JP2011034417A - Device, method and program for determining junk mail - Google Patents

Abstract

A spam mail determination apparatus and a spam mail determination method for determining whether or not a spam mail is efficiently sent without leaking host information of a communication destination to the outside without FP and FN being smaller than existing rules, and Provide a junk mail determination program.
A receiving unit that receives an e-mail, an analysis unit that analyzes header information received by the receiving unit in the course of a session, and characteristics of the e-mail based on a result analyzed by the analyzing unit. A first feature vector generation unit 13 that generates a feature vector to be shown; a classifier creation unit 14 that generates a junk mail classifier by associating the feature vector and the label; and the feature vector is input to the classifier; A first determination unit 15 that determines a label attached to the feature vector, and a receiving unit so as not to receive the body text of the email corresponding to the feature vector when the label attached to the feature vector is a junk mail And a control unit 16 that controls the control unit 11.
[Selection] Figure 1

Description

  The present invention relates to a spam mail determination device, a spam mail determination method, and a spam mail determination program for determining whether a received electronic mail is a spam mail or a normal mail.

  In recent years, the number of spam mails has been increasing due to the fact that it has become possible to easily send and receive electronic mails (hereinafter referred to as mails) due to the development of networks. Here, “spam mail” means mail that is sent indiscriminately and in large quantities without ignoring the recipient's intention and without prior request or consent. Synonyms for this spam mail include “junk mail”, “junk mail”, “UCE (Unsolicited Commercial Email)”, “UBE (Unsolicited Bulk Email)”, and the like.

  Such spam emails include virus infections due to attachments, etc., decreased productivity and efficiency of recipients due to an increase in unnecessary emails, increased load on servers and networks due to increased traffic, and fraudulent sites It can be a threat regardless of individuals or organizations in terms of privacy or leakage of confidential information due to guidance.

  The problems caused by spam emails as described above have already reached the level of social problems. In view of the fact that email addresses are available at low cost and that high-speed communications with a flat rate are provided at a low cost, spam emails are expected to increase without decreasing in the future. Effective measures against email are urgently required.

  Here, a technique has been proposed in which it is determined whether or not the mail is a spam mail from information (header information) obtained before the mail text is received, and the reception of the mail text is rejected (see Non-Patent Document 1). . According to this technology, the characteristics (character string characteristics) that frequently appear in spam mails and spam mail transmission servers are made uniform. In addition, a technique has been proposed in which it is determined whether or not a spam mail is based on header information using a blacklist of IP addresses created based on a user report, and the mail body is rejected (non-patent) See reference 2.) The “header information” is a concept including a command and an IP address during the SMTP session.

Spam mail determination method (S25R), [July 15, 2009], Internet <http: // www. gabacho-net. jp / anti-spam / paper. html> Spam mail determination method (spamhaus), [July 15, 2009], Internet <http: // www. spamhaus. org />

  By the way, in the technique according to Non-Patent Document 1, in order to determine whether or not the mail is spam mail based on the header information, the host information of the communication destination (such as which mail server the SMTP server has received the e-mail from, etc.) (Information) does not leak, but according to research by the inventors, it has been found that there is as much as 10% or more of the ratio of normal mail to be determined as spam mail (FP).

  On the other hand, spamhaus's DNSBL (Domain Name System Black List) described in Non-Patent Document 2 is based on a report from a user, according to the research of the inventors, etc., and therefore a ratio of missing spam mail (false negative: FN) ) Was found to be present at about 20%. Furthermore, in the spamhouse DNSBL, an inquiry is made to an external DSNBL server using all the host information of the communication destination as a query, so that the DNSBL server can grasp which mail server and which mail server exchange information. .

  The present invention is nuisance mail determination in which FP and FN are smaller than the techniques shown in Non-Patent Documents 1 and 2, and whether or not the host information of the communication destination is spam mail efficiently without leaking to the outside An object is to provide a device, a spam mail determination method, and a spam mail determination program.

  The present invention provides the following solutions.

  (1) In order to solve the above-described problem, the spam mail determination device according to the present invention receives an email composed of header information and a text through a series of sessions, and receives the email in the course of the session. An analysis unit that analyzes the header information received by the unit, a first feature vector generation unit that generates a feature vector indicating a feature of the e-mail based on a result analyzed by the analysis unit, and a plurality of teacher data in advance Mail log data or e-mail is collected, a feature vector indicating the characteristics of the mail log data or e-mail is generated from each mail log data or e-mail header information, and based on each mail log data or e-mail header information To determine whether the mail log data or e-mail is junk mail using a predetermined method. A classifier creating unit for generating a spam mail classifier by associating the feature vector with the label, and adding a label indicating whether the feature vector is spam or not based on the result of A feature vector generated by a first feature vector generator is input to the classifier, a first determiner that determines a label attached to the feature vector, and the feature vector by the first determiner And a control unit that controls the receiving unit so as not to receive the body of the e-mail corresponding to the feature vector.

  According to such a configuration, the junk mail determination device analyzes the header information received before receiving the body of the email, generates a feature vector indicating the feature of the email, and uses the feature vector as a predetermined method. It is determined whether or not the e-mail is a junk e-mail by inputting it into the classifier created in the above.

  Therefore, the spam mail determination device determines whether the FP and FN are smaller than the existing rules (for example, S25R, DSNBL, etc.) and is efficiently spam mail without leaking the host information of the communication destination to the outside. Can be determined.

