KR102259789B1 - Method and apparatus for filtering of outgoing and incoming spam mail - Google Patents

Abstract

The present invention relates to a method of operating a server operated by at least one processor, which includes the steps of: receiving filtering rules for determining spam mail from a blockchain network; receiving mail from an arbitrary mail server; determining whether the mail corresponds to the spam mail by an outgoing mail filtering rule or an incoming mail filtering rule included in the filtering rules; and blocking the sending or receiving of the mail, and storing the information of the mail in the blockchain network, when the mail corresponds to the spam mail, wherein mail information is provided to a plurality of mail servers connected to the blockchain network. According to the present invention, it is possible to prevent the illegal use of an account and leakage of company secrets by filtering whether a content is appropriate for security before sending.

Description

Spam filtering method and device for outgoing mail and incoming mail {METHOD AND APPARATUS FOR FILTERING OF OUTGOING AND INCOMING SPAM MAIL}

The present invention relates to a technique for filtering spam of outgoing mail and incoming mail.

Spam means an advertisement letter or message sent to an unspecified number of people through e-mail, text message, phone, etc. In order to block spam, the conventional spam filtering system checks components such as the subject, body, and attachments of an incoming mail to block advertising mail, phishing mail, or malicious programs such as viruses and malware. system could be protected.

However, since the conventional spam filtering technology filters based on the text of the mail, there is a limit to the correct spam filtering for the mail including the spam image.

In addition, since the spam filtering system is applied only to the received mail, there is a problem in that it is impossible to prevent damage caused by the theft of the email account and the leakage of internal information. It is also impossible to prevent spammers from sending to a large number of recipients in violation of the regulations related to advertising mail.

Therefore, not only the filtering method that analyzes the image contained in the mail for the incoming mail, but also whether the mail to be sent corresponds to spam mail, whether the mail to be sent is a stolen account, or inappropriate mail that leaks corporate information, etc. A method of sending only appropriate emails by checking is required.

In addition, if spam filtering is performed with only one server, there is a risk that the spam filtering service is interrupted in case of server failure or server recovery is not possible, and filtering of spam mail that has not been experienced by the server may be insufficient. Therefore, it is necessary to share the spam filtering rules with the member nodes of the blockchain network in order to safely and continuously provide spam services even for spam mails for which no filtering rules are created on the server.

The task to be solved is to determine whether the e-mail to be sent is inappropriate for security or to be considered spam before sending the e-mail, and to provide a method to block inappropriate e-mail transmission in advance.

In addition, the task to be solved is to provide a method for filtering by checking whether an image included in an incoming mail is spam.

Also, the challenge to be solved is to provide a way to share spam filtering rules over a blockchain network.

A method of operating a server operated by at least one processor according to an embodiment, comprising: receiving filtering rules for determining spam mail from a block chain network; receiving mail from an arbitrary mail server; the filtering rules Determining whether the mail corresponds to the spam mail by an outgoing mail filtering rule or an incoming mail filtering rule included in the block chain network, and if applicable, blocking the sending or receiving of the mail, and transmitting the information of the mail to the block chain network and storing the information in the mail server, wherein the mail information is provided to a plurality of mail servers connected to the blockchain network.

The outgoing mail filtering rule includes a first filtering rule for checking whether the mail contains personal information that is not permitted to leak, a second filtering rule for checking whether a recipient mail server of the mail blocks the account of the mail, and the It may include at least one of a third filtering rule for checking whether a spam phrase is included in the body of the mail or an image included in an attached file, and a fourth filtering rule for checking whether the mail is different from a pre-stored mail sending pattern.

The third filtering rule extracts an image included in the body or attachment of the mail, extracts a text area from the image, calculates a similarity with the spam phrase included in the filtering rules, and the similarity When ? exceeds a preset reference value, the e-mail may be determined as the spam e-mail.

The preset reference value may be a value provided from any one of the plurality of mail servers.

The incoming mail filtering rule may include at least one of a filtering rule for checking whether a spam phrase is included in an image included in the body or attachment of the mail, or a filtering rule for checking whether a malicious program is included in the mail can

In the receiving step, filtering rules used in the plurality of mail servers or mails determined as the spam mail by the plurality of mail servers may be provided.

The storing may include transmitting at least one of a sender mail address of the mail, a receiver mail address, and a cause corresponding to the spam mail to the administrator of the server.

As a method of operating a server operated by at least one processor according to another embodiment, receiving a filtering rule for determining spam mail or dangerous mail that violates security policy from a block chain network, an outgoing mail from an arbitrary mail server receiving an input, determining whether the outgoing mail corresponds to the spam mail or the dangerous mail by the filtering rule, and, if applicable, the information of the outgoing mail to a plurality of mail servers connected to the block chain network and storing the information of the outgoing mail in the blockchain network to be provided.

Checking whether the number of recipients of the outgoing mail exceeds a predetermined reference value, if it exceeds a first information indicating that the outgoing mail is an advertisement mail in the subject or body of the outgoing mail, the reception of the outgoing mail can be rejected Checking whether the second information including a method and third information including the fact that the recipient of the outgoing mail agrees to receive the outgoing mail is included, and any one of the first to third information If not included, the method may further include determining the outgoing mail as the dangerous mail.

