RU2747638C1 - Method for protecting computer networks - Google Patents

Abstract

FIELD: computer technology.

SUBSTANCE: method of protecting computer networks is intended for use in attack detection systems in order to counteract quickly unauthorized influences in computer data transmission networks based on the TCP/IP family of communication protocols. A fragmented response is sent to the sender, fragments of which are sent at numerous small delay time intervals, after many intermediate responses sent at numerous small delay time intervals. Responses are sent to the sender, indicating the temporary unavailability of the recipient of e-mail messages, at numerous small delay time intervals. False responses are sent to the sender, containing a randomly selected error code in accordance with the SMTP protocol specification.

EFFECT: increased effectiveness of protection by reducing the possibility of a hacker detecting the fact of using security tools and preventing the collection of valid email recipient addresses for use as potential attack targets.

10 cl, 5 dwg

Description

The invention relates to telecommunications and can be used in intrusion detection systems for the purpose of promptly detecting and countering unauthorized influences in computer networks, in particular in a data transmission network of the "Internet" type, based on the family of communication protocols TCP / IP {Transmission Control Protocol / Internet Protocol ).

A known method of protecting computer networks "System for analyzing data transfer protocols in order to neutralize programs that send spam" according to RF patent No. 101234, class G06F 21/00, G06F 11/00, Appl. 23.07.2010. The known method includes the following sequence of actions. Reputation rules are set and recorded in the database, based on which it is determined whether a client is a spam bot. They accept a request from clients to the server and determine the protocol for transferring data between the client and the server, the presence of protocol errors, the number of requests coming from clients to the server, and client addresses. Exhibit reputation to clients from whom inquiries have been made in accordance with the used reputation rules. If spam bots using a spam-sending program are identified, they are sent to the addresses of the spam bots, from which requests are sent to the server of the disinfectant of the spam-sending program.

The disadvantage of this method is the relatively low effectiveness of protection, which is due to the lack of accounting for the attacker's ability to block and redirect the remedies sent to him for the treatment of a program that sends spam, as well as the lack of accounting for the attacker's ability to send spam from fake email addresses, which increases the ability to successfully implement some types of NDR (Non Delivery Report) attacks based on the return of mail messages to the sender, the recipient of which does not exist. In addition, another drawback that significantly affects the effectiveness of the method under consideration is the possibility of compromising the applied protection tools, which forces the attacker to change the strategy of malicious action.

A known method of protecting computer networks "Preventing unauthorized mass mailing of e-mail" according to RF patent No. 2472308, class H04W 4/12, G06F 15/167, Appl. May 19, 2011. The known method includes the following sequence of actions. Messages filtered on the mail server, recognized as a virus and spam, are not only flagged, moved to another mailbox or deleted, but copies of such messages are returned to the sender, due to which his mailbox becomes full and blocked, and the sending of unauthorized bulk e-mail from this address is stopped ... Mailboxes on e-mail servers are configured to block when overflowed, interrupting the sending of emails.

The disadvantage of this method is the relatively low efficiency and narrow scope. The narrow scope is due to the use of a method to counter an attacker who uses only one mailbox at a time for mass spam mailing and does not take into account the possibility of an attacker using multiple mailboxes for this purpose on different computers running spambots, which dramatically increases the attacker's capabilities. Poor protection performance is due to the blocking of mailboxes of e-mail servers, when they are overflowed due to intensive exchange of e-mail messages with an attacker, which will lead to a decrease in the speed or impossibility of information exchange of e-mail messages with authorized senders (denial of service). In addition, the lack of accounting for the attacker's ability to block and redirect spam messages sent back to him, as well as the lack of accounting for the attacker's ability to send bulk spam from fake email addresses increases the likelihood of successful implementation of some NDR attacks (Non-Delivery Report) based on on non-delivery of e-mail, such as "bounce message attack", "bouce-source" or "backscatter-attack", known and described, for example, in an article by Kaspersky K. Unlimited spam // Hacker, No. 07 (103), June 2007, on pp. 48-51 and will lead to regression (degradation) of the basic quality of the prototype method. Another drawback that significantly affects the effectiveness of the method under consideration is that the implementation of the specified approach to protection compromises the applied protection means and forces the attacker to continue the harmful effect and (or) change his strategy.

The closest in technical essence to the claimed is a method of protecting computer networks "Response delay management using connection informations" according to US patent No. 20070220600A1, class G06F 2/4 (2006.01), publ. 20.09.2007. The method consists in performing the following actions: N≥1 reference identifiers of authorized senders and recipients of e-mail messages are preset. Establish a network connection with the sender of the e-mail messages. A command is received from the sender that identifies the sender of the mail messages, the sender identifiers of the mail messages are extracted and compared with the reference identifiers of the authorized senders and recipients of the e-mail messages. If they match, a response is sent about the readiness of the recipient for the next stage of the mail transaction to the sender of the messages. Otherwise, the transmission rate of the generated response is reduced by time t _back and the generated response is sent to the sender after time t _back with a decrease in the transmission rate. In the case of receipt from the sender of the e-mail the team at the end of a network connection, before the expiry of the time t _ass sending a reply response, break the network connection to the sender of e-mail messages. Further, at each stage of the mail transaction, the cycle of receiving commands from the sender identifying the sender and recipients of mail messages, highlighting the sender and recipient identifiers of mail messages, comparing them with the reference identifiers of authorized senders and recipients of e-mail messages, breaking the connection with the sender in case of receiving commands from him to complete connections before the expiration of time t _backside sending a reply response. Increase the value of time delay t _butt that sends a response back to the sender e-mail in the case of repeated attempts to send messages unauthorized sender.

The known prototype method provides a higher protection efficiency in comparison with analogs due to the delay for a given time in response responses to the attacker's commands during the transmission of e-mail messages, which makes it possible to reduce the number of unwanted messages sent to them and, thereby, to reduce and (or) stop malicious impact of an intruder.

The disadvantage of the prototype method is its relatively low effectiveness of protection, which is due to the fact that the time delay in sending response responses to the attacker's commands, after his identification in the process of sending e-mail messages via SMTP, is carried out after a sufficiently long delay time t _back , the value which is increased in case of its repeated attempts to send e-mail messages. This can lead to the compromise of the applied protection means and forcing the attacker to further influence the computer networks and (or) change the applied strategy of influence, and also contributes to bypassing the applied protection means when the attacker sets sufficiently short timeouts for waiting for reply responses from the message recipient at various stages. the process of sending e-mail messages using the SMTP protocol. Sending response responses even after a sufficiently long delay time t _back allows an attacker to collect email recipient addresses at some point in time and use them as potential targets of an attack.

The aim of the claimed technical solution is to develop a method for protecting computer networks that improves the effectiveness of protection by reducing the possibility of an attacker discovering the fact of using protection means and preventing the collection of valid email recipient addresses for use as potential attack targets. Reducing the possibility of an attacker detecting the fact of using protection means is achieved by imitating a communication channel with poor quality at various stages of a mail transaction by sending a fragmented response response to the sender, fragments of which are sent at numerous small time delay intervals, after many intermediate responses sent at numerous small time intervals. , by sending back responses to the sender, indicating the temporary unavailability of the recipient of e-mail messages, at multiple short intervals of time delay, and by sending false responses to the sender containing a randomly selected error code in accordance with the specification of the SMTP protocol. To prevent the collection of valid email recipient addresses for use as potential attack targets, the attacker is deceived by sending false responses to the sender, confirming the presence of invalid email recipient addresses.

счетчик сформированных промежуточных откликов, хранящихся в массиве памяти V и массив памяти J для хранения матрицы соответствия d-му промежуточному отклику из массива V t-го сформированного значения времени задержки его направления отправителю сообщений электронной почты из массива памяти L. После этого задают массив памяти Р для хранения g фрагментов, на которые разделяют ответный отклик, направляемый отправителю сообщений, где g=1, 2, …, G, a G - общее количество сформированных фрагментов, на которые разделяют ответный отклик, направляемый отправителю сообщений. Далее задают массив памяти Z для хранения ƒ сформированных значений времени задержки передачи фрагментов ответного отклика отправителю сообщений электронной почты, где ƒ=1, 2, …, F, a F - общее количество сформированных значений времени задержки направления фрагментов ответного отклика отправителю сообщений электронной почты. Затем задают счетчик m сформированных фрагментов, хранящихся в массиве памяти Р, на которые разделяют ответный отклик. После этого задают массив памяти Н для хранения матрицы соответствия g-му фрагменту из массива Р ƒ-го сформированного значения времени его задержки из массива памяти Z. Далее задают массив памяти О для хранения u ответных откликов на команды отправителя сообщений электронной почты, содержащих код ошибки, указывающих на временную недоступность получателя сообщений электронной почты, в соответствии со спецификацией протокола SMTP, где u=1, 2, … U, a U - общее количество ответных откликов, содержащих код ошибки, на команды отправителя сообщений. После этого задают массив памяти X для хранения с значений времени задержки ответных откликов, содержащих код ошибки, через которые ответные отклики будут направлены отправителю, где с=1, 2, … С, а С - общее количество сформированных значений времени задержки направления ответных откликов. Далее задают счетчик b сформированных ответных откликов, содержащих код ошибки, хранящихся в массиве памяти О. Затем задают массив памяти Q для хранения матрицы соответствия u-му ответному отклику, содержащему код ошибки, из массива О ого сформированного значения времени его задержки из массива памяти X. Далее задают счетчик I_оа количества некорректных адресов получателей сообщений электронной почты и счетчик I_оаmах максимально возможного количества некорректных адресов получателей сообщений электронной почты. Затем задают множество {I}={I₁, I₂, …, I_i} подключений отправителя к получателям сообщений электронной почты, где I_i - идентификатор подключения отправителя сообщений электронной почты, который содержит в себе порядковый номер подключения отправителя к получателю сообщений электронной почты, i - максимальный порядковый номер подключения отправителя к получателю сообщений электронной почты. После этого задают массив памяти Е=[I₁, I₂, …, I_i] для хранения I_i идентификаторов, а также массив памяти Y для хранения а значений времени задержки обработки подключений отправителя, где а=1,2, … А, а А - общее количество значений времени задержки обработки подключений отправителя. Далее задают массив памяти W для хранения матрицы соответствия подключениям отправителя, из массива памяти Е, значений времени задержки перед их обработкой из массива памяти Y. В случае если после приема команды, инициирующей отправителя почтовых сообщений и идентифицирующей его, выделения из принятой команды идентификаторов отправителя сообщений, сравнения выделенных идентификаторов отправителя сообщений с опорными идентификаторами из массива памяти М, по результатам сравнения выделенные идентификаторы соответствуют опорным идентификаторам санкционированных отправителей сообщений из массива памяти М, то отправителю сообщений направляется ответный отклик о готовности к почтовой транзакции. В ином случае, если выделенные идентификаторы не соответствуют опорным идентификаторам санкционированных отправителей сообщений, то формируют R промежуточных откликов, которые будут направлены отправителю сообщений электронной почты перед ответным откликом. Далее запоминают R промежуточных откликов в массиве памяти V. Затем устанавливают значение счетчика

