JP7417847B1 - Gateway devices, communication systems, terminal devices and programs - Google Patents

Abstract

The gateway device determines, from the header of the received email, the domain name of the sender of the email, the host name or IP address of the sending server, the host name or IP address of the exit server, and the link between the sending server and the exit server in question. The number of mail routes is extracted, and the host name or IP address of the extracted sending server, the host name or IP address of the extracted exit server, and the number of mail routes from the extracted sending server to the exit server are and determining means for delivering the email when the information matches the information held in the route holding means.

Description

The present invention relates to a gateway device, a communication system, a terminal device, and a program that improve accuracy in determining the validity of received mail.

In recent years, damage caused by spoofed e-mails, such as e-mails impersonating executives of target companies (spoofed e-mails), has been increasing, causing disadvantages to recipients. In particular, if someone within the company is disguised as the sender, serious damage may occur.
Source domain authentication techniques such as SPF authentication, DKIM, and DMARC are known as techniques for detecting fraudulent emails. Since these source domain authentication techniques require registration of the domain and IP address of the source, there is a problem in that the domains that can be authenticated are limited to registered domains. Additionally, if the source domain or IP address is changed, if the registration information is not changed in a timely manner, there may be problems with authentication not being possible. Patent Document 1 adopts a method of collecting whitelists from a plurality of mail servers and distributing the integrated data to the mail servers to confirm the sender mail server using the latest appropriate sender information.

The fundamental reason why it is difficult to confirm the authenticity of emails is that information on each organization's legitimate email servers is not made public. SPF authentication was an attempt to solve this problem by having each organization register a legitimate mail server, but when the mail server is changed, the registration change may not be done properly, and it is difficult for an attacker to If a similar domain is registered and SPF authentication is set, there are problems such as the email may appear to be legitimate to the recipient.

JP2020-27510A

However, the sender's email address in the email header can be spoofed by the sender (attacker), and the sending server's IP address can also be added to the header by the sender. It is.
Furthermore, the IP address of the sending server may change due to system restart or configuration change.
For this reason, it is not sufficient to simply determine the validity of an email based on the sender's email address, the IP address of the sending server, etc.
An object of the present invention is to improve accuracy in determining the validity of received mail.

In order to solve the above-mentioned problems, the gateway device according to the present invention includes a domain name of a domain for which the number of times mail is transferred (number of routes) between the sending server and the exit server is known, and at least a route holding means that stores a host name or an IP address, at least one of the host name or IP address of the exit server, and the number of routes through which the mail is transferred; Extract the domain name of the sender of the email, the host name or IP address of the sending server, the host name or IP address of the exit server, and the number of routes for the email from the sending server to the exit server concerned device, and extract the extracted sending The host name or IP address of the server, the extracted host name or IP address of the exit server, and the extracted number of mail routes from the sending server to the exit server match the information held in the route holding means. and determining means for distributing the e-mail when the e-mail is sent.

Further, another gateway device according to the present invention includes a credibility holding means for maintaining the credibility of a sender domain according to the sending and receiving history of e-mails for each domain, and a trustworthiness holding means that holds the credibility of a sender domain according to the sending and receiving history of e-mails for each domain, and a trustworthiness holding means that maintains the credibility of the sender domain according to the sending and receiving history of e-mails for each domain. The apparatus includes an extracting means for extracting a domain name, and a distributing means for distributing an e-mail to which information indicating the trustworthiness of a sender domain corresponding to the domain name extracted by the extracting means is added.

Further, another gateway device according to the present invention includes an extraction unit that extracts a sender email address of a received email from the header of the email, and a confirmation that confirms sending of the email to the email address extracted by the extraction unit. The apparatus includes a confirmation means for transmitting an e-mail, and a determination means for distributing the received e-mail when there is a response to the confirmation e-mail.

In the gateway device of the present invention, the determining means determines, from the header of the received email, the domain name of the sender of the email, the host name or IP address of the sending server, the host name or IP address of the exit server, and the sending server. Extract the number of mail routes from the exit server to the relevant device, and extract the host name or IP address of the extracted sending server, the host name or IP address of the extracted exit server, and the number of mail routes from the extracted sending server to the exit server. When the number of routes of the email matches the information held in the route holding means, the email is delivered, thereby improving accuracy in determining the validity of the received email.