The determining may include extracting the title, body, and text of the attached file of the outgoing mail, and extracting personal information including at least one of a resident registration number, a mobile phone number, a landline phone number, and an email address in the text. , determining whether the personal information corresponds to a leak prohibited target included in the security policy, and determining the outgoing mail as the dangerous mail if the personal information corresponds to the leak prohibited target have.

The determining step includes sending a test mail from the account of the outgoing mail to a test account of the recipient mail server of the outgoing mail, and if the sending of the test mail is successful, sending the outgoing mail to the recipient mail account, and requesting the recipient mail server to unblock the outgoing mail account when the transmission of the test mail fails.

The determining may include checking whether the outgoing mail is sent in a pattern different from a pre-stored mail sending pattern, wherein the pre-stored mail sending pattern is registered by the sender of the outgoing mail or the arbitrary mail server It may be an extraction of the access pattern to

The confirming may include receiving an input of a mail server access condition including at least one of location information, an IP address, and a MAC address for accessing the arbitrary mail server, location information when receiving the outgoing mail, and an IP address and extracting the MAC address, and determining the outgoing mail as the dangerous mail if the extracted information and the mail server access condition are different.

A computing device according to an embodiment, comprising a memory and at least one processor executing instructions of a program loaded into the memory, wherein the program receives mail from an arbitrary mail server, filtering and judging whether the e-mail corresponds to a spam e-mail according to a rule, and if applicable, storing the e-mail or information of the e-mail in a blockchain network, wherein the e-mail information is It is provided to a plurality of mail servers connected to the blockchain network and applied to the spam filtering rules of each mail server.

In the storing, when the transaction generated by the hash value of the information of the mail by the plurality of mail servers is verified, the verified transaction may be stored in the blockchain network.

According to the present invention, it is possible to prevent the leakage of company secrets due to account theft by filtering whether the content is appropriate for security purposes as well as when receiving the mail, and whether the mail is violating the relevant laws when sending a large amount of mail. can be checked in advance.

In addition, according to the present invention, since member nodes connected to the block chain network share information on spam filtering rules, spam filtering performance can be improved even in the case of a server that does not have much learning data or is newly created.

1 is an explanatory diagram of a spam filtering system according to an embodiment.
2 is an explanatory diagram of a method of operating a spam filtering server according to an embodiment.
3 is a flowchart of a method of operating a spam filtering server according to an embodiment.
4 is a configuration diagram of a spam filtering server according to an embodiment.
5 is a flowchart of a spam filtering method according to an embodiment.
6 is a flowchart of a spam filtering method according to another embodiment.
7 is a flowchart of a spam filtering method according to another embodiment.
8 is a flowchart of a spam filtering method according to another embodiment.
9 is an explanatory diagram of a spam filtering method according to another embodiment.
10 is a flowchart of a spam filtering method according to another embodiment.
11 is a hardware configuration diagram of a computing device according to an embodiment.

Hereinafter, exemplary embodiments of the present invention will be described in detail with reference to the accompanying drawings so that those of ordinary skill in the art may easily implement the present invention. However, the present invention may be implemented in various different forms and is not limited to the embodiments described herein. In the drawings, parts irrelevant to the description are omitted in order to clearly describe the present invention, and similar reference numerals are attached to similar parts throughout the specification.

Throughout the specification, when a part "includes" a certain component, it means that other components may be further included rather than excluding other components unless specifically stated to the contrary. In addition, terms such as “…unit”, “…group”, and “module” described in the specification mean a unit that processes at least one function or operation, which may be implemented as hardware or software or a combination of hardware and software. have.

As used herein, spam mail refers to advertising mail sent or received to an unspecified number of people. Therefore, the outgoing e-mail may correspond to a spam e-mail or the received e-mail may correspond to a spam e-mail. For convenience, it may be referred to as 'spam'.

In this specification, dangerous mail is determined to be sent by a thief after a mail that is suspected of leaking user information, company information to which the user belongs, mail that violates the message transfer rules set by the administrator, or user account is stolen means the mail Outgoing mail may be dangerous mail.

In this specification, a filtering rule may mean a threshold value or a reference value used in each filtering method. For example, in the case of a value calculated by the degree of similarity, it may mean a threshold value, and may mean a specific text or a specific image preset by the administrator of the spam filtering server 100 .

1 is an explanatory diagram of a spam filtering system according to an embodiment.

Referring to FIG. 1 , the spam filtering system 1000 shares spam filtering rules with the spam filtering server 100 that determines whether an outgoing mail transmitted from a user to an external mail server and an incoming mail received from an external mail server are appropriate. and a blockchain network 200 that

The spam filtering system 1000 serves to block the transmission of spam or dangerous mail and the reception of spam mail. The spam filtering system 1000 may be implemented in any mail server.

The spam filtering server 100 implements the outgoing filtering unit 110 that determines whether the outgoing mail is spam or inappropriate, the receiving filtering unit 120 that determines whether the received mail is spam, and the filtering rules updated according to the filtering result in a block chain. It includes a filtering rule management unit 130 that is stored in the network 200 .

For the sake of explanation, the outgoing filtering unit 110 , the receiving filtering unit 120 , and the filtering rule management unit 130 are named and called, but these are computing devices operated by at least one processor. Here, the outgoing filtering unit 110 , the receiving filtering unit 120 , and the filtering rule manager 130 may be implemented in one computing device or distributed in separate computing devices. When distributed in separate computing devices, the outgoing filtering unit 110 , the receiving filtering unit 120 , and the filtering rule manager 130 may communicate with each other through a communication interface. A computing device may be any device capable of executing a software program written to perform the present invention, and may be, for example, a device capable of sending and receiving e-mail, such as a server, a laptop computer, or a device having a built-in Internet browser.

The spam filtering server 100 determines whether the mail that the user intends to send is spam regardless of the user's intention, whether the user belongs to the company, whether it violates the company's confidentiality policy, and whether the user's mail sending pattern is different It determines whether the account is stolen or not, and blocks the sending of inappropriate e-mails in advance.

The outgoing filtering unit 110 checks the outgoing mail according to the RBL filtering rule, the security filtering rule, the mass sending filtering rule, the body filtering rule, the image filtering rule, and the account theft confirmation rule. If any one of the rules is met, the outgoing mail is judged as spam or dangerous mail and the sending is blocked.

Blocked mail may be moved to the user's spam mailbox. A filtering method according to each rule will be described in detail with reference to FIGS. 4 to 10 .

The reception filtering unit 120 checks the received mail according to the body filtering rule, the image filtering rule, and the malicious program filtering rule. If any one of the rules is satisfied, it is determined that the received e-mail is a spam e-mail, and the e-mail may be moved to the user's spam mailbox.

In addition, the reception filtering unit 120 may register an account of the received mail in the spam filtering server 100 .

Authentication is requested with the account of the received mail, and if authentication is successful according to the authentication result, the account of the received mail can be registered, and then the filtering rules can be performed. If authentication fails, the received e-mail is judged to be spam mail without going through the spam filtering rules and can be moved to the user's spam mailbox. Account information and authentication details of the received mail for which authentication is successful may be stored in the blockchain network 200 .

In this way, since mails coming from a large number of unauthenticated and unspecified can be treated as spam at once, the efficiency of the subject sending the spam can be reduced. Meanwhile, a method of filtering received mail according to each rule will be described in detail with reference to FIGS. 4 to 10 .

Meanwhile, each rule used in the outgoing filtering unit 110 and the receiving filtering unit 120 may be implemented as a rule-based system, machine learning, or deep learning model. .

The filtering rule management unit 130 stores the rules used by the outgoing filtering unit 110 and the receiving filtering unit 120 in the block chain network 200, and another spam filtering server 100 stored in the block chain network 200. Rules or filtering results generated in . In addition, e-mails determined to be spam may be stored or provided. In this case, the mail may be the original text itself, or it may have been changed with a hash algorithm.

Therefore, even in the case of a general mail server where filtering data is not shared and spam filtering rules are fixed or mail servers with low sending and receiving volume, all mail servers participating in the node of the blockchain network 200 share data to extend the spam filtering rules. can

The filtering rule manager 130 may provide filtering rules of the existing spam filtering servers 100 when the new spam filtering server 100 is connected to the block chain network 200 . The new spam filtering server 100 may filter outgoing mail or incoming mail according to the provided filtering rule or filtering rules set by the administrator. All of the provided filtering rules can be applied, and only some filtering rules selected by the administrator can be applied. This may be determined according to the characteristics of each filtering method.

When the filtering rule is updated by the administrator of the spam filtering server 100 , the filtering rule management unit 130 may store the changed filtering rule in the block chain network 200 . Filtering rules may be updated by an administrator's change of settings, but the case where the rules are changed is not limited thereto.

When each filtering rule is implemented as a rule-based system, a plurality of spam filtering servers 100 connected to the block chain network 200 may update their respective filtering rules by reflecting the newly stored filtering rules. You can also create new filtering rules.

On the other hand, when each filtering rule is implemented by machine learning or deep learning, the filtering rule management unit 130 stores the filtering results in the block chain network 200 . At this time, each of the spam filtering servers 100 may learn the filtering results and change the rules by themselves.

A user or an administrator may select whether to use the function of the filtering rule management unit 130 receiving filtering rules from other nodes of the spam filtering server 100 . For example, the filtering rules of the spam filtering server 100 in use are stored in the block chain network 200, but the filtering rules provided from other nodes may not be reflected in the current spam filtering server 100.

The blockchain network 200 is a kind of distributed database composed of a plurality of blocks, and is connected to a plurality of spam filtering servers 100 .

The block chain network 200 stores filtering rules for determining spam mail or dangerous mail of each spam filtering server 100 . Member nodes constituting the block chain network 200 may share the stored filtering rules for use by the outgoing filtering unit 110 or the receiving filtering unit 120 of any spam filtering server 100 . Through this, the spam filtering server 100 or the newly created spam filtering server 100 with a small amount of sending or receiving mail may also apply the filtering rules.

On the other hand, the spam filtering server 100 and the block chain network 200 may be connected through an API (Application Programming Interface) serving as a gateway.

And, the filtering rules stored in the block chain network 200 are data that can be shared between nodes, and can be called on-chain, and the filtering rules stored in each spam filtering server 100 can be called side chains. .

2 is an explanatory diagram of a method of operating a spam filtering server according to an embodiment.

Referring to FIG. 2 , each of the spam filtering servers 100-1, 100-2, and 100-3 connected to the block chain network 200 is a filtering implemented by an administrator of each server or by artificial intelligence of each server. When a rule is changed, the changed content is transmitted to the adjacent nodes, and the adjacent nodes generate a transaction for the changed content and proceed with the assurance procedure.