сформированных промежуточных откликов, хранящихся в массиве памяти V, равным R. После этого формируют Т значений времени задержки промежуточных откликов отправителю сообщений. Запоминают Т значений времени задержки промежуточных откликов отправителю сообщений в массиве памяти L. Далее запоминают в массиве памяти J соответствие d-му промежуточному отклику из массива V t-то сформированного значения времени его задержки из массива памяти L. После этого считывают из массива памяти J первый из R сформированных промежуточных откликов и из массива памяти L первое из Т сформированных значений времени задержки. Далее направляют отправителю сообщений первый из R сформированных промежуточных откликов через первое из Т сформированных значений времени задержки. Затем удаляют первый из R сформированных промежуточных откликов и первое из Т сформированных значений времени задержки, а также запись об их соответствии из массивов памяти V, L и J соответственно. После этого уменьшают значение счетчика

сформированных промежуточных откликов, хранящихся в массиве памяти V на единицу. В случае получения после отправки промежуточного отклика команды на завершение сетевого соединения от отправителя сообщений электронной почты значения I_c и I_s уменьшаются на единицу, а сетевое соединение с отправителем почтовых сообщений завершается. В ином случае, если после отправки промежуточного отклика команды на завершение сетевого соединения от отправителя сообщений электронной почты не последовало, то считывают значение счетчика

сформированных промежуточных откликов. При выполнении условия

≠ 0, считывают очередной (d+1)-й из ранее сформированных R промежуточных откликов. Направляют очередной (d+1)-й из ранее сформированных R промежуточных откликов через (t+1)-е значение времени задержки отправителю сообщений электронной почты, и так до тех пор, пока не будет выполнено условие

=1. Формируют G фрагментов, на которые разделяют ответный отклик, направляемый отправителю сообщений, после выполнения условия

=1. Далее запоминают G фрагментов, на которые разделяется ответный отклик, направляемый отправителю сообщений. Затем устанавливают значение счетчика т сформированных фрагментов, на которые разделяют ответный отклик, равным G. После этого формируют F значений времени задержки для каждого из фрагментов, на которые разделяют ответный отклик отправителю. Далее запоминают F значений времени задержки для каждого из фрагментов, на которые разделяют ответный отклик отправителю в массиве памяти Z. Затем запоминают в массиве памяти Н соответствия g-му фрагменту из массива памяти Р ƒ-го сформированного значения времени его задержки из массива памяти Z. После этого считывают из массива памяти Р первый из G сформированных фрагментов ответного отклика и из массива памяти Z первое из F сформированных значений времени задержки. Далее направляют отправителю сообщений первый из G фрагментов ответного отклика через первое из Z сформированных значений времени задержки. Затем удаляют первый из G сформированных фрагментов ответного отклика и первое из F сформированных значений времени задержки, а также запись об их соответствии из массивов памяти Р, Z и Н соответственно. После этого уменьшают значение счетчика m сформированных фрагментов ответного отклика, на единицу. В случае получения после отправки фрагмента ответного отклика команды на завершение сетевого соединения от отправителя сообщений электронной почты, значения I_c и I_s уменьшаются на единицу, а сетевое соединение с отправителем почтовых сообщений завершается. В ином случае, если после отправки фрагмента ответного отклика команды на завершение сетевого соединения от отправителя сообщений электронной почты не последовало, то считывают значение счетчика m сформированных фрагментов ответного отклика. Далее если значение счетчика m≠0, то считывают очередной (g+1)-й из ранее сформированных G фрагментов ответного отклика. После этого направляют очередной (g+1)-й из ранее сформированных G фрагментов ответного отклика через (ƒ+1)-е значение времени задержки отправителю сообщений электронной почты, и так до тех пор, пока не будет выполнено условие m=0. В случае, если после приема от отправителя сообщений команды на начало почтовой транзакции, идентифицирующей отправителя сообщений электронной почты, выделения из принятой команды идентификаторов отправителя сообщений, сравнения выделенных идентификаторов отправителя сообщений с опорными идентификаторами из массива памяти М, выделенные идентификаторы соответствуют опорным идентификаторам санкционированных отправителей сообщений из массива памяти М, то отправителю сообщений направляется ответный отклик о приеме полученной команды и начале почтовой транзакции. В ином случае, если по результатам сравнения выделенные идентификаторы не соответствуют опорным идентификаторам санкционированных отправителей сообщений из массива памяти М, то для ответа на принятую команду отправителя сообщений формируют U ответных откликов, содержащих код ошибки, указывающий на временную недоступность получателя сообщений электронной почты, в соответствии со спецификацией протокола SMTP. После этого запоминают U ответных откликов, содержащих код ошибки в массиве памяти О. Далее устанавливают значение счетчика b сформированных ответных откликов, содержащих код ошибки, хранящихся в массиве памяти О, равным U. Затем формируют С значений времени задержки ответных откликов, содержащих код ошибки, через которые ответные отклики будут направлены отправителю. После этого запоминают С значений времени задержки ответных откликов, содержащих код ошибки, через которые ответные отклики будут направлены отправителю в массиве памяти X. Далее запоминают в массиве памяти Q соответствие u-му ответному отклику, содержащему код ошибки, из массива памяти О ого сформированного значения времени его задержки из массива памяти X. Затем считывают из массива памяти О первый из U сформированных ответных откликов, содержащих код ошибки и из массива памяти X первое из С сформированных значений времени задержки. После этого направляют отправителю сообщений первый из U сформированных ответных откликов, содержащих код ошибки, через первое из С сформированных значений времени задержки. Далее удаляют первый из U сформированных ответных откликов, содержащих код ошибки и первое из С сформированных значений времени задержки, а также запись об их соответствии из массивов памяти О, X и Q соответственно. Затем уменьшают значение счетчика b сформированных ответных откликов, содержащих код ошибки, хранящихся в массиве памяти О на единицу. В случае получения от отправителя сообщений на полученный отклик, содержащий код ошибки, команды о разрыве установленного соединения, значения I_c и I_s уменьшаются на единицу, а сетевое соединение с отправителем почтовых сообщений завершается. В ином случае, если после отправки u-то ответного отклика, содержащего код ошибки, от отправителя сообщений электронной почты команды на разрыв соединения не последовало, а последовала повторная команда на начало почтовой транзакции, то считывают значение счетчика b сформированных ответных откликов, содержащих код ошибки. В случае если значение счетчика b ≠ 0, что говорит о том, что еще не все ответные отклики, содержащие код ошибки, направлены отправителю сообщений электронной почты, то считывают очередной (u+1)-й из U ранее сформированных ответных откликов, содержащих код ошибки. Затем направляют отправителю сообщений электронной почты (u+1)-й ответный отклик, содержащих код ошибки, через (с+1)-е значение времени задержки, и так до тех пор, пока не будет выполнено условие b=0. После приема от отправителя сообщений команды, указывающей получателей сообщений электронной почты, выделения из принятой команды идентификаторов получателей сообщений электронной почты, сравнения выделенных идентификаторов с идентификаторами санкционированных получателей из массива М, если выделенные идентификаторы получателей сообщений электронной почты не совпадают с идентификаторами санкционированных получателей из массива М, то после сравнения значения счетчика I_c количества подключений отправителя сообщений с I_сmах максимально возможным количеством подключений отправителя сообщений, при выполнении условия I_с≥I_сmах значения I_c и I_s уменьшаются на единицу, а сетевое соединение с отправителем почтовых сообщений завершается. При невыполнении условия I_с≥I_сmах считывают полученные от отправителя некорректные адреса получателей сообщений электронной почты, не принадлежащие идентификаторам санкционированных получателей из массива памяти М. Далее сравнивают значение счетчика I_оа количества некорректных адресов получателей сообщений электронной почты с I_оаmах максимально возможным количеством полученных некорректных адресов получателей сообщений электронной почты. В случае выполнения условия I_оа≥I_oаmах формируют I_oа ложных откликов отправителю, подтверждающих наличие некорректных адресов получателей сообщений электронной почты. Затем направляют отправителю I_oа откликов, подтверждающих наличие некорректных адреса получателей сообщений электронной почты отправителю сообщений электронной почты, значения I_c и I_s уменьшаются на единицу, а сетевое соединение с отправителем почтовых сообщений завершается. В случае невыполнения условия I_оа≥I_oаmах формируют I_оа ложных откликов с сообщением об ошибке, направляют I_оа откликов с ложным сообщением об ошибке отправителю сообщений электронной почты, в случае получения на отклик с ложным сообщением об ошибке от отправителя сообщений команды о разрыве установленного соединения, значения I_c и I_s уменьшаются на единицу, а сетевое соединение с отправителем почтовых сообщений завершается. В ином случае, если после направления отклика с ложным сообщением об ошибке отправителю, от него поступила повторная команда, то принимают от отправителя повторную команду с исправленной ошибкой. Далее вновь формируют отклик с ложным сообщением об ошибке, направляют его отправителю и так до тех пор, пока не будет получена команда от отправителя сообщений о разрыве установленного соединения. Если выделенные идентификаторы получателей сообщений электронной почты совпадают с идентификаторами санкционированных получателей из массива памяти М, то считывают количество подключений отправителя. Затем устанавливают значение счетчика I_c количества подключений отправителя сообщений равным i. Далее сравнивают значение счетчика I_c количества подключений отправителя сообщений с I_сmах максимально возможным количеством подключений отправителя сообщений. При выполнении условия I_с≥I_сmax задают каждому из множества {I} подключений отправителя идентификатор I_i. После этого запоминают идентификатор каждого из подключений отправителя в массиве памяти Е. Далее формируют для каждого из подключений отправителя, характеризуемого идентификатором из массива памяти Е, значение времени задержки его обработки. Затем запоминают А значений времени задержки обработки подключений отправителя в массиве памяти Y. После этого запоминают в массиве памяти W соответствие каждому подключению, характеризуемому идентификатором из массива памяти Е, значения времени задержки перед его обработкой из массива памяти Y. Далее обрабатывают первое из подключений отправителя через время задержки перед его обработкой. После этого удаляют идентификатор первого из обработанных подключений и соответствующее ему значение времени задержки перед его обработкой, а также запись об их соответствии из массивов памяти Е, А и W соответственно. Затем уменьшают значение счетчика I_c количества подключений отправителя сообщений на единицу. В случае если значение счетчика I_c ≠ 0, то обрабатывают очередное из подключений отправителя и так до тех пор, пока не будет выполнено условие I_c = 0. При невыполнении условия I_c≥I_сmах направляют отправителю ответный отклик.This goal is achieved by the fact that in the known method for protecting computer networks, N≥1 reference identifiers of authorized senders and recipients of e-mail messages are preset. After that, set I _c counter of the number of connections of the sender of messages and I _{сmax the} maximum possible number of connections of the sender of e-mail messages. Next, set the delay time t _butt that sends back a response to the sender of email messages. Then, an array of memory is defined M for storing the reference identifiers of authorized senders and recipients of e-mail messages. Then set the I _s counter of the total number of connections of all senders of e-mail messages and I _{smax the} maximum possible number of connections of all senders of e-mail messages. Next, a network connection is established with the sender of mail messages. Then the value of the counter I _{c of the} number of connections from the message sender is increased by one and the value of the counter I _{s of the} total number of connections from all message senders is increased. After that, the value of the counter I _{s of the} number of connections from all message senders is _{compared with I smax with the} maximum possible number of connections of all message senders. When the condition I _s ≥I smax is _satisfied , the values of I _c and I _{s are} decreased by one and the network connection with the sender of mail messages is terminated. Otherwise, if the condition I _s ≥I _{smax is} not met, a response is sent to the sender, initiating the beginning of an SMTP session from the receiver's side. A command is then received to initiate and identify the sender of the mail messages. The message sender identifiers are extracted from the received command and the allocated message sender identifiers are compared with the reference identifiers from the memory array M. If, based on the comparison results, the allocated identifiers correspond to the reference identifiers of authorized message senders from the memory array M, then a response is sent to the sender of messages about readiness for mail transactions. When receiving a command to terminate the network connection from the sender of e-mail messages, at time t _back before sending a response, the values of I _c and I _{s are} decreased by one and the network connection with the sender of mail messages is terminated. Otherwise, if at time t _ass response before sending response teams to the completion of the sender's e-mail network connection is not followed, then sent back to the sender response. After that, a command is received from the sender of the messages to start a mail transaction, which identifies the sender of the e-mail messages. Next, the message sender identifiers are extracted from the received command and the selected message sender identifiers are compared with the reference identifiers from the memory array M. If, according to the comparison results, the selected identifiers correspond to the reference identifiers of authorized message senders from the memory array M, then a response is sent to the sender of messages on the receipt of the received commands and the start of a mail transaction. Otherwise, if, according to the comparison results, the allocated identifiers do not correspond to the reference identifiers of the authorized senders of messages from the memory array M, then a response is generated. Then set t _back the delay time for transmitting the generated response response. Then, after the expiration of time t _back , the generated response is sent to the sender. In the case of receiving at time t _back, before sending a response response, a command to terminate the network connection from the sender of e-mail messages, the I _c and I _s values are decreased by one. Then, the network connection with the sender of the mail messages is terminated. Otherwise, if at time t _ass response before sending response teams to the completion of the sender's e-mail network connection is not followed, then sent back to the sender response. Thereafter, a command is received from the sender of the messages indicating the recipients of the e-mail message. Next, the value of the counter I _{c of the} number of connections of the message sender is _{compared with I сmax of the} maximum possible number of connections of the message sender. When the condition I _c ≥I сmax is _satisfied , the values of I _c and I _{s are} reduced by one, after which the network connection with the sender of mail messages is terminated. If the condition I _c ≥I _{сmax is} not met, the message recipient identifiers are extracted from the received command. Then, the allocated identifiers of message recipients are compared with the reference identifiers from the memory array M. If, according to the comparison results, the allocated identifiers do not correspond to the reference identifiers of the authorized recipients of messages from the memory array M, then a response is generated. Next, set t _back the delay time for transmitting the generated response response, and after the time t _back, send the generated response response to the sender. In the case of receiving at time t _back before sending the response response of the command to complete the network connection from the sender of the e-mail messages, the values of I _c and I _{s are} decreased by one. Then, the network connection with the sender of the mail messages is terminated. Otherwise, if at time t _ass response before sending response teams to the completion of the sender's e-mail network connection is not followed, then sent back to the sender response. If, according to the comparison results, the allocated identifiers correspond to the reference identifiers of the authorized recipients of messages from the memory array M, then a response is sent to the sender of messages about the readiness to continue the mail transaction. After that, the next command is received, initiating the transfer of mail data. Then send to the sender of the messages a response response about the readiness to receive the text of the e-mail message. Next, the text of the e-mail message is received and the mail transaction is completed by sending a response confirming the transaction. Then the values of I _c and I _{s are} decreased by one and the network connection with the sender of mail messages is terminated. In the preset data, an L memory array is additionally set for storing t generated values of the delay time of intermediate responses to the sender of e-mail messages, where t = 1, 2, ..., T, and T is the total number of generated values of the delay time of intermediate responses to the sender of messages. Next, V is a memory array for storing d intermediate responses to the sender of email messages, where d = 1,2 ... R, and R is the total number of intermediate responses that will be sent to the sender of email messages before the response message. Then ask

