Fortinet black logo

Handbook

Employing MMS Security features

6.0.0
Copy Link
Copy Doc ID 4afb0436-a998-11e9-81a4-00505692583a:768637
Download PDF

Employing MMS Security features

FortiOS Carrier includes all the Security features of FortiOS with extra features specific to MMS carrier networks.

Why scan MMS messages for viruses and malware?

The requirement for scanning MM1 content comes from the fact that MMS is an increasingly popular technique for propagating malware between mobile devices.

Example: COMMWARRIOR

This is a virus for Series 60 type cell phones, such as Nokia, operating Symbian OS version 6 [or higher]. The object of the virus is to spread to other phones using Bluetooth and MMS as transport avenues. The targets are selected from the contact list of the infected phone and also sought via Bluetooth searching for other Bluetooth-enabled devices (phones, printers, gaming devices etc.) in the proximity of the infected phone.

This virus is more than a proof of concept - it has proven successfully its ability to migrate from a zoo collection to being in-the-wild. Currently, this virus is being reported in over 18 different countries around Europe, Asia and North America.

When the virus first infects a cell phone, a prompt is displayed asking the recipient if they want to install “Caribe”. Symptoms of an infected phone may include rapid battery power loss due to constant efforts by the virus to spread to other phones via a Bluetooth seek-and-connect outreach.

The following variants among others are currently scanned by the FortiOS Carrier devices, in addition to more signatures that cover all known threats.

  • SymbOS/COMWAR.V10B!WORM
  • Aliases: SymbOS.Commwarrior.B, SymbOS/Commwar.B, SymbOS/Commwar.B!wm, SymbOS/Commwar.B-net, SymbOS/Commwarrior.b!sis, SymbOS/Comwar.B, SymbOS/Comwar.B!wm, SymbOS/Comwar.B-wm, SYMBOS_COMWAR.B, SymbOS/Comwar.1.0.B!wormSYMBOS/COMWAR.V10B.SP!WORM [Spanish version]
  • First Discovered In The Wild: July 04, 2007
  • Impact Level: 1
  • Virus Class: Worm
  • Virus Name Size: 23,320
  • SymbOS/Commwar.A!worm
  • Aliases: Commwarrior-A, SymbOS.Commwarrior.A [NAV], SymbOS/Commwar.A-net, SymbOS/Commwar_ezboot.A-ne, SymbOS/Comwar.A, SymbOS/Comwar.A-wm, SYMBOS_COMWAR.A [Trend]
  • First Discovered In The Wild: May 16 2005
  • Impact Level: 1
  • Virus Class: Worm
  • Virus Name Size: 27,936
  • SymbOS/Commwarriie.C-wm
  • Aliases: None
  • First Discovered In The Wild: Oct 17 2005
  • Impact Level: 1
  • Virus Class: File Virus
  • Virus Name Size: None

For the latest list of threats Fortinet devices detect, visit the FortiGuard Center.

MMS virus scanning

You can use MMS virus scanning to scan content contained within MMS messages for viruses. FortiOS Carrier virus scanning can be applied to the MM1, MM3, MM4, and MM7 interfaces to detect and remove content containing viruses at many points in an MMS network. Perhaps the most useful interface to apply virus scanning would be the MM1 interface to block viruses sent by mobile users before they get into the service provider network.

To go to MMS virus scanning, go to Security Profiles MMS Profile, select an existing or create a new profile, and expand MMS Scanning. See MMS scanning options.

This section includes:

MMS virus monitoring

To enable MMS virus monitoring, expand MMS Scanning and enable Monitor only for the selected MMS types.

This feature causes the FortiOS Carrier unit to record log messages when MMS scanning options find a virus, match a file name, or match content using any of the other MMS scanning options. Selecting this option enables reporting on viruses and other problems in MMS traffic without affecting users.

MMS virus scanning blocks messages (not just attachments)

To enable MMS virus scanning, expand MMS Scanning and enable Virus Scan for the selected MMS types.

Because MM1 and MM7 use HTTP, the oversize limits for HTTP and the HTTP antivirus port configurations also apply to MM1 and MM7 scanning. See

MM3 and MM4 use SMTP and the oversize limits for SMTP and the SMTP antivirus port configurations also apply to MM3 and MM4 scanning.

The message contents will be scanned for viruses, matched against the file extension blocking lists and scanned for banned words. All these items will be configured via the standard GUI interfaces available for the other protocols and will be controlled at the protection profile level with new options specifically for the MM1 messages.

The FortiOS Carrier unit extracts the sender’s Mobile Subscriber Integrated Services Digital Network Number (MSISDN) from the HTTP headers if available. The POST payload will be sent to the scan units which will parse the MMS content and scan each message data section. If any part of the data is to be blocked, the proxy will be informed, the connection to the MMSC will be reset and the Carrier-enabled FortiGate unit will return an HTTP 200 OK message with an m-send-conf payload to the client to prevent a retry. Finally the appropriate logging, alert, and replacement message events will be triggered.

For client notification, the x-mms-response-status and x-mms-response-text fields can also be customized as required.

Scanning MM1 retrieval messages

To scan MM1 retrieval messages, expand MMS Scanning and select Scan MM1 message retrieval.

Select to scan message retrievals that use MM1. If you enable Virus Scan for all MMS interfaces, messages are also scanned while being sent. In this case, you can disable MM1 message retrieval scanning to improve performance.

Configuring MMS virus scanning

To configure MMS virus scanning, expand MMS Scanning and enable Virus Scan.

Once applied to a security policy, the MMS protection profile will then perform virus scans on all traffic accepted by that policy.

Removing or replacing blocked messages

To remove blocked messages, expand MMS Scanning and select Remove Blocked for the selected MMS types.

Select Remove Blocked remove blocked content from each protocol and replace it with the replacement message. If FortiOS Carrier is to preserve the length of the message when removing blocked content, as may occur when billing is affected by the length of the message, select Constant.

If you only want to monitor blocked content, select Monitor Only.

Carrier Endpoint Block

A carrier endpoint defines a specific client on the carrier network. Typically the client IP address is used to identify the client, however on a carrier network this may be impractical when the client is using a mobile device. Other identifying information such as the MSIDSN number is used instead.

This information can be used to block a specific endpoint on the network. Reasons for blocking may include clients whose accounts have expired, clients from another carrier, clients who have sent malicious content (phishing, exploits, viruses, etc), or other violations of terms of use.

Enabling carrier endpoint blocking

To enable carrier endpoint blocking you first need to create a carrier endpoint filter list, and then enable it.