For example, when the filtering rule is changed, the filtering rule management unit 130 of the spam filtering server 1 100-1 generates and transmits the updated contents as a transaction to the spam filtering server 2 100-2, which is the nearest node. . The spam filtering server 2 (100-2) guarantees the transaction, and transmits the transaction to the spam filtering server 3 (100-3), which is an adjacent node. When the spam filtering server 3 ( 100 - 3 ) completes the guarantee, the transaction is recorded in the block chain network 200 , and the updated filtering rules can be distributed to all nodes connected to the block chain network 200 .

On the other hand, the mail itself classified as spam mail or dangerous mail by the spam filtering server 100 may be stored in the block chain network 200 . In the case of outgoing mail, a hash value may be generated from the outgoing mail address, the time the mail was sent, the sender's IP address, and the node ID of the spam filtering server 100 . The generated hash value may be stored in each node constituting the blockchain network 200 .

The received mail also generates a hash value from the sending mail address that sent the received mail, the sending time of the mail, the sender's IP address, and the node ID of the spam filtering server 100, and each Hash values can be stored in nodes.

The stored hash value may be used when creating or updating a filtering rule in each spam filtering server 100 .

3 is a flowchart of a method of operating a spam filtering server according to an embodiment.

Referring to FIG. 3 , the spam filtering server 100 receives mail from a user or an external mail server (S101).

The spam filtering server 100 classifies whether the input mail is an incoming mail or an outgoing mail (S102).

In the case of received mail, the reception filtering unit 120 filters the corresponding mail according to each rule (S103). By applying the body filtering rule, image filtering rule, and malicious program filtering rule, if any one of them is applicable, the incoming mail can be judged as spam.

It is determined whether the corresponding e-mail is spam by checking whether it corresponds to the reference value set for each rule (S104). In this case, the reference value of each rule may be set by an administrator or based on information received from the block chain network 200 . As an example, when the reception filtering unit 120 is implemented by machine learning or deep learning, the reference value may be determined as a decision boundary or a function rather than a numerical value.

When it is determined that the mail is normal, the corresponding mail is moved to the user's receiving mailbox, and when it is determined that the mail is spam, the corresponding mail is moved to the user's spam mailbox (S105, S106).

The spam filtering server 100 stores the spam filtering result in the block chain network 200 (S107). As an example, when the outgoing filtering unit 110 or the receiving filtering unit 120 is implemented as a rule-based system, the similarity value calculated in each filtering rule or text or images determined to be spam may be stored.

As another example, when the outgoing filtering unit 110 or the receiving filtering unit 120 is implemented by machine learning or deep learning, the mail itself determined to be spam or normal may be stored in the block chain network 200 .

On the other hand, when the threshold value or setting of each rule is changed by the administrator, the changed content may be stored in the blockchain network 200 .

In step S102, in the case of outgoing mail, it is checked whether the number of recipients is equal to or greater than a predetermined reference number to determine whether the mail is mass-sent (S108). The reference value for determining that the mail is mass sent may be changed by the administrator.

In the case of mass sending mail, the sending filtering unit 110 filters according to the mass sending filtering rule (S109). The bulk sending filtering rules may include laws or regulations of the country sending or receiving the mail.

If it is not a mass sent mail, the outgoing filtering unit 110 filters according to the RBL filtering rule, the security filtering rule, the body filtering rule, the image filtering rule, and the account theft confirmation rule (S110). Details of each rule will be described with reference to FIGS. 4 to 10 .

It is determined whether the corresponding e-mail is a dangerous e-mail or spam by checking whether it corresponds to the reference value set for each rule (S111).

If it is not a dangerous mail or spam, the mail is sent to the recipient and then moved to the outgoing mailbox. If it is determined that the mail is dangerous or spam, the corresponding mail is moved to the spam mailbox, and the sender is notified of transmission failure (S112, S113).

Thereafter, the filtering rule management unit 130 stores the spam filtering result in the block chain network 200 (S107).

4 is a configuration diagram of a spam filtering server according to an embodiment.

Referring to FIG. 4 , the spam filtering server 100 includes an outgoing filtering unit 110 , a receiving filtering unit 120 , and a filtering rule management unit 130 . The outgoing filtering unit 110 and the receiving filtering unit 120 include a plurality of filtering rules, and apply each rule according to the type of mail to determine whether the mail is a spam mail or a dangerous mail.

Meanwhile, as described in FIG. 1 , the outgoing filtering unit 110 and the receiving filtering unit 120 may be implemented as a rule-based system or may be implemented by machine learning or deep learning.

The filtering rule management unit 130 stores a plurality of filtering rules in the block chain network 200, and transmits filtering rules obtained from other spam filtering servers 100 stored in the block chain network 200 with the outgoing filtering unit 110 and It is applied to the rules of the reception filtering unit 120 .

Hereinafter, the RBL filtering rule, the security filtering rule, the mass sending filtering rule, the body filtering rule, the image filtering rule, and the account theft confirmation rule included in the outgoing filtering unit 110 will be described and the body included in the receiving filtering unit 120 . Describes filtering rules, image filtering rules, and malicious program filtering rules.

Security filtering rules, account hijacking checking rules, and malware filtering rules are first explained, followed by body filtering rules and image filtering rules, which are rules commonly applied to outgoing and incoming mail, RBL filtering rules, mass sending filtering Explain the rules.