the counter of the generated intermediate responses stored in the memory array V and the memory array J for storing the matrix of correspondence with the d-th intermediate response from the array V of the t-th generated value of the delay time for sending it to the sender of e-mail messages from the memory array L. After that, the memory array P is set for storing g fragments into which the response response sent to the message sender is divided, where g = 1, 2, ..., G, and G is the total number of formed fragments into which the response response sent to the message sender is divided. Next, a memory array Z is set for storing ƒ generated values of the delay time for the transmission of response fragments to the sender of e-mail messages, where ƒ = 1, 2, ..., F, and F is the total number of generated values of the delay time for sending response fragments to the sender of e-mail messages. Then set the counter m generated fragments stored in the memory array P, into which the response is divided. After that, an array of memory H is set to store the matrix of correspondence to the g-th fragment from the array P of the ƒ-th generated value of its delay time from the memory array Z. Next, an array of memory O is set to store u response responses to commands from the sender of e-mail messages containing an error code indicating the temporary unavailability of the recipient of e-mail messages, in accordance with the specification of the SMTP protocol, where u = 1, 2,… U, and U is the total number of responses containing an error code to the commands of the sender of the messages. After that, a memory array X is set to store the delay times of response responses containing an error code, through which response responses will be sent to the sender, where c = 1, 2, ... C, and C is the total number of generated values of the delay time for sending response responses. Next, set the counter b of the generated response responses containing the error code stored in the memory array O. Then set the memory array Q to store the matrix of correspondence with the u-th response containing the error code from the Oth array of the generated value of its delay time from the memory array X Next, set the counter I _{oa of the} number of invalid addresses of recipients of e-mail messages and the counter I _{oa of the} maximum possible number of invalid addresses of recipients of e-mail messages. Then set the set {I} = {I ₁ , I ₂ , ..., I _i } of the sender's connections to recipients of e-mail messages, where I _i is the connection identifier of the sender of e-mail messages, which contains the sequence number of the sender's connection to the recipient of e-mail messages. e-mail, i is the maximum sequence number of the sender's connection to the recipient of e-mail messages. After that, an array of memory E = [I ₁ , I ₂ , ..., I _i ] is set for storing I _i identifiers, as well as an array of memory Y for storing a values of the processing delay of the sender's connections, where a = 1.2, ... A, and A is the total number of sender connection processing latency values. Next, the memory array W is set to store the matrix of correspondence to the sender's connections, from the memory array E, the delay time values before their processing from the memory array Y. If, after receiving the command that initiates the sender of mail messages and identifies him, allocating the sender identifiers from the received command , comparing the selected identifiers of the sender of messages with the reference identifiers from the memory array M, according to the results of the comparison, the allocated identifiers correspond to the reference identifiers of the authorized senders of the messages from the memory array M, then a response is sent to the sender of the messages about readiness for a mail transaction. Otherwise, if the allocated identifiers do not match the reference identifiers of the authorized message senders, then R intermediate responses are generated, which will be sent to the sender of the email messages before the response response. Next, R intermediate responses are stored in the memory array V. Then the counter value is set

generated intermediate responses stored in the memory array V equal to R. After that, T values of the delay time of intermediate responses to the message sender are generated. T values of the delay time of intermediate responses to the sender of messages are stored in the memory array L. Then the correspondence to the d-th intermediate response from the array V is stored in the memory array J; the t-formed value of its delay time from the memory array L is then read from the memory array J. from the R generated intermediate responses and from the memory array L the first of the T generated delay time values. Next, the first of the R generated intermediate responses is sent to the message sender through the first of the T generated delay time values. Then the first of the R generated intermediate responses and the first of the T generated delay time values are removed, as well as a record of their correspondence from the memory arrays V, L and J, respectively. After that, the counter value is decreased

generated intermediate responses stored in the memory array V per unit. If, after sending an intermediate response, a command to terminate a network connection from the sender of e-mail messages is received, the values of I _c and I _{s are} decreased by one, and the network connection with the sender of mail messages is terminated. Otherwise, if after sending an intermediate response there is no command to terminate the network connection from the sender of e-mail messages, then the counter value is read

generated intermediate responses. When the condition is met

≠ 0, read the next (d + 1) th of the previously generated R intermediate responses. The next (d + 1) -th of the previously generated R intermediate responses is sent through the (t + 1) -th value of the delay time to the sender of e-mail messages, and so on until the condition is met

= 1. G fragments are formed, into which the response response sent to the message sender is divided after the condition

