various settings, a classification unit 12 for classifying mail, a classification IP address database 13 in which IP addresses for classification are registered, and information on the mail user Search for searching the user database 14 registered (age, gender, region, occupation, etc.), the specified IP address storage unit 15 for storing the specified IP address, the passage rate data storage unit 16, and the database 13. And a mail filter pass rate calculation unit 18 having a designated IP address as a transmission source.

  The interface unit 11 has a function as a Web server, and a user can browse and input necessary information from a user computer (equipped with UMA) by a Web browser function. The interface unit 11 displays the classification status of each mail transferred to the classification unit 12 to the user, or is a normal mail or an abnormal mail (an advertisement-type mail or annoyance that you do not want to receive) for mail that has not yet been classified. Emails that are classified by the system, or those that are classified incorrectly by the system 1 or that are determined to be unclassifiable by the system, are manually classified by the user (advertising-type emails, spam emails, It is possible to accept input from the user for any of normal mail).

The classification unit 12 automatically categorizes the mail transferred to the classification unit 12 into one of advertisement type mail, spam mail, and normal mail, and classifies the normal mail for each mail user. Store in mailbox. For this reason, the mail user can avoid receiving unnecessary advertisement-type mail and junk mail by UMA. Normal mail may include advertisement-type mail.
Details of the classification unit 13 will be described later.

  As shown in FIG. 4, the classification IP address database 13 includes five types of databases. That is, the normal mail sender IP address common database 13a, the spam mail sender IP address common database 13b, the normal mail sender IP address personal database 13c, the spam mail sender IP address personal database 13d, and the advertisement mail sender IP. There are five types of address personal database 13e.

  The normal mail sender IP address common database 13a and the normal mail sender IP address personal database 13c are used for registering the normal mail sender IP address.

  Of these databases 13a and 13c regarding normal mail, the common database 13a is a database that is commonly used for each mail user. For example, since mails from excellent companies and public organizations should be treated as normal emails for many users, the IP address of the transmission source server of such a company or public organization is previously stored in the common database 13a. It is registered in.

On the other hand, the personal database 13c is provided for each mail user, and is classified as a normal mail among mails addressed to each user, and the transmission source IP address is not registered in the common database 13a. The sender IP address of the mail is registered.
In this personal database 13c, for example, the IP address of the transmission source server with which each user exchanges mail on a daily basis is registered.

  The spam mail sender IP address common database 13b and the spam mail sender IP address personal database 13d are used to register the sender IP address of the spam mail.

  Of the databases 13b and 13d related to these spam mails, the common database 13b is a database that is commonly used for each mail user. For example, since mail including harmful information and virus mail should be treated as spam mail for many users, the IP address of the mail transmission source server is registered in advance in the common database 13b. .

  On the other hand, the personal database 13d is provided for each mail user, and the mail addressed to each user is classified as spam mail, and the transmission source IP address is not registered in the common database 13b. The sender IP address of the mail is registered.

  Of the IP addresses registered in the personal databases 13c and 13d, the system 1 handles IP addresses that have been determined to have increased commonality as a result of being registered in the personal databases 13c and 13d of many users. Stored in the common databases 13a and 13b.

The above four databases 13a, 13b, 13c, and 13d register the IP address of the transmission source server that has transmitted normal mail and / or spam mail that is non-advertisement mail other than advertisement mail. Original IP address database ".
On the other hand, the advertisement-type mail sender personal database 13e is an “advertisement-type mail sender IP address database” that registers the IP address of the sender server that sent the advertisement mail.

This advertisement-type mail sender personal database 13e is provided for each mail user, and the advertisement-type mail sender IP address for each mail user is registered.
As the “advertisement type mail sender IP address database”, only this advertisement type mail sender personal database 13e is provided, and no common database is provided like normal mail and spam mail.
Therefore, all the sender IP addresses of mail classified as advertisement mail are registered in the advertisement mail sender personal database 13e of each user. By not providing a common database, it is easy to grasp the reception status of advertisement-type mail for each user.

  In the advertisement-type email sender's personal database 13e, emails that have been classified as normal emails in the past, such as advertising emails about products that have lost interest, and email magazines that can no longer be read, are now no longer needed. In addition, the IP address of a transmission source server such as a wide mail that is transmitted indiscriminately and is not desired to be received is registered. When the user classifies the mail by manual input and registers it in the database 13, it is only necessary to determine whether it is spam mail or advertisement mail based on the user's subjectivity.

