KR101989509B1 - A security system and method for e-mail - Google Patents

Abstract

The present invention relates to an e-mail processing system and a method thereof. According to the present invention, the e-mail processing system comprises an e-mail security processing unit including a malicious code detection unit removing file content when a malicious code is detected in the file content attached to an e-mail received from an external server/terminal, and an execution tag removing unit removing an execution tag included in the e-mail to prevent execution of the malicious code before a user confirms the e-mail received through an internal server/terminal. Accordingly, a delicate security process for the e-mail is realized before the user confirms the e-mail received through the internal server/terminal, thereby preventing miscommunication such as non-recognition of e-mail reception between transmission and reception sides of the e-mail.

Description

BACKGROUND OF THE INVENTION 1. Field of the Invention [0001] The present invention relates to an e-

The present invention relates to an electronic mail processing system and method, and more particularly, to an electronic mail processing system and method, and more particularly, to an electronic mail processing system and method for detecting a malicious code in a file content attached to an electronic mail received from an external server / terminal. And an execution tag removal unit for preventing an execution tag malicious code execution before a user checks an e-mail received through the internal server / terminal by removing the execution tag included in the e-mail, And more particularly, to a system and method for preventing miscommunication, such as an unauthorized reception of an electronic mail, between a sending side and a receiving side of an electronic mail by allowing a sophisticated security processing to be performed on the electronic mail before confirmation of the recipient via the internal server / terminal.

As the popularization and speeding up of the Internet become common, the speed of the PC and the line speed of the Internet environment is becoming common. These environments provide convenience for Internet use, but various PCs are vulnerable to fatal external attacks by various kinds of malicious codes (or hacking codes). Especially, most companies that perform business according to e - mail are constantly exposed to malicious code attacks. Here, malicious code is a generic term for executable code written for malicious purposes. It can be classified into viruses, worms, Trojan horses, etc., depending on the ability to self-replicate and the target of infection.

In order to prevent attacks based on malicious code, in most e-mail security systems used by companies, if a malicious code is detected in a file content attached to an e-mail transmitted from the outside, the e-mail itself is blocked A method of making the receiving side unable to confirm or a method of alternately transmitting a notification mail indicating that the receiving side has blocked the e-mail is used.

First, when the transmission of the e-mail is interrupted, the communication between the transmitting side and the receiving side of the corresponding e-mail is disconnected, and the receiving side can not recognize whether or not the e-mail is transmitted.

In addition, even when the notification mail is transmitted to the receiving side, it may happen that the content of the blocked electronic mail is completely different from that of the blocked electronic mail so that it is impossible to know which electronic mail has been blocked.

In this case, the receiving side must separately check whether the corresponding e-mail is transmitted to the transmitting side. If it is confirmed that the sending side has transmitted the e-mail, the receiving side should again check whether the e-mail is blocked from the security system operating organization, It is a reality that the process is very troublesome, so that there is a lot of disruption in the progress of the work.

In order to solve the above-described problems, the inventor of the present invention has found that when malicious code is included in file contents attached to an electronic mail, only the file content is removed and only the execution tag and executable code included in the body text are removed, The present invention discloses a new system and method for transmitting an e-mail that has been secured without compromising the layout (design) of the apparatus.

Korean Patent Publication No. 10-2017-0100234 " E-mail data security system &

SUMMARY OF THE INVENTION Accordingly, the present invention has been made keeping in mind the above problems occurring in the prior art,

When a malicious code is detected after a security check on a file content attached to an e-mail received from an external server / terminal, the file content is removed and the file content is transmitted to the internal server / Mail is not blocked in the enterprise security system, thereby preventing communication disconnection between the sender and the receiver due to the non-receipt of the e-mail. There is a purpose.

The present invention also relates to a method and apparatus for receiving content from an internal server / terminal by removing an execution tag included in a body of an electronic mail or the like in an electronic mail security processing unit before receiving an internal server / terminal of an electronic mail transmitted from an external server / Mail system and a method for preventing direct or indirect attacks using malicious code on the side of a user.