1 is a block diagram showing a configuration example of a communication system according to a first embodiment; FIG. FIG. 2 is a block diagram showing a configuration example of a determination server. A diagram showing an example of a public email address table. The figure which shows the example of a credit evaluation standard table. The figure which shows the example of an internal mail information table. The figure which shows the example of an organization basic information table. The figure which shows the example of a mail server information table. A diagram showing an example of a blacklist table. 5 is a flowchart illustrating an example of processing by a determination server when receiving an email. A diagram showing an example of an email header. A diagram showing an example of an email header. The figure which shows the example of the header which a determination part adds. The figure which shows the example of the header which a determination part adds. The figure which shows the example of the screen displayed on the display part of a user terminal. The figure which shows the example of the management screen displayed on a management terminal.

Embodiments of the present invention will be described below, but the present invention is not limited thereto and can be modified as appropriate within the scope of the technical idea of the present invention.
(Embodiment 1)
<Communication system configuration>
FIG. 1 is a block diagram showing an example of the configuration of a communication system according to the first embodiment.
This communication system includes a determination server 10 that can communicate via a network 1 such as the Internet, a receiving server 20 that receives emails, and a sending server 30 that sends emails. The determination server 10 operates as a gateway device for the receiving server 20 to determine received mail. The communication system also includes a Web server 40 that provides Web services, an administrator terminal 50 used by an administrator of the communication system, and a user terminal 60 used by users to send and receive emails. Note that the determination server 10 to user terminal 60 are provided for each organization to be managed, such as within a company or for each department. Further, since a plurality of users use the user terminal 60, a plurality of user terminals 60 are provided. Furthermore, although FIG. 1 shows a case where the reception server 20, transmission server 30, and web server 40 are provided separately from the determination server 10, some of these may be provided within the determination server 10. . Further, this communication system includes an information aggregation server 90 that aggregates data accumulated in the determination servers 10 provided for each of a plurality of organizations, for example.

This communication system also includes sending terminals 70 and 74 that send emails to the receiving server 20 and the like, and sending servers 71 and 75. Note that the sending terminal 70 and sending server 71 are assumed to be terminals used for sending legitimate mail, and the sending terminal 74 and sending server 75 are assumed to be terminals used for sending fraudulent mail.
Although it depends on the configuration of the network 1, the transfer of e-mail sent from a sending server in a remote location is generally performed via multiple sending servers (SMTP servers). , the sending server that finally sends the mail to the external network 1 is conveniently referred to as an exit server.

Mail from the sending server 71 is sent to the external network 1 via the exit server 72. Note that another transmission server may intervene between the transmission server 71 and the exit server 72 depending on the network configuration within the organization, the use of hosting services, etc. In this case, a Recieved header is added to the email when the email is transferred between the sending servers.
Further, the mail from the sending server 75 is sent to the external network 1 via the exit server 76. Note that the sending terminal 74 and the sending server 75 may be configured as one device, or the sending terminal 74, the sending server 75, and the exit server 76 may be configured as the same device.
Note that although it is assumed that the sending terminal 70 and the sending server 71 are provided outside the organization, it is also assumed that the sending terminal 70 and the sending server 71 are provided within the organization when sending mail to a destination within the organization. This communication system also includes a DNS server 81 that manages the correspondence between IP addresses and domain names.

Further, the user terminal 60 is configured with an information processing device such as a personal computer or a mobile information terminal, and includes a mail client 61 and a display section 62. As will be described later, the email client 61 includes a display plug-in 611 that displays on the display unit 62 a display corresponding to the email credibility score that is added to the email header by the determination server 10 and indicates the reliability of the sender. .

FIG. 2 is a block diagram showing an example of the configuration of the determination server 10.
The determination server 10 includes a history analysis unit 11 that analyzes the reception history of the reception server 20 and transmission history of the transmission server 30, a determination unit 12 that determines the mail received via the network 1, and holds various data. The data storage unit 13 is provided with a data holding unit 13 for storing data. The determination server 10 also operates as a gateway device (or a proxy server) that determines the validity of mail received via the network 1 and supplies the mail to the receiving server 20 if predetermined conditions are met.