  (2) In the junk mail determination device, the classifier creation unit includes a collection unit that collects a plurality of mail log data or emails as the teacher data, and mail log data or emails collected by the collection unit. Analyzing header information, and based on the result of the analysis, a second feature vector generation unit that generates a feature vector indicating a feature of mail log data or email, and the collection unit based on the predetermined determination method A second determination unit that refers to the mail log data or the header information of the email collected by the above and determines whether the email log data or the email is a junk mail or a normal mail; and the second Based on the result determined by the determination unit, the number determined to be junk mail and the number determined to be normal mail for each feature vector. A comparison unit for comparing, a label adding unit for adding a label indicating spam mail or a label indicating normal mail to the feature vector based on a comparison result of the comparison unit, and labeling The classifier for classifying whether the mail is junk mail or normal mail based on the received mail log data or the header information of the e-mail based on the label given to the feature vector by the section It is preferable to provide a creation unit.

  According to such a configuration, the junk mail determination device collects a plurality of mail log data or e-mails as teacher data in advance, generates a feature vector from each mail log data or e-mail header information, A rule (for example, S25R or DNSBL) is used to determine whether the message is spam based on mail log data or email header information, and a label is assigned to the feature vector based on the determination result. Create a classifier based on the label.

  Therefore, the spam mail determination device does not determine whether or not it is simply spam mail from the header information based on the existing rules, and spam mail based on learning using a lot of header information without manual intervention for labeling in learning. Classifiers can be created. Further, the junk mail determination device generates a feature vector based on the header information of the received e-mail, and determines whether the e-mail is spam mail by applying the generated feature vector to the created classifier. In addition, it is possible to reduce the false detection by simply using the existing rule, that is, the rate of false detection of normal mail as spam mail (false positive: FP).

  Moreover, since the spam mail determination device can determine whether or not the email is spam mail based on the feature vector generated from the analysis result of the header information, it receives the body text of the email and Without analyzing the main text, it is possible to determine whether or not the mail is spam mail with high accuracy based on the feature vector generated from the analysis result of the header information. In addition, since the spam mail determination device can create a classifier regardless of the manual operation, it can perform a cold start operation by eliminating artificial elements in the process of creating the classifier.

(3) In the junk mail determination device, when only the first condition is satisfied, the label adding unit adds a label S indicating junk mail to the feature vector ri, and the second condition If it satisfies, it is preferable to assign a label H indicating that the feature vector ri is a normal mail.

  According to such a configuration, the spam mail determination device erroneously determines that normal mail is spam mail by arbitrarily setting k1 and k2 (for example, k1 = 0.001, k2 = 0). It will not be done.

但し、ｋｒ１，ｋｓ１，ｋｔ１、ｋｒ２，ｋｓ２，ｋｔ２は、０≦ｋｒ１＜１、０≦ｋｓ１＜１、０≦ｋｔ１＜１、０≦ｋｒ２＜１、０≦ｋｓ２＜１、０≦ｋｔ２＜１を満たす任意の値である。 (4) In the junk mail determination device, the label assigning unit is based on information included in the result of analyzing the mail log data or the header information of the e-mail using the feature vector ri generated by the feature vector generating unit. When the third feature vector ti is divided into the first feature vector si and the second feature vector ti and the third condition is satisfied, a label S indicating spam mail is assigned to the feature vector ri, If the third condition is not satisfied but the fourth condition is satisfied, a label H indicating normal mail is given to the feature vector ri, and the third condition and the fourth condition are given. If the fifth condition is satisfied, a first label s1 is assigned to the first feature vector si, and the fifth condition is not satisfied but the sixth condition is satisfied. When satisfying, the second label h1 is given to the first feature vector si, and when the fifth condition and the sixth condition are not satisfied, the first feature vector si is set. On the other hand, when the third label n1 is assigned and the seventh condition is satisfied, the fourth label s2 is assigned to the second feature vector ti, and the seventh condition is not satisfied. When the condition of 8 is satisfied, a fifth label h2 is assigned to the second feature vector ti, and when the seventh condition and the eighth condition are not satisfied, the second feature vector ti A sixth label n2 is assigned to the feature vector ti, and a combination of the labels assigned to the first feature vector si and the second feature vector ti is the first label s1 and the fourth label. Combination of labels s2 of the first In the case of a combination of a label s1 and the sixth label n2, or a combination of the third label n1 and the fourth label s2, a label S indicating spam is applied to the feature vector ri. If the combination of the labels assigned to the first feature vector si and the second feature vector ti is a combination other than the above-mentioned combinations, it is a normal mail for the feature vector ri. It is preferable to apply a label H indicating that this is the case.

However, kr1, ks1, kt1, kr2, ks2, kt2 are 0 ≦ kr1 <1, 0 ≦ ks1 <1, 0 ≦ kt1 <1, 0 ≦ kr2 <1, 0 ≦ ks2 <1, 0 ≦ kt2 <1 Any value that satisfies

  According to such a configuration, the spam mail determination device can arbitrarily set kr1, kr2, ks1, ks2, kt1, and kt2 (for example, kr1 = ks1 = kt1 = 0.001, kr2 = ks2 = kt2). = 0) All received mails are judged to be spam mails or normal mails, and normal mails are not mistakenly judged to be spam mails.

  (5) In order to solve the above-described problem, the spam mail determination method according to the present invention receives an email composed of header information and a body text through a series of sessions, and receives the email in the course of the session. An analysis step for analyzing the header information received by the step, a feature vector generation step for generating a feature vector indicating the feature of the e-mail based on the result analyzed by the analysis step, and a plurality of mail logs as teacher data in advance Collect data or e-mail, generate a feature vector indicating the characteristics of e-mail log data or e-mail from each e-mail log data or e-mail header information, and generate a predetermined vector based on each e-mail log data or e-mail header information Judgment method determines whether mail log data or e-mail is junk mail. A classifier creating step of generating a spam mail classifier by associating the feature vector with the label indicating whether it is spam based on a result of the determination, and associating the feature vector with the label; The feature vector generated by the feature vector generation step is input to the classifier, the determination step for determining the label attached to the feature vector, and the label attached to the feature vector by the determination step is annoying In the case of a mail, it is characterized by comprising a control step of controlling the reception step so as not to receive the body of the electronic mail corresponding to the feature vector.

