Fortigate Tutorial – Spam Filtering

 

Fortiguard uses the industry standard definition of spam as Unsolicite Bulk Email.

Here are the Spam Filtering Methods implemented by Fortinet to its appliances:

1. IP Address Check

2. URL Check

3. Email Checksum Check

4. Spam Submission

5. Block/White List

6. HELO DNS Lookup

7. Return E-mail DNS check

8. Banned Words

9. MIME check

10. DNS Blackhole List (DNSBL) and Open Relay Database List (ORDBL)

 

II. Fortiguar AntiSpam

Global Filters

1. FortiIP Sender IP Reputation Database (based on the reputation of the IP)

2. FortiSig 1 – contains “spamvertised URLs” – matches URLs in the email

3. FortiSig 2 – contains “spamvertised email address”

4. FortiSig 3 – checks for spam objecte checksums

5. FortiRule – the global filter uses dynamically updated heuristic rules to identify spam using: header, body, mime header and attachment

6. Customized Filters: IP address, banned word etc.

 

III. Spam actions:

You have the possibility to tag SPAM with the following Actions:

a. Tag for: IPAM, POP3, SMTP -> this features tags the spam with [SPAM] at the beginning of the Email Subject

b. Drop: SMTP -> you can drop emails only using SMTP of course

 

IV. Banned Word List

You can add words and add a score for each word. If your total score(more banned words in the email) go over a specific threshold, then the email is processed according with the profile you defined.

 

V. IP Address Filter

You can add a profile and a list of IP

IP Trust – if a Fortigate is behind a Mail Transfer Unit(MTU), it may be unnecesarry to check the email IP address because, they are internet and of course are trusted. To enabled this option you can use the “iptrust” command from the CLI.

 

VI. MIME Header Checks

Fortigate checks the MIME header key-value pair of the incoming email to the list pair in the sequence.

A MIME Header Check can only be configured using the “config spamfilter mheader” command from the CLI.

 

The DNSBL (DNS Blackhole List) and ORDBL (Open Relay Database List) can only be configured from the CLI and only for SMTP with the following command:

config spamfilter dnsbl

 

The Fortimail and Fortigate can support the following:

1. Wildlist Virus Protection -> This can be supported by both applications

2. Legacy Virus Protection -> This can only be supported by the Fortimail

3. Advanced Spam Filter -> This can be supported by both, but it is very limited in the Fortigate

4. Email Quarantine -> This can only be supported by the Fortimail or a Fortigate with FortiAnalyzer

5. Email Archiving -> Supported by both

6. Email routing -> Supported only by the Fortimail

 

 

Share: