JP6322443B2 - TRACKING SYSTEM, TRACKING METHOD, AND COMPUTER PROGRAM - Google Patents

Description

  The present invention relates to a technique for tracking file distribution.

  Conventionally, information is transmitted using electronic mail (hereinafter referred to as “mail”). The user of the mail can send an electronic file attached to the mail body describing the text information. In recent years, information leakage due to electronic files attached to e-mails (hereinafter referred to as “attached files”) has become a problem, and a method for tracking the distribution of attached files has been proposed (for example, see Patent Document 1). .)

JP 2012-73933 A

However, there is a problem that it is impossible to track what operation the recipient of the mail has performed on the attached file of the sent mail.
In view of the above circumstances, the present invention provides a tracking system that enables tracking of an operation performed by a mail recipient on an attached file of a transmitted mail.

  One aspect of the present invention is a tracking system including a mail terminal that transmits and receives mail, a mail server that relays mail to a destination mail terminal, and an analysis device that acquires logs from the mail terminal and the mail server. The mail terminal includes an output unit that outputs to the log information for identifying sent / received mail and information indicating what operation has been performed on the attached file of the received mail. The mail server includes an output unit that outputs information for identifying the relayed mail to a log, and the analysis device uses the log acquired from the mail terminal and the mail server in the mail terminal. The tracking system includes an analysis unit that identifies what operation has been performed on the attached file to be tracked.

  One aspect of the present invention is the tracking system described above, in which the output unit of the mail terminal further includes information regarding a file attached to the mail and information for identifying the mail with the file attached. It is a tracking system that outputs to a log.

  One aspect of the present invention is performed by a tracking system including a mail terminal that transmits and receives mail, a mail server that relays mail to a destination mail terminal, and an analysis device that acquires logs from the mail terminal and the mail server. A tracking method, in which the mail terminal outputs information for identifying sent / received mail and information indicating what operation has been performed on an attached file of the received mail to a log An output step, an output step in which the mail server outputs information for identifying the relayed mail to a log, and the analysis device is configured to output the mail based on the logs acquired from the mail terminal and the mail server. An analysis step for identifying what operation has been performed on the attached file to be tracked on the terminal. .

  One embodiment of the present invention is a computer program for causing a computer to function as the tracking system.

  One aspect of the present invention includes an output unit that outputs information for identifying sent / received mail and information indicating what operation has been performed on an attached file of the received mail to a log. , A mail terminal.

  One aspect of the present invention is the mail terminal described above, wherein the output unit further outputs, in a log, information about a file attached to the mail and information for identifying the mail attached with the file. It is a mail terminal.

  According to one embodiment of the present invention, a mail terminal outputs information for identifying transmitted / received mail and information indicating what operation has been performed on an attached file of the received mail to a log. A log output method having an output step.

  One embodiment of the present invention is a computer program for causing a computer to function as the mail terminal.

  One embodiment of the present invention is a mail server including an output unit that outputs information for identifying relayed mail to a log.

  One aspect of the present invention is a log output method including an output step in which a mail server outputs information for identifying relayed mail to a log.

  One embodiment of the present invention is a computer program for causing a computer to function as the mail server.

  According to the present invention, it is possible to trace what operation the recipient of the mail has performed on the attached file of the sent mail.

A system configuration figure showing a system configuration of tracking system 1 of an embodiment. Schematic which shows a mode that an attached file distribute | circulates a distribution channel. The functional block diagram which shows the function structure of the transmission terminal 2. FIG. FIG. 3 is a functional block diagram showing a functional configuration of the receiving terminal 3. FIG. 3 is a functional block diagram showing a functional configuration of an outgoing mail server 4. The functional block diagram which shows the function structure of the incoming mail server 5. FIG. 6 is a flowchart showing a process flow of a log output unit 25 in the transmission terminal 2. 6 is a flowchart showing a processing flow of a log output unit 35 in the receiving terminal 3. 7 is a flowchart showing a processing flow of a log output unit 44 in the outgoing mail server 4. 7 is a flowchart showing a process flow of a log output unit 54 in the received mail server 5. The figure which shows the specific example of the transmission terminal log 233 output in the file attachment process of the transmission terminal 2. FIG. The figure which shows the specific example of the transmission terminal log 233 output in the mail transmission process of the transmission terminal 2. FIG. The figure which shows the specific example of the transmission server log 423 output in the mail reception process of the transmission mail server 4. FIG. The figure which shows the specific example of the transmission server log 423 output in the mail transfer process of the transmission mail server 4. FIG. The figure which shows the specific example of the receiving server log 523 output in the mail reception process of the receiving mail server 5. FIG. The figure which shows the specific example of the receiving server log 523 output in the mail delivery process of the receiving mail server 5. FIG. The figure which shows the specific example of the receiving terminal log 333 output in the mail reception process of the receiving terminal 3. FIG. The figure which shows the specific example of the receiving terminal log 333 output in the preservation | save process of the attached file of the receiving terminal 3. 7 is a flowchart showing a specific example of processing of the log analysis device 6; Schematic which shows the mode of distribution of the attached file analyzed by the log analysis apparatus 6. FIG.

FIG. 1 is a system configuration diagram illustrating a system configuration of a tracking system 1 according to the embodiment.
The transmission terminal 2 and the reception terminal 3 are mail terminals that transmit and receive mail using protocols such as POP (Post Office Protocol), SMTP (Simple Mail Transfer Protocol), and IMAP (Internet Message Access Protocol). In this embodiment, in order to simplify the explanation, it is assumed that the transmission terminal 2 is a terminal whose user transmits an email to the user of the reception terminal 3. Further, it is assumed that the receiving terminal 3 is a terminal that receives the mail transmitted from the user of the transmitting terminal 2 by the user.

