JP7206488B2 - Information processing device, client terminal, control method, and program - Google Patents

Description

The present invention relates to electronic mail security technology, and more particularly to security technology for received unsolicited junk mail.

In recent years, with the development of networks, electronic mail (hereinafter simply referred to as "mail" as necessary) has come to be widely used.

As a result, there are many cases where recipients receive unsolicited spam emails that contain unwanted advertisements or harassment. There is also e-mail.

Such emails are not only annoying to recipients, but also pose various threats such as malware infection and guidance to phishing sites.

In such mail, most of the template (including mail text, attached files, URLs, etc.) is reused, and the mail is sometimes sent while changing recipient information and sender information.

For this reason, emails containing exactly the same or almost the same text, attached files, and URLs are sent from email addresses of different senders (such emails are called similar emails).

In addition, the template portion is updated periodically, and in particular, spambot emails often have the above characteristics.

In normal mail operation, situations in which similar mails arrive from various senders are rare, and are limited to specific situations such as blank mails or cases where the recipient specifies the content of transmission.

Therefore, in order to protect oneself from various threats, it is necessary to identify similar emails that may cause threats sent from the sender.

As a method for such identification, there is disclosed a method of determining whether or not the same mail has been received by using the information of the sender of the already received mail and the newly received mail and the message ID. (See Patent Document 1, for example).

Patent No. 5326785

However, in the method described in Patent Literature 1, a mailing list and a personal list included in the mailing list are set as destinations for the purpose of preventing duplicate mails from being received. Sometimes it will display the mail to the recipient in a unique way.

Therefore, there is a possibility that an e-mail that may pose a threat may be displayed, and such a problem may arise that such an e-mail is displayed and the recipient's terminal is invaded by the threat.

SUMMARY OF THE INVENTION Accordingly, it is an object of the present invention to provide a mechanism capable of identifying emails that may pose a threat and generating learning data for identifying spam emails based on the identified emails. .

In order to solve the above-mentioned problems, the present invention provides a computer, receiving means for receiving e-mails, and receiving the same or similar e-mails sent from different senders from the e-mails received by the receiving means. and generating means for generating learning data for discriminating spam e-mails using the information related to the e-mails identified as correct data .

ADVANTAGE OF THE INVENTION According to this invention, it is effective in the ability to identify the e -mail which may cause a threat, and to generate the learning data for discriminating an unsolicited junk e -mail based on the identified e -mail.

1 is a configuration diagram showing an example of a schematic configuration of an information processing system; FIG. 3 is a block diagram showing an example of hardware configurations of a mail server and a client terminal; FIG. It is a block diagram which shows an example of a software configuration. 10 is a flow chart showing an example of processing for judging junk mail. 4 is a configuration diagram showing an example of the configuration of a determination information setting file; FIG. 4 is a configuration diagram showing an example of the configuration of a shared information setting file; FIG. 4 is a configuration diagram showing an example of the configuration of a mail information table; FIG. It is a figure which shows an example of the process when using in combination with the process which determines an unsolicited junk e-mail, and an existing technique. FIG. 11 is a flowchart showing an example of processing for reusing spam e-mail; FIG. FIG. 4 is a configuration diagram showing an example of the configuration of a list screen; It is a figure which shows an example of a structure of a detail screen.

BEST MODE FOR CARRYING OUT THE INVENTION Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.

FIG. 1 is a configuration diagram showing an example configuration of an information processing system according to an embodiment of the present invention.

As shown in FIG. 1, an information processing system 100 according to this embodiment includes a mail server 101, a client terminal 102 (at least one or more), and a LAN 103. It is connected to the mail server 105 .

The mail server 101 is an information processing device used for sending and receiving e-mails, and has functions such as managing e-mail addresses of e-mails and saving e-mails sent to the e-mail addresses. there is

It also performs a process (details will be described later) for judging junk e-mails for e-mails sent from the external mail server 105 .

The client terminal 102 is a terminal device operated by a user who exchanges e-mails using mail addresses managed by the mail server 101 .

The client terminal 102 is also a terminal device that provides various contents and the like provided by the external mail server 105 to the user.

Furthermore, the client terminal 102 can refer to and edit settings and data related to the present invention stored in the mail server 101 via the LAN 103 .

The external mail server 105 is a device for providing various contents to users, and may be installed by a service provider or an individual user, or may be installed as a mail server owned by an external user. or

An information processing device may be provided between the mail server 101 and the LAN 103, and the information processing device may determine whether an email sent from the external mail server 105 is junk mail.

FIG. 2 is a block diagram showing an example of the hardware configuration of the mail server 101 and client terminal 102 according to the embodiment of the present invention.

As shown in FIG. 2, the mail server 101 and the client terminal 102 are connected via a system bus 204 to a CPU (Central Processing Unit) 201, a ROM (Read Only Memory) 202, a RAM (Random Access Memory) 203, and an input controller 205. , a video controller 206, a memory controller 207, and a communication I/F controller 208 are connected.

