CN115334032B - Mail receiving method based on multiple protocols - Google Patents

Abstract

A mail receiving method based on multiple protocols comprises the following steps: creating a collection task; setting corresponding parameters to initialize a receiving task according to actual receiving demands; distributing the receiving lines; selecting an optimal line according to the actual active address of the target object; starting multi-thread collection; initializing a multithreading collection method according to the mailbox type of the target object in the mailbox collection process; monitoring a receiving strategy; starting the monitoring of the receiving strategy in the mail downloading process; completing a collection task; releasing the resources occupied by the mail receiving task, archiving and storing the downloaded mail, and displaying the log information and the statistical information in the mail receiving process. The invention overcomes the defects of the prior art, and has very outstanding actual combat effects aiming at the requirements of flow restriction, access downloading restriction measures of various complicated mailbox protocols and server control strategies, automatic selection of network lines and password-free collection.

Description

Mail receiving method based on multiple protocols

Technical Field

The invention relates to the technical field of communication, in particular to a mail receiving method based on multiple protocols.

Background

In the process of collecting and striking illegal crime by an online line, mailbox evidence collection and mail collection are often required for target objects of illegal crimes. The target mailbox of the illegal objects has a plurality of types, and the target mailbox is based on protocol types such as WebMail, POP3, IMAP, exchange and the like, and the sub-division types of different mail limiting strategies are arranged under each type. How to create a comprehensive mail receiving method compatible with various receiving modes based on the mail box types of multiple protocols and the control strategy of the server is always a difficult problem in the industry. In addition, in actual crime attack, a scene that the password of the mailbox account of the target object cannot be obtained is often encountered, and how to perform a password-free mailbox receiving aiming at mailbox Cookie and NTLM Hash and automatically select a network line aiming at an active area of the target object are all problems to be solved in actual work.

Disclosure of Invention

Aiming at the defects of the prior art, the invention provides a mail receiving method based on multiple protocols, overcomes the defects of the prior art, aims at the flow restriction and access downloading restriction measures of various complicated types of mailboxes and server control strategies, and the requirements of automatic selection and password-free receiving of network lines, and has very outstanding actual combat effects.

In order to achieve the above purpose, the invention is realized by the following technical scheme:

a mail receiving method based on multiple protocols comprises the following steps:

step S1: creating a collection task; setting corresponding parameters to initialize a receiving task according to actual receiving demands;

step S2: distributing the receiving lines; according to the actual active address of the target object, designating the country and region where the target object is located, and selecting an optimal line by the receiving program according to the information of the country and region;

step S3: starting multi-thread collection; in the mailbox receiving process, initializing a multithreading receiving method through the mailbox type of a target object, and carrying out data interaction and data downloading in a high concurrency mode;

step S4: monitoring a receiving strategy; starting the monitoring of the receiving strategy in the mail downloading process;

step S5: completing a collection task; releasing the resources occupied by the mail receiving task, archiving and storing the downloaded mail, and displaying the log information and the statistical information in the mail receiving process.

Preferably, the multithreaded mail receiving in step S3 specifically includes Cookie receiving, webMail receiving, IMAP receiving, POP3 receiving and Exchange receiving.

Preferably, the Cookie collecting flow specifically comprises the following steps:

step S311: acquiring mailbox Cookie information of the target object;

step S312: cookie analysis; obtaining a plurality of key value pair combinations through Cookie analysis, and setting the Cookie information into an HTTP request;

step S313: simulating an HTTP request; simulating an HTTP request data packet interacted by a client browser and a server program in the mailbox login and mail viewing process of a real user, and acquiring return information of a server through HTTP request disguising;

step S314: downloading mail; mail downloading is completed by acquiring mail downloading links in batches and request parameters of each downloading link and performing HTTP data packet sending and return data receiving by adopting multithreading.