The transmission terminal 2 communicates with the transmission mail server 4 and transmits a mail addressed to the user of the reception terminal 3. The transmission terminal 2 records information regarding file attachment processing and mail transmission in a log. The transmission terminal 2 communicates with the log analysis device 6 and transmits a log.
The receiving terminal 3 communicates with the received mail server 5 and receives mail transmitted from the transmitting terminal 2. The receiving terminal 3 records information related to mail reception and attached file storage processing in a log. The receiving terminal 3 communicates with the log analysis device 6 and transmits a log.

  The transmission mail server 4 and the reception mail server 5 are mail servers that receive mail transmitted from a user terminal and relay the mail to a destination user. When the mail address of the received mail belongs to its own domain, the mail server holds the received mail in its own server and transmits the mail in response to a request from the user of the mail address. Further, when the mail address of the received mail does not belong to its own domain, the mail server transfers the mail to the mail server of the destination domain.

  In this embodiment, in order to simplify the description, it is assumed that the outgoing mail server 4 is a mail server in a domain to which the user's mail account of the sending terminal 2 belongs. For example, the outgoing mail server 4 is an SMTP server. The received mail server 5 is assumed to be a mail server in the domain to which the mail account of the user of the receiving terminal 3 belongs. For example, the incoming mail server 5 is a POP server.

  The transmission mail server 4 communicates with the transmission terminal 2 and receives the mail transmitted from the transmission terminal 2. The outgoing mail server 4 communicates with the incoming mail server 5 and transfers the received mail to the incoming mail server 5. The outgoing mail server 4 records information on mail reception and mail transfer in a log. The transmission mail server 4 communicates with the log analysis device 6 and transmits a log.

  The incoming mail server 5 communicates with the outgoing mail server 4 and receives the mail transferred by the outgoing mail server 4. The received mail server 5 communicates with the receiving terminal 3 and transmits mail in response to a mail reception request from the receiving terminal 3. The received mail server 5 records information related to mail reception and mail transmission in a log. The received mail server 5 communicates with the log analysis device 6 and transmits a log.

The log analysis device 6 communicates with the transmission terminal 2, the reception terminal 3, the transmission mail server 4, and the reception mail server 5, and acquires a log from each device. The log analysis device 6 can identify how the attached file was distributed in the distribution route and what operation was performed on the attached file by analyzing the acquired logs of each device. An analysis unit that generates various information is provided. The distribution channel refers to a terminal or a mail server that has transmitted / received or transferred mail using a mail protocol such as SMTP, POP, or IMAP.
Note that as a method for realizing the above-described analysis unit, a method disclosed in Japanese Patent Application Laid-Open No. 2012-238113 or Japanese Patent Application Laid-Open No. 2013-161288 may be used.

FIG. 2 is a schematic diagram showing a state in which the attached file is distributed through the distribution route.
FIG. 2 shows how the attached file is distributed through the distribution route by the mail processing described in FIG. The mail process is a series of processes in mail transmission / reception such as file attachment to mail, mail transmission, transfer and reception. The mail processing shown in FIG. 2 is performed in time series from the top, whereby mail is transmitted and received between the transmission terminal 2 and the reception terminal 3. The diagrams described in the columns of the transmission terminal, the transmission mail server, the reception mail server, and the reception terminal are diagrams showing processing performed by each device for the attached file in the corresponding mail processing. The processing described in the file processing column is a type of file processing corresponding to mail processing when a series of mail processing is regarded as file processing such as moving or copying.

  An arrow A1 indicates that the sending terminal 2 has attached the file F1 to the mail and generated the attached file F2. An arrow A1 indicates that, for example, the file F1 is copied to a predetermined area used by the mail transmission program by the mail transmission program. Therefore, when this mail process is regarded as a file process, it can be regarded as a copy process in which the copy source is the file F1 and the copy destination is the attached file F2.

  An arrow A2 indicates that the mail with the attached file F2 is transmitted to the transmission mail server 4. The transmission mail server 4 receives the mail transmitted by the transmission terminal 2, and holds the mail attachment file as the attachment file F3. The attached file F2 is held in the transmission terminal 2 even after the mail is transmitted. This represents, for example, a case where the mail transmission program of the transmission terminal 2 holds a transmitted mail. Therefore, when this mail process is regarded as a file process, it can be regarded as a copy process in which the copy source is the attached file F2 and the copy destination is the attached file F3.

  An arrow A3 indicates that the mail with the attached file F3 is transferred to the received mail server 5. The incoming mail server 5 receives the mail transferred from the outgoing mail server 4, and holds the attached file of the mail as the attached file F4. The attached file F3 indicated by the broken line indicates that the mail is deleted after being transferred. Therefore, when this mail process is regarded as a file process, it can be regarded as a move process in which the move source is the attached file F3 and the move destination is the attached file F4.

  An arrow A4 indicates that the mail with the attached file F4 is received by the receiving terminal 3. The receiving terminal 3 holds an attached file of the received mail as an attached file F5. The arrow A4 indicates that, for example, the attached file F5 of the received mail is stored in a predetermined area used by the mail receiving program by the mail receiving program. The attached file F4 indicated by a broken line represents that the mail is deleted after the mail is received by the receiving terminal 3. Therefore, when this mail process is regarded as a file process, it can be regarded as a move process in which the move source is the attached file F4 and the move destination is the attached file F5.