The present invention also provides an e-mail processing method for replacing the file contents with an image file including a warning message upon removal of file contents due to malicious code detection, thereby allowing the recipient to clearly identify the existence of file contents and the cause of deletion of the file contents System, and method.

In addition, the present invention classifies an execution tag and a non-execution tag included in the body of an electronic mail, based on information on an execution tag previously stored in the storage unit, (Design) of the original is removed in order to prevent the deletion of the original layout (design) and the like related to the e-mail processing system and method.

Further, the present invention enhances the security of an e-mail receiving side through an internal server / terminal by detecting and removing an execution tag included in the body of an e-mail based on information about an execution tag previously stored in the storage unit The present invention is directed to an electronic mail processing system and method.

The present invention also provides an e-mail processing system and method for enhancing security on an e-mail receiving side by removing only the executable code when an executable code is set in the tag attribute, There is a purpose.

Further, the present invention measures the degree of mutual similarity between the first image of the original e-mail and the second image of the securely processed e-mail to check whether the layout (design) of the processed e-mail is consistent and transmits the same to the internal server / The present invention provides an electronic mail processing system and method that can maximize the preservation of the text and layout of an electronic mail original in secure electronic mail.

Further, in the present invention, if the result of the similarity measurement of the first and second images is less than / equal to a predetermined value, the layout (design) of the original e-mail is maintained by repeatedly driving the execution tag remover until the value exceeds / And an e-mail processing system and method for preventing confusion on the receiving side.

In addition, according to the present invention, the start and end portions of a non-standard execution tag learned by self-learning in accordance with the execution tag elimination repetition driving are continuously stored in one side, so that the original processing time is significantly shortened The present invention provides an e-mail processing system and method that enable faster and more accurate security processing.

In order to achieve the above-mentioned object, the present invention can be implemented by the following embodiments.

According to an embodiment of the present invention, an e-mail processing system according to the present invention includes: a malicious code detection unit for removing the file content when malicious code is detected in file contents attached to an e-mail received from an external server / terminal; And an execution tag removing unit for preventing execution of malicious code before confirming an e-mail received through the internal server / terminal by removing the execution tag included in the e-mail .

According to another embodiment of the present invention, the malicious code detecting unit of the e-mail processing system according to the present invention includes: a file content checking module for checking whether file content is present in received e-mail; A security check module for performing a security check on the file contents when a file content is attached; And a substitute image providing module for replacing the file content in which the malicious code is detected when the malicious code is detected in the attached file content, with an image file including the warning message.

According to another embodiment of the present invention, in the e-mail processing system according to the present invention, the execution tag remover includes a tag type analysis module for classifying the execution tag and the non-execution tag, And an execution tag removing module for removing the execution tag from the e-mail.

According to another embodiment of the present invention, the execution tag removing unit of the e-mail processing system according to the present invention is classified as a non-executed tag through the tag type analysis module, but when an execution code is set in the attribute of the non- And an execution code removing module for removing only the execution code from the non-execution tag.

According to still another embodiment of the present invention, the e-mail security processing unit of the e-mail processing system according to the present invention is characterized in that the e-mail security processing unit of the e-mail processing system includes an e-mail original image received from an external server / terminal and a processed e-mail image And an image comparison module for measuring mutual similarity.

According to another embodiment of the present invention, the image comparison module of the e-mail processing system according to the present invention repeatedly executes the executable code remover until the measured image similarity is equal to or less than the predetermined value And an iterative execution instruction module for instructing the execution of the instruction.

According to another embodiment of the present invention, the e-mail security processing unit of the e-mail processing system according to the present invention attaches link information for allowing the e-mail source to be viewed on one side of the body of the processed e- And a link generation unit for allowing a recipient who confirms the e-mail through the terminal to check the original if necessary.

According to another embodiment of the present invention, the e-mail security processing unit of the e-mail processing system according to the present invention continuously stores the start and end portions of the non-standard execution tag learned by the repetitive execution instruction module, And a storage unit in which information on the execution tag and / or the execution code is stored in advance.