Preferably, the WebMail collecting flow uses the acquired mailbox account password to collect the mail, and the method specifically comprises the following steps:

step S321: logging in a password; analyzing the login process of the target mailbox in detail, requesting HTTP address, HTTP header information and Post parameter of the request, and then simulating and transmitting a data packet containing the encrypted account password through the HTTP request;

step S322: identifying a verification code; aiming at a part of mailbox needing to log in the verification code, providing verification code identification comprising numbers, letters, cases and Chinese characters, and sending the identified verification code to a server through a third party verification code identification component to finish login authentication;

step S323: traversing the mail folder; after finishing the mailbox login, starting to traverse the mail clip list of the target user, wherein the mail clip list comprises an inbox, a sent mail box, a draft box, deleted mail, junk mail, archive mail and custom mail clip information;

step S324: downloading mail; mail downloading links and request parameters of each downloading link are obtained in batches, HTTP data packet sending and return data receiving are executed by multithreading, and mail downloading is completed;

step S325: mail has no mark; and checking and modifying the unread state of the mail again aiming at the mail with unread original state in the mailbox, and if the mail is the mail with read state, the mail is not affected.

Preferably, the IMAP recovery procedure specifically includes the following steps:

step S331: configuring an IMAP server; the method comprises the steps of including IMAP server address, IMAP server encryption information, IMAP server communication port and other configuration information;

step S332: authorizing login; establishing TCP connection by using the IMAP server address information configured in the step S331, and sending mailbox account authentication and mailbox encryption password in a preset encryption mode to complete authorized login;

step S333: traversing the mail folder; traversing the mail clip LIST through an LIST instruction, and circularly inquiring and traversing the mail LIST through a Fetch instruction;

step S334: downloading mail; mail downloading is completed by obtaining mail contents in batches and writing the mail contents into a local storage by using multiple threads.

Preferably, the POP3 collection procedure specifically includes the following steps:

step S341: configuring a POP3 server; configuration information such as POP3 server address, POP3 server encryption information, POP3 server communication port and the like is included;

step S342: authorizing login; establishing TCP connection by using the address information of the POP3 server configured in the first step, and sending mailbox account authentication and mailbox encryption passwords in a preset encryption mode to complete authorized login;

step S343: traversing an inbox; traversing mail ID LIST of inbox by UIDL instruction, and circularly carrying out mailbox query and traversal of inbox LIST by LIST instruction;

step S344: downloading mail; mail downloading is completed by obtaining mail contents in batches and writing the mail contents into a local storage by using multiple threads.

Preferably, the Exchange recovery process specifically includes the following steps:

step S351: the NTLM Hash is collected; intercepting an NTLM Hash value of a target object in a network sniffing mode, a flow monitoring mode and the like;

step S352: NTLM Hash parsing; through mailbox information, domain control Domain and 32-bit NTLM Hash character strings of the incoming target object, an autonomous developed NTLM Hash analysis program is used for completing analysis of data and disguising of local authorization information;

step S353: authorizing login; after NTLM Hash analysis in step S352, the local computer has performed authorization information masquerading. At the moment, simulating the login of the Exchange mailbox;

step S354: traversing the mail; traversing the mail clip list by using Exchange receiving protocol to complete ID list statistics and mail content inquiry of all mails;

step S355: downloading mail; mail downloading is completed by obtaining mail contents in batches and writing the mail contents into a local storage by using multiple threads.

The invention provides a mail receiving method based on multiple protocols. The beneficial effects are as follows: in the mail receiving method based on multiple protocols, IP lines can be intelligently selected according to the regions where the target mailbox and the target object are frequently logged in the executing process, so that the safety is improved, and abnormal reminding of a server is prevented. And the method comprises the steps of Cookie collection, webMail collection, IMAP collection, POP3 collection and Exchange collection, and can flexibly adopt different collection modes in face of different scenes and requirements. The mail receiving method based on the multi-protocol adopts a distributed receiving mechanism, can realize high concurrency and multiple lines Cheng Shouxin in a short period, and meets the receiving requirement of mass mails. The mail receiving method based on the multiple protocols aims at different mailbox types and has a server flow monitoring strategy. And (3) limiting the daily flow of the mail downloading of part of mailboxes, limiting the maximum mail downloading quantity of part of mailboxes per hour, and the like, and automatically carrying out flow statistics and speed adjustment.

Drawings

In order to more clearly illustrate the invention or the technical solutions in the prior art, the drawings used in the description of the prior art will be briefly described below.

FIG. 1 is a flow chart of the steps of the present invention;

FIG. 2 is a block diagram of a Cookie receiving flow in the present invention;

FIG. 3 is a block diagram of a WebMail message receiving flow in the present invention;

fig. 4 is a block diagram of a POP3 reception flow in the present invention;

fig. 5 is a block diagram of an IMAP reception flow in the present invention;

FIG. 6 is a block diagram of an Exchange message flow in the present invention.