To enable carrier endpoint blocking - GUI
  1. Create a carrier endpoint filter list.
  2. Go to Security Profiles > MMS Profile.
  3. Select Create New, or select an existing profile to edit and select Edit.
  4. Expand MMS Scanning.
  5. Select one or more types of MMS messaging to enable endpoint blocking on.
  6. Select the carrier endpoint filter list to use in matching the endpoints to be blocked.
caution icon In MMS Profile, endpoints can only be blocked.
Create a carrier endpoint filter list

A carrier endpoint filter list contains one or more carrier endpoints to match. When used in MMS scanning entries in the filter list that are matched are blocked.

You can configure multiple filter lists for different purposes and groups of clients, such as blocking clients, clients with different levels of service agreements, and clients from other carriers. See Carrier endpoint filter lists configuration settings.

To create a carrier endpoint filter list - GUI
  1. Go to Security Profiles > Carrier Endpoint Filter Lists.
  2. Select Create New.
  3. Enter a descriptive name for the filter list, such as blocked_clients or CountryX_clients, and select OK.
  4. Select Create New to add one or more entries to the list.
  5. Select OK to return to display the list of filter lists.
Configuring endpoint filter list entries

For each single endpoint or group of endpoints have part of their identifying information in common, you create an entry in the endpoint filter list.

For example a blocked_clients filter list may include entries for single endpoints added as each one needs to be blocked and a group of clients from a country that does not allow certain services.

To configure an endpoint filter list entry - GUI
  1. Select Create New.
  2. Enter the following information and select OK.
Name Name of endpoint filter list. Select this name in an MMS protection profile.
Comments Optional description of the endpoint filter list.
Check/Uncheck All Select the check box to enable all endpoint patterns in the MMS filter list.

Clear the check box to disable all entries on the MMS filter list.

You can also select or clear individual check boxes to enable or disable individual endpoint patterns.
Pattern The pattern that FortiOS Carrier uses to match with endpoints. The pattern can be a single endpoint or consist of wildcards or Perl regular expressions that will match more than one endpoint. For more on wildcard and regular expressions, see Using wildcards and Perl regular expressions in the UTM guide.
Action Select the action taken by FortiOS Carrier for messages from a carrier endpoint that matches the endpoint pattern:

None - No action is taken.

Block - MMS messages from the endpoint are not delivered and FortiOS Carrier records a log message.

Exempt from mass MMS - MMS messages from the endpoint are delivered and are exempt from mass MMS filtering. Mass MMS filtering is configured in MMS protection profiles and is also called MMS Bulk Email Filtering and includes MMS message flood protection and MMS duplicate message detection. A valid use of mass MMS would be when a service provider notifies customers of a system-wide event such as a shutdown.

Exempt from all scanning - MMS messages from the endpoint are delivered and are exempt from all MMS protection profile scanning.
Content Archive MMS messages from the endpoint are delivered, the message content is DLP archived according to MMS DLP archive settings. Content archiving is also called DLP archiving.
Intercept MMS messages from the endpoint are delivered. Based on the quarantine configuration, attached files may be removed and quarantined.
Pattern Type The pattern type: Wildcard, Regular Expression, or Single Endpoint.
Enable Select to enable this endpoint filter pattern.
Blocking network access based on endpoints

You can use endpoint IP filtering to block traffic from source IP addresses associated with endpoints. You can also configure FortiOS Carrier to record log messages whenever endpoint IP filtering blocks traffic. Endpoint IP filtering blocks traffic at the IP level, before the traffic is accepted by a security policy.

To configure endpoint IP filtering, go to Security Profiles > IP Filter and add endpoints to the IP filter list. For each endpoint you can enable or disable both blocking traffic and logging blocked traffic.

note icon You cannot add endpoint patterns to the endpoint IP filter list. You must enter complete and specific endpoints that are valid for your network.
caution icon The only action available is block. You cannot use endpoint IP filtering to exempt endpoints from IP filtering or to content archive or quarantine communication sessions.

FortiOS Carrier looks in the current user context list for the endpoints in the IP filter list and extracts the source IP addresses for these endpoints. Then any communication session with a source IP address that matches one of these IP addresses is blocked at the IP level, before the communication session is accepted by a security policy.

FortiOS Carrier dynamically updates the list of IP addresses to block as the user context list changes. Only these updated IP addresses are blocked by endpoint IP filtering.

For information about the carrier endpoints and the user context list, including how entries are added to and removed from this list.

MMS Content Checksum

The MMS content checksum feature attempts to match checksums of known malicious MMS messages, and on a successful match it will be blocked. The checksums are applied to each part of the message—attached files and message body have separate checksums. These checksums are created with CRC-32, the same method as FortiAnalyzer checksums.

For example, if an MMS message contains a browser exploit in the message body, you can add the checksum for that message body to the list, and future occurrences of that exact message will be blocked. Content will be replaced by the content checksum block notification replacement message for that type of MMS message, and if it is enabled the event will be logged.

One possible implementation would to configure all .sis files to be intercepted. When one is found to be infected or malicious it would be added to the MMS content checksum list.

To use this feature a list of one or more malicious checksums must be created and then the feature is enabled using that list. For a detailed list of options, see MMS Content Checksum.

To configure an MMS content checksum list
  1. Go to Security Profiles > MMS Content Checksum.
  2. Select Create New.
  3. Enter a name for the list of checksums, and select OK.
  4. You are taken to the edit screen for that new list.

  5. Select Create New to add a checksum.
  6. Enter the Name and Checksum, and select OK.
  7. The checksum is added to the list.

To add more checksums to the list, repeat steps 4 and 5.

To remove a checksum from the list you can either delete the checksum or simply disable it and leave it in the list.

To enable MMS content checksums, expand MMS Scanning and select MMS Content Checksum for the selected MMS types. Select the checksum list to match.

Passing or blocking fragmented messages

Select to pass fragmented MM3 and MM4 messages. Fragmented MMS messages cannot be scanned for viruses. If you do not select these options, fragmented MM3 and MM4 message are blocked.

The Interval is the time in seconds before client comforting starts after the download has begun, and the time between sending subsequent data.

The Amount is the number of bytes sent by client or server comforting at each interval.

Client comforting

In general, client comting is available for for MM1 and MM7 messaging and provides a visual display of progress for web page loading or HTTP or FTP file downloads. Client comforting does this by sending the first few packets of the file or web page being downloaded to the client at configured time intervals so that the client is not aware that the download has been delayed. The client is the web browser or FTP client. Without client comforting, clients and their users have no indication that the download has started until the Carrier-enabled FortiGate unit has completely buffered and scanned the download. During this delay users may cancel or repeatedly retry the transfer, thinking it has failed.

The appearance of a client comforting message (for example, a progress bar) is client-dependent. In some instances, there will be no visual client comforting cue.

During client comforting, if the file being downloaded is found to be infected, then the Carrier-enabled FortiGate unit caches the URL and drops the connection. The client does not receive any notification of what happened because the download to the client had already started. Instead the download stops, and the user is left with a partially downloaded file.