The security filtering rule means checking whether the subject, body, and attachments of outgoing mail contain personal information or content that should be secured. In this case, the contents to be checked may be pre-registered by the administrator in order to prevent leakage of corporate information in an e-mail sent by a user belonging to an arbitrary company.

In addition, you can check whether there is any content that falls under the laws of the recipient's country. In this case, the security filtering rule may include criteria for evaluating the illegality of mail for each country.

First, the spam filtering server 100 extracts the subject, body, and text of the attached file of the outgoing mail. After that, it is checked whether there is a text arrangement that can contain personal information such as resident registration number and mobile phone number and security contents such as URL address. For example, a resident registration number, a mobile phone number, a landline phone number, an e-mail address, and a URL address may be detected in the extracted text using the detection code of Table 1. Meanwhile, the detection content and detection code may vary depending on the recipient's country, and the implementation method may vary depending on the tool used.

Detected content detection code Resident registration number \b(?:[0-9]{2}(?:0[1-9]|1[0-2])(?:0[1-9]|[1,2][0-9] |3[0,1]))-[1-4][0-9]{6}\b mobile phone number /^01([0|1|6|7|8|9]?)-?([0-9]{3,4})-?([0-9]{4})$/ telephone number /^\d{3}-\d{3,4}-\d{4}$/ Email Address /^[0-9a-zA-Z]([-_\.]?[0-9a-zA-Z]) *@[0-9a-zA-Z]([-_\.]?[0 -9a-zA-Z])*\.[a-zA-Z]{2,3}$/i URL address ^(https?):\/\/([^:\/\s]+)(:([^\/]*))?((\/[^\s/\/]+)*)? \/?([^#\s\?]*)(\?([^#\s]*))?(#(\w*))?$

Thereafter, the spam filtering server 100 determines whether the extracted resident registration number, mobile phone number, and the like correspond to the contents prohibited from leaking. The content prohibited from leaking may be preset by an administrator or may be received by the filtering rule management unit 130 from the block chain network 200 .

When the outgoing e-mail contains contents prohibited from leaking, the spam filtering server 100 blocks the sending of the corresponding e-mail. In addition, a report including the sender's e-mail address, the time at which the transmission was attempted, the recipient's e-mail address, and the reason for blocking can be sent to the administrator. The sender can be sent a notification of failure to send including the reason for blocking.

The account hijacking check rule means that the sending of mail is allowed only when the server access conditions such as location information, IP, and MAC address set in advance by the user are satisfied.

First, the user registers in the spam filtering server 100 server access conditions including location information where he or she mainly accesses the mail account, IP and MAC address for accessing the mail account. On the other hand, this process can be directly registered by the user, but by identifying the user's access pattern, frequent location information, IP, and MAC addresses can be automatically registered as server access patterns. The server access pattern may further include a type of terminal accessed by the user, an OS, and a system environment to transmit mail, such as a browser.

Then, when the spam filtering server 100 receives the outgoing mail, it compares the environment in which the mail is transmitted and the conditions for accessing the registered user server. Specifically, it is determined whether the access environment has been changed based on server access conditions such as location, IP, MAC address, etc. preset by the user and current mail sending information.

When the access environment is changed, the spam filtering server 100 may limit the sending of the corresponding mail for a preset time, and transmit the reason for blocking the sending to the user or the administrator.

The malicious program filtering rule is to prevent the reception or transmission of programs that perform malicious actions such as inducing personal information or illegal charges without the user's consent.

The spam filtering server 100 may use a known malicious program detection tool for the attached file or extract the header of the attached program to check whether the mail includes an attached file and match the characteristics of the malicious program. The characteristic of the malicious program may be preset by an administrator or received from the blockchain network 200 . Meanwhile, since the method of detecting a malicious program is already known, a detailed description thereof will be omitted.

5 is a flowchart of a spam filtering method according to an embodiment, FIG. 6 is a flowchart of a spam filtering method according to another embodiment, FIG. 7 is a flowchart of a spam filtering method according to another embodiment, and FIG. It is a flowchart of a spam filtering method according to another embodiment, FIG. 9 is an explanatory diagram of a spam filtering method according to another embodiment, and FIG. 10 is a flowchart of a spam filtering method according to another embodiment.

Referring to FIG. 5 , the spam filtering server 100 extracts the body content of the mail (S210).

The spam filtering server 100 calculates a similarity between the extracted text and the texts of the preset spam corpus (S220). A corpus refers to a set of samples extracted from languages for a specific purpose for language research, and includes natural language sentences and information about them stored in a large-scale language database or computer-readable format.

The spam corpus is a corpus of specific words included in spam emails. For example, it may include sentences such as 'I will serve you by proxy', 'interest-free loan', 'Call me if you need cash'. Meanwhile, the spam corpus may be stored in the blockchain network 200 or an external database (not shown).

A method of determining the similarity between words or sentences is not limited to any one, for example, a word or sentence may be converted into a vector and the vector similarity may be calculated. Specifically, an embedding vector may be generated through a word embedding method, and cosine similarity between the generated vectors may be calculated. The cosine similarity value may be a real value between -1 and 1. The similarity calculation method is not limited to any one, and since it is a known technique, a detailed description thereof will be omitted.