  According to such a configuration, the junk mail determination method analyzes the header information received before receiving the body of the email, generates a feature vector indicating the feature of the email, and uses the feature vector as a predetermined method. It is determined whether or not the e-mail is a junk e-mail by inputting it into the classifier created in the above.

  Therefore, the spam mail determination method is such that FP and FN are smaller than existing rules (for example, S25R, DSNBL, etc.), and whether or not spam mail is efficiently made without leaking the host information of the communication destination to the outside. Can be determined.

  (6) A spam mail determination program according to the present invention is a spam mail determination program for realizing, by a computer, a method for determining whether a mail is a spam mail or a normal mail in order to solve the above problem. A receiving step for receiving an email composed of header information and body text through a series of sessions, an analyzing step for analyzing the header information received by the receiving step in the course of the session, and an analysis step A feature vector generation step for generating a feature vector indicating the feature of the email based on the result, and a plurality of email log data or emails are collected in advance as teacher data, and email is sent from each email log data or email header information. Generate a feature vector indicating the characteristics of log data or email, and send each email Whether or not the mail log data or the e-mail is a junk e-mail by a predetermined determination method based on the header information of the message data or the e-mail A classifier creating step of generating a junk mail classifier by associating the feature vector with the label, and inputting the feature vector generated by the feature vector generating step to the classifier A determination step for determining a label attached to the feature vector; and when the label attached to the feature vector in the determination step is junk mail, the body text of the email corresponding to the feature vector is The control step of controlling the reception step so as not to receive is realized by a computer.

  According to such a configuration, the junk mail determination program analyzes the header information received before receiving the body of the email, generates a feature vector indicating the feature of the email, and uses the feature vector as a predetermined method. It is determined whether or not the e-mail is a junk e-mail by inputting it into the classifier created in the above.

  Therefore, the junk mail determination program determines whether FP and FN are smaller than existing rules (for example, S25R, DSNBL, etc.) and is efficiently spam mail without leaking the host information of the communication destination to the outside. Can be determined.

  According to the present invention, whether FP and FN are smaller than existing rules (for example, S25R, DSNBL, etc.) and whether or not it is spam mail efficiently without leaking the host information of the communication destination to the outside. Can be determined.

It is a block diagram which shows the structure of the junk mail determination apparatus which concerns on this embodiment. It is a block diagram which shows the structure of the classifier production | generation part of the junk mail determination apparatus which concerns on this embodiment. It is a block diagram which shows the structure of the spam mail determination system using the junk mail determination apparatus concerning this embodiment. It is a flowchart with which it uses for description about the procedure which determines whether it is a spam mail.

  Hereinafter, an exemplary embodiment of the present invention will be described with reference to FIGS. 1 to 4. The spam mail determination device 1 according to the embodiment of the present invention, in a series of sessions in which emails are transmitted and received, in a state in which header information is received, that is, in a state before the text is received, This is an apparatus that discards (blocks) reception of the body text of an e-mail if it is determined whether it is spam mail. The “header information” is a concept including a command and an IP address during the SMTP session.

As shown in FIG. 1, the junk mail determination device 1 includes a reception unit 11, an analysis unit 12, a first feature vector generation unit 13, a classifier creation unit 14, a first determination unit 15, and a control. Part 16.
The receiving unit 11 receives an electronic mail composed of header information and a text through a series of sessions. The receiving unit 11 has a function as an MTA (message transfer agent), receives an electronic mail transmitted from a user terminal, and cooperates with other servers to reach a destination server. It has a function of delivering or storing an electronic mail delivered from another server until the user's terminal receives it.

The analysis unit 12 analyzes the header information received by the reception unit 11 in the course of a series of sessions for receiving electronic mail. Specifically, the analysis unit 12 obtains country information by referring to the mapping table from information included in the header information, or performs reverse lookup of the IP address or the like.
The first feature vector generation unit 13 generates a feature vector indicating the feature of the electronic mail based on the result analyzed by the analysis unit 12. A specific method for generating feature vectors will be described later.

  The classifier creating unit 14 collects a plurality of mail log data or e-mails as teacher data in advance, generates a feature vector indicating the characteristics of the mail log data or e-mail from each mail log data or e-mail header information, Based on each mail log data or e-mail header information, it is determined whether or not the mail log data or e-mail is a junk e-mail by a predetermined determination method. A label indicating whether or not there is provided, and a feature vector and a label are associated with each other to generate a junk mail classifier. The mail log data is recorded data that remains on the SMTP server. A specific method for generating the classifier will be described later.

The first determination unit 15 inputs the feature vector generated by the first feature vector generation unit 13 to the classifier, and determines the label given to the feature vector.
When the label given to the feature vector by the first determination unit 15 is a junk mail, the control unit 16 controls the receiving unit 11 so as not to receive the body text of the email corresponding to the feature vector. .

  According to such a configuration, the junk mail determination device 1 analyzes the received header information before receiving the body of the email, generates a feature vector indicating the feature of the email, and sets the feature vector as a predetermined value. By inputting into the classifier created by the method, it is determined whether or not the electronic mail is spam mail.