If the user tries to download the same file again within a short period of time, then the cached URL is matched and the download is blocked. The client receives the Infection cache message replacement message as a notification that the download has been blocked. The number of URLs in the cache is limited by the size of the cache.

caution icon Client comforting can send unscanned (and therefore potentially infected) content to the client. Only enable client comforting if you are prepared to accept this risk. Keeping the client comforting interval high and the amount low will reduce the amount of potentially infected data that is downloaded.
MM1 and MM7 client comforting steps

Since MM1 and MM7 messages use HTTP, MM1 and MM7 client comforting operates like HTTP client comforting.

The following steps show how client comforting works for a download of a 1 Mbyte file with the client comforting interval set to 20 seconds and the client comforting amount set to 512 bytes.

  1. The client requests the file.
  2. The Carrier-enabled FortiGate unit buffers the file from the server. The connection is slow, so after 20 seconds about one half of the file has been buffered.
  3. The Carrier-enabled FortiGate unit continues buffering the file from the server, and also sends 512 bytes to the client.
  4. After 20 more seconds, the FortiGate unit sends the next 512 bytes of the buffered file to the client.
  5. When the file has been completely buffered, the client has received the following amount of data:
  6. ca * (T/ci) bytes == 512 * (40/20) == 512 * 2 == 1024 bytes,

    where ca is the client comforting amount, T is the buffering time and ci is the client comforting interval.

  7. If the file does not contain a virus, the Carrier-enabled FortiGate unit sends the rest of the file to the client. If the file is infected, the FortiGate closes the data connection but cannot send a message to the client.

Server comforting

Server comforting can be selected for each protocol.

Similar to client comforting, you can use server comforting to prevent server connection timeouts that can occur while waiting for FortiOS Carrier to buffer and scan large POST requests from slow clients.

The Interval is the time in seconds before client and server comforting starts after the download has begun, and the time between sending subsequent data.

The Amount is the number of bytes sent by client or server comforting at each interval.

Handling oversized MMS messages

Select Block or Pass for files and email messages exceeding configured thresholds for each protocol.

The oversize threshold refers to the final size of the message, including attachments, after encoding by the client. Clients can use a variety of encoding types; some result in larger file sizes than the original attachment. As a result, a file may be blocked or logged as oversized even if the attachment is several megabytes smaller than the oversize threshold.

MM1 sample messages

Internet Protocol, Src Addr: 10.128.206.202 (10.128.206.202), Dst Addr: 10.129.192.190 (10.129.192.190)

Transmission Control Protocol, Src Port: 34322 (34322), Dst Port: http (80), Seq: 1, Ack: 1, Len: 1380

Source port: 34322 (34322)

Destination port: http (80)

Header length: 20 bytes

Flags: 0x0010 (ACK)

Window size: 24840

Checksum: 0x63c1 (correct)

HTTP proxy

Hypertext Transfer Protocol

POST / HTTP/1.1\r\n

Request Method: POST

Request URI: /

Request Version: HTTP/1.1

Host: 10.129.192.190\r\n

Accept: */*, application/vnd.wap.sic,application/vnd.wap.mms-message,text/x-hdml,image/mng,image/x-mng,video/mng,video/x-mng,image/bmp\r\n

Accept-Charset: utf-8,*\r\n

Accept-Language: en\r\n

Content-Length: 25902\r\n

Content-Type: application/vnd.wap.mms-message\r\n

User-Agent: Nokia7650/1.0 SymbianOS/6.1 Series60/0.9 Profile/MIDP-1.0 Configuration/CLDC-1.0 UP.Link/6.2.1\r\n

x-up-devcap-charset: utf-8\r\n

x-up-devcap-max-pdu: 102400\r\n

x-up-uplink: magh-ip.mi.vas.omnitel.it\r\n

x-wap-profile: "http://nds.nokia.com/uaprof/N7650r200.xml"\r\n

x-up-subno: 1046428312-826\r\n

x-up-calling-line-id: 393475171234\r\n

x-up-forwarded-for: 10.211.4.12\r\n

x-forwarded-for: 10.211.4.12\r\n

Via: 1.1 magh-ip.mi.vas.omnitel.it\r\n

\r\n

Scan engine

MMS Message Encapsulation, Type: m-send-req

X-Mms-Message-Type: m-send-req (0x80)

X-Mms-Transaction-ID: 1458481935

X-Mms-MMS-Version: 1.0

From: <insert address>

To: 3475171234/TYPE=PLMN

X-Mms-Message-Class: Personal (0x80)

X-Mms-Expiry: 21600.000000000 seconds

X-Mms-Priority: Normal (0x81)

X-Mms-Delivery-Report: No (0x81)

X-Mms-Read-Report: No (0x81)

Content-Type: application/vnd.wap.multipart.related; start=<1822989907>; type=application/smil

Start: <1822989907>

Type: application/smil

Data (Post)

Multipart body

Part: 1, content-type: text/plain

Content-Type: text/plain; charset=iso-10646-ucs-2; name=Ciao.txt

Charset: iso-10646-ucs-2

Name: Ciao.txt

Headers

Content-Location: Ciao.txt

Line-based text data: text/plain

\377\376C\000i\000a\000o\000

[Unreassembled Packet: MMSE]

Sender notifications and logging

In most cases you will notify the sender that they are causing problems on the network — either by sending malware content, flooding the network, or some other unwanted activity. The notification assumes the sender is unaware of their activity and will stop or correct it when notified.

However, senders who are notified may use this information to circumvent administration’s precautions. For example if flood notification is set to 1000 messages per minute, a notified user may simply reduce their message to 990 messages per minute if this flood is intentional. For this reason, not all problems include sender notifications.

There are two methods of notifying senders:

And three details to consider for logging and notifying administrators:

MMS notifications

MMS notifications enable you to customize notifications for many different situations and differently for all the supported MMS message protocols — MM1, MM3, MM4, and MM7.

MMS notification types include:

  • Content Filter
  • File Block
  • Carrier Endpoint Block
  • Flood
  • Duplicate
  • MMS Content Checksum
  • Virus Scan

Day of Week, Window start time and Window Duration define what days and what time of day alert notifications will be sent. This allows you to control what alerts are sent on weekends. It also lets you control when to start sending notifications each day. This can be useful if system maintenance is performed at the same time each night — you might want to start alert notifications after maintenance has completed. Another reason to limit the time alert messages are sent could be to limit message traffic to business hours.

Notifications screen for FortiOS Carrier MMS Profile

For MMS Notification options, see MMS Notifications.

Replacement messages

FortiGate units send replacement messages when messages or content is blocked, quarantined, or otherwise diverted from the receiver. In it’s place a message is sent to notify the receiver what happened.

