JP6483227B2 - Method and apparatus for determining the risk of fraudulent email - Google Patents

Description

  The present embodiment relates to a method for judging the risk of fraudulent mail and an apparatus therefor.

  The contents described in this part merely provide background information for this embodiment, and do not constitute prior art.

  As the Internet infrastructure expands and develops worldwide, fraud cases through the Internet are increasing, especially security and fraud cases through email. Along with this, safe reception and transmission of e-mail has emerged as an important issue.

  In general, a spam mail management system prevents spam mail by registering the sender's mail address corresponding to the spam mail in a spam list.

  However, this method has the inconvenience that the user who receives the mail must process the reception / deletion decision for all mails. In addition, when a hacker sends a mail using a similar domain address, there is a high possibility that the user will misidentify it as a safe sender, and there is a high probability that a similar domain address cannot be registered in spam mail.

  Therefore, there is a need for a security technique to cope with a hacker's fraud method that transmits a mail using a similar domain that cannot be discerned by the naked eye with a mail address that has been transmitted and received by a user.

  In the present embodiment, the sending domain of the received mail and the customer domain are compared based on the character code value to determine the similarity between the sending domain and the customer domain, and the fraud mail of the received mail is determined based on the determined similarity. The main object is to provide a method for judging the risk of fraudulent e-mails for judging the risk and a device therefor.

  According to one aspect of the present embodiment, in the apparatus for determining the risk of fraudulent mail, a domain extraction unit that acquires a received mail transmitted from a mail server to a recipient and extracts a transmission domain of the received mail; A domain comparison unit that compares the sending domain with at least one customer domain already stored in the contact list and determines the similarity between the sending domain and the customer domain; and the received mail based on the similarity And a risk analysis unit for determining the risk of fraudulent emails. A mail firewall device is provided.

  In addition, according to another aspect of the present embodiment, in a method in which the mail firewall device determines the risk of fraudulent mail, the received mail transmitted from the mail server to the recipient is acquired, and the transmission domain of the received mail is extracted. A domain extracting step of comparing the sending domain with at least one customer domain already stored in a contact list to determine a similarity between the sending domain and the customer domain; A fraud mail risk analysis method comprising: a risk analysis process for determining a fraud mail risk level of the received mail based on the degree.

  Further, according to another aspect of the present embodiment, a domain extraction process of acquiring a received mail transmitted from a mail server to a recipient and extracting a transmission domain of the received mail in a data processing device; and A domain comparison process comparing at least one customer domain already stored in the contact list to determine a similarity between the sending domain and the customer domain; and a fraudulent email of the received mail based on the similarity Provided is a computer-readable recording medium in which a program for implementing a risk analysis process for determining a risk is recorded.

  As described above, according to the present embodiment, the mail firewall device has an effect that it is possible to cope in advance before the recipient is damaged by the fraud mail by judging the risk level of the fraud mail.

  Further, the mail firewall device has an effect that the user can accurately recognize the degree of risk of fraud mail by judging the risk level of fraud mail to a plurality of levels (grades).

  In addition, the mail firewall device has an effect of accurately detecting a similar domain that is difficult for the user to identify with the naked eye.

It is the block diagram which showed the mail firewall system for judging the risk level of the fraud mail which concerns on a present Example. It is the block block diagram which showed schematically the mail firewall apparatus for judging the risk of the fraud mail which concerns on a present Example. 3A and 3B are flowcharts illustrating a method of determining the risk level of fraud mail according to the present embodiment. It is an illustration figure for demonstrating the damage example of fraud mail. It is an illustration for demonstrating the operation | movement which compares a domain in order to judge the risk of the fraud mail which concerns on a present Example. It is the illustration figure which output the judgment result of the fraud mail which concerns on a present Example. FIG. 6 is a block diagram illustrating a schematic configuration of a mail server according to a second embodiment of the present invention. 7 is a flowchart illustrating a mail reception process in a mail server according to a second embodiment of the present invention. 7 is a flowchart illustrating a mail transmission / reception process between a normal sender (sender / sender) and a mail server according to a second embodiment of the present invention. 7 is a table illustrating effective periods corresponding to a sender or mail type according to each second embodiment of the present invention. 7 is a table illustrating effective periods corresponding to a sender or mail type according to each second embodiment of the present invention. 7 is a flowchart illustrating a schematic procedure in which a second mail server according to a second embodiment of the present invention manages a white list by setting a maintenance period based on a mail transmission history of each IP address. It is a sequential diagram showing that an image conversion part transfers fraudulent mail to a receiver. 2 is a diagram illustrating a mail firewall device and an image conversion unit.

  Hereinafter, the present embodiment will be described in detail with reference to the accompanying drawings.

  FIG. 1 is a configuration diagram illustrating a mail firewall system for determining the risk level of fraudulent mail according to the present embodiment.

  The mail firewall system according to the present embodiment includes a first mail server 120 and a mail firewall device 130.

  The first mail server 120 is a device that operates to send and receive e-mail between the sender 110 and the receiver 140, and performs a role of mediating communication between the sender 110 and the receiver 140. To do.

  The first mail server 120 according to the present embodiment performs an operation of transmitting the email transmitted from the sender 110 to the receiver 140 in order to determine the fraud risk of the email received on the receiver 140 side. Although it demonstrates centering, it is not necessarily limited to this.

