Best Practices and Fine Tuning

Antispam tuning

  • If the spam catch rate is low, see “Troubleshoot antispam issues” on page 712 for fine tuning instructions.
  • Use black and white lists with caution. They are simple and efficient tools for fighting spam and enhancing performance. They can also cause false positives and false negatives if not used properly, however. For example, a white list entry *.edu would allow all mail from the .edu top level domain to bypass the FortiMail unit’s antispam scans.
  • Do not whitelist protected domains. Because white lists bypass antispam scans, email with spoofed sender addresses in the protected domains could bypass antispam features.
  • To prevent directory harvest attacks (DHA), use a combination of recipient verification and sender reputation.

DHA is a common method used by spammers. It abuses recipient verification to discover an email server’s valid email addresses so that they can be added to a spam database.

If Recipient Address Verification (accessed through Mail Settings > Domains > Domains) is enabled, each recipient address is verified with the protected email server. For email destined for invalid recipient addresses, the FortiMail unit returns a User Unknown response to the SMTP client. Spammers, however, use this response to guess and learn valid recipient addresses.

To prevent this, select Enable sender reputation checking in the session profile (located in Profile > Session > Session). Sender reputation weighs each SMTP client’s IP address and assigns it a score. If the SMTP client sends several email messages to unknown recipients, its reputation score increases significantly. When the sender reputation score exceeds the threshold, the SMTP client’s SMTP sessions are terminated at the connection level.

  • To prevent delivery status notification (DSN) spam, enable bounce verification.

Spammers may sometimes use the DSN mechanism to bypass antispam measures. In this attack, sometimes called “backscatter”, the spammer spoofs the email address of a legitimate sender and intentionally sends spam to an undeliverable recipient, expecting that the recipient’s email server will send a DSN back to the spoofed sender to notify them of the delivery failure. Because this attack uses innocent email servers and a standard notification mechanism, many antispam mechanisms cannot tell a legitimate DSN from a spoofed one.

To prevent this, enable bounce address tagging and verification (located in AntiSpam > Bounce Verification > Settings) and configure it with an active key. In addition, disable both the Bypass bounce verification option (located in Mail Settings > Domains > Domains) and the Bypass bounce verification check option (located in Profile > Session > Session). It is also recommended to select Use antispam profile settings for the Bounce verification action option (located in AntiSpam > Bounce Verification > Settings). Finally, verify that all email, both incoming and outgoing, is routed through the FortiMail unit. The FortiMail unit cannot tag outgoing email, or recognize a legitimate DSN for previously sent email, unless all email passes through it.
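The tagging and verification that the last step relies on, shown as an added example rather than FortiMail’s own code or exact tag format: a simplified BATV-style scheme that signs the envelope sender of outgoing mail with the active key and checks the tag on the recipient of inbound null-sender (DSN) mail. ACTIVE_KEY, VALID_DAYS and the addresses are constructed values for the example.

```python
import datetime
import hashlib
import hmac

# Constructed key for the example; a real deployment uses its configured active key.
ACTIVE_KEY = b"example-active-key"
VALID_DAYS = 7        # how many days a tag stays valid
TAG_PREFIX = "prvs="  # BATV "private signature" scheme marker


def _today_doy():
    return datetime.date.today().timetuple().tm_yday


def _mac(key, expiry, address):
    # Truncated HMAC over the expiry day and the original sender address
    msg = f"{expiry:03d}{address}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:6]


def tag_sender(address, key=ACTIVE_KEY, today_doy=None):
    """Rewrite the envelope sender of outgoing mail as prvs=DDDMMMMMM=user@domain."""
    today_doy = _today_doy() if today_doy is None else today_doy
    expiry = (today_doy + VALID_DAYS) % 1000  # BATV keeps 3 digits of the expiry day
    return f"{TAG_PREFIX}{expiry:03d}{_mac(key, expiry, address)}={address}"


def verify_tagged(address, key=ACTIVE_KEY, today_doy=None):
    """Check the recipient of an inbound DSN.
    Returns (True, original_address) for a genuine, unexpired tag, else (False, address)."""
    today_doy = _today_doy() if today_doy is None else today_doy
    if not address.startswith(TAG_PREFIX):
        return False, address  # untagged: this mail never left through the unit
    try:
        _, tag, original = address.split("=", 2)
    except ValueError:
        return False, address
    if len(tag) != 9 or not tag[:3].isdigit():
        return False, address
    expiry, mac = int(tag[:3]), tag[3:]
    if (expiry - today_doy) % 1000 > VALID_DAYS:
        return False, address  # expired, or replayed from an old message
    if not hmac.compare_digest(mac, _mac(key, expiry, original)):
        return False, address  # forged tag, or signed with a different key
    return True, original


def handle_bounce(rcpt, key=ACTIVE_KEY, today_doy=None):
    """Policy decision for a message with an empty MAIL FROM (a DSN)."""
    ok, original = verify_tagged(rcpt, key, today_doy)
    return f"deliver to {original}" if ok else "backscatter: apply antispam profile action"
```

Mail that leaves the organisation without passing through the unit carries no tag, so the genuine DSN it provokes is classified as backscatter; that is the reason the text insists all outgoing email be routed through the FortiMail unit.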


One thought on “Best Practices and Fine Tuning”

  1. Esther

    Hello:

    Is it possible to make an alert to notify me when a sender exceeds some maximums? For example, when a sender exceeds 500 mails/hour?

    Thanks