Duplicate message protection
The convenience offered by MM1 and MM4 messaging can be abused by users sending spam or other unwanted messages. Often, the same message will be sent by multiple subscribers. The message can be spam, viral marketing, or worm-generated messages. MMS duplicate prevention can help prevent this type of abuse by keeping track of the messages being sent.
- Using message fingerprints to identify duplicate messages
- Messages from any sender to any recipient
- Setting duplicate message thresholds
- Duplicate message actions
- Notifying duplicate message senders and receivers
- Viewing DLP archived messages
- Order of operations: flood checking before duplicate checking
- Bypassing duplicate message detection based on user’s carrier endpoints
- Configuring duplicate message detection
- Sending administrator alert notifications
Duplicate message protection for MM1 messages prevents multiple subscribers from sending duplicate messages to your MMSC. Duplicate message protection for MM4 messages prevents another service provider from sending duplicate messages from the same subscriber to your MMSC. This can help prevent a potential flood that would otherwise become widespread between carriers.
MM1 and MM4 duplicate message protection
The FortiOS Carrier unit keeps track of the sent messages. If the same message appears more often than the threshold value you configure, then action is taken. Possible actions are logging the duplicates, blocking or intercepting duplicate messages, archiving the duplicate messages, and sending an alert to inform an administrator that duplicates are occurring.
With this highly configurable system, you can prevent the transmission of duplicate messages when there are more than you determine is acceptable.
For detailed configuration options, see Duplicate Message.
Using message fingerprints to identify duplicate messages
The Carrier-enabled FortiGate unit detects duplicates by keeping a record of all the messages travelling on the network and comparing new messages to those that have already been sent.
Rather than save the messages, the FortiOS Carrier unit creates a checksum using the message body and subject. This serves as a fingerprint to identify the message. If another message with the same message body and subject appears, the fingerprint will also be the same and the Carrier-enabled FortiGate unit will recognize it as a duplicate.
By creating and saving message fingerprints instead of saving the messages, the Carrier-enabled FortiGate unit can save resources and time.
Messages from any sender to any recipient
Duplicate message detection will detect duplicate messages regardless of the sender or recipient. To do this, message fingerprints are generated using only the message body and subject. The sender, recipient, and other header information are not included.
If multiple messages appear with the same subject and message body, the Carrier-enabled FortiGate unit will recognize them as being the same.
Setting duplicate message thresholds
The FortiOS Carrier unit recognizes all duplicate messages, but it takes action only when it detects a volume of duplicate messages that exceeds the duplicate threshold you set. The threshold defines the maximum number of duplicate messages allowed, the period during which the messages are counted, and the length of time during which the duplicate message cannot be sent by anyone.
For example, you may determine that once a duplicate message is sent more than 300 times in an hour, any attempt to send the same duplicate message will be blocked for 30 minutes.
If a particular duplicate message exceeds the duplicate message threshold and is blocked, any further attempts to send the same message will re-start the block period.
Using the example above, if the duplicate message count exceeds the duplicate threshold, any attempt to send a copy of the duplicate message will be blocked for 30 minutes. If a subscriber tries to send a copy of the message after waiting 15 minutes, the message will be blocked and the block period will be reset to 30 minutes. The block period must expire with no attempts to send a duplicate message. Only then will a subscriber be allowed to send the message. Non-duplicate messages will not reset the block period.
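The fingerprint and threshold behaviour described above can be modelled in a few lines. This is an added example, not FortiOS Carrier code: the `DuplicateDetector` class and its names are hypothetical, SHA-256 stands in for the unspecified checksum, and the model assumes the message that crosses the threshold is itself blocked.

```python
import hashlib
from collections import deque

def fingerprint(subject: str, body: bytes) -> str:
    # Only subject and body are hashed; sender, recipient and headers are left out.
    # SHA-256 is an assumption: the page only says "checksum".
    subj = subject.encode("utf-8")
    # Length prefix keeps ("ab", b"c") and ("a", b"bc") from colliding.
    return hashlib.sha256(len(subj).to_bytes(4, "big") + subj + body).hexdigest()

class DuplicateDetector:
    def __init__(self, limit=300, window=3600, block_period=1800):
        self.limit, self.window, self.block_period = limit, window, block_period
        self.seen = {}           # fingerprint -> timestamps inside the window
        self.blocked_until = {}  # fingerprint -> time the block expires

    def submit(self, now, sender, subject, body):
        """Return 'pass' or 'block' for a message seen at `now` (seconds)."""
        fp = fingerprint(subject, body)  # sender deliberately ignored
        if now < self.blocked_until.get(fp, 0):
            # Any attempt during the block restarts the full block period.
            self.blocked_until[fp] = now + self.block_period
            return "block"
        times = self.seen.setdefault(fp, deque())
        while times and times[0] <= now - self.window:
            times.popleft()      # forget sends older than the window
        times.append(now)
        if len(times) > self.limit:
            # Assumption: the message that crosses the limit is itself blocked.
            self.blocked_until[fp] = now + self.block_period
            times.clear()
            return "block"
        return "pass"

def run_scenario():
    """Constructed traffic: 301 subscribers send the same text, one per second."""
    d = DuplicateDetector()
    spam = ("Win a prize", b"click here")
    first = [d.submit(t, f"sub{t}", *spam) for t in range(301)]
    return {
        "first_300": set(first[:300]),
        "msg_301": first[300],                                   # block until 2100
        "retry_15min": d.submit(1200, "sub7", *spam),            # block until 3000
        "retry_after_old_expiry": d.submit(2500, "sub8", *spam), # block until 4300
        "other_message": d.submit(2600, "sub7", "Hi", b"lunch?"),
        "after_quiet_period": d.submit(4300, "sub9", *spam),
    }

if __name__ == "__main__":
    print(run_scenario())
```

The retry at 2500 seconds is still blocked even though the original block would have ended at 2100, because the attempt at 1200 restarted the period; the unrelated message at 2600 neither is blocked nor extends the block.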
Duplicate message actions
When the Carrier-enabled FortiGate unit detects that a duplicate message has exceeded the duplicate threshold, it can take any combination of the five actions you configure for the duplicate threshold.
- Log: Add a log entry indicating that a duplicate message event has occurred. You must also enable logging for MMS Scanning > Bulk Messages in the Logging section of the MMS protection profile.
- All messages: Save all the messages that exceed the duplicate threshold in the DLP archive.
- First message only: Save the first message to exceed the duplicate threshold in the DLP archive. Subsequent messages that exceed the duplicate threshold will not be saved.
- Intercept: Messages that exceed the duplicate threshold are passed to the recipients, but if quarantine is enabled for intercepted messages, a copy of each message is also quarantined for later examination. If the quarantine of intercepted messages is disabled, the Intercept action has no effect.
- Block: Messages that exceed the duplicate threshold are blocked and will not be delivered to the message recipients. If quarantine is enabled for blocked messages, a copy of each blocked message is quarantined for later examination.
- Alert Notification: If the duplicate threshold is exceeded, the Carrier-enabled FortiGate unit will send an MMS duplicate message notification message.