  Meanwhile, in the present embodiment, the sender 110 and the receiver 140 may be embodied as a sender terminal and a receiver terminal. The sender 110 may be a terminal that transmits an email to the terminal of the receiver 140, and the receiver 140 may be a terminal that receives an email from the terminal of the sender 110. The terminal of the sender 110 and the terminal of the receiver 140 are preferably at least one personal computer (PC), but may be a mobile communication terminal such as a smartphone. The terminal of the sender 110 and the terminal of the receiver 140 may be implemented by various types of terminals configured to be able to send and receive e-mails, and have ordinary knowledge in the related field within the technical scope of the present invention. It may be a terminal selected by those skilled in the art.

  The first mail server 120 that enables e-mail communication between the sender 110 and the receiver 140 is a publicly known and well-known technique, and various persons having ordinary knowledge in the related field may have various techniques. Needless to say, the design can be changed.

  The mail firewall device 130 means a device for preventing a fraud mail from being transmitted to the recipient 140.

  The mail firewall device 130 according to the present embodiment acquires the received mail transmitted from the first mail server 120 to the recipient 140 and determines the degree of risk that the received mail is a fraudulent mail.

  The mail firewall device 130 compares the transmission domain of the received mail with the customer domain already stored in the contact list, determines the similarity between the transmission domain and the customer domain, and the received mail is determined based on the similarity. Determine the risk of fraudulent email.

  In FIG. 1, the mail firewall apparatus 130 may be implemented by the first mail server 120 and a separate apparatus. In such a case, the mail firewall apparatus 130 maintains an existing first mail server that is generally used, A fraudulent email can be detected by being connected between the first mail server and the recipient terminal. Meanwhile, the mail firewall device 130 may be implemented as a single device combined with the first mail server 120. For example, the first mail server 120 may be implemented in the form of hardware such as a mail firewall processing unit (not shown) or software installed in the first mail server 120. The operation of determining the degree of risk that the received mail at the mail firewall device 130 is a fraudulent mail will be described in detail with reference to FIG.

  FIG. 2 is a block diagram schematically illustrating a mail firewall device for determining the risk of fraudulent mail according to the present embodiment.

  The mail firewall apparatus 130 according to the present embodiment includes a domain extraction unit 210, a domain comparison unit 220, a similar character (similar character) DB 222, a body text inspection unit 224, and a risk analysis unit 230. The mail firewall apparatus 130 illustrated in FIG. 2 is related to one embodiment, and all the blocks illustrated in FIG. 2 are not essential components, and are included in the mail firewall apparatus 130 in other embodiments. Some blocks may be added, changed or deleted.

  The domain extraction unit 210 acquires a received mail transmitted from the first mail server 120 to the recipient 140 side, and extracts a transmission domain of the received mail. The transmission domain means a domain area corresponding to the “domain name” in the transmission mail address configured by <user name @ domain name>. For example, <AAA @ KIWONTECH. When the received mail having the outgoing mail address of “com>” is acquired from the first mail server 120, the domain extracting unit 210 performs <KIWONTECH. com> is extracted as a transmission domain.

  Although the domain extraction unit 210 is described as extracting only the domain area, the present invention is not necessarily limited thereto, and the entire transmission mail address including the individual ID area corresponding to the “user name” is set by the user or the administrator. It may be extracted. The domain comparison unit 220 compares the transmission domain with at least one customer domain already stored in the contact list, and determines the similarity between the transmission domain and the customer domain. Here, the contact list means a list including email addresses of a plurality of customers who have already exchanged emails with the recipient 140, and the domain comparison unit 220 includes the email addresses of customers included in the contact list. Is extracted as a customer domain and compared with the sending domain. The contact list may be information already stored in the mail firewall device 130, that is, list information stored in a module such as a contact storage unit (not shown), but is not necessarily limited thereto. The list information may be called from the receiver 140 terminal.

  Hereinafter, an operation of comparing the transmission domain and the customer domain by the domain comparison unit 220 will be described.

  The domain comparison unit 220 compares the transmission domain with the customer domain using a code value for characters. Here, the code value for the character is preferably an ASCII code, but is not necessarily limited thereto, and various types of identification values may be applied as long as the character can be identified.

  The domain comparison unit 220 adds the code values for each of the plurality of characters included in the transmission domain to calculate the transmission domain code total value, and compares the transmission domain code total value with the customer domain code total value. To determine whether the same customer domain as the sending domain exists. In other words, the domain comparison unit 220 compares the code sum value of the transmission domain with the code sum value for each of the customer domains included in the contact list, and has the same code sum value as the code sum value of the transmission domain. If the domain exists, the sending domain and the customer domain are determined to be the same domain. Here, the domain comparison unit 220 preferably calculates the code sum value of each of the customer domains and compares it with the code sum value of the transmission domain. However, the present invention is not necessarily limited thereto, and is already stored in the contact list. The code sum value may be used to compare with the code sum value of the sending domain.

  The domain comparison unit 220 compares the code sum and determines that the transmission domain and the customer domain are the same domain, and does not determine the similarity separately, and the risk analysis unit 230 sets the lowest fraud risk. To be.

  On the other hand, when there is no customer domain having the same code sum as the code sum value of the transmission domain, the domain comparison unit 220 adds the code sum whose difference from the code sum value of the transmission domain in the contact list is less than or equal to the critical value. A customer domain having a value is extracted and the similarity between the sending domain and the extracted customer domain is determined. For example, <KIWONTECH. The code sum value of the transmission domain with respect to com> is 1049, and the domain comparison unit 220 extracts a customer domain whose difference from the code sum value of the transmission domain is 30 (critical value) or less. Here, the critical value can be changed according to the setting of the user or the administrator.