  Therefore, the junk e-mail determination device 1 does not simply allow or reject clients that cannot be reversed based on the header information, nor does it permit or reject clients that are estimated not to be mail servers from the reverse name. Since it is not intended to determine whether or not it is spam mail from header information using a blacklist of IP addresses created based on the report and to receive the mail body, FP and FN are not subject to existing rules (for example, S25R, DSNBL, etc.), and it is possible to determine whether or not it is spam mail safely and efficiently without leaking the host information of the communication destination to the outside like DSNBL. .

  Next, a specific configuration and operation of the classifier creating unit 14 will be described. As shown in FIG. 2, the classifier creation unit 14 includes a collection unit 21, a second feature vector generation unit 22, a second determination unit 23, a comparison unit 24, a label addition unit 25, and a creation unit. 26.

  The collection unit 21 collects a plurality of mail log data or emails as teacher data. Specifically, the collection unit 21 collects mail log data or e-mail received in the past, or mail log data or e-mail stored in another server via the network 50 as teacher data. Note that the collected mail log data or electronic mail includes mail determined to be spam mail and mail determined to be normal mail.

  The second feature vector generation unit 22 analyzes the mail log data or email header information collected by the collection unit 21, and based on the result of the analysis, a feature vector indicating the feature of the mail log data or email Is generated. A feature vector generation method will be described later. In addition, since the second feature vector generation unit 22 has the same function as the first feature vector generation unit 13, the second feature vector generation unit 22 may be configured to also serve as the first feature vector generation unit 13.

  The second determination unit 23 refers to the mail log data collected by the collection unit 21 or the header information of the email based on a predetermined determination rule (for example, S25R, DNSBL, etc.), and It is determined whether the e-mail is spam mail or normal mail. In the present embodiment, the second determination unit 23 determines that it is spam mail when it is determined as spam mail in both S25R and DNSBL, but is not limited thereto.

  Based on the result determined by the second determination unit 23, the comparison unit 24 compares the number determined to be junk mail for each feature vector with the number determined to be normal mail. Based on the comparison result of the comparison unit 24, the label assigning unit 25 assigns a label indicating spam mail or a label indicating normal mail to the feature vector.

  The creation unit 26 classifies whether the mail is junk mail or normal mail based on the received mail log data or the header information of the e-mail based on the label given to the feature vector by the label giving unit 25. Create a classifier to do.

  According to such a configuration, the spam mail determination device 1 collects a plurality of mail log data or e-mails as teacher data in advance, generates a feature vector from each mail log data or e-mail header information, Judgment rules (for example, S25R, DNSBL, etc.) determine whether or not the mail is spam based on mail log data or email header information, and assign a label to the feature vector based on the determination result. Create a classifier based on the label.

  Therefore, the spam mail determination device 1 does not determine whether or not it is simply spam mail based on existing rules based on existing rules, and spam based on learning that makes heavy use of header information without manual intervention for labeling in learning. A mail classifier can be created. The spam mail determination device 1 generates a feature vector based on header information of the received electronic mail, and determines whether the electronic mail is spam mail by applying the generated feature vector to the created classifier. Therefore, it is possible to reduce a false detection by simply using an existing rule, that is, a rate of false detection of normal mail as spam mail (false positive: FP).

  Moreover, since the junk mail determination device 1 can determine whether or not the e-mail is a spam mail based on the feature vector generated from the analysis result of the header information, the junk mail determination device 1 receives the body of the e-mail (Body), Without analyzing the body, it is possible to determine whether or not it is spam mail with high accuracy based on the feature vector generated from the analysis result of the header information. Moreover, since the spam mail determination device 1 can create a classifier without manual intervention, it can perform a cold start operation by eliminating artificial elements in the process of creating the classifier.

<Feature vector generation method>
Here, a method for generating a feature vector from teacher data in the second feature vector generation unit 22 will be described. A feature vector ri is defined as follows for each of mail log data or electronic mail included in the teacher data. The method for generating a feature vector by the first feature vector generation unit 13 is the same.
r _i = (x _i1 , x _i2 , x _i3 , x _i4 , x _i5 , x _i6 , x _i7 , x _i8 , x _i9 , x _i10 , x _i11 , x _i12 )

Further, each element (x _i1 , x _i2 , x _i3 , x _i4 , x _i5 , x _i6 , x _i7 , x _i8 , x _i9 , x _i10 , x _i11, and x _i12 ) of the feature vector ri is as follows: Define.
x _i1 : “1” when the domain of the mail address in the MAIL FROM command in the SMTP (Simple Mail Transfer Protocol) session matches the domain of the reverse DNS host name of the IP address, and “0” otherwise. And
x _i2 : “1” when the domain of the mail address in the MAIL FROM command during the SMTP session matches at least one of the domain of the host name in the Authority section when the DNS reverse lookup of the IP address is performed Other than that, “0” is set.
x _i3 : “1” is set when the domain of the mail address in the MAIL FROM command in the SMTP session matches the domain of the host name in the HELO / EHLO command, and “0” is set otherwise.
x _i4 : “1” if the DNS reverse DNS host name domain of the IP address matches at least one of the host name domains in the Authority section when the reverse DNS address lookup is performed Is “0”.
x _i5 : “1” is set when the domain of the reverse DNS host name of the IP address matches the domain of the host name in the HELO / EHLO command, and “0” is set otherwise.