If the calculated similarity is greater than or equal to the threshold, the spam filtering server 100 determines that the corresponding mail is spam or dangerous mail (S230). The threshold value may be a value preset by an administrator or a value provided from the block chain network 200 by the filtering rule management unit 130 . On the other hand, according to the range of the similarity value, it can be determined by classifying the spam class.

6 to 7 , the image filtering rule means checking whether an image included in an outgoing mail is a spam image or a text content included in the image is spam.

Referring to FIG. 6 , in order to determine if the image itself is spam, the spam filtering server 100 first extracts an image included in the mail ( S310 ). You can extract all images included in the body of the mail or included as attachments.

The spam filtering server 100 extracts image features (S320). Image characteristics refer to characteristics that can be identified regardless of the shape, size, or location of an object. Methods for extracting image features include SIFT (Scale-Invariant Feature Transform), SURF (Speeded-Up Robust Features), FAST (Features from Accelerated Segment Test), ORB (Oriented FAST and Rotated BRIEF), but is not limited to any one. .

The spam filtering server 100 calculates a similarity with the pre-learned spam image feature (S330). At this time, the same feature may be extracted from the spam image data stored in the block chain network 200 or an external database (not shown), and the degree of similarity between the extracted features may be calculated.

Meanwhile, the method for calculating the similarity may use Euclidean Distance, Minkowski Distance, cosine similarity, and the like, but is not limited thereto.

If the similarity is greater than or equal to the threshold, the corresponding mail is determined as spam (S340). The threshold value may be set by an administrator or a threshold value of another spam filtering server 100 stored in the block chain network 200 by the filtering rule management unit 130 may be used.

On the other hand, the process of extracting arbitrary features from an image and comparing the similarity may be implemented as a machine learning or deep learning model. In this case, the feature extracted from the image and the calculated similarity value may change depending on the type of model.

Referring to FIG. 7 , the spam filtering server 100 extracts an image included in the mail body or an image included in an attached file (S410).

The spam filtering server 100 pre-processes the image and extracts only the text area (S420). As a specific example of the preprocessing method, an image is converted to gray scale using Open CV, and pixels having a value below the threshold are binarized into black, and pixels with a value above the threshold are binarized into white to generate a black and white image and contour. can be extracted. Table 2 shows this process in code.

#Gary Scale Convert/*
Img=cv2.imread(Number,cv2.IMREAD_COLOR)
Copy_img=img.copy()
Img2=cv2.cvtColor(img,cv2,COLOR_BGR2GRAY)

#Outline spot_Gaussian Filter/*
Blur=cv2.GaussianVlur(img2,(3,3),0)
Cv2.imwrite('blur.jpg', blur)

#edge export/*
Canny=cv2.Canny(blur,100,200)
Cv2.imwire('canny.jpg', canny)

#Contours search/*
Cnts.contours,hierarchy=cv2.findContours(canny,cv2.RETR_TREE,cv2.CHAIN_APPROX_SIMPLE)

#white color match/*
for i in range(len(contours)):
cnt=contours[i]
area = cv2.contourArea(cnt)
x,y,w,h = cv2.boundingRect(cnt)
rect_area=w*h #area size
aspect_ratio = float(w)/h # ratio = width/height
if
(aspect_ratio>=0.2)and(aspect_ratio<=1.0)and(rect_area>=100)and(rect_area<=700):
cv2.rectangle(img,(x,y),(x+w,y+h),(0,255,0),1)
box1.append(cv2.boundingRect(cnt))

#text Area Export/* bubble sort
for i in range(len(box1)): ##Buble Sort on python
for j in range(len(box1)-(i+1)):
if box1[j][0]>box1[j+1][0]:
temp=box1[j]
box1[j]=box1[j+1]
box1[j+1]=temp

#measure number plate size
if count > f_count:
select = m
f_count = count;
plate_width=delta_x
cv2.imwrite('snake.jpg',img)

#text area extract
number_plate=copy_img[box1[select][1]-10:box1[select][3]+box1[select][1]+20,box1[select][0]-10:140+box1[select][0 ]]
resize_plate=cv2.resize(number_plate,None,fx=1.8,fy=1.8,interpolation=cv2.INTER_CUBIC+cv2.INTER_LINEAR)
plate_gray=cv2.cvtColor(resize_plate,cv2.COLOR_BGR2GRAY)
ret,th_plate = cv2.threshold(plate_gray,150,255,cv2.THRESH_BINARY)

cv2.imwrite('plate_th.jpg',th_plate)
kernel = np.ones((3,3),np.uint8)
er_plate = cv2.erode(th_plate,kernel,iterations=1)
er_invplate = er_plate
cv2.imwrite('er_plate.jpg',er_invplate)
result = pytesseract.image_to_string(Image.open('er_plate.jpg'), lang='eng')
return(result.replace("",""))

As another example, an artificial intelligence model called Inception, which is an improved Convolutional Neural Network (CNN), can be used.

Thereafter, text can be extracted from the preprocessed image by optical character recognition (OCR). For example, you can use an OCR engine called Tesseract.

The spam filtering server 100 calculates a similarity between the extracted text and the preset languages of the spam corpus (S430). For example, you can convert text to a vector to calculate the similarity between two vectors.

Specifically, a word or sentence can be vectorized using a one-hot vector or word2vec model, and the L1 distance, Euclidean distance (L2 distance), or cosine similarity between the two vectors can be calculated. A method of calculating the similarity between texts is not limited to any one method.