With FortiOS Carrier MMS replacement messages, send and receive message types are supported separately and receive their own custom replacement messages. This allows the network to potentially notify both the sender and receiver of the problem.

For example the replacement message MM1 send-req file block message is sent to the device that sent one or more files that were banned. The default message that is sent is This device has sent %%NUM_MSG%% messages containing banned files in the last %%DURATION%% hours. The two variables are replaced by the appropriate values.

Replacement messages are not as detailed or specific as MMS notifications, but they are also not as complicated to configure. They are also useful when content has been removed from an MMS message that was still delivered.

Logging and reporting

With each virus infection, or file block, a syslog message is generated. The format of this syslog message is similar to:

2005-09-22 19:15:47 deviceid=FGT5001ABCDEF1234 logid=0211060ABC type=virus subtype=infected level=warning src=10.1.2.3 dst=10.2.3.4 srcintf=port1 dstintf=port2 service=mm1 status=blocked from="<sending MSISDN>" to="<receiving MSISDN>” file="eicar.com.txt" virus="EICAR_TEST_FILE" msg="The file eicar.com.txt is infected with EICAR_TEST_FILE. ref http://www.fortinet.com/VirusEncyclopedia/search/encyclopediaSearch.do?method=quickSearchDirectly&virusName=EICAR_TEST_FILE”

Note that the from and to fields are samples and not real values.

MMS logging options

You can enable logging in an MMS protection profile to write event log messages when the MMS protection profile options that you have enabled perform an action. For example, if you enable MMS antivirus protection, you could also use the MMS protection profile logging options to write an event log message every time a virus is detected.

To record these log messages you must first configure how the FortiOS Carrier unit stores log messages.

To configure MMS content archiving, go to Security Profiles > MMS Profile. Select Create New or select the Edit icon beside an existing profile. Expand MMS Bulk AntiSpam Detection > Logging. Complete the fields as described in the following table and select OK. For more a detailed list of options, see Logging.

SNMP

A simple SNMP trap will be generated to inform the operators’ alerting system that a virus has been detected. This SNMP trap could contain the sending and receiving MSISDN, however the initial solution would reflect the current behavior, i.e. only the fact that a virus has been detected will be communicated.

MMS content-based Antispam protection

Expand MMS Scanning and select Content Filter in an MMS protection profile to create content filter block/allowlists that block or allow MMS messages based on the content of the message.

Overview

A school computer lab may block age-inappropriate content. A place of business may block unproductive content. A public access internet cafe may block offensive and graphic content. Each installation has its own requirements for what content needs to be blocked, and in what language.

FortiOS Carrier provides the ability to create custom local dictionaries, blocklists, and allowlists in multiple languages enables you to protect your customers from malicious content around the world.

Configurable dictionary

You can create a dictionary of configurable terms and phrases using the CLI. The text of MMS messages will be searched for these terms and phrases. Add content filter lists that contain content that you want to match in MMS messages. For every match found, a score is added. If enough matches are found to set the total score above the configured threshold, the MMS message is blocked.

You can add words, phrases, wild cards and Perl regular expressions to create content patterns that match content in MMS messages. For more on wildcard and regular expressions, see Using wildcards and Perl regular expressions in the UTM guide.

For each pattern you can select Block or Exempt.

  • Block adds an antispam blocklist pattern. A match with a block pattern blocks a message depending on the score of the pattern and the content filter threshold.
  • Exempt adds an antispam allowlist pattern. A match with an exempt pattern allows the message to proceed through the FortiOS Carrier unit, even if other content patterns in the same content filter list would block it.

If a pattern contains a single word, the FortiOS Carrier unit searches for the word in MMS messages. If the pattern contains a phrase, the FortiOS Carrier unit searches for all of the words in the phrase. If the pattern contains a phrase in quotation marks, the FortiOS Carrier unit searches for the whole phrase.

You can create patterns with Simplified Chinese, Traditional Chinese, Cyrillic, French, Japanese, Korean, Spanish, Thai, or Western character sets.

Blocklisting

Blocklisting is the practice of banning entries on the list. For example if an IP address continuously sends viruses, it may be added to the blocklist. That means any computers that consult that list will not communicate with that IP address.

Sometimes computers or devices can be added to blocklists for a temporary problem, such as a virus that is removed when notified. However, as a rule short of contacting the administrator in person to manually be removed form the blocklist, users have to wait and they generally will be removed after a period without problem.

Allowlisting

Allowlisting is the practice of adding all critical IP addresses to a list, such as company email and web servers. Then if those servers become infected and start sending spam or viruses, those servers are not blocked. This allows the critical traffic through, even if there might be some malicious traffic as well. Blocking all traffic from your company servers would halt company productivity.

Scores and thresholds

Each content pattern includes a score. When a MMS message is matched with a pattern the score is recorded. If a message matches more than one pattern or matches the same pattern more than once, the score for the message increases. When the total score for a message equals or exceeds the threshold the message is blocked.

The default score for a content filter list entry is 10 and the default threshold is 10. This means that by default a message is blocked by a single match. You can change the scores and threshold so that messages can only be blocked if there are multiple matches. For example, you may only want to block messages that contain the phrase “example” if it appears twice. To do this, add the “example” pattern, set action to block and score to 5. Keep the threshold at 10. If “example” is found twice or more in a message the score adds up 10 (or more) and the message is blocked.

Configuring content-based antispam protection

To apply content-based antispam protection - CLI

config webfilter content

edit <filter_table_number>

set name <filter_table_name>

config entries

edit <phrase or regexp you want to block>

set action {block | exempt}

set lang <phrase language>

set pattern-type {wildcard | regexp}

set score <phrase score>

set status {enable | disable}

end

end

Configuring sender notifications

When someone on the MMS network sends an MMS message that is blocked, in most cases you will notify the sender. Typically an administrator is notified in addition to the sender so action can be taken if required. There are two types of sender notifications available in FortiOS Carrier: MMS notifications, and Replacement Messages.

MMS notifications

MMS notifications to senders are configured in Security Profiles > MMS Profile, under MMS Notifications.

In this section you can configure up to four different notification recipients for any combination of MM1/3/4/7 protocol MMS messages. Also for MM7 messages the message type can be submit.REQ or deliver.REQ.

Useful settings include:

  • delay in message based on notification type
  • limit on notifications per second to prevent a flood
  • schedules for notifications
  • log in details for MM7 messages.

For more information on MMS notifications, see Notifying message flood senders and receivers and MMS Notifications.

Replacement messages

Replacement messages are features common to both FortiOS and FortiOS Carrier, however FortiOS Carrier has additional messages for the MMS traffic.

While each MMS protocol has its own different rec placement messages, the one common to all MMS protocols is the MMS blocked content replacement message. This is the message that the receiver of the message sees when their content is blocked.