[4. Details of classification section]
FIG. 5 shows functional blocks of the classification unit 12. The classification unit 12 includes a reception unit 121 that receives the forwarded mail, an IP address extraction unit 122 that extracts a transmission source IP address of the mail received by the reception unit 121, and a classification IP address based on the extracted IP address. Nearest neighbor search unit 123 that performs the nearest neighbor search in the database 13, a discrimination degree calculation unit 124 that calculates a discrimination degree from the result of the nearest neighbor search, a mail classification unit 125 that classifies received mail based on the discrimination degree, and normal mail A classified mail box 126 for storing the mail classified as, and a designated IP address detecting section 127 for detecting a mail whose designated IP address is the transmission source among the mails received by the receiving section 121.

[4.1 IP address extraction unit]
The IP address extraction unit 122 includes an MTA registered in the system 1 as the MTAOB of the user who is the recipient of the mail among the Received lines added to the mail header of the mail received by the reception unit 121. The Received line described after “by” in the Received line is extracted. Furthermore, the IP address extracting unit 122 extracts the IP address after “from” in the extracted Received row as the source IP address.
Note that the MTAOB of each user is registered in the system 1 in advance.

[4.2 Nearest neighbor search unit]
The nearest neighbor search unit 123 searches for the nearest neighbor address of the extracted address based on the nearest neighbor search theory similar to NNIPF.
That is, the nearest neighbor searching unit 123 of this embodiment uses the nearest neighbor address of the IP address (extracted IP address; unknown IP address) extracted by the IP address extracting unit 122 as the database 13a in the classification IP address database. Search is performed for each of 13b, 13c, 13d, and 13e.

Specifically, the nearest neighbor searching unit 123 performs the nearest neighbor address (first nearest neighbor address) in the normal mail sender IP address common database 13a, and the nearest neighbor address (second nearest neighbor address in the spam mail sender IP address common database 13b). Side address), normal mail sender IP address for the user who is the mail recipient, the nearest neighbor address (third nearest neighbor address) in the personal database 13c, and the spam mail sender IP address for the user who is the mail recipient Search for the nearest neighbor address (fourth nearest neighbor address) in the personal database 13d and the nearest neighbor address (fifth nearest neighbor address) in the personal database 13e of the advertisement-type mail sender IP address for the user who is the mail recipient 5 nearest neighbor addresses To.
Details of this search method will be described later.

  In addition, the nearest neighbor searching unit 123 sets an address closer to the extracted IP address among the first nearest neighbor address and the third nearest neighbor address related to normal mail as “the nearest neighbor address as normal mail” and also relates to spam mail. Of the second nearest neighbor address and the third nearest neighbor address, an address closer to the extracted IP address is set as “nearest neighbor address as spam mail”.

Here, the nearest address as a normal mail is expressed as “NN (IP; GIP)”,
The nearest address for spam is represented as “NN (IP; BIP)”
The nearest neighbor address (4th nearest neighbor address) as an advertisement mail is expressed as “NN (IP; AIP)”,
The distance between the extracted IP address (unknown IP address; IP) and the nearest address NN (IP; GIP) as normal mail is represented as D _GIP (IP) = dist (IP, NN (IP; GIP))
The distance between the extracted IP address (unknown IP address; IP) and the nearest neighbor address NN (IP; BIP) as spam mail is expressed as D _BIP (IP) = dist (IP, NN (IP; BIP)),
The distance between the extracted IP address (unknown IP address; IP) and the nearest address NN (IP; AIP) as the advertisement type mail is expressed as D _AIP (IP) = dist (IP, NN (IP; AIP)). .
Although the method of obtaining the distance will be described later, the nearest neighbor searching unit 123 _obtains and outputs each of these distances D _GIP , D _BIP , and D _AIP from the extracted IP address and each nearest neighbor address.

[4.3 Discrimination degree calculation unit]
Based on the distances D _GIP , D _BIP , and D _AIP , the discrimination degree calculation unit 124 calculates a discrimination degree that indicates the spam source of the extracted IP address and a discrimination level that indicates the likelihood of the sender of the advertisement-type mail. To do.

Here, the degree of discrimination indicating whether the extracted IP address (IP) is likely to be a spam mail sender is expressed by the following equation.

Further, the degree of discrimination indicating whether the extracted IP address (IP) is likely to be the sender of the advertisement mail is expressed by the following equation.

This is because the prior probability P (Good) of normal mail, the prior probability P (Bad) of junk mail, and the prior probability P (Adv) of advertisement-type mail are both 1/3, and the normal probability distribution is P (IP | Good) = 1 / D _GIP , P (IP | Bad) = 1 / D _BIP , P (IP | Adv) = 1 / D _AIP , the posterior probabilities of spam mail and advertisement mail are as follows: It agrees with the result calculated by Bayes rule.