According to another embodiment of the present invention, the filename of the image file provided by the substitute image providing module of the e-mail processing system according to the present invention is generated so that the malicious code matches the file name of the detected file content, And the format of the original is maintained as it is.

According to another embodiment of the present invention, the file name of the image file provided by the substitute image providing module of the e-mail processing system according to the present invention is generated so that the detected malicious code name is displayed together with the file name of the attachment, The intruder can intuitively grasp the blocking situation due to the detection of the file contents malicious code.

According to another embodiment of the present invention, an execution tag removed by driving the execution tag removal module of the e-mail processing system according to the present invention is an execution tag included in HTML.

The present invention has the following effects with the above-described configuration.

When a malicious code is detected after a security check on a file content attached to an e-mail received from an external server / terminal, the file content is removed and the file content is transmitted to the internal server / It is possible to prevent the disconnection of communication between the sender and the receiver due to not receiving the e-mail because the e-mail in which the malicious code is detected is not blocked in the enterprise security system.

The present invention also relates to a method and apparatus for receiving content from an internal server / terminal by removing an execution tag included in a body of an electronic mail or the like in an electronic mail security processing unit before receiving an internal server / terminal of an electronic mail transmitted from an external server / The attacker can prevent the direct or indirect attack using the malicious code for the user.

In addition, the present invention replaces the file content with an image file including a warning message upon removal of file content due to malicious code detection, thereby allowing the recipient to clearly understand the existence of the file content and the cause of deletion of the file content .

In addition, the present invention classifies an execution tag and a non-execution tag included in the body of an electronic mail, based on information on an execution tag previously stored in the storage unit, Feel) is removed and the layout (design) of the original is prevented from being deleted in advance.

Further, the present invention enhances the security of an e-mail receiving side through an internal server / terminal by detecting and removing an execution tag included in the body of an e-mail based on information about an execution tag previously stored in the storage unit It is possible to exhibit an effect of making it.

Also, although the present invention is classified as a non-executed tag, if the execution code is set in the tag attribute, the security of the e-mail receiving side is further enhanced by removing only the corresponding execution code.

Further, the present invention measures the degree of mutual similarity between the first image of the original e-mail and the second image of the securely processed e-mail to check whether the layout (design) of the processed e-mail is consistent and transmits the same to the internal server / So that it is possible to maximize the preservation of the text and the layout of the original e-mail in the secured e-mail.

Further, in the present invention, if the result of the similarity measurement of the first and second images is less than / equal to a predetermined value, the layout (design) of the original e-mail is maintained by repeatedly driving the execution tag remover until the value exceeds / It is possible to prevent confusion on the receiving side.

In addition, according to the present invention, the start and end portions of a non-standard execution tag learned by self-learning in accordance with the execution tag elimination repetition driving are continuously stored in one side, so that the original processing time is significantly shortened So that the security processing can be performed more quickly and accurately.

1 is a block diagram of an electronic mail processing system according to one embodiment of the present invention;
2 is a block diagram of an electronic mail security processing unit according to FIG. 1;
3 is a flowchart illustrating an e-mail processing method according to an embodiment of the present invention;

Hereinafter, embodiments of the present invention will be described in detail with reference to the accompanying drawings. The embodiments of the present invention can be modified into various forms and the scope of the present invention should not be construed as being limited to the following embodiments but should be interpreted based on the matters described in the claims. Furthermore, the present embodiments are provided to more fully explain the present invention to those skilled in the art.

Prior to describing the present invention, an e-mail 'original' refers to an unprocessed e-mail itself that has not been securely transmitted through the external server / terminal 10 at the transmitting end. The 'processed' electronic mail means an electronic mail whose file content has been deleted and / or the execution tag / code has been removed through the electronic mail security processing unit 30.

Hereinafter, an e-mail processing system and a method thereof according to an embodiment of the present invention will be described in detail with reference to the drawings.

1 is a block diagram of an electronic mail processing system according to one embodiment of the present invention; 2 is a block diagram of an e-mail security processing unit according to FIG.

Referring to FIG. 1, an e-mail processing system according to an embodiment of the present invention includes an external server / terminal 10; Internal server / terminal 20; And an e-mail security processing unit 30.

The external server / terminal 10 may be any known or known various arbitrary < RTI ID = 0.0 > and / or < / RTI > Means a communication device or system, and is not limited by a specific example.

The internal server / terminal 20 means any of various known or known communication devices or systems for receiving electronic mail transmitted through the external server / terminal 10.

Recently, many companies are exposed to the risk of malicious code exposure especially in the environment where the development of information and communication processes through e-mail including various types of information. In order to prevent the malicious code from being exposed, and to prevent the recipient receiving through the internal server / terminal 20 from recognizing that the e-mail has been received within a predetermined time, The e-mail processing system according to an embodiment of the present invention includes a separate e-mail security processing unit 30, which will be described in detail below.

1 and 2, the e-mail security processing unit 30 receives an e-mail transmitted from the external server / terminal 10, removes and processes various risk factors included in the e-mail, such as malicious code, / Terminal 20 to the internal server / terminal 20 to prevent an attack of the vulnerability of the internal server.

The e-mail security processing unit 30 may be a server or an apparatus that is allowed to access the Internet. For example, the e-mail security processing unit 30 may be located within the internal server / terminal 20, adjacent to the internal server / terminal 20, And the scope of the present invention is not limited by the specific examples.

The e-mail security processing unit 30 may include a malicious code detection unit 310, an execution code removal unit 330, an image comparison and analysis unit 350, a link generation unit 370, and a storage unit 390 have.

The malicious code detection unit 310 deletes the file content when a malicious code is detected in the file content attached to the e-mail received from the external server / terminal 10, A security check performing module 313, and a substitute image providing module 315. [

The file contents confirmation module 311 is a module for confirming whether or not the file contents are attached to the received electronic mail. The file content refers to various types of content that can be downloaded by a receiver, such as a document file, a moving image file, and an image file.

The security check performing module 313 is a module for performing a security check on the presence or absence of a malicious code for the file content when it is confirmed that the file content is attached to the electronic mail through the file content checking module 311. [ If malicious code or the like is not detected in the attached file content by the security check performing module 313, the file content can be transferred to the internal server / terminal 20 as it is originally attached. The security check can utilize any of various known and known methods, and there is no particular limitation thereto.

When a malicious code or the like is detected in the attached file content by the security checking module 313, the substitute image providing module 315 removes the file content from the e-mail and replaces it with an image file containing a warning message Module. For example, the image file may include a warning phrase such as 'virus infected file' or 'malicious code discovery', and may also include warning voice or moving image. In addition, it is preferable that the image file is displayed in a file attachment display position in an electronic mail so that the user can intuitively know the image file. In addition, a malicious code type detected in the image file may be additionally displayed to give reliability to the user.

In addition, or alternatively, the file name of the image file can be generated so that the malicious code matches the file name of the detected file content. Alternatively, the file name of the image file may be generated so that the attached file name of the file content and the detected malicious code name are displayed together. When two or more file contents are attached to an original of an e-mail, and when a malicious code is detected in a plurality of file contents, a replacement image file is generated for each of a plurality of file contents in which the malicious code is detected, The file name may be matched with the attached file name of the corresponding file content or the detected malicious code name may be displayed together. Therefore, there is an advantage that the format of the e-mail original is maintained by making the image file name match the attachment file name of the file contents. In addition, by adding the malicious code name, the user who confirms the e-mail through the internal server / terminal 20 can easily know the blocking status due to the detection of the file content malicious code of the e-mail.

The execution tag removal unit 330 removes various execution tags included in the e-mail received from the external server / terminal 10, thereby detecting a malicious code before confirming the e-mail received through the internal server / The tag type analysis module 331 and the executable code removal module 333 may be included in the tag type analysis module 331 and the executable code removal module 333, respectively.

The tag type analysis module 331 is a module for classifying a tag related to execution and a tag irrelevant to execution. Examples of non-execution-related tags are electronic tags such as <style ..., <h1 ..., <span ..., <table ..., <div ..., Means a tag associated with the layout (design) of the mail. Also, tags related to execution include <script ..., <object ..., <embed ..., <onclick = 'javascript', <form ..., <onload = 'open url ...' . The execution tag and the non-executed tag type are stored in the storage unit 390, and the user can add / delete the information about the executed / non-executed tag in the storage unit 390. [ Such an execution-related tag can be used as a method for calling a vulnerability of an internal server / terminal 20 program when viewing an e-mail message. Therefore, it is necessary to perform a task of classifying execution-related tags and unrelated tags as preliminary operations . In addition, the tag type analysis module 331 may include an execution tag removal module 331a. Hereinafter, an execution-related tag or code is referred to as an 'execution tag' or an 'executable code', and a tag irrelevant to execution is referred to as an 'inactive tag' or a 'non-execution code'.

In addition, the 'execution tag' is understood to be limited to the execution tag included in the body HTML of the electronic mail, but the scope of the present invention is not limited thereto.

The execution tag removal module 331a is a module for removing the classified execution tags through the tag type analysis module 331. [ As described above, the execution tag can prevent the type of attack directly or indirectly, such as invoking the vulnerability of the internal server / terminal 20 program at the time of reading the e-mail through the execution tag removal module 331a.

The executable code removing module 333 is a module for removing only the executable code from the non-executable tag if the executable code is classified into the non-executable tag through the tag type analysis module 331 and the attribute is set in the attribute. For example, <span ... corresponds to a non-executable tag, but onMouseOver = 'open url' in the <span style = 'font-size: 14px' onMouseOver = 'open url' . Therefore, even if only the execution tag is checked, classified and deleted, it may not be possible to completely solve the danger such as attack through malicious code. Therefore, an execution code may be set even if the tag is classified as a non-execution tag, and the execution code can be retrieved and deleted through the execution code elimination module 333.

For example, when the received e-mail body is decoded and loaded as text, all tags created in the body of the e-mail are tree structured do. After that, visit the node of each tree, check whether it is an execution tag, and delete it if it corresponds to the execution tag. In addition, when the tag corresponds to an unexecuted tag, it checks the contents of the unexecuted tag to determine whether there is an attribute value (executable code) for calling a script, and deletes the attribute value. It should be noted, however, that this is merely an illustrative example and that the scope of the present invention is not limited thereto.

The image comparison module 350 is a module for measuring the mutual similarity between the original image of the unprocessed e-mail received from the external server / terminal 20 and the image of the processed e-mail through the execution tag removing unit 330 The first image storage module 351, the second image storage module 353, the image similarity measurement module 355, and the repetitive execution instruction module 357.

The first image storage module 351 is a module for storing an original image of a raw e-mail. For example, it is a module that loads received e-mails into an html viewer and renders them as images and saves them as they are displayed on the terminal screen. The image stored through the first image storage module 351 is referred to as a 'first image'.

The second image storage module 353 is a module for storing an image of the processed e-mail. For example, an e-mail with all malicious code detected as an execution tag / code removed is loaded into the html viewer and re-rendered as an image. The image stored through the second image storage module 353 is referred to as a 'second image'.

The image similarity measurement module 355 is a module for measuring image similarity between the first image and the second image stored through the first image storage module 351 and the second image storage module 353. [ For example, the similarity measurement by the image similarity measurement module 355 can quantify the similarity of the two images as a percentage, and measure whether the predetermined value exceeds or exceeds a predetermined value. It should be noted that the manner of measuring the degree of similarity of the first and second images may be achieved through various various known or later-known modules or configurations, and the scope of the present invention is not limited by the specific examples.

The reason why the image similarity measurement module 355 is provided will be described in detail. For example, in some non-standard execution tags, the string or attribute value of the execution tag may end with "beginning with " and not with" At this time, the html interpreter may not be able to accurately determine the start and end of the execution tag to be removed. Accordingly, it is possible to delete the tag related to the layout of the electronic mail to remove the layout (design) of the electronic mail text for communication. In order to prevent such a problem, the first and second images are compared with each other through the image similarity measurement module 355 to check whether or not only the tag or code to be removed is correctly deleted, thereby causing miscommunication between the sender of the e- The possibility can be remarkably reduced.

The repeat execution instruction module 357 is a module for re-executing the execution tag removal section 330 when the first and second image similarities are less than or equal to a predetermined value. The execution tag removal unit 330 is restarted through the iteration execution instruction module 357. It is preferable that the repetition operation continues until the first and second images exceed the predetermined value. Therefore, in the processed e-mail, it is possible to preserve the original text and the layout (design) as much as possible.

The link generation unit 370 attaches link information on the e-mail source, for example, stored in the storage unit 390, to one side of the body of the e-mail processed by the e-mail security processing unit 30, It is a configuration that allows you to check the e-mail source when necessary.

The storage unit 390 controls the entire e-mail security processing unit 30. For example, the first and second images may be stored. In addition, information on the execution tag and / or execution code can be stored in advance. In addition, the e-mail origin may be stored so that the recipient can view the original when clicking the link information according to the link generation unit 370. Also, the start and end portions of the non-standard execution tag, which is self-learned by the repeat execution instruction module 370, are continuously stored. Therefore, as the utilization time of the e-mail processing system 1 according to the embodiment of the present invention is extended, the processing time of the e-mail original is remarkably shortened, and an advantage that the security processing can be performed more quickly can be realized. In addition, the storage unit 390 is shown separately from the execution tag removal unit 330 or the image comparison module 350. However, the storage unit 390 is for convenience of explanation and is not limited thereto.

3 is a flowchart illustrating an e-mail processing method according to an embodiment of the present invention;

Hereinafter, an e-mail processing method (S1) according to an embodiment of the present invention will be described in detail. The e-mail processing method S1 according to an embodiment of the present invention includes performing a file content security step S10, an execution tag tracking step S30, an image comparison step S50, and a link information generating step S70 can do. It should be noted that the order of execution for each of the above steps is arbitrary and not limited by the order described below.

Referring to FIG. 3, the file content security step S10 is performed. In step S110, whether file content is attached to the e-mail received from the external server / terminal 10 is confirmed. If the file content is attached, the security check is performed on the existence of the malicious code with respect to the file content (S130). The security checks may be performed using any of a variety of known methods or modules, and the scope of the present invention is not limited by the specific examples.

If a malicious code or the like is detected during the security check, the file content is removed from the e-mail message and replaced with an image file including an alert message (S150). As described above, the image file may include a warning phrase such as 'virus infected file' or 'malicious code discovery', and may include a warning voice or image. It is further preferable to display the detected malicious code type in the image file.

Referring to the execution tag tracking step S30, the tag included in the e-mail received from the external server / terminal 10 is classified into the active tag and the non-active tag at step S310. The example for the run tag and the non-run tag is replaced with the tag type analysis module 331.

Thereafter, the tag type classified by the execution tag is removed from the e-mail (S330), and the tag type classified by the non-executed tag is maintained. Then, when the tag is classified as the non-tagged tag, if the tag has the tagged executable code, only the tagged tag is removed from the tag (S350).

Then, the image comparison step S50 is performed. Specifically, a step of comparing the first image of the received e-mail source before the execution tag tracking step (S30) and the second image of the e-mail processed through the execution tag tracking step (S30) (S510).

If the first and second images are greater than or equal to the predetermined value in step S510, the security check for the e-mail is terminated. On the other hand, if the first and second images are less than / less than the predetermined value, the execution tag tracking (S30) is repeatedly performed until the predetermined value is greater than or equal to a predetermined value (S530). By continuously storing the start and end portions of the non-standard execution tags learned by self-learning by repeating the above step S530 in the storage unit 390, it is possible to quickly and accurately perform security processing by shortening the processing time of the e-mail original as time passes It becomes.

After completing the file content security step S10 and / or the execution tag tracking step S30, link information about the e-mail source is attached to one side of the processed e-mail body so that the receiver can check it whenever necessary .