x _i6 : “1” when at least one of the host name domains in the Authority section when the DNS of the IP address is reversely matched matches the host name domain in the HELO / EHLO command. Is “0”.
x _i7 : “1” when the DNS reverse host name of the IP address exists, “0” otherwise.
x _i8 : (number of numbers in host name in HELO / EHLO command) ≧ (number of numbers used in IP address) (eg host name in EG HELO / EHLO command: 10.5. 5.1, log-hero: 10-5-5-1.example.com) is “1”, and the others are “0”.
x _i9 : (Number of numbers in DNS reverse DNS host name of IP address) ≧ (Number of numbers used in IP address) is set to “1”, and other than “0”.
x _i10 : A case where log-hero does not end in the top level domain is set to “1”, and other cases are set to “0”.
x _i11 : “1” when coming from the home country, “0” otherwise. The relationship between the IP address and the country can be acquired by referring to the mapping table. The spam mail determination device 1 may have a mapping table itself, or may access another device having the mapping table via the network 50 to acquire country information.
x _i12 : The host name in the HELO / EHLO command does not include a dot, or the host name in the HELO / EHLO command is in the IP address format and does not match the actual IP address, or in the HELO / EHLO command When the domain of the host name matches the domain of the mail address (destination mail address) in the RCPT TO command, “1” is set, and other cases are set to “0”.

  In the present embodiment, the “domain” is defined as the second level domain or the third level domain registered in the WHOIS server or the like.

For example, the second feature vector generation unit 22 analyzes the header information of the email a, determines each element based on the analysis result, and generates the feature vector ra as follows.
_{ra = (x a1, x a2} , x a3, x a4, x a5, x a6, x a7, x a8, x a9, x a10, x a11, x a12) = (1,1,1,1,1 , 1,1,1,1,1,0,0)
The second feature vector generation unit 22 generates such a feature vector ri for all mail log data or e-mail collected as teacher data. The feature vector ri has 12 types of elements in this embodiment. Therefore, theoretically, mail log data or electronic mail can be classified into 4096 types. Each definition of the feature vector ri described above is an example, and other elements may be added. By increasing the elements, mail log data or e-mails can be classified into 4096 types or more. Depending on the number of elements, mail log data or e-mail can be classified in detail.

<Labeling (1)>
Also, the label giving unit 25, when the feature vector ri generated by the second feature vector generating unit 22 satisfies only the first condition shown below, the label S ( When the second condition shown below is satisfied, a label H (Ham) indicating a normal mail is assigned.

  According to such a configuration, the junk mail determination device 1 sets k1 and k2 arbitrarily (for example, k1 = 0.001, k2 = 0), and mistakenly identifies a normal mail as a spam mail. It will not be judged.

<Labeling (2)>
The label assigning unit 25 also uses the first feature based on the information included in the result of analyzing the mail log data or the header information of the e-mail from the feature vector ri generated by the second feature vector generating unit 22. The vector si may be divided into the second feature vector ti, and the label S or the label H may be given to the feature vector ri by the following procedure.
r _i = (x _i1 , x _i2 , x _i3 , x _i4 , x _i5 , x _i6 , x _i7 , x _i8 , x _i9 , x _i10 , x _i11 , x _i12 )
si = (x _i1 , x _i2 , x _i3 , x _i4 , x _i5 , x _i6 )
ti = (x _i7 , x _i8 , x _i9 , x _i10 , x _i11 , x _i12 )

  When the third condition shown below is satisfied, the label assigning unit 25 assigns a label S indicating spam mail to the feature vector ri and does not satisfy the third condition. If the fourth condition is satisfied, a label H indicating normal mail is assigned to the feature vector ri.

In addition, when the third condition and the fourth condition are not satisfied, the label assigning unit 25 assigns one of the first label s1 to the sixth label n2 to the feature vector ri according to the following procedure. To do.
When the fifth condition shown below is satisfied, the label assigning unit 25 assigns the first label s1 to the first feature vector si and does not satisfy the fifth condition. When the condition 6 is satisfied, the second label h1 is assigned to the first feature vector si, and when the fifth condition and the sixth condition are not satisfied, the first feature vector si is set. On the other hand, a third label n1 is given. In addition, when the seventh condition shown below is satisfied, the label assigning unit 25 assigns the fourth label s2 to the second feature vector ti and does not satisfy the seventh condition. When the eighth condition shown is satisfied, a fifth label h2 is assigned to the second feature vector ti, and when the seventh condition and the eighth condition are not satisfied, the second feature vector A sixth label n2 is assigned to ti.

但し、ｋｒ１，ｋｓ１，ｋｔ１、ｋｒ２，ｋｓ２，ｋｔ２は、０≦ｋｒ１＜１、０≦ｋｓ１＜１、０≦ｋｔ１＜１、０≦ｋｒ２＜１、０≦ｋｓ２＜１、０≦ｋｔ２＜１を満たす任意の値である。また、所定のルールとは、例えば、Ｓ２５ＲやＤＮＳＢＬ等である。 The label assigning unit 25 determines that the combination of the labels assigned to the first feature vector si and the second feature vector ti is the combination of the first label s1 and the fourth label s2, and the first label s1. And the sixth label n2, or the combination of the third label n1 and the fourth label s2, the label S indicating spam mail is assigned to the feature vector ri. In addition, when the combination of labels assigned to the first feature vector si and the second feature vector ti is a combination other than the above combination, the label assigning unit 25 sends a normal mail to the feature vector ri. The label H which shows that it is is given.

However, kr1, ks1, kt1, kr2, ks2, kt2 are 0 ≦ kr1 <1, 0 ≦ ks1 <1, 0 ≦ kt1 <1, 0 ≦ kr2 <1, 0 ≦ ks2 <1, 0 ≦ kt2 <1 Any value that satisfies The predetermined rule is, for example, S25R, DNSBL, or the like.