= 1. Next, G fragments are stored, into which the response response sent to the sender of the messages is divided. Then the counter value m of the generated fragments is set, into which the response response is divided, equal to G. After that, F delay times are generated for each of the fragments into which the response response to the sender is divided. Next, F values of the delay time are stored for each of the fragments, into which the response response to the sender is divided in the memory array Z. Then, the correspondences to the g-th fragment from the memory array of the P -th generated value of its delay time from the memory array Z are stored in the memory array H. After that, the first of the G generated fragments of the response response is read from the memory array P and the first of the F generated values of the delay time from the memory array Z. Next, the first of the G fragments of the response response is sent to the sender of the messages through the first of the Z generated delay time values. Then, the first of the G generated fragments of the response response and the first of the F generated values of the delay time are removed, as well as a record of their correspondence from the memory arrays P, Z and H, respectively. After that, the value of the counter m of the generated fragments of the response response is decreased by one. If, after sending a fragment of the response response, a command to terminate the network connection from the sender of the e-mail messages is received, the values of I _c and I _{s are} decreased by one, and the network connection with the sender of the mail messages is terminated. Otherwise, if, after sending a fragment of the response response, there is no command to complete the network connection from the sender of e-mail messages, then the value of the counter m of the generated response fragments is read. Further, if the value of the counter is m ≠ 0, then the next (g + 1) -th of the previously generated G fragments of the response is read. After that, the next (g + 1) th of the previously generated G fragments of the response response is sent through the (ƒ + 1) th value of the delay time to the sender of e-mail messages, and so on until the condition m = 0 is satisfied. If, after receiving from the sender of messages a command to start a mail transaction identifying the sender of e-mail messages, extracting sender identifiers from the received command, comparing the selected sender identifiers of messages with reference identifiers from the memory array M, the allocated identifiers correspond to the supporting identifiers of authorized senders of messages from the memory array M, then a response is sent to the sender of the messages about the receipt of the received command and the beginning of the mail transaction. Otherwise, if, according to the comparison results, the selected identifiers do not correspond to the reference identifiers of authorized senders of messages from the memory array M, then U response responses are generated to respond to the received command of the sender of messages containing an error code indicating the temporary unavailability of the recipient of e-mail messages, in accordance with with the specification of the SMTP protocol. After that, U response responses containing the error code in the memory array O are stored. Next, the counter value b of the generated response responses containing the error code stored in the memory array O is set equal to U. Then, C values of the delay time of the response responses containing the error code are formed, through which responses will be sent to the sender. After that, the C values of the delay time of the response responses containing the error code are stored, through which the response responses will be sent to the sender in the memory array X. Then, in the memory array Q, the correspondence to the u-th response response containing the error code is stored in the memory array O th generated value the time of its delay from the memory array X. Then the first of the U generated response responses containing the error code is read from the memory array O and the first of the C generated delay time values from the memory array X. After that, the first of the U generated response responses containing the error code is sent to the message sender through the first of the C generated delay time values. Next, the first of the U generated response responses containing the error code and the first of the C generated delay time values are removed, as well as a record of their correspondence from the memory arrays O, X and Q, respectively. Then, the value of the counter b of the generated response responses containing the error code stored in the memory array O is decreased by one. In the case of receiving messages from the sender to the received response containing an error code, commands to disconnect the established connection, the values of I _c and I _{s are} decreased by one, and the network connection with the sender of mail messages is terminated. Otherwise, if, after sending u a response containing an error code, the sender of e-mail messages did not receive a command to terminate the connection, but a repeated command to start a mail transaction followed, then the counter value b of generated response responses containing an error code is read ... If the counter value b ≠ 0, which means that not all response responses containing an error code have been sent to the sender of e-mail messages, then the next (u + 1) -th of U previously generated response responses containing the code errors. The (u + 1) th response response containing the error code is then sent to the sender of the e-mail messages after the (c + 1) th delay time value, and so on until the condition b = 0 is satisfied. After receiving from the sender of messages a command indicating recipients of e-mail messages, extracting from the received command identifiers of recipients of e-mail messages, comparing the allocated identifiers with identifiers of authorized recipients from array M, if the distinguished identifiers of recipients of e-mail messages do not match with identifiers of authorized recipients from array M , then after comparing the value of the counter I _{c of the} number of connections of the sender of messages with I _{сmax the} maximum possible number of connections of the sender of messages, when the condition I _with ≥I _{сmax is satisfied, the} values of I _c and I _s decrease by one, and the network connection with the sender of mail messages ends. If the condition I _with ≥I _{сmax is} not met, the incorrect addresses of recipients of e-mail messages received from the sender are read that do not belong to the identifiers of authorized recipients from the memory array M. Next, the value of the counter I _{oa of the} number of invalid addresses of recipients of e-mail messages is _{compared with I about the} maximum possible number of received incorrect e-mail recipient addresses. In the case of the conditions I _oa ≥I _oamah form I _oa false responses to the sender to confirm the presence of incorrect e-mail recipients. _{Then, I oa} responses are sent to the sender, confirming the presence of invalid addresses of recipients of e-mail messages to the sender of e-mails, the values of I _c and I _{s are} decreased by one, and the network connection with the sender of mail messages is terminated. In case of default conditions I _oa ≥I _oamah form I _oa false response with an error message, I sent _oa response to a false error message to the sender of email messages, in the case of obtaining a response to a false error message from the sender of the command posts set break connection, the values of I _c and I _{s are} decreased by one, and the network connection with the sender of mail messages is terminated. Otherwise, if after sending a response with a false error message to the sender, a repeated command is received from him, then a repeated command with a corrected error is received from the sender. Then, a response is again formed with a false error message, sent to the sender, and so on until a command is received from the sender of messages about the disconnection of the established connection. If the allocated recipient IDs of the e-mail messages match the authorized recipient IDs from the memory array M, then the sender's connection count is read. Then the value of the counter I is set _{with the} number of connections of the message sender equal to i. Next, the value of the counter I _{c of the} number of connections of the message sender is _{compared with I сmax of the} maximum possible number of connections of the message sender. When the condition I _with ≥I сmax is _satisfied, each of the set {I} of connections of the sender is assigned the identifier I _i . After that, the identifier of each of the sender's connections is stored in the memory array E. Then, for each of the sender's connections, characterized by the identifier from the memory array E, the value of its processing delay is formed. Then, A values of the processing delay time for the sender's connections are stored in the memory array Y. After that, in the memory array W, the correspondence to each connection, characterized by the identifier from the memory array E, the delay time values before processing it from the memory array Y is stored. Then the first of the sender's connections is processed through the delay time before processing it. After that, the identifier of the first of the processed connections and the corresponding value of the delay time before processing it, as well as the record of their correspondence from the memory arrays E, A and W, respectively, are deleted. Then the value of the counter I _{c of the} number of connections of the message sender is decreased by one. If the value of the counter I _c ≠ 0, then process the next of the sender's connections and so on until the condition I _c = 0. If the condition I _c ≥I _{сmax is} not met, a response is sent to the sender.

The value of the delay time for each of the intermediate responses to the sender of e-mail messages, before sending the response by the recipient, is selected in the range from 0.1 to 1 second.

The number of intermediate replies to be sent to the sender of e-mail messages before the recipient sends a response is selected from 10,000 to 25,000.

The delay time for each of the response fragments sent to the sender of the e-mail messages is selected in the range from 0.1 to 1 second.

The size of the fragments into which to split the response to the unauthorized sender of e-mail messages is selected in the range from 1 to 4 bytes.

The maximum possible number of connections of the sender of e-mail messages I _сmax , select from 5 to 10 connections.

Delay times for response responses containing an error code are selected from 0.1 to 1 second.

The number of responses containing an error code indicating the temporary unavailability of the recipient of e-mail messages is selected from 100 to 2000.

The delay values before processing the sender's connections are selectable in the range from 1 to 10 seconds.

For each false response to an unauthorized sender of e-mail messages, the error code value is randomly selected from standard SMTP error codes.

Thanks to the new set of essential features in the claimed method, an increase in the effectiveness of protection is provided by reducing the possibility of an attacker detecting the fact of using protection means and preventing the collection of valid email recipient addresses for use as potential attack targets. Reducing the possibility of an attacker detecting the fact of using protection means is achieved by imitating a communication channel with poor quality at various stages of a mail transaction by sending a fragmented response response to the sender, fragments of which are sent at numerous small time delay intervals, after many intermediate responses sent at numerous small time intervals. , by sending back responses to the sender, indicating the temporary unavailability of the recipient of e-mail messages, at multiple short intervals of time delay, and by sending false responses to the sender containing a randomly selected error code in accordance with the specification of the SMTP protocol. To prevent the collection of valid email recipient addresses for use as potential attack targets, the attacker is deceived by sending false responses to the sender, confirming the presence of invalid email recipient addresses.

The claimed objects of the invention are illustrated by drawings, which show:

fig. 1 - Scheme of establishing a network connection and the operation of the SMTP protocol;

fig. 2a - Block diagram of the sequence of actions that implement the claimed method of protecting computer networks;

fig. 2b - Block diagram of the sequence of actions that implement the claimed method of protecting computer networks;

fig. 3 - Fragment of a mail transaction at the time of formation and sending of intermediate responses to an unauthorized sender with fagging of the last intermediate response before the response;

fig. 4 - Fragment of a mail transaction at the time of formation and sending to an unauthorized sender of a false response, containing an error code indicating the temporary unavailability of the recipient of messages;

fig. 5 - Fragment of a mail transaction at the time of formation and sending to an unauthorized sender of a false response containing an error code.

The implementation of the claimed method is explained as follows. It is known that unsolicited e-mail (spam), where spam is understood as mass mailing of commercial and other advertisements or other types of messages (information) to persons who did not express a desire to receive them, constitutes from 60% to 90% of all e-mails sent worldwide. ... According to Kaspersky Lab data, in Q1 2020 the average share of spam in global mail traffic was 54.61%, the share of spam in traffic in the Russian segment of the Internet also peaked in January 2020 and amounted to 52.08%, and the top five countries in terms of The number of outgoing spam was topped by Russia, accounting for 20.74% of all junk traffic. To combat spam, a number of systems and techniques have been developed and applied for a long time, and most of the known methods of protection against spam are known and described, for example, in the article by S. S. Kovalev, M. G. Shishaev. Modern methods of protection against unwanted mailing // Proceedings of the Kola Scientific Center of the Russian Academy of Sciences, issue 7 (information technology issue 2 4/2011 (7)), on pp. 100-111. The main ones are Bayesian filtering, methods based on formal protocol rules, procedural methods, sender authentication, methods using checksums and block lists, etc. However, all these methods are based mainly on detecting and blocking already received spam messages. and, in fact, they are reactive, reacting to the fact of a perfect malicious impact, and therefore they are effective only when using known spam message templates. In addition, some of the known methods implement attempts to so-called forceful demonstrative blocking of spam messages, for example, methods such as redirecting spam messages to their senders, sending malware treatment tools designed to send viral spam messages to identified spam sources, etc. etc. The use of such countermeasures, on the one hand, leads to the compromise of the applied protection tools, which contributes to their subsequent bypass and / or a change in the strategy of malicious action by the attacker. On the other hand, the effectiveness of protection tools that implement these methods is limited by their resource capabilities, since these methods are computationally intensive and require powerful processors with large amounts of memory for effective use, while the resource of attackers can be practically unlimited, which is confirmed by their the ability to carry out large-scale DOS and DDOS attacks based on mass mailing of spam with the involvement of spambots, which is described, for example, in the article “United Russia” sites were subjected to a large-scale DDoS attack - INTERFAX.RU. URL: https://www.interfax.ru/russia/609414 (date of treatment 05/26/2020).

In this regard, fundamentally new approaches to combating spam, based on preventing the delivery of spam messages from an attacker to a mail server, are gaining relevance. These approaches shift the focus on combating spam towards proactive protection, which makes it difficult or impossible to collect email addresses that are potential targets of an attack and imposes a limitation on the computing resource used by the attacker and causes "depletion" of its resources during the mail transaction without significant computational costs. sides of the protected computer network. However, the well-known technical solutions discussed above, which implement the issues of proactive protection of computer networks against mass mailing of spam messages, are still insufficiently developed and have significant drawbacks, and the tasks of bringing such protection measures into compliance with the (centralized) idea of countering spam are just beginning to be formulated by individual authors and their cooperatives.

Thus, a number of contradictions arise between the effectiveness of protecting computer networks from spam messages and the ability of attackers to compromise protection tools and identify email addresses of computer network clients, as well as between the need to manage the resource capabilities of an attacker to organize mass mailing of spam messages and the lack of technical solutions for the dynamic management of the parameters of a mail transaction with an attacker. The claimed method is aimed at eliminating these contradictions.

The claimed method is implemented as follows. The SMTP protocol is designed to transport e-mail objects across many computer networks, as is known and described, for example, in the technical specifications (RFC, Request for Comments) of the Internet (see, for example, https://tools.ietf.org/html/ rfc5321). In RFC 821, see https://tools.ietf.org/html/rfc82l, the two hosts participating in an SMTP transaction are described as SMTP-sender (sender) and SMTP-receiver (receiver). An SMTP session is initiated when the sender connects to the recipient and the recipient responds with an appropriate message, as shown in FIG. 1. After the sender has sent the invitation message (greeting) and the recipient has received it, the latter usually sends an EHLO command to the server, identifying the sender. After organizing the communication channel and agreeing on the parameters, the sender usually initiates a mail transaction, consisting of a sequence of commands specifying the sender and recipient of the e-mail message, as well as the transfer of the message content (including all headers and other structures). SMTP commands and message data are transmitted from sender to recipient via a communication channel in the form of strings. The recipient responds with a response to each of the received commands, which contains a three-digit number (transmitted as three numeric characters), usually followed by a line of text and represents an acknowledgment (or a rejection containing a message with a temporary or permanent error code) transmitted in the form of lines the recipient to the sender through the communication channel. The dialogue between the sender and the receiver is carried out in stages (command - response - command ...), as shown in FIG. 1. In accordance with RFC 5321, the response text can contain several lines, the number of which is not limited, but in such cases the text must be marked so that the sender can know when the text is complete. This requires the use of a special format for multi-line responses, specifying that each line (except the last) begins with a response code, followed by a hyphen (-), and then text. The last line uses a space instead of a hyphen, followed by text. In multi-line responses, the codes on each line must match. In some cases, data important to the sender is transmitted in the response text.