  If there is no customer domain having a code sum value whose difference from the code sum value of the sending domain is less than or equal to a critical value in the contact list, the domain comparison unit 220 newly sets the sending domain according to the content of the body of the received mail In order to register as an e-mail address or a fraud e-mail address, the body text is inspected. Text inspection is processed by the text inspection unit 224.

  On the other hand, the domain comparison unit 220 compares the extracted customer domain and the transmission domain in character units when there is at least one customer domain whose difference from the code sum value of the transmission domain is less than or equal to the critical value. Specifically, the domain comparison unit 220 sequentially compares the character codes constituting the transmission domain and the extracted character codes constituting the customer domain to determine the number of different character pairs. Here, the different character pairs mean two characters that are confirmed to be different by comparing the transmission domain and the extracted customer domain. For example, transmission domain <KlWONTECH. com> and customer domain <KIWONTECH. com>, the different character pair means (l, I). Different character pairs (l, I) include a lowercase letter L (l) and a capital letter eye (I). In addition, the transmission domain <KIWONXXCH. com> and customer domain <KIWONTECH. com>, the different character pairs mean (X, T) and (X, E). Different character pairs (X, T) include uppercase X (X) and uppercase tee (T), and different character pairs (X, E) include uppercase X (X) and uppercase E (E).

  The domain comparison unit 220 determines the similarity between the transmission domain and the extracted customer domain according to the number of different character pairs between the transmission domain and the extracted customer domain. Here, the similarity means a setting value indicating the degree of similarity between the sending domain and the customer domain, and may be set to a plurality of preset grades such as top, top, middle, bottom, bottom, However, the present invention is not necessarily limited thereto, and may be set to a preset numerical level such as a level of 1 to 10.

  The domain comparison unit 220 determines whether two characters constituting different character pairs are similar characters, and determines the similarity based on the number of character pairs made up of similar characters. Here, the similar character means two characters that are difficult to distinguish with the naked eye, and may be a character set by a user's experience or a predefined character.

  The domain comparison unit 220 can determine whether or not different character pairs are similar characters with reference to the similar character DB 222. For example, when different character pairs are already stored in the similar character DB 222, the domain comparison unit 220 can determine that two characters constituting the different character pairs are similar characters.

  According to one embodiment, the domain comparison unit 220 acquires a similar character pair list from the similar character DB 222 to determine whether different character pairs are similar characters, and different character pairs are included in the similar character pair list. You can check whether it is included.

  According to a further embodiment, the domain comparison unit 220 transmits character information for different character pairs to the similar character DB 222, and receives a matching result as to whether or not there is a matched character pair from the similar character DB 222 as a response signal. Thus, whether or not similar characters of different character pairs are acceptable may be determined.

  The domain comparison unit 220 sets the similarity to a higher level (grade) as the number of different character pairs made up of similar characters decreases, and sets the similarity to a lower level (grade) as the number of different character pairs increases. The similarity is set higher because the smaller the number of different character pairs, the more difficult it is to recognize with the naked eye. For example, the domain comparison unit 220 sets the similarity to the “top” grade when there is one different character pair consisting of similar characters, and sets the similarity to the “up” grade when there are two different character pairs. can do. The higher the degree of similarity determined by the number of different character pairs, the higher the risk that the received mail is a fraudulent mail.

  The domain comparison unit 220 preferably sets the degree of similarity within a preset level (grade) range, and the preset level (grade) range can be changed according to the setting of a user or an administrator.

  The similar character DB 222 means a database that stores and manages similar characters. Here, the similar character means two characters that are difficult to recognize the difference with the naked eye, and may be a character set by a user's experience or a predefined character.

  The similar character DB 222 can store similar characters such as (l, I), (l, 1), (m, rn), (O, 0), and the like. May be information that has been input after being determined to be similar, or information that has already been collected from an external device (not shown). (L, I) includes a lower case letter L (l) and a capital letter eye (I), and (l, 1) includes a lower case letter L (l) and the number 1. In addition, (m, rn) includes a lowercase letter M (m) and a lowercase letter R (r) / N (n), and (O, 0) includes an uppercase letter O (O) and the number 0.

  The body inspection unit 224 performs an operation of inspecting the content of the body of the received mail. The text checking unit 224 performs text checking on the received mail when the domain comparing unit 220 does not have a customer domain corresponding to the code sum value of the transmission domain and a predetermined range (the difference between the code sum values is equal to or less than a critical value). .

  As a result of inspecting the content of the text of the received mail, the text checking unit 224 registers the transmission domain of the received mail as a new mail address when it is determined that the mail is safe. On the other hand, as a result of checking the content of the text of the received mail, the text checking unit 224 registers the transmission domain of the received mail as a fraud mail address when it is determined that the mail is not safe.

  The body inspection unit 224 preferably performs the body inspection by determining whether or not there is a word corresponding to the dangerous word / phrase already stored in the body content of the received mail or by determining the body content through text recognition. However, it is not necessarily limited to this.

  The risk analysis unit 230 determines the fraud mail risk level of the received mail based on the similarity determined by the domain comparison unit 220. Here, the risk of fraudulent mail means an estimated value that the received mail is predicted to be fraudulent mail, and may be set to a plurality of preset grades such as top, top, middle, bottom, bottom, etc. However, the present invention is not necessarily limited thereto, and may be set to a preset numerical level such as a level of 1 to 10.