The CPU 201 comprehensively controls each device and controller connected to the system bus 204 .

ROM 202 or external memory 211 stores BIOS (Basic Input/Output System) and OS (Operating System), which are control programs executed by CPU 201, computer-readable executable programs for realizing this information processing method, and necessary various types of programs. Holds data (including data tables).

A RAM 203 functions as a main memory, a work area, and the like for the CPU 201 . The CPU 201 loads programs and the like necessary for executing processing from the ROM 202 or the external memory 211 to the RAM 203, and executes the loaded programs to realize various operations.

The input controller 205 controls inputs from input devices such as a keyboard 209 and a pointing device such as a mouse (not shown). When the input device is a touch panel, the user can give various instructions by pressing (touching with a finger or the like) an icon, cursor, or button displayed on the touch panel.

Also, the touch panel may be a touch panel, such as a multi-touch screen, capable of detecting positions touched by multiple fingers.

Video controller 206 controls display on an external output device such as display 210 . The display shall include the display of a notebook computer integrated with the main body. Note that the external output device is not limited to a display, and may be a projector, for example. In addition, an input device is also provided for the device capable of receiving the above-described touch operation.

The video controller 206 can control a video memory (VRAM) for performing display control, and can use part of the RAM 203 as a video memory area, or provide a separate dedicated video memory. It is possible.

A memory controller 207 controls access to the external memory 211 . External memory can be connected to an external storage device (hard disk), flexible disk (FD), or PCMCIA card slot for storing boot programs, various applications, font data, user files, edit files, and various data via an adapter. A compact flash (registered trademark) memory or the like can be used.

A communication I/F controller 209 connects and communicates with an external device via a network, and executes communication control processing in the network. For example, communication using TCP/IP, telephone lines such as ISDN, and communication using 3G lines for mobile phones are possible.

The CPU 201 enables display on the display 210 by, for example, rasterizing an outline font to a display information area in the RAM 203 . The CPU 201 also allows the user to issue instructions using a mouse cursor (not shown) on the display 210 .

Next, with reference to FIG. 3, an example of functional configurations of various devices according to the embodiment of the present invention will be described. It should be noted that each function will be described together with a flow chart and the like to be described later.

The mail server 101 includes a mail reception unit 300 , an extraction unit 302 , a storage unit 304 , a determination unit 306 , a processing unit 308 , a sharing unit 310 and a reuse unit 312 .

The mail receiving unit 300 receives an e-mail sent from the external mail server 105, and the extracting unit 302 extracts information about the text, attached file, URL, etc. from the e-mail received by the mail receiving unit 300 according to predetermined conditions. get.

The storage unit 304 stores the information about the e-mail acquired by the extraction unit 302 in a table, and stores the definition information used when judging junk mail in a setting file.

The determining unit 306 calculates the degree of similarity between the e-mail received by the mail receiving unit 300 and the e-mail stored by the storage unit 304 in terms of text, attached files, URLs, etc., and the calculated degree of similarity is set in the setting file. It is determined whether or not the mail is junk mail based on whether or not the number of different senders exceeds the threshold set in the setting file.

The processing unit 308 performs processing so as not to cause secondary damage or the like for e-mails determined as junk mail by the determination unit 306. Share information with other systems and users.

The reuse unit 312 inputs information about e-mails determined as junk mails to existing technologies (anti-spam software and anti-virus software) to improve overall security accuracy.

Next, the process of judging junk mail executed by the mail server 101 according to the embodiment of the present invention will be described with reference to the flowchart shown in FIG. This processing is executed by the CPU 201 of the mail server 101 reading out a predetermined control program.

In step S400, the mail receiving unit 300 receives an e-mail sent from the external mail server 105. FIG.

At step S402, the extraction unit 302 extracts information about the e-mail received at step S400.

The information about the email to be extracted includes, for example, the sender's email address and the hash value of the sender's email address (a value calculated by an arbitrary predetermined hash function as information about the sender). The same hash function is used hereafter), any identifier of the sender's email address, the domain information of the sender's email server, the IP address of the sender's email server, and the route information of the MTA (Mail Transfer Agent) and so on.

In addition, there is information about the text as information about the mail to be extracted, and the hash value of the text and the fuzzy hash value (value calculated by any predetermined fuzzy hash function. However, the same fuzzy hash function is used in the series of processes. Hereafter, the same applies), arbitrary identifier (for example, assign a number to identify the text, assign the same number if there is a duplicate text, etc.), feature amount, entire text, hash value for each element, There is information (hash value, fuzzy hash value, arbitrary identifier, feature amount, etc.). Elements of the text include, for example, each paragraph and each block of a certain size.

As for the information for each element, there are unsolicited mails in which some elements are randomly exchanged or some elements are combined to create a text.

For example, there are emails in which the whole sentence is created by randomly selecting and combining the list of sentences used in the first half of the paragraph and the list of sentences used in the second half of the paragraph, and the mail in which the signature part at the end is randomly created. exist.

