With the rising number of Internet users, electronic mail or email is increasingly used as a means of communication. This leads to an increase in email traffic between computers. Besides, a rapid proliferation of mobile telephones also increases email traffic.
A useful feature of email is that it can be broadcast. In recent years, it has become increasingly common for direct mail such as advertisements to be sent to an unspecified number of users by broadcast email. Such nuisance email is called spam mail.
Spam mail causes a high volume of traffic. In addition, spam mail does not always contain an address for acknowledgment of receipt, which may produce a large number of unsent email messages. The processing of an excessive number of unsent email messages constitutes a DoS (Denial of Service) attack on a receiving server. Consequently, ISPs (Internet Service Providers), telecommunications carriers, companies, etc. need to have additional mail servers to deliver spam mail and send back unsent email.
Hereinafter, the outline of a conventional mail delivery system will be given referring to FIGS. 1 and 2. In the following description of processing operation, SMTP (Simple Mail Transfer Protocol) will be cited by way of example.
FIG. 1 is a diagram showing an example of a conventional mail delivery system. Referring to FIG. 1, the mail delivery system comprises a router 101 and mail servers 2-1 to 2-3. The router 101 is placed on the boundary of a network management domain 3 managed by an ISP, a carrier, a company or the like. The mail servers 2-1 to 2-3, which will be hereinafter referred to as MTA (Message Transfer Agent), are located within the network management domain 3. The mail delivery system further comprises the Internet and MTAs 2-4 and 2-5 outside the network management domain 3. In what follows, it will be assumed that a malicious user uses the MTA 2-4 and a regular user uses MTA 2-5. In FIG. 1, the MTAs 2-4 and 2-5 send email to the MTA 2-2 within the network management domain 3.
The router 101 in general forwards traffic to the MTAs 2-1 to 2-3 in the network management domain 3 without checking whether or not received traffic is email traffic. Accordingly, when having received a high volume of SMTP traffic 102 from the MTA 2-4, the router 101 forwards the SMTP traffic 102 to the MTA 2-2.
Similarly, having received SMTP traffic 103 from the MTA 2-5, the router 101 forwards the SMTP traffic 103 to the MTA 2-2. In such a case, if the SMTP traffic 102 from the router 101 to the MTA 2-2 is so heavy that the MTA 2-2 cannot deal with it, the MTA 2-2 cannot accept the SMTP traffic 103 sent from the MTA 2-5 via the router 101.
In addition, if the router 101 receives the SMTP traffic 103 from the MTA 2-5 while it is tied up with the transfer of the SMTP traffic 102 from the MTA 2-4, the SMTP traffic 102 hinders the router 101 from forwarding the SMTP traffic 103 to the MTA 2-2.
FIG. 2 is a diagram showing another example of a conventional mail delivery system. In FIG. 2, the MTA 2-2 in the network management domain 3 serves as a mail delivery server. In the case where an ISP or a carrier offers server hosting services, an outside user who has subscribed to the services may deliver spam mail using the MTA 2-2 in the network management domain 3. FIG. 2 shows the condition where the MTA 2-2 sends a high volume of SMTP traffic 104 to the MTAs 2-4 and 2-5, which imposes pressure on SMTP traffic 106 from the MTA 2-1 and SMTP traffic 105 from the MTA 2-3 in the router 101.
As is described above, the mail delivery system having only the general router 101 cannot handle high volume traffic caused by spam mail.
Recently, a firewall that can identify traffic at L4 (Layer 4) has been utilized as a device for identifying email traffic. However, the firewall does not check the contents of application level data, and is not capable of determining whether or not email received from outside is spam mail.
Japanese Patent Applications Laid-Open No. 2003-283572 and No. 2003-283555, for example, describe conventional techniques for limiting the transmission band of offensive traffic of a DDoS (Distributed Denial of Service) attack while securing communication traffic for regular users. According to the techniques, when a suspicious offensive packet of the DDoS attack is detected, a gate device reports the transmission band limit value of the suspicious offensive packet to upstream communication devices. While limiting the transmission band of the suspicious offensive packet to the received transmission band limit value, the upstream communication devices repeatedly report the transmission band limit value to further upstream communication devices up to the upper-most stream, and each communication device limits the transmission band of the suspicious offensive packet.
Additionally, Japanese Patent Application Laid-Open No. 2003-283554, for example, describes another conventional technique. According to the technique, when a suspicious offensive packet of the DDoS attack is detected, a gate device transmits the suspicious signature and the regular condition of the suspicious offensive packet to upstream communication devices. Each of the communication devices cancels the transmission band limitation of the packet identified from the regular condition and a regular signature created based upon the suspicious signature, while limiting the transmission band of the packet identified from the suspicious signature. Further, the communication devices repeatedly transmit the suspicious signature and the regular condition to further upstream communication devices up to the upper-most stream, and each communication device further limits the band by detecting the offensive packet from the suspicious offensive packets while implementing the band limitation of the suspicious offensive packet.
As just described, according to the conventional techniques, when a suspicious offensive packet is detected, a gate device transmits information for limiting the transmission band of the suspicious offensive packet to upstream communication devices, and each communication device limits the transmission band of the suspicious offensive packet. That is, it will be difficult to limit the transmission band of the suspicious offensive packet with one communication device.
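The hop-by-hop limiting described above can be modelled in a few lines. This is an added example, not code from this document or from the cited applications; the topology, device names, addresses and packet fields are constructed assumptions, and a signature is modelled as simple field equality.

```python
from dataclasses import dataclass, field

def matches(packet, pattern):
    """True when every field named in the pattern equals the packet's field."""
    return all(packet.get(k) == v for k, v in pattern.items())

@dataclass
class Device:
    name: str
    upstream: list = field(default_factory=list)
    suspicious: dict = None   # suspicious signature
    regular: dict = None      # regular signature = suspicious signature + regular condition
    limit_bytes: int = None   # transmission band limit per interval

    def report(self, suspicious, regular_condition, limit_bytes, seen=None):
        """Install the limit here, then repeat the report to each upstream device."""
        seen = [] if seen is None else seen
        if self.name in seen:
            return seen       # already configured; guards against topology loops
        seen.append(self.name)
        self.suspicious = dict(suspicious)
        self.regular = {**suspicious, **regular_condition}
        self.limit_bytes = limit_bytes
        for dev in self.upstream:
            dev.report(suspicious, regular_condition, limit_bytes, seen)
        return seen

    def forward(self, packets):
        """Forward one interval of packets, limiting only the suspicious band."""
        budget, out = self.limit_bytes, []
        for p in packets:
            limited = (self.suspicious is not None and matches(p, self.suspicious)
                       and not matches(p, self.regular))
            if not limited:
                out.append(p)             # unrelated or regular traffic passes
            elif budget >= p["bytes"]:
                budget -= p["bytes"]      # suspicious traffic within the limit
                out.append(p)
        return out

# Constructed topology: gate <- core <- (edge_a, edge_b)
core = Device("core", [Device("edge_a"), Device("edge_b")])
gate = Device("gate", [core])
# Constructed sample traffic toward a mail server at 192.0.2.25
SUSPICIOUS = {"dst": "192.0.2.25", "dport": 25}
REGULAR_CONDITION = {"src": "203.0.113.5"}
TRAFFIC = ([{"src": "198.51.100.4", "dst": "192.0.2.25", "dport": 25, "bytes": 1000}] * 8
           + [{"src": "203.0.113.5", "dst": "192.0.2.25", "dport": 25, "bytes": 1000}] * 2)

def run_demo():
    """Gate reports upstream, then the furthest-upstream edge filters the traffic."""
    return gate.report(SUSPICIOUS, REGULAR_CONDITION, 3000), core.upstream[0].forward(TRAFFIC)
```

Every device on the path has to receive and apply the report for the limit to take effect at the edge, which is the multi-device dependency the paragraph above points out.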