  When the similarity is set to a low level, the risk analysis unit 230 determines that the received mail transmitted to the receiver 140 is a fraud mail. For example, when the degree of similarity is “lower”, the risk analysis unit 230 determines the risk that the received mail is a fraudulent mail as “lower”.

  On the other hand, when the similarity is set to a high level, the risk analysis unit 230 determines that the received mail transmitted to the receiver 140 is a fraud mail. Here, if the risk analysis unit 230 determines that the risk of fraudulent e-mail with respect to the received e-mail is higher than the preset notification standard class or the notification standard numerical value, the risk analysis unit 230 notifies the user or administrator of the first mail server 120. An emergency alert notification message is transmitted so that the received mail is not transmitted to the recipient 140. The emergency alert notification message may include received mail information, a transmission domain, a customer domain similar to the transmission domain, different character pair information, similarity information, risk information, and the like. For example, when the similarity is “upper”, the risk analysis unit 230 determines the risk that the received mail is a fraudulent mail as “upper”. Here, when the notification standard class is set to “medium”, the risk analysis unit 230 transmits an emergency warning notification message for the received mail to the user or administrator of the first mail server 120.

  When there is a transmission domain registered as a new mail address after processing the text inspection, the risk analysis unit 230 sets the risk of the received mail using the transmission domain to the lowest, for example, the “lowest” class can do.

  3A and 3B are flowcharts illustrating a method for determining the risk of fraud mail according to the present embodiment.

  FIG. 3A is a flowchart schematically showing a method for determining the risk of fraudulent mail by the mail firewall device 130.

  The mail firewall device 130 acquires the received mail transmitted from the first mail server 120 to the recipient 140 (S310), and extracts the transmission domain of the received mail (S320). Here, the transmission domain means a domain area corresponding to the “domain name” in the transmission mail address configured by <user name @ domain name>. For example, <AAA @ KIWONTECH. com>, when the received mail having the outgoing mail address of “com>” is acquired from the first mail server 120, the mail firewall device 130 reads <KIWONTECH. com> is extracted as a transmission domain.

  The mail firewall device 130 compares the sending domain with at least one customer domain already stored in the contact list to determine the similarity between the sending domain and the customer domain (S330). Here, the contact list means a list including mail addresses of a plurality of customers who have already exchanged emails with the recipient 140.

  The mail firewall device 130 extracts the domain area of the customer's mail address included in the contact list as a customer domain, compares it with the transmission domain, and determines the similarity between the transmission domain and the customer domain based on the comparison result. Here, the similarity means a setting value indicating the degree of similarity between the sending domain and the customer domain, and may be set to a plurality of preset grades such as top, top, middle, bottom, bottom, However, the present invention is not necessarily limited thereto, and may be set to a preset numerical level such as a level of 1 to 10. The operation of setting the similarity will be described in detail with reference to FIG.

  The mail firewall device 130 determines the fraudulent mail risk level of the received mail based on the similarity (S340). Here, the risk of fraudulent mail means an estimated value predicted that the received mail will be fraudulent mail.

  When the similarity is set to a low level, the mail firewall device 130 determines that the received mail transmitted to the recipient 140 is a fraudulent email at a low level, and when the similarity is set to a high level, the receiver 140 It is judged that the received mail transmitted to is high fraud.

  When the mail firewall device 130 determines that the risk of fraudulent email with respect to the received email is higher than the preset notification standard grade or the notification standard numerical value, an emergency warning notification message is sent to the user or administrator of the first mail server 120. And the received mail is controlled not to be transmitted to the recipient 140.

  In FIG. 3a, it is described that the steps S310 to S340 are executed in order, but this is merely an illustrative explanation of the technical idea of this embodiment, and it is common knowledge in the technical field to which this embodiment belongs. 3 can be executed by changing the order described in FIG. 3a without departing from the essential characteristics of the present embodiment, or one or more of steps S310 to S340 can be performed in parallel. FIG. 3a is not limited to a time-series order because various modifications and variations can be applied to what is executed.

  FIG. 3b is a flowchart specifically subdividing the operations of step S330 and step S340 of FIG. 3a.

  The mail firewall apparatus 130 calculates a code sum value of the transmission domain (S350). The mail firewall device 130 adds up the code values for each of the characters included in the sending domain to calculate the code sum value of the sending domain. Here, the code value for the character is preferably an ASCII code, but is not necessarily limited thereto.

  The mail firewall device 130 compares the code sum value of the transmission domain with the code sum value of the customer domain (S352), and determines whether or not there is a customer domain having the same code sum value as the code sum value of the transmission domain. (S360).

  If there is a customer domain having the same code sum value as the code sum value of the sending domain in step S360, the mail firewall device 130 determines that the sending domain and the customer domain are the same domain (S362). If the same customer domain as the sending domain exists, the mail firewall device 130 determines the risk level that the received mail is a fraudulent mail to the lowest level (grade) (S364).

  If there is no customer domain having the same code sum as the code sum value of the sending domain in step S360, the mail firewall apparatus 130 sums up the code whose difference from the code sum value of the sending domain in the contact list is less than or equal to the critical value. It is determined whether there is a customer domain having a value (S370).