The above P (Spam | IP) indicates the probability that the extracted IP address is a spam mail source IP address (spam mail discrimination degree), and takes a value of 0 to 1. The discrimination degree calculation unit 124 calculates the discrimination degree based on the above-described expression P (Spam | IP). The closer this value is to 1, the higher the probability that it is a spam mail source IP address.
Also, the above P (Adv | IP) indicates the probability that the extracted IP address is the advertisement type mail transmission source IP (advertising type mail discrimination degree), and takes a value of 0 to 1. The discrimination degree calculation unit 124 calculates the discrimination degree based on the above expression of P (Adv | IP). The closer this value is to 1, the higher the probability that it is an advertisement mail sender IP address.
The probability that the extracted IP address is a normal mail transmission source IP address (normal mail discrimination degree) is obtained by P (Good | IP) = 1− (P (Spam | IP) + P (Adv | IP)).

[4.4 Mail classification section]
The mail classifying unit 125 converts the received mail to be classified into spam mail, advertisement mail, normal, based on the above-described discrimination levels P (Spam | IP), P (Adv | IP), and P (Good | IP). Categorize as either email.

The mail classification unit 125 has a classification with the largest value among the three discrimination levels P (Spam | IP), P (Adv | IP), and P (Good | IP) (spam mail, advertisement mail, normal mail). The received mail is sorted into the classification, and the transmission source IP address (extracted IP address) of the received mail is registered in the corresponding databases 13a to 13e. Moreover, normal mail is stored in the classified mail box 126, and UMA can acquire mail.
When the determined classification is junk mail or normal mail, the extracted IP address is registered in the personal databases 13c and 13d when the extracted IP address is not registered in the common databases 13a and 13b.

  Further, when the determined classification is an advertisement type mail, the mail classification unit 125 acquires user data of a user who is a mail recipient from the user database 14, and associates the user data with an extracted IP address. The extracted IP address is registered in the advertisement-type mail sender IP address personal database 13e. The personal databases 13c and 13d may be registered in association with the extracted IP address and user data.

  As described above, in the present system 1, advertisement mail can be filtered, and data (database 13e) that associates the transmission source IP address of the blocked advertisement mail with the user data of the blocked user (mail destination user). ) Is obtained. This data is used as information that is used as a material for determining the appropriateness of the mail delivery method of the advertisement-type mail.

  In addition, a threshold may be used when classifying mail using the degree of discrimination. For example, if the spam discrimination level or the advertisement-type email discrimination level is not equal to or higher than a predetermined threshold T1, it can be handled as not regarded as a spam email or an advertisement-type email. Also, two or three or more threshold values may be provided, and the likelihood of junk mail or advertisement-type mail may be determined according to the threshold value. Further, the determination result can be used for color-coded display of each classified mail for the user.

[4.5 Designated IP address detector]
The designated IP address detecting unit 127 detects the reception status (the total number of received messages) of mail in which the designated IP address stored in the designated IP address storage unit 15 is the source IP address, and the designated IP address is It detects the number of mails that have been classified as normal mails and / or the number of mails classified as advertisement-type mails. Also, the number classified as junk mail may be detected.

  In the designated IP address storage unit 15, for example, an IP address designated by the advertiser of the advertisement mail (input address of the advertisement mail) is input and stored. The designated IP address detection unit 127 determines the number of advertisement mails having the designated IP address that have passed through the system 1 based on the classification result in the classification IP address database 13 and / or the classification unit 125, The number of blocked cases can be detected.

These detection results are used by the passage rate calculation unit 18 to calculate the passage rate and / or block rate of the advertisement mail. The passing rate can be calculated by [number of emails with specified IP address classified as normal email / total number of emails with specified IP address], and the blocking rate is [mail with specified IP address becomes advertising mail] The number of classified items / the total number of emails with the specified IP address] can be calculated.
This calculation result is output from the system 1 and becomes information provided to the advertiser of the advertising mail. In addition, user data of a user who has passed or blocked may be added to the calculation result. By obtaining such a passing rate or blocking rate, it becomes possible for the advertiser to examine whether or not the requested advertisement mail distributor has an appropriate source IP address.

[5. Search IP address database for classification]
The search unit 17 searches the classification IP address database 13 using the IP address as a search key, and searches for and outputs whether or not the IP address of the search key is registered in each of the databases 13a to 13e. Can do.
Further, when the advertisement type mail sender IP address personal database 13e is searched from the search unit 17 using the IP address as a search key, user data registered in association with the IP address can be extracted from the database 13e. it can.
For example, when an advertiser of an advertisement type mail wants to know to what extent the advertisement type mail is blocked as an advertisement type mail in the system 1, it searches for the sender IP address of the advertisement type mail. The user data may be input and searched as a key, and the extracted user data may be analyzed.

