FortiGate Email Filtering. Module Objectives By the end of this module participants will be able to:...

Post on 17-Dec-2015


FortiGate Email Filtering

Module Objectives

• By the end of this module participants will be able to:

• Identify the email filtering methods used on the FortiGate device

• Configure banned word, IP address and email address filters

• Define firewall policies using email filter profiles

• Identify the differences between the email filtering capabilities of the FortiGate and FortiMail units

Email Filtering

Email filtering

SPAM?

• The FortiGate unit can detect and manage spam email

Spam Actions

Tag / Discard

Subject: Free Stuff

Subject: [SPAM] Free Stuff

• Tag to add a custom word or phrase to the subject line, or a MIME header and value to the message headers, and deliver the message so the recipient or mail client can sort it

• Discard to immediately drop the connection if spam is detected; the message is never delivered

Email Filtering Methods

• The FortiGate unit uses a number of techniques to help detect spam

• Some use the FortiGuard Antispam service and require a subscription

• Others use DNS servers or filters created on the device

FortiGuard IP Address Check

Received: from mail.acme.com (10.10.10.1) by classroom.fortinet.com with SMTP; 30 Sept 2010 02:27:02 -0000

• The FortiGate unit queries the FortiGuard Antispam Service to determine if the source IP address of the sender is blacklisted

• A match will cause the FortiGate unit to treat the message as spam

• The address checked is that of the server delivering the message to the FortiGate unit; earlier Received headers in the chain were written by other servers and can be forged, so they are not a reliable source for this check

FortiGuard URL and Email Address Check

Visit our web site at www.acme.com to learn more about this great offer or send an email to deals@acme.com.

• The FortiGate unit queries the FortiGuard Antispam Service to determine if any URLs or email addresses in the message body are associated with spam

FortiGuard Email Checksum Check

Our online pharmacy offers great prices on all your prescription medications.

hash

• The FortiGate unit sends a hash of the email message to the FortiGuard Antispam Service

• The FortiGuard Antispam Service compares the hash received to hashes of known spam messages; a match causes the message to be treated as spam

• Only the hash leaves the device, not the message content

IP Address Black/White List (BWL)

Received: from mail.acme.com (10.10.10.1) by classroom.fortinet.com with SMTP; 30 Sept 2010 02:27:02 -0000

Mark as Clear

Mark as Spam

Mark as Reject

• The FortiGate unit compares the IP address of the sender of an email message to the IP addresses specified in the email filter profile

• An administrator can add to or edit the IP addresses and configure the action to take

Email Address Black/White List (BWL)

From: bsmith@acme.com

Mark as Clear

Mark as Spam

• The FortiGate unit compares the email address of the sender of an email message to the email addresses specified in the email filter profile

• An administrator can add to or edit the email addresses and configure the action to take

• Wildcards and regular expressions can be used to define the email address
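The two black/white list checks above, as an added example written for this page rather than FortiGate code. It evaluates a sender IP against CIDR entries and a sender address against wildcard and regular-expression entries, returning the configured action. The list contents are constructed (10.10.10.1 is the slide's relay; 192.0.2.0/24 and the .example domain are documentation ranges), and two behaviours are assumptions not stated on the slides: entries are checked top to bottom with the first match deciding, and a sender that matches nothing gets no verdict so the other checks can run.

```python
"""Added example: IP and email address black/white list (BWL) evaluation."""
import ipaddress
import re
from fnmatch import fnmatchcase

CLEAR, SPAM, REJECT = "clear", "spam", "reject"

# Constructed IP BWL, ordered as an administrator would list it: (CIDR network, action).
# Assumption: first matching entry wins, so the /32 exception must sit above the /24.
IP_BWL = [
    ("10.10.10.1/32", CLEAR),     # trusted relay from the slide example
    ("10.10.10.0/24", SPAM),      # the rest of that subnet
    ("192.0.2.0/24", REJECT),     # documentation range standing in for a blacklist
]

# Constructed email BWL: (pattern, pattern type, action).
# "wildcard" uses * and ? as in the GUI; "regexp" is a Perl-style regular expression.
EMAIL_BWL = [
    ("bsmith@acme.com", "wildcard", CLEAR),
    ("*@acme.com", "wildcard", SPAM),
    (r"^deals[0-9]*@.*\.example$", "regexp", SPAM),
]


def ip_bwl_action(sender_ip, entries=IP_BWL):
    """Return the action of the first entry whose network contains sender_ip, else None."""
    addr = ipaddress.ip_address(sender_ip)
    for network, action in entries:
        if addr in ipaddress.ip_network(network, strict=False):
            return action
    return None


def _email_matches(pattern, kind, address):
    if kind == "wildcard":
        # fnmatchcase gives * and ? the meaning the slide's wildcard filters use;
        # comparison is case-insensitive, as mail addresses are compared in practice.
        return fnmatchcase(address.lower(), pattern.lower())
    if kind == "regexp":
        return re.search(pattern, address, re.IGNORECASE) is not None
    raise ValueError("unknown pattern type: %r" % kind)


def email_bwl_action(sender, entries=EMAIL_BWL):
    """Return the action of the first entry matching the sender address, else None."""
    for pattern, kind, action in entries:
        if _email_matches(pattern, kind, sender):
            return action
    return None


if __name__ == "__main__":
    for ip in ("10.10.10.1", "10.10.10.77", "192.0.2.9", "203.0.113.5"):
        print(ip, "->", ip_bwl_action(ip))
    for addr in ("bsmith@acme.com", "JDoe@Acme.com", "deals42@mail.example", "x@other.test"):
        print(addr, "->", email_bwl_action(addr))
```

Because evaluation stops at the first match, list order is part of the policy: swapping the first two IP entries would mark the trusted relay as spam.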

HELO DNS Lookup

DNS

Received: from mail.acme.com (10.10.10.1) by classroom.fortinet.com with SMTP; 30 Sept 2010 02:27:02 -0000

• The FortiGate unit takes the domain name the sending server gives in its HELO/EHLO greeting and looks it up in DNS; if the name does not resolve, the message is treated as spam

• If a domain is capable of sending mail, it should be capable of receiving mail routed by DNS records

• SMTP only, because the HELO/EHLO greeting is part of the SMTP session

Return Email DNS Check

DNS

From: bsmith@acme.com

A or MX record

• The FortiGate unit takes the domain of the sender (reply) address of an incoming email message and looks it up in DNS

• The domain must have an A or MX record; a domain that has neither cannot receive replies, and the message is treated as spam

Banned Word Check

Let us fill all your prescription drugs. Visit our online pharmacy for great prices on prescription medications. We offer the widest selection of popular drugs.

Banned words

Word           Score
drugs          10
pharmacy       5
prescription   5

Threshold = 18

10 + 5 + 5 = 20, which exceeds the threshold, so the message is marked as spam

• The FortiGate unit can block email based on words or patterns in the message

• A score is assigned to each banned word found in the message; as the example shows, a word contributes its score once even if it appears several times (drugs and prescription each appear twice)

• If the threshold is exceeded, the message is marked as spam

• Wildcards and regular expressions can be used to define the banned words

MIME Headers Check

MIME-Version: 1.0
Content-Type: multipart/mixed;
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-Distribution: Bulk

Header list

X-Distribution=Bulk

Mark as Clear

Mark as Spam

• The FortiGate unit can check the MIME header information of incoming email messages

• If a match is found on the header list configured on the device, the corresponding action is taken

• Configured through CLI only: config spamfilter mheader
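The content checks from the last two slides (banned word scoring and the MIME header list) together with the "tag" action from the Spam Actions slide, as an added example that is not FortiGate code. The message is constructed from the slide's pharmacy text and headers. Scoring follows the slide arithmetic: each banned word counts once per message and a total above the threshold is spam. Assumptions not on the slides: banned words match whole words case-insensitively, a header-list match takes precedence over the word score, and the header added by the tag action (X-Spam-Tag) is a hypothetical name.

```python
"""Added example: banned word scoring, MIME header list check and the tag action."""
import email
import re
from email import policy

# Constructed message using the slide's pharmacy text and X-Distribution header.
RAW_MESSAGE = b"""\
From: bsmith@acme.com
To: student@classroom.fortinet.com
Subject: Free Stuff
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-Distribution: Bulk

Let us fill all your prescription drugs. Visit our online pharmacy
for great prices on prescription medications. We offer the widest
selection of popular drugs.
"""

# Banned word list from the slide: (pattern, pattern type, score).
BANNED_WORDS = [
    ("drugs", "wildcard", 10),
    ("pharmacy", "wildcard", 5),
    ("prescription*", "wildcard", 5),   # wildcard also covers "prescriptions"
]
THRESHOLD = 18

# Header list as the device would hold it: (header name, value pattern, action).
HEADER_LIST = [
    ("X-Distribution", "Bulk", "spam"),
    ("X-Mailer", "Microsoft Office Outlook*", "clear"),
]


def _wildcard_regex(pattern):
    """Translate GUI-style wildcards (* and ?) into a regular expression body."""
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)


def _compile(pattern, kind, whole_word):
    body = pattern if kind == "regexp" else _wildcard_regex(pattern)
    if whole_word:
        body = r"\b(?:" + body + r")\b"   # assumption: banned words match whole words
    return re.compile(body, re.IGNORECASE)


def banned_word_score(text, words=BANNED_WORDS):
    """Sum the scores of banned words present in text; each word counts once."""
    total, hits = 0, []
    for pattern, kind, score in words:
        if _compile(pattern, kind, whole_word=True).search(text):
            total += score
            hits.append(pattern)
    return total, hits


def mime_header_action(msg, header_list=HEADER_LIST):
    """Action of the first header-list entry whose pattern fully matches a header value."""
    for name, pattern, action in header_list:
        rx = _compile(pattern, "wildcard", whole_word=False)
        for value in msg.get_all(name, []):
            if rx.fullmatch(str(value).strip()):
                return action
    return None


def tag_message(msg, phrase="[SPAM]", header=("X-Spam-Tag", "spam")):
    """Tag action: prefix the subject and add a MIME header (header name is hypothetical)."""
    subject = str(msg["Subject"] or "")
    del msg["Subject"]
    msg["Subject"] = (phrase + " " + subject).strip()
    msg[header[0]] = header[1]


def body_text(msg):
    part = msg.get_body(preferencelist=("plain", "html")) if msg.is_multipart() else msg
    return part.get_content() if part is not None else ""


def scan(raw=RAW_MESSAGE):
    """Run both checks on a raw message; return the verdict, score and final subject."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    score, hits = banned_word_score(body_text(msg))
    action = mime_header_action(msg)          # assumption: header list decides first
    if action is None:
        action = "spam" if score > THRESHOLD else "clear"
    if action == "spam":
        tag_message(msg)
    return {"action": action, "score": score, "hits": hits, "subject": str(msg["Subject"])}


if __name__ == "__main__":
    print(scan())
```

On the constructed message the header list already returns "spam" for X-Distribution: Bulk; the body score of 20 would reach the same verdict on its own, which is why the two checks are worth running together rather than relying on either alone.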

DNSBL and ORDBL Check

Received: from mail.acme.com (10.10.10.1) by classroom.fortinet.com with SMTP; 30 Sept 2010 02:27:02 -0000

DNSBL

ORDBL

• The FortiGate unit can compare the IP address or domain name of an incoming email message against third-party DNSBL (DNS-based blackhole list) and ORDBL (open relay database list) servers

• Match IP addresses or domain names of known spammers and of mail servers that relay mail for anyone

• Configured through CLI only: config spamfilter dnsbl

• config spamfilter ordbl
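The three DNS-based checks in this module (HELO DNS lookup, return email DNS check, DNSBL/ORDBL lookup), as an added example written for this page rather than FortiGate code. DNS is abstracted behind a resolve(name, rrtype) callable and answered from a constructed zone so the example runs offline; a real resolver (for example dnspython) can be passed in the same way. The list zone dnsbl.example and the answer 127.0.0.2 are constructed, though the query form (octets reversed under the list zone, an answer in 127.0.0.0/8 meaning "listed") is the standard DNSBL convention, and ORDBL lookups use the same form against an open-relay list's zone.

```python
"""Added example: HELO DNS lookup, return email DNS check and DNSBL/ORDBL lookup."""
import ipaddress

# Constructed DNS data: (name, rrtype) -> answers. Anything else does not exist.
FAKE_ZONE = {
    ("mail.acme.com", "A"): ["10.10.10.1"],
    ("acme.com", "MX"): ["10 mail.acme.com."],
    ("onlyhost.example", "A"): ["203.0.113.7"],      # A record but no MX
    ("9.2.0.192.dnsbl.example", "A"): ["127.0.0.2"],   # 192.0.2.9 listed in the (hypothetical) zone
}


def fake_resolve(name, rrtype):
    """Offline stand-in for a DNS resolver; returns [] where real DNS would say NXDOMAIN."""
    return FAKE_ZONE.get((name.rstrip(".").lower(), rrtype), [])


def helo_dns_check(helo_domain, resolve=fake_resolve):
    """HELO DNS lookup: the name the client gave in HELO/EHLO must resolve (SMTP only)."""
    return bool(resolve(helo_domain, "A"))


def return_email_dns_check(address, resolve=fake_resolve):
    """Return email DNS check: the sender's domain needs an MX or an A record."""
    domain = address.rpartition("@")[2]
    if not domain:
        return False
    return bool(resolve(domain, "MX")) or bool(resolve(domain, "A"))


def dnsbl_name(ip, zone):
    """Build the list query name: IPv4 octets reversed, under the list's zone."""
    addr = ipaddress.IPv4Address(ip)
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_listed(ip, zone, resolve=fake_resolve):
    """An A answer inside 127.0.0.0/8 means the address is on the list."""
    loopback = ipaddress.IPv4Network("127.0.0.0/8")
    answers = resolve(dnsbl_name(ip, zone), "A")
    return any(ipaddress.IPv4Address(a) in loopback for a in answers)


if __name__ == "__main__":
    print("HELO mail.acme.com:", helo_dns_check("mail.acme.com"))
    print("HELO bogus.invalid:", helo_dns_check("bogus.invalid"))
    print("return bsmith@acme.com:", return_email_dns_check("bsmith@acme.com"))
    print("return a@nowhere.invalid:", return_email_dns_check("a@nowhere.invalid"))
    print("192.0.2.9 listed:", dnsbl_listed("192.0.2.9", "dnsbl.example"))
```

The IP passed to dnsbl_listed should be the address of the connecting client, as with the FortiGuard IP check; the checks are also only as good as the DNS path the device uses, so a resolver failure should be treated as "unknown" rather than as a pass or a block.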

FortiGuard Email Filtering Options

Cache

IP address: 10.10.10.1

URL: www.acme.com

Message checksum: x65Fsd34c

• Caching improves performance by reducing FortiGate unit requests to the FortiGuard servers

• A small amount of FortiGate system memory is dedicated to the cache

• The TTL setting controls the number of seconds that query results are cached

• An alternate port number of 8888 can be configured for access to the FortiGuard servers
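The checksum check and the cache from the two FortiGuard slides, as an added example that is neither FortiGate code nor the FortiGuard protocol. A stand-in service holds a constructed list of known-spam digests and counts how often it is asked; a cache keyed by (kind, value) stores each answer for a TTL measured on an injectable clock, so the demo can show the second lookup being served from cache and a lookup after expiry going back to the service. The whitespace/case normalisation before hashing is an assumption made for the example (the slides do not say how FortiGuard computes its checksum).

```python
"""Added example: message checksum lookup fronted by a TTL cache."""
import hashlib
import time

# Constructed known-spam text, standing in for the FortiGuard Antispam Service's database.
KNOWN_SPAM_TEXT = [
    "Our online pharmacy offers great prices on all your prescription medications.",
]


def message_checksum(body):
    """Hash a normalised body so line breaks and case changes still produce a match."""
    normalised = " ".join(body.lower().split())
    return hashlib.sha256(normalised.encode("utf-8")).hexdigest()


KNOWN_SPAM_HASHES = {message_checksum(t) for t in KNOWN_SPAM_TEXT}


class Service:
    """Stand-in for the remote lookup; counts calls so the cache's effect is observable."""

    def __init__(self):
        self.calls = 0

    def query(self, kind, key):
        self.calls += 1
        if kind == "checksum":
            return key in KNOWN_SPAM_HASHES
        return False   # IP and URL lookups are not modelled here


class TTLCache:
    """Cache keyed by (kind, value); each entry expires ttl seconds after it was stored."""

    def __init__(self, ttl, clock=time.monotonic):
        self.ttl, self.clock, self.entries = ttl, clock, {}

    def lookup(self, key, fetch):
        now = self.clock()
        hit = self.entries.get(key)
        if hit is not None and hit[1] > now:
            return hit[0]
        value = fetch()
        self.entries[key] = (value, now + self.ttl)
        return value


def spam_by_checksum(body, cache, service):
    digest = message_checksum(body)
    return cache.lookup(("checksum", digest), lambda: service.query("checksum", digest))


def demo():
    """Two lookups inside the TTL reach the service once; after expiry it is asked again."""
    t = [0.0]                                   # controllable clock for the demo
    cache = TTLCache(ttl=300, clock=lambda: t[0])
    svc = Service()
    body = "Our online pharmacy offers\ngreat prices on all your\nprescription medications."
    first = spam_by_checksum(body, cache, svc)
    second = spam_by_checksum(body.upper(), cache, svc)   # same digest after normalisation
    t[0] = 301.0                                          # past the 300 s TTL
    third = spam_by_checksum(body, cache, svc)
    return first, second, third, svc.calls


if __name__ == "__main__":
    print(demo())
```

The TTL is a trade-off the administrator controls: a longer TTL saves round trips, but a verdict that the service has since changed stays in force on the device until the entry expires.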

Email Filter Profile

Email filter profile: Class_Email_Filter

Firewall policy

• Enable email filtering operations on a protocol-by-protocol basis in the email filter profile

• The profile is in turn applied to a firewall policy

• Any traffic being examined by the policy will have the email filter operations applied to it

FortiMail Email Filtering

• Enhanced set of features for detecting and blocking spam

• Some techniques not available on FortiGate units

• Stand-alone email filtering system

• Second layer of protection in addition to the FortiGate unit

• Legacy virus protection

• Email quarantine