  An arrow A5 indicates that the reception terminal 3 has acquired the attached file F5 of the received mail and generated the file F6. An arrow A5 indicates that, for example, the attached file F5 held in a predetermined area used by the mail transmission program has been copied to another area. Therefore, when this mail process is regarded as a file process, the copy source can be regarded as a copy process with the attached file F5 and the copy destination as the file F6.

As described above, the processing for the attached file of each terminal and the mail server in the transmission / reception of mail can be regarded as file processing (processing such as copying and moving) for the attached file.
Note that the processing for the attached file in the mail processing in FIG. 2 is shown for a typical pattern for the sake of simplicity. The process for the attached file may be a different pattern from that in FIG. 2. For example, the receiving terminal 3 may leave the received mail in the received mail server 5. In that case, the mail receiving process of the receiving terminal 3 can be regarded as a copy process in which the copy source is the attached file F4 and the copy destination is the attached file F5. Further, for example, in the case of mail reception by IMAP, since the received mail is held in the mail server 5, it can be regarded as a copy process in the same manner as described above.

FIG. 3 is a functional block diagram illustrating a functional configuration of the transmission terminal 2.
The transmission terminal 2 includes a CPU (Central Processing Unit), a memory, an auxiliary storage device, and the like connected by a bus, and executes a transmission terminal program. The transmission terminal 2 functions as a device including the input unit 21, the communication unit 22, the storage unit 23, the transmission terminal control unit 24, and the log output unit 25 by executing the transmission terminal program.
Note that all or part of the functions of the transmission terminal 2 may be realized by using hardware such as an application specific integrated circuit (ASIC), a programmable logic device (PLD), or a field programmable gate array (FPGA). The transmission terminal program may be recorded on a computer-readable recording medium. The computer-readable recording medium is, for example, a portable medium such as a flexible disk, a magneto-optical disk, a ROM, a CD-ROM, or a storage device such as a hard disk built in the computer system. The transmission terminal program may be transmitted via a telecommunication line.

  The input unit 21 is configured using a communication interface such as a serial interface. The input unit 21 acquires information input by a user operation and outputs the information to the transmission terminal control unit 24. The user's operation is, for example, an operation such as creating a mail, attaching a file to the mail, or sending a mail.

  The communication unit 22 is configured using a communication interface such as a LAN (Local Area Network). The communication unit 22 communicates with the outgoing mail server 4.

  The storage unit 23 is configured using a storage device such as a magnetic hard disk device or a semiconductor storage device. The storage unit 23 stores mail data 231, an attached file 232, and a transmission terminal log 233. The mail data 231 is text data including information such as a mail text input by a user and a destination address. The attached file 232 is an attached file that is attached to the mail data 231 and transmitted. The attached file 232 is generated by selecting a file to be attached by the user. The transmission terminal log 233 is a log file in which information regarding file attachment processing and mail transmission in the transmission terminal 2 is recorded. The transmission terminal log 233 is generated by the log output unit 25.

  The transmission terminal control unit 24 is a mail transmission program that connects to the transmission mail server 4 and performs mail transmission using a protocol such as SMTP. The transmission terminal control unit 24 generates mail data 231 and an attached file 232 according to the user's operation. The transmission terminal control unit 24 transmits the mail data 231 and the attached file 232 to the mail address of the user of the reception terminal 3.

The log output unit 25 monitors the mail processing of the transmission terminal control unit 24. The log output unit 25 acquires information on mail processing such as file attachment and mail transmission performed by the transmission terminal control unit 24 from the transmission terminal control unit 24 by monitoring the mail processing.
For example, the log output unit 25 acquires information on the path and file name of the file selected as the attached file. Further, for example, the log output unit 25 acquires the path and file name information of the attached file 232 generated (copied) by the transmission terminal control unit 24 based on the selected file. Further, for example, the log output unit 25 acquires identification information of mail transmitted / received between the transmission terminal 2 and the transmission mail server 4. The mail identification information is, for example, information such as Message-ID.

  In the present embodiment, the log output unit 25 operates as a plug-in of the mail transmission program (transmission terminal control unit 24). Therefore, the log output unit 25 can communicate with the transmission terminal control unit 24 and acquire information regarding mail processing that the transmission terminal control unit 24 has. The mode of the log output unit 25 is not limited to the plug-in of the mail transmission program (transmission terminal control unit 24). For example, the log output unit 25 may monitor the mail processing of the transmission terminal control unit 24 by monitoring a log output by the mail transmission program (transmission terminal control unit 24).

The log output unit 25 outputs the information acquired from the transmission terminal control unit 24 to the log as tracking information.
The tracking information is information necessary for the log analysis device 6 to track the distribution of the attached file by sending and receiving mail. The tracking information includes time information, file information, transmission source information, transmission destination information, internal transaction information, and external transaction information. The time information is information representing the date and time when the file processing was performed. The file information is information for identifying the attached file. The file information is, for example, file path information including a file name. The sender information is information for identifying the sender of the mail. The transmission source information is information such as an IP (Internet Protocol) address of the own apparatus, for example. The destination information is information for identifying the destination of the mail. In the transmission terminal 2, the transmission destination of the mail is the transmission mail server 4. The transmission destination information is information such as the IP address of the transmission mail server 4, for example. In addition to the above information, the tracking information may include information on the program that performed the mail processing, information for identifying the user who input the operation, and the like.

