FortiGate Email Filtering

Transcript of the FortiGate Email Filtering training module (32 slides).

Module Objectives

By the end of this module participants will be able to:

• Identify the email filtering methods used on the FortiGate device

• Configure banned word, IP address and email address filters

• Define firewall policies using email filter profiles

• Identify the differences between the email filtering capabilities of the FortiGate and FortiMail units

Email Filtering

• The FortiGate unit can detect and manage spam email

Spam Actions

Actions: Tag, Discard

Tag example: "Subject: Free Stuff" becomes "Subject: [SPAM] Free Stuff"

• Tag adds a custom phrase/word to the subject line, or a MIME header and value to the headers of the email message, and then passes the message on

• Discard immediately drops the connection when spam is detected (SMTP only; mail fetched over POP3 or IMAP can only be tagged)

Email Filtering Methods

• The FortiGate unit uses a number of techniques to help detect spam

• Some use the FortiGuard Antispam service and require a subscription

• Others use DNS servers or filters created on the device

FortiGuard IP Address Check

Received: from mail.acme.com (10.10.10.1) by classroom.fortinet.com with SMTP; 30 Sept 2010 02:27:02 -0000

• The FortiGate unit queries the FortiGuard Antispam Service to determine if the source IP address of the sender is blacklisted

• A match will cause the FortiGate unit to treat the message as spam

FortiGuard URL and Email Address Check

Visit our web site at www.acme.com to learn more about this great offer or send an email to [email protected].

• The FortiGate unit queries the FortiGuard Antispam Service to determine if any URLs or email addresses in the message are associated with spam

FortiGuard Email Checksum Check

Our online pharmacy offers great prices on all your prescription medications.

• The FortiGate unit sends a hash of the email message to the FortiGuard Antispam Service

• The FortiGuard Antispam Service compares the hash received to hashes of known spam messages

IP Address Black/White List (BWL)

Received: from mail.acme.com (10.10.10.1) by classroom.fortinet.com with SMTP; 30 Sept 2010 02:27:02 -0000

Actions: Mark as Clear, Mark as Spam, Mark as Reject

• The FortiGate unit compares the IP address of the sender of an email message to the IP addresses specified in the email filter profile

• An administrator can add to or edit the IP addresses and configure the action to take

Email Address Black/White List (BWL)

From: [email protected]

Actions: Mark as Clear, Mark as Spam

• The FortiGate unit compares the email address of the sender of an email message to the email addresses specified in the email filter profile

• An administrator can add to or edit the email addresses and configure the action to take

• Wildcard and regular expressions can be used to define the email address

HELO DNS Lookup

Received: from mail.acme.com (10.10.10.1) by classroom.fortinet.com with SMTP; 30 Sept 2010 02:27:02 -0000

• The FortiGate unit takes the domain name the sending server announces in its SMTP HELO/EHLO greeting and looks it up in DNS; a name that does not resolve marks the message as spam

• If a domain is capable of sending mail, it should be capable of receiving mail routed by DNS records

• SMTP only

Return Email DNS Check

From: [email protected]

DNS: A or MX record

• The FortiGate unit looks up the domain of the return address of an incoming email message in DNS and checks that it has an A or MX record; a domain that cannot receive mail marks the message as spam

Banned Word Check

Let us fill all your prescription drugs. Visit our online pharmacy for great prices on prescription medications. We offer the widest selection of popular drugs.

Banned words:

Drugs        Score=10
Pharmacy     Score=5
Prescription Score=5

Threshold=18

10 + 5 + 5 = 20 (threshold exceeded, message marked as spam)

• The FortiGate unit can block email based on words or patterns in the message

• A score is assigned to each banned word found in the message; a banned word contributes its score once per message however many times it appears ("drugs" and "prescription" each occur twice in the example but are counted once)

• If the total exceeds the threshold, the message is marked as spam

• Wildcards and regular expressions can be used to define the banned words
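The scoring described on this slide, followed by the Tag and Discard actions from the Spam Actions slide, as an added example in Python. This is not Fortinet code and not the FortiGate's own implementation; it reproduces the slide's arithmetic (each banned word counted once per message, spam only when the threshold is exceeded). The banned-word list, threshold, sample message, addresses and the `X-Spam-Flag` header name are constructed for the example.

```python
import re
from email import message_from_string

# Banned-word list for the slide's worked example: (pattern, score, pattern type).
# Constructed values; "prescription*" shows a wildcard that also covers "prescriptions".
BANNED_WORDS = [
    ("drugs", 10, "wildcard"),
    ("pharmacy", 5, "wildcard"),
    ("prescription*", 5, "wildcard"),
]
THRESHOLD = 18

# Constructed sample message (addresses are made up) carrying the slide's body text.
SAMPLE_MESSAGE = """From: sales@example.com
To: student@example.net
Subject: Free Stuff

Let us fill all your prescription drugs. Visit our online pharmacy
for great prices on prescription medications. We offer the widest
selection of popular drugs.
"""


def wildcard_to_regex(pattern):
    """Translate a wildcard pattern ('*' matches any run of characters) into a regex.
    Everything except '*' is escaped, so '.' or '+' inside a banned word stays literal."""
    return ".*".join(re.escape(part) for part in pattern.split("*"))


def compile_pattern(pattern, ptype):
    """ptype is 'wildcard' or 'regexp'; matching is case-insensitive either way."""
    regex = wildcard_to_regex(pattern) if ptype == "wildcard" else pattern
    return re.compile(regex, re.IGNORECASE)


def score_text(text, banned=BANNED_WORDS):
    """Return (total score, list of matched patterns).

    Each banned pattern adds its score once per message however often it occurs,
    which is what makes the slide's arithmetic come out: "drugs" and
    "prescription" each appear twice in the example body but count once,
    giving 10 + 5 + 5 = 20.
    """
    total, matched = 0, []
    for pattern, score, ptype in banned:
        if compile_pattern(pattern, ptype).search(text):
            total += score
            matched.append(pattern)
    return total, matched


def is_spam(text, banned=BANNED_WORDS, threshold=THRESHOLD):
    """Spam only when the threshold is exceeded: a score equal to it is not enough."""
    return score_text(text, banned)[0] > threshold


def message_text(msg):
    """Collect the text parts of a message; multipart messages are walked recursively."""
    if msg.is_multipart():
        return "\n".join(message_text(part) for part in msg.get_payload())
    if msg.get_content_maintype() != "text":
        return ""
    charset = msg.get_content_charset() or "utf-8"
    return msg.get_payload(decode=True).decode(charset, errors="replace")


def tag_message(raw, tag="[SPAM]", header=("X-Spam-Flag", "YES")):
    """The Tag action: prefix the Subject with a custom phrase and add a MIME header.
    The header name and value here are constructed; both are configurable on a FortiGate."""
    msg = message_from_string(raw)
    subject = msg.get("Subject", "")
    if not subject.startswith(tag):
        del msg["Subject"]
        msg["Subject"] = f"{tag} {subject}".strip()
    name, value = header
    msg[name] = value
    return msg.as_string()


def filter_message(raw, action="tag", banned=BANNED_WORDS, threshold=THRESHOLD):
    """Run the banned-word check on the message text and apply the spam action.

    Returns (verdict, message): verdict is 'spam' or 'clear'; message is the
    original or tagged message text, or None when the Discard action drops it.
    """
    msg = message_from_string(raw)
    total, _ = score_text(message_text(msg), banned)
    if total <= threshold:
        return "clear", raw
    if action == "discard":
        return "spam", None
    return "spam", tag_message(raw)
```

Run `filter_message(SAMPLE_MESSAGE)` to see the tagged copy; `filter_message(SAMPLE_MESSAGE, action="discard")` returns `None` for the message, which is where a real gateway would close the SMTP session.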

MIME Headers Check

MIME-Version: 1.0
Content-Type: multipart/mixed;
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
X-Distribution: Bulk

Header list: X-Distribution=Bulk

Actions: Mark as Clear, Mark as Spam

• The FortiGate unit can check the MIME header information of incoming email messages

• If a match is found on the header list configured on the device, the corresponding action is taken

• Configured through CLI only: config spamfilter mheader
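The three list-based checks from the preceding slides (IP address BWL, email address BWL and MIME header list) as one added Python example. It is not Fortinet code; the lists, the sample message and the order in which the lists are consulted (IP, then sender address, then MIME headers, first match wins) are assumptions of this example, since the page does not state how the FortiGate orders them. The `ip_from_received` helper exists only so the example runs offline: an inline FortiGate sees the SMTP connection and uses its source address, whereas a Received header is text the sender can forge.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed filter lists mirroring the slides. Each list is checked in order
# and the first matching entry decides.
IP_BWL = [                        # (network in CIDR, action)
    ("10.10.10.1/32", "reject"),
    ("192.0.2.0/24", "clear"),
]
EMAIL_BWL = [                      # (pattern, pattern type, action)
    ("*@acme.com", "wildcard", "spam"),
    (r"^[a-z]+\.[a-z]+@example\.org$", "regexp", "clear"),
]
MIME_HEADER_LIST = [               # (header field, value pattern, pattern type, action)
    ("X-Distribution", "Bulk", "wildcard", "spam"),
]

# Constructed sample message with the slide's Received line and MIME headers.
SAMPLE_MESSAGE = """Received: from mail.acme.com (10.10.10.1) by classroom.fortinet.com with SMTP; 30 Sep 2010 02:27:02 -0000
From: Acme Sales <sales@acme.com>
To: student@classroom.fortinet.com
Subject: Free Stuff
MIME-Version: 1.0
X-Mailer: Microsoft Office Outlook, Build 11.0.5510
X-Distribution: Bulk

Visit our web site to learn more about this great offer.
"""


def wildcard_to_regex(pattern):
    """'*' matches any run of characters; everything else is literal."""
    return ".*".join(re.escape(part) for part in pattern.split("*"))


def value_matches(pattern, ptype, value):
    """Wildcard patterns must cover the whole value; regexps are searched as written."""
    if ptype == "wildcard":
        return re.fullmatch(wildcard_to_regex(pattern), value, re.IGNORECASE) is not None
    return re.search(pattern, value, re.IGNORECASE) is not None


def check_ip(peer_ip, bwl=IP_BWL):
    """IP address BWL: first entry whose network contains the client address wins."""
    addr = ipaddress.ip_address(peer_ip)
    for network, action in bwl:
        if addr in ipaddress.ip_network(network, strict=False):
            return action, f"ip {peer_ip} in {network}"
    return None


def check_sender(msg, bwl=EMAIL_BWL):
    """Email address BWL on the From address (display name stripped, lower-cased)."""
    sender = parseaddr(msg.get("From", ""))[1].lower()
    for pattern, ptype, action in bwl:
        if sender and value_matches(pattern, ptype, sender):
            return action, f"sender {sender} matches {pattern}"
    return None


def check_mime_headers(msg, header_list=MIME_HEADER_LIST):
    """MIME header list: match field name and value; a field may occur more than once."""
    for field, pattern, ptype, action in header_list:
        for value in msg.get_all(field, []):
            if value_matches(pattern, ptype, value.strip()):
                return action, f"header {field}: {value.strip()} matches {pattern}"
    return None


def ip_from_received(msg):
    """Pull the first IPv4 literal out of the topmost Received header.

    Fallback for this offline example only: Received headers are written by mail
    servers and can be forged. Pass the SMTP connection's source address as
    peer_ip whenever it is known, which is what an inline gateway does.
    """
    found = re.search(r"\((\d{1,3}(?:\.\d{1,3}){3})\)", msg.get("Received", ""))
    return found.group(1) if found else None


def classify(raw, peer_ip=None):
    """Return (action, reason) from the first matching list, or ('clear', 'no match')."""
    msg = message_from_string(raw)
    peer_ip = peer_ip or ip_from_received(msg)
    result = check_ip(peer_ip) if peer_ip else None
    result = result or check_sender(msg)
    result = result or check_mime_headers(msg)
    return result or ("clear", "no match")
```

With the sample message, the connecting address 10.10.10.1 hits the reject entry before the sender address is even looked at; from an address outside the IP list the `*@acme.com` entry marks it as spam, and a whitelisted sender passes even though the `X-Distribution: Bulk` header would otherwise match.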

DNSBL and ORDBL Check

Received: from mail.acme.com (10.10.10.1) by classroom.fortinet.com with SMTP; 30 Sept 2010 02:27:02 -0000

• The FortiGate unit can compare the IP address or domain name of an incoming email message against third-party DNSBL (DNS-based blackhole list) and ORDBL (open relay database list) servers

• These lists hold the IP addresses or domain names of known spammers and open relays

• Configured through CLI only: config spamfilter dnsbl and config spamfilter ordbl
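The three DNS-based checks on the preceding slides (HELO DNS lookup, return email DNS check, and the DNSBL/ORDBL lookup) as one added Python example. It is not Fortinet code and does not show how the FortiGate implements them; the DNSBL query-name convention (reversed octets under the list's zone, listing signalled by a 127.0.0.0/8 answer) is the standard one used by public lists, and an ORDBL is queried the same way with a different zone. To run offline, DNS is answered from a constructed table (`FAKE_ZONES`, using RFC 5737 test addresses plus the slide's 10.10.10.1 and a made-up zone `dnsbl.example`); a real deployment would plug in a resolver function built on dnspython.

```python
import ipaddress

# Resolver interface used throughout: resolver(name, rtype) -> list of answer
# strings, empty on NXDOMAIN or no data. Constructed zone data so the example
# runs offline; swap in a real resolver (e.g. one wrapping dnspython) in practice.
FAKE_ZONES = {
    ("mail.acme.com", "A"): ["10.10.10.1"],
    ("acme.com", "MX"): ["10 mail.acme.com."],
    ("example.org", "A"): ["203.0.113.10"],
    # dnsbl.example is a made-up blocklist zone that lists 10.10.10.1
    ("1.10.10.10.dnsbl.example", "A"): ["127.0.0.2"],
}


def fake_resolver(name, rtype):
    return FAKE_ZONES.get((name.lower().rstrip("."), rtype), [])


def helo_lookup(helo_name, resolver):
    """HELO DNS lookup (SMTP only): the name the client announced in HELO/EHLO
    must exist in DNS. A name that does not resolve marks the session's mail as spam."""
    return bool(resolver(helo_name, "A"))


def return_address_check(sender, resolver):
    """Return email DNS check: the domain of the return address needs an A or MX
    record, i.e. it must be able to receive mail routed by DNS."""
    if "@" not in sender:
        return False
    domain = sender.rsplit("@", 1)[1]
    return bool(resolver(domain, "MX")) or bool(resolver(domain, "A"))


def dnsbl_query_name(ip, zone):
    """DNSBL convention: reverse the IPv4 octets under the list's zone, so
    10.10.10.1 on dnsbl.example becomes 1.10.10.10.dnsbl.example."""
    addr = ipaddress.IPv4Address(ip)  # IPv6 lists use a nibble form; not covered here
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def dnsbl_listed(ip, zone, resolver):
    """Return the list's answer code (e.g. '127.0.0.2') if ip is listed, else None.

    A listing is an answer inside 127.0.0.0/8; each list documents what the last
    octet means. Anything outside 127/8 is treated as an error rather than a hit.
    """
    for answer in resolver(dnsbl_query_name(ip, zone), "A"):
        if ipaddress.ip_address(answer) in ipaddress.ip_network("127.0.0.0/8"):
            return answer
    return None


def dns_checks(peer_ip, helo_name, sender, zones, resolver=fake_resolver):
    """Run the three DNS-based checks for one SMTP session and report what failed.
    An empty list means the message passed all of them."""
    failures = []
    if not helo_lookup(helo_name, resolver):
        failures.append(f"helo {helo_name} does not resolve")
    if not return_address_check(sender, resolver):
        failures.append(f"return domain of {sender} has no A or MX record")
    for zone in zones:
        code = dnsbl_listed(peer_ip, zone, resolver)
        if code:
            failures.append(f"{peer_ip} listed on {zone} ({code})")
    return failures
```

Two operational caveats worth keeping in mind: HELO names are chosen by the client, so a spammer can announce any resolvable name, and DNSBL answers outside 127.0.0.0/8 usually mean the query was refused or rate-limited rather than that the address is clean, which is why the code ignores them instead of treating them as a listing.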

FortiGuard Email Filtering Options

Cache:
IP address: 10.10.10.1
URL: www.acme.com
Message checksum: x65Fsd34c

• Caching improves performance by reducing the number of FortiGate unit requests to the FortiGuard servers

• A small amount of FortiGate system memory is dedicated to the cache

• The TTL setting controls the number of seconds for which query results are cached

• An alternate port number of 8888 can be configured for access to the FortiGuard servers

Email Filter Profile

Email filter profile (Class_Email_Filter) applied to a firewall policy

• Email filtering operations are enabled on a protocol-by-protocol basis (IMAP, POP3, SMTP) in the email filter profile

• The profile is in turn applied to a firewall policy

• Any traffic examined by that policy will have the email filter operations applied to it

FortiMail Email Filtering

• Enhanced set of features for detecting and blocking spam

• Some techniques not available on FortiGate units

• Stand-alone email filtering system

• Second layer of protection in addition to FortiGate

• Legacy virus protection

• Email quarantine