Detailed Description

In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings.

As shown in fig. 1 to 6, the present invention provides a mail receiving method based on multiple protocols, which includes a Cookie receiving process, a WebMail receiving process, a POP3 receiving process, an IMAP receiving process, an Exchange receiving process, and a receiving monitoring process.

The method specifically comprises the following steps that the Cookie is received, the account number and the password of a target mailbox are not required to be actually acquired, and mail receiving is directly completed through the Cookie acquired through a special channel:

step S311: acquiring mailbox Cookie information of the target object; in actual case handling, mailbox Cookie information of the target object may be accidentally intercepted. Such as traffic monitoring equipment, local area network monitoring software, wireless WIFI framing equipment, etc.;

step S312: cookie analysis; cookies are actually a string that some websites store on their local terminals for the purpose of identifying the user's identity and performing session tracking. A plurality of key value pair combinations can be obtained through Cookie analysis, and then the Cookie information is set in an HTTP request head, so that the aim of authentication and authorization through a server is fulfilled;

step S313: simulating an HTTP request; simulating an HTTP request data packet interacted by a client browser and a server program in the mailbox login and mail viewing process of a real user, and acquiring return information of a server through HTTP request disguising; since HTTP request emulation is completely consistent with the user actually using browser access, mail servers cannot be identified and distinguished.

Step S314: downloading mail; mail downloading is completed by acquiring mail downloading links in batches and request parameters of each downloading link and performing HTTP data packet sending and return data receiving by adopting multithreading.

The WebMail collecting flow adopts the acquired mailbox account password to collect the mail, and is characterized in that the mail is traceless, no trace is left in the mailbox, and the read and unread state of the mail is not changed. The method specifically comprises the following steps:

step S321: logging in a password; analyzing the login process of the target mailbox in detail, requesting HTTP address, HTTP header information and Post parameter of the request, and then simulating and transmitting a data packet containing the encrypted account password through the HTTP request;

step S322: identifying a verification code; aiming at a part of mailbox needing to log in the verification code, providing verification code identification comprising numbers, letters, cases and Chinese characters, and sending the identified verification code to a server through a third party verification code identification component to finish login authentication;

step S323: traversing the mail folder; after finishing the mailbox login, starting to traverse the mail clip list of the target user, wherein the mail clip list comprises an inbox, a sent mail box, a draft box, deleted mail, junk mail, archive mail and custom mail clip information;

step S324: downloading mail; mail downloading links and request parameters of each downloading link are obtained in batches, HTTP data packet sending and return data receiving are executed by multithreading, and mail downloading is completed;

step S325: mail has no mark; and checking and modifying the unread state of the mail again aiming at the mail with unread original state in the mailbox, and if the mail is the mail with read state, the mail is not affected.

The IMAP protocol is totally called Internet Message Access Protocol, also called interactive mail access protocol, and the IMAP mail receiving flow can realize mail receiving of all mail clips; the collecting flow comprises the following steps:

step S331: configuring an IMAP server; the method comprises the steps of including IMAP server address, IMAP server encryption information, IMAP server communication port and other configuration information;

step S332: authorizing login; establishing TCP connection by using the IMAP server address information configured in the step S331, and sending mailbox account authentication and mailbox encryption password in a preset encryption mode to complete authorized login;

step S333: traversing the mail folder; traversing the mail clip LIST through an LIST instruction, and circularly inquiring and traversing the mail LIST through a Fetch instruction;

step S334: downloading mail; mail downloading is completed by obtaining mail contents in batches and writing the mail contents into a local storage by using multiple threads.

The POP3 protocol is collectively referred to as Post Office Protocol version3, and the POP3 receipt flow is primarily directed to mail collection in the inbox. The collecting flow comprises the following steps:

step S341: configuring a POP3 server; configuration information such as POP3 server address, POP3 server encryption information, POP3 server communication port and the like is included;

step S342: authorizing login; establishing TCP connection by using the address information of the POP3 server configured in the first step, and sending mailbox account authentication and mailbox encryption passwords in a preset encryption mode to complete authorized login;

step S343: traversing an inbox; traversing mail ID LIST of inbox by UIDL instruction, and circularly carrying out mailbox query and traversal of inbox LIST by LIST instruction;

step S344: downloading mail; mail downloading is completed by obtaining mail contents in batches and writing the mail contents into a local storage by using multiple threads.

