In recent years, targeted attacks aimed at a specific company or a personal computer have been rapidly increasing. In particular, targeted attacks on companies, government organizations, and the like by means of spoofed emails have been rapidly increasing. A mail sent in a targeted attack is called a targeted attack mail. The targeted attack mail is a virus mail sent to a specific company or organization as a target for the purpose of stealing confidential information. When an attached file containing malicious code is opened, an illegitimate or spoofed activity is performed in which, for example, personal information is leaked.
Antivirus software according to the related art registers collation information for a spoofed program as the signature of a problematic program. The antivirus software then blocks viral infection by detecting an attached file or the like that matches the signature. However, the antivirus software is normally not effective against an attack mail that uses a program whose signature is not registered. Moreover, in many cases it is difficult for the antivirus software to detect at first glance that an attached file or text is suspicious if it is carefully written. Therefore, viral infection may not be completely blocked. In addition, there are limits to how strictly each user can check the consistency of an email header, an attached file, text, a sender address, and the like.
As a countermeasure technique according to the related art, there is sending domain authentication. This is a technique in which the legitimacy of a sending mail server and the trail of a transmission path are established on the server side. Specifically, sending domain authentication checks the domain of an email address and verifies whether or not the email was sent from a legitimate server. In addition, sending domain authentication proves that the address of the sender is legitimate. For example, this technique is disclosed in Japanese Laid-open Patent Publication No. 2006-134313.
There are mainly two types of sending domain authentication: authentication by an IP address and authentication by an e-signature. The authentication by an IP address is, for example, authentication using Sender Policy Framework (SPF) or Sender ID. In the authentication by an IP address, the association between the domain of an email server and the IP address of a sender (SPF records) is published on a Domain Name System (DNS) server. During reception, the DNS server is queried and the sender IP address is collated against the published records, thereby confirming that the address of the sender is legitimate. Details of this technique are disclosed in, for example, Sender Policy Framework Project Overview.
The authentication by an e-signature is, for example, DomainKeys Identified Mail (DKIM). In DKIM, public key information of an email server is published on a DNS server, and an email is sent with an e-signature created with the corresponding secret key added to it. During reception, the DNS server is queried for the public key information and the e-signature is collated against it, thereby confirming that the address of the sender is legitimate. This technique is disclosed in, for example, DKIM.org.