  If there is no customer domain having a code total value whose difference from the code sum value of the sending domain is less than or equal to the critical value in step S370, the mail firewall device 130 sets the sending domain to a new mail address or fraud according to the content of the body of the received mail In order to register as an e-mail address, a text inspection process is performed (S372). In step S372, the mail firewall device 130 can register the transmission domain for the received mail as a new mail address or a fraud mail address based on the text inspection result.

  If there is a customer domain having a code sum value whose difference from the code sum value of the transmission domain is equal to or less than a critical value in step S370, the mail firewall apparatus 130 extracts the customer domain (S380).

  The mail firewall device 130 sequentially compares the character codes constituting the sending domain and the extracted character codes constituting the customer domain (S382), and according to the number of different character pairs between the sending domain and the extracted customer domains. The similarity is determined (S384). Here, the similarity means a setting value indicating the degree of similarity between the sending domain and the customer domain, and may be set to a plurality of preset grades such as top, top, middle, bottom, bottom, However, the present invention is not necessarily limited thereto, and may be set to a preset numerical level such as a level of 1 to 10.

  Based on the comparison result of step S382, the mail firewall apparatus 130 refers to the similar character DB 222 to determine whether two characters constituting different character pairs are similar characters, and is similar depending on the number of character pairs composed of similar characters. Determine the degree.

  The mail firewall device 130 sets the risk level of the received mail based on the similarity (S390). The contents of step S390 are similar to the operation of step S340 of FIG.

  In FIG. 3b, the steps S350 to S390 are described as being executed in order, but this is merely illustrative of the technical idea of the present embodiment, and knowledge that is normal in the technical field to which the present embodiment belongs. 3 can be executed by changing the order described in FIG. 3b without departing from the essential characteristics of the present embodiment, or one or more of the steps S350 to S390 can be performed in parallel. FIG. 3b is not limited to the time-series order because various modifications and variations can be applied to what is executed.

  As described above, the operation of the mail firewall device 130 according to the present embodiment described in FIGS. 3A and 3B may be embodied as a program and recorded on a computer-readable recording medium. A program for implementing the operation of the mail firewall device 130 according to the present embodiment is recorded, and the computer-readable recording medium includes all types of recording devices that store data that can be read by the computer system. Examples of such computer-readable recording media include ROM, RAM, CD-ROM, magnetic tape, floppy disk, optical data storage device, etc., and are embodied in the form of a carrier wave (for example, transmission through the Internet). Including those that are made. The computer readable recording medium may be distributed in a computer system connected to a network, and a computer readable code may be stored and executed in a distributed manner. In addition, a functional program, code, and code segment for implementing the present embodiment should be easily inferred by a programmer in the technical field to which the present embodiment belongs.

  FIG. 4 is an exemplary diagram for explaining a fraud mail damage case.

  As shown in FIG. 4, “Merchant A” and “Merchant B” are merchants who have exchanged emails and made transactions. A “Hacker” can monitor the mail content between “Merchant A” and “Merchant B” and modulate the outgoing mail address to a similar domain.

  For example, each of “Seller A” and “Seller B” is <A @ 60127406. com> and <B @ 60127406. com>, the “hacker” is <A @ 6O127406. com> can be modulated to a similar domain such as “com> B” to exchange mail with “commercial company B”. Similar domain used by “Hacker” <A @ 6O127406. com> appears to be the same as the mail address of “Seller A” to the naked eye, but is actually a scam in which the second number “0” of the domain region “6O127406.com” is modulated to the capital letter “O”. It is an email address.

  In the present invention, in order to prevent the above-described damage situation in advance, the mail firewall apparatus 130 is used to determine the degree of risk that the received mail is a fraudulent mail.

  FIG. 5 is an exemplary diagram for explaining an operation of comparing domains in order to determine the risk of fraud mail according to the present embodiment.

  As shown in FIG. 5, the mail firewall device 130 transmits the transmission domain <1 @ KlWONTECH. com> and customer domain <1 @ KIWONTECH. com>, different character pairs can be detected. The mail firewall device 130 can determine the similarity between two domain addresses and transmit a message warning the user of the risk of fraudulent mail.

  As illustrated in FIG. 5, the mail firewall device 130 determines that the degree of similarity is higher as it is more difficult to discriminate by human eyes. Here, a high similarity means that there is a high risk that the received mail is a fraudulent mail. For example, the mail firewall device 130 sets the similarity to the “up” grade when there is one different character pair consisting of similar characters, and sets the similarity to the “medium” grade when there are two different character pairs. can do.

  The mail firewall device 130 determines that the higher the degree of similarity (class) determined by the number of different character pairs, the higher the risk that the received mail is a fraudulent mail.

  FIG. 6 is an exemplary diagram of outputting a fraud mail determination result according to the present embodiment.

  As shown in FIG. 6, the mail firewall device 130 is connected to <@dhl. com>, when a received mail is received in a domain similar to <com>, the similar domain <@dlhl. com> and the detection result can be output to the receiver 140 or the administrator. Here, the detected similar domain is output after determining the similarity and the fraud mail risk level, and both the similarity and the fraud mail risk level can be provided at the time of output.

  FIG. 7 is a block diagram illustrating a schematic configuration of a mail server according to the second embodiment of the present invention.

  Referring to FIG. 7, the second mail server 400 according to the second embodiment includes a communication unit 310, a storage unit 330, and a control unit 350. The control unit 350 includes an IP confirmation unit 351, a spam processing unit 353, and a DB management. A portion 355 may be included.