The Exchange receiving flow can also collect mails under the condition that the account password is not obtained, and can receive the mails through the NTLM Hash obtained by a special channel. The collecting flow comprises the following steps:

step S351: the NTLM Hash is collected; in actual case handling work, particularly in a domain control scene, the NTLM Hash value of the target object can be intercepted in a network sniffing mode, a flow monitoring mode and the like;

step S352: NTLM Hash parsing; through mailbox information, domain control Domain and 32-bit NTLM Hash character strings of the incoming target object, an autonomous developed NTLM Hash analysis program is used for completing analysis of data and disguising of local authorization information;

step S353: authorizing login; after NTLM Hash analysis in step S352, the local computer has performed authorization information masquerading. At the moment, simulating the login of the Exchange mailbox; to achieve the effect of bypassing the server authentication authorization;

step S354: traversing the mail; traversing the mail clip list by using Exchange receiving protocol to complete ID list statistics and mail content inquiry of all mails;

step S355: downloading mail; mail downloading is completed by obtaining mail contents in batches and writing the mail contents into a local storage by using multiple threads.

The receiving monitoring flow is responsible for resource occupation monitoring of the whole receiving task, server limiting measure monitoring, receiving progress monitoring and the like.

The method specifically comprises the following steps:

step S1: creating a collection task; setting parameters such as mailbox receiving type, total receiving or appointed mailbox receiving quantity, total receiving or appointed sending time, single receiving or polling receiving and the like to initialize receiving tasks according to actual receiving requirements;

step S2: distributing the receiving lines; according to the actual active address of the target object, the country and the region where the target object is located are designated, the receiving program automatically selects the optimal line according to the information of the country and the region, the network line and the common line of the actual target object are kept in the similar region, and meanwhile, the network speed and the data downloading speed are considered;

step S3: starting multi-thread collection; in the mailbox receiving process, initializing a multithreading receiving method through the mailbox type of a target object, and carrying out data interaction and data downloading in a high concurrency mode;

step S4: monitoring a receiving strategy; and starting the monitoring of the receiving strategy in the mail downloading process. The mail receiving strategy monitoring has two main works, one is to monitor mail receiving statistics, flow limiting strategies and quantity limiting strategies of the mailbox, the other is to monitor mail receiving progress, and the mail receiving progress is fed back to a front-end user in a message queue mode;

step S5: completing a collection task; releasing the resources occupied by the mail receiving task, archiving and storing the downloaded mail, and displaying the log information and the statistical information in the mail receiving process.

The mail receiving method based on the multiple protocols can intelligently select the IP line according to the target mailbox and the region where the target object is frequently logged in the execution process, thereby improving the safety and preventing the server from abnormal reminding. And the method comprises the steps of Cookie collection, webMail collection, IMAP collection, POP3 collection and Exchange collection, and can flexibly adopt different collection modes in face of different scenes and requirements. The mail receiving method based on the multi-protocol adopts a distributed receiving mechanism, can realize high concurrency and multiple lines Cheng Shouxin in a short period, and meets the receiving requirement of mass mails. The mail receiving method based on the multiple protocols aims at different mailbox types and has a server flow monitoring strategy. And (3) limiting the daily flow of the mail downloading of part of mailboxes, limiting the maximum mail downloading quantity of part of mailboxes per hour, and the like, and automatically carrying out flow statistics and speed adjustment.

The above embodiments are only for illustrating the technical solution of the present invention, and are not limiting; although the invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical scheme described in the foregoing embodiments can be modified or some technical features thereof can be replaced by equivalents; such modifications and substitutions do not depart from the spirit and scope of the technical solutions of the embodiments of the present invention.