The internal transaction information is identification information for associating file processing with an attached file. By recording the internal transaction information, the log analysis apparatus 6 can associate the file attachment processing performed in the terminal with the mail transmission processing.
The external transaction information is identification information for associating mail transmission / reception processing between each terminal and the mail server. By recording the external transaction information, the log analysis device 6 can associate the mail transmission / reception processing recorded in the log of the own device by each terminal and the mail server.

FIG. 4 is a functional block diagram showing a functional configuration of the receiving terminal 3.
The receiving terminal 3 includes a CPU, a memory, an auxiliary storage device, and the like connected by a bus, and executes a receiving terminal program. The receiving terminal 3 functions as a device including the input unit 31, the communication unit 32, the storage unit 33, the receiving terminal control unit 34, and the log output unit 35 by executing the receiving terminal program.
Note that all or part of the functions of the receiving terminal 3 may be realized using hardware such as an ASIC, PLD, or FPGA. The receiving terminal program may be recorded on a computer-readable recording medium. The computer-readable recording medium is, for example, a portable medium such as a flexible disk, a magneto-optical disk, a ROM, a CD-ROM, or a storage device such as a hard disk built in the computer system. The receiving terminal program may be transmitted via a telecommunication line.

  The input unit 31 is configured using a communication interface such as a serial interface. The input unit 31 acquires information input by a user's operation and outputs it to the receiving terminal control unit 34. The user operation is, for example, an operation such as receiving a mail or saving an attached file.

The communication unit 32 is configured using a communication interface such as a LAN. The communication unit 32 communicates with the received mail server 5.
The storage unit 33 is configured using a storage device such as a magnetic hard disk device or a semiconductor storage device. The storage unit 33 stores mail data 331, an attached file 332, and a receiving terminal log 333. The mail data 331 is a mail acquired from the received mail server 5. The attached file 332 is an attached file of the mail data 331 acquired from the received mail server 5. The reception terminal log 333 is a log file in which information related to mail reception and attachment file storage processing at the reception terminal 3 is recorded. The receiving terminal log 333 is generated by the log output unit 35.

  The receiving terminal control unit 34 is a mail receiving program that connects to the received mail server 5 and receives mail using a protocol such as POP. The receiving terminal control unit 34 acquires the mail data 331 and the attached file 332 from the received mail server 5 in accordance with a user operation. Further, the receiving terminal control unit 34 stores the attached file 332 in an area designated by the user in accordance with the user's operation.

The log output unit 35 monitors the mail processing of the receiving terminal control unit 34. The log output unit 35 acquires, from the receiving terminal control unit 34, information related to mail processing such as mail reception performed by the receiving terminal control unit 34 and storage of attached files by monitoring the mail processing.
In the present embodiment, the log output unit 35 operates as a plug-in of the mail receiving program (receiving terminal control unit 34). Therefore, the log output unit 35 can communicate with the receiving terminal control unit 34 and acquire information regarding mail processing that the receiving terminal control unit 34 has. The mode of the log output unit 35 is not limited to the plug-in of the mail receiving program (receiving terminal control unit 34). For example, the log output unit 35 may monitor the mail processing of the receiving terminal control unit 34 by monitoring a log output by the mail receiving program (receiving terminal control unit 34).
The log output unit 35 outputs the information acquired from the receiving terminal control unit 34 to the log as tracking information.

FIG. 5 is a functional block diagram showing a functional configuration of the outgoing mail server 4.
The transmission mail server 4 includes a CPU, a memory, an auxiliary storage device, and the like connected by a bus, and executes a transmission server program. The transmission mail server 4 functions as a device including the communication unit 41, the storage unit 42, the transmission server control unit 43, and the log output unit 44 by executing the transmission server program.
All or some of the functions of the outgoing mail server 4 may be realized using hardware such as an ASIC, PLD, or FPGA. The transmission server program may be recorded on a computer-readable recording medium. The computer-readable recording medium is, for example, a portable medium such as a flexible disk, a magneto-optical disk, a ROM, a CD-ROM, or a storage device such as a hard disk built in the computer system. The transmission server program may be transmitted via a telecommunication line.

  The communication unit 41 is configured using a communication interface such as a LAN. The communication unit 41 communicates with the transmission terminal 2.

  The storage unit 42 is configured using a storage device such as a magnetic hard disk device or a semiconductor storage device. The storage unit 42 stores mail data 421, an attached file 422, and a transmission server log 423. The mail data 421 is mail data generated by receiving a mail transmitted from the transmission terminal 2 by the transmission mail server 4. The attached file 422 is an attached file of the mail data 421. The transmission server log 423 is a log file in which information related to mail transfer processing in the transmission mail server 4 is recorded. The transmission server log 423 is generated by the log output unit 44.

  The transmission server control unit 43 is a transmission mail server program that receives a mail transmission request from the transmission terminal 2 using a protocol such as SMTP. The transmission server control unit 43 receives the mail data 421 and the attached file 422 transmitted from the transmission terminal 2. The transmission server control unit 43 transfers the received mail data 421 and the attached file 422 to the reception mail server 5.

The log output unit 44 monitors the mail processing of the transmission server control unit 43. The log output unit 44 acquires, from the transmission server control unit 43, information related to mail processing such as mail reception and mail transfer performed by the transmission server control unit 43 by monitoring the mail processing.
In this embodiment, the log output unit 44 operates as a plug-in of the transmission mail server program (transmission server control unit 43). Therefore, the log output unit 44 can communicate with the transmission server control unit 43 and acquire information regarding mail processing that the transmission server control unit 43 has. The mode of the log output unit 44 is not limited to the plug-in of the transmission mail server program (transmission server control unit 43). For example, the log output unit 44 may monitor the mail processing of the transmission server control unit 43 by monitoring a log output by the transmission mail server program (transmission server control unit 43).
The log output unit 44 outputs information acquired from the transmission server control unit 43 to the log as tracking information.

