Method for judging e-mail address scanning behaviors

A method for judging e-mail address scanning behavior. Applied to mail security, it addresses the problems that address-scanning behavior is neither identified nor intercepted by conventional gateways and that users' important data can be stolen, and it achieves effective identification and interception of address scanning, improving security, privacy and user experience.

Inactive Publication Date: 2019-12-03
SICHUAN XW BANK CO LTD
4 Cites 0 Cited by

AI-Extracted Technical Summary

Problems solved by technology

Email attackers generally collect valid email addresses first, then use the list as targets for advertising/spam marketing, or send targeted phishing, virus and extortion emails for precise attacks. If the recipient accidentally clicks on the related malicious email, the computer will be infected with malware or the ...

Method used

A. First, intercept incoming mail and/or external mail sources with security equipment such as a firewall or mail security gateway. If the intercepted mail and/or mail source matches a blacklist record in the security equipment, disconnect the network connection and the mail communication protocol; otherwise continue to execute. In this way, the attacker c...

Abstract

The invention relates to a method for judging email address scanning behavior, comprising the following steps: A, if an external email and/or external email source matches a blacklist record in the security equipment, disconnect the network connection and the email communication protocol, otherwise continue; B, an email address scanning analysis system analyses whether the external mail and/or external mail source exhibits email address scanning behavior, where the analysis comprises at least one of invalid-address frequency analysis per unit time, enumerated address analysis, same-sender analysis, same-subject-or-content analysis, or mailbox suffix analysis; and C, if scanning behavior is judged, add the sender to the blacklist for interception, otherwise process the mail as normal mail. The invention solves the problem that a traditional mail security gateway cannot effectively identify and intercept email address scanning behavior; such behavior can now be effectively identified and intercepted, and the security and privacy of the mail system are significantly improved.

Application Domain

Data switching networks

Technology Topic

Internet privacy, Safety equipment

Image

  • Method for judging e-mail address scanning behaviors

Examples

Example Embodiment

[0026] As shown in Figure 1, the method for judging email address scanning behavior of the present invention includes:
[0027] A. First, use a firewall, mail security gateway or other security device to intercept incoming mail and/or external mail sources. If the intercepted mail and/or mail source matches a blacklist record in the security device, disconnect the network connection and the mail communication protocol; otherwise continue. In this way the attacker only perceives that the connection was dropped and never sees an SMTP reply code, so it cannot learn whether the probed email address exists and the scan fails. Mailbox users also never receive the scanning emails, which improves user experience and avoids wasting mail system resources.
[0028] If the intercepted incoming mail and/or external mail source matches a whitelist record in the security device, the security device releases the mail and treats it as normal mail.
[0029] If the intercepted incoming mail and/or external mail source matches neither a blacklist nor a whitelist record in the security device, the security device releases the mail and the email system generates a mail log entry.
[0030] B. The email address scanning analysis system then obtains, for the mail released in step A that matched neither list, mail information comprising at least the mail header and mail body, and analyses it together with the mail log according to the Simple Mail Transfer Protocol (SMTP). The main analysed fields are those defined in RFC 822 (the standard email message format), for example: [Return-Path], the envelope sender (bounce) address of the message; [Received], the trace fields from which the transmission path and source IP can be followed; [From], the sender's address; [To], the recipient's address; [Subject], the subject of the message; and [Date], the sending time.
[0031] The attacker judges whether a recipient address actually exists from whether the email system bounced the message or which status code it returned, so the email address scanning analysis system uses the same signal: it judges from the SMTP status code whether the recipient address is valid or invalid. For example, a status code of 250 or 251 is taken to mean that the recipient address exists, and 550 is taken to mean that the address is invalid. For a detailed description of SMTP status codes, refer to RFC 821 (the SMTP specification; its current revision is RFC 5321).
[0032] The email address scanning analysis system analyses the mail normally released in step A as follows:
[0033] (1) Invalid email addresses per unit time: count the invalid email addresses recorded in the mail log within a unit time (set manually). If the count exceeds threshold M1, judge it to be email address scanning behavior;
[0034] (2) Enumerated address analysis: if the recipient address information has enumeration characteristics, for example recipient addresses received in succession such as abc1@mail.com, abc2@mail.com, abc3@mail.com, and the number of recipient addresses with enumeration characteristics exceeds threshold M2, judge it to be email address scanning behavior;
[0035] (3) Same-sender analysis: if the same sender address sends mail to multiple recipients and the number of invalid-recipient records for it in the mail log exceeds threshold M3, judge it to be email address scanning behavior;
[0036] (4) Same-subject or same-content analysis: if different sender addresses send the same subject and/or content to multiple recipients and the number of invalid-recipient records for that mail in the mail log exceeds threshold M4, judge it to be email address scanning behavior;
[0037] (5) Email suffix analysis: if the sender addresses come from the same email domain suffix, such as 123@abc.com, 234@abc.com, 345@abc.com, and the number of invalid-recipient records for them in the mail log exceeds threshold M5, judge it to be email address scanning behavior;
[0038] (6) If none of the above analyses judges the mail to be email address scanning behavior, but the number of invalid-recipient records in the mail log still exceeds threshold M6, send the sender's mailbox information to the administrator for manual analysis; if the administrator judges it to be email address scanning behavior, add the sender information to the blacklist for interception. Manual judgement further strengthens the identification and interception of email address scanning behavior.
[0039] Add each sender address judged to exhibit email address scanning behavior to the blacklist for interception.
[0040] At the same time, the email address scanning analysis system can build a model from the numbers of normal and invalid mails the mail server received within a set period, as recorded in the collected mail logs, dynamically adjust thresholds M1 to M6, and assign each threshold a different weight according to the analysis type so as to adapt flexibly to different application scenarios.
[0041] C. According to the results of steps A and B, if scanning behavior is judged, add the sender's mail feature information to the blacklist for interception; otherwise process the mail as normal mail.
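As an added worked example (not code from the patent or its assignee), the following Python re-implements analyses (1) to (6) of paragraphs [0033] to [0038] over a constructed mail log. The log format, the threshold values M1 to M6, the 60-second unit time and the rule for attributing a hot window to its senders are all assumptions; the patent leaves them to the operator.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed mail-log format (an assumption; the patent only says the mail
# system "generates a mail log"): epoch_seconds sender recipient smtp_code subject
SAMPLE_LOG = """\
1000 scan@evil.example abc1@mail.com 550 hello
1005 scan@evil.example abc2@mail.com 550 hello
1010 scan@evil.example abc3@mail.com 550 hello
1015 scan@evil.example abc4@mail.com 250 hello
1020 a1@spam.example bob@mail.com 550 win a prize
1025 a2@spam.example carol@mail.com 550 win a prize
1030 a3@spam.example dave@mail.com 550 win a prize
2000 alice@partner.example bob@mail.com 250 Q3 report
2100 alice@partner.example typo@mail.com 550 Q3 report
2200 alice@partner.example typo2@mail.com 550 Q3 report
"""

# Placeholder values for M1..M6 and the unit time; the patent leaves them operator-set.
THRESHOLDS = {"M1": 5, "M2": 3, "M3": 2, "M4": 2, "M5": 2, "M6": 1}
WINDOW_S = 60

@dataclass(frozen=True)
class Entry:
    ts: int
    sender: str
    recipient: str
    code: int
    subject: str

def classify_code(code):
    """Paragraph [0031]: 250/251 -> recipient exists, 550 -> invalid address."""
    if code in (250, 251):
        return "valid"
    if code == 550:
        return "invalid"
    return "unknown"

def parse_log(text):
    entries = []
    for line in text.splitlines():
        ts, sender, rcpt, code, subject = line.split(" ", 4)
        entries.append(Entry(int(ts), sender, rcpt, int(code), subject))
    return entries

# local-part stem, trailing number, domain: abc12@mail.com -> ("abc", "12", "mail.com")
ENUM_RE = re.compile(r"^(.*?)(\d+)@(.+)$")

def longest_run(nums):
    """Length of the longest run of consecutive integers in nums."""
    s, best = set(nums), 0
    for n in s:
        if n - 1 not in s:           # n starts a run
            k = 0
            while n + k in s:
                k += 1
            best = max(best, k)
    return best

def analyze(entries, th=THRESHOLDS, window_s=WINDOW_S):
    """Apply analyses (1)-(6); return senders flagged per analysis, the resulting
    blacklist, and senders referred to an administrator for manual review."""
    invalid = [e for e in entries if classify_code(e.code) == "invalid"]
    flagged = defaultdict(set)

    # (1) invalid addresses per unit time: a global count. The patent does not say
    # which sender is blamed; every sender with an invalid record inside the hot
    # window is flagged here (assumption).
    per_window = defaultdict(list)
    for e in invalid:
        per_window[e.ts // window_s].append(e.sender)
    for senders in per_window.values():
        if len(senders) > th["M1"]:
            flagged["invalid_per_unit_time"].update(senders)

    # (2) enumerated recipients: same stem and domain, consecutive numbers, one sender
    enum_groups = defaultdict(list)
    for e in entries:
        m = ENUM_RE.match(e.recipient)
        if m:
            stem, num, domain = m.groups()
            enum_groups[(e.sender, stem, domain)].append(int(num))
    for (sender, _, _), nums in enum_groups.items():
        if longest_run(nums) > th["M2"]:
            flagged["enumeration"].add(sender)

    # (3) one sender, many distinct recipients answered with 550
    by_sender = defaultdict(set)
    for e in invalid:
        by_sender[e.sender].add(e.recipient)
    for sender, rcpts in by_sender.items():
        if len(rcpts) > th["M3"]:
            flagged["same_sender"].add(sender)

    # (4) same subject from different senders, many 550 replies
    by_subject = defaultdict(list)
    for e in invalid:
        by_subject[e.subject].append(e.sender)
    for senders in by_subject.values():
        if len(set(senders)) > 1 and len(senders) > th["M4"]:
            flagged["same_subject"].update(senders)

    # (5) senders sharing a domain suffix, many 550 replies
    by_domain = defaultdict(list)
    for e in invalid:
        by_domain[e.sender.rsplit("@", 1)[1]].append(e.sender)
    for senders in by_domain.values():
        if len(senders) > th["M5"]:
            flagged["same_suffix"].update(senders)

    blacklist = set().union(*flagged.values())

    # (6) not judged as scanning, but still more than M6 invalid replies -> administrator
    counts = defaultdict(int)
    for e in invalid:
        counts[e.sender] += 1
    review = {s for s, n in counts.items() if n > th["M6"] and s not in blacklist}
    return dict(flagged), blacklist, review

if __name__ == "__main__":
    flagged, blacklist, review = analyze(parse_log(SAMPLE_LOG))
    print("flagged:", flagged)
    print("blacklist:", sorted(blacklist), "review:", sorted(review))
```

On the sample log the enumerating sender is caught by analyses (2), (3) and (5), the three spam.example senders by (4) and (5), and alice@partner.example, with two typo bounces and no scanning pattern, is only referred for review; lowering M1 to 2 makes analysis (1) fire on both 60-second windows as well. Note that analyses (3) to (5) overlap heavily, which is why the patent weights the thresholds per analysis type rather than treating them as independent signals.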
