JP7453886B2 - Detection device, detection method and detection program - Google Patents

Description

The present invention relates to a detection device, a detection method, and a detection program for detecting junk mail.

Traditionally, many damages have been caused by unsolicited email (spam email). In particular, there are many cases where the sender domain is spoofed and it is not possible to determine whether the email is spam or not based on domain authentication alone. Under these circumstances, methods have been proposed for detecting junk mail from among received mail.

For example, SPF in Non-Patent Document 1 is a mechanism for checking whether a sender domain is spoofed. When an email receiving server receives an email, it queries DNS for the SPF record of the sending domain, and if the sending server is not allowed in the SPF record, it determines that the sending domain has been spoofed. to refuse reception, etc.
Furthermore, DMARK in Non-Patent Document 2 is an extension of SPF, and allows a recipient to send a notification to a legitimate domain administrator that a spoofed email has been received.

Patent Document 1 and Patent Document 2 propose methods for detecting spam mail senders who have correctly set the sender in order to bypass SPF authentication. In these methods, spam mail is determined based on the fact that the contents of SPF records are common between senders of spam mail.
In Patent Document 3, the information that can be disguised (for example, the host name of the source server sent with the helo command, etc.) is different, but the information that cannot be disguised (for example, the source IP address, etc.) is the same. A method has been proposed to classify email as spam.

JP2014-63402A JP2016-31666A JP2016-38681A

“Sender Policy Framework (SPF) for Authorizing Use of Domains in E-Mail, Version 1,” RFC4408, 2006, URL <https://tools.ietf.org/html/rfc4408> “Domain-based Message Authentication, Reporting, and Conformance (DMARC),” RFC7489, 2015, URL <https://tools.ietf.org/html/rfc7489>

By the way, based on the authentication result of the sender by SPF, the email patterns are classified as follows.
Regular pattern 1: A pattern that is determined to be regular in sender authentication (Pass in SPF authentication).
Regular pattern 2: Unable to determine in sender authentication (TempError or None in SPF authentication).
Malicious pattern 1: One that is determined to be legitimate by sender authentication (Pass by SPF authentication).
Malicious pattern 2: Rejected by sender authentication (Fail in SPF authentication).
Malicious pattern 3: Unable to determine in sender authentication (TempError or None in SPF authentication).
Malicious pattern 3-1: Sender authentication information (SPF record) is not registered.
Malicious pattern 3-2: Although disguised as a legitimate domain, the FQDN does not completely match the legitimate pattern 1 and 2.

When determining whether a pattern is legitimate or malicious based only on SPF authentication, for example, in order to pass all legitimate pattern 2, if you set the SPF authentication to consider TempError or None as legitimate, malicious pattern 3 will also pass. In particular, a forged address such as malicious pattern 3-2 is also determined to be legitimate.
In this way, it has been difficult to correctly detect spam email using only authentication based on the sender domain.

An object of the present invention is to provide a detection device, a detection method, and a detection program that can accurately detect junk mail.

The detection device according to the present invention includes an address information acquisition unit that acquires email address information including DNS information regarding a known legitimate email address, and an address information acquisition unit that acquires email address information including DNS information regarding a known legitimate email address, and an address information acquisition unit that acquires email address information including DNS information regarding a known legitimate email address, and an When the result of SPF authentication based on the host part is neither success nor failure, if there is an SPF record for the address host part with the same domain name and including the domain name in the email address information, the received and a determination unit that determines that the received email is likely to be spam.

The detection device includes an email information acquisition unit that acquires email information including DNS information regarding a sending server on a transmission/reception route of the email based on header information in a known legitimate email, and the determination unit When the result of SPF authentication based on the address host part of the sender email address of the email is neither success nor failure, the information that can be spoofed matches and the information that cannot be spoofed does not match. If such email information exists, it may be determined that the received email is likely to be a spam email.

The spoofable information may include a HELO host name of a sending server that directly communicated with the receiving server, a HELO host name of a server other than the sending server, a source IP address, and a reverse host name of the source IP address.