The data holding unit 13 holds various tables used for judgment in the judgment unit 12, as shown in FIGS. 3 to 8, for example. Further, in the quarantine area or hold area of the data holding unit 13, mails that are “quarantined” or “held” as a result of the determination by the determination unit 12 are stored.
FIG. 3 is a diagram showing an example of the public email address table 101 stored in the data holding unit 13.
In this public e-mail address table 101, for each organization to be managed, a "destination address credibility score" is stored in association with each "e-mail address (part excluding domain)" that is made public to the outside. Specifically, as shown in FIG. 3, the destination address credibility score is lowered for email addresses published on the organization's website or the like. Note that a separate score (for example, "0.5", etc.) may be set for a limitedly disclosed e-mail address (for example, "sales" in the case of FIG. 3). Note that for e-mail addresses not included in the public e-mail address table 101, the destination address credibility score is set to "1", for example. Further, the information in the public email address table 101 is set as an initial setting, for example, when starting operation of the communication system, but the settings may be changed as appropriate from, for example, the administrator terminal 50.

FIG. 4 is a diagram showing an example of the credibility evaluation criteria table 102 stored in the data holding unit 13.
This credibility evaluation standard table 102 is a table that defines a corresponding "email credibility score" (to be described later) and a corresponding credibility rank for each "credibility rank". This credibility evaluation standard table defines a "credibility rank" corresponding to each "email credibility score" separated by a predetermined threshold. Note that the details of the operation according to the credibility rank will be described later. Further, the value of the threshold value (in the case of FIG. 4, "70" and "30") can be set as appropriate.

<Whitelist>
5 to 7 are diagrams showing examples of each table included in the "white list" stored in the data holding unit 13 and used to determine the trustworthiness of a sender of an email.
FIG. 5 is a diagram showing an example of the whitelist internal email information table 103.
This internal email information table 103 contains information about known organizations within the company, affiliated companies, existing business partners, etc. for which the route between the host name or IP address of the sending server 71 and the exit server 72 is clearly understood. For example, "organization name", "domain", "sender host name (host name of the sending server 71)", "sender IP address (IP address of the sending server 71)", "exit server name (exit server 72 host name),""exit server IP address (IP address of exit server 72)," and "route" indicating the number of routes from the sending server to the exit server are stored in association. Note that if the host names and IP addresses of the sending server 71 and the exit server 72 have a one-to-one correspondence in the DNS server 81, either one may be registered. Since the IP address may change, it is desirable to register both.

To the header of the email, each sending server that transfers the email adds the host name and IP address of the sending server that received the email, and a Received header that includes the host name and IP address of the sending server. "Route" in the above-mentioned internal mail information table 103 indicates the number of routes between the Received header added by the sending server 71 and the Received header added by the exit server 72 included in the header of the mail, as described later. It is a number. For example, in the case of company X in the first line of FIG. 5, the number of routes is three in the header of a regular email, as shown in FIG. 10, for example.
Note that when a plurality of domains exist in the same organization, each piece of information is stored in association with each domain, as shown in FIG. In the case of FIG. 5, there is a plurality of transmission servers 71 as transmission sources, but there is one exit server 72. Further, regarding affiliated companies, business partners, etc., similar information is stored for each affiliated company, business partner, etc.
Although these pieces of information are set as initial settings when the communication system starts operating, for example, the settings may be changed as appropriate from the administrator terminal 50 or the like.
For known organizations that have a clear understanding of the host name or IP address of the sending server 71, such as within the company, affiliated companies, or existing business partners, and the route to the exit server 72, use the internal email information table. 103 and determine the validity of the received email based on the table, it is possible to improve the reliability of the validity determination.

FIG. 6 is a diagram showing an example of the whitelist organization basic information table 104.
This organization basic information table 104 includes information about known communication partners (organizations) such as "organization name,""domain,""address,""telephonenumber,""number of emails sent," and "number of emails received." ”, the average value of a series of email transmissions and receptions (threads), “thread average”, “transaction period” with the organization, and “organizational credit score”, which will be described later, are stored in association with each other. Note that the "number of transmissions" is the total number of emails sent by the sending server 30 to the organization, the "number of receptions" is the total number of emails received by the receiving server 20 from the organization, and the "transaction period" is This is the number of days since the first email received by the receiving server 20.

The "organization name", "domain", "address", and "telephone number" in the organization basic information table 104 are set as initial settings when starting the operation of the communication system. The settings may be changed as appropriate. Further, "address" and "telephone number" do not necessarily have to be set.
The “number of transmissions”, “number of receptions”, “thread average”, and “transaction period” in the organization basic information table 104 are calculated by the history analysis unit 11 from the reception history of the reception server 20 and the transmission history of the transmission server 30. .
Further, the "organizational credit score" is calculated by the history analysis unit 11 using the number of transmissions, the number of receptions, the thread average, and the transaction period, as described later. The number of sent, received, thread average, and transaction period change daily, so they are updated daily. The history analysis unit 11 also updates the organizational credit score on a daily basis based on these updates.