  According to such a configuration, the spam mail determination apparatus 1 arbitrarily sets kr1, kr2, ks1, ks2, kt1, and kt2 (for example, kr1 = ks1 = kt1 = 0.001, kr2 = ks2 = kt2 = 0), it is determined whether all received mails are spam mails or normal mails, and normal mails are not erroneously determined to be spam mails.

  The creating unit 26 creates a classifier based on the label given to the feature vector by the label assigning unit 25. The spam mail determination device 1 may determine whether it is a spam mail or a normal mail based on the received mail log data or the header information of the email using the classifier created in this way. it can. Further, the spam mail determination device 1 can expect a learning effect according to an increase in the number of received mail log data or emails by feeding back the determined result to the label attaching unit 25 and updating the classifier.

<Spam determination method>
Next, a method for determining whether or not the received electronic mail is a spam mail will be described with reference to the flowchart shown in FIG.
In the receiving step ST1, the receiving unit 11 receives an e-mail composed of header information and a text through a series of sessions.

In the analysis step ST2, the analysis unit 12 analyzes the header information received in the reception step ST1 during the session.
In the feature vector generation step ST3, the first feature vector generation unit 13 generates a feature vector indicating the feature of the electronic mail based on the result analyzed in the analysis step ST2.

  In the classifier creating step ST4, the classifier creating unit 14 collects a plurality of mail log data or e-mails as teacher data in advance, and determines the characteristics of the mail log data or e-mail from each mail log data or e-mail header information. A feature vector is generated, and whether or not the mail log data or the email is spam is determined by a predetermined determination method based on each mail log data or the header information of the email, and the feature is based on the result of the determination A label indicating whether or not it is a spam mail is assigned to the vector, and a spam mail classifier is generated by associating the feature vector with the label.

In the determination step ST5, the first determination unit 15 inputs the feature vector generated in the feature vector generation step ST3 to the classifier generated in the classifier creation step ST4, and uses the label given to the feature vector. judge.
In the control step ST6, when the label given to the feature vector in the determination step ST5 is a junk mail, the control unit 16 causes the receiving unit 11 not to receive the body text of the email corresponding to the feature vector. Control.

  In this way, the junk mail determination method analyzes header information received before receiving the body of the email, generates a feature vector indicating the feature of the email, and creates the feature vector by a predetermined method. It is determined whether or not the e-mail is a junk mail by inputting to the classifier.

  Therefore, the junk e-mail determination method does not simply allow or reject clients that cannot be reversed based on the header information, or does not allow or reject clients that are presumed not to be mail servers from the reverse name. Since it is not intended to determine whether it is spam mail from the header information using a black list of IP addresses created based on the IP address and to receive the mail body, FP and FN are not subject to existing rules (for example, S25R It is possible to determine whether it is spam mail safely and efficiently without leaking the host information of the communication destination to the outside as in DSNBL.

<Example>
Next, the configuration and operation of the spam mail determination system 100 using the spam mail determination device 1 will be described. As shown in FIG. 3, the spam mail determination system 100 includes an SMTP server 110, a rule creation unit 120, an SMTP server 130, and a spam mail determination DNS server 140. The SMTP server 110 has a function corresponding to the collection unit 21 of the classifier creation unit 14. The rule creation unit 120 has functions corresponding to the second feature vector generation unit 22, the second determination unit 23, the comparison unit 24, the label assignment unit 25, and the creation unit 26. The SMTP server 130 has functions corresponding to the receiving unit 11, the analyzing unit 12, and the first feature vector generating unit 13. The spam mail determination DNS server 140 has functions corresponding to the first determination unit 15 and the control unit 16.

  The SMTP server 110 includes a mail log storage unit 111 and a log output unit 112. The mail log storage unit 111 uses e-mails received in the past, e-mails stored in other servers via the network 50, mail log data (record data left on the SMTP server), etc. as teacher data. Collect and retain these history information. The log output unit 112 automatically outputs the history information stored in the mail log storage unit 111 to the rule creation unit 120.

  The rule creation unit 120 includes a log input unit 121, a rule creation unit 122, and a rule storage unit 123. The rule creation unit 120 analyzes mail log data stored in the SMTP server 110, and detects a rule for detecting spam mail ( (Corresponding to the classifier described above) is automatically created.

  Based on the log output from the log output unit 112, the log input unit 121 collects information (header information) necessary for rule creation and transmits the collected header information to the rule creation unit 122. The rule creation unit 122 processes the header information collected by the log input unit 121 to create a rule. Specifically, the rule creation unit 122 creates a rule (classifier) according to the above-described <feature vector generation method>. The rule storage unit 123 stores the rules created by the rule creation unit 122.

  The SMTP server 130 includes a MTA unit 131 and a spam mail determination engine unit 132, and is a server that actually receives a mail including a spam mail and performs a spam mail determination. The MTA unit 131 receives an e-mail transmitted from the user's terminal and delivers it to a destination server in cooperation with another server or receives an e-mail delivered from another server by the user. It has a function of storing until the terminal receives it.

  The spam mail determination engine unit 132 includes a country information acquisition unit 133, an IP address reverse lookup unit 134, a feature vector creation unit 135, and a query unit 136, and information necessary for spam mail determination (HELO, IP address, A feature vector is generated from the envelope (From, TO, etc.), the spam mail determination DNS server 140 is queried, and spam determination is performed based on the determination result.