[6. Details of nearest neighbor search]
Hereinafter, the nearest neighbor search theory by the nearest neighbor search unit 123 will be described.

[6.1 IP address]
The IP address used in the present embodiment is based on the IPv4 protocol that is currently widely used. IPv4 IP is usually expressed in a notation in which four sets of numbers from 0 to 255 are connected by dots. In the present embodiment, when calculating the distance of the IP address, the IP address is converted into a decimal number notation by considering the IP address as a 256 number in the same manner as the NNIPF. In order to obtain the IP address value from the IP address, as shown in FIG. 6, the left side of the IP address is the upper digit, and 256 ³ , 256 ² , 256 ¹ , 256 ⁰ Multiply the digit weight to obtain a decimal IP address. The distance calculation based on the IP address value adopts NNIPF, and it has been confirmed that the classification can be appropriately performed by the distance calculation based on the IP address value.

  In the databases 13a to 13e, the IP address and the IP address value are stored. The IP address is stored as binary data. When the IP address is converted into binary data, each octet of the IP address becomes 1 byte, so that one IP address can be handled with 4 bytes.

[6.2 Construction Method of Database 13]
In the present system 1, the source IP address extracted from the mail is classified by nearest neighbor search. For this reason, a set of known IP addresses corresponding to the number of classifications is required. That is, if classified into three types of normal mail, spam mail, and advertisement mail, a set of IP addresses of normal mail senders with known IP (databases 13a and 13c), IP addresses of known spam mail senders, A set (databases 13b and 13d) and a set of IP addresses (database 13e) of known advertisement-type mail senders are required, and the nearest neighbor address of the source IP address extracted from the mail out of these sets Will be extracted.

  In the conventional NNIPF, in order to store a set of known IP addresses, hundreds to thousands of IP addresses are used in the hierarchical structure of the directory, and the address closest to the input mail IP address (nearest address) Explore. Therefore, a normal file system has a problem that a large amount of disk space is consumed. In order to avoid this problem, a method may be considered in which the individual databases 13a to 3e are stored in a single file, and the nearest neighbor search is performed by reading the database. However, since this system 1 is activated every time a mail arrives, it is not efficient to read thousands of data from a file.

  In order to solve such a problem, the present embodiment employs a method of performing a nearest neighbor search without expanding data stored in an auxiliary storage device (hard disk or the like) of the computer 1 into a memory. This sort of content can be called an external nearest neighbor search when the sort algorithm is classified into an internal sort and an external sort. In this embodiment, a B-tree or a B + tree is used for this outer nearest neighbor search. These data structures are originally based on a match type search, but in the present embodiment, these are used for nearest neighbor search.

In the present embodiment, files corresponding to each of the five databases 13a to 13e are provided in the auxiliary storage device (hard disk or the like) of the computer 1. In the file, IP address values (and IP addresses) are stored in a B-tree or B + tree structure.
By constructing a B-tree or B + -tree in the file, the search can be performed only by movement within the file, and it is not necessary to load all the data into the memory, which is efficient.
Hereinafter, a method of searching for the nearest neighbor without saving disk space by loading an IP address value (IP address) in a file using a B tree and a B + tree and loading it into a memory will be described.

[6.2.1 IP Address Storage Using B-Tree]
Here, operations such as definition, addition, and deletion of the B-tree are introduced, and a method of storing an IP address in a file using the B-tree and a nearest neighbor search of the B-tree are described.

[6.2.1.1 B-tree]
The B-tree is a tree structure used for an index or file system in the system, and is a kind of balanced tree. The B-tree has an order k value that determines the number of keys in the node. For a k-th order B-tree, it is defined as follows.

In the clauses other than the root, k or more and 2k or less keys are stored. Each key (m) is a [1], ..., a [m].
・ 1 to 2k keys are stored in the root.
Any section other than leaves has m + 1 pointers to subtrees, where m is the number of keys stored in that section. Let these pointers be p [1],..., P [m].
・ All leaves are at the same level.
In any clause, the key sequences a [1],..., A [m] are aligned. The key a [i] (1 ≦ i ≦ m) is larger than any key in the subtree pointed to by p [i−1], and conversely smaller than any key in the subtree pointed to by p [i].
The above is the definition of the k-th order B-tree.
In this embodiment, an IP address value is stored as a key.

  In addition, the key search is performed by binary search because the key strings in each section are aligned. A major feature of the B-tree is a buffering effect on dynamic file operations. When the node is divided by the key division, the node immediately after the division has enough free space, so that a major restructuring like the division does not occur for a while. The same applies to deletion. In particular, in a situation where addition and deletion are congested, almost no node division or connection operation is required due to the buffer effect.