Therefore, by extracting information for each element, it is possible to improve the accuracy of identifying spam.

In addition, there is information about attachments as information about emails to be extracted, hash values about attachments, fuzzy hash values about attachments, arbitrary identifiers (for example, assigning numbers to identify attachments, duplicate attachments If there is, assign the same number, etc.), operation information (operate in a sandbox or automatic analysis environment and acquire an operation log. Examples of operation information include, if it is an EXCEL (registered trademark) file with a macro, the macro Actions performed by , communication destination URL, file read/write log, etc. Similarly for execution files, log of actions performed when executing the executable file.Alternatively, communication destination URL and file read/write, registry read/write, shutdown and instructions to the PC such as restarting), the attached file itself (Basically, there is no problem with just the hash value or fuzzy hash value, but if there is an attached file itself, similarity can be calculated by various methods. ), metadata (e.g., file name, file type, file size, date and time of creation, creator name, product name, version information, Exif, name detected by anti-virus software, etc.), hash value for each element, element information (hash value, fuzzy hash value, arbitrary identifier, operation information (when there are multiple attached files, operation information of each attached file)) and the like.

Elements of the attached file include, for example, each fixed-size block, each section of the file, the resource portion of the file, and only the macro portion in the case of Office.

As for the information for each element, there are unsolicited e-mails attached with files created by randomly replacing some elements or combining several elements.

For example, there is an attached file in which only the resource portion of the file is rewritten, and an attached file in which only the macro portion of Office is reused and the content is rewritten each time.

Therefore, as described above, by extracting information for each element, it is possible to improve the accuracy of identifying spam.

In addition, there is information on URL etc. as information on e-mail to be extracted, hash value, fuzzy hash value, arbitrary identifier (for example, assigning a number to identify the URL, assigning the same number if there is a duplicate URL, etc.) ), operation information (operate in a sandbox or automatic analysis environment and acquire operation logs. Examples of operation information include redirect destinations when accessing URLs, files to be downloaded, etc.), entire URLs, metadata (For domains, IP address, GeoLocation (location information of IP address), detection information such as antivirus software, hash value for each element, information for each element (hash value, fuzzy hash value, arbitrary identifier), and the like.

The URL elements include, for example, a domain portion, an FQDN, a URL path portion, a URL query portion, and the like.

Regarding the information for each element, there are unsolicited e-mails that create a URL by randomly replacing some elements or combining several elements.

For example, there are URLs in which the directory part at the end of the URL path is randomly rewritten, and URLs in which the query part of the URL is randomly replaced.

Therefore, as described above, by extracting information for each element, it is possible to improve the accuracy of identifying spam.

In addition, as the information related to the e-mail to be extracted, the address set in TO, CC, and BCC as the destination e-mail address, the subject, and the like may be extracted.

Arbitrary identifiers for each piece of information can be used to distinguish data such as sender's email address, text, attached files, URLs, and identifiers numbered one by one in addition to hash functions. , may be roughly distinguishable.

Furthermore, each piece of information may be processed. For example, if the information is related to the text, the line feed code may be deleted, or the URL portion may be deleted. Also, if it is information related to an attached file, file format conversion, image conversion, execution file unpacking, and the like may be performed.

In step S404, the storage unit 304 stores each piece of information extracted in step S402 in the mail information table 700 (see FIG. 7).

FIG. 7 shows the structure of the mail information table 700. The mail information table 700 is a table for storing the information of the e-mail extracted in step S402. fuzzy hash 704, attached file hash 706 and attached file fuzzy hash 708 that are information about the attached file, URL hash 710 that is information about the URL, hash 712 of the sender's email address, and the like. ing.

The text hash 702 stores a hash value related to the text, and the text fuzzy hash 704 stores a fuzzy hash value related to the text.

Attachment Hash 706 stores a hash value for the attachment, and Attachment Fuzzy Hash 708 stores a fuzzy hash value for the attachment.

The URL hash 710 stores a hash value related to the URL, and the sender address hash 712 stores a hash value related to the email address of the sender.
Note that the storage format may be a file rather than a table. Also, the mail information table 700 may be constructed within the information processing system 100 or may be constructed in an external system. Furthermore, it is also possible to exchange data with databases of external systems.

Since similar e-mails are frequently updated, sufficient effects can be expected even when old data stored in the e-mail information table 700 is deleted.

The timing of deletion may be, for example, periodical deletion, or the time when the last access (text, attached file, URL hash value, fuzzy hash value, identifier, etc.) was last viewed on a screen or the like. If there is no similar mail, it will be the time it was received (the time stored in the table), and if there is a similar mail, it will indicate the last time it was received. Data that has passed a certain period of time may be deleted.

This has the effect of reducing the load on resources and improving the speed of processing for judging spam.

In step S406, the determination unit 306 determines that the e-mail stored in step S404 has a high degree of similarity with the e-mail already stored in the mail information table 700 in terms of text and a low degree of similarity in terms of the source information (sender are different), it is determined as a similar mail.