Below is an example of a multi-line response:

250-First line

250-Second line

250-234 Text starting with a number

250 Last line

After the message is complete, the sender can request a disconnect or initiate the next mail transaction. There are three stages in a mail transaction. The start of the transaction is the MAIL command, which identifies the sender. This is followed by one or more RCPT commands that indicate the recipients of the message. The last stage of the transaction begins with the DATA command, which initiates the transmission of mail data, and ends with the end of mail indicator, which also confirms the transaction. Each email object consists of an envelope and content. The SMTP envelope is transmitted as a series of SMTP protocol elements. The envelope contains the sender address (to which error reports should be returned) and one or more recipient addresses, as well as additional information for protocol extensions.

To transfer information between remote local area networks by means of interaction protocols, a communication channel is established, which is understood as information flows from the sender to the recipient. The structure of message packets is known, and the principle of packet transmission in computer networks is also known, which makes it possible to analyze the source and destination identifiers of information flows and generate reference identifiers. So, the set of fields of the addresses of the sender and recipient of a packet of messages are identifiers of information flows. In addition, the domain specified or specified by the SMTP client will identify the sender and final recipient of the message. In other cases where SMTP clients are bundled with POP protocol implementations as per RFC 937 https://tools.ietf.org/html/rfc937, RFC 1939 https://tools.ietf.org/html/rfcl939 and IMAP as per with RFC 3501 https://tools.ietf.org/html/rfc3501 or the client resides inside an isolated transport environment, the identified domain will determine the intermediate recipient through which all e-mail messages will be broadcast.

FIG. 2 shows a block diagram of the sequence of actions that implement the claimed method of protecting computer networks, in which the following designations are adopted:

N≥1 - base of reference identifiers of authorized senders and recipients of e-mail messages;

I _c - counter of the number of connections of the message sender;

I _cmax - the maximum possible number of connections from the sender of e-mail messages;

M is a memory array for storing reference identifiers of authorized senders and recipients of e-mail messages;

I _s - counter of the total number of connections of all senders of e-mail messages;

I _smax - the maximum possible number of connections for all senders of e-mail messages;

L is a memory array for storing t generated values of the delay time of intermediate responses to the sender of e-mail messages, where t = 1, 2, ..., T, and T is the total number of generated values of the delay time of intermediate responses to the sender of messages;

V is a memory array for storing d intermediate responses to the sender of email messages, where d = 1, 2 ... R, and R is the total number of intermediate responses that will be sent to the sender of email messages before the response message;

- счетчик сформированных промежуточных откликов, хранящихся в массиве памяти V;

- counter of generated intermediate responses stored in the memory array V;

J - an array of memory for storing a matrix of correspondence to the d-th intermediate response from the array V of the t-th generated value of the delay time for sending it to the sender of e-mail messages from the memory array L;

Р - memory array for storing g fragments into which the response response sent to the message sender is divided, where g = 1, 2, ..., G, and G is the total number of formed fragments into which the response response sent to the message sender is divided;

Z is a memory array for storing ƒ generated values of the delay time for the transmission of response fragments to the sender of e-mail messages, where ƒ = 1, 2,…, F, and F is the total number of generated values of the delay time for sending response fragments to the sender of e-mail messages;

m - counter of formed fragments, into which the response is divided, stored in the memory array P;

H - an array of memory for storing the matrix of correspondence to the g-th fragment from the array P ƒ -th generated value of its delay time from the memory array Z;

О is an array of memory for storing u response responses containing an error code indicating the temporary unavailability of the recipient of e-mail messages, in accordance with the SMTP protocol specification, where u = 1, 2, ... U, and U is the total number of response responses containing the code errors, on the commands of the message sender;

X is an array of memory for storing with delay time values of response responses to the sender of e-mail messages containing an error code, through which response responses will be sent to the sender, where с = 1, 2, ... С, and С is the total number of generated values of the response time delay replies to the sender of e-mail messages containing an error code;

b - counter of generated response responses containing an error code stored in the memory array O;

Q is a memory array for storing a matrix of correspondence with the u-th response containing the error code from the O array with the generated value of its delay time from the memory array X;

I _oa - counter of the number of invalid addresses of recipients of e-mail messages;

I _oamax - counter of the maximum possible number of incorrect recipient email addresses;

{I} = {I ₁ , I ₂ , ..., I _i } set of sender connections, where I _i is the connection identifier of the sender of e-mail messages, which contains the sequence number of the sender's connection to the recipient of e-mail messages, i is the maximum sequence number connecting the sender to the recipient of e-mail messages;

E = [I ₁ , I ₂ , ..., I _i ] memory array for storing I _i connection identifiers of the sender of e-mail messages;

Y is an array of memory for storing a values of the processing delay of the sender's connections, where a = 1, 2, ... A, and A is the total number of values of the processing delay of the sender's connections;

W - an array of memory for storing the correspondence to the sender's connections, from the memory array E, the delay values before processing them from the memory array Y.

To improve the effectiveness of protection by reducing the likelihood of an attacker discovering the fact of using protection means, they simulate a communication channel with poor quality. To do this, in order to exclude the possibility of an attacker identifying security means by long delays in response from the recipient of e-mail messages, and also to prevent the possibility of bypassing security means by setting short timeouts for waiting for response responses, the predefined data are additionally set (see. block 1 in Fig. 2a) a memory array L for storing t generated values of the delay time of intermediate responses to the sender of e-mail messages, where t = 1, 2, ..., T, and T is the total number of generated values of the delay time of intermediate responses to the sender of messages. The use of time intervals t, during which intermediate replies will be sent to the sender of messages, is used to increase the time of dialogue with the sender of spam messages in the course of a mail transaction, for example, as shown in FIG. 3.

Then set (see block 1 in Fig.2a) a memory array V for storing d intermediate responses to the sender of email messages, where d = 1, 2 ... R, and R is the total number of intermediate responses that will be sent to the sender of email messages before reply message. In order to define an array of memory, statically or dynamically allocate the amount of RAM (in bytes).

счетчик сформированных промежуточных откликов, хранящихся в массиве памяти V. Счетчик сформированных промежуточных откликов позволяет осуществлять их учет и отследить момент отправки последнего промежуточного отклика, который впоследствии необходимо будет разделить на фрагменты, направляемые через сформированные значения времени задержки каждый, также в целях увеличения продолжительности времени диалога с отправителем спам-сообщений в процессе почтовой транзакции.Next, set (see block 1 in Fig.2a)

counter of generated intermediate responses stored in the memory array V. The counter of generated intermediate responses allows them to be counted and track the moment of sending the last intermediate response, which will subsequently need to be divided into fragments sent through the generated delay time values each, also in order to increase the duration of the dialogue time with the sender of spam messages in the course of a mail transaction.

After that, a memory array J is set (see block 1 in Fig. 2a) to store the matrix of correspondence to the d-th intermediate response from the array V of the t-th generated value of the delay time for sending it to the sender of e-mail messages from the memory array L.

Then, to increase the effectiveness of the protection method and reduce the likelihood of an attacker detecting the fact of using protection means, the response response to the sender is split into fragments and these fragments are sent to the sender at numerous small time intervals, which makes it impossible for an attacker to bypass the means of protection of the computer network by using short timeouts. waiting for a response, for example, as shown in FIG. 3. For this, in the preset data additionally set (see block 1 in Fig. 2a) a memory array P for storing g fragments into which the response response sent to the message sender is divided, where g = 1, 2, ..., G, a G is the total number of formed fragments into which the response response sent to the sender of the messages is divided.

Then, a memory array Z is set (see block 1 in Fig. 2a) for storing анных generated values of the delay time for the transmission of response fragments to the sender of e-mail messages, where ƒ = 1, 2, ..., F, and F is the total number of generated time values delays in sending response fragments to the sender of e-mail messages.

Next, set (see block 1 in Fig.2a) a counter m of formed fragments, into which the response is divided, stored in the memory array P.

After that, a memory array H is set (see block 1 in Fig. 2a) for storing the matrix of correspondence to the g-th fragment from the array P of the сформиров-th generated value of its delay time from the memory array Z.

Further, to improve the effectiveness of the protection method and increase the time of dialogue with the attacker, a response will be sent to him containing an error code indicating the temporary unavailability of recipients of e-mail messages, for example, such as "450 Requested mail action not taken: mailbox unavailable", in accordance with RFC 5321 (see, for example, https://tools.ietf.org/html/rfc5321), which is shown in FIG. 4. To do this, set (see block 1 in Fig. 2a) an array of memory O for storing and response responses containing an error code indicating the temporary unavailability of the recipient of e-mail messages, in accordance with the specification of the SMTP protocol, to the commands of the sender of e-mail messages , where u = 1, 2,… U, and U is the total number of response responses containing an error code to the commands of the message sender.

Next, a memory array X is set (see block 1 in Fig. 2a) for storing the delay times of response responses containing an error code, through which response responses will be sent to the sender, where c = 1, 2, ... C, and C is the total the number of generated values for the delay time for sending response responses containing an error code to the sender of e-mail messages. Then set (see block 1 in Fig.2a) counter b generated response responses containing the error code stored in the memory array O.

Then set (see block 1 in Fig. 2a) a memory array Q for storing the matrix of correspondence to the u-th response containing the error code from the array О с-th generated value of its delay time from the memory array X.

To prevent the collection of valid recipient email addresses, for example by implementing directory harvest attacks (DHA) to collect email recipient email addresses (see, for example, https://en.wikipedia.org/wiki/Directory_Harvest_Attack), allowing to pick up valid email addresses in the domain using various permutations of common user names and misleading about the true email addresses of message recipients are preset (see block 1 in Fig.2a) I _osh - counter of the number of invalid email addresses of message recipients and I _errors - a counter of the maximum possible number of invalid email addresses of message recipients.

Further, to account for network connections in order to exclude the possibility of an attacker to overload computers of recipients of a computer network due to an excessive number of network connections, set (see block 1 in Fig. 2a) a set {I} = {I ₁ , I ₂ , ..., I _i } of connections of the sender to recipients of e-mail messages, where I _i is the connection identifier of the sender of e-mail messages, which contains the sequence number of the sender's connection to the recipient of e-mail messages, i is the maximum sequence number of the connection between the sender and the recipient of e-mail messages. This is due to the fact that, according to the SMTP protocol specification, one sender of e-mail messages can establish several network connections, which is known and described, for example, in the technical specifications (RFC, Request for Comments) of the Internet (see, for example, https: //tools.ietf.org/html/rfc5321).

After that, set (see block 1 in Fig. 2a) E = [I ₁ , I ₂ , ..., I _i ] a memory array for storing I _i identifiers.

Next, a memory array Y is set (see block 1 in Fig. 2a) for storing a values of the processing delay time for the sender's connections, where a = 1, 2, ... the time the recipients of e-mail messages had a conversation with the attacker.

Then set (see block 1 in Fig. 2a) a memory array W for storing the matrix of correspondence to the sender's connections from the memory array E, the delay values before processing them from the memory array Y.