  The communication unit 310 is for data communication through a communication network such as the Internet network, and the second mail server 400 is a terminal of a sender that transmits mail by the communication unit 310 or a terminal of a receiver that receives mail. Send and receive data over the communication network.

  Since the communication function in the server device is obvious to those skilled in the art, a more detailed description of the communication unit 310 is omitted.

  The storage unit 330 stores various data for the mail service (for example, customer information, transmitted / received mail information, etc.). In particular, according to the second embodiment, information on the white list is stored. The white list according to the second embodiment is information about a sender who has a history of transmitting a normal mail, and includes an IP address (IP address). Here, the sender is the computing device of the person who sent the mail, and may be a personal terminal device or a server device such as another mail server.

  In other words, the second mail server 400 according to the second embodiment registers information (such as an IP address) about a sender who has a history of transmitting normal mail that is not spam mail as a white list and stores it in the database 332. To do. In addition to IP addresses, the white list can further store the history (such as the date of mail transmission). That is, if the sender A sends a normal mail, information about A's IP address and the history of sending the mail (date information such as date and time) is stored as a white list.

  The control unit 350 performs the overall control function of each functional unit (communication unit 310, storage unit 330, etc.), but in particular the transmission using the IP address of the sender who intends to transmit the received mail. It is determined whether or not the person is a normal sender who wants to send a normal mail or a botnet that wants to send a spam mail, and the mail reception is processed accordingly.

  The IP confirmation unit 351 confirms the IP address of the sender who attempts to send a mail (mail transmission after session connection), and determines whether or not the IP address is registered as a white list. When it is confirmed whether or not the sender's IP address is registered in advance as a white list, the spam processing unit 353 performs normal processing or spam mail processing on the mail from the sender based on the confirmed information. To do.

  For example, if the sender's IP address is not registered in the white list, the spam processing unit 353 performs a reception rejection process for the mail. Of course, when the sender's IP address is registered in the white list, the mail is normally received and processed, assuming that the mail is not a botnet spam but a normal sender.

  The spam processing unit 353 receives the mail normally when mail transmission is attempted again from the same sender within a specific time after the reception rejection process.

  For example, when the sender's IP address is a new IP address not registered as a white list stored in the database 332, the second mail server 400 connects the session after replying to the SMTP Reply Code 421 only once for the initial connection. The connection of the session with the same sender after that time is to receive the mail normally. In general, based on the SMTP protocol (RFC821), when a normal mail transmission server receives a 421 Reply Code, it is constructed so that there is no problem in mail communication by reconnecting a session after a short time. Therefore, it is possible to prevent the damage caused by the botnet by detecting the spam mail by the botnet that ends with the connection attempt of one initial connection.

  When mail reception is normally processed by re-sending mail from the sender, the DB management unit 355 registers the IP address of the sender as a white list. That is, the DB management unit 355 performs a management function for registering, modifying, and deleting information in the database, but the sender's IP address is a new IP address that does not exist in the white list and is determined to be a normal sender. In the case of such a case, information about the sender (IP address, history, etc.) is newly registered as a white list.

  The DB management unit 355 can update information about each sender registered as a white list. For example, a sender who has no history of sending new mails within a certain period (for example, one month) Can be removed from the list. In addition, sender information registered as a white list can be corrected and updated under various conditions, which will be described in detail later.

  Although not shown in the drawing, a black list can be further stored in the storage unit 330, but the black list includes information about a sender determined to be a botnet (eg, IP address, mail transmission history, etc.). Can be stored. That is, after a sender having a new IP address performs a reception rejection process as the sender having a new IP address attempts to send an email, if the sender does not attempt to send an email again, the spam processor 353 sets the sender as a botnet. Could be processed. Accordingly, the DB management unit 355 can store information about the sender determined to be a botnet in the storage unit 330 as a black list, and can similarly correct or delete the information.

  Hereinafter, a mail reception process in the second mail server 400 will be described.

  FIG. 8 is a flowchart illustrating a mail reception process in the mail server according to the second embodiment of the present invention, and FIG. 9 is a flowchart of mail between a normal sender and the mail server according to the second embodiment of the present invention. 5 is a flowchart illustrating a transmission / reception process.

  Referring to FIG. 8, the second mail server 400 confirms the IP address of the mail sender (S410), and determines whether the IP address is registered as a white list (S420).

  If the sender's IP address is not registered in the white list, the second mail server 400 performs mail reception rejection processing (S430). In contrast, when the IP address is registered in advance in the white list, Normally receives the mail (S435).

  After the mail reception rejection process, the second mail server 400 determines whether or not re-transmission of mail is attempted from the sender (S440). If there is an attempt to re-send, the second mail server 400 receives the mail from the sender. Normal reception processing is performed, and sender information (IP address, etc.) is registered in the white list (S450).

  Then, as illustrated in the drawing by way of example, the second mail server 400 processes the sender as a botnet if there is no attempt to retransmit the mail before the specific time has elapsed (S455). Of course, this is only an example. If there is no attempt to retransmit the mail until a specific time elapses after the mail reception rejection process, no process may be performed.

  For convenience of understanding, a mail transmission / reception process between a normal sender who is not a botnet and the second mail server 400 will be described.

  Referring to FIG. 8, when a normal sender 320 connects a session to the second mail server 400 for mail transmission (S510), the second mail server 400 confirms the IP address of the sender 320 (S520). It is determined whether or not the IP address is a new IP address that is not registered as a white list (S530). If the IP address of the normal sender 320 is registered in the white list, the second mail server 400 normally receives mail from the sender 320 (S540).