The organizational credit score is calculated, for example, using the following calculation formula, but the calculation formula may be changed as appropriate depending on the actual status of email transmission and reception, the accuracy of the required determination, and the like.
Specifically, for example, if the organizational credit score is set to 100 when the following conditions are satisfied: number of transmissions: 500, number of receptions: 500, thread average: 10, and transaction period: 365 days, the calculation formula is as follows.

Organizational credibility score = MIN (25 x (number of sent/500), 25) + MIN (25 x (number of received/500), 25) + MIN (25 x (thread average/10), 25) + MIN (25 x (transaction period) /365),25)
Here, MIN(A, B) is a function that becomes B when A≧B and becomes A when A<B.

For example, in the case of Corporation A registered in the first row of the organizational credit basic information table 104 in FIG. Applying it to the formula,
Organizational credit score = MIN (25 x (201/500), 25) + MIN (25 x (254/500), 25) + MIN (25 x (23.4/10), 25) + MIN (25 x (1023/365) ), 25) = 10.05 + 12.7 + 25 + 25 = 72.75
becomes.

<Calculation of email credibility score>
Further, the determination unit 12 calculates a mail credibility score for each mail received via the network 1. For example, the following calculation formula can be used to calculate the email credibility score, but the calculation formula may be changed as appropriate depending on the actual status of email transmission and reception, the accuracy of the required determination, etc.

Email credibility score = destination email address credibility score × organization credibility score

That is, in this embodiment, the product of the "destination e-mail address credibility score" in FIG. 3 corresponding to the destination e-mail address of the received e-mail and the "organization credibility score" in FIG. 6 corresponding to the organization from which the e-mail is sent is calculated. The trustworthiness of each email is determined by

FIG. 7 is a diagram showing an example of the whitelist mail server information table 105.
This mail server information table 105 stores "organization name", the IP address of the sending server 71, and the host name of the sending server 71 in association with each other for known communication partners (organizations).
The host name to be registered in the mail server information table 105 is extracted by the history analysis unit 11 from the Received header of the email received by the reception server 20.The history analysis unit 11 stores all the extracted data in the mail server information table. Register at 105.

<Blacklist>
FIG. 8 is a diagram showing an example of the blacklist table 106 held in the data holding unit 13.
The "IP address" and "host name" of the sending server that sent the spoofed email are registered in this blacklist table 106.
Note that when starting operation of the communication system, an empty blacklist table 106 is created as an initial setting. During operation of the communication system, if the determining unit 12 determines that the received email is fraudulent, it registers the IP address and host name of the sending server of the email in a blacklist.

<Operation overview>
The communication system of this embodiment does not simply determine whether or not email delivery is possible based on the sender's email address, the sending server's IP address, etc., as in the past, but it performs the following three main processes. In combination, the accuracy in determining the legitimacy of received emails is improved.
The difficulty in determining the legitimacy of received emails is that the host name, IP address, etc. of the legitimate sender's mail server are not made public, and it is unclear whether the email was sent from a legitimate mail server. .
1. Adding email credibility score 2. Determining the route if the email is from a sender within the organization (a known organization whose route is clearly known) 3. Confirmation of the sender of the email In this embodiment, an example will be described in which all of the above three processes are implemented, but it is also possible to implement any one process or a combination of any two processes. It is also possible. By implementing at least one of the processes, it is possible to improve accuracy in determining the validity of received mail.

<Operation when receiving email>
FIG. 9 is a flowchart illustrating an example of processing by the determination server when receiving mail.
Upon receiving the email via the network 1, the determination unit 12 of the determination server 10 starts the process shown in FIG.
The determining unit 12 receives the email in S11, and in subsequent S12 extracts the IP address of the sender's mail server, the host name of the sender's mail server, and the sender's email address from the header of the received email.