MMS DLP archiving

You can use DLP archiving to collect and view historical logs that have been archived to a FortiAnalyzer unit or the FortiGuard Analysis and Management service. DLP archiving is available for FortiAnalyzer when you add a FortiAnalyzer unit to the FortiOS Carrier configuration. The FortiGuard Analysis and Management server becomes available when you subscribe to the FortiGuard Analysis and Management Service.

You can configure full DLP archiving and summary DLP archiving. Full DLP archiving includes all content, for example, full email DLP archiving includes complete email messages and attachments. Summary DLP archiving includes just the meta data about the content, for example, email message summary records include only the email header.

You can archive MM1, MM3, MM4, and MM7 content.

Configuring MMS DLP archiving

Select DLP archive options to archive MM1, MM3, MM4, and MM7 sessions. For each protocol you can archive just session metadata (Summary), or metadata and a copy of the associated file or message (Full).

In addition to MMS protection profile DLP archive options you can:

  • Archive MM1 and MM7 message floods
  • Archive MM1 and MM7 duplicate messages
  • Select DLP archiving for carrier endpoint patterns in a Carrier Endpoint List and select the Carrier Endpoint Block option in the MMS Scanning section of an MMS Protection Profile

FortiOS Carrier only allows one sixteenth of its memory for transferring content archive files. For example, for Carrier-enabled FortiGate units with 128 MB RAM, only 8 MB of memory is used when transferring content archive files. Best practices dictate to not enable full content archiving if antivirus scanning is also configured because of these memory constraints.

To configure MMS DLP archiving - GUI
  1. Go to Security Profiles > MMS Profile.
  2. Select Create New or select the Edit icon beside an existing profile.
  3. Expand MMS Bulk AntiSpam Detection > Content Archive.
  4. Complete the fields as described in DLP Archive options.
  5. Select OK.

Viewing DLP archives

You can view DLP archives from the Carrier-enabled FortiGate unit GUI. Archives are historical logs that are stored on a log device that supports archiving, such as a FortiAnalyzer unit.

These logs are accessed from either Log & Report > DLP Archive or if you subscribed to the FortiCloud service, you can view log archives from there.

The DLP Archive menu is only visible if one of the following is true.

  • You have configured the FortiGate unit for remote logging and archiving to a FortiAnalyzer unit.
  • You have subscribed to FortiCloud.

The following tabs are available when you are viewing DLP archives for one of these protocols.

  • E-mail to view POP3, IMAP, SMTP, POP3S, IMAPS, SMTPS, and spam email archives.
  • Web to view HTTP and HTTPS archives.
  • FTP to view FTP archives.
  • IM to view AIM, ICQ, MSN, and Yahoo! archives.
  • MMS to view MMS archives.
  • VoIP to view session control (SIP, SIMPLE and SCCP) archives.

If you need to view log archives in Raw format, select Raw beside the Column Settings icon.

Employing MMS Security features

FortiOS Carrier includes all the Security features of FortiOS with extra features specific to MMS carrier networks.

Why scan MMS messages for viruses and malware?

The requirement for scanning MM1 content comes from the fact that MMS is an increasingly popular technique for propagating malware between mobile devices.

Example: COMMWARRIOR

This is a virus for Series 60 type cell phones, such as Nokia, operating Symbian OS version 6 [or higher]. The object of the virus is to spread to other phones using Bluetooth and MMS as transport avenues. The targets are selected from the contact list of the infected phone and also sought via Bluetooth searching for other Bluetooth-enabled devices (phones, printers, gaming devices etc.) in the proximity of the infected phone.

This virus is more than a proof of concept - it has proven successfully its ability to migrate from a zoo collection to being in-the-wild. Currently, this virus is being reported in over 18 different countries around Europe, Asia and North America.

When the virus first infects a cell phone, a prompt is displayed asking the recipient if they want to install “Caribe”. Symptoms of an infected phone may include rapid battery power loss due to constant efforts by the virus to spread to other phones via a Bluetooth seek-and-connect outreach.

The following variants among others are currently scanned by the FortiOS Carrier devices, in addition to more signatures that cover all known threats.

  • SymbOS/COMWAR.V10B!WORM
  • Aliases: SymbOS.Commwarrior.B, SymbOS/Commwar.B, SymbOS/Commwar.B!wm, SymbOS/Commwar.B-net, SymbOS/Commwarrior.b!sis, SymbOS/Comwar.B, SymbOS/Comwar.B!wm, SymbOS/Comwar.B-wm, SYMBOS_COMWAR.B, SymbOS/Comwar.1.0.B!wormSYMBOS/COMWAR.V10B.SP!WORM [Spanish version]
  • First Discovered In The Wild: July 04, 2007
  • Impact Level: 1
  • Virus Class: Worm
  • Virus Name Size: 23,320
  • SymbOS/Commwar.A!worm
  • Aliases: Commwarrior-A, SymbOS.Commwarrior.A [NAV], SymbOS/Commwar.A-net, SymbOS/Commwar_ezboot.A-ne, SymbOS/Comwar.A, SymbOS/Comwar.A-wm, SYMBOS_COMWAR.A [Trend]
  • First Discovered In The Wild: May 16 2005
  • Impact Level: 1
  • Virus Class: Worm
  • Virus Name Size: 27,936
  • SymbOS/Commwarriie.C-wm
  • Aliases: None
  • First Discovered In The Wild: Oct 17 2005
  • Impact Level: 1
  • Virus Class: File Virus
  • Virus Name Size: None

For the latest list of threats Fortinet devices detect, visit the FortiGuard Center.

MMS virus scanning

You can use MMS virus scanning to scan content contained within MMS messages for viruses. FortiOS Carrier virus scanning can be applied to the MM1, MM3, MM4, and MM7 interfaces to detect and remove content containing viruses at many points in an MMS network. Perhaps the most useful interface to apply virus scanning would be the MM1 interface to block viruses sent by mobile users before they get into the service provider network.

To go to MMS virus scanning, go to Security Profiles MMS Profile, select an existing or create a new profile, and expand MMS Scanning. See MMS scanning options.

This section includes:

MMS virus monitoring

To enable MMS virus monitoring, expand MMS Scanning and enable Monitor only for the selected MMS types.

This feature causes the FortiOS Carrier unit to record log messages when MMS scanning options find a virus, match a file name, or match content using any of the other MMS scanning options. Selecting this option enables reporting on viruses and other problems in MMS traffic without affecting users.

MMS virus scanning blocks messages (not just attachments)

To enable MMS virus scanning, expand MMS Scanning and enable Virus Scan for the selected MMS types.