[6.2.1.2 Addition of B tree key (IP address value)]
An operation for adding a key (IP address value) of a B tree is shown by taking the secondary B tree of FIG. 7A as an example.

(1) Addition of Key (IP Address Value) 10 First, in the B-tree shown in FIG. 7A, when the key 10 is searched, a node to be stored is found. As shown in FIG. 7B, this node includes two keys, and even if one key is added, the condition is satisfied, so it may be simply added.

(2) Addition of Key (IP Address Value) 30 When searching for the key 30 in the B-tree shown in FIG. 7A, a node to be stored is found. As shown in FIG. 7C, the upper limit of four keys is stored in this section. In this case, after the key 30 is temporarily inserted, the key 30 is divided into two and the center key (here, “30”) is raised to the parent clause.

  As shown in the above (1) and (2), the key is added to the B-tree by simple addition or division. The split will send the center key to the parent clause, but if the parent clause already contains the maximum number of keys, the parent node will be split again and the center key will be sent to its parent. This happens repeatedly, and sometimes the root itself is split and the height of the tree increases by one. The height of the B tree increases when the split operation reaches the root in this way.

[6.2.1.3 Deletion of B-tree key (IP address value)]
An operation for deleting a key from the B-tree will be described by taking the secondary B-tree in FIG. 8A as an example.

(1) Deletion of key 62 When the key 62 is searched, a leaf node is found. In this case, even if the key 62 is deleted, the condition is maintained because there are still two keys. Therefore, it is simply deleted as shown in FIG.

(2) Deletion of key 85 When a node containing key 85 is searched, a leaf node is found.
If the key 85 is deleted, the rest becomes one key 80 and the condition is not satisfied. As shown in FIG. 8C, when the next sibling node is examined, since the three keys are in the sibling node immediately to the left, the parent node key 77 is also joined and moved to the missing node. In this way, a key is handed over from an adjacent sibling node.

(3) Deletion of key 90 When key 90 is searched, a leaf node is found.
In this case as well, there is only a minimum number of keys in the node. In addition, even if you look at the next sibling node, there is no node that can afford to yield. In such a case, as shown in FIG. 8D, the nodes are combined into one node together with the adjacent nodes. This operation is called connection. In this example, since the parent node itself does not satisfy the condition, the connection with the sibling node of the parent node is caused again. In this way, the connection may ripple toward the root, and as a result, when the root node participates in the connection, the height of the B-tree is reduced by one.

(4) Deletion of key 88 The examples of (1), (2), and (3) are all deletions of keys included in leaf nodes. However, the current deletion of the key 88 is a key in the branch node. In such a case, a key immediately after the key 88 is searched first. In the example, it is the key 90. After the 90 is copied to the storage location 88, the key 90 in the leaf node is deleted. The deletion of the leaf node key 90 is as described in (3).

[6.2.1.4 Nearest neighbor search of B-tree]
The nearest neighbor search of B-tree is shown as an example of the secondary B-tree in FIG.
The key (IP address value) for performing the nearest neighbor search is 82. In this case, first, it moves to the root node. A binary search is performed in the root node to find a position where... key n <82 <key n + 1. In FIG. 9, the position is 60 <82.

When the position of key 1... Key n <82 <key n + 1... Is found, the distance between key n and key n + 1 is calculated. The distance is calculated as a difference (absolute value) between keys. In FIG. 9, 82-60 = 22 is the shortest distance from the key in the root node.
Next, move from the pointer on the right of 60 to the child node. Even for child nodes, binary search and distance calculation are performed. When the distance calculation is performed in FIG. 9, the shortest distance from the key in this node is 5 from 82−77 = 5 and 88−82 = 6. If the B-tree is deep, repeat this until it moves to the leaf node.

The binary search and the distance calculation are performed in the leaf node, and the return process is terminated with the smallest value among the shortest distances as the shortest distance between the extracted address and the nearest neighbor address. In FIG. 9, when a binary search is performed on a leaf node, a position of 80 <82 <85 is found, and when a distance calculation is performed, 82-80 = 2 and 85-82 = 3. The shortest distance is 2. Since the smallest value in the shortest distance is 2, return 2 as the distance to the nearest neighbor address of the key 82 (extracted IP address), and return the IP address corresponding to the key 80 as the nearest neighbor address, The process ends.
Since the keys of the B-tree are sorted and stored, the nearest neighbor search can be performed with a single search, so that processing can be performed at high speed.

[6.2.2 IP address storage using B + tree]
In the following, when the B + tree is adopted in the characteristics of the B + tree obtained by extending the B tree, the key addition / deletion operation, and the databases 13a to 13e of this embodiment, the IP address is converted into a file using the B + tree. The storage method and the nearest neighbor search of the B + tree will be described.