Claims (1)

1. A mail receiving method based on multiple protocols is characterized in that: the method comprises the following steps:

step S1: creating a collection task; setting corresponding parameters to initialize a receiving task according to actual receiving demands;

step S2: distributing the receiving lines; according to the actual active address of the target object, designating the country and region where the target object is located, and selecting an optimal line by the receiving program according to the information of the country and region;

step S3: starting multi-thread collection; in the mailbox receiving process, initializing a multithreading receiving method according to the protocol type supported by the mailbox of the target object, and carrying out data interaction and data downloading in a high concurrency mode;

step S4: monitoring a receiving strategy; starting the monitoring of the receiving strategy in the mail downloading process;

step S5: completing a collection task; releasing the resources occupied by the mail receiving task, archiving and storing the downloaded mail, and displaying log information and statistical information in the mail receiving process;

the multithreaded mail receiving in the step S3 specifically includes Cookie receiving, webMail receiving, IMAP receiving, POP3 receiving and Exchange receiving;

the Cookie collecting flow specifically comprises the following steps:

step S311: acquiring mailbox Cookie information of the target object;

step S312: cookie analysis; obtaining a plurality of key value pair combinations through Cookie analysis, and setting the Cookie information into an HTTP request;

step S313: simulating an HTTP request; simulating an HTTP request data packet interacted by a client browser and a server program in the mailbox login and mail viewing process of a real user, and acquiring return information of a server through HTTP request disguising;

step S314: downloading mail; mail downloading links and request parameters of each downloading link are obtained in batches, HTTP data packet sending and return data receiving are executed by multithreading, and mail downloading is completed;

the WebMail receiving flow adopts the acquired mailbox account password to receive the mail, and specifically comprises the following steps:

step S321: logging in a password; analyzing the login process of the target mailbox in detail, requesting HTTP address, HTTP header information and Post parameter of the request, and then simulating and transmitting a data packet containing the encrypted account password through the HTTP request;

step S322: identifying a verification code; aiming at a part of mailbox needing to log in the verification code, providing verification code identification comprising numbers, letters, cases and Chinese characters, and sending the identified verification code to a server through a third party verification code identification component to finish login authentication;

step S323: traversing the mail folder; after finishing the mailbox login, starting to traverse the mail clip list of the target user, wherein the mail clip list comprises an inbox, a sent mail box, a draft box, deleted mail, junk mail, archive mail and custom mail clip information;

step S324: downloading mail; mail downloading links and request parameters of each downloading link are obtained in batches, HTTP data packet sending and return data receiving are executed by multithreading, and mail downloading is completed;

step S325: mail has no mark; checking and modifying the unread state of the mail again aiming at the mail with unread original state in the mailbox, and if the mail is the mail with read state, the mail is not affected;

the IMAP collecting flow specifically comprises the following steps:

step S331: configuring an IMAP server; the method comprises the steps of IMAP server addresses, IMAP server encryption information and IMAP server communication port configuration information;

step S332: authorizing login; establishing TCP connection by using the IMAP server address information configured in the step S331, and sending mailbox account authentication and mailbox encryption password in a preset encryption mode to complete authorized login;

step S333: traversing the mail folder; traversing the mail clip LIST through an LIST instruction, and circularly inquiring and traversing the mail LIST through a Fetch instruction;

step S334: downloading mail; mail downloading is completed by obtaining mail contents in batches and writing the mail contents into a local storage by using multiple threads;

the POP3 collecting flow specifically comprises the following steps:

step S341: configuring a POP3 server; the method comprises the steps of POP3 server addresses, POP3 server encryption information and POP3 server communication port configuration information;

step S342: authorizing login; establishing TCP connection by using the address information of the POP3 server configured in the first step, and sending mailbox account authentication and mailbox encryption passwords in a preset encryption mode to complete authorized login;

step S343: traversing an inbox; traversing mail ID LIST of inbox by UIDL instruction, and circularly carrying out mailbox query and traversal of inbox LIST by LIST instruction;

step S344: downloading mail; mail downloading is completed by obtaining mail contents in batches and writing the mail contents into a local storage by using multiple threads;

the Exchange collection flow specifically comprises the following steps:

step S351: the NTLM Hash is collected; intercepting an NTLM Hash value of a target object in a network sniffing and flow monitoring mode;

step S352: NTLM Hash parsing; through mailbox information, domain control Domain and 32-bit NTLM Hash character strings of the incoming target object, an autonomous developed NTLM Hash analysis program is used for completing analysis of data and disguising of local authorization information;

step S353: authorizing login; after NTLM Hash analysis in step S352, the local computer performs authorization information masquerading, and then simulates the Exchange mailbox login;

step S354: traversing the mail; traversing the mail clip list by using Exchange receiving protocol to complete ID list statistics and mail content inquiry of all mails;

step S355: downloading mail; mail downloading is completed by obtaining mail contents in batches and writing the mail contents into a local storage by using multiple threads.