Because MM1 and MM7 use HTTP, the oversize limits for HTTP and the HTTP antivirus port configurations also apply to MM1 and MM7 scanning. See

MM3 and MM4 use SMTP and the oversize limits for SMTP and the SMTP antivirus port configurations also apply to MM3 and MM4 scanning.

The message contents will be scanned for viruses, matched against the file extension blocking lists and scanned for banned words. All these items will be configured via the standard GUI interfaces available for the other protocols and will be controlled at the protection profile level with new options specifically for the MM1 messages.

The FortiOS Carrier unit extracts the sender’s Mobile Subscriber Integrated Services Digital Network Number (MSISDN) from the HTTP headers if available. The POST payload will be sent to the scan units which will parse the MMS content and scan each message data section. If any part of the data is to be blocked, the proxy will be informed, the connection to the MMSC will be reset and the Carrier-enabled FortiGate unit will return an HTTP 200 OK message with an m-send-conf payload to the client to prevent a retry. Finally the appropriate logging, alert, and replacement message events will be triggered.

For client notification, the x-mms-response-status and x-mms-response-text fields can also be customized as required.

Scanning MM1 retrieval messages

To scan MM1 retrieval messages, expand MMS Scanning and select Scan MM1 message retrieval.

Select to scan message retrievals that use MM1. If you enable Virus Scan for all MMS interfaces, messages are also scanned while being sent. In this case, you can disable MM1 message retrieval scanning to improve performance.

Configuring MMS virus scanning

To configure MMS virus scanning, expand MMS Scanning and enable Virus Scan.

Once applied to a security policy, the MMS protection profile will then perform virus scans on all traffic accepted by that policy.

Removing or replacing blocked messages

To remove blocked messages, expand MMS Scanning and select Remove Blocked for the selected MMS types.

Select Remove Blocked remove blocked content from each protocol and replace it with the replacement message. If FortiOS Carrier is to preserve the length of the message when removing blocked content, as may occur when billing is affected by the length of the message, select Constant.

If you only want to monitor blocked content, select Monitor Only.

Carrier Endpoint Block

A carrier endpoint defines a specific client on the carrier network. Typically the client IP address is used to identify the client, however on a carrier network this may be impractical when the client is using a mobile device. Other identifying information such as the MSIDSN number is used instead.

This information can be used to block a specific endpoint on the network. Reasons for blocking may include clients whose accounts have expired, clients from another carrier, clients who have sent malicious content (phishing, exploits, viruses, etc), or other violations of terms of use.

Enabling carrier endpoint blocking

To enable carrier endpoint blocking you first need to create a carrier endpoint filter list, and then enable it.

To enable carrier endpoint blocking - GUI
  1. Create a carrier endpoint filter list.
  2. Go to Security Profiles > MMS Profile.
  3. Select Create New, or select an existing profile to edit and select Edit.
  4. Expand MMS Scanning.
  5. Select one or more types of MMS messaging to enable endpoint blocking on.
  6. Select the carrier endpoint filter list to use in matching the endpoints to be blocked.
caution icon In MMS Profile, endpoints can only be blocked.
Create a carrier endpoint filter list

A carrier endpoint filter list contains one or more carrier endpoints to match. When used in MMS scanning entries in the filter list that are matched are blocked.

You can configure multiple filter lists for different purposes and groups of clients, such as blocking clients, clients with different levels of service agreements, and clients from other carriers. See Carrier endpoint filter lists configuration settings.

To create a carrier endpoint filter list - GUI
  1. Go to Security Profiles > Carrier Endpoint Filter Lists.
  2. Select Create New.
  3. Enter a descriptive name for the filter list, such as blocked_clients or CountryX_clients, and select OK.
  4. Select Create New to add one or more entries to the list.
  5. Select OK to return to display the list of filter lists.
Configuring endpoint filter list entries

For each single endpoint or group of endpoints have part of their identifying information in common, you create an entry in the endpoint filter list.

For example a blocked_clients filter list may include entries for single endpoints added as each one needs to be blocked and a group of clients from a country that does not allow certain services.

To configure an endpoint filter list entry - GUI
  1. Select Create New.
  2. Enter the following information and select OK.
Name Name of endpoint filter list. Select this name in an MMS protection profile.
Comments Optional description of the endpoint filter list.
Check/Uncheck All Select the check box to enable all endpoint patterns in the MMS filter list.

Clear the check box to disable all entries on the MMS filter list.

You can also select or clear individual check boxes to enable or disable individual endpoint patterns.
Pattern The pattern that FortiOS Carrier uses to match with endpoints. The pattern can be a single endpoint or consist of wildcards or Perl regular expressions that will match more than one endpoint. For more on wildcard and regular expressions, see Using wildcards and Perl regular expressions in the UTM guide.
Action Select the action taken by FortiOS Carrier for messages from a carrier endpoint that matches the endpoint pattern:

None - No action is taken.

Block - MMS messages from the endpoint are not delivered and FortiOS Carrier records a log message.

Exempt from mass MMS - MMS messages from the endpoint are delivered and are exempt from mass MMS filtering. Mass MMS filtering is configured in MMS protection profiles and is also called MMS Bulk Email Filtering and includes MMS message flood protection and MMS duplicate message detection. A valid use of mass MMS would be when a service provider notifies customers of a system-wide event such as a shutdown.

Exempt from all scanning - MMS messages from the endpoint are delivered and are exempt from all MMS protection profile scanning.
Content Archive MMS messages from the endpoint are delivered, the message content is DLP archived according to MMS DLP archive settings. Content archiving is also called DLP archiving.
Intercept MMS messages from the endpoint are delivered. Based on the quarantine configuration, attached files may be removed and quarantined.
Pattern Type The pattern type: Wildcard, Regular Expression, or Single Endpoint.
Enable Select to enable this endpoint filter pattern.
Blocking network access based on endpoints

You can use endpoint IP filtering to block traffic from source IP addresses associated with endpoints. You can also configure FortiOS Carrier to record log messages whenever endpoint IP filtering blocks traffic. Endpoint IP filtering blocks traffic at the IP level, before the traffic is accepted by a security policy.

To configure endpoint IP filtering, go to Security Profiles > IP Filter and add endpoints to the IP filter list. For each endpoint you can enable or disable both blocking traffic and logging blocked traffic.

note icon You cannot add endpoint patterns to the endpoint IP filter list. You must enter complete and specific endpoints that are valid for your network.
caution icon The only action available is block. You cannot use endpoint IP filtering to exempt endpoints from IP filtering or to content archive or quarantine communication sessions.

FortiOS Carrier looks in the current user context list for the endpoints in the IP filter list and extracts the source IP addresses for these endpoints. Then any communication session with a source IP address that matches one of these IP addresses is blocked at the IP level, before the communication session is accepted by a security policy.

FortiOS Carrier dynamically updates the list of IP addresses to block as the user context list changes. Only these updated IP addresses are blocked by endpoint IP filtering.

