CN-121984714-A - Security handling method and device, storage medium and electronic equipment

Abstract

The disclosure provides a security disposal method and device, a storage medium and electronic equipment, and relates to the technical field of network security. The method comprises the steps of obtaining a sender policy framework detection result of a target mail, determining a first detection score of the target mail according to the sender policy framework detection result of the target mail, determining a security score of the target mail according to the first detection score of the target mail, a preset first dynamic weight and a preset initial score and combining a second detection policy, and processing the target mail according to the security score and a scoring threshold of the target mail. The sender policy framework detection result of the target mail is obtained and converted into a first detection score, and then the safety score of the target mail is comprehensively determined by combining the preset first dynamic weight, the preset initial score and the second detection policy, and finally differentiated mail treatment is performed according to a scoring threshold value, so that the overall performance of a mail safety detection system is remarkably improved.

Inventors

  • FENG SEN
  • GUO XINGXING
  • Wu Dihang
  • YANG RUI
  • MENG XIANGZHEN
  • LI PEILUN
  • LUO QINGYONG
  • XUE GANG
  • Peng Lukang
  • WANG YING
  • XUE KE
  • ZHANG KAIYUE
  • Hao sai
  • ZHU ZHONGQI
  • CHEN LONG
  • RUI CHEN
  • LI YAN

Assignees

  • 中国交通信息科技集团有限公司

Dates

Publication Date
20260505
Application Date
20251230

Claims (10)

  1. A method of safe disposal, comprising: acquiring a sender policy framework detection result of a target mail; determining a first detection score of the target mail according to the detection result of the sender policy framework of the target mail; determining the security score of the target mail according to the first detection score, the preset first dynamic weight and the preset initial score of the target mail and combining a second detection strategy; and processing the target mail according to the target mail security score and the score threshold.
  2. The method of claim 1, wherein determining a target mail first detection score based on the sender policy framework detection result of the target mail comprises: reading the target mail source domain name, inquiring a sender policy framework detection record, and determining a configuration file, wherein the configuration file comprises a plurality of rule blocks, and each rule block comprises a key name and execution logic; matching the detection result of the policy framework of the sender of the target mail with key names in the rule blocks respectively, and if the rule blocks are matched, determining execution logic corresponding to the matched key names of the rule blocks; and executing the execution logic corresponding to the matched key name of the rule block to determine a first detection score of the target mail.
  3. The method of claim 2, wherein the plurality of rule blocks includes at least one or more of a validation failure rule block, a validation soft failure rule block, a neutral policy rule block, a clear to send rule block, a DNS failure rule block, a no record rule block, a record format error, or a repeat DNS error rule block; triggering when the mail source IP is not authorized in the SPF record, and assigning a first detection score of the target mail as a first score; triggering when the sender policy framework detection result is that the verification is soft failure, and assigning a first detection score of the target mail as a second score; triggering when a neutral strategy is used in a sender strategy framework detection result, and assigning a first detection score of a target mail as a third score; triggering when the sender policy framework detection result is permission to send, and assigning a first detection score of the target mail as a fourth score; the execution logic of the DNS failure rule block comprises triggering when DNS analysis fails when inquiring the detection result of the sender policy framework, and assigning a first detection score of the target mail as a fifth score; triggering when no sender policy framework detects record in the domain name, assigning a first detection score of a target mail as a sixth score, and triggering the execution logic of the non-record rule block only once; the execution logic of the record format error or repeated DNS error rule block comprises triggering when the sender policy framework detects the record format error or the DNS query is in permanent error, and assigning the first detection score of the target mail as a seventh score.
  4. The method of claim 1, wherein the preset first dynamic weight is a weight occupied by the target mail first detection score in the target mail security score, the preset first dynamic weight being dynamically adjusted according to a scoring policy; according to the first detection score, the preset first dynamic weight and the preset initial score of the target mail, and in combination with a second detection strategy, determining the target mail security score comprises the following steps: summing the first detection score of the target mail with a preset initial score, and calculating a product with the preset first dynamic weight to determine a first score; determining a second score according to the second detection strategy; and determining the target mail security score according to the first score and the second score.
  5. The method of claim 4, wherein the second detection policy comprises one or more of a DKIM verification score calculation and configuration corresponding to the second weight, DMARC alignment status score calculation and configuration corresponding to the third weight, mail content analysis score calculation and configuration corresponding to the fourth weight, sender reputation score calculation and configuration corresponding to the fifth weight, domain name history behavior score calculation and configuration corresponding to the sixth weight; determining a second score according to the second detection strategy, including: calculating a DKIM verification score according to the DKIM verification result; calculating a DMARC alignment state score based on DMARC alignment states; analyzing the mail content and calculating the mail content analysis score; calculating a sender reputation score according to the sender historical reputation; calculating the historical behavior score of the domain name according to the historical behavior of the domain name; and calculating the product of the DKIM verification score and the second weight, the product of DMARC alignment state score and the second weight, the product of the mail content analysis score and the third weight, the product of the sender reputation score and the fourth weight, the product of the domain name historical behavior score and the fifth weight and the product of the domain name historical behavior score and the sixth weight respectively, and summing the products to determine a second score.
  6. The method of claim 1, wherein the scoring threshold comprises a clear threshold, an intercept threshold; and processing the target mail according to the target mail security score and the score threshold, wherein the processing comprises the following steps: if the security score of the target mail is lower than the release threshold, releasing the target mail; if the security score of the target mail is lower than the release threshold and the interception threshold, marking the target mail as to-be-verified, and executing secondary verification treatment; and if the security score of the target mail is lower than the interception threshold value, intercepting the target mail.
  7. A safety disposal device, comprising: the sender policy framework detection result acquisition module is used for acquiring a sender policy framework detection result of the target mail; the target mail first detection score determining module is used for determining a target mail first detection score according to the detection result of the sender policy framework of the target mail; the target mail security score determining module is used for determining the target mail security score according to the first detection score, the preset first dynamic weight and the preset initial score of the target mail and combining with a second detection strategy; and the mail handling module is used for handling the target mail according to the target mail security score and the score threshold.
  8. An electronic device, comprising: a processor, and a memory for storing executable instructions of the processor; wherein the processor is configured to perform the safety handling method of any one of claims 1-6 via execution of the executable instructions.
  9. A computer readable storage medium having stored thereon a computer program, wherein the computer program, when executed by a processor, implements the method of safety disposal of any one of claims 1 to 6.
  10. A computer program product comprising a computer program, characterized in that the computer program, when executed by a processor, implements the safety handling method of any of claims 1-6.

Description

Security handling method and device, storage medium and electronic equipment

Technical Field

The disclosure relates to the technical field of network security, and in particular relates to a security disposal method and device, a storage medium and electronic equipment.

Background

Existing mail gateways often employ fixed qualifiers (Pass, fail, softFail, neutral) to determine the legitimacy of mail when processing sender policy framework (Sender Policy Framework, SPF) test results, which lacks flexibility and accuracy. When the mail system faces a complex mail environment and various attack means, the simple binary or quaternary judgment mode is difficult to adapt to the requirement of a complex scene.

It should be noted that the information disclosed in the above background section is only for enhancing understanding of the background of the present disclosure and thus may include information that does not constitute prior art known to those of ordinary skill in the art.

Disclosure of Invention

The present disclosure provides a secure disposal method and apparatus, a storage medium, and an electronic device, which overcome, at least to some extent, the problem of difficulty in adapting to complex scenes due to the related art.

Other features and advantages of the present disclosure will be apparent from the following detailed description, or may be learned in part by the practice of the disclosure.

According to one aspect of the present disclosure, there is provided a safety handling method comprising: acquiring a sender policy framework detection result of a target mail; determining a first detection score of the target mail according to the detection result of the sender policy framework of the target mail; determining the security score of the target mail according to the first detection score, the preset first dynamic weight and the preset initial score of the target mail and combining a second detection strategy; and processing the target mail according to the target mail security score and the score threshold.

In some embodiments, determining a first detection score for the target mail according to the sender policy framework detection result of the target mail includes: reading the target mail source domain name, inquiring a sender policy framework detection record, and determining a configuration file, wherein the configuration file comprises a plurality of rule blocks, and each rule block comprises a key name and execution logic; matching the detection result of the policy framework of the sender of the target mail with key names in the rule blocks respectively, and if the rule blocks are matched, determining execution logic corresponding to the matched key names of the rule blocks; and executing the execution logic corresponding to the matched key name of the rule block to determine a first detection score of the target mail.

In some embodiments, the plurality of rule blocks includes at least one or more combinations of a validation failure rule block, a validation soft failure rule block, a neutral policy rule block, a clear to send rule block, a DNS failure rule block, a no record rule block, a record format error or a repeat DNS error rule block; triggering when the mail source IP is not authorized in the SPF record, and assigning a first detection score of the target mail as a first score; triggering when the sender policy framework detection result is that the verification is soft failure, and assigning a first detection score of the target mail as a second score; triggering when a neutral strategy is used in a sender strategy framework detection result, and assigning a first detection score of a target mail as a third score; triggering when the sender policy framework detection result is permission to send, and assigning a first detection score of the target mail as a fourth score; the execution logic of the DNS failure rule block comprises triggering when DNS analysis fails when inquiring the detection result of the sender policy framework, and assigning a first detection score of the target mail as a fifth score; triggering when no sender policy framework detects record in the domain name, assigning a first detection score of a target mail as a sixth score, and triggering the execution logic of the non-record rule block only once; the execution logic of the record format error or repeated DNS error rule block comprises triggering when the sender policy framework detects the record format error or the DNS query is in permanent error, and assigning the first detection score of the target mail as a seventh score.
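
The rule-block lookup described above, together with the weighted scoring and threshold handling set out in claims 4 to 6, can be sketched as follows. This is an added example, not code from the patent. Assumptions: all function and variable names, every numeric score, weight and threshold, the use of RFC 7208 result names as rule-block key names, combining the first and second scores by addition, and reading the score as risk (below the release threshold is released, at or above the interception threshold is intercepted).

```python
from typing import Mapping

# Rule blocks: key name is the SPF result (RFC 7208 names), value is the first
# detection score. Every number here is constructed; scores are read as risk
# points (assumption), so a higher score means a more suspicious mail.
SPF_RULE_BLOCKS = {
    "fail": 40.0,       # verification failure: source IP not authorized
    "softfail": 25.0,   # verification soft failure
    "neutral": 10.0,    # neutral policy
    "pass": 0.0,        # permitted to send
    "temperror": 15.0,  # DNS failure while querying SPF
    "none": 20.0,       # domain has no SPF record
    "permerror": 30.0,  # record format error or permanent DNS error
}
# Weights for the second detection strategy (constructed values).
SECOND_WEIGHTS = {"dkim": 0.2, "dmarc": 0.2, "content": 0.1,
                  "reputation": 0.05, "domain_history": 0.05}


def first_detection_score(spf_result: str) -> float:
    """Match the SPF result against rule-block key names and return its score."""
    key = spf_result.strip().lower()
    # Assumption: a result that matches no rule block is scored like permerror.
    return SPF_RULE_BLOCKS.get(key, SPF_RULE_BLOCKS["permerror"])


def security_score(spf_result: str, signals: Mapping[str, float],
                   first_weight: float = 0.4, initial_score: float = 5.0) -> float:
    """(first detection score + initial score) * first weight, plus weighted signals."""
    first = (first_detection_score(spf_result) + initial_score) * first_weight
    # An unknown signal name raises KeyError instead of being silently ignored.
    second = sum(SECOND_WEIGHTS[name] * value for name, value in signals.items())
    return first + second  # assumption: the two scores are combined by addition


def dispose(score: float, release: float = 15.0, intercept: float = 30.0) -> str:
    """Three-way handling; the direction of each comparison is an assumption."""
    if release >= intercept:
        raise ValueError("release threshold must be below intercept threshold")
    if score < release:
        return "release"
    if score < intercept:
        return "secondary_verification"
    return "intercept"
```

With these constructed values, an SPF `fail` on a mail whose other signals are clean scores 18 and goes to secondary verification rather than being intercepted outright, while a `softfail` combined with DKIM and DMARC risk scores of 50 each reaches 34 and is intercepted.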
In some embodiments, the preset first dynamic weight is a weight occupied by the target mail first detection score in the target mail security score, and the preset first dynamic weight is dynamically adjusted according to a scoring policy; according to the first detection score, the preset first dynamic weight and the preset initial score of the target mail, and in combination wit