In S13, the determination unit 12 determines whether the domain of the sender's email address matches the domain registered in the internal email information table 103, and if they match, in S14, the domain of the received email It is determined whether the sender host name, sender IP address, exit server name, exit server IP address, and route in the header match each piece of information registered in the internal mail information table 103.
If they match, the determination unit 12 sets the email credibility score to a full score (for example, 100) in S15, and sets the score and the corresponding score in the header of the received email, for example, as shown in FIG. 12(A). Information indicating a message displaying the credibility rank (for example, an "X-Hantei" header) is added and delivered to the receiving server 20, and the process of FIG. 9 is ended.
Note that the information added to the "X-Hantei" header is not limited to this example, and may be, for example, only the credibility score or only information indicating the credibility rank.
The display plug-in 611 of the mail client 61 that receives the mail including such an "X-Hantei" header from the receiving server 20 displays the display part 62 in accordance with the "X-Hantei" header, for example, as shown in FIG. A display 621 corresponding to the "X-Hantei" header is displayed.

On the other hand, in S14, any one of the sender host name, sender IP address, exit server name, exit server IP address, and route in the header of the received mail differs from each information registered in the internal mail information table 103. In this case, since the email disguises the sender within the organization, the determining unit 12 stores the email in the isolated area of the data storage unit 13 in S16, and registers the email if it is not registered in the blacklist. , the process in FIG. 9 ends.
For example, even if the source email address in the email header (the email address in the envelope From) is within your organization, if the source host name and source IP address are different, then the legitimate sending server 71 It is not an e-mail sent by , but a fake e-mail from the sending server 75 that disguised the sender.

FIG. 10 is a diagram showing an example of the "Recieved" header 201 that is added to the receiving mail by each mail server on the transfer route until reaching the determination server when the sender within the authorized organization sends the mail. be.
Figure 11 shows the sender of a fake email. When a fake email is sent with the same "Recieved" header added to the legitimate email for camouflage, each email server in the transfer route until it reaches the determination server is sent to the receiving side. FIG. 3 is a diagram showing an example of a "Recieved" header added to an email.
In this example, the sender of the fake email (for example, the terminal device 74) adds a "Recieved" header 202 similar to that of the legitimate email for disguise, but from the sending terminal 74 that is the actual sender, the exit server Transfer history 203 up to 76 has been added.
When such an email is received, it may not be possible to distinguish it from a legitimate email simply by checking the sender's host name and IP address in the header.
However, if a disguised "Recieved" header 202 is added, a transfer history 203 from the sending terminal 74, which is the actual source, to the exit server 76 is added, and the number of routes to the actual exit server 76 increases. Therefore, as in this embodiment, by comparing the number of routes with the routes (number of routes) registered in the in-house email information table 103, it is possible to determine that the email is fraudulent, and to check the validity of the received email. The accuracy can be improved in the determination of In the case of FIG. 11, the determining unit 12 determines the difference between the "Recieived" header added last by the exit server and the "Recieived" header added (disguised as such) by the first sending server. Judge by the number of routes.

In S13, if the domain of the sender's email address does not match the domain registered in the internal email information table 103, the determination unit 12 determines in S17 that the domain of the sender's email address of the received email or It is determined whether the IP address is registered in the blacklist table 106.
If it is registered, the determination unit 12 stores the email in the isolated area of the data storage unit 13 in S18, and if it is not registered in the blacklist, it is registered and the process of FIG. 9 ends.

If the host name or IP address of the sender's email address is not registered in the blacklist table 106, the determination unit 12 determines whether the domain of the sender's email address is registered in the organization basic information table 104 in S19. Determine whether or not there is. If it is registered, the determining unit 12 determines in S20 whether the IP address of the sender's mail server matches the IP address registered in the mail server information table 105.
If they match, in S21, the determination unit 12 converts the email credibility score into the organization credibility score registered in the organization basic information table 104, as shown in FIGS. 12(B) and 12(C), for example. Then, information indicating the score (for example, "X-Hantei" header) is added to the header of the received e-mail, and the e-mail is transferred to the receiving server 20, and the process of FIG. 9 ends.
The display plug-in 611 of the mail client 61 that receives the mail including such an "X-Hantei" header from the receiving server 20 displays the message as shown in FIG. 14, for example, according to the score of the "X-Hantei" header. The section 62 displays a display 622 or a display 623 corresponding to the score of the "X-Hantei" header.