Alternatively, it is determined how many e-mails with the same text have been received from different source e-mail addresses.

In this step, determination is made based on whether or not the degree of similarity regarding the text is greater than or equal to the similarity threshold set in the setting 504 regarding the text of the determination information setting file 500 shown in FIG.

In addition, the total number of e-mails with the same text but sent from different source e-mail addresses is greater than the threshold for the number of similar e-mails set in the setting 502 for the entire determination information setting file 500. is higher or not.

A determination information setting file 500 shown in FIG. 5 is a setting file that stores information for performing each determination in the present invention.

The determination information setting file 500 includes overall settings 502, settings 504 related to text, settings 506 related to attached files, settings 508 related to URLs, and the like.

The determination information setting file 500 may be read at the beginning of this process, or only settings necessary for each step in this process may be read.

The overall settings 502 store settings related to general processing, the text settings 504 store settings related to text processing, and the attachment file settings 506 store settings related to attachment file processing. , and the URL-related setting 504 stores settings related to URL processing.

As another example, the similarity of the fuzzy hash value for the text is equal to or greater than the similarity threshold set in the setting 504 for the text, and the number of similar emails set in the setting 502 for the whole is It may be determined whether or not the total number of e-mails sent from different source mail server IP addresses is higher than the threshold.

Alternatively, it is higher than the threshold for the number of similar e-mails set in the setting 502 related to the whole, and higher than the total number of e-mails sent from different source e-mail addresses, and An e-mail whose text has a degree of similarity greater than or equal to the threshold of similarity set in the setting 504 regarding the text, and the number of received e-mails is higher than the threshold of the number of similar e-mails set in the setting 502 regarding the whole. , may be used for determination.

Furthermore, it is also possible to perform similarity determination using information obtained by dividing the text for each element described above. At this time, in the setting 504 relating to the text, settings may be made for each element.

The settings include similarity thresholds and whether or not to use spam emails similar to the text, and add settings for each element according to the situation.

Similar emails may be determined only when the size of the text (for example, the number of characters, the number of bytes, etc.) of the determination information setting file 500 is greater than or equal to the value set.

In step S408, the determination unit 306 determines that the e-mail stored in step S404 and the e-mail already stored in the mail information table 700 have a high degree of similarity regarding the attached file and a low degree of similarity regarding the information regarding the sender (sent If the source is different), it is determined as a similar mail.

In this step, it is determined whether or not the similarity of the attached file is higher than the similarity threshold set in the setting 506 of the attached file of the determination information setting file 500 shown in FIG.

For example, the similarity of the fuzzy hash value of the attached file is equal to or higher than the threshold of similarity set in the setting 506 of the attached file, and the number of similar e-mails is greater than the threshold of the number of similar mails set in the setting 502 of the whole. , and whether or not the total number of mails sent from different source addresses increases.

Alternatively, as a result of executing the attached file in a protected area such as a sandbox, the similarity of the operation log (reading and writing of files and registries, network communication, executed API, etc.) is set in the setting 506 related to the attached file. Depends on whether or not the total number of e-mails equal to or higher than the degree threshold and sent from different source e-mail addresses is higher than the threshold for the number of similar e-mails set in the overall settings 502. It may be determined.

Furthermore, it is possible to perform similarity determination using information obtained by dividing the attached file for each element described above.

At this time, in the settings 506 regarding attached files, settings may be made for each element.

Settings include similarity thresholds and whether or not to use attachments to detect similar spam emails.

In step S406, the determination unit 306 determines that the e-mail stored in step S404 has a high degree of similarity in URL with an e-mail already stored in the mail information table 700, and has a low degree of similarity in terms of sender information (sender are different), it is determined as a similar mail.

In this step, it is determined whether or not the similarity of the URL is higher than the similarity threshold set in the setting 508 of the URL of the determination information setting file 500 shown in FIG.

For example, the total number of e-mails that have the same FQDN of the URL described in the e-mail and have been sent from different source e-mail addresses than the threshold for the number of similar e-mails set in the overall settings 502 is high or not.

Alternatively, the similarity of the response data after accessing the URL in a protected area such as a sandbox is equal to or higher than the similarity set in the setting 508 regarding the URL, and the e-mail is set in the setting 502 regarding the whole. It is also possible to determine whether or not the total number of e-mails sent from different source e-mail addresses is higher than the threshold value for the number of similar e-mails.

Furthermore, it is possible to perform similarity determination using information obtained by dividing the URL into elements.

At this time, in the URL-related setting 508, setting may be made for each element.

The settings include similarity thresholds and whether or not to use spam emails with similar URLs.

In step S412, if the number of cases obtained in step S406, the number of cases obtained in step S408, or the number of cases obtained in step S410 exceeds a certain value, the determination unit 306 determines that the similar e-mail is junk e-mail, and proceeds to step S414. If the process proceeds and the mail is not determined as junk mail, the process proceeds to step S416.