The non-impersonation information may include a source IP address of a transmitting server that directly communicated with the receiving server, and a reverse host name of the source IP address.

The detection method according to the present invention includes an address information acquisition step of acquiring email address information including DNS information regarding a known legitimate email address, and an address information acquisition step for acquiring email address information including DNS information regarding a known legitimate email address. When the result of SPF authentication based on the host part is neither success nor failure, if there is an SPF record for the address host part with the same domain name and including the domain name in the email address information, the received The computer executes a determination step of determining that the received email is likely to be spam.

A detection program according to the present invention is for causing a computer to function as the detection device.

According to the present invention, it is possible to accurately detect unsolicited mail that cannot be determined only by authentication based on the sender domain.

It is a diagram showing a functional configuration of a detection device in an embodiment. It is a flowchart illustrating the processing of the detection device which implements the detection method in the embodiment.

An example of an embodiment of the present invention will be described below.
In the method for detecting spam mail in this embodiment, in cases where it is not possible to determine whether or not the mail is spam based only on the source domain authentication, legitimate mail is disguised by detecting inconsistencies with the sender of legitimate mail. Spam mail is detected.

FIG. 1 is a diagram showing the functional configuration of a detection device 1 in this embodiment.
The detection device 1 is an information processing device (computer) such as a server device or a personal computer, and includes a control section 10, a storage section 20, various data input/output devices, communication devices, and the like.

The control unit 10 is a part that controls the entire detection device 1, and realizes each function in this embodiment by appropriately reading and executing various programs stored in the storage unit 20. The control unit 10 may be a CPU.

The storage unit 20 is a storage area for various programs and various data for causing the hardware group to function as the detection device 1, and may be a ROM, RAM, flash memory, hard disk drive (HDD), or the like.
Specifically, the storage unit 20 stores a program (detection program) for causing the control unit 10 to execute each function of the present embodiment, as well as known email address information, known email information, and the like.

The control unit 10 includes an address information acquisition unit 11, a mail information acquisition unit 12, a domain authentication unit 13, and a determination unit 14.

The address information acquisition unit 11 acquires email address information including the following data regarding a known legitimate email address, and stores it in the storage unit 20.
- Address host part and domain name - Presence or absence of DNS records (SPF (TXT), MX, A) for the host name, and their contents

Note that in the e-mail address, the part after the at mark (for example, @test.example.com) is called the address host part. The address host portion includes a host name (test.example.com) and a domain name (example.com).

The email information acquisition unit 12 acquires email information including the following data based on the header information of each known legitimate email and junk email, and stores it in the storage unit 20.
・Address host part and domain name written in the Return-path header or From header ・Presence or absence of DNS records (SPF (TXT), MX, A) for the host name, and their contents ・DNS related to the sending server on the email sending/receiving route The information includes the IP address, the reverse host name of the IP address, and the domain name of the reverse host.

The domain authentication unit 13 performs SPF authentication on the sender email address of the received email based on the address host part of the sender email address.
Here, as in the above-mentioned legitimate pattern 2 or malicious pattern 3, when the authentication result is neither a success (Pass) nor a failure (Fail), the determination of whether or not it is a spam email is left to the determination unit 14. .

When the authentication result by the domain authentication unit 13 is neither successful nor failed regarding the sender email address of the received email, the determination unit 14 adds the same domain name to the email address information stored in the storage unit 20. , and if there is an SPF record for the address host part that includes this domain name, the received email is determined to be highly likely to be spam email.

Further, when the authentication result by the domain authentication unit 13 is neither successful nor failed regarding the sender email address of the received email, the determination unit 14 determines that the information that can be falsified matches in the storage unit 20 and that the falsification is not possible. If there is mail information whose possible information does not match, the received mail is determined to be highly likely to be spam mail.

Here, the spoofable information is information that can be spoofed among the information related to the email header, and includes the Return-path header, the From header, as well as the sending server and other information that directly communicated with the receiving server described in the Received header. It includes the HELO host name of the sending server, the source IP address of a server other than the sending server that directly communicated with the receiving server, and the reverse lookup host name of the source IP address.
Further, the non-impersonation information includes the source IP address of the transmitting server that directly communicated with the receiving server, the reverse host name of this source IP address, and the like.