For information about the carrier endpoints and the user context list, including how entries are added to and removed from this list.

MMS Content Checksum

The MMS content checksum feature attempts to match checksums of known malicious MMS messages, and on a successful match it will be blocked. The checksums are applied to each part of the message—attached files and message body have separate checksums. These checksums are created with CRC-32, the same method as FortiAnalyzer checksums.

For example, if an MMS message contains a browser exploit in the message body, you can add the checksum for that message body to the list, and future occurrences of that exact message will be blocked. Content will be replaced by the content checksum block notification replacement message for that type of MMS message, and if it is enabled the event will be logged.

One possible implementation would to configure all .sis files to be intercepted. When one is found to be infected or malicious it would be added to the MMS content checksum list.

To use this feature a list of one or more malicious checksums must be created and then the feature is enabled using that list. For a detailed list of options, see MMS Content Checksum.

To configure an MMS content checksum list
  1. Go to Security Profiles > MMS Content Checksum.
  2. Select Create New.
  3. Enter a name for the list of checksums, and select OK.
  4. You are taken to the edit screen for that new list.

  5. Select Create New to add a checksum.
  6. Enter the Name and Checksum, and select OK.
  7. The checksum is added to the list.

To add more checksums to the list, repeat steps 4 and 5.

To remove a checksum from the list you can either delete the checksum or simply disable it and leave it in the list.

To enable MMS content checksums, expand MMS Scanning and select MMS Content Checksum for the selected MMS types. Select the checksum list to match.

Passing or blocking fragmented messages

Select to pass fragmented MM3 and MM4 messages. Fragmented MMS messages cannot be scanned for viruses. If you do not select these options, fragmented MM3 and MM4 message are blocked.

The Interval is the time in seconds before client comforting starts after the download has begun, and the time between sending subsequent data.

The Amount is the number of bytes sent by client or server comforting at each interval.

Client comforting

In general, client comting is available for for MM1 and MM7 messaging and provides a visual display of progress for web page loading or HTTP or FTP file downloads. Client comforting does this by sending the first few packets of the file or web page being downloaded to the client at configured time intervals so that the client is not aware that the download has been delayed. The client is the web browser or FTP client. Without client comforting, clients and their users have no indication that the download has started until the Carrier-enabled FortiGate unit has completely buffered and scanned the download. During this delay users may cancel or repeatedly retry the transfer, thinking it has failed.

The appearance of a client comforting message (for example, a progress bar) is client-dependent. In some instances, there will be no visual client comforting cue.

During client comforting, if the file being downloaded is found to be infected, then the Carrier-enabled FortiGate unit caches the URL and drops the connection. The client does not receive any notification of what happened because the download to the client had already started. Instead the download stops, and the user is left with a partially downloaded file.

If the user tries to download the same file again within a short period of time, then the cached URL is matched and the download is blocked. The client receives the Infection cache message replacement message as a notification that the download has been blocked. The number of URLs in the cache is limited by the size of the cache.

caution icon Client comforting can send unscanned (and therefore potentially infected) content to the client. Only enable client comforting if you are prepared to accept this risk. Keeping the client comforting interval high and the amount low will reduce the amount of potentially infected data that is downloaded.
MM1 and MM7 client comforting steps

Since MM1 and MM7 messages use HTTP, MM1 and MM7 client comforting operates like HTTP client comforting.

The following steps show how client comforting works for a download of a 1 Mbyte file with the client comforting interval set to 20 seconds and the client comforting amount set to 512 bytes.

  1. The client requests the file.
  2. The Carrier-enabled FortiGate unit buffers the file from the server. The connection is slow, so after 20 seconds about one half of the file has been buffered.
  3. The Carrier-enabled FortiGate unit continues buffering the file from the server, and also sends 512 bytes to the client.
  4. After 20 more seconds, the FortiGate unit sends the next 512 bytes of the buffered file to the client.
  5. When the file has been completely buffered, the client has received the following amount of data:
  6. ca * (T/ci) bytes == 512 * (40/20) == 512 * 2 == 1024 bytes,

    where ca is the client comforting amount, T is the buffering time and ci is the client comforting interval.

  7. If the file does not contain a virus, the Carrier-enabled FortiGate unit sends the rest of the file to the client. If the file is infected, the FortiGate closes the data connection but cannot send a message to the client.

Server comforting

Server comforting can be selected for each protocol.

Similar to client comforting, you can use server comforting to prevent server connection timeouts that can occur while waiting for FortiOS Carrier to buffer and scan large POST requests from slow clients.

The Interval is the time in seconds before client and server comforting starts after the download has begun, and the time between sending subsequent data.

The Amount is the number of bytes sent by client or server comforting at each interval.

Handling oversized MMS messages

Select Block or Pass for files and email messages exceeding configured thresholds for each protocol.

The oversize threshold refers to the final size of the message, including attachments, after encoding by the client. Clients can use a variety of encoding types; some result in larger file sizes than the original attachment. As a result, a file may be blocked or logged as oversized even if the attachment is several megabytes smaller than the oversize threshold.

MM1 sample messages

Internet Protocol, Src Addr: 10.128.206.202 (10.128.206.202), Dst Addr: 10.129.192.190 (10.129.192.190)

Transmission Control Protocol, Src Port: 34322 (34322), Dst Port: http (80), Seq: 1, Ack: 1, Len: 1380

Source port: 34322 (34322)

Destination port: http (80)

Header length: 20 bytes

Flags: 0x0010 (ACK)

Window size: 24840

Checksum: 0x63c1 (correct)

HTTP proxy

Hypertext Transfer Protocol

POST / HTTP/1.1\r\n

Request Method: POST

Request URI: /

Request Version: HTTP/1.1

Host: 10.129.192.190\r\n

Accept: */*, application/vnd.wap.sic,application/vnd.wap.mms-message,text/x-hdml,image/mng,image/x-mng,video/mng,video/x-mng,image/bmp\r\n

Accept-Charset: utf-8,*\r\n

Accept-Language: en\r\n

Content-Length: 25902\r\n

Content-Type: application/vnd.wap.mms-message\r\n

User-Agent: Nokia7650/1.0 SymbianOS/6.1 Series60/0.9 Profile/MIDP-1.0 Configuration/CLDC-1.0 UP.Link/6.2.1\r\n

x-up-devcap-charset: utf-8\r\n

x-up-devcap-max-pdu: 102400\r\n

x-up-uplink: magh-ip.mi.vas.omnitel.it\r\n

x-wap-profile: "http://nds.nokia.com/uaprof/N7650r200.xml"\r\n

x-up-subno: 1046428312-826\r\n

x-up-calling-line-id: 393475171234\r\n

x-up-forwarded-for: 10.211.4.12\r\n

x-forwarded-for: 10.211.4.12\r\n

Via: 1.1 magh-ip.mi.vas.omnitel.it\r\n

\r\n

Scan engine

MMS Message Encapsulation, Type: m-send-req

X-Mms-Message-Type: m-send-req (0x80)