After establishing a network connection with the sender of e-mail messages (see block 2 in Fig.2a), increasing the values of I _c (see block 3 in Fig.2a) and I _s (see block 4 in Fig.2a), comparisons I _s and I _smax (see block 5 in Fig. 2a), if the condition I _s ≥I smax is _{satisfied, the} values of I _c and I _s decrease by one (see block 76 in Fig. 2b), and the network connection with the sender of mail message ends (see block 77 in Fig. 2b). Otherwise, an initiating SMTP session is sent to the sender of e-mail messages (see block 6 in Fig. 2a), a response is received (see block 7 in Fig. 2a), a command identifying the sender of mail messages is extracted from the received command (see block 8 in Fig.2a) the sender identifiers of the messages and are compared (see block 9 in Fig.2a) with the reference identifiers from the memory array M. If, based on the comparison results, the allocated identifiers correspond to the reference identifiers of the authorized message senders from the memory array M, then the sender of the messages is sent (see block 34 in FIG. 2a) a mail transaction readiness response. Otherwise, if the allocated identifiers do not correspond to the reference identifiers of the authorized message senders, then R intermediate responses are generated (see block 10 in Fig. 2a), which will be sent to the sender of the email messages before the response response.

After that (see block 11 in Fig.2a), R intermediate responses are stored in the memory array V.

сформированных промежуточных откликов, хранящихся в массиве памяти V, равным R.Next, set (see block 12 in Fig.2a) the value of the counter

generated intermediate responses stored in the memory array V equal to R.

Then form (see block 13 in Fig. 2a) T values of the delay time of intermediate responses to the message sender.

After that, T values of the delay time of intermediate responses to the message sender are stored (see block 14 in Fig. 2a) in the memory array L.

Next, remember (see block 15 in Fig. 2a) in the memory array J the correspondence to the d-th intermediate response from the array V of the t-th generated value of its delay time from the memory array L.

Then read (see block 16 in Fig. 2a) from the memory array J the first of the R generated intermediate responses and from the memory array L the first of the T generated delay time values.

After that, the first of the R generated intermediate responses is sent (see block 17 in Fig. 2a) to the message sender through the first of the T generated delay time values.

Next, remove (see block 18 in Fig. 2a) the first of the R generated intermediate responses and the first of the T generated delay time values, as well as a record of their correspondence from the memory arrays V, L and J, respectively.

сформированных промежуточных откликов, хранящихся в массиве памяти V на единицу.Then decrease (see block 19 in Fig.2a) the value of the counter

generated intermediate responses stored in the memory array V per unit.

сформированных промежуточных откликов. Отправка получателю сообщений электронной почты команды на завершение сетевого соединения в большинстве случаев не будет осуществлена, так как для сбора адресов электронной почты или массовой рассылки сообщений электронной почты злоумышленники применяют специализированные программные средства и спам-ботов соответственно, которые функционируют в автоматическом режиме и не в состоянии интеллектуально реагировать на изменение продолжительности времени диалога со средствами защиты.In the case of receiving (see block 20 in Fig.2a) after sending the intermediate response of the command to complete the network connection from the sender of e-mail messages, the values of I _c and I _s decrease (see block 76 in Fig.2b) by one, and the network connection with the sender of mail messages is completed (see block 77 in Fig. 2b). Otherwise, if after sending the intermediate response there is no command to complete the network connection from the sender of e-mail messages, then read (see block 21 in Fig.2a) the value of the counter

generated intermediate responses. In most cases, the command to end the network connection will not be sent to the recipient of e-mail messages, since attackers use specialized software and spambots, respectively, to collect e-mail addresses or send bulk e-mail messages, which function in automatic mode and are not able to intelligently respond to changes in the duration of the dialogue with the means of protection.

≠0 считывают (см. блок 16 на фиг. 2а) очередной (d+1)-й из ранее сформированных R промежуточных откликов.Further, under the condition

≠ 0 read (see block 16 in Fig. 2a) the next (d + 1) th of the previously generated R intermediate responses.

=1, указывающего на то, что все промежуточные отклики, кроме последнего, направлены отправителю сообщений электронной почты.After that, the next (d + 1) th of the previously generated R intermediate responses is sent (see block 17 in Fig. 2a) through the (t + 1) -e value of the delay time to the sender of the e-mail messages, and so on until the condition will not be met

= 1, indicating that all but the last intermediate replies were sent to the sender of the e-mail messages.

=1.Then, to increase the effectiveness of the protection method, by reducing the likelihood of an attacker detecting the fact of using protection means, the response response to the sender's commands is split into fragments and these fragments are sent to the sender at numerous small time intervals, which makes it impossible for an attacker to bypass the means of protection using short timeouts. waiting for a response, for example, as shown in FIG. 3. For this, G fragments are formed (see block 22 in Fig. 2a) into which the response response sent to the message sender after the condition

= 1.

Next, G fragments are stored (see block 23 in Fig. 2a) into which the response response sent to the message sender is divided.

After that, set (see block 24 in Fig.2a) the value of the counter m of formed fragments, into which the response is divided, equal to G.

Then form (see block 25 in Fig. 2a) F values of the delay time for each of the fragments, into which the response is divided to the sender.

Next, store (see block 26 in Fig. 2a) F values of the delay time for each of the fragments into which the response is divided to the sender in the memory array Z.

After that, memorize (see block 27 in Fig. 2a) in the memory array H the correspondence to the g-th fragment from the memory array P ƒ -th generated value of its delay time from the memory array Z.

Then read (see block 28 in Fig. 2a) from the memory array P the first of the G generated fragments of the response response and from the memory array Z the first of the F generated delay time values.

Next, the first of the G fragments of the response response is sent (see block 29 in Fig. 2a) to the message sender through the first of the Z generated delay times.

After that, the first of the G generated fragments of the response response and the first of the F generated delay time values are deleted (see block 30 in Fig. 2a), as well as a record of their correspondence from the memory arrays P, Z and H, respectively.

Then the value of the counter m of the generated fragments of the response response is reduced (see block 31 in Fig. 2a) by one. This ensures that the sent response fragments are accounted for.

In case of receiving, after sending the fragment response command response to the completion of the network connection from the sender's e-mail messages the value I _c and I _s is reduced by one (see. The block 76 in FIG. 2b), and a network connection with the sender mail ends (see. The block 77 in Fig.2b). Otherwise, if, after sending a fragment of the response response, there is no command to terminate the network connection from the sender of e-mail messages, then read (see block 33 in Fig. 2a) the value of the counter m of generated fragments of the response response.

If the value of the counter m ≠ 0, then read (see block 28 in Fig. 2a) the next (g + 1) th of the previously generated G fragments of the response.

After that, the next (g + 1) th of the previously generated G fragments of the response response is sent (see block 29 in Fig. 2a) through the (ƒ + 1) -e value of the delay time to the sender of the e-mail messages, and so on, until the condition m = 0 is met, which means that all fragments of the response are sent to the sender, that is, it has been transmitted in full.

If, after receiving (see block 35 in Fig. 2a) from the sender of messages, a command to start a mail transaction identifying the sender of e-mail messages is extracted (see block 36 in Fig. 2a) from the received command of message sender identifiers, comparison (see block 37 in Fig. 2a) of the allocated sender identifiers of messages with reference identifiers from the memory array M, the allocated identifiers correspond to the reference identifiers of authorized senders of messages from the memory array M, then the sender of messages is sent (see block 38 in Fig. 2a) a response a response about the receipt of the command received and the start of a mail transaction. Otherwise, if, according to the comparison results, the allocated identifiers do not correspond to the reference identifiers of authorized message senders from the memory array M, then for a response to the received command the message sender is formed (see block 39 in Fig.2a) U response responses containing an error code indicating the temporary unavailability of the recipient of e-mail messages, in accordance with the specification of the SMTP protocol. This ensures an increase in the effectiveness of protection due to misleading the attacker and an increase in the duration of the dialogue interaction with him.

Next, they store (see block 40 in Fig.2b) U response responses containing the error code in the memory array O.

Then set (see block 41 in Fig. 2b) the value of the counter b generated response responses containing the error code stored in the memory array O, equal to U.

After that, C values of the delay time of the response responses containing the error code are generated (see block 42 in Fig. 2b), through which the response responses will be sent to the sender.

Next, they store (see block 43 in Fig. 2b) C values of the delay time of the response responses containing the error code, through which the response responses will be sent to the sender in the memory array X.

After that, the memory array Q is stored (see block 44 in Fig. 2b) in the memory array Q corresponding to the u-th response containing the error code from the memory array O of the c-th generated value of its delay time from the memory array X.

Read (see block 45 in Fig. 2b) from the memory array O the first of the U generated response responses containing the error code and from the memory array X the first of the C generated delay time values.

Then the first of the U generated response responses containing the error code is sent (see block 46 in FIG. 2b) to the message sender through the first of the C generated delay times, as shown in FIG. four.

Then remove (see block 47 in Fig. 2b) the first of the U generated response responses containing the error code and the first of the C generated delay time values, as well as a record of their correspondence from memory arrays O, X and Q, respectively.

After that, the value of the counter b of the generated response responses containing the error code stored in the memory array O by one is decreased (see block 48 in Fig. 2b).

In the case of receiving (see block 49 in Fig.2b) from the sender of messages to the received response containing an error code, the command to disconnect the established connection, the values of I _c and I _{s are} reduced by one (see block 76 in Fig.2b), and the network connection with the sender of mail messages is terminated (see block 77 in Fig. 2b). If, after sending the u-th response containing an error code, the sender of the e-mail messages did not receive a command to terminate the connection, but a repeated command to start the mail transaction followed, then the counter value b of generated response responses containing the error code is read.

If the counter value b ≠ 0 (see block 50 in Fig.2b), which indicates that not all response responses containing an error code have been sent to the sender of e-mail messages, then read (see block 45 on Fig. 2b) the next (u + 1) th of U previously generated response responses containing an error code.

Then send (see block 46 in Fig.2b) to the sender of e-mail messages (u + 1) -th response response containing the error code through the (c + 1) -th value of the delay time, and so on until the condition b = 0 will be satisfied (see block 50 in Fig. 2b).

After receiving (see block 51 in Fig. 2b) from the message sender, a command indicating recipients of e-mail messages, extracting (see block 52 in Fig. 2b) from the received command identifiers of recipients of e-mail messages, comparison (see block 53 on Fig. 2b) isolated identifiers with identifiers of authorized recipients from array M, if the selected identifiers of recipients of e-mail messages do not coincide with identifiers of authorized recipients from array M, then after comparison (see block 54 in Fig. 2b) the values of the counter I _{c of the} number of connections of the sender of messages with I _{сmax the} maximum possible number of connections of the sender of messages, when the condition I _c ≥I cmax is _{satisfied, the} values of I _c and I _s decrease by one (see block 76 in Fig.2b), and the network connection with the sender of mail messages is terminated (see . block 77 in Fig. 2b). If the condition I _c > I _{сmax is} not met, the incorrect addresses of recipients of e-mail messages received from the sender are read (see block 51 in Fig.2b) that do not belong to the identifiers of authorized recipients from the memory array M.

After that, compare (see block 55 in Fig. 2b) the value of the counter I _{oa of the} number of incorrect recipient email addresses I _{oamax with the} maximum possible number of received incorrect recipient email addresses.

If the condition I _oa - I _{oamax is fulfilled , I oa} false responses to the sender are generated (see block 56 in Fig. 2b), confirming the presence of incorrect recipient addresses of e-mail messages.

The responses are sent (see block 57 in Fig. 2b) to the sender I _{oa of} responses confirming the presence of incorrect recipient addresses of e-mail messages to the sender of e-mail messages, the values of I _c and I _{s are} reduced by one (see block 76 in Fig. 2b), and the network connection with the sender of mail messages is terminated (see block 77 in Fig. 2b).