In this way, the determination unit 14 determines that the received email is likely to be a spam email disguised as a legitimate email by detecting a conflict in DNS information between the received email and past legitimate emails. do.
The control unit 10 may use an existing detection method in addition to the spam email detection method used by the domain authentication unit 13 and the determination unit 14, thereby improving detection accuracy.

FIG. 2 is a flowchart illustrating the processing of the detection device 1 that implements the detection method in this embodiment.

In step S1, the detection device 1 verifies whether the email address of the received email is a fictitious address. Specifically, the control unit 10 determines whether or not there is a DNS record (for example, an MX record and an A record) according to the protocol for replying to the sender of the received email. If there is no record (if the determination is YES), it is highly likely that the sender address does not exist, and therefore the received email is determined to be highly likely to be spam.
On the other hand, if a DNS record exists (determination is NO), the process moves to step S2.

In steps S2 to S4, the detection device 1 verifies the inconsistency of the received email with the regular email as follows.
In step S2, the control unit 10 uses the domain authentication unit 13 to check the SPF authentication result of the sender email address. If the authentication result is Pass, the control unit 10 determines that the received email is a legitimate email, and if the authentication result is Fail, it can be determined that the email address is forged, so the received email may be a spam email. is judged to be high.
On the other hand, if the authentication result is neither Pass nor Fail (for example, TempError or None), the process moves to step S3.

In step S3, the control unit 10 uses the determination unit 14 to refer to the known legitimate email address information or email information stored in the storage unit 20, and determines whether the SPF record of a different host within the same domain as the sender email address is detected. Determine whether it exists. If the SPF record exists (determination is YES), the sender address of the received email can be determined to be a fake address, so the control unit 10 determines that the received email is likely to be spam email.
On the other hand, if the SPF record does not exist (determination is NO), the process moves to step S4.

In step S4, the control unit 10 causes the determination unit 14 to refer to the known legitimate email information stored in the storage unit 20, and determines whether the information that can be falsified matches the received email and the information that cannot be falsified. It is determined whether or not there is mismatched mail information. If such email information exists (determination is YES), it can be determined that the falsifiable information is falsified, so the control unit 10 determines that the received email is likely to be a spam email.
On the other hand, if the corresponding mail information does not exist (determination is NO), the process moves to step S5.

In step S5, the control unit 10 verifies the commonality between the received email and known spam email. Specifically, the control unit 10 detects information that is relatively less likely to be forged among the above-mentioned information that can be forged, for example, information about a server close to the sender among the route information described in the Received header. It is determined whether the information is the same or the information that cannot be falsified is the same, and if they are the same (determination is YES), the received email is determined to be highly likely to be a spam email.
On the other hand, if there is no common information with known spam mail (determination is NO), the process moves to step S6.

In step S6, the control unit 10 verifies the commonality between the received email and a known legitimate email. Specifically, the control unit 10 determines whether or not the information that cannot be impersonated is the same as a known legitimate email, and if the information is common (determination is YES), the control unit 10 determines that the received email is a legitimate email. judge.
If there is no common falsification impossible information (determination is NO), the control unit 10 determines that the received email is a legitimate email or is uncertain.

Here, if the result of the SPF authentication in step S2 is Pass, the control unit 10 may use, for example, the method disclosed in Patent Document 1 to verify in more detail whether the email is spam or not.
Further, for the e-mail that has been determined to be a spam e-mail in this manner, the e-mail address information and e-mail information are added by the address information acquisition section 11 and the e-mail information acquisition section 12 based on the determination result.

Note that in the processing example described above, the received mail is classified into two types, ie, whether it is junk mail or not, but it is also possible to determine whether the mail is likely to be junk mail. For example, the possibility of spam mail may be determined depending on the degree of commonality or inconsistency with known mail information.

