This application is related to and claims priority under 35 U.S.C. §119(a) on Japanese Patent Application No. 2007-2859 filed on Jan. 10, 2007 in the Japan Patent Office, which is incorporated by reference herein.
1. Field of the Invention
The present invention relates to recording media storing terminal identifying programs, terminal identifying apparatuses, and mail systems.
2. Description of the Related Art
Japanese Unexamined Patent Application Publication No. 2004-78648 discloses the following invention: A virus checking server in which a special protocol is embedded is provided, and the virus checking server checks communication data, such as e-mails which are sent or received by client users, based upon the special protocol. When the virus checking server detects communication data having a computer virus (hereinafter called a virus) attached to the communication data, the virus checking server removes the virus.
Furthermore, Japanese Unexamined Patent Application Publication No. 2005-204055 discloses a network management system which identifies a terminal suffering from virus infection and disconnects the terminal from a network.
According to an aspect of the present invention, there is provided a computer-readable storage medium storing a computer program for identifying a terminal infected by an e-mail with a new virus, said program causes a computer to perform the following operations of storing information of e-mails as mail archive information, distributing e-mails addressed to a terminal in response to a distribution request from the terminal, storing a distribution request history in which each distribution request is associated with a terminal identification information which serves as a terminal information for identifying the terminal that has issued the distribution request, checking the mail archive information of the e-mails on the basis of virus patterns stored in a virus definition file, identifying the terminal that has issued the distribution request of an e-mail with a new virus, the e-mail having the new virus, checking the mail archive information stored in the mail server and identifying the e-mail with the new virus, the e-mail having the new virus assigned to the e-mail, when definitions of new viruses have been added in the virus definition file, obtaining account information of the identified e-mail with the new virus, and extracting the terminal identification information of the terminal that has issued the distribution request of the e-mail with the new virus, as new-virus-infected-terminal identification information, with reference to both the account information obtained in the account-information obtaining and the distribution request history.
These together with other aspects and advantages which will be subsequently apparent, reside in the details of construction and operation as more fully hereinafter described and claimed, reference being had to the accompanying drawings forming a part hereof, wherein like numerals refer to like parts throughout.
Now, terminal identifying programs stored on storage media, terminal identifying apparatuses, and mail systems according to embodiments of the present invention will be described with reference to the accompanying drawings. The following description is directed to embodiments of a mail system which includes a mail server that executes a terminal identifying program stored on a storage medium. Hereinafter, the configuration and processing procedures of a mail system according to a first embodiment will be described. Then, similarly to the first embodiment, a mail system according to a second embodiment, a mail system according to a third embodiment, a mail system according to a fourth embodiment, and a mail system according to other embodiments will be described in order.
Overview and features of a mail system according to the first embodiment.
First, main features of a mail system according to the first embodiment will be described with reference to
The mail system 106 according to the first embodiment includes a mail server, and one or more routers that relay exchange of e-mails between the mail server and terminals. The mail server stores information of e-mails. The mail server distributes e-mails addressed to a terminal in response to a distribution request from the terminal. The mail server stores a distribution request history. The distribution request history associates each distribution request with terminal identification information of the terminal that issued the distribution request. The “router” corresponds to a “relaying device” in claims.
More specifically, as shown in
Furthermore, as shown in
At that time, as shown in
Then, the mail server checks the received e-mail on the basis of a “virus definition file” including a collection of features of viruses. More specifically, as shown in
Furthermore, as shown in
Main features of the mail system according to the first embodiment are both that a terminal which requested distribution of an e-mail having a virus attached is identified at the mail server, and that the terminal identified by the mail server is disconnected from the network at the relaying device.
These main features will now be described briefly. When definitions of new viruses have been added to the virus definition file, the mail server in the mail system according to the first embodiment checks the mail archive information to identify an e-mail having a new virus attached to the e-mail.
As shown in
Then, the mail server in the mail system according to the first embodiment obtains account information associated with the identified e-mail having the new virus attached. That is, the mail server obtains the account information “aaa” from the identified e-mail having the new virus attached (see (2) in
Then, with reference to both the obtained account information and the distribution request history, the mail server in the mail system according to the first embodiment extracts an IP address of a terminal that requested distribution of the e-mail having the new virus attached as identification information of a terminal that is infected with the new virus. For example, with reference to the distribution request history, the mail server extracts identification information of the terminal which is infected with the new virus indicating that the IP address of the terminal that requested distribution using the account information “aaa” is “192.168.20.100” (see (3) in
Then, the mail server in the mail system according to the first embodiment sends the identification information of the new-virus-infected terminal to the router. That is, the mail server sends a request for quarantining the terminal with the IP address “192.168.20.100” (see (4) in
Then, in the mail system according to the first embodiment, the mail server transmits the identification information of the new-virus-infected terminal to the first router, and the first router receives the identification information. That is, the first router receives the IP address “192.168.20.100” from the mail server as the identification information of the new-virus-infected terminal (see (5) in
Then, the router in the mail system according to the first embodiment checks whether the new-virus-infected terminal corresponding to the identification information transmitted from the mail server is a terminal that is included in the network segment that the router is in charge of. For example, when the first router receives the IP address “192.168.20.100”, since the next hop for the destination address “192.168.20.0/24” is “connected” according to a routing table shown in
Then, when the router in the mail system according to the first embodiment has determined that the new-virus-infected terminal is included in the terminals whose traffic is relayed by the first router itself, the router disconnects the new-virus-infected terminal from the network. That is, since the terminal with the IP address “192.168.20.100” is included in the terminals whose traffic is relayed by the first router, the first router disconnects the new-virus-infected terminal from the network (see (7) in
When the router executes processing for prohibiting exchange of packets, the router may allow the terminal being quarantined (the terminal with the IP address “192.168.20.100”) to carry out communications for updating an operating system (OS) running on the terminal, for updating the “virus definition file”, and so forth. Furthermore, the router may cancel prohibition of packet exchange when the router is notified by the terminal of the completion of updating of the OS or updating of the “virus definition file”.
Configuration of the mail server in the first embodiment.
Next, the configuration of the mail server in the first embodiment will be described with reference to
As shown in
The communication controller 11 controls transfer of data that is transmitted or received via a network. For example, the communication controller 11 sends and receives e-mails, receives definitions of new viruses, sends new-virus-infected-terminal identification information, and so forth according to communication protocols called SMTP/POP3. The communication controller 11 corresponds to an “infected-terminal-identification-information sending unit” in claims.
The storage unit 12 stores both data that is used for various types of processing executed by the processing unit 13, and results of various types of processing executed by the processing unit 13. As components particularly relating to features of the present invention, as shown in
The processing unit 13 executes various types of processing on the basis of both data transferred from the communication controller 11 and data stored in the storage unit 12. As components particularly relating to features of the present invention, as shown in
When definitions of new viruses have been added to the virus definition file, the e-mail-with-new-virus identifying unit 13a checks mail archive information. For example, as shown in
The e-mail-with-new-virus identifying unit 13a identifies an e-mail with a new virus, i.e., an e-mail having a new virus attached to the e-mail, and stores the result of identification in the identified-e-mail-with-new-virus storage unit 12c. The e-mail-with-new-virus identifying unit 13a checks the mail-archive-information storage unit 12b shown in
The account-information obtaining unit 13b obtains account information from the information of the e-mail with the new virus. The information of the e-mail with the new virus is stored in the identified-e-mail-with-new-virus storage unit 12c. The account-information obtaining unit 13b stores the obtained account information in the obtained-account-information storage unit 12d. For example, as shown in
With reference to both the account information stored in the obtained-account-information storage unit 12d and the distribution request history stored in the distribution-request-history storage unit 12e , the infected-terminal-identification-information extracting unit 13c extracts an IP address of a terminal that requested distribution of the e-mail with the new virus, as new-virus-infected-terminal identification information. Values of account information, an IP address, and distribution request time are associated with each other as shown in
The mail server 10 sends the extracted new-virus-infected-terminal identification information to a router 20 which will be described later. For example, the mail server 10 sends an IP packet configured as shown in
Configuration of the router in the first embodiment.
Next, the configuration of the router in the first embodiment will be described with reference to
As shown in
The communication controller 21 controls data communications between the mail server 10 and terminals. More specifically, the communication controller 21 carries out communications for exchanging e-mails between the mail server 10 and terminals. The communication controller 21 receives the new-virus-infected-terminal identification information from the mail server 10. The communication controller 21 corresponds to an “infected-terminal-identification-information receiving unit” in claims.
For example, when the communication controller 21 receives an IP packet configured as shown in
The storage unit 22 stores data that is used for various types of processing executed by the processing unit 23. As components particularly relating to features of the present invention, as shown in
The processing unit 23 executes various types of processing on the basis of both data transferred from the communication controller 21 and data stored in the storage unit 22. As components particularly relating to features of the present invention, as shown in
A router 20 receives the new-virus-infected-terminal identification information from the mail server 10. With reference to the routing table stored in the path-information storage unit 22a, the infected-terminal determining unit 23a determines whether the new-virus-infected terminal corresponding to the new-virus-infected-terminal identification information is included in terminals whose traffic is relayed by the router 20. Then, the infected-terminal determining unit 23a stores the result in the infected-terminal-determination-result storage unit 22b. More specifically, as shown in
On the other hand, when the infected-terminal determining unit 23a determines that the new-virus-infected terminal corresponding to the new-virus-infected-terminal identification information is not included in the terminals whose traffic is relayed by the router 20, the infected-terminal determining unit 23a sends the terminal-infected-with-new-virus identification information to another router. For example, with reference to a routing table shown in
As shown in
The router 20 reports the terminal-infected-with-new-virus identification information to the infected-terminal determining unit 23a when the terminal-infected-with-new-virus identification information is an IP address of a terminal that is included in the sub-network; otherwise, when the terminal-infected-with-new-virus identification information is not an IP address of a terminal that is included in the sub-network, the router 20 sends the IP address to the second router.
On the basis of the result of determination stored in the infected-terminal-determination-result storage unit 22b, when the new-virus-infected terminal is included in the terminals whose traffic is relayed by the router 20, the quarantine unit 23b quarantines the new-virus-infected terminal from the network (see (7) in
When the terminal (the terminal having the IP address “192.168.20.100”) is quarantined, the quarantine unit 23b may allow the terminal to carry out only communications for updating an OS running on the terminal, for updating the virus definition file, and so forth. Furthermore, the router 20 may cancel the blocking of packets sent and received by the terminal when the terminal notifies the router that the updating of the OS or the updating of the virus definition file has been completed.
Procedure of processing executed by the mail server in the first embodiment.
Next, processing executed by the mail server 10 in the first embodiment will be described with reference to
First, at the mail server 10 in the first embodiment, when definitions of new viruses have been added to the virus definition file stored in the virus-definition-file storage unit 12a (Yes in operation S1401), the e-mail-with-new-virus identifying unit 13a checks the mail archive information stored in the mail-archive-information storage unit 12b (operation S1402). When the e-mail-with-new-virus identifying unit 13a does not detect any e-mail with a new virus, i.e., any e-mail having a new virus attached to the e-mail (No in operation S1402), the mail server 10 exits the procedure of
On the other hand, when an e-mail with new virus, i.e., an e-mail having a new virus attached to the e-mail, is detected by the e-mail-with-new-virus identifying unit 13a (Yes in operation S1402), information of the e-mail with the new virus is stored in the identified-e-mail-with-new-virus storage unit 12c, and the account-information obtaining unit 13b obtains account information from the information of the e-mail with the new virus (operation S1403). For example, as shown in
Then, with reference to both the obtained account information and the distribution request history stored in the distribution-request-history storage unit 12e, the infected-terminal-identification-information extracting unit 13c extracts an IP address of a terminal that requested distribution of the e-mail with the new virus, as new-virus-infected-terminal identification information (operation S1404). For example, the infected-terminal-identification-information extracting unit 13c extracts new-virus-infected-terminal identification information indicating that the IP address of the terminal which requested distribution using the account information “aaa” is “192.168.20.100”, as shown in
Then, the mail server 10 sends the IP address to the router 20 as the new-virus-infected-terminal identification information (operation S1405), and then exits the procedure of
When an e-mail with a new virus, i.e., an e-mail having a new virus attached to the e-mail, is identified by the infected-terminal-identification-information extracting unit 13c (Yes in operation S1402), information of the e-mail with the new virus may be deleted from the mail archive information stored in the mail-archive-information storage unit 12b. However, according to the present invention, the information need not necessarily be deleted.
Procedure of processing executed by the router in the first embodiment.
Next, processing which is executed by the router 20 in the first embodiment will be described with reference to
First, when the router 20 receives an IP address from the mail server 10 as new-virus-infected-terminal identification information (Yes in operation S1501), the infected-terminal determining unit 23a of the router 20 determines whether the new-virus-infected terminal corresponding to the new-virus-infected-terminal identification information is included in terminals whose traffic is relayed by the router 20 (operation S1502). When the infected-terminal determining unit 23a has determined that the new-virus-infected terminal is not included in the terminals whose traffic is relayed by the router 20 (No in operation S1502), the infected-terminal determining unit 23a sends the new-virus-infected-terminal identification information to another router (operation S1504). For example, with reference to a routing table shown in
On the other hand, when the infected-terminal determining unit 23a has determined that the new-virus-infected terminal is included in the terminals whose traffic is relayed by the router 20 (Yes in operation S1502), the quarantine unit 23b quarantines the new-virus-infected terminal from the network (operation S1503), and then exits the procedure of
At that time, the quarantine unit 23b may allow the terminal being quarantined (the terminal with the IP address “192.168.20.100”) to carry out only communications for updating an OS running on the terminal, for updating the virus definition file, and so forth. Furthermore, the router 20 may cancel the blocking of packets sent and received by the terminal when the terminal notifies the router that the updating of the OS or the updating of the virus definition file has been completed.
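The router procedure above (operations S1501 to S1504, plus the optional update-only exception and release) can be sketched as follows. This is an added example, not code from the patent; the router names and addresses, the second route, the update-server address and the hop limit are constructed assumptions, and only the “192.168.20.0/24” / “connected” entry and the terminal address come from the text.

```python
import ipaddress

CONNECTED = "connected"  # next-hop value the text gives for a directly attached segment


class QuarantineRouter:
    """Model of router 20: path-information storage, determining unit, quarantine unit."""

    def __init__(self, name, routes, update_servers):
        self.name = name
        # Routing table: (destination prefix, next hop or "connected").
        self.routes = [(ipaddress.ip_network(p), hop) for p, hop in routes]
        # Hosts a quarantined terminal may still reach (OS / definition updates).
        self.update_servers = {ipaddress.ip_address(a) for a in update_servers}
        self.quarantined = set()

    def lookup(self, ip):
        """Longest-prefix match; returns the next hop, or None when no route exists."""
        addr = ipaddress.ip_address(ip)
        matches = [(net.prefixlen, hop) for net, hop in self.routes if addr in net]
        return max(matches, key=lambda m: m[0])[1] if matches else None

    def handle_infected_notice(self, ip):
        """S1502: is the terminal on a segment this router relays? S1503 / S1504."""
        hop = self.lookup(ip)
        if hop is None:
            return ("unroutable", None)      # not in the text: assumed handling
        if hop == CONNECTED:
            self.quarantined.add(ipaddress.ip_address(ip))
            return ("quarantined", self.name)
        return ("forwarded", hop)            # pass the notice to another router

    def permits(self, src, dst):
        """Packet filter: a quarantined terminal may only talk to update servers."""
        s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for terminal, peer in ((s, d), (d, s)):
            if terminal in self.quarantined and peer not in self.update_servers:
                return False
        return True

    def release(self, ip):
        """Cancel blocking once the terminal reports that its update completed."""
        self.quarantined.discard(ipaddress.ip_address(ip))


def deliver_notice(routers, first, ip, max_hops=8):
    """Follow the notice from router to router until one quarantines the terminal."""
    path, current = [], first
    for _ in range(max_hops):                # guard against routing loops
        router = routers[current]
        action, detail = router.handle_infected_notice(ip)
        path.append((router.name, action))
        if action != "forwarded":
            return path
        if detail not in routers:
            path.append((detail, "unknown-next-hop"))
            return path
        current = detail
    path.append((current, "hop-limit"))
    return path


def build_sample_routers():
    """Constructed two-router topology; addresses other than 192.168.20.0/24 are made up."""
    updates = ["203.0.113.10"]               # constructed update server
    return {
        "10.10.20.1": QuarantineRouter(
            "router1",
            [("192.168.20.0/24", CONNECTED), ("192.168.30.0/24", "10.10.20.2")],
            updates),
        "10.10.20.2": QuarantineRouter(
            "router2",
            [("192.168.30.0/24", CONNECTED), ("192.168.20.0/24", "10.10.20.1")],
            updates),
    }


if __name__ == "__main__":
    routers = build_sample_routers()
    print(deliver_notice(routers, "10.10.20.1", "192.168.20.100"))
    print(deliver_notice(routers, "10.10.20.1", "192.168.30.7"))
```

The sketch does not model how the router verifies that a notice really came from the mail server, which the text does not describe; a deployment that acts on such notices would need that check before blocking a terminal.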
The first embodiment described above relates to a case where only one mail server is provided. In a second embodiment described below, a mail server is connected to other mail servers, and one of these mail servers functions as a mail gateway.
Overview and features of a mail system according to the second embodiment.
First, main features of a mail system according to the second embodiment will be described with reference to
The mail system according to the second embodiment includes a mail gateway, a plurality of mail servers, and a router. For example, as shown in
As shown in
Furthermore, similarly to the mail server in the first embodiment, each of the mail servers other than the mail gateway (the second mail server and the third mail server shown in
For example, in the mail archive information, the third mail server (mail3.jp.xyz.com, an IP address “10.10.30.3”) shown in
Furthermore, a router is provided between the mail server and the terminal. For example, the router shown in
First, when definitions of new viruses have been added to the virus definition file, the mail gateway in the mail system according to the second embodiment checks the mail archive information to identify an e-mail with a new virus, i.e., an e-mail having a new virus attached to the e-mail. More specifically, as shown in
Then, the mail gateway in the mail system according to the second embodiment obtains account information of the identified e-mail with the new virus. For example, the mail gateway obtains account information “aaa” from the identified e-mail with the new virus (see (2) in
Then, with reference to the distribution request history, when the obtained account information is not included in the distribution request history, the mail gateway in the mail system according to the second embodiment reports the account information to the other mail servers. That is, since no distribution request from a terminal having the account information “aaa” is included in the distribution request history of the mail gateway (see (3) in
Upon receiving the account information from the mail gateway, each of the mail servers in the mail system according to the second embodiment obtains the reception time of the e-mail with the new virus with reference to the mail archive information. For example, when the third mail server receives an e-mail addressed to “mail3.jp.xyz.com,” shown in
Then, each of the mail servers in the mail system according to the second embodiment extracts an IP address that serves as new-virus-infected-terminal identification information, with reference to the distribution request history using the obtained account information and the reception time of the e-mail with the new virus. For example, when the third mail server receives a distribution request from the terminal having the account information “aaa” (having a distribution request time “November 24, 2006 (Fri.), 17:00:12”), the third mail server refers to the distribution request history on and after “November 24, 2006 (Fri.), 15:40:09” in the distribution request history shown in
Then, similarly to the first embodiment, each of the mail servers in the mail system according to the second embodiment sends the extracted new-virus-infected-terminal identification information to the router (see (4) in
Configuration of the mail gateway in the second embodiment.
Next, the configuration of the mail gateway in the second embodiment will be described with reference to
As shown in
The communication controller 31 controls transfer of data that is transmitted or received via a network. More specifically, the communication controller 31 sends and receives e-mails, receives definitions of new viruses, sends account information, sends new-virus-infected-terminal identification information, and so forth according to communication protocols called SMTP/POP3. The communication controller 31 executes processing corresponding to an “account-information sending” in claims, and also corresponds to an “infected-terminal-identification-information sending unit” in claims.
The storage unit 32 stores both data used for various types of processing executed by the processing unit 33 and results of various types of processing executed by the processing unit 33. As components particularly relating to features of the present invention, as shown in
The processing unit 33 executes various types of processing on the basis of both data transferred from the communication controller 31 and data stored in the storage unit 32. As components particularly relating to features of the present invention, as shown in
Similarly to the e-mail-with-new-virus identifying unit 13a in the first embodiment, the e-mail-with-new-virus identifying unit 33a checks mail archive information when definitions of new viruses have been added to the virus definition file. For example, as shown in
Similarly to the e-mail-with-new-virus identifying unit 13a in the first embodiment, the e-mail-with-new-virus identifying unit 33a identifies an e-mail with a new virus, i.e., an e-mail having a new virus attached to the e-mail. The e-mail-with-new-virus identifying unit 33a stores the identified e-mail with the new virus in the identified-e-mail-with-new-virus storage unit 32c. More specifically, the e-mail-with-new-virus identifying unit 33a checks the mail archive information in the mail-archive-information storage unit 32b. And the e-mail-with-new-virus identifying unit 33a identifies that, for example, a new virus is attached to an e-mail addressed to “aaa@jp.xyz.com” (a message ID of the e-mail is “AAAAAAAA.11111111@jp.xyz.com”) (see (1) in
Similarly to the account-information obtaining unit 13b in the first embodiment, the account-information obtaining unit 33b obtains account information from the information of the e-mail with the new virus. The information of the e-mail with the new virus is stored in the identified-e-mail-with-new-virus storage unit 32c. The account-information obtaining unit 33b stores the obtained account information in the obtained-account-information storage unit 32d. For example, as shown in
Similarly to the infected-terminal-identification-information extracting unit 13c in the first embodiment, with reference to the account information stored in the obtained-account-information storage unit 32d and the distribution request history stored in the distribution-request-history storage unit 32e , when the account information is included in the distribution request history, the infected-terminal-identification-information extracting unit 33c extracts an IP address of a terminal that requested distribution of the e-mail with the new virus, as new-virus-infected-terminal identification information. When the account information is not included in the distribution request history, the infected-terminal-identification-information extracting unit 33c reports the account information to a plurality of mail servers via the communication controller 31. That is, when no distribution request from the terminal having the account information “aaa” is included in the distribution request history stored in the distribution-request-history storage unit 32e (see (3) in
Configuration of the mail server in the second embodiment.
Next, the configuration of the mail server in the second embodiment will be described with reference to
As shown in
The communication controller 41 controls transfer of data that is transmitted or received via a network. For example, the communication controller 41 sends and receives e-mails, receives account information, sends new-virus-infected-terminal identification information, and so forth according to communication protocols called SMTP/POP3.
The storage unit 42 stores both data used for various types of processing executed by the processing unit 43 and results of various types of processing executed by the processing unit 43. As components particularly relating to features of the present invention, as shown in
The processing unit 43 executes various types of processing on the basis of both data transferred from the communication controller 41 and data stored in the storage unit 42. As a component particularly relating to a feature of the present invention, as shown in
The received-account-information storage unit 42b stores account information of an e-mail with a new virus. The account information is received from the mail gateway 30. The infected-terminal-identification-information extracting unit 43a obtains the account information from the received-account-information storage unit 42b. Furthermore, the infected-terminal-identification-information extracting unit 43a obtains the reception time of the e-mail with the new virus with reference to mail archive information that is stored in the mail-archive-information storage unit 42a. For example, from an e-mail which is both received from the mail gateway 30 and addressed to “mail3.jp.xyz.com”, as shown in
Then, with reference to the distribution request history stored in the distribution-request-history storage unit 42c, the infected-terminal-identification-information extracting unit 43a extracts an IP address that serves as new-virus-infected-terminal identification information, using both the obtained account information and the reception time of the e-mail with the new virus. For example, with reference to the distribution request history on and after “November 24, 2006 (Fri.), 15:40:09” in the distribution request history stored in the distribution-request-history storage unit 42c, as shown in
Similarly to the mail server 10 in the first embodiment, the mail server 40 sends the extracted new-virus-infected-terminal identification information to the router 20 via the communication controller 41 (see (4) in
Since both the configuration of the router and the functions of components of the router in the second embodiment are the same as those in the first embodiment, description of the configuration of the router and the functions of components of the router in the second embodiment will be omitted.
Procedure of processing executed by the mail gateway in the second embodiment.
Next, processing executed by the mail gateway 30 in the second embodiment will be described with reference to
At the mail gateway 30 in the second embodiment, first, when definitions of new viruses have been added to the virus definition file stored in the virus-definition-file storage unit 32a (Yes in operation S2601), the e-mail-with-new-virus identifying unit 33a checks the mail archive information stored in the mail-archive-information storage unit 32b (operation S2602). When no e-mail with a new virus, i.e., no e-mail having a new virus attached to the e-mail, is identified by the e-mail-with-new-virus identifying unit 33a (No in operation S2602), the e-mail-with-new-virus identifying unit 33a exits the procedure of
On the other hand, when an e-mail with a new virus, i.e., an e-mail having a new virus attached to the e-mail, is identified by the e-mail-with-new-virus identifying unit 33a (Yes in operation S2602), the account-information obtaining unit 33b obtains account information from information of the e-mail with the new virus, stored in the identified-e-mail-with-new-virus storage unit 32c (operation S2603). For example, as shown in
Then, the infected-terminal-identification-information extracting unit 33c refers to the obtained account information and the distribution request history stored in the distribution-request-history storage unit 32e (operation S2604). When an IP address of a terminal that requested distribution of the e-mail with the new virus is extracted by the infected-terminal-identification-information extracting unit 33c (Yes in operation S2604), the mail gateway 30 sends the extracted IP address which serves as new-virus-infected-terminal identification information to a router directly connected to the mail gateway 30 (operation S2605). The procedure of
On the other hand, when no IP address of a terminal that requested distribution of the e-mail with the new virus is extracted by the infected-terminal-identification-information extracting unit 33c (No in operation S2604), the mail gateway 30 reports the account information “aaa” together with the message ID “AAAAAAAA.11111111@jp.xyz.com” to the mail server 40 (operation S2606). The procedure of
When an e-mail with a new virus, i.e., an e-mail having a new virus attached to the e-mail, is identified by the infected-terminal-identification-information extracting unit 33c (Yes in operation S2602), information of the e-mail with the new virus may be deleted from the mail archive information stored in the mail-archive-information storage unit 32b. However, according to an aspect of an embodiment, the information need not necessarily be deleted.
Procedure of processing executed by the mail server in the second embodiment.
Next, processing executed by the mail server 40 in the second embodiment will be described with reference to
At the mail server 40 in the second embodiment, first, when account information is received from the mail gateway 30 (Yes in operation S2701), the infected-terminal-identification-information extracting unit 43a obtains the account information. Furthermore, with reference to the mail archive information stored in the mail-archive-information storage unit 42a, the infected-terminal-identification-information extracting unit 43a obtains a reception time of an e-mail with a new virus (operation S2702).
For example, from an e-mail which is both received from the mail gateway 30 and addressed to “mail3.jp.xyz.com”, as shown in
Then, with reference to the distribution request history, the infected-terminal-identification-information extracting unit 43a extracts an IP address of the terminal that requested distribution of the e-mail with the new virus, as new-virus-infected-terminal identification information, using both the account information and the reception time (operation S2703). For example, with reference to the distribution request history on and after “November 24, 2006 (Fri.), 15:40:09” in the distribution request history stored in the distribution-request-history storage unit 42c, shown in
Then, the mail server 40 in the second embodiment sends the extracted new-virus-infected-terminal identification information to the router 20 directly connected to the mail server 40 (operation S2704). The procedure of
The procedure of processing executed by the router 20 in the second embodiment is the same as the procedure in the first embodiment, described earlier with reference to
In the second embodiment described above, when a mail server has extracted new-virus-infected-terminal identification information with reference to a distribution request history, the mail server sends the new-virus-infected-terminal identification information to a router. In a third embodiment described below, when no new-virus-infected-terminal identification information is extracted by a mail server with reference to a distribution request history, the mail server deletes information of a relevant e-mail with a new virus.
Overview and features of a mail system according to the third embodiment.
First, main features of a mail system according to the third embodiment will be described with reference to
Similarly to the mail system according to the second embodiment, the mail system according to the third embodiment includes a mail gateway, a plurality of mail servers, and a router. For example, as shown in
Similarly to the second embodiment, first, when definitions of new viruses have been added to the virus definition file, the mail gateway in the mail system according to the third embodiment checks the mail archive information to identify an e-mail with a new virus, i.e., an e-mail to which a new virus is attached. Then, the mail gateway obtains account information of the identified e-mail with the new virus. When the obtained account information is not included in the distribution request history, the mail gateway reports the account information to the other mail servers (see (1) to (3) in
Similarly to the second embodiment, when each of the mail servers in the mail system according to the third embodiment receives the account information from the mail gateway, each of the mail servers obtains the account information. Furthermore, each of the mail servers obtains the reception time of the e-mail with the new virus with reference to the mail archive information. For example, when the third mail server receives an e-mail addressed to “mail3.jp.xyz.com”, as shown in
Then, with reference to the distribution request history, each of the mail servers in the mail system according to the third embodiment extracts an IP address that serves as new-virus-infected-terminal identification information, using both the obtained account information and the reception time of the e-mail with the new virus. When the distribution request history does not include any distribution request from the terminal having the account information on and after the time of reception of the e-mail with the new virus from the mail gateway, the mail server deletes information of the e-mail with the new virus from the mail archive information stored in the mail server.
That is, with reference to the distribution request history on and after “November 24, 2006 (Fri.), 15:40:09” in the distribution request history, when no request from the terminal having the account information “aaa” is included (see (4) in
Configuration of the mail server in the third embodiment.
Next, the configuration of the mail server in the third embodiment will be described with reference to
As shown in
The received-account-information storage unit 42b stores account information of an e-mail with a new virus. The account information is received from the mail gateway 30. The account information is stored in the received-account-information storage unit 42b. From the account information, the infected-terminal-identification-information extracting unit 43a obtains the account information. Furthermore, with reference to the mail archive information stored in the mail-archive-information storage unit 42a, the infected-terminal-identification-information extracting unit 43a obtains the reception time of the e-mail with the new virus. For example, as shown in
Then, with reference to the distribution request history stored in the distribution-request-history storage unit 42c, the infected-terminal-identification-information extracting unit 43a extracts an IP address that serves as new-virus-infected-terminal identification information, using both the obtained account information and the reception time of the e-mail with the new virus. When the distribution request history does not include any distribution request from the terminal having the account information on and after the time of reception by the mail server of the e-mail with the new virus from the mail gateway, the infected-terminal-identification-information extracting unit 43a deletes information of the e-mail with the new virus from the mail archive information stored in the mail-archive-information storage unit 42a. For example, with reference to the distribution request history on and after “November 24, 2006 (Fri.), 15:40:09” in the distribution request history stored in the distribution-request-history storage unit 42c, when no request from the terminal having the account information “aaa” is included (see (4) in
Procedure of processing executed by the mail server in the third embodiment.
Next, processing executed by a mail server 40 in the third embodiment will be described with reference to
At the mail server 40 in the third embodiment, when account information is received from the mail gateway 30 (Yes in operation S2901), first, the infected-terminal-identification-information extracting unit 43a obtains the account information. Furthermore, with reference to the mail archive information stored in the mail-archive-information storage unit 42a, the infected-terminal-identification-information extracting unit 43a obtains the reception time of the e-mail with the new virus (operation S2902). For example, as shown in
Then, the infected-terminal-identification-information extracting unit 43a refers to the distribution request history using both the account information and the reception time (operation S2903). When an IP address of a terminal that requested distribution of the e-mail with the new virus, which serves as new-virus-infected-terminal identification information, is extracted by the infected-terminal-identification-information extracting unit 43a (Yes in operation S2903), the mail server 40 sends the extracted new-virus-infected-terminal identification information to the router 20 directly connected to the mail server 40 (operation S2904). The procedure of
On the other hand, when no IP address of a terminal that requested distribution of the e-mail with the new virus is extracted by the infected-terminal-identification-information extracting unit 43a (No in operation S2903), the infected-terminal-identification-information extracting unit 43a deletes information of the e-mail with the new virus from the mail archive information stored in the mail-archive-information storage unit 42a (operation S2905). The procedure of
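The mail-server procedure of operations S2901 to S2905 can be sketched in Python as follows. This is an added illustration, not part of the specification; the record layouts, function names, the "not_in_archive" outcome and the sample history (other than the values quoted above) are assumptions constructed for the example, and returning every matching IP address rather than a single one goes slightly beyond the text.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ArchivedMail:
    message_id: str
    account: str            # account information, e.g. "aaa"
    received_at: datetime   # reception time of the e-mail from the mail gateway


@dataclass(frozen=True)
class DistributionRequest:
    account: str
    terminal_ip: str        # terminal identification information
    requested_at: datetime


def handle_reported_account(account: str, message_id: str,
                            archive: Dict[str, ArchivedMail],
                            history: List[DistributionRequest]) -> Tuple[str, List[str]]:
    """Mail-server side of S2901-S2905 for one account reported by the gateway."""
    # S2902: obtain the reception time from the mail archive information.
    mail = archive.get(message_id)
    if mail is None or mail.account != account:
        return ("not_in_archive", [])   # assumption: case not covered in the text

    # S2903: only requests on and after the reception time can have fetched
    # the e-mail; earlier requests by the same account are ignored.
    ips: List[str] = []
    for req in sorted(history, key=lambda r: r.requested_at):
        if req.account != account or req.requested_at < mail.received_at:
            continue
        if req.terminal_ip not in ips:
            ips.append(req.terminal_ip)

    if ips:
        # S2904: these addresses are sent to the router for quarantine.
        return ("notify_router", ips)

    # S2905: never distributed, so the archived copy is deleted.
    del archive[message_id]
    return ("deleted_from_archive", [])


MSG_ID = "AAAAAAAA.11111111@jp.xyz.com"
RECEIVED = datetime(2006, 11, 24, 15, 40, 9)


def sample_archive() -> Dict[str, ArchivedMail]:
    return {MSG_ID: ArchivedMail(MSG_ID, "aaa", RECEIVED)}


# Constructed history: "aaa" polled only before the e-mail arrived.
HISTORY_NO_FETCH = [
    DistributionRequest("aaa", "192.168.20.15", datetime(2006, 11, 24, 15, 30, 0)),
    DistributionRequest("bbb", "192.168.20.16", datetime(2006, 11, 24, 15, 45, 0)),
]
# Constructed history: "aaa" also polled after the e-mail arrived.
HISTORY_FETCHED = HISTORY_NO_FETCH + [
    DistributionRequest("aaa", "192.168.20.15", datetime(2006, 11, 24, 15, 42, 12)),
]

if __name__ == "__main__":
    print(handle_reported_account("aaa", MSG_ID, sample_archive(), HISTORY_NO_FETCH))
    print(handle_reported_account("aaa", MSG_ID, sample_archive(), HISTORY_FETCHED))
```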
The first to third embodiments described above relate to cases where an IP address used as terminal identification information of a terminal is fixed. A fourth embodiment described below relates to a case where an IP address used as terminal identification information of a terminal is changed each time the terminal connects to a network.
Overview and features of a mail system according to the fourth embodiment.
First, main features of a mail system according to the fourth embodiment will be described with reference to
Similarly to the first embodiment, in the mail system according to the fourth embodiment, as shown in
The mail server in the mail system according to the fourth embodiment issues an IP address to a terminal as terminal identification information on each occasion of authentication of connection of the terminal to a network, using an authentication account that serves as client user identification for identifying a client user that operates the terminal. The mail server is connected to an authentication server that stores access management information in which authentication accounts are associated individually with IP addresses. The authentication account corresponds to “client user identification information” in the claims.
For example, as shown in
In response to a distribution request from a terminal owned by the client user having the authentication account “AA” and the account information “aaa” and having an IP address “192.168.20.15” to which the client user is assigned, the mail server in the mail system according to the fourth embodiment distributes e-mails addressed to “aaa@jp.xyz.com” to the terminal via the router.
Furthermore, the IP address in the distribution request history serves as terminal identification information of the terminal. As shown in
Then, similarly to the first embodiment, when definitions of new viruses have been added to the virus definition file, the mail server in the mail system according to the fourth embodiment checks the mail archive information to identify an e-mail with a new virus, i.e., an e-mail having a new virus attached to the e-mail.
More specifically, as shown in
Then, similarly to the first embodiment, the mail server in the mail system according to the fourth embodiment obtains account information of the identified e-mail with the new virus. For example, the mail server obtains account information “aaa” from the identified e-mail with the new virus (see (2) in
Then, from the distribution request history, the mail server in the mail system according to the fourth embodiment extracts both the IP address issued to the terminal by the authentication server at the time of a distribution request of the e-mail with a new virus and the distribution request time of the distribution request of the e-mail with the new virus by the terminal.
More specifically, with reference to the distribution request history shown in
Then, in order to request to search for a current IP address, the mail server in the mail system according to the fourth embodiment sends the extracted IP address and the extracted distribution request time to the authentication server. That is, the mail server sends the IP address “192.168.20.15” and the distribution request time “November 24, 2006 (Fri.), 15:42:12” to the authentication server (see (4) in
Then, the authentication server in the mail system according to the fourth embodiment receives the IP address and the distribution request time which were sent from the mail server (see (5) in
More specifically, from the access management information on and before the distribution request time, the authentication server extracts an authentication account to which the IP address was issued. For example, from the access management information shown in
When a new IP address has been issued to the terminal authenticated on the basis of the authentication account, the authentication server in the mail system according to the fourth embodiment extracts the new IP address as new-virus-infected-terminal identification information.
For example, as shown in
Then, the authentication server in the mail system according to the fourth embodiment sends the new-virus-infected-terminal identification information to the mail server. The mail server extracts the received new-virus-infected-terminal identification information. The mail server sends the new-virus-infected-terminal identification information to the broadband router. Similarly to the first embodiment, when the new-virus-infected terminal is included in terminals whose traffic is relayed by the broadband router, the broadband router quarantines the new-virus-infected terminal from the network.
That is, similarly to the first embodiment, as shown in
Configuration of the mail server in the fourth embodiment.
Next, the configuration of the mail server in the fourth embodiment will be described with reference to
As shown in
The communication controller 11 controls transfer of data transmitted or received via a network. More specifically, the communication controller 11 sends and receives e-mails, receives definitions of new viruses, carries out communications with the authentication server, sends new-virus-infected-terminal identification information, and so forth according to communication protocols called SMTP/POP3.
Similarly to the first embodiment, when definitions of new viruses have been added to the virus definition file, the e-mail-with-new-virus identifying unit 13a checks the mail archive information to identify an e-mail with a new virus. The account-information obtaining unit 13b obtains account information from the e-mail with the new virus. For example, the e-mail-with-new-virus identifying unit 13a identifies an e-mail with a new virus addressed to a destination mail address “aaa@jp.xyz.com.” The account-information obtaining unit 13b obtains account information “aaa” from the e-mail with the new virus.
With reference to both the account information stored in the obtained-account-information storage unit 12d and the distribution request history stored in the distribution-request-history storage unit 12e, from the distribution request history, the infected-terminal-identification-information extracting unit 13c extracts both the IP address issued by the authentication server to the terminal at the time of the distribution request of the e-mail with the new virus and the distribution request time of the distribution request of the e-mail with the new virus by the terminal.
More specifically, as shown in
The communication controller 11 sends the IP address and the distribution request time which were obtained by the infected-terminal-identification-information extracting unit 13c to the authentication server in order to request to search for a current IP address.
Furthermore, the communication controller 11 receives and extracts the IP address extracted by the authentication server. The IP address serves as new-virus-infected-terminal identification information. The communication controller 11 sends the IP address to the router 20.
Configuration of the authentication server in the fourth embodiment.
Next, the configuration of the authentication server in the fourth embodiment will be described with reference to
As shown in
The communication controller 51 receives authentication accounts from terminals, and IP addresses and distribution request times from the mail server 10. The communication controller 51 sends new-virus-infected-terminal identification information to the mail server 10, and so forth.
The storage unit 52 stores data used for various types of processing executed by the processing unit 53. As a component particularly relating to a feature of the present invention, as shown in
As access management information, the access-management-information storage unit 52a stores an IP address issued by the authentication server 50 after the access-management-information storage unit 52a received an authentication account from the terminal which a client user operates. For example, as shown in
The processing unit 53 executes various types of processing on the basis of both data transferred from the communication controller 51 and data stored in the storage unit 52. As a component particularly relating to a feature of the present invention, as shown in
With reference to the IP address and the distribution request time which have been received from the mail server 10 and to the access management information stored in the access-management-information storage unit 52a, the infected-terminal-identification-information extracting unit 53a extracts an authentication account associated with the terminal that received the e-mail with the new virus.
More specifically, the infected-terminal-identification-information extracting unit 53a extracts an authentication account to which the IP address was issued from the access management information on and before the distribution request time. For example, as shown in
Then, when a new IP address has been issued as a result of authentication of the authentication account, the infected-terminal-identification-information extracting unit 53a extracts the new IP address as new-virus-infected-terminal identification information.
For example, as shown in
The authentication server 50 sends the new-virus-infected-terminal identification information extracted by the infected-terminal-identification-information extracting unit 53a to the mail server 10. For example, the authentication server 50 sends the IP address “192.168.20.100” as new-virus-infected-terminal identification information.
The configuration of the router and the functions of components of the router in the fourth embodiment are the same as those in the first embodiment, described earlier with reference to
Procedure of processing executed by the mail server in the fourth embodiment.
Next, processing executed by the mail server 10 in the fourth embodiment will be described with reference to
At the mail server 10 in the fourth embodiment, first, when definitions of new viruses have been added to the virus definition file stored in the virus-definition-file storage unit 12a (Yes in operation S3701), the e-mail-with-new-virus identifying unit 13a checks the mail archive information stored in the mail-archive-information storage unit 12b (operation S3702). At the mail server 10, when no e-mail with a new virus, i.e., no e-mail having a new virus attached to the e-mail, is identified by the e-mail-with-new-virus identifying unit 13a (No in operation S3702), the procedure of
On the other hand, when an e-mail with a new virus, i.e., an e-mail to which a new virus is attached, is identified by the e-mail-with-new-virus identifying unit 13a (Yes in operation S3702), the account-information obtaining unit 13b obtains account information from information of the e-mail having the new virus attached to the e-mail (operation S3703). The information of the e-mail with the new virus is stored in the identified-e-mail-with-new-virus storage unit 12c. For example, the account-information obtaining unit 13b obtains account information “aaa” from the identified e-mail with the new virus (see (2) in
Then, with reference to both the obtained account information and the distribution request history stored in the distribution-request-history storage unit 12e, from the distribution request history, the infected-terminal-identification-information extracting unit 13c extracts both an IP address issued by the authentication server to the terminal at the time of the distribution request of the e-mail with the new virus and the distribution request time of the distribution request of the e-mail with the new virus by the terminal (operation S3704). More specifically, as shown in
Then, the mail server 10 sends the IP address and the distribution request time that have been extracted by the infected-terminal-identification-information extracting unit 13c to the authentication server (operation S3705).
Then, when the mail server 10 receives a new IP address from the authentication server 50 as new-virus-infected-terminal identification information (Yes in operation S3706), the mail server 10 sends the new IP address extracted as new-virus-infected-terminal identification information to the router 20 (operation S3707). The procedure of
Procedure of processing executed by the authentication server in the fourth embodiment.
Next, processing executed by the authentication server 50 in the fourth embodiment will be described with reference to
At the authentication server 50 in the fourth embodiment, first, upon receiving an IP address and a distribution request time from the mail server 10 (Yes in operation S3801), with reference to the received IP address and the received distribution request time and to the access management information stored in the access-management-information storage unit 52a, the infected-terminal-identification-information extracting unit 53a extracts an authentication account associated with the terminal that received the e-mail with the new virus (operation S3802).
For example, as shown in
Then, when a new IP address has been issued to the terminal as a result of authentication of the authentication account (Yes in operation S3803), the infected-terminal-identification-information extracting unit 53a extracts the new IP address as new-virus-infected-terminal identification information (operation S3804).
For example, as shown in
Then, the authentication server 50 sends the new-virus-infected-terminal identification information extracted by the infected-terminal-identification-information extracting unit 53a to the mail server 10 (operation S3805). The procedure of
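The authentication-server lookup of operations S3801 to S3804 can be sketched in Python as follows. This is an added illustration, not part of the specification; the record layout, the function name and the sample access management information are assumptions constructed for the example, apart from the account “AA”, the two IP addresses and the distribution request time quoted above. The sample also shows why the lookup is needed: the old address is later issued to a different account.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IpIssuance:
    """One row of access management information (assumed layout)."""
    auth_account: str
    ip: str
    issued_at: datetime


def resolve_current_ip(access_log: List[IpIssuance], old_ip: str,
                       request_time: datetime) -> Tuple[Optional[str], Optional[str]]:
    """Return (authentication account, newly issued IP or None)."""
    # S3802: among issuances of old_ip on and before the distribution request
    # time, the most recent one names the account that held it at that time.
    held = [r for r in access_log
            if r.ip == old_ip and r.issued_at <= request_time]
    if not held:
        return (None, None)
    holder = max(held, key=lambda r: r.issued_at)

    # S3803: has that account been authenticated again and given a new address?
    later = [r for r in access_log
             if r.auth_account == holder.auth_account
             and r.issued_at > holder.issued_at]
    if not later:
        # The text does not describe this branch; the sketch reports no new IP.
        return (holder.auth_account, None)

    # S3804: the most recently issued address identifies the terminal now.
    newest = max(later, key=lambda r: r.issued_at)
    return (holder.auth_account, newest.ip)


REQUEST_TIME = datetime(2006, 11, 24, 15, 42, 12)

# Constructed access management information. 192.168.20.15 is held by "CC"
# in the morning, by "AA" at the distribution request time, and by "BB" later,
# so quarantining the old address directly would hit the wrong terminal.
SAMPLE_LOG = [
    IpIssuance("CC", "192.168.20.15", datetime(2006, 11, 24, 9, 0, 0)),
    IpIssuance("AA", "192.168.20.15", datetime(2006, 11, 24, 15, 0, 0)),
    IpIssuance("AA", "192.168.20.100", datetime(2006, 11, 24, 17, 10, 0)),
    IpIssuance("BB", "192.168.20.15", datetime(2006, 11, 24, 18, 0, 0)),
]

if __name__ == "__main__":
    print(resolve_current_ip(SAMPLE_LOG, "192.168.20.15", REQUEST_TIME))
```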
The procedure of processing executed by the router 20 in the fourth embodiment is the same as the procedure in the first embodiment, described earlier with reference to
Although the mail systems according to the first to fourth embodiments have been described above, the present invention can be embodied in various forms other than the embodiments described above. The following description will be directed to mail systems according to various other embodiments, regarding points (1) to (3).
(1) Sending of New-Virus-Infected-Terminal Identification Information.
In the first embodiment described earlier, when a router receives new-virus-infected-terminal identification information which is sent from a mail server and the router determines that no corresponding terminal is included in a sub-network that the router is in charge of, the router sends the new-virus-infected-terminal identification information to another terminal. However, the present invention is not limited to this case, and the mail server may send new-virus-infected-terminal identification information simultaneously to all routers.
Furthermore, in the first embodiment, an IP packet in which an IP address that serves as new-virus-infected-terminal identification information is specified both in an IP header and in data of the IP packet is sent to a router. However, the present invention is not limited to this case, and an IP packet in which an IP address that serves as new-virus-infected-terminal identification information is specified only in an IP header may be sent to a router.
(2) System Configuration, etc.
Furthermore, in the procedures executed in the embodiments described above, some or all of the operations that have been described as executed automatically may be executed manually (e.g., when definitions of new viruses have been added, an administrator of a mail server can instruct start of checking of mail archive information instead of automatically starting checking of the mail archive information). Alternatively, some or all the operations that have been described as executed manually can be executed automatically. Furthermore, the processing procedures, specific names, and information which includes various types of data or parameters, described in this specification or shown in the drawings, can be modified as desired unless otherwise specifically described.
Furthermore, the components of each of the devices shown in the drawings schematically represent functions, and the components need not necessarily be physically configured as shown. That is, the specific manner of separation and integration of individual processing units and individual storage units (e.g., shown in
(3) Terminal Identifying Program.
The embodiments may be implemented in software and/or computing hardware. Although various types of processing are executed by hardware logics in the first to fourth embodiments described above, the present invention is not limited to this case, and programs prepared in advance may be executed by computers. Now, an example of a computer that executes a terminal identifying program having the same functions as the mail server 10 in the mail system according to the first embodiment will be described with reference to
As shown in
The ROM 394 stores a terminal identifying program that exhibits the same functions as the mail server 10 in the first embodiment. That is, as shown in
When these programs 394a to 394c are read from the ROM 394 and executed by the CPU 393, as shown in
Furthermore, as shown in
The programs 394a to 394c need not necessarily be stored in the ROM 394 from the beginning. For example, the programs 394a to 394c may be stored on a portable physical medium that can be loaded to the computer 390, such as a flexible disk (FD), a compact disc read-only memory (CD-ROM), a magneto-optical (MO) disc, a digital versatile disc (DVD), or an IC card, or a fixed physical medium, such as a hard disk drive which is provided internally or externally to the computer 390, or another computer (or server) connected to the computer 390 via a public circuit, the Internet, a LAN, or a WAN, so that the computer 390 can read the programs and execute the programs.
The many features and advantages of the embodiments are apparent from the detailed specification and, thus, it is intended by the appended claims to cover all such features and advantages of the embodiments that fall within the true spirit and scope thereof. Further, since numerous modifications and changes will readily occur to those skilled in the art, it is not desired to limit the inventive embodiments to the exact construction and operation illustrated and described, and accordingly all suitable modifications and equivalents may be resorted to, falling within the scope thereof.
Number | Date | Country | Kind |
---|---|---|---|
JP2007-2859 | Jan 2007 | JP | national |