In case of failure conditions I _OA ≥I _oamah form (see block 58 in Figure 2b..) I _aa false responses with an error message, in accordance with the SMTP protocol specification, such as "552 Command execution interrupted: exceeded dedicated memory "Or" 501 Syntax error in parameters or arguments ", etc. (see, for example, https://tools.ietf.org/html/rfc5321) and send (see block 59 in Fig. 2b) I _oa responses with a false error message to the sender of the e-mail messages, as shown in FIG. five.

In the case of receiving a response with a false error message from the sender of messages to disconnect the established connection, the values of I _c and I _{s are} reduced by one (see block 76 in Fig.2b), and the network connection with the sender of mail messages is terminated (see. block 77 in Fig. 2b). Otherwise, if, after sending a response with a false error message to the sender, a repeated command is received from him, then a repeated command with a corrected error is received from the sender (see block 58 in FIG. 2b) a response with a false error message is sent (see block 59 in Fig. 2b) to its sender, and so on until a command is received from the sender of messages about the disconnection of the established connection.

If the selected identifiers of recipients of e-mail messages coincide with the identifiers of authorized recipients from the memory array M (see block 53 in Fig.2b), then the number of connections of the sender of e-mail messages is read, the value of the counter I _{c of the} number of connections of the sender of messages is equal to i, and the comparison ( see block 62 in Fig. 2b) the value of the counter I _{c of the} number of connections of the message sender with I _{сmax the} maximum possible number of connections of the message sender.

When the condition I _with ≥I cmax is _satisfied, each of the set {I} of the sender's connections is assigned an identifier I _i and the identifier of each of the sender's connections is stored (see block 63 in Fig. 2b) in the memory array E.

Form (see block 64 in Fig. 2b) for each of the connections of the sender, characterized by the identifier from the memory array E, the value of the delay of its processing.

Memorize (see block 65 in Fig. 2b) A values of the processing delay of the sender's connections in the memory array Y.

Memorize (see block 66 in Fig. 2b) in the memory array W the correspondence to each connection, characterized by the identifier from the memory array E, the value of the delay time before its processing from the memory array Y.

The first of the sender's connections is processed (see block 67 in Fig. 2b) after a delay time before it is processed.

Delete (see block 68 in Fig. 2b) the identifier of the first of the processed connections and the corresponding value of the delay time before its processing, as well as the record of their correspondence from the memory arrays E, A and W, respectively.

Decrease (see block 69 in Fig. 2b) the value of the counter I _{c of the} number of connections of the message sender by one.

If the value of the counter I _c ≠ 0 (see block 70 in Fig.2b), then process (see block 67 in Fig.2b) the next of the sender's connections, and so on until the condition I _c = 0.

If the condition I _c ≥I _{cmax is} not met, a response is sent to the sender (see block 71 in Fig. 2b). After that, the next command is received (see block 72 in Fig. 2b), the next command initiating the transmission of mail data is sent to the sender of the messages (see block 73 in Fig. 2b), a response response about the readiness to receive the text of the e-mail message is received (see block 74 in Fig. 2b) the text of the e-mail message and the mail transaction is completed (see block 75 in Fig. 2b) by transmitting a response confirming the end of the transaction. _{Then the values of I c} and I _{s are} decreased (see block 76 in Fig. 2b) by one and the network connection with the sender of mail messages is completed (see block 77 in Fig. 2b).

To eliminate the possibility of bypassing security measures by setting short timeouts by an attacker to wait for reply replies from the recipient of messages at various stages of the process of sending e-mail messages via SMTP, the value of the delay time for each of the intermediate replies to the sender of e-mail messages before the recipient sends a reply reply , is selected in the range from 0.1 to 1 second.

To increase the time of dialogue with the attacker, the number of intermediate responses sent to the sender of e-mail messages before sending a response by the recipient is selected in the range from 10,000 to 25,000.

To eliminate the possibility of bypassing security measures by setting short timeouts by an attacker to wait for reply responses from the recipient of messages at various stages of the process of sending e-mail messages using SMTP, the delay time value for each of the fragments of the reply response sent to the sender of e-mail messages is selected in within 0.1 to 1 second.

To increase the time of dialogue with the attacker, the size of the fragments into which the response to the unauthorized sender of e-mail messages is split is selected in the range from 1 to 4 bytes.

To prevent an attacker from implementing denial-of-service attacks due to an excessive number of network connections, the maximum possible number of connections of the sender of e-mail messages I _cmax is selected in the range from 5 to 10 connections.

To exclude the possibility of bypassing security measures due to the setting by an attacker of short timeouts for waiting for reply responses from the recipient of messages at various stages of the process of sending e-mail messages using the SMTP protocol, the delay time for reply responses containing an error code is selected in the range from 0.1 to 1 second.

To increase the time of dialogue with the attacker, the number of responses containing an error code indicating the temporary unavailability of the recipient of e-mail messages is selected in the range from 100 to 2000.

To avoid the overload of recipient computers due to the significant number of connections from authorized senders of messages and to prevent denial of service from authorized senders, the delay time before processing the connections of the sender is selected in the range from 1 to 10 seconds. This achieves sequential processing of connections with message senders without breaking them after the connection timeout expires.

For each false response to an unauthorized sender of e-mail messages, the error code value is randomly selected from standard SMTP error codes.

Thus, the claimed method provides the achievement of the formulated goal, which is to increase the effectiveness of protection by reducing the possibility of an attacker discovering the fact of using protection means and preventing the collection of valid email recipient addresses for use as potential attack targets. Reducing the possibility of an attacker detecting the fact of using protection means is achieved by imitating a communication channel with poor quality at various stages of a mail transaction by sending a fragmented response response to the sender, fragments of which are sent at numerous small time delay intervals, after many intermediate responses sent at numerous small time intervals. , by sending back responses to the sender, indicating the temporary unavailability of the recipient of e-mail messages, at multiple short intervals of time delay, and by sending false responses to the sender containing a randomly selected error code in accordance with the specification of the SMTP protocol. To prevent the collection of valid email recipient addresses for use as potential attack targets, the attacker is deceived by sending false responses to the sender, confirming the presence of invalid email recipient addresses.

Claims (10)

1. A method for protecting computer networks, which preliminarily sets N≥1 reference identifiers of authorized senders and recipients of e-mail messages, I _c counter of the number of connections of the sender of messages, I _{cmax the} maximum possible number of connections of the sender of e-mail, t _back the delay time through which the response is transmitted to the sender of e-mail messages, M memory array for storing the reference identifiers of authorized senders and recipients of e-mail messages, I _s counter of the total number of connections of all senders of e-mail messages, I _{smax the} maximum possible number of connections of all senders of e-mail messages, establish a network connection with the sender of mail messages, increase the value of the counter I _{c of the} number of connections from the sender of messages by one, increase the value of the counter I _{s of the} total number of connections from all senders messages, compare the value of the counter of the number of connections from all senders of messages with I _{smax with the} maximum possible number of connections of all senders of messages, when the condition I _s ≥I _{smax is satisfied} , the values of I _c and I _{s are} reduced by one, and the network connection with the sender of mail messages is terminated. Otherwise, if the condition I _s ≥I _{smax is} not met, a response is sent to the sender that initiates the start of an SMTP session from the recipient's side, a command is received that initiates the sender of mail messages and identifies him, the message sender identifiers are extracted from the received command, the allocated message sender identifiers are compared with the reference identifiers of the memory array M, if the results of comparing the allocated reference identifiers match the identifiers of senders authorized messages from the memory array M, the response is sent back to the sender of readiness for postal transaction messages in case of receiving during the n t _ass Before sending a response response command to stop by the sender e-mail network connection reduces the values of I _c and I _s on the unit, complete the network connection to the mail sender, otherwise, if at time t _ass before sending a response team response to completion of the network connection no e-mail messages were sent from the sender, then send a response to the sender, receive a command from the sender to start a mail transaction identifying the sender of e-mail messages, extract the sender's identifiers from the received command, compare the selected sender identifiers with the reference identifiers from the memory array M if, according to the comparison results, the selected identifiers correspond to the reference identifiers of authorized senders of messages from the memory array M, then a response is sent to the sender of messages about the receipt of the command received and the beginning of the mail traffic otherwise, if, according to the comparison results, the selected identifiers do not correspond to the reference identifiers of authorized senders of messages from the memory array M, then they form a response response, set t _back the delay time for transmitting the generated response response, after the expiration of time t _back, send the generated response response to the sender, if at time t _back, before sending a response response, the command to end the network connection from the sender of e-mail messages decreases the values of I _c and I _s by one, terminate the network connection with the sender of mail messages, otherwise, if at time t _back before sending there was no response from the sender of the e-mail message to the command to terminate the network connection, then a response response is sent to the sender, a command indicating the recipients of the e-mail message is received from the sender of the messages, the value of the counter I is compared _{with the} number of connections from the ruler of messages with I _{cmax the} maximum possible number of connections of the message sender, when the condition I _c ≥I cmax is _satisfied , the values of I _c and I _{s are} reduced by one, the network connection with the sender of mail messages is terminated, if the condition I _c > I _{cmax is not met} , they are separated from the received command identifiers of message recipients, compare the allocated identifiers of message recipients with the reference identifiers from the memory array M, if, according to the comparison results, the allocated identifiers do not correspond to the reference identifiers of the authorized recipients of messages from the memory array M, then form a response, set t _back the delay time of transmission of the generated response response, after the expiration of time t _back , the generated response is sent back to the sender, if received at time t _back, before sending the response response, the command to terminate the network connection from the sender of e-mail messages, the values of I _c and I _{s are} decreased by one, completing by a network connection to the sender of e-mail messages, otherwise, if at time t _ass before sending a response response team to complete the network connection from the sender of the e-mail messages are not followed, then sent to the sender back a response if the results of comparing the selected identifiers correspond to the reference IDs of authorized recipients of messages from the memory array M, then send a response response to the sender of messages about the readiness to continue the mail transaction, receive the next command initiating the transmission of mail data, send a response response about the readiness to receive the text of the email message to the sender of the messages, receive the text of the email message, complete the mail transaction by transmitting a response confirming the transaction, decrease the values of I _c and I _s by one, complete the network connection with the sender of mail messages, characterized in that L an array of memory for storing t generated values of the delay time of intermediate responses to the sender of e-mail messages, where t = 1, 2, ..., T, and T is the total number of formed values of the delay time of intermediate responses to the sender of messages, V is a memory array for storing d intermediate responses to the sender of e-mail messages, d = 1, 2 ... R, where R is the total number of intermediate replies that will be sent to the sender of e-mail messages before the reply message,

