Fortigate SPAM Control

You can easily use a Fortigate to alleviate SPAM issues for your environment. The Fortigate SPAM control functionality is built into the Security Profile section of the device as “Email Filter”. You are able to create an Email Filter that will allow or block mail based on a listed set of criteria. Below is the Email Filtering Section of the FortiOS 5.0 Security Profiles document. This document does a wonderful job of explaining everything and it would be a waste for me to try and reinvent the wheel when it comes to Fortigate SPAM Control.

Email filter concepts

You can configure the FortiGate unit to manage unsolicited commercial email by detecting and identifying spam messages from known or suspected spam servers.

The FortiGuard Antispam Service uses both a sender IP reputation database and a spam signature database, along with sophisticated spam filtering tools, to detect and block a wide range of spam messages. Using FortiGuard Antispam email filter profile settings, you can enable IP address checking, URL checking, email checksum checking, and spam submission. Updates to the IP reputation and spam signature databases are provided continuously via the global FortiGuard Distribution Network.

From the FortiGuard Antispam Service page in the FortiGuard Center, find out whether an IP address is blacklisted in the FortiGuard antispam IP reputation database, or whether a URL or email address is in the signature database.

Email filter techniques

The FortiGate unit has a number of techniques available to help detect spam. Some use the FortiGuard Antispam Service and require a subscription. The remainder use your DNS servers or use lists that you must maintain.

FortiGuard IP address check

The FortiGate unit queries the FortiGuard Antispam Service to determine if the IP address of the client delivering the email is blacklisted. A match will cause the FortiGate unit to treat delivered messages as spam.

The default setting of the smtp-spamhdrip CLI command is disable. If enabled, the FortiGate unit will check all the IP addresses in the header of SMTP email against the FortiGuard Antispam Service.

FortiGuard URL check

The FortiGate unit queries the FortiGuard Antispam service to determine if any URL in the message body is associated with spam. If any URL is blacklisted, the FortiGate unit determines that the email message is spam.

Detect phishing URLs in email

The FortiGate unit sends the URL links in email messages to FortiGuard to determine if the links are associated with a known phishing site. If such a link is detected, the link is removed from the message. The URL remains, but it is no longer a selectable hyperlink.

FortiGuard email checksum check

The FortiGate unit sends a hash of an email to the FortiGuard Antispam server, which compares the hash to hashes of known spam messages stored in the FortiGuard Antispam database. If the hash results match, the email is flagged as spam.

FortiGuard spam submission

Spam submission is a way you can inform the FortiGuard AntiSpam service of non-spam messages incorrectly marked as spam. When you enable this setting, the FortiGate unit adds a link to the end of every message marked as spam. You then select this link to inform the FortiGuard AntiSpam service when a message is incorrectly marked.

IP address black/white list check

The FortiGate unit compares the IP address of the client delivering the email to the addresses in the IP address black/white list specified in the email filter profile. If a match is found, the FortiGate unit will take the action configured for the matching black/white list entry against all delivered email. The default setting of the smtp-spamhdrip CLI command is disable. If enabled, the FortiGate unit will check all the IP addresses in the header of SMTP email against the specified IP address black/white list. For more information, see the FortiGate CLI Reference.

HELO DNS lookup

The FortiGate unit takes the domain name specified by the client in the HELO greeting sent when starting the SMTP session and does a DNS lookup to determine if the domain exists. If the lookup fails, the FortiGate unit determines that any messages delivered during the SMTP session are spam.

Banned word check

The FortiGate unit blocks email messages based on matching the content of the message with the words or patterns in the selected spam filter banned word list. This feature is only available in the CLI.

Order of spam filtering

The FortiGate unit checks for spam using various filtering techniques. The order in which the FortiGate unit uses these filters depends on the mail protocol used.

Filters requiring a query to a server and a reply (FortiGuard Antispam Service and DNSBL/ORDBL) are run simultaneously. To avoid delays, queries are sent while other filters are running. The first reply to trigger a spam action takes effect as soon as the reply is received.

Each spam filter passes the email to the next if no matches or problems are found. If the action in the filter is Mark as Spam, the FortiGate unit tags the email as spam according to the settings in the email filter profile.

For SMTP and SMTPS, if the action is discard, the email message is discarded or dropped.

If the action in the filter is Mark as Clear, the email is exempt from any remaining filters. If the action in the filter is Mark as Reject, the email session is dropped. Rejected SMTP or SMTPS email messages are substituted with a configurable replacement message.

Order of SMTP and SMTPS spam filtering

The FortiGate unit scans SMTP and SMTPS email for spam in the order given below. SMTPS spam filtering is available on FortiGate units that support SSL content scanning and inspection.

1. IP address black/white list (BWL) check on last hop IP
2. DNSBL & ORDBL check on last hop IP, FortiGuard Antispam IP check on last hop IP, HELO DNS lookup
3. MIME headers check, E-mail address BWL check
4. Banned word check on email subject
5. IP address BWL check (for IPs extracted from “Received” headers)
6. Banned word check on email body
7. Return email DNS check, FortiGuard Antispam email checksum check, FortiGuard Antispam URL check, DNSBL & ORDBL check on public IP extracted from header.

Order of IMAP, POP3, IMAPS and POP3S spam filtering

The FortiGate unit scans IMAP, POP3, IMAPS and POP3S email for spam in the order given below. IMAPS and POP3S spam filtering is available on FortiGate units that support SSL content scanning and inspection.

1. MIME headers check, E-mail address BWL check
2. Banned word check on email subject
3. IP BWL check
4. Banned word check on email body
5. Return email DNS check, FortiGuard Antispam email checksum check, FortiGuard Antispam URL check, DNSBL & ORDBL check.

Enable email filtering

Unlike antivirus protection, no single control enables all email filtering. Your FortiGate unit uses many techniques to detect spam; some may not be appropriate for every situation. For this reason, when you enable email filtering, you must then choose when techniques are applied to email traffic.

To enable email filtering

1. Go to Security Profiles > Email Filter > Profile. The default email filter profile is presented. You can edit this profile or create a new one.
2. Select the Inspection Mode. Proxy detection involves buffering the file and examining it as a whole. Advantages of proxy-based detection include a more thorough examination of attachments, especially archive formats and nesting. Flow-based detection examines the file as it passes through the FortiGate unit without any buffering. Advantages of flow-based detection include speed and no interruption of detection during conserve mode.
3. Select Enable Spam Detection and Filtering.
4. If you wish to leave everything in its default setting, you can select OK or Apply.

Once you have enabled the email filter you can further specify what protocols to inspect.

Configure email traffic types to inspect

The FortiGate unit examines IMAP, POP3, and SMTP email traffic. If your FortiGate unit supports content inspection, it can also examine IMAPS, POP3S, and SMTPS traffic. The options that you will see in the profile window are IMAP, POP3 and SMTP.

To select the email traffic types to inspect

  1. Go to Security Profiles > Email Filter > Profile.
  2. The default email filter profile is presented. To edit another profile, select it from the drop down in the Edit Email Filter Profile title bar.
  3. Select Enable Spam Detection and Filtering.
  4. Select the types of email that you want the FortiGate unit to examine when using this email filter profile.
  5. Select Apply.

The traffic types you enable will be examined according to the settings in the email filter profile.

Configure the spam action

When spam is detected, the FortiGate unit will deal with it according to the Spam Action setting in the email filter profile. Note that POP3S, IMAPS and SMTPS spam filtering is available only on FortiGate units that support SSL content scanning and inspection. POP3, IMAP, POP3S and IMAPS mail can only be tagged. SMTP and SMTPS mail can be set to Discard or Tagged:

  • Discard: When the spam action is set to Discard, messages detected as spam are deleted. No notification is sent to the sender or recipient.
  • Tagged: When the spam action is set to Tagged, messages detected as spam are labelled and delivered normally. The text used for the label is set in the Tag Format field and the label is placed in the subject or the message header, as set with the Tag Location setting.

To configure the spam action

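  1. Go to Security Profiles > Email Filter > Profile.
  2. The default email filter profile is presented. To edit another profile, select it from the drop down in the Edit Email Filter Profile title bar.
  3. Select Enable Spam Detection and Filtering.
  4. Select the types of email that you want the FortiGate unit to examine when using this email filter profile.
  5. Select Apply.
  6. The Spam Action row has a drop-down selection under the SMTP traffic type. Select Discard or Tagged.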

No selection is available for POP3 or IMAP traffic. Tagged is the only applicable action for those traffic types.

By default, the tag location for any traffic set to Tagged is Subject and the tag format is Spam. If you want to change these settings, continue with “Configure the tag location” and “Configure the tag format”.

  7. Select Apply.

Select the edited email filter profile in a security policy, and the traffic controlled by the security policy will be scanned according to the settings you configured. You may select the email filter profile in more than one security policy if required.

Configure the tag location

When the spam action is set to Tagged, the Tag Location setting determines where the tag is applied in the message.

To configure the tag location

  1. Go to Security Profiles > Email Filter > Profile.
  2. The default email filter profile is presented. To edit another profile, select it from the drop down in the Edit Email Filter Profile title bar.
  3. Select Enable Spam Detection and Filtering.
  4. Select the types of email that you want the FortiGate unit to examine when using this email filter profile.
  5. Select Apply.
  6. The Tag Location row has two options for each traffic type. Note that if the spam action for SMTP traffic is set to discard, the tag location will not be available. Select the tag location:
  • Subject: The FortiGate unit inserts the tag at the beginning of the message subject. For example, if the message subject is “Buy stuff!” and the tag is “[spam]”, the new message subject is “[spam] Buy stuff!” if the message is detected as spam.
  • MIME: The FortiGate unit inserts the tag into the message header. With most mail readers and web-based mail services, the tag will not be visible. Despite this, you can still set up a rule based on the presence or absence of the tag.
  7. Select Apply.

Configure the tag format

When the spam action is set to Tagged, the Tag Format setting determines what text is used as the tag applied to the message.

To configure the tag format

  1. Go to Security Profiles > Email Filter > Profile.
  2. The default email filter profile is presented. To edit another profile, select it from the drop down in the Edit Email Filter Profile title bar.
  3. Select Enable Spam Detection and Filtering.
  4. Select the types of email that you want the FortiGate unit to examine when using this email filter profile.
  5. Select Apply.
  6. The Tag Format row has a field for each traffic type. Note that if the spam action for SMTP traffic is set to discard, the tag format will not be available. Enter the text the FortiGate unit will use as the tag for each traffic type.
  7. Select Apply.

Configure FortiGuard email filters

FortiGuard email filtering techniques use FortiGuard services to detect the presence of spam among your email. A FortiGuard subscription is required to use the FortiGuard email filters. You can enable the following types of FortiGuard email filtering:

  • FortiGuard IP address checking: When you enable FortiGuard IP address checking, your FortiGate unit will submit the IP address of the client to the FortiGuard service for checking. If the IP address exists in the FortiGuard IP address black list, your FortiGate unit will treat the message as spam.
  • FortiGuard URL checking: When you enable FortiGuard URL checking, your FortiGate unit will submit all URLs appearing in the email message body to the FortiGuard service for checking. If a URL exists in the FortiGuard URL black list, your FortiGate unit will treat the message as spam.
  • FortiGuard phishing URL detection: When you enable FortiGuard phishing URL detection, your FortiGate unit will submit all URL hyperlinks appearing in the email message body to the FortiGuard service for checking. If a URL exists in the FortiGuard URL phishing list, your FortiGate unit will remove the hyperlink from the message. The URL will remain in place, but it will no longer be a selectable hyperlink.
  • FortiGuard email checksum checking: When you enable FortiGuard email checksum checking, your FortiGate unit will submit a checksum of each email message to the FortiGuard service for checking. If a checksum exists in the FortiGuard checksum black list, your FortiGate unit will treat the message as spam.
  • FortiGuard spam submission: When you enable FortiGuard spam submission, your FortiGate unit will append a link to the end of every message detected as spam. This link allows email users to “correct” the FortiGuard service by informing it that the message is not spam.

Carefully consider the use of the Spam submission option on email leaving your network. Users not familiar with the feature may click the link on spam messages because they are curious. This will reduce the accuracy of the feature.

To enable FortiGuard email filtering

  1. Go to Security Profiles > Email Filter > Profile.
  2. The default email filter profile is presented. To edit another profile, select it from the drop down in the Edit Email Filter Profile title bar.
  3. Select Enable Spam Detection and Filtering.
  4. Select the types of email that you want the FortiGate unit to examine when using this email filter profile.
  5. Select Apply.
  6. Under the heading FortiGuard Spam Filtering, select one or more of the following options:
  • IP Address Check.
  • URL Check.
  • Detect Phishing URLs in Email.
  • E-mail Checksum Check.
  • Spam Submission.
  7. Select Apply.

Select the edited email filter profile in a security policy, and the traffic controlled by the security policy will be scanned according to the settings you configured. You may select the email filter profile in more than one security policy if required.

Configure local email filters

Local email filtering techniques use your own resources, whether DNS checks or IP address and email address lists that you maintain. You can enable three types of local filtering:

  • Black and white list (BWL) checking (includes email addresses and IP addresses)
  • HELO DNS lookup
  • Return email DNS checking

Enabling IP address and email address black/white list checking

When you enable email black/white list (BWL) checking, your FortiGate unit will perform IP address BWL checking and email address BWL checking.

IP address BWL checking matches client IP addresses with IP addresses in the selected email BWL list and acts according to the action configured for the IP address in the list: allow the message, reject it, or mark it as spam.

Email address BWL checking matches sender email addresses with email addresses in the selected email BWL list and acts according to the action configured for the email address in the list: allow the message or mark it as spam.

Before you can enable IP address and email address black/white list spam filtering you must create an email black/white list.

To create an email black/white list

  1. Go to Security Profiles > Email Filter > Email List.
  2. Select Create New.
  3. Enter a name for the BWL list.
  4. Optionally, enter a description or comments about the list.
  5. Select OK to save the list.

When a new black/white list is created, it is empty. To perform any actions, you must add IP and email addresses to the list.

To add an IP address to an email black/white list

  1. Go to Security Profiles > Email Filter > Email List.
  2. Edit a list.
  3. Select Create New.
  4. Select IP/Netmask.
  5. Enter the IP address or netmask in the IP/netmask field.
  6. Select the action:
  • Mark as Clear: Messages from clients with matching IP addresses will be allowed, bypassing further email filtering.
  • Mark as Reject: Messages from clients with matching IP addresses will be rejected. The FortiGate unit will return a reject message to the client. Mark as Reject only applies to mail delivered by SMTP. If an IP address black/white list is used with POP3 or IMAP mail, addresses configured with the Mark as Reject action will be marked as spam.
  • Mark as Spam: Messages from clients with matching IP addresses will be treated as spam, subject to the action configured in the applicable email filter profile. For more information, see “Configure the spam action”.
  7. By default, the address is enabled and the FortiGate unit will perform the action if the address is detected. To disable checking for the address, clear the Enable check box.
  8. Select OK.

To add an email address to an email black/white list

  1. Go to Security Profiles > Email Filter > Email List.
  2. Edit a list.
  3. Select Create New.
  4. Select Email Address.
  5. Enter the email address in the Email Address field.
  6. If you need to enter a pattern in the Email Address field, select whether to use wildcards or regular expressions to specify the pattern.

Wildcard uses an asterisk (“*”) to match any number of any character. For example, *@example.com will match all addresses ending in @example.com.

Regular expressions use Perl regular expression syntax. See http://perldoc.perl.org/perlretut.html for detailed information about using Perl regular expressions.

  7. Select the action:
  • Mark as Spam: Messages with matching reply-to email addresses will be treated as spam, subject to the action configured in the applicable email filter profile. For more information, see “Configure the spam action”.
  • Mark as Clear: Messages with matching reply-to addresses will be allowed, bypassing further email filtering.
  8. By default, the address is enabled and the FortiGate unit will perform the action if the address is detected. To disable checking for the address, clear the Enable check box.
  9. Select OK to save the address.

To enable IP address black/white list checking

  1. Go to Security Profiles > Email Filter > Profile.
  2. The default email filter profile is presented. To edit another profile, select it from the drop down in the Edit Email Filter Profile title bar.
  3. Select Enable Spam Detection and Filtering and select Apply.
  4. Under the heading Local Spam Filtering, select BWL Check.
  5. Select the IP address black/white list to use from the drop-down list.
  6. Select Apply.

Select the email filter profile in a security policy, and the traffic accepted by the security policy will be scanned according to the settings you configured.

Enabling HELO DNS lookup

Whenever a client opens an SMTP session with a server, the client sends a HELO command with the client domain name. When you enable HELO DNS lookup, your FortiGate unit will take the domain the client submits as part of the HELO greeting and send it to the configured DNS. If the domain does not exist, your FortiGate unit will treat all messages the client delivers as spam.

The HELO DNS lookup is available only for SMTP traffic.

To enable HELO DNS lookup

  1. Go to Security Profiles > Email Filter > Profile.
  2. The default email filter profile is presented. To edit another profile, select it from the drop down in the Edit Email Filter Profile title bar.
  3. Select Enable Spam Detection and Filtering and select Apply.
  4. Under the heading Local Spam Filtering, select HELO DNS Lookup.
  5. Select Apply.

Select the edited email filter profile in a security policy, and the traffic controlled by the security policy will be scanned according to the settings you configured. You may select the email filter profile in more than one security policy if required.

Enabling return email DNS checking

When you enable return email DNS checking, your FortiGate unit will take the domain in the reply-to email address and send it to the configured DNS. If the domain does not exist, your FortiGate unit will treat the message as spam.

To enable return email DNS check

  1. Go to Security Profiles > Email Filter > Profile.
  2. The default email filter profile is presented. To edit another profile, select it from the drop down in the Edit Email Filter Profile title bar.
  3. Select Enable Spam Detection and Filtering and select Apply.
  4. Under the heading Local Spam Filtering, select Return E-mail DNS Check.
  5. Select Apply.

Select the edited email filter profile in a security policy, and the traffic controlled by the security policy will be scanned according to the settings you configured. You may select the email filter profile in more than one security policy if required.

Enabling banned word checking

When you enable banned word checking, your FortiGate unit will examine the email message for words appearing in the banned word list specified in the email filter profile. If the total score of the banned words discovered in the email message exceeds the threshold value set in the email filter profile, your FortiGate unit will treat the message as spam.

When determining the banned word score total for an email message, each banned word score is added once no matter how many times the word appears in the message. Use the command config spamfilter bword to add an email banned word list. Use the command config spamfilter profile to add a banned word list to an email filtering profile.

How content is evaluated

Every time the banned word filter detects a pattern in an email message, it adds the pattern score to the sum of scores for the message. You set this score when you create a new pattern to block content. The score can be any number from zero to 99999. Higher scores indicate more offensive content. When the total score equals or exceeds the threshold, the email message is considered as spam and treated according to the spam action configured in the email filter profile. The score for each pattern is counted only once, even if that pattern appears many times in the email message. The default score for banned word patterns is 10 and the default threshold is 10. This means that by default, an email message is blocked by a single match.

A pattern can be part of a word, a whole word, or a phrase. Multiple words entered as a pattern are treated as a phrase. The phrase must appear as entered to match. You can also use wildcards or regular expressions to have a pattern match multiple words or phrases.

For example, the FortiGate unit scans an email message that contains only this sentence: “The score for each word or phrase is counted only once, even if that word or phrase appears many times in the email message.”

| Banned word pattern | Pattern type | Assigned score | Score added to the sum for the entire page | Comment |
|---|---|---|---|---|
| word | Wildcard | 20 | 20 | The pattern appears twice but multiple occurrences are only counted once. |
| word phrase | Wildcard | 20 | 0 | Although each word in the phrase appears in the message, the words do not appear together as they do in the pattern. There are no matches. |
| word*phrase | Wildcard | 20 | 20 | The wildcard represents any number of any character. A match occurs as long as “word” appears before “phrase” regardless of what is in between them. |
| mail*age | Wildcard | 20 | 20 | Since the wildcard character can represent any characters, this pattern is a match because “email message” appears in the message. |

In this example, the message is treated as spam if the banned word threshold is set to 60 or less.

Adding words to a banned word list

Each banned word list contains a number of words, each having a score, and specifying where the FortiGate unit will search for the word (in the message subject, message body, or all, which means both).

When the FortiGate unit accepts an email message containing one or more words in the banned word list specified in the active email filter profile, it totals the scores of the banned words in the email message. If the total is higher than the threshold set in the email filter profile, the email message will be detected as spam. If the total score is lower than the threshold, the message will be allowed to pass as normal.

The score of a banned word present in the message will be counted toward the score total only once, regardless of how many times the word appears in the message.

When you enter a word, set the Pattern-type to wildcards or regular expressions.

Wildcard uses an asterisk (“*”) to match any number of any character. For example, re* will match all words starting with “re”.

Regular expression uses Perl regular expression syntax. See http://perldoc.perl.org/perlretut.html for detailed information about using Perl regular expressions.
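
The scoring rules from “How content is evaluated” and the worked table, together with the subject/body/all search location described in this section, modelled as an added Python example (it is not FortiOS code and not part of the Fortinet document quoted here). It assumes case-insensitive substring matching, stands in Python's re module for Perl regular expressions, and applies the “equals or exceeds the threshold” rule; the names BannedWord, score_message and is_spam are made up for the illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample: the sentence used in the worked table.
SENTENCE = ("The score for each word or phrase is counted only once, even if "
            "that word or phrase appears many times in the email message.")


@dataclass(frozen=True)
class BannedWord:
    """One banned word entry (hypothetical model, not a FortiOS structure)."""
    pattern: str
    pattern_type: str = "wildcard"  # "wildcard" or "regexp"
    score: int = 10                 # default pattern score given in the text
    where: str = "all"              # "subject", "body" or "all" (both)


# The four patterns from the table, each with an assigned score of 20.
TABLE_PATTERNS = [
    BannedWord("word", score=20),
    BannedWord("word phrase", score=20),
    BannedWord("word*phrase", score=20),
    BannedWord("mail*age", score=20),
]


def compile_entry(entry):
    """Turn an entry into a compiled regex, validating it first."""
    if not entry.pattern:
        raise ValueError("an empty pattern would match every message")
    if not 0 <= entry.score <= 99999:
        raise ValueError("score must be between 0 and 99999")
    if entry.pattern_type == "wildcard":
        # "*" matches any number of any character; everything else is literal.
        source = ".*".join(re.escape(p) for p in entry.pattern.split("*"))
    elif entry.pattern_type == "regexp":
        source = entry.pattern  # assumption: Python re approximates Perl syntax
    else:
        raise ValueError("unknown pattern type: " + entry.pattern_type)
    # Assumption: matching ignores case; DOTALL lets "*" span line breaks.
    return re.compile(source, re.IGNORECASE | re.DOTALL)


def score_message(subject, body, entries):
    """Return (total score, matched patterns); each pattern counts once."""
    total, hits = 0, []
    for entry in entries:
        regex = compile_entry(entry)
        if entry.where not in ("subject", "body", "all"):
            raise ValueError("unknown search location: " + entry.where)
        parts = []
        if entry.where in ("subject", "all"):
            parts.append(subject)
        if entry.where in ("body", "all"):
            parts.append(body)
        # search() finds the pattern anywhere, so it can be part of a word;
        # any() adds the score once however many times the pattern occurs.
        if any(regex.search(part) for part in parts):
            total += entry.score
            hits.append(entry.pattern)
    return total, hits


def is_spam(subject, body, entries, threshold=10):
    """Spam when the total equals or exceeds the threshold (default 10)."""
    total, _ = score_message(subject, body, entries)
    return total >= threshold


if __name__ == "__main__":
    total, hits = score_message("", SENTENCE, TABLE_PATTERNS)
    print("total:", total, "matched:", hits)
    for threshold in (10, 60, 61):
        verdict = is_spam("", SENTENCE, TABLE_PATTERNS, threshold)
        print("threshold", threshold, "->", "spam" if verdict else "clear")
```

Running the module prints the total for the table's sentence and the verdict at thresholds 10, 60 and 61, which makes it easy to see how raising the threshold above the default keeps a single low-value match from condemning a message.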

Email filter examples

Configuring simple antispam protection

Small offices, whether they are small companies, home offices, or satellite offices, often have very simple needs. This example details how to enable antispam protection on a FortiGate unit located in a satellite office.

Creating an email filter profile

Most email filter settings are configured in an email filter profile. Email filter profiles are selected in firewall policies. This way, you can create multiple email filter profiles, and tailor them to the traffic controlled by the security policy in which they are selected. In this example, you will create one email filter profile.

To create an email filter profile — web-based manager

  1. Go to Security Profiles > Email Filter > Profile.
  2. Select the Create New icon in the Edit Email Filter Profile window title.
  3. In the Name field, enter basic_emailfilter.
  4. Select Enable Spam Detection and Filtering.
  5. Ensure that IMAP, POP3, and SMTP are selected in the header row.

These header row selections enable or disable examination of each email traffic type. When disabled, the email traffic of that type is ignored by the FortiGate unit and no email filtering options are available.

  6. Under FortiGuard Spam Filtering, enable IP Address Check.
  7. Under FortiGuard Spam Filtering, enable URL Check.
  8. Under FortiGuard Spam Filtering, enable E-mail Checksum Check.
  9. Select OK to save the email filter profile.

To create an email filter profile — CLI

    config spamfilter profile
        edit basic_emailfilter
            set options spamfsip spamfsurl spamfschksum
    end

Selecting the email filter profile in a security policy

An email filter profile directs the FortiGate unit to scan network traffic only when it is selected in a security policy. When an email filter profile is selected in a security policy, its settings are applied to all the traffic the security policy handles.

To select the email filter profile in a security policy — web-based manager

  1. Go to Policy > Policy > Policy.
  2. Create a new or edit a policy.
  3. Turn on email filtering.
  4. Select the basic_emailfilter profile from the list.
  5. Select OK to save the security policy.

To select the email filter profile in a security policy — CLI

    config firewall policy
        edit 1
            set utm-status enable
            set profile-protocol-options default
            set spamfilter-profile basic_emailfilter
    end

IMAP, POP3, and SMTP email traffic handled by the security policy you modified will be scanned for spam. Spam messages have the text “Spam” added to their subject lines. A small office may have only one security policy configured. If you have multiple policies, consider enabling spam scanning for all of them.

Blocking email from a user

Employees of the Example.com corporation have been receiving unwanted email messages from a former client at a company called example.net. The client’s email address is client@example.net. All ties between the company and the client have been severed, but the messages continue. The FortiGate unit can be configured to prevent these messages from being delivered.

To create the email address list

  1. Go to Security Profiles > Email Filter > Email List.
  2. Select Create New.
  3. Enter a name for the new email address list.
  4. Optionally, enter a descriptive comment for the email address list.
  5. Select OK to create the list.
  6. Select Create New to add a new entry to the email address list.
  7. Select Email Address.
  8. Enter client@example.net in the E-mail Address field.
  • If you wanted to prevent everyone’s email from the client’s company from getting through, you could have used *@example.net instead.
  9. Leave Pattern Type set to the default, Wildcard.
  10. Leave Action as Mark as Spam to have the FortiGate unit mark all messages from example.net as spam.

Now that the email address list is created, you must enable the email filter in the email filter profile.

To enable Email Filter

  1. Go to Security Profiles > Email Filter > Profile.
  2. Select the email filter profile that is used by the firewall policies handling email traffic from the email filter profile drop down list.
  3. In the row Tag Location, select Subject for all three mail protocols.
  4. In the row Tag Format, enter SPAM: in all three fields.
  5. Select Enable Spam Detection and Filtering.
  6. Ensure that the check boxes labeled IMAP, POP3, and SMTP in the header row are selected.
  7. Under Local Spam Filtering, enable BWL Check and select the email address list you created in the previous procedure from the drop down list.
  8. Select OK.

When this email filter profile is selected in a security policy, the FortiGate unit will add “SPAM:” to the subject of any email message from an address ending with @example.net for all email traffic handled by the security policy. Recipients can ignore the message or they can configure their email clients to automatically delete messages with “SPAM:” in the subject.