If the similarity is greater than or equal to the threshold, it is determined that the mail is spam (S440). The threshold value may be set by an administrator, or a threshold value of another spam filtering server 100 stored in the block chain network 200 by the filtering rule management unit 130 may be used.

8 and 9 , the RBL (Real-time Blocking List) filtering rule means checking the recipient mail server of the outgoing mail, and checking whether the mail server blocks the sender's mail address. do. That is, it is checked in advance whether the sender's account is registered as a blacklist in the recipient's mail server.

The spam filtering server 100 creates a test account in a plurality of mail servers (S510). This is to check whether the mail server has registered the sender's mail address in RBL.

After the caller enters his or her account on the screen, he clicks the check account button (S520). For example, the sender's e-mail address may be input on the screen as shown in FIG. 9(a).

The spam filtering server 100 sends a test mail from the sender account to the test account of different portals (S530).

The spam filtering server 100 checks the mail reception result in each test account, and displays the reception or not on the screen (S540). For example, a screen as shown in (b) of FIG. 9 may be provided.

Afterwards, the user can send a request to the mail server marked as blocked to remove the sender's mail address from the RBL.

Through this, the blocking state of the user's e-mail address can be recognized, and when it is blocked, an RBL release request can be made to the server, and the e-mail can be safely delivered to the recipient.

On the other hand, if there is a blocked site, if the user proceeds to send, it notifies the recipient of the corresponding mail account that it may not be delivered.

Referring to FIG. 10 , when the number of recipients is greater than or equal to a predetermined number, the mass sending filtering rule means checking whether there is an expression such as guidance information that must be included in an outgoing mail to prevent damage to recipients due to spam mail.

The mass-sent mail means a case in which the number of recipients is equal to or greater than a preset reference value. For example, the spam filtering server 100 may determine the mass-sent mail when the number of recipients is 30 or more. Meanwhile, in this specification, mass-sent mail is considered to be sent for commercial purposes. Hereinafter, a case of sending a mass sending mail will be described.

The spam filtering server 100 extracts the text of the subject and body of the outgoing mail (S610).

The spam filtering server 100 checks whether there is a phrase informing the advertisement mail in the mail title (S620). Specifically, in the mass-sent mail, the subject line of the outgoing mail must include a text indicating that the mail is an advertisement for commercial purposes. Therefore, check if there is a phrase such as (advertisement) or (adult advertisement) in the title.

The spam filtering server 100 checks whether a method for rejecting reception of the mail is provided in the body of the outgoing mail (S630). For example, you can check whether a link to unsubscribe from an email from the corresponding sender's email address is included.

The spam filtering server 100 checks whether content guiding the fact that the recipient agrees to receive the outgoing mail is included (S640). For example, it may include the time when the recipient agrees to receive the corresponding mail.

When the spam filtering server 100 includes all of the contents of S620 to S640, the spam filtering server 100 sends the corresponding mail (S650).

If any one of the contents of S620 to S640 is not satisfied, the spam filtering server 100 determines that the mass sent mail is a dangerous mail, and blocks the sending of the corresponding mail (S660). In addition, a report including the sender's e-mail address, the time the transmission was attempted, the recipient's e-mail address, and the reason for blocking can be sent to the administrator. The sender can be sent a notification of failure to send including the reason for blocking.

11 is a hardware configuration diagram of a computing device according to an embodiment.

Referring to FIG. 11 , the outgoing filtering unit 110 , the receiving filtering unit 120 , and the filtering rule management unit 130 are described to execute the operation of the present invention in the computing device 300 operated by at least one processor. Executes a program containing instructions.

The hardware of the computing device 300 may include at least one processor 310 , a memory 320 , a storage 330 , and a communication interface 340 , and may be connected through a bus. In addition, hardware such as an input device and an output device may be included. The computing device 300 may be loaded with various software including an operating system capable of driving a program.

The processor 310 is a device for controlling the operation of the computing device 300 , and may be a processor 310 of various types that processes instructions included in a program, for example, a central processing unit (CPU), an MPU ( It may be a micro processor unit), a micro controller unit (MCU), a graphic processing unit (GPU), or the like. The memory 320 loads the corresponding program so that the instructions described to execute the operation of the present invention are processed by the processor 310 . The memory 320 may be, for example, read only memory (ROM), random access memory (RAM), or the like. The storage 330 stores various data, programs, etc. required for executing the operation of the present invention. The communication interface 340 may be a wired/wireless communication module.

According to the present invention, it is possible to prevent the leakage of company secrets due to account theft by filtering whether the content is appropriate for security purposes as well as when receiving the mail, and whether the mail is violating the relevant laws when sending a large amount of mail. can be checked in advance.

In addition, according to the present invention, since member nodes connected to the block chain network share information on spam filtering rules, spam filtering performance can be improved even in the case of a server that does not have much learning data or is newly created.

The embodiments of the present invention described above are not implemented only through an apparatus and a method, but may be implemented through a program that realizes a function corresponding to the configuration of the embodiment of the present invention or a recording medium in which the program is recorded.

Although the embodiments of the present invention have been described in detail above, the scope of the present invention is not limited thereto, and various modifications and improvements by those skilled in the art using the basic concept of the present invention defined in the following claims are also provided. It belongs to the scope of rights.