In S19, if the domain of the sender's e-mail address is not registered in the organization basic information table 104 of the whitelist, this is the first time the e-mail has been sent from the sender's organization, so the determination unit 12 performs S22. At this point, the mail is stored in the hold area of the data holding unit 13, and the process of FIG. 9 is ended. Note that, as will be described later, when the e-mail stored in the hold area of the data holding unit 13 is released from the hold state by an operation from the administrator terminal 50, it is transferred to the receiving server 20 and sent to the user terminal 60. It will be available for viewing from. At this time, the determination unit 12 sets the e-mail credibility score to "-1" indicating that this is the first e-mail, and, as shown in FIG. header).
The display plug-in 611 of the mail client 61 that receives the mail including such an "X-Hantei" header from the reception server 20 displays the display part 62 in accordance with the "X-Hantei" header, for example, as shown in FIG. display 624 is displayed.

In S20, the domain of the sender's e-mail address is registered in the organization basic information table 104 of the whitelist, but the IP address of the sender's mail server does not match the IP address registered in the mail server information table 105. In this case, in S23, the determination unit 12 instructs the sending server 30 to send a confirmation email addressed to the email address of the email sender.
This confirmation email includes, for example, a quoted portion of the received email and link information for the confirmation address of the Web server 40. Note that instead of the link information to the confirmation address of the Web server 40, the message may be a message requesting the other party to reply to the confirmation email.
S23 is executed when an email is sent from an organization registered in the whitelist, but the IP address of the sending server is different from the IP address registered in the mail server information table 105. , it is unclear whether the email is a spoofed email or whether the sender's system configuration has changed. Therefore, the determination unit 12 sends a confirmation email to the email address from which the email was sent.

In S24, the determination unit 12 determines whether or not the other party has accessed the Web server 40 according to the link information and confirmed the transmission of the email in response to the confirmation email sent in S23. When confirming that the other party has confirmed the transmission of the email by a notification from the web server 40, etc., the determination unit 12 adds information indicating the score to the header of the received email (for example, "X-Hantei" header) in S25. etc., and transfers the email to the receiving server 20, and changes and registers the IP address and host name of the sender of the email in the email server information table 105, and ends the process of FIG.

If it cannot be confirmed that the other party has confirmed the transmission of the email within the predetermined period, the determination unit 12 stores the received email in the isolated area of the data storage unit 13 and transmits the email in S26. The IP address and host name of the sender are registered in the blacklist table 106 in association with the organization name that is the source, and the process of FIG. 9 is ended.

<Operation of administrator terminal 50>
In addition to the maintenance and management of the various tables described above, the administrator terminal 50 is also capable of checking and managing the status of the mail stored in the data holding unit 13 in S22 described above.
Specifically, the web browser of the administrator terminal 50 is used to access a screen for managing emails stored in the quarantine area and hold area of the data storage unit 13 by the determination server 10 via the web server 40. be able to.
The determination server 10 generates HTML data for displaying a management screen in response to a request from the administrator terminal 50 via the Web server 40 and supplies it to the administrator terminal 50 via the Web server 40 . The administrator terminal 50 displays, for example, a management screen 55 shown in FIG. 15 in accordance with the supplied HTML data.
This management screen 55 includes a sender email address display area 551a, a subject display area 551b, a score display area 551c, a delivery instruction button 551d, and a delete button for each email stored in the quarantine area and hold area of the data holding unit 13. A list of displays 551 including instruction buttons 551e and an email body display area 552 in which the body of the selected email is displayed are displayed. The operator of the administrator terminal 50 selects whether to deliver or delete the email based on the reliability score, sender email address, and email text, and clicks the corresponding delivery instruction button 551d and deletion instruction button 551e. instruct.
Thereby, the operator of the administrator terminal 50 checks the contents of the mail stored in the hold area, and if there is no problem, changes the status to, for example, "deliverable". In response to this change in status, the determination server 10 delivers the email to the receiving server 20. The operator of the administrator terminal 50 can check the contents of the email stored in the quarantine area and delete it, as well as forward it to a specific address by pressing the delivery instruction button.
Note that in the above explanation, emails to be quarantined or held are stored in the quarantine area or hold area of the data holding unit 13, but emails with associated information such as the quarantine flag or hold flag are stored in the data holding unit 13. , and the quarantined or held mails may be determined based on information such as each flag.