Alternatively, the determination may be made based on a combination of the number of cases in step S406, the number of cases in step S408, and the number of cases in step S410.

Also, the threshold value or the combination may be changed between the case of exact match and the case of similarity. For example, if three or more e-mails with the same text are received from different sender e-mail addresses, all the e-mails with the same content as the text are treated as junk mail.

Alternatively, if three or more e-mails with texts that are 80% or more similar in text and 90% or more similar fuzzy hash values for attached files are received from different sender e-mail addresses, the e-mail (that e-mail An email whose text is 80% or more similar to the email and 90% or more similar to the attached file) may be treated as spam.

In step S414, the processing unit 308 performs arbitrary processing on the e-mail determined as junk mail in step S412.

Arbitrary processing for unsolicited e-mail includes, for example, deletion of target e-mail, addition of warning text to target e-mail, detoxification of attached files and URLs, and execution on a virtual environment.

In addition, the arbitrary processing may be performed differently depending on how the detection is performed, such as when detecting a perfect match or when detecting a similarity. For example, if an exact match is detected, the e-mail is deleted, and if similarity is detected, a warning message is added.

Additionally, combinations may be utilized. For example, if the number of e-mails with high similarity in text is less than a certain number, but there are more than a certain number of e-mails with high similarity in attached files, the attached files are rendered harmless without being deleted. It's okay. By changing the processing according to the detection conditions in this manner, accuracy and convenience are improved.

In step S416, sharing unit 310 shares each piece of information stored in step S404 with the user.

Examples of sharing destinations include other users, a server on a route, another server within a base, sharing between bases, sharing with other companies or organizations, and sharing with a developer.

As a method of sharing each information with a server on the route, for example, when the external mail server 105 has a configuration in which an e-mail is sent from the mail server A to the mail server B or the mail server C by branching. , mail servers B and C normally use this system.

The information about the e-mail judged to be junk mail by the mail server B is shared with the mail server A. - 特許庁

The mail server A extracts only typical information in order to reduce the load, stores only the information shared from the mail server B, and performs similar mail determination. Thus, even the mail server C can determine junk mail.

As the information to be shared, the range of destinations to be shared can be set for each information to be shared, such as information on the sender, information on the text, information on the attached file and URL.

The setting may be adjusted by a shared information setting file 600 as shown in FIG. A shared information setting file 600 shown in FIG. 6 is a setting file for setting information sharing.

The shared information setting file 600 includes sharing settings 602, sender settings 604, text settings 606, attachment file settings 608, URL settings 610, and the like.

The overall sharing settings 602 store general sharing settings, the sender settings 604 store settings relating to sharing of the sender, and the body settings 606 store body sharing settings. Settings related to attachments 608 store settings related to sharing of attached files, and settings related to URL 610 store settings related to sharing of URLs.

For example, when sharing with the developer, the setting 606 for the text is used to set the hash value of the text, and the setting 604 for the sender is used to set a part of the hash value of the email address of the sender (for example, the first two characters) and the email address. share domain information only.

This has the effect of reducing concerns about sharing with the developer. (Here, the hash value of the email address may be restored using a rainbow table (a table of sets of plain text and hash value), etc., but if it is part of the hash value, a collision will occur, so the original It becomes more difficult to guess the value.

Also, since it is enough to count the number of similar emails with different senders above a certain level, even if a collision occurs, the impact is small.)

Alternatively, when sharing with another mail server between bases, the setting 606 for the text is used to set the hash value and fuzzy hash value for the text, the setting 608 for the attached file is used to set the hash value and fuzzy hash value for the attached file, and the setting for the URL. By 610, the FQDN, by setting 604 regarding the sender, the information of the entire hash value of the email address and the email address of the sender may be shared.

In addition, when the present invention is implemented in each client terminal 102, there is a possibility that similar mails will not accumulate more than a certain amount. can be expected to improve

In addition, by sharing with other companies, other organizations, or developers, it is possible to expect a greater effect than security companies alerting users on the Web or the like.

Before performing the processing of step S406, a waiting time (for example, 10 minutes if set short, about 1 hour if set long) is provided to temporarily wait for the processing after step S406. is also possible.

Similar unsolicited e-mails are always sent because there is no similar e-mail for the first time. By setting a waiting time, it is possible to allow time until the number of cases reaches a certain level, and detection including the first case is possible. Also, since similar spam mails are sent in a short period of time, even a short delay time can be expected to be effective.

Also, this waiting time may be set differently for each transmission source information. Such unsolicited junk mail is often sent from a sender who receives it for the first time. For example, waiting time may be provided only for a transmission source that receives data for the first time. As a result, the effect of providing a delay time can be expected without delaying all e-mails.

Spam mail is determined based on the result of determination of similar mails in step S412. good.

Many of the similar spam emails are from senders who receive them for the first time. Moreover, even when the same transmission source is used, there is a case where the reception is one-sided and there is no transmission record.