FIG. 6 is a functional block diagram showing a functional configuration of the received mail server 5.
The reception mail server 5 includes a CPU, a memory, an auxiliary storage device, and the like connected by a bus, and executes a reception server program. The reception mail server 5 functions as a device including the communication unit 51, the storage unit 52, the reception server control unit 53, and the log output unit 54 by executing the reception server program.
All or some of the functions of the incoming mail server 5 may be realized using hardware such as an ASIC, PLD, or FPGA. The reception server program may be recorded on a computer-readable recording medium. The computer-readable recording medium is, for example, a portable medium such as a flexible disk, a magneto-optical disk, a ROM, a CD-ROM, or a storage device such as a hard disk built in the computer system. The receiving server program may be transmitted via a telecommunication line.

  The communication unit 51 is configured using a communication interface such as a LAN. The communication unit 51 communicates with the receiving terminal 3.

  The storage unit 52 is configured using a storage device such as a magnetic hard disk device or a semiconductor storage device. The storage unit 52 stores mail data 521, an attached file 522, and a reception server log 523. The mail data 521 is a mail transferred from the transmission mail server 4. The attached file 522 is an attached file of the mail data 521 transferred from the transmission mail server 4. The reception server log 523 is a log file in which information regarding reception of forwarded mail and transmission of mail in the reception mail server 5 is recorded. The reception server log 523 is generated by the log output unit 54.

  The receiving server control unit 53 is a received mail server program that receives a mail reception request of the receiving terminal 3 using a protocol such as POP. The reception server control unit 53 receives the mail data 521 and the attached file 522 transferred from the transmission mail server 4. The receiving server control unit 53 transmits the received mail data 521 and the attached file 522 to the receiving terminal 3 in response to a mail receiving request from the receiving terminal 3.

The log output unit 54 monitors the mail processing of the receiving server control unit 53. The log output unit 54 acquires, from the reception server control unit 53, information related to mail processing such as mail reception and mail transmission performed by the reception server control unit 53 by monitoring the mail processing.
In the present embodiment, the log output unit 54 operates as a plug-in of the received mail server program (receiving server control unit 53). Therefore, the log output unit 54 can communicate with the receiving server control unit 53 and acquire information regarding mail processing that the receiving server control unit 53 has. The mode of the log output unit 54 is not limited to the plug-in of the received mail server program (receiving server control unit 53). For example, the log output unit 54 may monitor the mail processing of the reception server control unit 53 by monitoring a log output by the reception mail server program (reception server control unit 53).
The log output unit 54 outputs the information acquired from the reception server control unit 53 to the log as tracking information.

FIG. 7 is a flowchart showing a flow of processing of the log output unit 25 in the transmission terminal 2.
First, the log output unit 25 monitors the processing of the transmission terminal control unit 24 (step S101). Next, the log output unit 25 determines whether or not mail processing has occurred in the processing of the transmission terminal control unit 24 (step S102). When mail processing has not occurred (step S102—NO), the log output unit 25 returns to step S101 and repeats monitoring of the transmission terminal control unit 24.

  On the other hand, when mail processing has occurred (step S102—YES), the log output unit 25 determines the type of mail processing that has occurred (step S103). When the mail processing type is file attachment processing (step S103—file attachment), the log output unit 25 adds internal transaction information to the processing (step S104).

  The given internal transaction information is information that associates the file attachment process in the transmission terminal 2 with the mail transmission process to which the file is attached. The internal transaction information may be generated by any method as long as it is unique information for each file attachment process in the transmission terminal 2. The internal transaction information may be acquired from the transmission terminal control unit 24, or may be generated by the log output unit 25 based on information obtained from the processing content of the transmission terminal control unit 24. The internal transaction information is held by the log output unit 25 until a mail with a file attached is transmitted by the processing.

  Next, the log output unit 25 acquires time information (step S105). The log output unit 25 acquires the file information of the attachment file to be processed from the transmission terminal control unit 24 (step S106). The log output unit 25 outputs the acquired internal transaction information, time information, and file information to the log as tracking information (step S107).

  On the other hand, when the mail processing type is mail transmission in step S103 (step S103-mail transmission), the log output unit 25 determines whether or not a file is attached to the transmission mail (step S108). When a file is not attached to the transmission mail (step S108—NO), the log output unit 25 returns to step S101 and repeats monitoring of the transmission terminal control unit 24. On the other hand, when a file is attached to the transmission mail (step S108-YES), the log output unit 25 acquires transmission destination information from the transmission terminal control unit 24 (step S109). The log output unit 25 acquires external transaction information from the transmission terminal control unit 24 (step S110). In this embodiment, the Message-ID assigned to the mail is used for the external transaction information. The log output unit 25 acquires internal transaction information given to the attachment process of the attached file (step S111). The log output unit 25 acquires time information (step S112). The log output unit 25 acquires the file information of the attachment file to be processed from the transmission terminal control unit 24 (step S113). The log output unit 25 outputs the acquired transmission destination information, external transaction information, internal transaction information, time information, and file information to the log as tracking information (step S114).