Claims (15)

A method of operating a server operated by at least one processor, comprising:
A step of receiving filtering rules for determining spam mail from a blockchain network in which a plurality of mail servers are connected,
step of receiving outgoing mail,
determining whether the outgoing mail corresponds to the spam mail by an outgoing mail filtering rule included in the filtering rules; and
In the case of the spam mail, blocking the transmission of the outgoing mail to a recipient mail server, and storing the information of the outgoing mail as a spam mail in the block chain network,
The outgoing mail information stored in the blockchain network is provided to a plurality of mail servers connected to the blockchain network,
The filtering rules are updated through a transaction and guarantee procedure for the changed filtering rule among the plurality of mail servers when a filtering rule is changed in any mail server among the plurality of mail servers, and in the blockchain network Recorded and distributed, how it works. In claim 1,
The outgoing mail filtering rule is
A first filtering rule for checking whether the outgoing mail contains personal information that is not allowed to leak, a second filtering rule for checking whether the recipient mail server of the outgoing mail blocks the account of the outgoing mail, the body of the outgoing mail or at least one of a third filtering rule for checking whether an image included in an attachment contains a spam phrase, and a fourth filtering rule for checking whether the outgoing mail is different from a pre-stored mail sending pattern. In paragraph 2,
The third filtering rule is,
The third filtering rule is,
Extracts an image included in the body or attachment of the outgoing mail, extracts a text area from the image, calculates a similarity with the spam phrase included in the filtering rules, and the similarity exceeds a preset reference value If so, determining the outgoing mail as the spam mail, the operating method. In claim 3,
The preset reference value is
a value provided from any one of the plurality of mail servers. delete In claim 1,
The receiving step is
Filtering rules used in the plurality of mail servers or receiving mails determined as the spam mail from the plurality of mail servers. In claim 1,
The saving step is
Storing at least one of a sender mail address of the outgoing mail, a receiver mail address, and a cause corresponding to the spam mail. A method of operating a server operated by at least one processor, comprising:
A step of receiving a filtering rule for judging spam mail or dangerous mail that violates security policies from a blockchain network in which a plurality of mail servers are connected;
step of receiving outgoing mail,
Determining whether the outgoing mail corresponds to the spam mail or the dangerous mail by the filtering rule, and
In the case of the spam mail or the dangerous mail, storing the information of the outgoing mail in the block chain network so that the information of the outgoing mail is provided to a plurality of mail servers connected to the block chain network, ,
The filtering rule is updated through a transaction and guarantee procedure for the changed filtering rule among the plurality of mail servers when a filtering rule is changed in any mail server among the plurality of mail servers, and is stored in the blockchain network. Recorded and distributed, how it works. In claim 8,
checking whether the number of recipients of the outgoing mail exceeds a predetermined reference value;
If it exceeds, first information indicating that the outgoing mail is an advertisement mail in the subject or body of the outgoing mail, second information including a method for refusing to receive the outgoing mail, and the recipient of the outgoing mail Checking whether third information including the fact that you have consented to receive outgoing mail is included; and
If any one of the first information to the third information is not included, determining the outgoing mail as the dangerous mail
Further comprising, the method of operation. In claim 8,
The determining step,
extracting the subject, body, and text of the attached file of the outgoing mail;
extracting personal information including at least one of a resident registration number, a mobile phone number, a landline phone number, and an email address from the text;
Determining whether the personal information corresponds to the subject of the leakage prohibition included in the security policy, and
Determining the outgoing e-mail as the dangerous e-mail when the personal information falls under the prohibited subject
comprising, a method of operation. In claim 8,
The determining step,
sending a test mail from the account of the outgoing mail to a test account of the recipient mail server of the outgoing mail; and
If the sending of the test mail is successful, sending the outgoing mail to the recipient's mail account, and if the sending of the test mail fails, requesting the recipient's mail server to unblock the outgoing mail account
comprising, a method of operation. In claim 8,
The determining step,
Checking whether the outgoing mail is sent in a pattern different from a pre-stored mail sending pattern,
The pre-stored mail sending pattern is registered by the sender of the outgoing mail, or an access pattern to the arbitrary mail server is extracted. In claim 12,
The checking step is
receiving an input of a mail server access condition including at least one of location information for accessing the arbitrary mail server, an IP address, and a MAC address;
extracting location information, IP address, and MAC address when receiving the outgoing mail; and
Determining the outgoing mail as the dangerous mail if the extracted information and the mail server access condition are different
comprising, a method of operation. A computing device comprising:
memory, and
at least one processor executing instructions of a program loaded into the memory;
the program is
Storing a filtering rule provided from a blockchain network in which a plurality of mail servers are connected;
step of receiving outgoing mail,
determining whether the outgoing mail corresponds to spam mail according to the filtering rule; and
In the case of the spam mail, it includes instructions described to execute the step of storing the outgoing mail or information of the outgoing mail in the block chain network,
When the transaction is verified by the plurality of mail servers, the outgoing mail information is stored in the blockchain network and distributed to a plurality of mail servers connected to the blockchain network,
The filtering rule is updated through a transaction and guarantee procedure for the changed filtering rule among the plurality of mail servers when a filtering rule is changed in any mail server among the plurality of mail servers, and is stored in the blockchain network. A computing device that is recorded and distributed. delete

Images