As a usage, for example, each similar mail is determined only from a sender who has no record of reception, that is, a sender who receives it for the first time (a sender who does not exist in the mail information table 700).

Alternatively, each similar mail is judged only from a sender who has a record of reception but has no record of transmission. In this case, it is necessary to store information on e-mails including information on the senders of sent e-mails as the transmission record.

Also, the reception record and the transmission record may be used for each of the similar mail determination regarding the text, the similar mail determination regarding the attached file, and the similar mail determination regarding the URL.

For example, for e-mails that have been received, similar e-mails are judged for the text, but similar e-mails for attached files and URLs are not judged. It is also possible to perform similar mail judgment of

As a result, attachment files and URLs of e-mails that have been received are less dangerous, but like spoofed e-mails, even if there is no reception record, the text can be copied and dangerous attachments and URLs can be sent. It is also possible to detect certain e-mails.

The settings include a threshold value for judging the number of similar e-mails as junk e-mails, whether to use transmission and reception records, and other settings depending on the situation.

This makes it possible to automatically detect unsolicited e-mails (similar e-mails) that are sent to different senders and destinations using the same template, as represented by spambots, and suppress their reception.

In addition, there is no need to prepare data in advance and perform machine learning, and it is possible to respond quickly to spam emails that are updated frequently, and users can add settings each time they are updated spam emails. No need, less hassle.

In addition, since countermeasures are taken only on the receiving side, it is possible to take countermeasures without being affected by the specifications of the mail server on the sending side.

[Modification]
FIG. 8 is an example of a configuration diagram of a system that enhances security accuracy for e-mails determined to be junk e-mails by combining with existing technology.

The block diagram of this combination with existing technology consists of mail reception processing 800, processing 802 by existing technology, junk mail judgment processing 804 and mail forwarding processing 806 described above.

Mail reception processing 800 performs processing for receiving e-mails from the external mail server 105, and processing 802 using existing technology detects spam e-mails and e-mails containing malware using anti-spam software and anti-virus software, which are existing technologies. It is a process to

Spam mail judgment processing 804 is processing for judging spam mail described in the embodiment. This is a process of forwarding the e-mail to, for example.

The unsolicited e-mail determination processing 804 may be processed prior to the existing technology, or may not be processed by the same mail server 101 .

Since the unsolicited e-mail determination process 804 is a process that does not compete with existing techniques, it can be used in combination, and by using it in combination, the unsolicited e-mail detection rate is improved.

Next, processing for reusing unsolicited junk e-mails according to the embodiment of the present invention will be described with reference to the flowchart of FIG. This processing is executed by the CPU 201 of the mail server 101 reading out a predetermined control program.

In the present invention, it is possible to automatically detect new unsolicited e-mails, so the detected e-mail data can be used for existing filtering, anti-spam software, anti-virus software, and the like.

It can also be used as learning data for machine learning and teaching materials used in security training. This has the effect of improving the performance of techniques other than the present invention.

In step S900, the reuse unit 312 reuses the data regarding the sender information of the e-mail determined as spam.

Since the sender information may also be used to send other spam emails, it is important to prevent spam emails by registering the sender information of spam emails in filtering or blacklist settings related to sending and receiving emails. suppression becomes possible.

A mail address, an IP address of a mail server, information on a mail server on a delivery route, or the like can be used as the source information.

In step S902, the reuse unit 312 reuses the data regarding the destination information of the e-mail determined as spam.

Unsolicited mail may use a combination of destination information that is not used on a daily basis. For example, there are cases in which a plurality of e-mail addresses with little relevance are specified, such as a support contact for product A and a company hiring contact for TO, and an inquiry contact for a website and an individual address for CC.

Such a combination of destination information is used as a list of destinations, and there is a possibility that unsolicited mail may be sent to the same combination of destination information again.

Therefore, it is possible to reuse this combination of destination information. For example, it can be used to add a warning text to the e-mail sent for this combination of destination information.

In addition, by using the transmission record and the reception record, if the combination of destination information detected by the present invention is a combination that has no track record, the combination of destination information is filtered or blacklisted for sending and receiving e-mails. You can also register on the list.

In step S904, the reuse unit 312 reuses the data regarding the text information of the e-mail determined as junk mail.

Spam e-mail data is shared in step S416 of FIG. It becomes possible to specify new e-mails that contain.

In step S906, the reuse unit 312 reuses the data related to the attached file information of the e-mail determined as spam.

For spam mail, data is shared in step S416 of FIG. 4, but the information of the attached file of the email determined as spam is also input to existing filtering, anti-spam software, or anti-virus software. This makes it possible to identify new e-mails and communications that include such attached file information.

As a result, it is possible to detect even if the file is used via the Web instead of via e-mail.

In step S908, the reuse unit 312 reuses the data regarding the URL of the e-mail determined as junk mail.

Spam emails detected by the present invention are shared as data in step S416 of FIG. By inputting information about URLs, it becomes possible to identify new e-mails and communications that contain information about such URLs.