FIG. 8 is a flowchart showing the flow of processing of the log output unit 35 in the receiving terminal 3.
First, the log output unit 35 monitors the processing of the receiving terminal control unit 34 (step S201). Next, the log output unit 35 determines whether or not mail processing has occurred in the processing of the receiving terminal control unit 34 (step S202). When mail processing has not occurred (step S202—NO), the log output unit 35 returns to step S201 and repeats monitoring of the receiving terminal control unit 34.

  On the other hand, when mail processing has occurred (step S202—YES), the log output unit 35 determines the type of mail processing that has occurred (step S203). When the mail processing type is an attachment file saving process (step S203—file saving), the log output unit 35 adds internal transaction information to the process (step S204).

  The given internal transaction information is information that associates the file storage process in the receiving terminal 3 with the mail receiving process to which the file is attached. In the present embodiment, the Message-ID assigned to the received mail is used as the internal transaction information in the attached file saving process.

  Next, the log output unit 35 acquires time information (step S205). The log output unit 35 acquires the file information of the attachment file to be processed from the receiving terminal control unit 34 (step S206). The log output unit 35 outputs the acquired internal transaction information, time information, and file information to the log as tracking information (step S207).

  On the other hand, when the mail processing type is mail reception in step 203 (step S203-mail reception), the log output unit 35 determines whether or not a file is attached to the received mail (step S208). If no file is attached to the outgoing mail (step S208—NO), the log output unit 35 returns to step S201 and repeats monitoring by the receiving terminal control unit 34. On the other hand, when the file is attached to the received mail (step S208—YES), the log output unit 35 acquires the transmission source information from the receiving terminal control unit 34 (step S209). The log output unit 35 acquires external transaction information from the receiving terminal control unit 34 (step S210). In this embodiment, the Message-ID assigned to the mail is used for the external transaction information. The log output unit 35 acquires internal transaction information from the receiving terminal control unit 34 (step S211). In this embodiment, the Message-ID assigned to the mail is used for internal transaction information. The log output unit 35 acquires time information (step S212). The log output unit 35 acquires the file information of the attachment file to be processed from the receiving terminal control unit 34 (step S213). The log output unit 35 outputs the acquired transmission source information, external transaction information, internal transaction information, time information, and file information to the log as tracking information (step S214).

FIG. 9 is a flowchart showing the flow of processing of the log output unit 44 in the outgoing mail server 4.
First, the log output unit 44 monitors the processing of the transmission server control unit 43 (step S301). Next, the log output unit 44 determines whether or not mail processing has occurred in the processing of the transmission server control unit 43 (step S302). When mail processing has not occurred (step S302—NO), the log output unit 44 returns to step S301 and repeats monitoring of the transmission server control unit 43.

  On the other hand, when mail processing occurs (step S302—YES), the log output unit 44 determines whether a file is attached to the mail to be processed (step S303). When no file is attached to the mail to be processed (step S303—NO), the log output unit 44 returns to step S301 and repeats monitoring of the transmission server control unit 43. On the other hand, when a file is attached to the mail to be processed (step S303: YES), the log output unit 44 determines whether the mail processing type is mail reception or mail transfer (step S304). When the mail processing type is mail reception (step S304-mail reception), the log output unit 44 acquires the transmission source information from the transmission server control unit 43 (step S305). The log output unit 44 acquires time information (step S306). The log output unit 44 acquires the file information of the attachment file to be processed from the transmission server control unit 43 (step S307). The log output unit 44 acquires external transaction information from the transmission server control unit 43 (step S308). In this embodiment, the Message-ID assigned to the mail is used for the external transaction information. The log output unit 44 outputs the acquired transmission source information, time information, file information, and external transaction information to the log as tracking information (step S309).

  On the other hand, when the type of mail processing is mail transfer in step S304 (step S-mail transfer), the log output unit 44 acquires transfer destination information from the transmission server control unit 43 (step S310). The log output unit 44 acquires time information (step S311). The log output unit 44 acquires the file information of the attachment file to be processed from the transmission server control unit 43 (step S312). The log output unit 44 acquires external transaction information from the transmission server control unit 43 (step S313). In this embodiment, the Message-ID assigned to the mail is used for the external transaction information. The log output unit 44 outputs the acquired transfer destination information, time information, file information, and external transaction information to the log as tracking information (step S314).

FIG. 10 is a flowchart showing the flow of processing of the log output unit 54 in the received mail server 5.
First, the log output unit 54 monitors the processing of the reception server control unit 53 (step S401). Next, the log output unit 54 determines whether mail processing has occurred in the processing of the receiving server control unit 53 (step S402). When mail processing has not occurred (step S402—NO), the log output unit 54 returns to step S401 and repeats monitoring of the reception server control unit 53.

  On the other hand, when mail processing has occurred (YES in step S402), the log output unit 54 determines whether a file is attached to the mail to be processed (step S403). When a file is not attached to the mail to be processed (step S403—NO), the log output unit 54 returns to step S401 and repeats monitoring of the reception server control unit 53. On the other hand, when a file is attached to the mail to be processed (step S403-YES), the log output unit 54 determines whether the mail processing type is mail reception or mail transmission (step S404). When the type of mail processing is mail reception (step S404-mail reception), the log output unit 54 acquires transmission source information from the reception server control unit 53 (step S405). The log output unit 54 acquires time information (step S406). The log output unit 54 acquires the file information of the attachment file to be processed from the reception server control unit 53 (step S407). The log output unit 54 acquires external transaction information from the receiving server control unit 53 (step S408). In this embodiment, the Message-ID assigned to the mail is used for the external transaction information. The log output unit 54 outputs the acquired transmission source information, time information, file information, and external transaction information to the log as tracking information (step S409).

