Email has become a popular communication tool in daily life. Every day, large numbers of emails are sent through the Internet. While email brings much convenience to daily life, some emails, such as junk emails, are bothersome. In addition to junk emails, some emails are not allowed to enter a private network for security reasons. Typically, network security equipment coupled between the Internet and a private network is used to screen emails and email servers.
Four protocols are mainly used for sending or receiving email in the application layer of the Internet: Simple Mail Transfer Protocol (SMTP), Post Office Protocol (POP), Internet Mail Access Protocol (IMAP), and Hypertext Transfer Protocol (HTTP). Each protocol uses a fixed port to communicate with the transport layer of the Internet. SMTP, POP, IMAP, and HTTP use ports 25, 110, 143, and 80, respectively. SMTP, POP, and IMAP are known as typical email protocols, and are used by stand-alone email clients, such as Microsoft Outlook® and Outlook Express®. HTTP, which is an atypical email protocol, sends email as a webpage, and is used by free email services such as Hotmail® and Yahoo®.
One method commonly used in network security equipment to identify email is to analyze the Internet Protocol (IP) packet and read the source port number it carries. The source port number can be used to identify emails sent using a typical email protocol. However, emails sent using HTTP may not be identified as emails. Instead, these emails are characterized as ordinary webpages. Thus, junk emails, which are often sent from mail servers, may not be identified.
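The port-based check described above, and its blind spot for webmail, as an added example that is not part of the original text. The packets are constructed samples using documentation addresses, and the function names (`build_packet`, `source_port`, `classify`, `demo`) are hypothetical.

```python
import struct

# Port-to-protocol mapping taken from the text above.
EMAIL_PORTS = {25: "SMTP", 110: "POP", 143: "IMAP"}
HTTP_PORT = 80

def build_packet(src_port, dst_port, payload=b""):
    """Build a minimal IPv4+TCP packet (constructed sample, checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                      5 << 4, 0x18, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return ip + tcp

def source_port(packet):
    """Return the TCP source port of an IPv4 packet, or None if it cannot be read."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                      # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4         # IP header length in bytes
    if ihl < 20 or packet[9] != 6 or len(packet) < ihl + 4:
        return None                      # bad header, not TCP, or no room for ports
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None                      # non-first fragment carries no TCP header
    return struct.unpack("!H", packet[ihl:ihl + 2])[0]

def classify(packet):
    """Classify a packet by source port only, as the equipment described above does."""
    port = source_port(packet)
    if port is None:
        return "unknown"
    if port in EMAIL_PORTS:
        return "email/" + EMAIL_PORTS[port]
    return "webpage" if port == HTTP_PORT else "other"

def demo():
    """Classify four constructed server-to-client packets."""
    samples = {
        "SMTP server reply": build_packet(25, 40001, b"220 mail.example.test\r\n"),
        "POP server reply": build_packet(110, 40002, b"+OK\r\n"),
        "IMAP server reply": build_packet(143, 40003, b"* OK\r\n"),
        # Webmail: the message body travels inside an HTTP response.
        "webmail over HTTP": build_packet(
            80, 40004, b"HTTP/1.1 200 OK\r\n\r\n<html>Inbox: 1 new message</html>"),
    }
    return {name: classify(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:20} -> {verdict}")
```

The webmail sample is labelled `webpage` even though its payload is a mail message, which is the gap the paragraph above describes.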