
System And Method For Detecting Unauthorized Users Using Email Forensics

Abstract: A system and a method for detecting unauthorized users are disclosed. The system comprises a server, a network, a plurality of user devices connected to the server via the network, wherein the plurality of user devices is configured to send email communication via the server, and a hardware-based storage device. The hardware-based storage device stores information related to an internet protocol (IP) address; the information related to the IP address is extracted from the header of the email communication, and the header includes location, email communication sender information and email authentication information. [Figure 3]


Patent Information

Application #:
Filing Date: 24 September 2022
Publication Number: 41/2022
Publication Type: INA
Invention Field: COMPUTER SCIENCE
Status:
Email: dua.tapasya@ipconneqt.com
Parent Application:

Applicants

Cialfor Research Labs Pvt Ltd
ODC-4, 4th Floor, Panchshil Tech Park, Hinjewadi Phase 1, Pune– 411057, Maharashtra, India
Quantum University
Quantum University, Roorkee-247167, Uttarakhand, India

Inventors

1. Mr. Rahul Mishra
Cialfor Research Labs Pvt Ltd ODC-4, 4th Floor, Panchshil Tech Park, Hinjewadi Phase 1, Pune– 411057, Maharashtra, India
2. Ms. Sakshi Pandey
Cialfor Research Labs Pvt Ltd ODC-4, 4th Floor, Panchshil Tech Park, Hinjewadi Phase 1, Pune– 411057, Maharashtra, India
3. Dr. Satender Kumar
Quantum University, Roorkee-247167, Uttarakhand, India
4. Ms. Shalini
Quantum University, Roorkee-247167, Uttarakhand, India
5. Ms. Manvi Walia
Quantum University, Roorkee-247167, Uttarakhand, India
6. Prof. (Dr.) Manish Sharma
Quantum University, Roorkee-247167, Uttarakhand, India
7. Mr. Chunnu Lal
Quantum University, Roorkee-247167, Uttarakhand, India
8. Ms. Priyanka Kapila
Quantum University, Roorkee-247167, Uttarakhand, India

Specification

Description:

TECHNICAL FIELD
The present disclosure relates generally to email forensics, and more specifically relates to detecting unauthorized users using email forensics.

BACKGROUND ART
[0001] Phishing, credit card fraud, bank robbery, illegal downloading, industrial espionage, child pornography, kidnapping young people through chat rooms, frauds, cyber terrorism, creation and/or distribution of viruses, spam, and other offences are all included in the broad area of computer crime. All of these crimes either directly or indirectly involved computers. The development of the Internet sparked a new wave of criminal activity because people are now committing crimes and engaging in wrongdoing online. Internet crime has many different shapes and is committed in a variety of ways. The Internet is now accessible to everyone because of its extensive use and diverse user base. Unlike the older generation of users, some online criminals have grown up with this information superhighway.

[0002] Email has quickly taken over as the main form of communication around the globe. Billions of emails are sent and received each day around the globe. Email is abused just like criminal elements abuse other kinds of communication. Due to its ease, speed, and relative anonymity, email has evolved into a great tool for criminals. These crimes were committed by a particular group of criminals. Unlike crimes that employ computers as a tool, these crimes call for the criminals to have technical knowledge.

[0003] In some circumstances, you might need to use an email header analyzer. Cyberattack investigation can be done via email header analysis. When a hack occurs, the email headers will have malware or be marked as spam. To investigate the attack, you should run a header analysis on the emails sent during the attack. This can help you locate the perpetrator.as a botnet. As a result, it may be challenging to stop the initial spammer.

[0004] Nowadays, techniques exist that can help track IP addresses. For example, reference can be made to US6345283B1, which discloses forensic analysis of textual and binary data stored in the computer. Further, reference can be made to US patent application number US20020078382A1, which discloses identifying and detecting any configuration changes made to information systems within a network. However, none of the known techniques disclose techniques for identifying unauthorized users by tracking and tracing internet protocol address.

OBJECTS OF THE INVENTION

[0005] The principal object of the present invention is to provide techniques for identifying unauthorized users by tracking and tracing internet protocol (IP) address.

[0006] The principal object of the present invention is to provide techniques for tracking and tracing any internet protocol (IP) address from headers of an email.

[0007] Another object of the present invention is to provide techniques for identifying crucial information regarding the path a message travelled to reach its target audience.

[0008] Another object of the present invention is to provide techniques for detecting unauthorized users by determining if the user is legitimate for sending emails.

SUMMARY OF THE INVENTION

[0009] In one embodiment, a system for detecting unauthorized users is disclosed. The system comprises a server, a network, a plurality of user devices connected to the server via the network, wherein the plurality of user devices is configured to send email communication via the server, and a hardware-based storage device. The hardware-based storage device stores information related to an internet protocol (IP) address; the information related to the IP address is extracted from the header of the email communication, and the header includes location, email communication sender information and email authentication information.

[0010] In another embodiment, a method for detecting unauthorized users is disclosed. The method comprises sending, by a plurality of user devices, email communication via a server, and storing, in a hardware-based storage device, information related to an internet protocol (IP) address, wherein the information related to the IP address is extracted from the header of the email communication, and the header includes location, email communication sender information and email authentication information.

BRIEF DESCRIPTION OF DRAWINGS
[0011] Figure 1 illustrates a system for detecting unauthorized user, in accordance with one embodiment of the present invention.
[0012] Figure 2 illustrates routing of a message through a plurality of servers, in accordance with one embodiment of the present invention.
[0013] Figure 3 illustrates a hardware-based storage device using user device, in accordance with the present invention.
[0014] Figure 4 illustrates a hardware-based storage device using an intermediate device, in accordance with the present invention.
[0015] Figure 5 illustrates a flowchart of a method for detecting unauthorized user, in accordance with the present invention.

DETAILED DESCRIPTION OF THE INVENTION
[0016] While the present invention is described herein by way of example using embodiments and illustrative drawings, those skilled in the art will recognize that the invention is not limited to the embodiments of drawing or drawings described and are not intended to represent the scale of the various components. Further, some components that may form a part of the invention may not be illustrated in certain figures, for ease of illustration, and such omissions do not limit the embodiments outlined in any way. It should be understood that the drawings and the detailed description thereto are not intended to limit the invention to the particular form disclosed, but on the contrary, the invention is to cover all modifications, equivalents, and alternatives falling within the scope of the present invention as defined by the appended claim.
[0017] As used throughout this description, the word "may" is used in a permissive sense (i.e. meaning having the potential to), rather than the mandatory sense, (i.e. meaning must). Further, the words "a" or "an" mean "at least one" and the word "plurality" means "one or more" unless otherwise mentioned. Furthermore, the terminology and phraseology used herein are solely used for descriptive purposes and should not be construed as limiting in scope. Language such as "including," "comprising," "having," "containing," or "involving," and variations thereof, is intended to be broad and encompass the subject matter listed thereafter, equivalents, and additional subject matter not recited, and is not intended to exclude other additives, components, integers, or steps. Likewise, the term "comprising" is considered synonymous with the terms "including" or "containing" for applicable legal purposes. Any discussion of documents, acts, materials, devices, articles, and the like are included in the specification solely for the purpose of providing a context for the present invention. It is not suggested or represented that any or all these matters form part of the prior art base or were common general knowledge in the field relevant to the present invention.
[0018] In this disclosure, whenever a composition or an element or a group of elements is preceded with the transitional phrase "comprising", it is understood that we also contemplate the same composition, element, or group of elements with transitional phrases "consisting of", "consisting", "selected from the group consisting of", "including", or "is" preceding the recitation of the composition, element or group of elements and vice versa.
[0019] The present invention is described hereinafter by various embodiments with reference to the accompanying drawing, wherein reference numerals used in the accompanying drawing correspond to the like elements throughout the description. This invention may, however, be embodied in many different forms and should not be construed as limited to the embodiment set forth herein. Rather, the embodiment is provided so that this disclosure will be thorough and complete and will fully convey the scope of the invention to those skilled in the art. In the following detailed description, numeric values and ranges are provided for various aspects of the implementations described. These values and ranges are to be treated as examples only and are not intended to limit the scope of the claims. In addition, several materials are identified as suitable for various facets of the implementations. These materials are to be treated as exemplary and are not intended to limit the scope of the invention.
[0020] Referring to FIG. 1, a system 100 for detecting unauthorized users is illustrated. The system 100 shows a server 102 and a plurality of user devices 104 connected with the server 102 via a network 106. The plurality of user devices 104 may try to establish a connection with the server 102 for sending communications. In one embodiment, the communications may include sending emails to other users. As shown in FIG. 1, the user devices 104 may be any computing devices which are compatible to access the internet, for example, but not limited to, mobile device, computer device, laptop, tablets, etc.
[0021] The server 102 may be placed at a physical location, and a plurality of user devices 104 from all over the world may access the server 102. The server 102 may be any server responsible for handling email communications. As explained above, the server 102 is able to recognize a user device 104 from the plurality of user devices 104 using a unique internet protocol (IP) address associated with each of the user devices 102. Generally, the IP address is divided into multiple sub-parts, which can help the server identify the user device more efficiently and quickly. In addition to recognizing the user device, the server 102 is also able to identify the location of the user device 104 from which the request for accessing the content is being sent. Tracing the location of the user device 104 generally helps the server 102 to take appropriate actions in case the user devices 104 are trying to access unauthorized content from the server 102.
[0022] In one embodiment, any IP address can be traced and tracked. Any IP address may include IP address of any user device 104. In one embodiment, the IP information may include public address of a web server to reveal geographic information, holder information and registration information of the server. In one embodiment, the IP address may be IPv4 or IPv6 addresses. In one embodiment, the IP address may be 32-bit or 64-bit address. In one embodiment, the IP address may be associated with email communications. The email communications may include headers in them. The headers may include IP addresses.
[0023] Although only one server 102 is shown, there may be a plurality of servers which may be placed at different locations. For example, FIG. 2 shows requests being routed to server 102 via a plurality of servers. Thus, to access the server 102 placed at location 4, the request from the user device 104 may be routed through servers placed at location 1, location 2 and location 3. Thus, a visual route may be created for the request routed from the user device 104 for accessing the content from the server 102. In order to identify a user device 104 which is trying to access the content from the server 102 in an unauthorized way, it is necessary to identify the visual route of the request. Thus, once the visual route is traced, it is then easy to identify the user device 102.
[0024] Referring to FIG. 3 now, a hardware-based device 300 for tracking and tracing of IP address and creating visual route of email is provided. The hardware-based device 300 may be in the form of an IP address investigator kit which can have multiple functions. In one embodiment, the device 300 may be used to provide complete details about the IP address, for example, but not limited to, IP address, location of the IP address, the visual route followed by the email to reach a server, IP address from the email communication, etc.
[0025] In one embodiment, the device 300 also identifies crucial information regarding the path an email message travelled to reach its target audience. The information includes the sender's IP address, the sender's and recipient's identities, the time the email message was sent and received, the email client used, the internet service provider (ISP), and other specifics that would make sense to non-IT persons.
[0026] In one embodiment, the device 300 also informs about the sender's IP address, Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and DMARC status after analyzing the email header. Only a selection of email authentication techniques, including SPF, DKIM, and DMARC, are utilized to show mail services and ISPs that senders are legitimately permitted to send email from a specific domain. They give you the ability to confirm that an email sending server is actually employing your domain to send emails. It will then give us information about the analysis of that mail after confirming these authentications.
[0027] The device 300 will review the email header, run SPF, DKIM, and DMARC checks, and provide the sender's identity and IP address. ISPs and mail services can use a number of email authentication techniques, such as SPF (Sender Policy Framework), DKIM (DomainKeys Identified Mail), and DMARC (Domain-based Message Authentication, Reporting and Conformance), to verify that senders are legitimately permitted to send email from a specific domain.
[0028] They can also be used to confirm that the email sending server via which the email is being sent is in fact sending emails from your domain. It will then provide information about the analysis of that mail after confirming these authentications.
[0029] The hardware-based device 300 can study the key elements of the message, which can be useful if any forensic analysis is required or if anybody has to validate the key elements like who is the actual sender of that letter, among many other authentications that are frequently confirmed. The invention, which relates to computer applied technology and information security, suggests a supported method by exposing the structure concealed within the sending-receiving address details of bulk mailings, and as a result, the suspicious degree to community is examined by mail and attachment content.
[0030] In one embodiment, the hardware-based device 300 may be a storage device. For example, the hardware-based device 300 may be a universal serial bus (USB) storage device. However, the device 300 is not limited to the USB storage device and may include any storage device.
[0031] The user device 104 may store all the information relating to the IP address, such as location of the server, visual route of the request. A user can access the stored information via the hardware-based storage device 300. The storage device 300 may include a storage component 302, a plurality of connectors 304 for connecting with the user device 104, a power component 306 and a plurality of busses 308.
[0032] The information about the IP address may be stored in the storage component 302. The storage component 302 may be a non-volatile component and hence can retain its value even when the power is removed. To power the storage device 300, the storage device 300 may be connected to the user device 104. Once the storage device 300 is connected to the user device 104, the storage device 300 may be powered using the power component 306. To connect the storage device 300 with the user device 104, the plurality of connectors 304 may be used. The plurality of connectors 304 may include a plurality of pins which can be inserted into openings provided into the user device 104. The data can be transferred between the user devices 104 and the storage device 300 using the plurality of busses 308.
[0033] In one embodiment, the information about the IP address may be stored in an intermediate device 400. This embodiment is shown in FIG. 4. The hardware-based storage device 300 may be connected with the intermediate device 400 to access the information about the IP address. The accessed information can then be stored in the storage device 104. In one embodiment, the information about the IP address may be accessed by a network administrator or a network expert.
[0034] In one embodiment, the user device 104 and the intermediate device 402 may also store IP addresses from the headers of the email communication. The hardware-based storage device 300 may then, while accessing the IP address from the user device 104 and the intermediate device 402, also access and store the IP address from the email communication.
[0035] In one embodiment, the hardware-based storage device 300 may also provide scalable and flexible IPv4/IPv6 address management solutions. In another embodiment, the hardware-based storage device 300 may also provide open-source, lightweight, and cross-platform network scanner. In another embodiment, the hardware-based storage device 300 may also provide techniques for exploring Http servers, browsing shared resources on remote computers, and command-line support.
[0036] Referring to FIG. 5 now, a method 500 for detecting unauthorized users is illustrated. At step 502, the method comprises sending an email message from a plurality of user devices 104 via the server 102. At step 504, the method comprises tracking and tracing IP addresses from headers of the email message. At step 506, the method comprises extracting information from the headers of the email message. At step 508, the method comprises storing the IP address and the information extracted from the headers of the email message in the hardware-based storage device 300.
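As an added illustration of the header analysis described in [0025] to [0028] and of steps 504 and 506 above (this code is not part of the patent specification), the following Python example reconstructs the route from the Received headers and reads the SPF, DKIM and DMARC verdicts from Authentication-Results. The sample message, host names and function names are constructed for the example; reading verdicts only from a header stamped by the recipient's own mail server, and treating only the IP address recorded by that server as verified, are assumptions of the example.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed sample headers (documentation address ranges, example domains).
RAW = """\
Authentication-Results: mx.recipient.example; spf=fail smtp.mailfrom=bank.example;
 dkim=none; dmarc=fail header.from=bank.example
Received: from relay2.transit.example (relay2.transit.example [198.51.100.7])
 by mx.recipient.example with ESMTPS; Sat, 24 Sep 2022 10:15:32 +0000
Received: from relay1.origin.example (relay1.origin.example [203.0.113.25])
 by relay2.transit.example with ESMTP; Sat, 24 Sep 2022 10:15:30 +0000
Received: from laptop.local (unknown [IPv6:2001:db8::1f])
 by relay1.origin.example with ESMTPSA; Sat, 24 Sep 2022 10:15:28 +0000
From: "Accounts" <accounts@bank.example>
To: user@recipient.example
Subject: Action required
Date: Sat, 24 Sep 2022 10:15:27 +0000
X-Mailer: ExampleMailer 1.0

body
"""

BRACKETED = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")
VERDICT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def hop_ips(received):
    """Return the valid IPv4/IPv6 literals found in one Received header."""
    ips = []
    for token in BRACKETED.findall(received):
        try:
            ips.append(str(ipaddress.ip_address(token)))
        except ValueError:
            pass  # bracketed text that is not an IP address
    return ips


def route(msg):
    """Each server prepends its Received line, so reverse for sender-to-recipient order."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())
        by = re.search(r"\bby\s+(\S+)", text)
        hops.append({"by": by.group(1) if by else None, "ips": hop_ips(text)})
    return hops


def auth_results(msg, trusted_authserv):
    """Read verdicts only from headers stamped by our own server (assumed policy)."""
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        text = " ".join(str(value).split())
        authserv = text.split(";", 1)[0].strip()
        if authserv.lower() != trusted_authserv.lower():
            continue  # could have been inserted before the message reached us
        for method, verdict in VERDICT.findall(text):
            results.setdefault(method.lower(), verdict.lower())
    return results


def analyze(raw, trusted_authserv):
    msg = email.message_from_string(raw, policy=policy.default)
    hops = route(msg)
    auth = auth_results(msg, trusted_authserv)
    # Only the hop recorded by our own server is outside the sender's control.
    verified = [h["ips"][0] for h in hops if h["by"] == trusted_authserv and h["ips"]]
    failed = sorted(m for m in ("spf", "dkim", "dmarc") if auth.get(m) != "pass")
    return {
        "from": parseaddr(str(msg.get("From", "")))[1],
        "date": msg.get("Date"),
        "client": msg.get("X-Mailer"),
        "route": hops,
        "claimed_origin_ip": hops[0]["ips"][0] if hops and hops[0]["ips"] else None,
        "verified_peer_ip": verified[-1] if verified else None,
        "auth": auth,
        "suspicious": bool(failed),
    }


if __name__ == "__main__":
    for key, value in analyze(RAW, "mx.recipient.example").items():
        print(key, "=", value)
```
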
[0037] The various actions, acts, blocks, steps, or the like in the flow diagram may be performed in the order presented, in a different order or simultaneously. Further, in some embodiments, some of the actions, acts, blocks, steps, or the like may be omitted, added, modified, skipped, or the like without departing from the scope of the invention.
[0038] Although particular embodiments of the invention have been described in detail for purposes of illustration, various modifications and enhancements may be made without departing from the spirit and scope of the invention.

Claims:

I/We Claim:
1. A system (100) for detecting unauthorized users, the system comprises:
a server (102);
a network (106);
a plurality of user devices (104) connected to the server via the network, wherein the plurality of user devices are configured to send email communication via the server;
a hardware-based storage device, wherein:
the hardware-based storage device (300) stores information related to internet protocol (IP) address,
the information related to IP address is extracted header of the email communication,
the header includes location, email communication sender information and email authentication information.

2. The system as claimed in claim 1, wherein the hardware-based storage device is a universal serial bus (USB) storage device.

3. The system as claimed in claim 1, wherein the header further stores a route of the email communication from sender to a target device via the server.

4. The system as claimed in claim 1, wherein unauthorized users are determined by determining whether the user device from which the email communication is sent is legitimate user device.

5. The system as claimed in claim 1, wherein the information from the header is identified using one or more techniques including Sender Policy Framework, Domain Keys Identified Mail, and DKIM, and Domain-based Message Authentication, Reporting and Conformance.

6. A method for detecting unauthorized users using a system as claimed in claim 1, wherein the method comprises:
sending, by a plurality of user devices, email communication via a server;
storing, in a hardware-based storage device, information related to internet protocol (IP) address, wherein:
the information related to IP address is extracted header of the email communication,
the header includes location, email communication sender information and email authentication information.

7. The method as claimed in claim 6, wherein the hardware-based storage device is a universal serial bus (USB) storage device.

8. The method as claimed in claim 6, wherein the header further stores a route of the email communication from sender to a target device via the server.

9. The method as claimed in claim 6, wherein unauthorized users are determined by determining whether the user device from which the email communication is sent is legitimate user device.

10. The method as claimed in claim 6, wherein the information from the header is identified using one or more techniques including Sender Policy Framework, Domain Keys Identified Mail, and DKIM, and Domain-based Message Authentication, Reporting and Conformance.

Dated this 22nd Sept, 2022

Documents

Application Documents

Name Date
202221054760-STATEMENT OF UNDERTAKING (FORM 3) [24-09-2022(online)].pdf 2022-09-24
202221054760-REQUEST FOR EARLY PUBLICATION(FORM-9) [24-09-2022(online)].pdf 2022-09-24
202221054760-FORM-9 [24-09-2022(online)].pdf 2022-09-24
202221054760-FORM FOR SMALL ENTITY(FORM-28) [24-09-2022(online)].pdf 2022-09-24
202221054760-FORM FOR SMALL ENTITY [24-09-2022(online)].pdf 2022-09-24
202221054760-FORM 1 [24-09-2022(online)].pdf 2022-09-24
202221054760-EVIDENCE FOR REGISTRATION UNDER SSI [24-09-2022(online)].pdf 2022-09-24
202221054760-EVIDENCE FOR REGISTRATION UNDER SSI(FORM-28) [24-09-2022(online)].pdf 2022-09-24
202221054760-FIGURE OF ABSTRACT [24-09-2022(online)].pdf 2022-09-24
202221054760-DRAWINGS [24-09-2022(online)].pdf 2022-09-24
202221054760-DECLARATION OF INVENTORSHIP (FORM 5) [24-09-2022(online)].pdf 2022-09-24
202221054760-COMPLETE SPECIFICATION [24-09-2022(online)].pdf 2022-09-24
Abstract.jpg 2022-09-29
202221054760-FORM-26 [04-10-2022(online)].pdf 2022-10-04
202221054760-FORM 18 [22-12-2023(online)].pdf 2023-12-22
202221054760-FER.pdf 2025-04-25
202221054760-OTHERS [25-10-2025(online)].pdf 2025-10-25
202221054760-MARKED COPIES OF AMENDEMENTS [25-10-2025(online)].pdf 2025-10-25
202221054760-FORM 13 [25-10-2025(online)].pdf 2025-10-25
202221054760-FER_SER_REPLY [25-10-2025(online)].pdf 2025-10-25
202221054760-CLAIMS [25-10-2025(online)].pdf 2025-10-25
202221054760-AMMENDED DOCUMENTS [25-10-2025(online)].pdf 2025-10-25

Search Strategy

1 202221054760_SearchStrategyNew_E_202221054760E_30-01-2025.pdf