  On the other hand, if the type of mail processing is mail transmission in step S404 (step S404-mail transmission), the log output unit 54 obtains transmission destination information from the reception server control unit 53 (step S404). S410). The log output unit 54 acquires time information (step S411). The log output unit 54 acquires the file information of the attachment file to be processed from the reception server control unit 53 (step S412). The log output unit 54 acquires external transaction information from the receiving server control unit 53 (step S413). In this embodiment, the Message-ID assigned to the mail is used for the external transaction information. The log output unit 54 outputs the acquired transfer destination information, time information, file information, and external transaction information to the log as tracking information (step S414).

FIG. 11 is a diagram illustrating a specific example of the transmission terminal log 233 output in the file attachment process of the transmission terminal 2.
The transmission terminal log 233-1 is time information acquired in step S105 of FIG. The transmission terminal log 233-2 is internal transaction information acquired in step S104 in FIG. The transmission terminal log 233-3 is the file information acquired in step S106 of FIG.

FIG. 12 is a diagram illustrating a specific example of the transmission terminal log 233 output in the mail transmission process of the transmission terminal 2.
The transmission terminal log 233-4 is time information acquired in step S212 of FIG. The transmission terminal log 233-5 is internal transaction information acquired in step S211 of FIG. The transmission terminal log 233-6 is the external transaction information acquired in step S210 of FIG. The transmission terminal log 233-7 is the transmission destination information acquired in step S109 in FIG. The transmission terminal log 233-8 is the file information acquired in step S113 in FIG.

FIG. 13 is a diagram illustrating a specific example of the transmission server log 423 output in the mail reception process of the transmission mail server 4.
The transmission server log 423-1 is time information acquired in step S306 in FIG. The transmission server log 423-2 is external transaction information acquired in step S308 of FIG. The transmission server log 423-3 is the transmission source information acquired in step S305 of FIG. The transmission server log 423-4 is the file information acquired in step S307 in FIG.

FIG. 14 is a diagram showing a specific example of the transmission server log 423 output in the mail transfer process of the transmission mail server 4.
The transmission server log 423-5 is time information acquired in step S311 of FIG. The transmission server log 423-6 is the external transaction information acquired in step S313 in FIG. The transmission server log 423-7 is the transfer destination information acquired in step S310 of FIG. The transmission server log 423-8 is the file information acquired in step S312 of FIG.

FIG. 15 is a diagram illustrating a specific example of the reception server log 523 output in the mail reception process of the reception mail server 5.
The reception server log 523-1 is time information acquired in step S406 in FIG. The reception server log 523-2 is the external transaction information acquired in step S408 in FIG. The reception server log 523-3 is the transmission source information acquired in step S405 of FIG. The reception server log 523-4 is the file information acquired in step S407 in FIG.

FIG. 16 is a diagram showing a specific example of the reception server log 523 output in the mail distribution process of the reception mail server 5.
The reception server log 523-1 is time information acquired in step S410 of FIG. The reception server log 523-1 is the external transaction information acquired in step S413 in FIG. The reception server log 523-1 is the transmission destination information acquired in step S410 of FIG. The reception server log 523-1 is the file information acquired in step S412 of FIG.

FIG. 17 is a diagram illustrating a specific example of the receiving terminal log 333 output in the mail receiving process of the receiving terminal 3.
The receiving terminal log 333-1 is time information acquired in step S212 of FIG. The receiving terminal log 333-2 is internal transaction information acquired in step S211 of FIG. The receiving terminal log 333-3 is the external transaction information acquired in step S <b> 210 in FIG. 8. The receiving terminal log 333-4 is the transmission source information acquired in step S209 in FIG. The receiving terminal log 333-5 is the file information acquired in step S213 in FIG.

FIG. 18 is a diagram showing a specific example of the receiving terminal log 313 output in the attached file saving process of the receiving terminal 3.
The receiving terminal log 333-1 is time information acquired in step S205 in FIG. The receiving terminal log 333-2 is internal transaction information acquired in step S204 of FIG. The receiving terminal log 333-3 is the file information acquired in step S <b> 206 in FIG. 8.

  In the tracking system 1 of the embodiment configured as described above, each terminal and the mail server output the tracking information of the attached file to the log in the mail processing of the own device. The tracking information includes transaction information for mail processing performed by each terminal and mail server. Therefore, the user can track how the file attached to the mail was manipulated by the mail recipient by matching the logs of each terminal and mail server based on the transaction information. Become. Further, the user can track how the file attached to the mail is distributed in the distribution route.

  Even if the log of the receiving terminal 3, the log of the outgoing mail server 4, and the log of the incoming mail server 5 cannot be acquired, the user of the tracking system 1 can send at least an email based on the log of the transmitting terminal 2. It becomes possible to specify a mail address of a destination to which the attached file is transmitted.

  Even if the log of the transmission mail server 4 and the log of the reception mail server 5 cannot be acquired, the user of the tracking system 1 can send the transmission terminal log 233 of the transmission terminal 2 and the reception terminal log of the reception terminal 3. By 333, it is possible to estimate the correspondence between the mail transmitted from the transmission terminal 2 and the mail received by the reception terminal 3. For example, based on the time information output to the log, the two may be associated with an approximate probability. Further, for example, identification information unique to a mail such as Message-ID is recorded in a log as external transaction information, so that both are associated one-to-one.

  Further, each terminal and the mail server output the tracking information of the attached file to the log, so that the log analysis device 6 can analyze and visualize the log of each terminal and the mail server. For example, as in the example of FIG. 2, when a series of mail processing is regarded as file processing for an attached file, the log analysis device 6 can be visualized in a manner as shown in the following example.