When the above-described steps are all completed, the processed e-mail is made visible to the recipient through the internal server / terminal 20. [

The foregoing detailed description is illustrative of the present invention. In addition, the foregoing is intended to illustrate and explain the preferred embodiments of the present invention, and the present invention may be used in various other combinations, modifications and environments. That is, it is possible to make changes or modifications within the scope of the concept of the invention disclosed in this specification, within the scope of the disclosure, and / or within the skill and knowledge of the art. The above-described embodiments illustrate the best mode for carrying out the technical idea of the present invention, and various modifications required for specific application fields and uses of the present invention are also possible. Accordingly, the detailed description of the invention is not intended to limit the invention to the disclosed embodiments.

1: E-mail processing system
10: external server / terminal 20: internal server / terminal
30: E-mail security processing unit
310: malicious code detection unit
311: file content confirmation module 313: security check execution module
315: Alternative image provision module
330: Run tag removal
331: Tag type analysis module 331a: Execution tag removal module
333: Execution Code Removal Module
350: Image comparison module
351: first image storage module 353: second image storage module
355: image similarity measurement module 357: repeat execution instruction module
370: Link generation unit 390:
S1: E-mail processing method
S10: Performing file content security steps
S110: File content attachment checking step S130: Security check performing step
S150: image file replacement step
S30: Execution tag tracking step
S310: Execution tag classification step S330: Execution tag removal step
S350: Steps to remove executable code
S50: Image comparison step
S510: First and second image comparison step S530: Repeat step
S70: link information generation step

Claims (11)

And an execution tag removing unit for preventing the malicious code from being executed before the confirmation of the e-mail received through the internal server / terminal by removing the execution tag included in the e-mail received from the external server / terminal,
The execution tag removing unit classifies an execution tag irrelevant to the layout of the e-mail body and a non-executed tag related to the layout of the body of the e-mail, and removes an tag, A tag type analysis module including the tag type analysis module; And an executable code removing module for removing only the executable code from the non-executable tag if the executable code is classified into the non-executable tag through the tag type analysis module but the attribute of the non-executed tag is set. Email processing system.
The method according to claim 1,
And a malicious code detection unit for removing the file content when malicious code is detected in a file content attached to an electronic mail received from an external server / terminal.
3. The method of claim 2,
The malicious code detection unit
A file contents confirmation module for confirming whether or not file contents are present in the received electronic mail; A security check module for performing a security check on the file contents when a file content is attached; And a substitute image providing module for replacing the file content in which the malicious code is detected when the malicious code is detected in the attached file content, with an image file including the warning message.
delete The method according to claim 1,
And an image comparison module for measuring the mutual similarity degree between the e-mail original image received from the external server / terminal and the processed e-mail image according to the execution code removal operation.
6. The method of claim 5,
The image comparison module
And an iterative execution instruction module for instructing the execution tag canceller to repeat the execution tag canceller until the value exceeds or exceeds the predetermined value if the measured image similarity is equal to or less than a predetermined value.
The method according to claim 6,
And a link generation unit for attaching link information for viewing the original e-mail to one side of the body of the processed e-mail, so that a recipient who confirms the e-mail through the internal server / terminal can check the original if necessary Mail processing system.
The method according to claim 6,
And a storage unit for continuously storing the start and end parts of the non-standard execution tag learned by the repeated execution instruction module and storing information about the execution tag and / or the execution code, Mail processing system.
The method of claim 3,
Wherein the file name of the image file provided by the substitute image providing module is generated so that the malicious code matches the file name of the detected file content, thereby maintaining the format of the original e-mail.
10. The method of claim 9,
The file name of the image file provided by the substitute image providing module is generated such that the detected malicious code name is displayed together with the attached file name so that the e-mail recipient can intuitively grasp the blocking status according to the detection of the file content malicious code E-mail processing system.
The method according to claim 1,
Wherein the execution tag removed by the execution tag removal module is an execution tag included in the HTML.

Images