The country information acquisition unit 133 holds a mapping table in which the correspondence relationship between the IP address and the country information is recorded, refers to the mapping table, and based on the IP address included in the header information of the email Earn country information. The country information acquisition unit 133 determines whether or not the acquired country information matches the country in which the SMTP server 130 is located, and determines whether or not an e-mail is transmitted from the home country. The country information acquisition unit 133 determines the country in which the SMTP server 130 is located by registering the IP address of the SMTP server 130 in advance. Further, the feature vector creation unit 135 determines the value of the element “x _i11 ” depending on whether or not the country information acquisition unit 133 receives the email from the home country.

  The IP address reverse lookup unit 134 performs DNS reverse lookup of the IP address, and acquires the host names of the answer section and the authority section.

The feature vector creation unit 135 has the same functions as the first feature vector generation unit 13 and the second feature vector generation unit 22, and in accordance with the <feature vector generation method> described above, country information, IP address reverse information, and HELO, envelope from, the feature vector from the TO or the like _{(r i = (x i1,} x i2, x i3, x i4, x i5, x i6, x i7, x i8, x i9, x i10 , X _i11 , x _i12 )).

  The query unit 136 creates a query based on the feature vector created by the feature vector creation unit 135. Specifically, the query unit 136 has a host name of the spam mail determination DNS server 140 of “xxx.example.com” and a feature vector of “0,0,0,0,0,0,1,1, In the case of “0, 1, 0, 0”, “00000010100.xxx.example.com” is created as a query, and the forward lookup is obtained from the spam mail determination DNS server 140.

  Further, the query unit 136 determines whether or not the email is spam mail based on a response result (spam mail (S) or normal mail (H)) from the reply unit 141 described later, and transmits the spam mail to the MTA unit 131. Based on the determination result (spam mail (S) or normal mail (H)) transmitted from the query unit 136, the MTA unit 131 determines whether to receive the body text of the email. Specifically, if the determination result transmitted from the query unit 136 is spam mail (S), the MTA unit 131 discards (blocks) the email body without receiving it, and the query unit 136 When the transmitted determination result is a normal mail (H), the body of the electronic mail is received.

  The spam mail determination DNS server 140 includes an answering unit 141 and a determining unit 142. The response unit 141 receives the query “00000010100.xxx.example.com” from the query unit 136, extracts the feature vector “00000010100” from the received query, and transmits the extracted feature vector to the determination unit 142. In addition, the reply unit 141 transmits the determination result (spam mail (S) or normal mail (H)) by the determination unit 142 to the query unit 136.

The determination unit 142 receives the feature vector “00000010100” and inquires the rule storage unit 123 about necessary information. Specifically, the determination unit 142 has a label attached to the same feature vector as the feature vector received from the answer unit 141 based on the rules (classifier) stored in the rule storage unit 123. It is confirmed whether the label S indicates spam mail or the label H indicates normal mail.
And when the determination part 142 confirms that the label S which shows spam mail is provided, it transmits "1277.0.0.1 (temporary)" to the reply part 141 as a determination result, When it is confirmed that the label H indicating normal mail is given, “127.0.0.2 (provisional)” is transmitted to the reply unit 141 as a determination result.

  When the reply unit 141 receives “127.0.0.1 (temporary)” from the determination unit 142, the response unit 141 transmits a determination result indicating that the mail is spam mail (S) to the query unit 136. When “127.0.0.2 (temporary)” is received from the server, a determination result indicating that the mail is normal mail (H) is transmitted to the query unit 136.

  In this way, the spam mail determination system 100 does not simply allow or reject clients that cannot be reversed based on the header information, or does not allow or reject clients that are presumed not to be mail servers from the reverse name. Since it is not intended to determine whether it is spam mail from the header information using the IP address black list or the like created based on the user's report, and to refuse to receive the mail text, the FP and FN are the existing rules. (E.g., S25R, DSNBL, etc.) can be made smaller, and the host information of the communication destination is not leaked to the outside unlike DSNBL, and it is determined whether or not it is spam mail safely and efficiently. be able to. In this embodiment, the answer unit 141 returns the answer result to the query unit 136, but the present invention is not limited to this, and the answer result may be sent directly to the MTA unit 131.

  Moreover, a series of processes by the spam mail determination device 1 and the spam mail determination system 100 described above can also be performed by software. When a series of processing is performed by software, a program constituting the software is installed in a general-purpose computer or the like. The program may be recorded on a removable medium such as a CD-ROM and distributed to the user, or may be distributed by being downloaded to the user's computer via a network.

DESCRIPTION OF SYMBOLS 1 Spam mail determination apparatus 11 Receiving part 12 Analysis part 13 1st feature vector production | generation part 14 Classifier creation part 15 1st determination part 16 Control part 21 Collection part 22 2nd feature vector generation part 23 2nd determination part 24 comparison unit 25 label addition unit 26 creation unit 50 network 100 spam mail determination system 111 mail log storage unit 112 log output unit 110 SMTP server 120 rule creation unit 121 log input unit 122 rule creation unit 123 rule storage unit 130 SMTP server 131 MTA Unit 132 spam mail determination engine unit 133 country information acquisition unit 134 IP address reverse lookup unit 135 feature vector creation unit 136 query unit 140 spam mail determination DNS server 141 answer unit 142 determination unit

Claims (6)