As a result, it is possible to detect even if the file is used via the Web instead of via e-mail.

In step S910, the reuse unit 312 creates a signature from the text, attached file, URL, etc. of the e-mail determined as spam.

As an example of a signature, a hash value or a part of data is extracted from several places and pattern matching is performed. For example, in the case of the text, 10 characters are extracted from each of lines 2, 5, and 7, and the extracted character strings are used as signatures. Then, an e-mail containing all of the extracted character strings is determined as an unsolicited e-mail.

Alternatively, in the case of a file, n bytes to n+100 bytes and m bytes to m+100 bytes are extracted as signatures. Then, an e-mail attached with a file containing all of the extracted byte strings is determined as an unsolicited e-mail.

At this time, overlapping parts may be extracted from spam mails with a high degree of similarity. As a result, it is possible to improve the determination accuracy by excluding random elements.

In addition, it can be used not only when receiving mail, but also when sending mail. Spam emails are often sent by spambots and the like, so if the signature is detected at the time of sending, the client terminal 102 may be infected by the spambots and become a stepping stone.

Client terminals 102 infected with spambot use the same template to send unsolicited spam emails. Email is sent.

The mail server 101 can detect such unsolicited junk e-mails because e-mails with the same contents are received from various places.

For this reason, by detecting at the time of transmission, it is possible to reduce the possibility of becoming a perpetrator, and in the case where infection spreads due to e-mail, it is possible to suppress the spread of damage.

Furthermore, it is also possible to specify or automatically detect the client terminal 102 that is a stepping stone.

As an example of the automatic detection method, the IP address of the client terminal 102 that sent the detected e-mail is inquired from the Received header of the detected e-mail to the mail server in the first used site.

The mail server used first extracts the IP address of the client terminal from the email transmission log and responds to the inquiry.

This makes it possible to automatically detect the client terminal 102 that is automatically used as a stepping stone.

Signatures or detected data can also be used as learning data for machine learning or as teaching materials for security training.

In machine learning, it is necessary to create learning data before learning, but since the present invention can automatically detect spam, the detected data can be used as it is as learning data for machine learning.

In step S912, the reuse unit 312 classifies and analyzes the spam mail.

As an example of classification method, spam is divided into parts such as body 0, body 1, attachment 0, attachment 1, . . . Extract spam mails, count the number of unique From addresses, extract all spam mails exceeding a threshold value (for example, 3), and classify them collectively by hash value. Further, the classification may be made for each Content-Type.

By grouping together highly similar unsolicited emails, it is possible to classify and display the unsolicited emails like the display contents of the screens shown in FIGS. 10 and 11 .

In addition, the contents to be displayed on each screen can be changed by setting. Also, this screen configuration is an example, and other screen configurations may be used.

As a result, it is possible to understand the spam mails that are frequently received and the recent trends, and to make it easier to call attention.

In addition, classification can reduce the labor required for use in research or the like.

Furthermore, it can be used for analysis. For example, it is possible to analyze the trends of attackers and the trends of spam emails by using the transmission times of detected emails. It can also be used to track and identify attackers and attacker groups based on common items.

It is also possible to predict in advance spam mails that are periodically sent. For example, anticipate spam emails sent by date, season, event, such as "Invoice of XX month" or "Purchase order of XX month", and insert a warning message when it is sent. is also possible.

FIG. 10 is an example of a configuration diagram showing the configuration of a list screen 1000 for classifying and listing emails determined to be junk emails.

The list screen 1000 includes a display setting 1002, a category 1004, a list display section 1006, and the like.

The display setting 1002 sets the conditions for displaying on the list screen 1000. The display setting 1002 includes a similar item 1008, a degree of similarity 1010, a period 1012, etc., and other settings may be added. .

Further, for the similar item 1008, it is possible to select at least one or more of e-mails with similar texts, e-mails with similar attached files, e-mails with similar URLs, and the like.

Of the similar emails corresponding to the item selected in the similar item 1008, the similarity 1010 can display similar emails showing a similarity greater than or equal to the specified similarity. It is possible to display similar e-mails received during the period.

A classification 1004 displays a unit of classification, and a list display section 1006 displays a list of similar e-mails etc. satisfying conditions specified for the items set in the display settings 1102 according to the classification of the classification 1004. indicate.

FIG. 11 is an example of a configuration diagram showing the configuration of a detailed screen 1100 for classifying emails determined to be junk mails and displaying detailed information about the emails.

The detailed screen 1100 includes a display setting 1102, a category 1104, a detailed information display section 1106, and the like.

The display settings 1102 set the conditions for displaying on the detailed screen 1100. The display settings 1102 include similar items 1108, degree of similarity 1110, period 1112, etc., and other settings may be added. .

For the similar item 1108, it is possible to select at least one e-mail with a similar text, an e-mail with a similar attached file, an e-mail with a similar URL, or the like.