  In contrast, when the IP address of the normal sender 320 is not registered in the white list, the second mail server 400 transmits an SMTP Reply Code 421 message to the normal sender 320 and ends the linked session. (S550).

  When the normal sender 320 connects the session to the second mail server 400 again and tries to resend the mail (S560), the second mail server 400 normally processes the reception of the mail from the sender 320 (S570). ), The IP address and the mail transmission history are stored as information about the sender 320 (S580).

  The second mail server 400 determines whether or not there is an attempt to resend the mail from the sender after the mail reception refusal processing, but determines whether or not there is an attempt to resend without limiting the period. However, according to another example, normal processing may be performed only for retransmission attempts made within a specific period.

  Here, the specific period described above may be a predetermined period (for example, 1 minute, 5 minutes, 10 minutes, one day, etc.), or may be a period that can be varied depending on the situation.

  The specific period during which retransmission attempts are allowed (hereinafter referred to as the validity period) may vary depending on the sender or the email being sent.

  Hereinafter, the variable effective period setting method will be described in detail.

  10 and 11 are tables illustrating effective periods corresponding to the types of senders or mails according to the second embodiment of the present invention.

  First, referring to FIG. 10 in which the validity period is set according to the type of the sender, the types of the sender are the white list history, the black list history, the new IP (in Korea), and the new IP (overseas). ) Etc. The existence of the white list history means a case where there is a history previously registered as a white list even if the IP address of the sender is a new address at present. For example, if the IP address a has been previously registered as a white list but has been deleted from the white list because the preset condition could not be satisfied, the IP address a is [white The validity period can be set to 10 minutes.

  The existence of the black list history similarly means a case where there is a history in which the sender's IP address is registered as a black list as described above. The existence of blacklist history means that the sender is more likely to be a botnet, so the validity period is set shorter, and conversely there is whitelist history. This means that it is highly possible that the sender is not a botnet, so the validity period is set a little longer.

  In the case of a new IP, it is a case where the new IP address does not satisfy the above two conditions and has no history, and can be classified into domestic and overseas. Generally, in the IP address system, an address band assigned to each country is determined, and the country can be confirmed only by the IP address. Therefore, it can be known whether the sender exists in the country or abroad through the IP address of the sender.

  Referring to FIG. 11 according to another example, the validity period can be set by receiving a mail to be transmitted by the sender and analyzing the mail. Of course, this requires a procedure in which mail must be received first, not immediately after the session with the sender is connected.

  Depending on the total size of email, the presence / absence and number / capacity of attachments, the presence / absence of links to other websites, and the presence of specific text (eg, advertisements, membership subscriptions, resident numbers) Validity period can vary. For example, as illustrated in the drawings, the validity period may be inversely reduced as the file size is larger, the attached file is attached, the link is present, or the specific text is present.

  As described above, the second mail server 400 manages the white list (or black list), but it is also possible to register a new IP address or delete an existing IP list. According to an example, the same maintenance period (for example, one month) may be set for each IP address, and the maintenance period may be initialized for an IP address that has newly transmitted mail. For example, when the IP address a is registered as a white list, the maintenance period is counted, and if no new mail is transmitted from the IP address a before the maintenance period elapses, the IP address a is deleted from the white list. If transmission of a new mail is processed before the maintenance period elapses, the maintenance period is counted again from that point.

  According to another embodiment, the maintenance period may be set variably. However, according to an example, the maintenance period of the IP address may be changed according to the mail history.

  FIG. 12 is a flowchart illustrating a schematic procedure in which the second mail server 400 according to the second embodiment of the present invention manages the whitelist by setting the maintenance period based on the mail transmission history of each IP address.

  Referring to FIG. 12, the second mail server 400 confirms the mail transmission history for each IP address registered in the white list.

  Here, in the second embodiment, an example is given in which only the history of mail sent from the sender is used, but according to another example, mail sent with the IP address as the destination is also used as the history. obtain.

  The number of mail transmissions (total number or the number of times during a certain period), the average period of mail transmission, the average capacity of transmitted mails, the average number of attached files, etc. can be confirmed as the mail transmission history.

  The second mail server 400 sets a maintenance period according to the mail history of each IP address (S620). For example, the maintenance period may be set shorter as the number of email transmissions is increased, or the maintenance period may be set longer as the email transmission average period is longer, or the average email capacity or the number of attached files is larger or the capacity thereof. The larger the is, the shorter the maintenance period can be set.

  The second mail server 400 manages the white list on the basis of the maintenance time of the IP addresses set in this way, but in the unlikely event that there is an IP address that has not performed transmission of new mail until the maintenance period elapses. If it exists, the IP address is deleted from the white list.

  The above-described spam mail processing method using the sender's IP address according to the present invention can be embodied as a computer-readable code on a computer-readable recording medium. Computer-readable recording media include all types of recording media that store data that can be decoded by a computer system. For example, it may be a ROM (Read Only Memory), a RAM (Random Access Memory), a magnetic tape, a magnetic disk, a flash memory, an optical data storage device, or the like. The computer-readable recording medium may be distributed in a computer system connected to a computer communication network and stored and executed as a code that can be read in a distributed manner.