[6.2.2.1 B + tree]
The B + tree is an equilibrium tree obtained by extending the B tree, and is divided into a root node and a node node as index pages and a leaf node as a data page.
In the B + tree, all data is stored in the leaf, and only the index and branch are included in the nodes from the root to the leaf. The B + tree functions as an index, and has better storage efficiency than the B tree. The index page of the B + tree is composed of a process of inserting and deleting data. The basic definition is the same as the B-tree.

[6.2.2.2 Add B + tree key]
An operation for adding a B + tree is shown by taking the secondary B + tree of FIG. 10A as an example.

(1) Addition of key 28 When searching with key 28, a leaf node to be stored is found.
Since this leaf node has two keys and the number of keys has not reached the upper limit, it is simply added. FIG. 10B shows after the addition.

(2) Addition of key 70 When the key 70 is searched, a leaf node to be stored is found.
However, this leaf node contains the upper limit of four. In this case, after adding the key 70, the central key is raised to the index node which is the parent node, and the leaf node is divided.
FIG. 10C shows the result after the division.

If the number of keys of the index node that is the parent node is the upper limit, the index node is divided by raising the central index key to the parent index.
FIG. 10D in which the key 95 is added is shown below.

[6.2.2.3 Delete B + tree key]
An operation for deleting a key from a B-tree is shown by taking the secondary B + tree of FIG. 11A as an example.

(1) Deletion of key 70 When a node containing the key 70 is searched, a leaf node is found.
Since 60, 65, and 70 are contained in this node and two keys remain even if the key 70 is deleted, the condition is satisfied. Therefore, it is simply deleted. FIG. 11B shows the state after deletion.

(2) Deletion of key 25 When key 25 is searched, a leaf node is found. This leaf node has 25, 28, and 50, and even if the key 25 is deleted, two remain, so the condition is satisfied. However, since there are 25 index nodes, 28 is added to the index node after the index node 25 is deleted. FIG. 11C shows the state after the key 25 is deleted.

(3) Deletion of key 60 When the key 60 is searched, a leaf node is found. Since this leaf node has only two keys, if the key 60 is deleted, the condition is not satisfied, so it is combined with the sibling node.
Furthermore, since there is 60 in the root index node, 60 is deleted and child index nodes of root are combined to become a root index. FIG. 11D shows the state after the key 60 is deleted.

[6.2.2.4 B + tree nearest neighbor search]
The nearest neighbor search of the B + tree is shown by taking the secondary B + tree of FIG. 12 as an example. The key for performing the nearest neighbor search is 57. First, move to the root node. A binary search is performed in the root node, and a position where key n <57 <key n + 1. In FIG. 12, the position is 50 <57 <75.

  When the position of key 1... Key n <57 <key n + 1... Is found, the distance between key n and key n + 1 is calculated. In FIG. 12, since 57-50 = 7 and 75-57 = 18, the shortest distance from the key in the root node is 7.

Next, move from the pointer between 50 and 75 to the child node. Binary search and distance calculation are also performed on child nodes. If the B + tree is deep, repeat this until it moves to the leaf node. A binary search and distance calculation are performed within the leaf node, and the smallest value among the shortest distances is returned and the process is terminated. In FIG. 12, when a binary search is performed on a leaf node, a position of 55 <57 <60 is found, and when a distance calculation is performed, 57−55 = 2 and 60−57 = 3. Therefore, the shortest distance from the key in the leaf node Is 2. The IP address corresponding to 2 which is the smallest value in the shortest distance is returned and the process is terminated.
Since the keys of the B + tree are sorted and stored in the same manner as the B tree, the nearest neighbor search can be performed with a single search, and processing can be performed at high speed.

[7. Experiment]
Here, an IP address is stored in a file using the B tree and the B + tree, and the result of comparing the size and the search speed with the conventional storage method (storage method using a directory hierarchical structure) will be described.

[7.1 Comparison of file size and search speed with varying degree k]
The B tree and B + tree have an order k that determines the number of keys in the node. The difference in file size and search time between the B-tree and B + -tree according to the value of k was compared.

The data to be used is an IP address set GIP, BIP used in the current NNIPF. The number of GIP and BIP IP addresses is shown below.
GIP: Normal mail sender IP address set (number of IP addresses: 842)
BIP: Spam mail sender IP address set (number of IP addresses: 3037)

Tables 1 to 4 show the file sizes and search speeds of the B tree and B + tree when the order k is changed, and FIGS. 13 to 16 show graphs summarizing the results.