Of the similar emails corresponding to the item selected in the similar item 1108, the similarity 1110 can display similar emails showing a similarity greater than or equal to the specified similarity. It is possible to display similar e-mails received during the period.

A classification 1104 displays a unit of classification, and a detailed information display section 1106 displays similar emails etc. that satisfy conditions specified for the items set in the display settings 1102 according to the classification of the classification 1104 . do.

The detailed information display unit 1106 may display the detailed screen 1100 by dividing the display unit for each classification. For example, it is possible to display only category A and then press a next button (not shown) to display only category B.

Further, the detailed information display section 1106 may display detailed information of one mail. For example, by displaying the detailed information of one email belonging to category A and pressing the next button (not shown), if there is another email belonging to category A, the detailed information of that email is displayed. , when there is no other mail belonging to the category A, the detailed information of the mail belonging to the category B may be displayed.

Further, by selecting the category 1004, the detailed screen 1100 of the mail belonging to the selected category may be displayed, and by selecting the record displayed in the list display area 1006, the details of the mail of the selected record may be displayed. Information may be displayed on the details screen 1100 .

In the embodiment of the present invention, the mail server 101 is configured to execute the process of judging unsolicited junk mail, but the client terminal 102 may be configured to execute the process.

Alternatively, an information processing apparatus in a cloud environment may be configured to execute the process of judging junk mail. In this case, the process may be executed as an external program to the mail server 101 (or mailbox).

Although the embodiments have been described above, the present invention can be embodied as, for example, systems, devices, methods, programs, recording media, and the like. Specifically, it may be applied to a system composed of a plurality of devices, or may be applied to an apparatus composed of a single device.

Further, the program in the present invention is a program that allows a computer to execute the processing methods of the flow charts shown in FIGS. It is The program according to the present invention may be a program for each processing method of each device shown in FIGS.

As described above, a recording medium recording a program for realizing the functions of the above-described embodiments is supplied to a system or device, and the computer (or CPU or MPU) of the system or device reads the program stored in the recording medium. Needless to say, the object of the present invention can also be achieved by reading and executing.

In this case, the program itself read from the recording medium implements the novel functions of the present invention, and the recording medium recording the program constitutes the present invention.

Examples of recording media for supplying programs include flexible disks, hard disks, optical disks, magneto-optical disks, CD-ROMs, CD-Rs, DVD-ROMs, magnetic tapes, non-volatile memory cards, ROMs, EEPROMs, silicon A disk or the like can be used.

Further, by executing the program read by the computer, not only the functions of the above-described embodiments are realized, but also based on the instructions of the program, the OS (operating system) and the like running on the computer are actually executed. Needless to say, a case where part or all of the processing is performed and the functions of the above-described embodiments are realized by the processing are included.

Furthermore, after the program read from the recording medium is written in the memory provided in the function expansion board inserted into the computer or the function expansion unit connected to the computer, the function expansion board is read according to the instruction of the program code. It goes without saying that a case where a CPU or the like provided in a function expansion unit performs part or all of the actual processing and the functions of the above-described embodiments are realized by the processing.

Moreover, the present invention may be applied to a system composed of a plurality of devices or to an apparatus composed of a single device. Moreover, it goes without saying that the present invention can also be applied to a case in which a program is supplied to a system or apparatus. In this case, by loading a recording medium storing a program for achieving the present invention into the system or device, the system or device can enjoy the effects of the present invention.

Furthermore, by downloading and reading out the program for achieving the present invention from a server, database, etc. on the network using a communication program, the system or device can enjoy the effects of the present invention. It should be noted that all configurations obtained by combining each of the above-described embodiments and modifications thereof are also included in the present invention.

100 information processing system 101 mail server 102 client terminal 103 LAN
104 wide area network 105 external mail server

Claims (6)

the computer,
a receiving means for receiving e-mail;
an identifying means for identifying the same or similar e-mails sent from different senders, among the e-mails received by the receiving means;
generating means for generating learning data for discriminating spam by using the information related to the identified e-mail as correct data ;
A program to function as 2. The generation means generates learning data for discriminating spam mail based on information relating to at least one of the text, attached file, and URL of the identified e-mail. program described in . 3. The program according to claim 1, wherein the data generated by said generating means is data used in machine learning. 4. The program according to any one of claims 1 to 3, wherein the data generated by said generating means is data for determining whether a received e -mail is junk mail. a receiving means for receiving e-mail;
an identifying means for identifying the same or similar e-mails sent from different senders, among the e-mails received by the receiving means;
generating means for generating learning data for discriminating spam by using the information related to the identified e-mail as correct data ;
An information processing device comprising: A control method for an information processing device,
a receiving step in which the receiving means receives an e-mail;
an identifying step in which identifying means identifies identical or similar e-mails sent from different senders from among the e-mails received in the receiving step;
a generation step in which the generation means generates learning data for discriminating spam by using the information related to the identified e-mail as correct data ;
A control method for an information processing device, comprising:

Images