- counter of generated intermediate responses stored in the memory array V, J - memory array for storing the matrix of correspondence with the d-th intermediate response from the array V t-th generated value of the delay time for sending it to the sender of e-mail messages from the memory array L, P - memory array for storing g fragments into which the response response sent to the message sender is divided, where g = 1, 2, ..., G, and G is the total number of formed fragments into which the response response sent to the message sender is divided, Z is the memory array for storing ƒ generated values of the delay time for sending response fragments to the sender of e-mail messages, where ƒ = 1, 2, ..., F, a F is the total number of generated values of the delay time for sending response fragments to the sender of e-mail messages, m is the counter of formed fragments stored in the memory array P, into which the response is shared, H is the memory array for storing the matrix of correspondence to the g-th fragment from the array P Р -th generated value of its delay time from the memory array Z, O is the memory array for storing u response responses containing an error code indicating the temporary unavailability of the recipient of e-mail messages, in accordance with specification of the SMTP protocol, for the commands of the sender of e-mail messages, where u = 1, 2, ... U, and U is the total number of response responses containing an error code to the commands of the sender of messages, X is a memory array for storing the delay times of response responses containing an error code through which reply responses will be sent to the sender, where c = 1, 2, ... С, and С is the total number of generated values of the delay time for sending response responses containing an error code to the sender of e-mail messages, b is the counter of generated responses responses containing the error code, stored in the memory array O, Q is the memory array for storing the matrix of the u-th response, containing an error code from the O array, the generated value of its delay time from the memory array X, I _oa - counter of the number of incorrect recipient email addresses, I _oamax - counter of the maximum possible number of incorrect recipient email addresses, { I} = (I ₁ , I ₂ , ..., I _i } - the set of connections of the sender to recipients of e-mail messages, where I _i is the connection identifier of the sender of e-mail messages, which contains the sequence number of the connection between the sender and the recipient of e-mail messages, i is the maximum serial number of the sender's connection to the recipient of e-mail messages, E = [I ₁ , I ₂ , ..., I _i ] is a memory array for storing I _i identifiers, Y is a memory array for storing a values of the processing delay of sender's connections, where a = 1, 2, ... A, and A is the total number of values of the processing delay time for the sender's connections, W is the array n memory for storing the matrix of correspondence to the sender's connections, from the memory array E, the delay time values before their processing from the memory array Y, if after receiving the command that initiates the sender of mail messages and identifying him, separating the message sender identifiers from the received command, comparing the allocated identifiers the sender of messages with reference identifiers from the memory array M, based on the comparison results, the allocated identifiers correspond to the reference identifiers of authorized senders of messages from the memory array M, then a response is sent to the sender of messages about readiness for a mail transaction, and if the allocated identifiers do not correspond to the reference identifiers of authorized senders of messages, then form R intermediate responses that will be sent to the sender of e-mail messages before the response response, store R intermediate responses in the memory array V, set counter value

generated intermediate responses stored in the memory array V, equal to R, form T values of the delay time of intermediate responses to the message sender, store T values of the delay time of intermediate responses to the message sender in the memory array L, store in the memory array J the correspondence to the d-th intermediate response from the array V of the t-th generated value of its delay time from the memory array L, read from the memory array J the first of the R generated intermediate responses and from the memory array L the first of the T generated delay time values, send the message sender the first of the R generated intermediate responses through the first of T generated values of the delay time, remove the first of the R generated intermediate responses and the first of the T generated values of the delay time, as well as a record of their correspondence from the memory arrays V, L and J, respectively, decrease the counter value

generated intermediate responses stored in the memory array V by one, if after sending an intermediate response, a command to terminate a network connection from the sender of e-mail messages is received, the values of I _c and I _{s are} reduced by one, and the network connection with the sender of mail messages is terminated, otherwise if after sending an intermediate response there is no command to terminate the network connection from the sender of e-mail messages, then the counter value is read

generated intermediate responses, when the condition

read the next (d + 1) -th of the previously generated R intermediate responses, send the next (d + 1) -th of the previously generated R intermediate responses through the (t + 1) -th value of the delay time to the sender of e-mail messages, and so on until until the condition is met

form G fragments, into which the response is divided, sent to the sender of messages after the condition

memorize G fragments into which the response response sent to the sender is divided, set the counter value m of formed fragments into which the response response is divided equal to G, form F delay time values for each of the fragments into which the response response to the sender is divided, store F values the delay time for each of the fragments into which the response response to the sender is divided in the memory array Z, the correspondences to the g-th fragment from the memory array P -th generated value of its delay time from the memory array Z are stored in the memory array H, read from the memory array P the first of G generated fragments of the response response and from the memory array Z the first of F formed values of the delay time, send the first of G fragments of the response response to the message sender through the first of Z generated values of the delay time, remove the first of the G formed fragments of the response response and the first from F formed values of the delay time, as well as a record of their correspondence from memory arrays P, Z and H, respectively, decrease the value of the counter m of generated fragments of the response response by one, if after sending a fragment of the response response of the command to complete the network connection from the sender of e-mail messages, the value I _c and I _{s are} decreased by one, and the network connection with the sender of mail messages is terminated, otherwise, if after sending a fragment of the response response, there is no command to terminate the network connection from the sender of email messages, then the counter value m of generated fragments of the response response is read , if the value of the counter is m ≠ 0, then the next (g + 1) th of the previously generated G fragments of the response is read, the next (g + 1) th of the previously formed G fragments of the response is sent through (1 + 1 ) -th value of the delay time to the sender of e-mail messages, and so on until until the condition m = 0 is satisfied, if, after receiving from the sender of messages, a command to start a mail transaction identifying the sender of email messages, extracting from the received command identifiers of the sender of messages, comparing the selected identifiers of the sender of messages with reference identifiers from the memory array M , the allocated identifiers correspond to the reference identifiers of the authorized senders of messages from the memory array M, then a response is sent to the sender of the messages about the receipt of the received command and the beginning of the mail transaction, otherwise, if, based on the comparison results, the allocated identifiers do not correspond to the reference identifiers of the authorized senders of messages from the memory array M , then in order to respond to the received command of the message sender, U response responses are generated containing an error code indicating the temporary unavailability of the recipient of e-mail messages, in accordance with the specification for to SMTP, store U response responses containing the error code in the memory array O, set the counter value b of the generated response responses containing the error code stored in the memory array O equal to U, form C values of the delay time of the response responses containing the error code through which response responses will be sent to the sender, store C values of the delay time of response responses containing the error code, through which response responses will be sent to the sender in the memory array X, store in the memory array Q the correspondence to the u-th response containing the error code from the memory array About the c-th generated value of its delay time from the memory array X, read from the memory array O the first of U generated response responses containing the error code and from the memory array X the first of the C generated delay time values, send the message sender the first of U generated response responses containing an error code through the first of C sf formatted values of the delay time, remove the first of the U generated response responses containing the error code and the first of the generated values of the delay time, as well as a record of their correspondence from the memory arrays O, X and Q, respectively, decrease the value of the counter b of the generated response responses containing the error code stored in the memory array O by one, in case of receiving messages from the sender to the received response containing an error code, the command to break the established connection, the values of I _c and I _{s are} reduced by one, and the network connection with the sender of mail messages is terminated, in Otherwise, if, after sending the u-th response containing an error code, the sender of the e-mail messages did not receive a command to disconnect the connection, but a repeated command to start the mail transaction followed, then the value of the counter b of the generated response responses containing the error code is read, if the counter value b ≠ 0, which indicates that m, that not all response responses containing an error code have been sent to the sender of e-mail messages, then the next (u + 1) -th of U previously generated response responses containing an error code are read and sent to the sender of e-mail messages (u + 1) -th response, containing an error code, after the (s + 1) -th value of the delay time, and so on until the condition b = 0 is satisfied, after receiving a command from the sender of messages indicating recipients of e-mail messages, highlighting from the received command of identifiers of recipients of e-mail messages, comparing the allocated identifiers with identifiers of authorized recipients from array M, if the selected identifiers of recipients of e-mail messages do not coincide with identifiers of authorized recipients from array M, then after comparing the value of the counter I _{c the} number of connections of the message sender with I _cmax as many connections as possible for the sender of the message nd, if the condition I _c ≥I cmax is _{satisfied, the} values of I _c and I _{s are} reduced by one, and the network connection with the sender of mail messages is terminated, if the condition I _c ≥I _{cmax is} not met, the incorrect addresses of recipients of e-mail messages that do not belong to identifiers of authorized recipients from the memory array M, compare the value of the counter I _{oa of the} number of incorrect recipient email addresses with I _{oamax with the} maximum possible number of incorrect recipient email addresses received, if the condition I _oa ≥I _{oamax is met} , I _oa false responses to the sender are generated, confirming the presence of invalid recipient email addresses, send the sender I _oa responses confirming the existence of incorrect recipient email addresses to the sender of email messages, the I _c and I _s values are decremented by one, and the network connection with the sender m of mail messages is terminated, if the condition is not met I _oa ≥I _oamax generate I _oa false responses with an error message, send I _oa responses with a false error message to the sender of email messages, in case of receiving a response with a false error message from the sender of messages of the command to disconnect the established connection, the values of I _c and I _{s are} reduced by one, and the network connection with the sender of mail messages is terminated, otherwise, if after sending a response with a false error message to the sender, he received a second command, then a second command is received from the sender. a command with a corrected error, again form a response with a false error message, send it to the sender, and so on until a command is received from the sender of messages about the disconnection of the established connection, if the distinguished identifiers of the recipients of the e-mail messages match the identifiers of the authorized recipients from memory array M, then read the number of sender connections, set the counter value I _{c of the} number of messages sender connections equal to i, compare the counter value I _{c of the} number of messages sender connections with I _{cmax with the} maximum possible number of messages sender connections, when the condition I _c ≥I _{cmax is} set to each of the set {I} of the sender's connections identifier I _i , the identifier of each of the sender's connections in the memory array E is stored, for each of the sender's connections, characterized by the identifier from the memory array E, the value of the processing delay time is stored, A values of the processing delay time for the sender's connections are stored in the memory array Y, store in the memory array W the correspondence to each connection, characterized by an identifier from the memory array E, the delay time values before processing it from the memory array Y, process the first of the sender's connections after the delay time before its processing bot, delete the identifier of the first of the processed connections and the corresponding value of the delay time before processing it, as well as the record of their correspondence from the memory arrays E, A and W, respectively, decrease the value of the counter I _{c of the} number of connections of the message sender by one, if the value counter I _c ≠ 0, then the next of the sender's connections is processed, and so on until the condition I _c = 0 is met, if the condition I _c ≥I _{cmax is} not met, a response is sent to the sender. 2. The method according to claim 1, characterized in that the value of the delay time for each of the intermediate responses to the sender of the e-mail messages, before sending the response by the recipient, is selected in the range from 0.1 to 1 second. 3. A method according to claim 1, characterized in that the number of intermediate responses sent to the sender of the e-mail messages before the recipient sends a response is selected in the range from 10,000 to 25,000. 4. The method according to claim 1, characterized in that the value of the delay time for each of the response fragments sent to the sender of the e-mail messages is selected in the range from 0.1 to 1 second. 5. The method according to claim 1, characterized in that the size of the fragments into which the response response to the unauthorized sender of e-mail messages is split is selected in the range from 1 to 4 bytes. 6. The method according to claim 1, characterized in that the maximum possible number of connections of the sender of e-mail messages I _{cmax is} selected in the range from 5 to 10 connections. 7. The method according to claim 1, characterized in that the delay times of the response responses containing the error code are selected in the range from 0.1 to 1 second. 8. The method according to claim 1, characterized in that the number of response responses containing an error code indicating the temporary unavailability of the recipient of e-mail messages is selected in the range from 100 to 2000. 9. The method according to claim 1, characterized in that the values of the delay time before processing the sender's connections are selected in the range from 1 to 10 seconds. 10. The method of claim 1, wherein for each false response to an unauthorized sender of e-mail messages, the error code value is randomly selected from standard SMTP error codes.

Images