According to this embodiment, the detection device 1 acquires e-mail address information including DNS information regarding a known legitimate e-mail address. When the SPF authentication result for the sender email address of a newly received email is neither successful nor failed, the detection device 1 adds the same domain name and this domain name to the email address information. If there is an SPF record for the host containing the email, the received email is determined to be highly likely to be spam.
Therefore, the detection device 1 can detect spam email senders that could not be detected until now by detecting inconsistencies with legitimate emails, such as having the same domain but with different SPF records. By supplementing existing detection technology, spam mail can be detected with high accuracy.

Furthermore, the detection device 1 acquires mail information including DNS information regarding a sending server on the sending/receiving route of this mail based on the header information of a known legitimate mail. When the SPF authentication result is neither successful nor failed, the detection device 1 detects email information that matches the spoofable information and does not match the spoofable information for the sender email address of the received email. If it exists, the received email is determined to be highly likely to be spam.
Thereby, the detection device 1 can accurately detect spam mail by detecting inconsistencies with legitimate mail, such as receiving mail from the same mail address but from different IP addresses.

Here, the detection device 1 stores the HELO host name of the sending server that directly communicated with the receiving server, the HELO host name of the sending server other than the sending server, the sending source IP address, and the reverse lookup host of this sending source IP address, as information that can be spoofed. Browse names.
Furthermore, the detection device 1 refers to the source IP address of the transmitting server that directly communicated with the receiving server and the reverse host name of this source IP address as information that cannot be impersonated.
Thereby, the detection device 1 can efficiently detect junk mail with high accuracy.

Although the embodiments of the present invention have been described above, the present invention is not limited to the embodiments described above. Further, the effects described in the embodiments described above are merely a list of the most preferable effects resulting from the present invention, and the effects according to the present invention are not limited to those described in the embodiments.

The detection method by the detection device 1 is realized by software. When realized by software, a program constituting this software is installed in an information processing device (computer). Furthermore, these programs may be recorded on removable media such as CD-ROMs and distributed to users, or may be distributed by being downloaded to users' computers via a network. Furthermore, these programs may be provided to the user's computer as a web service via a network without being downloaded.

1 Detection device 10 Control unit 11 Address information acquisition unit 12 Email information acquisition unit 13 Domain authentication unit 14 Judgment unit 20 Storage unit

Claims (6)

an address information acquisition unit that acquires email address information including DNS information regarding known legitimate email addresses;
If the result of SPF authentication based on the address host part of the sender e-mail address of the received e-mail is neither success nor failure, the e-mail address information contains the same domain name and , a determination unit that determines that the received email is likely to be spam email if there is an SPF record of a different host for an address host section that includes the domain name. comprising an email information acquisition unit that acquires email information including DNS information regarding a sending server on a sending/receiving route of the email based on header information in a known legitimate email;
The determination unit is configured to include the same email address in the email address information when the result of SPF authentication based on the address host part of the email address of the received email is neither success nor failure. If there is an SPF record for a domain name and a different host for the address host part that includes the domain name, the received email is determined to be likely to be spam, and if the SPF record does not exist, it is determined to be a spoofed email. 2. The detection device according to claim 1, which determines that the received e-mail is highly likely to be a spam e-mail if there is e-mail information with matching falsification information and mismatching falsification impossibility information. 3. The spoofable information includes a HELO host name of a sending server that directly communicated with the receiving server, a HELO host name of a server other than the sending server, a source IP address, and a reverse lookup host name of the source IP address. Detection measures listed. 4. The detection device according to claim 2, wherein the non-impersonation information includes a source IP address of a transmitting server that directly communicated with the receiving server, and a reverse host name of the source IP address. an address information acquisition step of acquiring email address information including DNS information regarding a known legitimate email address;
If the result of SPF authentication based on the address host part of the sender e-mail address of the received e-mail is neither success nor failure, the e-mail address information contains the same domain name and , a determination step of determining that the received email is likely to be spam email if there is an SPF record of a different host for the address host part including the domain name. A detection program for causing a computer to function as the detection device according to any one of claims 1 to 4.

Images