A receiving unit that receives an email composed of header information and a body through a series of sessions;
An analysis unit that analyzes the header information received by the reception unit in the course of the session;
A first feature vector generation unit that generates a feature vector indicating a feature of an e-mail based on a result analyzed by the analysis unit;
Collecting a plurality of mail log data or emails as teacher data in advance, generating a feature vector indicating the characteristics of the email log data or email from each email log data or email header information, and sending each email log data or email Based on the header information, it is determined whether or not the mail log data or the e-mail is a junk mail by a predetermined determination method, and indicates whether or not the feature vector is a junk mail based on the result of the determination A classifier creating unit that assigns a label and associates the feature vector with the label to generate a junk mail classifier;
A first determination unit that inputs the feature vector generated by the first feature vector generation unit to the classifier and determines a label given to the feature vector;
A control unit that controls the receiving unit so as not to receive a body of an e-mail corresponding to the feature vector when the label given to the feature vector by the first determination unit is a junk mail. An unsolicited e-mail determination device. The classifier creating unit
A collection unit for collecting a plurality of mail log data or emails as the teacher data;
A second feature vector generation unit that analyzes mail log data or email header information collected by the collection unit and generates a feature vector indicating the feature of the mail log data or email based on the analysis result When,
Based on the predetermined determination method, the mail log data or the email header information collected by the collection unit is referred to, and it is determined whether the email log data or the email is a junk mail or a normal mail. A second determination unit that
Based on the result determined by the second determination unit, a comparison unit that compares the number determined to be junk mail and the number determined to be normal mail for each feature vector;
Based on the comparison result of the comparison unit, a label providing unit that provides a label indicating spam mail or a label indicating normal mail to the feature vector;
The classifier for classifying whether the mail is junk mail or normal mail based on the received mail log data or the header information of the e-mail based on the label given to the feature vector by the label giving unit The junk mail determination device according to claim 1, further comprising: a creation unit that creates a message. The label attaching unit assigns a label S indicating spam mail to the feature vector ri when only the first condition is satisfied, and adds the label S to the feature vector ri when the second condition is satisfied. 3. The spam mail determination device according to claim 2, wherein a label H indicating that the mail is a normal mail is assigned.

The label adding unit is configured to generate a first feature vector based on information included in a result of analyzing mail log data or header information of an e-mail from the feature vector ri generated by the second feature vector generating unit. dividing into si and second feature vector ti,
If the third condition is satisfied, a label S indicating spam is given to the feature vector ri,
If the third condition is not satisfied but the fourth condition is satisfied, a label H indicating normal mail is given to the feature vector ri,
When the third condition and the fourth condition are not satisfied,
If the fifth condition is satisfied, a first label s1 is given to the first feature vector si,
If the fifth condition is not satisfied but the sixth condition is satisfied, a second label h1 is assigned to the first feature vector si,
When the fifth condition and the sixth condition are not satisfied, a third label n1 is given to the first feature vector si,
If the seventh condition is satisfied, a fourth label s2 is assigned to the second feature vector ti,
If the seventh condition is not satisfied but the eighth condition is satisfied, a fifth label h2 is assigned to the second feature vector ti,
If the seventh condition and the eighth condition are not satisfied, a sixth label n2 is assigned to the second feature vector ti,
The combination of the labels assigned to the first feature vector si and the second feature vector ti is a combination of the first label s1 and the fourth label s2, and the first label s1 and the second label. In the case of the combination of the label n2 of 6, or the combination of the third label n1 and the fourth label s2, the label S indicating spam mail is given to the feature vector ri,
If the combination of the labels assigned to the first feature vector si and the second feature vector ti is a combination other than the above combination, it indicates that the feature vector ri is a normal mail. The junk mail determination device according to claim 2, wherein a label H is given.

However, kr1, ks1, kt1, kr2, ks2, kt2 are 0 ≦ kr1 <1, 0 ≦ ks1 <1, 0 ≦ kt1 <1, 0 ≦ kr2 <1, 0 ≦ ks2 <1, 0 ≦ kt2 <1 Any value that satisfies A receiving step of receiving an email composed of header information and body text through a series of sessions;
An analysis step of analyzing the header information received by the reception step in the course of the session;
A feature vector generation step of generating a feature vector indicating the feature of the email based on the result analyzed by the analysis step;
Collecting a plurality of mail log data or emails as teacher data in advance, generating a feature vector indicating the characteristics of the email log data or email from each email log data or email header information, and sending each email log data or email Based on the header information, it is determined whether or not the mail log data or the e-mail is a junk mail by a predetermined determination method, and indicates whether or not the feature vector is a junk mail based on the result of the determination A classifier creating step of generating a junk mail classifier by assigning a label and associating the feature vector with the label;
A determination step of inputting the feature vector generated by the feature vector generation step to the classifier and determining a label attached to the feature vector;
And a control step of controlling the receiving step so that the body of the e-mail corresponding to the feature vector is not received when the label given to the feature vector by the determining step is spam. Junk mail determination method. A spam mail determination program for realizing, by a computer, a method for determining whether it is spam mail or normal mail,
A receiving step of receiving an email composed of header information and body text through a series of sessions;
An analysis step of analyzing the header information received by the reception step in the course of the session;
A feature vector generation step of generating a feature vector indicating the feature of the email based on the result analyzed by the analysis step;
Collecting a plurality of mail log data or emails as teacher data in advance, generating a feature vector indicating the characteristics of the email log data or email from each email log data or email header information, and sending each email log data or email Based on the header information, it is determined whether or not the mail log data or the e-mail is a junk mail by a predetermined determination method, and indicates whether or not the feature vector is a junk mail based on the result of the determination A classifier creating step of generating a junk mail classifier by assigning a label and associating the feature vector with the label;
A determination step of inputting the feature vector generated by the feature vector generation step to the classifier and determining a label attached to the feature vector;
When the label attached to the feature vector in the determination step is a junk mail, a control step of controlling the reception step so as not to receive the body of the e-mail corresponding to the feature vector is realized by a computer Junk e-mail judgment program.

Images