As explained above, in this embodiment, emails that are determined to be fraudulent are isolated without being forwarded to the receiving server 20, and emails that cannot be determined to be fraudulent are determined by the credibility of the email. By adding information indicating the email and forwarding it to the receiving server 20, the recipient of the email (the user of the user terminal 60) can judge the credibility of the received email, and the authenticity of the received email can be determined accurately. can improve sex. In addition to this, you can further improve accuracy by sending confirmation emails to suspicious emails.
Note that, for example, a confirmation email may be sent for all received emails. This makes it possible to improve accuracy in determining the validity of received mail.
Furthermore, for example, by simply adding the above-mentioned information indicating the credibility of the email to the email transferred to the receiving server 20, the recipient of the email (the user of the user terminal 60) can judge the credibility of the received email. It is possible to improve accuracy in determining the validity of received mail.
In addition, in this embodiment, a known organization that can accurately grasp the host name and IP address of the sending server 71 such as within a company, an affiliated company, or an existing business partner and the route to the exit server 72 sends data. By determining the route of the original email, it is possible to improve accuracy in determining the validity of the received email.

Note that the determination unit 12 transmits the information listed in the blacklist table 106 in FIG. 8 to the information aggregation server 90. Although the judgment server 10 is provided for each organization, the blacklist information aggregated in the information aggregation server 90 may be provided to the judgment servers 10 of other organizations according to requests, permission conditions, etc. good. In this case, the determination server 10 is provided with a function of registering the provided blacklist. By registering and managing the blacklist table 106 using blacklist tables of other organizations, the blacklist table 106 can be refined, and the workload can be reduced.

DESCRIPTION OF SYMBOLS 1... Network, 10... Judgment server, 11... History analysis unit, 12... Judgment unit, 13... Data holding unit, 20... Receiving server, 30... Transmitting server, 40... Web server, 50... Administrator terminal, 60... User Terminal, 61, Mail client, 611... Display plug-in, 62... Display unit, 70, 74... Sending terminal, 71, 75... External sending server, 72, 76... Exit server, 81... DNS server, 90... Information aggregation server

Claims (9)

A domain name of a domain for which the number of times mail is transferred (number of routes) between the sending server and the exit server is known, at least one of the host name or IP address of the sending server, and at least the host name of the exit server. or a route holding means that associates and holds one of the IP addresses and the number of routes through which the email is transferred;
From the header of the received email, the domain name of the sender of the email, the host name or IP address of the sending server, the host name or IP address of the exit server, and the number of email routes from the sending server to the exit server in question. The route holding means extracts the host name or IP address of the extracted sending server, the extracted host name or IP address of the exit server, and the number of mail routes from the extracted sending server to the exit server. a determining means for delivering the email if the information matches the information held in the email;
A gateway device comprising: Equipped with a credibility maintenance means that maintains the credibility of the sender domain according to the email sending and receiving history for each domain name,
The determining means is
Extracting means for extracting a domain name of a sender email address of a received email from the header of the email;
Adding means for adding information indicating trustworthiness of a source domain corresponding to the domain name extracted by the extraction means;
The gateway device according to claim 1, further comprising: Equipped with a confirmation means that sends a confirmation email to confirm the sending of the email to the email address of the email sender in the header of the received email,
The determining means is
delivering the received email when there is a response to the confirmation email;
The gateway device according to claim 1 or claim 2, characterized in that: The determining means is
blacklist holding means for holding at least either the host name or the IP address of the sending server of the email to be quarantined;
a registration means for registering a blacklist of determination means of other organizations;
The gateway device according to claim 1 or 2 , comprising: The determining means is
blacklist holding means for holding at least either the host name or the IP address of the sending server of the email to be quarantined;
a registration means for registering a blacklist of determination means of other organizations;
4. The gateway device according to claim 3, further comprising: The gateway device according to claim 1 or claim 2 ;
A receiving server that receives emails,
A communication system comprising: The gateway device according to claim 3;
A receiving server that receives emails,
A communication system comprising: The gateway device according to claim 4,
A receiving server that receives emails,
A communication system comprising: to the computer,
From the header of the received email, the domain name of the sender of the email, the host name or IP address of the sending server, the host name or IP address of the exit server, and the number of email routes from the sending server to the exit server in question. to extract,
The host name or IP address of the extracted sending server, the host name or IP address of the extracted exit server, and the number of mail routes from the extracted sending server to the exit server, from the sending server to the exit server. a domain name of a domain for which the number of times (number of routes) mail is forwarded to is known; at least one of the host name or IP address of the sending server; and at least one of the host name or IP address of the exit server; Delivering the email if the information matches the information held in the route holding means that associates and holds the number of routes through which the email is forwarded;
A computer program characterized by:

Images