FIG. 19 is a flowchart illustrating a specific example of processing of the log analysis device 6.
First, the log analysis device 6 acquires logs from the transmission terminal 2, the reception terminal 3, the transmission mail server 4, and the reception mail server 5 (step S501). The log analysis device 6 supplements information based on the type of mail processing recorded in the acquired log. For example, when the mail process is a mail transmission from the transmission terminal 2 to the transmission mail server 4, the log analysis device 6 supplements information on a processing type (copy process) when this mail process is regarded as a file process ( Step S502). Next, the log analysis device 6 combines the log of the file attachment process and the mail transmission process based on the internal transaction information (step S503). Based on the external transaction information, the log analysis device 6 combines logs of mail transmission processing, mail transfer processing, and mail reception processing (step S504).

FIG. 20 is a schematic diagram showing a state of distribution of an attached file analyzed by the log analysis device 6.
When the log analysis device 6 performs the processing shown in the example of FIG. 19, the user can represent the distribution of the attached file by sending and receiving mail as file processing like the example of FIG. Therefore, the user can track the distribution of the attached file by sending and receiving mail in combination with the distribution of the file by normal file processing. In the example of FIG. 20, each terminal and mail server on the distribution route are represented as areas for storing files. The attached file circulates in each area by being copied (Copy) or moved (Move) between the areas.

<Modification>
The log information supplementation performed by the log analysis device 6 may be executed in advance in each terminal and mail server.

  You may make it implement | achieve the tracking system 1 in embodiment mentioned above with a computer. In that case, a program for realizing this function may be recorded on a computer-readable recording medium, and the program recorded on this recording medium may be read into a computer system and executed. Here, the “computer system” includes an OS and hardware such as peripheral devices. The “computer-readable recording medium” refers to a storage device such as a flexible medium, a magneto-optical disk, a portable medium such as a ROM and a CD-ROM, and a hard disk incorporated in a computer system. Furthermore, the “computer-readable recording medium” dynamically holds a program for a short time like a communication line when transmitting a program via a network such as the Internet or a communication line such as a telephone line. In this case, a volatile memory inside a computer system serving as a server or a client in that case may be included and a program held for a certain period of time. Further, the program may be a program for realizing a part of the above-described functions, and may be a program capable of realizing the functions described above in combination with a program already recorded in a computer system. You may implement | achieve using programmable logic devices, such as FPGA (Field Programmable Gate Array).

  The embodiment of the present invention has been described in detail with reference to the drawings. However, the specific configuration is not limited to this embodiment, and includes designs and the like that do not depart from the gist of the present invention.

DESCRIPTION OF SYMBOLS 1 ... Tracking system, 2 ... Transmission terminal, 21 ... Input part, 22 ... Communication part, 23 ... Memory | storage part, 231 ... Mail data, 232 ... Attached file, 233 ... Transmission terminal log, 24 ... Transmission terminal control part, 25 ... Log output unit, 3 ... receiving terminal, 31 ... input unit, 32 ... communication unit, 33 ... storage unit, 331 ... mail data, 332 ... attached file, 333 ... receiving terminal log, 34 ... receiving terminal control unit, 35 ... log Output unit, 4 ... transmission mail server, 41 ... communication unit, 42 ... storage unit, 421 ... mail data, 422 ... attached file, 423 ... transmission server log, 43 ... transmission server control unit, 44 ... log output unit, 5 ... Receiving mail server, 51 ... communication unit, 52 ... storage unit, 521 ... mail data, 522 ... attached file, 523 ... receiving server log, 5 ... receiving server control unit, 54 ... log output portion, 6 ... log analyzer

Claims (4)

A tracking system comprising: a mail terminal that transmits and receives mail; a mail server that relays mail to a destination mail terminal; and an analysis device that acquires and analyzes logs related to mail transmission and reception from the mail terminal and the mail server. And
The mail terminal outputs the identification information of the transmitted / received mail, the identification information of the operation performed on the attached file of the mail, and the information associating the transmission / reception of the mail with the operation to a log,
The mail server outputs identification information of the relayed mail to a log,
The analysis device acquires the log from the mail terminal and the mail server , and performs processing for specifying an operation performed on the attached file of the mail in the transmission / reception of the mail based on the acquired log , When the operation is transmission or reception of the mail with the attached file attached, information indicating a processing type in which transmission or reception of the mail is regarded as file processing is supplemented to the result of the processing.
Tracking system. The mail terminal further outputs information on a file attached to the mail to a log.
The tracking system according to claim 1. Performed by a tracking system comprising: a mail terminal that transmits / receives mail; a mail server that relays mail to a destination mail terminal; and an analysis device that acquires and analyzes logs related to mail transmission / reception from the mail terminal and the mail server A tracking method,
The mail terminal outputs to the log identification information of the transmitted / received mail, identification information of an operation performed on the attached file of the mail, and information associating the transmission / reception of the mail with the operation;
The mail server outputting the identification information of the relayed mail to a log;
The analysis device acquires the log from the mail terminal and the mail server, and based on the acquired log, performs processing for specifying an operation performed on the attached file of the mail in the transmission / reception of the mail , When the operation is transmission or reception of the mail with the attached file attached, a step of supplementing the result of the processing with information indicating a processing type assuming transmission or reception of the mail as file processing ;
Having a tracking method.   A computer program for causing a computer to function as the tracking system according to claim 1.

Images