  The method for determining the risk of fraudulent mail according to the third embodiment of the present invention and the apparatus therefor include the method for determining the risk of fraudulent mail according to the above-described embodiment and the configuration of the apparatus for the same. The fire wall 130 further includes an image conversion unit 240. FIG. 13 is a sequential diagram showing that the image conversion unit 240 forwards fraudulent mail to the recipient, and FIG. 14 is a diagram showing the mail firewall device 130 and the image conversion unit 240. When the received mail is determined to be a fraudulent mail or when it is recognized that other malicious code is included, the image conversion unit 240 converts the text-format body of the mail into an image. In detail, when the received mail is classified as a fraudulent mail, the image conversion unit 240 converts the text body into an image and forwards it to the receiver so that the user can link the text body. Can be connected to prevent infection by malicious code. In addition, when an image file that is classified as fraudulent mail is transferred to the user, the original text of the fraudulent mail is recorded on the first mail server 120, the mail firewall device 240, or other recording medium. And the original text of the recorded fraudulent email can be viewed by the user. In detail, the mail that is imaged and forwarded to the user is forwarded so that the link of the position where the original text is recorded is included together so that the user can view the original text. In addition, when classified as a fraudulent email, if there is a text format attachment, the attachment is imaged as described above and transferred to the user. Further, even when the attached file is an image, the malicious code included in the image can be blocked by being further imaged as described above.

  The above description is merely illustrative of the technical idea of the present embodiment, and any person having ordinary knowledge in the technical field to which the present embodiment belongs does not depart from the essential characteristics of the present embodiment. Various modifications and variations may be possible within the scope. Therefore, the present embodiment is not intended to limit the technical idea of the present embodiment but to explain it, and the scope of the technical idea of the present embodiment is not limited by such an embodiment. . The protection scope of the present embodiment should be construed in accordance with the following claims, and all technical ideas within the equivalent scope should be construed as being included in the scope of rights of the present embodiment. .

110: Sender 120: First mail server 130: Mail firewall device 140: Recipient 210: Domain extraction unit 220: Domain comparison unit 222: Similar character DB
224: Body inspection unit 230: Risk analysis unit 240: Image conversion unit 310: Communication unit 320: Normal sender 330: Storage unit 332: White list 350: Control unit 351: IP confirmation unit 353: Spam processing unit 355: DB management unit 400: second mail server

Claims (9)

In a device that determines the risk of fraudulent emails,
A domain extraction unit that acquires a received mail transmitted from a mail server to a recipient and extracts a transmission domain of the received mail;
A domain comparison unit that compares the sending domain with at least one customer domain already stored in a contact list and determines a similarity between the sending domain and the customer domain;
Look including a risk analysis unit for determining the mail fraud risk of the incoming mail on the basis of the degree of similarity,
The domain comparison unit
The code value for each of the plurality of characters included in the transmission domain is summed to calculate the code sum value for the transmission domain, and the code sum value for the transmission domain is compared with the code sum value for each of the customer domains Then, the similarity is determined . The domain comparison unit
When there is a customer domain having the same code sum value as the code sum value of the sending domain, the sending domain and the customer domain are determined to be the same domain, and the risk analysis unit has the lowest risk of the received mail. The mail firewall device according to claim 1, wherein the mail firewall device is determined. The domain comparison unit
When there is no customer domain having the same code sum value as the code sum value of the sending domain, the customer domain having a code sum value whose difference from the code sum value of the sending domain in the contact list is not more than a critical value The mail firewall apparatus according to claim 1, wherein the mail firewall apparatus determines the similarity between the transmission domain and the extracted customer domain. The risk analysis unit
When there is no customer domain having a code sum value that is less than or equal to a critical value in the contact list, the sender domain is assigned a new mail address or a mail address according to the content of the body of the received mail. 4. The mail firewall apparatus according to claim 3, wherein a text inspection process is performed in order to register as a fraud mail address. The domain comparison unit
The character code constituting the transmission domain and the character code constituting the extracted customer domain are sequentially compared to determine the similarity between the transmission domain and the extracted customer domain. The mail firewall device according to claim 3, wherein: The domain comparison unit
6. The mail firewall device according to claim 5, wherein the similarity is determined based on the number of different character pairs between the transmission domain and the extracted customer domain. The risk analysis unit
The fraud risk is set to be highest when the number of different character pairs is one, and the fraud risk is set to be lower as the number of different character pairs is increased. Mail firewall device. In the method in which the email firewall device determines the risk of fraudulent email,
A domain extraction process of obtaining a received mail transmitted from a mail server to a recipient and extracting a transmission domain of the received mail;
Comparing the sending domain with at least one customer domain already stored in a contact list and determining a similarity between the sending domain and the customer domain;
And the risk analysis process to determine the fraudulent e-mails risk of the incoming mail on the basis of the similarity seen including,
The code value for each of the plurality of characters included in the transmission domain is summed to calculate the code sum value for the transmission domain, and the code sum value for the transmission domain is compared with the code sum value for each of the customer domains The fraud mail risk analysis method is characterized in that the similarity is determined . In data processing equipment,
A domain extraction process of obtaining a received mail transmitted from a mail server to a recipient and extracting a transmission domain of the received mail;
Comparing the sending domain with at least one customer domain already stored in a contact list and determining a similarity between the sending domain and the customer domain;
A risk analysis process for determining a fraudulent email risk of the received email based on the similarity;
The code value for each of the plurality of characters included in the transmission domain is summed to calculate the code sum value for the transmission domain, and the code sum value for the transmission domain is compared with the code sum value for each of the customer domains Then , a computer-readable recording medium on which a program for realizing the process of determining the similarity is recorded.