Configuring FortiGuard updates and antispam queries

The Maintenance > FortiGuard > Update tab displays the most recent updates to FortiGuard Antivirus engines, antivirus definitions, and FortiGuard antispam definitions (antispam heuristic rules). You can also configure how the FortiMail unit will retrieve updates.

FortiGuard AntiSpam packages for FortiMail units are not the same as those provided to FortiGate units. To support FortiMail’s more full-featured antispam scans, FortiGuard AntiSpam packages for FortiMail contain platform-specific additional updates.

For example, FortiGuard AntiSpam packages for FortiMail contain the heuristic antispam rules used by the heuristic scan. Updates add to, remove from, and re-order the list of heuristic rules so that the methods spammers currently use most are ranked highest in the list. As a result, even if you configure the heuristic scan to use only a lower percentage of the rules, with regular updates the scan automatically uses whichever heuristic rules are currently most effective. This helps to achieve an effective spam catch rate while reducing administrative overhead and improving performance, because the scan consumes only the FortiMail system resources it actually needs.

FortiMail units receive updates from the FortiGuard Distribution Network (FDN), a world-wide network of FortiGuard Distribution Servers (FDS). FortiMail units connect to the FDN by connecting to the FDS nearest to the FortiMail unit by its configured time zone.

In addition to manual update requests, FortiMail units support two kinds of automatic update mechanisms:

  • scheduled updates, by which the FortiMail unit periodically polls the FDN to determine if there are any available updates
  • push updates, by which the FDN notifies FortiMail units when updates become available

For information on configuring scheduled updates, see “Configuring scheduled updates” on page 240. For information on configuring push updates, see “Configuring push updates” on page 241.

You may want to configure both scheduled and push updates. In this way, if the network experiences temporary problems such as connectivity issues that interfere with either method, the other method may still provide your FortiMail unit with updated protection. You can alternatively manually update the FortiMail unit by uploading an update file. For more information on uploading updates, see “License Information widget” on page 176.

For FortiGuard Antispam and FortiGuard Antivirus update connectivity requirements and troubleshooting information, see “Troubleshoot FortiGuard connection issues” on page 707.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To view or change the currently installed FortiGuard status

  1. Go to Maintenance > FortiGuard > Update.

Figure 95: Update tab

  2. Configure the following:

GUI item / Description

FortiGuard Service Status

Name
  The name of the updatable item, such as Anti Virus Definition.

Version
  The version number of the item currently installed on the FortiMail unit.

Expiry Date
  The expiry date of the license for the item.

Last Update Attempt
  The date and time when the FortiMail unit last attempted to download an update.

Last Update Status
  The result of the last update attempt.
  • No updates: Indicates the last update attempt was successful but no new updates are available.
  • Installed updates: Indicates the last update attempt was successful and new updates were installed.
  • Other messages, such as Network Error, indicate that the FortiMail unit could not connect to the FDN, or other error conditions. For more information, see “Troubleshoot FortiGuard connection issues” on page 707.

Included signatures
  Displays the total number of the virus and spam signatures.

FortiGuard distribution network
  The result of the previous scheduled update (TCP 443) connection attempt to the FortiGuard Distribution Network (FDN) or, if enabled and configured, the override server.
  • Available: Indicates that the FortiMail unit successfully connected to the FDN.
  • Unavailable: Indicates that the FortiMail unit could not connect to the FDN. For more information, see “Verifying connectivity with FortiGuard services” on page 237.
  • Unknown: Indicates that the FortiMail unit has not yet attempted to connect to the FDN.
  To test the connection, click Refresh.

Push update
  The result of the previous push update (UDP 9443) connection attempt from the FDN.
  • Available: Indicates that the FDN successfully connected to the FortiMail unit to send push updates. For more information, see “Configuring push updates” on page 241.
  • Unavailable: Indicates that the FDN could not connect to the FortiMail unit. For more information, see “Troubleshoot FortiGuard connection issues” on page 707.
  • Unknown: Indicates that the FortiMail unit has not yet attempted to connect to the FDN.
  To test the connection, click Refresh.

Refresh (button)
  Click to test the scheduled (TCP 443) and push (UDP 9443) update connection of the FortiMail unit to the FDN or, if enabled, the IP address configured in Use override server address.
  When the test completes, the tab refreshes and the results appear beside FortiGuard distribution network and Push update. Time required varies by the speed of the FortiMail unit’s network connection, and the number of timeouts that occur before the connection attempt is successful or the FortiMail unit determines that it cannot connect.
  Note: This does not test the connection for FortiGuard Antispam rating queries, which occur over a different connection and must be tested separately. For details, see “Configuring FortiGuard updates and antispam queries” on page 233.

Use override server address
  Enable to override the default FortiGuard Distribution Server (FDS) to which the FortiMail unit connects for updates, then enter the IP address of the override public or private FDS.
  For more information, see “Verifying connectivity with FortiGuard services” on page 237.

Allow push update
  Enable to allow the FortiMail unit to accept push notifications (UDP 9443). If the FortiMail unit is behind a NAT device, you may also need to enable and configure Use override push IP. For details, see “Configuring push updates” on page 241.
  Push notifications only notify the FortiMail unit that an update is available. They do not transmit the update itself. After receiving a push notification, the FortiMail unit initiates a separate TCP 443 connection to the FDN, similar to a scheduled update, in order to download the update.

Use override push IP
  Enable to override the IP address and default port number to which the FDN sends push notifications.
  • When enabled, the FortiMail unit notifies the FDN to send push updates to the IP address and port number that you enter (for example, a virtual IP/port forward on a NAT device that will forward push notifications to the FortiMail unit).
  • When disabled, the FortiMail unit notifies the FDN to send push updates to the FortiMail unit’s IP address, using the default port number (UDP 9443). This is useful only if the FortiMail unit has a public network IP address.
  For more information, see “Configuring push updates” on page 241.
  This option is available only if Allow push update is enabled.

Scheduled update
  Enable to perform updates according to a schedule, then select one of the following as the frequency of update requests. When the FortiMail unit requests an update at the scheduled time, results appear in Last Update Status.
  • Every: Select to request an update once every 1 to 23 hours, then select the number of hours between each update request.
  • Daily: Select to request an update once a day, then select the hour of the day to check for updates.
  • Weekly: Select to request an update once a week, then select the day of the week, the hour, and the minute of the day to check for updates.
  If you select 00 minutes, the update request occurs at a randomly determined time within the selected hour.

Apply (button)
  Click to save configuration changes on this tab and, if you have enabled Allow push update, notify the FDN of the destination IP address and port number for push notifications to this FortiMail unit.

Update Now (button)
  Click to manually initiate a FortiGuard Antivirus and FortiGuard Antispam engine and definition update request. Results appear in Last Update Status. Time required varies by the availability of updates, the size of the updates, and the speed of the FortiMail unit’s network connection.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Configuring centralized administration

Maintenance > System > Central Management lets you use a FortiManager unit to manage your FortiMail unit’s configuration and firmware.

The latest FortiManager releases support centralized management of FortiMail v3.0 MR4 and MR5 releases. For FortiMail v4.0 releases, centralized management is supported in FortiManager v4.2 and later releases. Refer to the FortiManager release notes for details about supported FortiMail versions. For information on configuring a FortiManager unit to manage or provide services to your other Fortinet devices, see the FortiManager Administration Guide.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To configure centralized administration

  1. Go to Maintenance > System > Central Management.

Figure 94: Central Management tab

  2. Configure the following:

GUI item / Description

Enable central management
  Enable to use a FortiManager unit to manage FortiMail configuration revisions and firmware. For details, see “Backing up your configuration using a FortiManager unit” on page 221 and “Restoring the firmware” on page 222.
  If the FortiManager unit is not configured to automatically register new devices, you must also add the FortiMail unit to the FortiManager unit’s device list. For details, see the FortiManager Administration Guide.

IP
  Enter the IP address of the FortiManager unit.

Allow automatic backup of configuration on logout
  If enabled, and if the FortiMail unit’s configuration has changed, the FortiMail unit will send a configuration backup to the FortiManager unit when the FortiMail administrator logs out of the web UI.
  Alternatively or in addition to this option, configuration backups can also be performed manually. For details, see “Backup and restore” on page 218.

Allow configuration updates initiated by the management server
  If enabled, the FortiMail unit accepts configuration connections from the FortiManager unit.


Maintaining the system

The Maintenance menu contains features for use during scheduled maintenance: updates, backups, restoration, and centralized administration.

Also use it to configure FortiGuard Antispam query connectivity.

  • Backup and restore
  • Configuring centralized administration
  • Configuring FortiGuard updates and antispam queries

Backup and restore

Before installing FortiMail firmware or making significant configuration changes, back up your FortiMail configuration. Backups let you revert to your previous configuration if the new configuration does not function correctly. Backups let you compare changes in configuration.

A complete configuration backup consists of several parts:

  • core configuration file (fml.cfg), including the local certificates
  • Bayesian databases
  • mail queues
  • system, per-domain, and per-user black/white list databases
  • email users’ address books
  • images and language files for customized appearance of the web UI and webmail

To access those parts of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read-Write permission to all categories

For details, see “About administrator account permissions and domains” on page 290.


In addition, although they are not part of the configuration, you may want to back up the following data:

  • email archives
  • log files
  • generated report files
  • mailboxes

Alternatively, if you only want to back up your core configuration file, you can back up the FortiMail unit’s configuration to a FortiManager unit. For details, see “Backing up your configuration using a FortiManager unit” on page 221.

Although mailboxes and quarantines cannot be downloaded to your management computer, you can configure the FortiMail unit to back up mail data by storing it externally, on a NAS server. For details, see “Selecting the mail data storage location” on page 376.

To back up the configuration file

  1. Go to Maintenance > System > Configuration.
  2. In the Backup Configuration area:
    • Select Local PC
    • Enable System configuration.
    • Click Backup.

Your management computer downloads the configuration file. Time required varies by the size of the file and the speed of your network connection. You can restore the backup configuration later when required. For details, see “Restoring the configuration” on page 692.

Backing up a FortiMail v4.0 configuration to a FortiManager unit is supported in FortiManager v4.2 and newer releases. See “Backing up your configuration using a FortiManager unit” on page 221. Also see “Configuring centralized administration” on page 232.

To back up the Bayesian databases

  1. Go to Maintenance > AntiSpam > Database Maintenance.
  2. Click Backup Bayesian database.

Your management computer downloads the database file. Time required varies by the size of the file and the speed of your network connection.

To back up the mail queues

  1. Go to Maintenance > System > Mail Queue.
  2. Click Backup Queue.

Your management computer downloads the database file. Time required varies by the size of the file and the speed of your network connection.

To back up the black/white list database

  1. Go to Maintenance > AntiSpam > Black/White List Maintenance.
  2. Click Export Black/White List.

Your management computer downloads the database file. The time required varies by the size of the file and the speed of your network connection.

To back up email users’ accounts (server mode only)

  1. Go to User > User > User.
  2. Click Export .CSV.

Your management computer downloads the user account spreadsheet file. Time required varies by the size of the file and the speed of your network connection.

To back up the global address book (server mode only)

  1. Go to Mail Settings > Address Book > Contacts.
  2. Click
  3. On the pop-up menu, select CSV.

You are prompted for a location to save the file. Follow the prompts and click Save.

Your management computer downloads the address book spreadsheet file. Time required varies by the size of the file and the speed of your network connection.

To back up customized appearances of the web UI and webmail UI

  1. Go to System > Configuration > Appearance.
  2. In Administration interface, for each image file, save the image to your management computer.

Methods vary by web browser. For example, you might need to click and drag the images into a folder on your management computer in order to save them to that folder. For instructions, see your browser’s documentation.

  3. Click the arrow to expand Webmail interface.
  4. For each webmail language, click the name of the language to select it, then click Download.

Your management computer downloads the language file. Time required varies by the size of the file and the speed of your network connection.

To back up email archives

  1. Go to Maintenance > System > Mail Data.

In addition to downloading email archives to your management computer, you can configure the FortiMail unit to store email archives on an SFTP or FTP server. For details, see “Managing archived email” on page 203 and “Configuring email archiving accounts” on page 656.

  2. Continue using the instructions in “Configuring mailbox backups” on page 227.


Viewing generated reports

The Report tab displays the list of reports generated from the report profiles. You can delete, view, and/or download generated reports.

FortiMail units can generate reports automatically, according to the schedule that you configure in the report profile, or manually, when you select a report profile and click Generate. For more information, see “Configuring report profiles and generating reports” on page 676.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To view and generate reports

  1. Go to Monitor > Report > Report.

Figure 87: Report tab

GUI item / Description

Delete (button)
  Click to delete the selected item.

Download (button)
  Click to download the report in PDF or HTML format.

Report File Name
  Lists the name of the generated report, and the date and time at which it was generated.
  For example, Report 1-2008-03-31-2112 is a report named Report 1, generated on March 31, 2008 at 9:12 PM.
  To view an individual section of the report in HTML format, click + next to the report name to expand the list of HTML files that comprise the report, then double-click one of the file names.

Last Access Time
  Lists the date and time when the FortiMail unit completed the generated report.

Size
  Lists the file size of the report in HTML format, in bytes.

  2. To view the report in PDF file format, mark the check box in the corresponding row, click Download, then select Download PDF on the pop-up menu.
  3. To view the report in HTML file format, you can view all sections of the report together, or you can view report sections individually.
    • To view all report sections together, mark the check box in the row corresponding to the report, such as treportprofile-2011-06-27-1039, then click Download and select Download HTML. Your browser downloads a file with an archive (.tgz.gz) file extension to your management computer. To view the report, first extract the report files from the archive, then open the HTML files in your web browser.
    • Each Query Selection in the report becomes a separate HTML file, so you can also view the report as individual HTML files. In the row corresponding to the report that you want to view, click + next to the report name to expand the list of sections, then double-click the file name of the section that you want to view, such as html. The report appears in a new browser window.

Figure 88: Viewing a generated report (HTML file format, Mail by Sender)



Viewing log messages

The Log submenu displays locally stored log files. If you configured the FortiMail unit to store log messages locally (that is, to the hard disk), you can view the log messages currently stored in each log file.

Logs stored remotely cannot be viewed from the web UI of the FortiMail unit. If you require the ability to view logs from the web UI, also enable local storage. For details, see “Configuring logging to the hard disk” on page 672.

The Log submenu includes the following tabs, one for each log type:

  • History: Where you can view the log of sent and undelivered SMTP email messages.
  • Event: Where you can view the log of administrator activities and system events.
  • AntiSpam: Where you can view the log of email detected as spam.
  • AntiVirus: Where you can view the log of email detected as infected by a virus.
  • Encryption: Where you can view the log of IBE encryption. For more information about using IBE, see “Configuring IBE encryption” on page 357.

For more information on log types, see “FortiMail log types” on page 667.

Each tab contains a similar display.

The lists are sorted by the time range of the log messages contained in the log file, with the most recent log files appearing near the top of the list.

For example, the current log file would appear at the top of the list, above a rolled log file whose time might range from 2008-05-08 11:59:36 Thu to 2008-05-29 10:44:02 Thu.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To view the list of log files and their contents

  1. Go to Monitor > Log.
  2. Click the tab corresponding to the type of log file that you want to view (History, Event, AntiVirus, AntiSpam, or Encryption).

Figure 81: Antispam log tab

GUI item / Description

Download (button)
  Click to download the log file in one of several formats:
  • Normal Format for a log file that can be viewed with a plain text editor such as Microsoft Notepad.
  • CSV Format for a comma-separated value (.csv) file that can be viewed in a spreadsheet application such as Microsoft Excel or OpenOffice Calc.
  • Compressed Format for a plain text log file like Normal Format, except that it is compressed and stored within a .gz archive.

Search (button)
  Click to search all log files of this type.
  Unlike the search when viewing the contents of an individual log file, this search displays results regardless of which log file contains them.
  For more information, see “Searching log messages” on page 212.

Start Time
  Lists the beginning of the log file’s time range.

End Time
  Lists the end of the log file’s time range.

Size
  Lists the size of the log file in bytes.
  3. To view messages contained in logs:
    • double-click a log file to display the file’s log messages

To view the current page’s worth of the log messages as an HTML table, right-click and select Export to Table. The table appears in a new tab. To download the table, click and drag to select the whole table, then copy and paste it into a rich text editor such as Microsoft Word or OpenOffice Writer.

    • click a row to select its log file, click Download, then select a format option

Alternatively, to display a set of log messages that may reside in multiple, separate log files:

  • If the log files are of the same type (for example, all antispam logs), click Search. For details, see “Searching log messages” on page 212.
  • If the log messages are of different types but all caused by the same email session ID, you can do a cross-search to find and display all correlating log messages. For details, see “Cross-searching log messages” on page 214.

For descriptions of individual log messages, see the FortiMail Log Message Reference.

Log messages can appear in either raw or formatted views.

  • Raw view displays log messages exactly as they appear in the plain text log file.
  • Formatted view displays log messages in a columnar format. Each log field in a log message appears in its own column, aligned with the same field in other log messages, for rapid visual comparison. When displaying log messages in formatted view, you can customize the log view by hiding, displaying and arranging columns and/or by filtering columns, refining your view to include only those log messages and fields that you want to see.

By default, log messages always appear in columnar format, with one log field per column. However, when viewing this columnar display, you can also view the log message in raw format by hovering your mouse over the index number of the log message, in the # column, as shown in Table .

Figure 82: Log messages

Table 19: Viewing log messages at Monitor > Log

GUI item / Description

Level
  Select the severity level that a log message must equal or exceed in order to appear.
  For more information, see “Log message severity levels” on page 668.

Save View (button)
  Click to save the customized view. Future log message reports appear in this view.

Search (button)
  Click to search the currently displayed log file. For more information, see “Searching log messages” on page 212.
  Alternatively, to search all log files of that type, use the Search button on the list of log files. For details, see “Viewing log messages” on page 206.

Back (button)
  Click to return to the view before a search.

Subtype (event log only)
  Select one of the following subtypes that a log message must match in order to appear:
  • ALL: Display all log messages, and do not filter out any subtype.
  • Configuration: Display only log messages containing subtype=config.
  • Admin User: Display only log messages containing subtype=admin.
  • Web Mail: Display only log messages containing subtype=webmail.
  • System: Display only log messages containing subtype=system.
  • HA: Display only log messages containing subtype=ha.
  • Update: Display only log messages containing subtype=update.
  • POP3: Display only log messages containing subtype=pop3.
  • IMAP: Display only log messages containing subtype=imap.
  • SMTP: Display only log messages containing subtype=smtp.
  • OTHERS: Display all lines that have a subtype value that is not any of the above subtypes, from Configuration to SMTP.
  This option appears only when displaying the event log. Log subtypes reflect the types selected when enabling logging. For details, see “FortiMail log types” on page 667.

When hovering your mouse cursor over a log message, that row is temporarily highlighted; however, this temporary highlight automatically follows the cursor, and will move to a different row if you move your mouse. To create a row highlight that does not move when you move your mouse, click anywhere in the row of the log message.

For information on individual log messages, see the FortiMail Log Message Reference.
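The Subtype and Level filters and the cross-search by email session ID described above can also be applied to downloaded log files outside the web UI. The following is an added example written for this page, not FortiMail code: it assumes a key=value line layout with pri=, session_id=, from= and to= fields and a severity ordering (only the subtype= values and the existence of a session ID are stated by the guide), and every sample log line in it is constructed.

```python
"""Filter FortiMail-style log lines by subtype and severity, and cross-search by session ID.

Added example written for this page; it is not FortiMail code. The guide names the
event-log subtypes (subtype=config, admin, webmail, ...), the Level filter, and the
cross-search that correlates log messages of different types by SMTP session ID.
The key=value line layout, the field names pri=, session_id=, from= and to=, and
the severity ordering are assumed for this example; every sample line is constructed.
"""
import re

# Least to most severe (assumed ordering; the Level selector keeps messages at or above a level).
LEVELS = ["debug", "information", "notification", "warning",
          "error", "critical", "alert", "emergency"]
LEVEL_RANK = {name: rank for rank, name in enumerate(LEVELS)}

# Subtypes offered by the event log's Subtype selector; anything else falls under OTHERS.
KNOWN_SUBTYPES = {"config", "admin", "webmail", "system", "ha",
                  "update", "pop3", "imap", "smtp"}

# Constructed sample lines, one list per log type, as if downloaded in Normal Format.
SAMPLE_LOGS = {
    "event": [
        'date=2008-05-29 time=10:44:02 type=event subtype=admin pri=information '
        'user=admin msg="Administrator login successful"',
        'date=2008-05-29 time=10:45:10 type=event subtype=config pri=notification '
        'user=admin msg="AntiSpam profile default changed"',
        'date=2008-05-29 time=10:46:00 type=event subtype=smtp pri=information '
        'session_id="s123" msg="Connection from 203.0.113.5"',
        'date=2008-05-29 time=10:47:00 type=event subtype=update pri=error '
        'msg="FortiGuard update failed: Network Error"',
        'date=2008-05-29 time=10:48:00 type=event subtype=kernel pri=debug '
        'msg="Disk check completed"',
    ],
    "antispam": [
        'date=2008-05-29 time=10:46:01 type=spam pri=warning session_id="s123" '
        'from="bob@example.net" to="alice@example.com" msg="Detected by heuristic scan"',
    ],
    "history": [
        'date=2008-05-29 time=10:46:02 type=statistics pri=information session_id="s123" '
        'from="bob@example.net" to="alice@example.com" disposition="Reject"',
    ],
}

# One key=value pair: the value is either double-quoted (may contain spaces) or a bare token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split a log line into a dict; quoted values lose their quotes."""
    fields = {}
    for match in FIELD_RE.finditer(line):
        key, quoted, bare = match.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def filter_by_subtype(lines, subtype):
    """Mimic the event log Subtype selector: ALL, one named subtype, or OTHERS."""
    entries = [parse_line(line) for line in lines]
    if subtype == "ALL":
        return entries
    if subtype == "OTHERS":
        return [e for e in entries if e.get("subtype") not in KNOWN_SUBTYPES]
    return [e for e in entries if e.get("subtype") == subtype]


def filter_by_level(lines, minimum):
    """Keep messages whose severity equals or exceeds `minimum` (the Level selector)."""
    floor = LEVEL_RANK[minimum]
    return [e for e in map(parse_line, lines)
            if LEVEL_RANK.get(e.get("pri"), 0) >= floor]


def cross_search(logs, session_id):
    """Collect, per log type, every message that carries the given SMTP session ID."""
    hits = {}
    for log_type, lines in logs.items():
        matched = [e for e in map(parse_line, lines) if e.get("session_id") == session_id]
        if matched:
            hits[log_type] = matched
    return hits


if __name__ == "__main__":
    # Correlate the event, antispam and history entries of one SMTP session.
    for log_type, entries in cross_search(SAMPLE_LOGS, "s123").items():
        for e in entries:
            print(f'{log_type:9} {e["time"]} {e.get("msg", e.get("disposition"))}')
```

The cross-search walks every log type rather than one file, which is the point of the web UI's cross-search: the SMTP connection, the antispam verdict and the delivery disposition for one session are written to three different logs and only the session ID ties them together.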

Managing archived email

You can archive email according to criteria you specify. For details, see “Email archiving workflow” on page 656.

You can view and search archived email through the web UI. You can also download them, forward them to an email address, and use them to train the Bayesian databases.

For more information on Bayesian database training, see “Training the Bayesian databases” on page 645.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read-Write permission to the Others category

For details, see “About administrator account permissions and domains” on page 290.

To view archived email

  1. Go to Monitor > Archive > Archive Accounts.
  2. Select the email archive account you want to view and click View. For details about email archive accounts, see “Configuring email archiving accounts” on page 656.
  3. From the Archive Folder drop-down list, select Inbox to view the good mail mailboxes, or select Bulk to view the spam mailboxes.
  4. Double-click the name of the email archive mailbox that you want to view.

A list of archived email appears.

Figure 79: Contents of an archive mailbox

GUI item / Description

View (button)
  To view a message, mark its check box and click View. You can also view the message by double-clicking it.

Send (button)
  Select the check box of each email that you want to send to an email address as a mailbox (.mbox) file, then click this button.

Export (button)
  Select the check box of each email that you want to download, then click Export to download a mailbox (.mbox) file or an archive (.tar.gz) file containing individual email (.eml) files.

Train Bayesian Database (button)
  Mark the check box of each email message to use to train the Bayesian databases, then click this button. For more information, see “To train Bayesian databases with archived mail” on page 204.

Back (button)
  Click to return to the list of archive mailboxes.

To train Bayesian databases with archived mail

  1. Go to Monitor > Archive > Archive Accounts.
  2. Select the email archive account you want to view and click View. For details about email archive accounts, see “Configuring email archiving accounts” on page 656.
  3. From the Archive Folder drop-down list, select Inbox to view the good mail mailboxes, or select Bulk to view the spam mailboxes.
  4. Double-click the name of the email archive mailbox that you want to use to train the Bayesian databases.
  5. In the check box column, mark the check box of each email that you want to use to train the Bayesian databases. To use all messages for training, select the check box above the first message to mark the check boxes of all email on the current page.
  6. Click Train Bayesian Database.

Figure 80: Training a Bayesian database using archived email

  7. Select whether to use the messages as spam or non-spam (known as innocent messages) email.
  8. Select the database you want to train: global, per-domain (group), or personal.
    • Global requires no further information.
    • For per-domain database training, select the domain.
    • For personal database training, select the domain in Group database, then select the name of the user.
  9. Click Apply.


Viewing the endpoint reputation statuses

Go to Monitor > Endpoint Reputation > Auto Blacklist to view the current list of carrier end points (by their MSISDN, subscriber ID, or other identifier) that were caught by FortiMail for sending spam. For general procedures about how to configure endpoint reputation, see “Configuring endpoint reputation” on page 639.

If a carrier end point has attempted to deliver, during the automatic blacklisting window, a number of spam text messages greater than the automatic endpoint blacklisting threshold, the FortiMail unit adds the carrier end point to the automatic endpoint black list for the duration configured in the session profile. Until that entry expires, all text messages or email messages from the carrier end point are rejected. For information on configuring the automatic black list window, see “Configuring the endpoint reputation score window” on page 643. For information on enabling the endpoint reputation scan and configuring the automatic black list threshold in a session profile, see “Configuring session profiles” on page 482.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Black/White List category

For details, see “About administrator account permissions and domains” on page 290.

To view the automatic endpoint reputation black list, go to Monitor > Endpoint Reputation > Auto Blacklist.

Figure 77: Viewing endpoint reputation scores

Table 18: Auto Blacklist tab

GUI item         Description
Move (button)    To move entries to the manual endpoint black list or white list, in the check box column, mark the check boxes of entries that you want to move, then click Move.
Search (button)  Click to filter the displayed entries. For more information, see “Filtering automatic endpoint black list entries” on page 202.
Endpoint ID      Lists the mobile subscriber ISDN number (MSISDN), subscriber ID, login ID, or other unique identifier for the carrier end point.
Score            Lists the number of text messages or email messages that the FortiMail unit has detected as spam or infected from the MSISDN/subscriber ID during the automatic endpoint black list window.
Expire           Lists the time at which the automatic endpoint blacklisting entry expires and is removed from the list. N/A appears if the endpoint ID has not reached the threshold yet.

Filtering automatic endpoint black list entries

You can filter automatic endpoint black list entries that appear on the Auto Blacklist tab based on the MSISDN, subscriber ID, or other sender identifier.

To filter the endpoint black list entries

  1. Go to Monitor > Endpoint Reputation > Auto Blacklist.
  2. Click Search.

A dialog appears.

Figure 78: Search dialog

GUI item         Description
Field            Displays one option: Endpoint ID.
Operation        Select how to match the field’s contents, such as whether the row must contain the contents of Value.
Case Sensitive   Enable for case-sensitive filtering.
Value            Enter the identifier of the carrier end point, such as the subscriber ID or MSISDN, for the entry that you want to display.

A blank field matches any value. Use an asterisk (*) to match multiple patterns, such as typing 46* to match 46701123456, 46701123457, and so forth. Regular expressions are not supported.

  3. Click Search.

The Auto Blacklist tab appears again, but its contents are restricted to entries that match your filter criteria. To remove the filter criteria and display all entries, click the Auto Blacklist tab to refresh its view.
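The blacklisting rule described above (count spam or infected messages from one end point inside a sliding window, blacklist the end point for a configured duration once the count exceeds the threshold, show N/A in the Expire column until then) and the asterisk filter of the Search dialog are modelled below. This is an added example, not FortiMail code. It assumes that the window, threshold and duration are the three session-profile parameters the text names, that timestamps are seconds, and that an asterisk in the filter matches any run of characters while every other character is literal, since the page states that regular expressions are not supported.

```python
"""Model of automatic endpoint blacklisting and the Auto Blacklist search filter.

Added example, not FortiMail code. Assumptions: window/threshold/duration are the
session-profile settings named in the text; timestamps are seconds; '*' in the
filter matches any run of characters and nothing else is special.
"""
from collections import defaultdict, deque
import re


class EndpointReputation:
    def __init__(self, window_s: int, threshold: int, duration_s: int):
        self.window_s = window_s          # automatic blacklisting window
        self.threshold = threshold        # automatic endpoint blacklisting threshold
        self.duration_s = duration_s      # how long an entry stays on the auto black list
        self._spam = defaultdict(deque)   # endpoint ID -> timestamps of spam/infected messages
        self._expiry = {}                 # endpoint ID -> time the blacklist entry expires

    def _prune(self, endpoint: str, now: float) -> None:
        q = self._spam[endpoint]
        while q and q[0] <= now - self.window_s:
            q.popleft()                   # outside the window; no longer counted

    def is_blocked(self, endpoint: str, now: float) -> bool:
        """True while the endpoint is on the automatic black list and the entry has not expired."""
        return self._expiry.get(endpoint, 0) > now

    def record_spam(self, endpoint: str, now: float) -> bool:
        """Count one message detected as spam or infected. Returns True when this
        message pushed the endpoint over the threshold and onto the black list."""
        self._prune(endpoint, now)
        self._spam[endpoint].append(now)
        if not self.is_blocked(endpoint, now) and len(self._spam[endpoint]) > self.threshold:
            self._expiry[endpoint] = now + self.duration_s
            return True
        return False

    def score(self, endpoint: str, now: float) -> int:
        """The Score column: spam/infected messages seen during the window."""
        self._prune(endpoint, now)
        return len(self._spam[endpoint])

    def expire(self, endpoint: str, now: float):
        """The Expire column: expiry time, or None (shown as N/A) if the threshold was not reached."""
        exp = self._expiry.get(endpoint)
        return exp if exp is not None and exp > now else None

    def auto_blacklist(self, now: float):
        """Rows of the Auto Blacklist tab as (endpoint ID, score, expire) tuples."""
        rows = []
        for endpoint in sorted(set(self._spam) | set(self._expiry)):
            s, x = self.score(endpoint, now), self.expire(endpoint, now)
            if s or x is not None:        # only endpoints that were actually caught
                rows.append((endpoint, s, x))
        return rows


def filter_rows(rows, pattern: str, case_sensitive: bool = False):
    """Apply the Search dialog's Endpoint ID filter: a blank pattern matches every
    row, '*' matches any run of characters, everything else is matched literally."""
    if pattern == "":
        return list(rows)
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    flags = 0 if case_sensitive else re.IGNORECASE
    return [row for row in rows if re.match(regex, row[0], flags)]


if __name__ == "__main__":
    # Constructed sample: window 1 h, threshold 2, blacklist for 2 h.
    er = EndpointReputation(window_s=3600, threshold=2, duration_s=7200)
    for t in (0, 100, 200):
        er.record_spam("46701123456", t)
    er.record_spam("46701123457", 500)
    for row in filter_rows(er.auto_blacklist(1000), "46*"):
        print(row)
```

Note that the Score column drops back to zero once the counted messages fall out of the window, while the blacklist entry itself stays in force until its own expiry time; the two timers are independent, which is why the Expire column is shown separately from Score.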



Viewing the sender reputation statuses

The FortiMail unit tracks SMTP client behavior to limit deliveries of those clients sending excessive spam messages, infected email, or messages to invalid recipients. Should clients continue delivering these types of messages, their connection attempts are temporarily or permanently rejected. Sender reputation is managed by the FortiMail unit and requires no administration.

Monitor > Sender Reputation > Display displays the sender reputation score for each SMTP client.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read-Write permission to the Policy category

For details, see “About administrator account permissions and domains” on page 290.

For more information on enabling sender reputation and configuring the score thresholds, see “Configuring sender reputation options” on page 485.

To view the sender reputation scores, go to Monitor > Sender Reputation > Display.

Figure 75: Display tab

Table 17: Viewing the sender reputation statuses

GUI item         Description
Search (button)  Click to filter the displayed entries. For more information, see “Filtering sender reputation score entries” on page 199.
IP               The IP address of the SMTP client.
Score            The SMTP client’s current sender reputation score.
State            Lists the action that the sender reputation feature is currently performing for delivery attempts from the SMTP client.
                 • Score controlled: The action is determined by comparing the current Score value to the thresholds in the session profile.
Last Modified    Lists the time and date the sender reputation score was most recently modified.

Sender reputation is a predominantly automatic antispam feature, requiring little or no maintenance. For each connecting SMTP client (sometimes called a sender), the sender reputation feature records the sender IP address and the number of good email and bad email from the sender.

In this case, bad email is defined as:

  • Spam
  • Virus-infected
  • Unknown recipients
  • Invalid DKIM
  • Failed SPF check

The sender reputation feature calculates the sender’s current reputation score using the ratio of good email to bad email, and performs an action based on that score.

The FortiMail unit calculates the sender reputation score using statistics up to 12 hours old, with more recent statistics influencing the score more than older statistics. The sender reputation score decreases (improves) as time passes where the sender has not sent spam. The score itself ranges from 0 to 100, with 0 representing a completely acceptable sender, and 100 being a totally unacceptable sender.

To determine which action the FortiMail unit will perform after it calculates the sender reputation score, the FortiMail unit compares the score to three score thresholds which you can configure in the session profile:

  1. Throttle client at: For scores less than this threshold, senders are allowed to deliver email without restrictions. For scores greater than this threshold but less than the temporary fail threshold, senders are rate-limited in the number of email messages that they can deliver per hour, expressed as either an absolute number or as a percentage of the number sent during the previous hour. If a sender exceeds the limit and keeps sending email, the FortiMail unit will send temporary failure codes to the sender. See descriptions for Temporary fail in “Configuring sender reputation options” on page 485.
  2. Temporarily fail: For scores greater than this threshold but less than the reject threshold, the FortiMail unit replies to senders with a temporary failure code, delaying delivery and requiring senders to retry later when their score is reduced.
  3. Reject: For scores greater than this threshold, the FortiMail unit replies to senders with a rejection code.

If the SMTP client does not attempt any email deliveries for more than 12 hours, the SMTP client’s sender reputation entry is deleted, and a subsequent delivery attempt is regarded as a new SMTP client by the sender reputation feature.
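The scoring and threshold logic described above (bad email as the five listed verdicts, a 0 to 100 score built from the good/bad ratio with recent statistics weighted more than older ones, three thresholds selecting allow, throttle, temporary fail or reject, and deletion of the entry after 12 hours of inactivity) is modelled in the following added example. It is not FortiMail code. The page does not say how older statistics are weighted, so the example assumes a linear decay from full weight now to zero weight at 12 hours, and it assumes that a score exactly equal to a threshold falls into the higher band; the threshold values, IP address and verdict sequence are constructed for the demonstration.

```python
"""Model of sender reputation scoring with three configurable thresholds.

Added example, not FortiMail code. Assumptions not stated on the page:
- each good/bad event is weighted linearly by age, 1.0 now down to 0.0 at 12 hours,
  so recent statistics influence the score more than older ones;
- score = 100 * weighted bad / weighted total, giving the page's 0..100 range;
- a score equal to a threshold is treated as being in the higher band.
"""
from enum import Enum

WINDOW_S = 12 * 60 * 60   # statistics older than this are discarded (page: "up to 12 hours old")


class Verdict(Enum):
    """Per-message outcomes; the page lists the five kinds that count as bad email."""
    CLEAN = "clean"
    SPAM = "spam"
    VIRUS = "virus-infected"
    UNKNOWN_RECIPIENT = "unknown recipient"
    INVALID_DKIM = "invalid DKIM"
    FAILED_SPF = "failed SPF check"


BAD_VERDICTS = {Verdict.SPAM, Verdict.VIRUS, Verdict.UNKNOWN_RECIPIENT,
                Verdict.INVALID_DKIM, Verdict.FAILED_SPF}


class Action(Enum):
    ALLOW = "allow"         # below "Throttle client at": deliver without restriction
    THROTTLE = "throttle"   # rate-limit the number of messages per hour
    TEMPFAIL = "tempfail"   # reply with a temporary failure code; sender retries later
    REJECT = "reject"       # reply with a rejection code


class SenderReputation:
    def __init__(self, throttle_at: float, tempfail_at: float, reject_at: float):
        if not throttle_at < tempfail_at < reject_at:
            raise ValueError("thresholds must increase: throttle < tempfail < reject")
        self.throttle_at, self.tempfail_at, self.reject_at = throttle_at, tempfail_at, reject_at
        self._events = {}      # client IP -> list of (timestamp, is_bad)
        self._last_seen = {}   # client IP -> timestamp of the last delivery attempt

    def record(self, ip: str, now: float, verdict: Verdict) -> None:
        """Record one delivery attempt from an SMTP client and its verdict."""
        # No attempts for more than 12 hours: drop the entry; the client counts as new.
        if ip in self._last_seen and now - self._last_seen[ip] > WINDOW_S:
            del self._events[ip]
        self._events.setdefault(ip, []).append((now, verdict in BAD_VERDICTS))
        self._last_seen[ip] = now

    def _weighted(self, ip: str, now: float):
        """Return (weighted bad, weighted total) over events younger than the window."""
        kept, bad, total = [], 0.0, 0.0
        for ts, is_bad in self._events.get(ip, []):
            age = now - ts
            if age >= WINDOW_S:
                continue                    # too old to influence the score
            kept.append((ts, is_bad))
            weight = 1.0 - age / WINDOW_S   # assumption: linear decay with age
            total += weight
            if is_bad:
                bad += weight
        if ip in self._events:
            self._events[ip] = kept
        return bad, total

    def score(self, ip: str, now: float) -> float:
        """0 = completely acceptable sender, 100 = totally unacceptable sender."""
        bad, total = self._weighted(ip, now)
        return 0.0 if total == 0 else 100.0 * bad / total

    def action(self, ip: str, now: float) -> Action:
        """Compare the score to the three session-profile thresholds."""
        s = self.score(ip, now)
        if s < self.throttle_at:
            return Action.ALLOW
        if s < self.tempfail_at:
            return Action.THROTTLE
        if s < self.reject_at:
            return Action.TEMPFAIL
        return Action.REJECT

    def retained_events(self, ip: str) -> int:
        """Number of statistics still held for the client (0 once the entry is deleted)."""
        return len(self._events.get(ip, []))


if __name__ == "__main__":
    # Constructed sample: thresholds 30/60/80, one client that sends three bad messages,
    # then three clean ones six hours later, and is checked again at ten hours.
    sr = SenderReputation(throttle_at=30, tempfail_at=60, reject_at=80)
    client = "192.0.2.10"
    for v in (Verdict.SPAM, Verdict.VIRUS, Verdict.UNKNOWN_RECIPIENT):
        sr.record(client, 0, v)
    print(sr.score(client, 0), sr.action(client, 0))
    for _ in range(3):
        sr.record(client, 6 * 3600, Verdict.CLEAN)
    print(sr.score(client, 6 * 3600), sr.action(client, 6 * 3600))
    print(sr.score(client, 10 * 3600), sr.action(client, 10 * 3600))
```

Running the sample shows the behaviour the text describes: the client starts at a score of 100 (reject), falls to about 33 after three clean messages (throttle), and decays to 20 (allow) four hours later with no further bad email, because the old bad statistics lose weight as they age.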

Filtering sender reputation score entries

You can filter sender reputation score entries that appear on the Display tab based on the IP address of the SMTP client, the score, state, and date/time of the last score modification.

To filter the sender reputation score entries

  1. Go to Monitor > Sender Reputation > Display.
  2. Click Search.

A dialog appears.

Figure 76: Search dialog

  3. Configure one or more of the following:
GUI item         Description
Field            Select which field of the entries to filter the display by: IP, Score, State, or Last Modified.
Operation        Select how to match the field’s contents, such as whether the row must contain the contents of Value.
Case Sensitive   Enable for case-sensitive filtering.
Value            Enter a pattern or exact value, based on your selection in Field and Operation.
                 • IP: Enter the IP address of the SMTP client, such as 172.16.1.10, for the entry that you want to display.
                 • Score: Enter the minimum and maximum of the range of scores of entries that you want to display.
                 • State: Select the State of entries that you want to display.
                 • Last Modified: Select the year, month, day, and/or hour before or after the Last Modified value of entries that you want to display.

Blank fields match any value. Regular expressions and wild cards are not supported.

  4. Click Search.

The Display tab appears again, but its contents are restricted to entries that match your filter criteria. To remove the filter criteria and display all entries, click the Display tab to refresh its view.