Looking at the table and graph (Table 1 and FIG. 13) for the B-tree GIP, it can be seen that when k is 32, the file size is small, and when k is 8, the exact mach time is fast.
However, the difference in exact match time is 33 [ms] when k = 8 and 33.9 [ms] when k = 32, so k = 32 is the smallest file size in the BIP tree of GIP. It is preferable to use it.

Looking at the BIP BIP table and graph (Table 2 and FIG. 14), it can be seen that when k is 32, the file size decreases, and when k is 8, the exact mach time increases.
However, the difference in the exact match time is 33.8 [ms] when k = 8 and 35 [ms] when k = 32, so k = 32 is the smallest file size in the BIP B-tree. It is preferable to use it.

From the table and graph (Table 3 and FIG. 15) for the B + tree GIP, it can be seen that when k is 32, the file size is small, and when k is 8, the exact mach time is fast.
However, the difference in the exact match time is 12.6 [ms] when k = 8 and 14.0 [ms] when k = 32, so that the file size is the smallest and k = 32 is set to B + of GIP. Use with wood is preferred.

Looking at the B + tree BIP table and graph (Table 4 and FIG. 16), it can be seen that when k is 32, the file size is small, and when k is 8, the exact mach time is fast.
However, the difference in the exact match time is 13.3 [ms] when k = 8 and 15.5 [ms] when k = 32, so that the file size is the smallest and k = 32 is set to B + of BIP. Use with wood is preferred.

[7.2 Comparison of size and search time with conventional methods]
The size and search speed were compared between the B-tree and B + -tree at the order k = 32 obtained in 7.1 and the conventional hierarchical structure of the directory.
Table 5 below shows a comparison between the conventional method and the sizes of the B tree and the B + tree. In addition, FIG. 17 shows the result of size comparison on the logarithmic axis.

  From Table 5 and FIG. 17, the size was successfully made smaller than the storage in the directory hierarchical structure. It was also found that the file size of the B + tree is smaller than that of the B tree. This shows that the storage efficiency of the B + tree is better than that of the B tree.

Next, the time difference of search speed is shown. The exact match speed comparison is shown in FIG. 18 and FIG. 18 and 19, it was found that the exact match speed was slightly faster for the B-tree than the conventional method, and the B + -tree was the fastest.
The speed of the B-tree and B + -tree is faster than the conventional method. The conventional method opens the directory four times, whereas the B-tree and B + -tree only need to open the file once, so the speed is increased. .
The reason why the speed of the B + tree is faster than that of the B tree is considered to be that the number of times of searching up to the leaf node is reduced because the storage rate of the node of the B + tree is better than that of the B tree.

  Next, FIG. 20 shows a comparison of speeds of nearest neighbor search. From the speed experiment of the nearest neighbor search, it was found that the speed of the B-tree and the B + -tree was faster than the conventional method.

[7.3 Comparison of key addition and deletion operations for B-tree and B + tree]
When storing IP addresses in files using B-trees or B + -trees, we compared differences in the speed of operations such as adding and deleting keys. The result is shown in FIG.
In this experiment, neither the B-tree nor the B + -tree was a deep tree, so a large-scale operation did not occur, and addition and deletion operations could be performed at high speed.

[8. Addendum]
In addition, the matter disclosed as embodiment of this specification is an illustration, Comprising: This invention is not limited and various deformation | transformation are possible.

DESCRIPTION OF SYMBOLS 1 Filtering system 11 Interface part 12 Classifying part 13 Classification IP address database 13a Normal mail sender IP address common database 13b Spam mail sender IP address common database 13c Normal mail sender IP address personal database 13d Spam mail sender IP address Common database 13e Advertising mail sender IP address personal database 14 User database 15 Designated IP address storage unit 16 Pass data storage unit 17 Search unit 18 Pass rate calculation unit

Claims (8)

A classification database for registering a set of IP addresses for mail classification;
The IP address of the mail transmission source included in the mail header of the received mail is extracted, and the nearest address closest to the extracted IP address is obtained from the classification database by nearest neighbor search and received from the nearest address. A classification unit for classifying the received mail based on the degree of discrimination;
In the mail filtering system with
The classification database includes an advertisement-type mail sender database for registering an IP address set of advertisement-type mail senders, and a non-advertisement-type mail transmission for registering an IP address set of non-advertisement-type mail senders. Including the original database,
The classification unit performs the nearest neighbor search on each of the advertisement-type mail transmission source database and the non-advertisement-type mail transmission source database, and indicates the likelihood of advertisement-type mail from the nearest address obtained by the nearest neighbor search. Obtaining the degree of discrimination, configured to classify and register the IP address extracted from the received mail into either the advertisement-type mail sender database or the non-advertisement-type mail sender database according to the discrimination degree,
The IP address set that has been registered in the advertisement type e-mail source database, and output means for a force out in association with the user data,
An email filtering system characterized by comprising: The classification IP database is a non-advertisement type mail transmission source database for registering an IP address set of a transmission source server that has transmitted a non-advertisement type mail. A spam mail source database for registering an IP address set, and a normal mail source database for registering an IP address set of a source server that has sent a normal mail,
The classification unit performs the nearest neighbor search on each of the advertisement-type mail sender database, the junk mail sender database, and the normal mail sender database, and advertises from the nearest address obtained by the nearest neighbor search. The mail filtering system according to claim 1, wherein the mail filtering system is configured to obtain a discrimination degree indicating the likelihood of a type mail. A classification database for registering a set of IP addresses for mail classification;
The IP address of the mail transmission source included in the mail header of the received mail is extracted, and the nearest address closest to the extracted IP address is obtained from the classification database by nearest neighbor search and received from the nearest address. A classification unit for classifying the received mail based on the degree of discrimination;
In the mail filtering system with
The classification database includes an advertisement-type mail sender database for registering an IP address set of advertisement-type mail senders, and a non-advertisement-type mail transmission for registering an IP address set of non-advertisement-type mail senders. Including the original database,
The classification unit performs the nearest neighbor search on each of the advertisement-type mail transmission source database and the non-advertisement-type mail transmission source database, and indicates the likelihood of advertisement-type mail from the nearest address obtained by the nearest neighbor search. Obtaining the degree of discrimination, configured to classify and register the IP address extracted from the received mail into either the advertisement-type mail sender database or the non-advertisement-type mail sender database according to the discrimination degree,
An output means for outputting the IP address set registered in the advertisement-type mail transmission source database as information usable for determining the appropriateness of the mail distribution method of the advertisement-type mail;
Before Symbol advertising mail sender IP address database is configured to register separately the IP address set for each user
Mail filtering system. The advertisement-type email source address is stored in association with a source IP address of email classified as an advertisement-type email and user data of a user who is the destination of the email. The described email filtering system. The mail further comprising a means for aggregating the number of mails classified as advertisement-type mails and / or the number of mails classified as non-advertisement-type mails in the mail whose designated IP address is a source address. The mail filtering system of any one of -4.   A computer program for causing a computer to function as the mail filtering system according to any one of claims 1 to 5. A classification for registering an IP address set for mail classification by extracting the IP address of the mail transmission source included in the mail header of the received mail and searching for the nearest address closest to the extracted IP address by nearest neighbor search In a mail filtering system that calculates a discrimination level for classifying mail received from the nearest address, and classifies the received mail based on the discrimination level, a mail distribution method for advertising mail An information generation method for generating information that can be used to determine appropriateness,
The classification database includes an advertisement-type mail sender database for registering an IP address set of advertisement-type mail senders, and a non-advertisement-type mail transmission for registering an IP address set of non-advertisement-type mail senders. Including the original database,
The information generation method includes:
Performing the nearest neighbor search on each of the advertisement-type mail sender database and the non-advertisement-type mail sender database;
Obtaining a degree of discrimination indicating the likelihood of advertising mail from the nearest address obtained by the nearest neighbor search;
Classifying and registering the IP address extracted from the received mail into either the advertisement-type mail sender database or the non-advertisement-type mail sender database according to the degree of discrimination;
The IP address registered in the advertisement-type mail sender database, a step of force out in association with the user data,
Information generation method. A classification for registering an IP address set for mail classification by extracting the IP address of the mail transmission source included in the mail header of the received mail and searching for the nearest address closest to the extracted IP address by nearest neighbor search In a mail filtering system that calculates a discrimination level for classifying mail received from the nearest address, and classifies the received mail based on the discrimination level, a mail distribution method for advertising mail An information generation method for generating information that can be used to determine appropriateness,
The classification database includes an advertisement-type mail sender database for registering an IP address set of advertisement-type mail senders, and a non-advertisement-type mail transmission for registering an IP address set of non-advertisement-type mail senders. Including the original database,
The information generation method includes:
Registering the advertisement mail sender IP address database separately for each user, a set of IP addresses;
Performing the nearest neighbor search on each of the advertisement-type mail sender database and the non-advertisement-type mail sender database;
Obtaining a degree of discrimination indicating the likelihood of advertising mail from the nearest address obtained by the nearest neighbor search;
Classifying and registering the IP address extracted from the received mail into either the advertisement-type mail sender database or the non-advertisement-type mail sender database according to the degree of discrimination;
Outputting the set of IP addresses registered in the advertisement-type mail sender database as information that can be used to determine the appropriateness of the mail delivery method of the advertisement-type mail;
Information generation method.

Images