X-Mms-Transaction-ID: 1458481935

X-Mms-MMS-Version: 1.0

From: <insert address>

To: 3475171234/TYPE=PLMN

X-Mms-Message-Class: Personal (0x80)

X-Mms-Expiry: 21600.000000000 seconds

X-Mms-Priority: Normal (0x81)

X-Mms-Delivery-Report: No (0x81)

X-Mms-Read-Report: No (0x81)

Content-Type: application/vnd.wap.multipart.related; start=<1822989907>; type=application/smil

Start: <1822989907>

Type: application/smil

Data (Post)

Multipart body

Part: 1, content-type: text/plain

Content-Type: text/plain; charset=iso-10646-ucs-2; name=Ciao.txt

Charset: iso-10646-ucs-2

Name: Ciao.txt

Headers

Content-Location: Ciao.txt

Line-based text data: text/plain

\377\376C\000i\000a\000o\000

[Unreassembled Packet: MMSE]

Sender notifications and logging

In most cases you will notify the sender that they are causing problems on the network — either by sending malware content, flooding the network, or some other unwanted activity. The notification assumes the sender is unaware of their activity and will stop or correct it when notified.

However, senders who are notified may use this information to circumvent administration’s precautions. For example if flood notification is set to 1000 messages per minute, a notified user may simply reduce their message to 990 messages per minute if this flood is intentional. For this reason, not all problems include sender notifications.

There are two methods of notifying senders:

And three details to consider for logging and notifying administrators:

MMS notifications

MMS notifications enable you to customize notifications for many different situations and differently for all the supported MMS message protocols — MM1, MM3, MM4, and MM7.

MMS notification types include:

  • Content Filter
  • File Block
  • Carrier Endpoint Block
  • Flood
  • Duplicate
  • MMS Content Checksum
  • Virus Scan

Day of Week, Window start time and Window Duration define what days and what time of day alert notifications will be sent. This allows you to control what alerts are sent on weekends. It also lets you control when to start sending notifications each day. This can be useful if system maintenance is performed at the same time each night — you might want to start alert notifications after maintenance has completed. Another reason to limit the time alert messages are sent could be to limit message traffic to business hours.

Notifications screen for FortiOS Carrier MMS Profile

For MMS Notification options, see MMS Notifications.

Replacement messages

FortiGate units send replacement messages when messages or content is blocked, quarantined, or otherwise diverted from the receiver. In it’s place a message is sent to notify the receiver what happened.

With FortiOS Carrier MMS replacement messages, send and receive message types are supported separately and receive their own custom replacement messages. This allows the network to potentially notify both the sender and receiver of the problem.

For example the replacement message MM1 send-req file block message is sent to the device that sent one or more files that were banned. The default message that is sent is This device has sent %%NUM_MSG%% messages containing banned files in the last %%DURATION%% hours. The two variables are replaced by the appropriate values.

Replacement messages are not as detailed or specific as MMS notifications, but they are also not as complicated to configure. They are also useful when content has been removed from an MMS message that was still delivered.

Logging and reporting

With each virus infection, or file block, a syslog message is generated. The format of this syslog message is similar to:

2005-09-22 19:15:47 deviceid=FGT5001ABCDEF1234 logid=0211060ABC type=virus subtype=infected level=warning src=10.1.2.3 dst=10.2.3.4 srcintf=port1 dstintf=port2 service=mm1 status=blocked from="<sending MSISDN>" to="<receiving MSISDN>” file="eicar.com.txt" virus="EICAR_TEST_FILE" msg="The file eicar.com.txt is infected with EICAR_TEST_FILE. ref http://www.fortinet.com/VirusEncyclopedia/search/encyclopediaSearch.do?method=quickSearchDirectly&virusName=EICAR_TEST_FILE”

Note that the from and to fields are samples and not real values.

MMS logging options

You can enable logging in an MMS protection profile to write event log messages when the MMS protection profile options that you have enabled perform an action. For example, if you enable MMS antivirus protection, you could also use the MMS protection profile logging options to write an event log message every time a virus is detected.

To record these log messages you must first configure how the FortiOS Carrier unit stores log messages.

To configure MMS content archiving, go to Security Profiles > MMS Profile. Select Create New or select the Edit icon beside an existing profile. Expand MMS Bulk AntiSpam Detection > Logging. Complete the fields as described in the following table and select OK. For more a detailed list of options, see Logging.

SNMP

A simple SNMP trap will be generated to inform the operators’ alerting system that a virus has been detected. This SNMP trap could contain the sending and receiving MSISDN, however the initial solution would reflect the current behavior, i.e. only the fact that a virus has been detected will be communicated.

MMS content-based Antispam protection

Expand MMS Scanning and select Content Filter in an MMS protection profile to create content filter block/allowlists that block or allow MMS messages based on the content of the message.

Overview

A school computer lab may block age-inappropriate content. A place of business may block unproductive content. A public access internet cafe may block offensive and graphic content. Each installation has its own requirements for what content needs to be blocked, and in what language.

FortiOS Carrier provides the ability to create custom local dictionaries, blocklists, and allowlists in multiple languages enables you to protect your customers from malicious content around the world.

Configurable dictionary

You can create a dictionary of configurable terms and phrases using the CLI. The text of MMS messages will be searched for these terms and phrases. Add content filter lists that contain content that you want to match in MMS messages. For every match found, a score is added. If enough matches are found to set the total score above the configured threshold, the MMS message is blocked.

You can add words, phrases, wild cards and Perl regular expressions to create content patterns that match content in MMS messages. For more on wildcard and regular expressions, see Using wildcards and Perl regular expressions in the UTM guide.

For each pattern you can select Block or Exempt.

  • Block adds an antispam blocklist pattern. A match with a block pattern blocks a message depending on the score of the pattern and the content filter threshold.
  • Exempt adds an antispam allowlist pattern. A match with an exempt pattern allows the message to proceed through the FortiOS Carrier unit, even if other content patterns in the same content filter list would block it.

If a pattern contains a single word, the FortiOS Carrier unit searches for the word in MMS messages. If the pattern contains a phrase, the FortiOS Carrier unit searches for all of the words in the phrase. If the pattern contains a phrase in quotation marks, the FortiOS Carrier unit searches for the whole phrase.

You can create patterns with Simplified Chinese, Traditional Chinese, Cyrillic, French, Japanese, Korean, Spanish, Thai, or Western character sets.

Blocklisting

Blocklisting is the practice of banning entries on the list. For example if an IP address continuously sends viruses, it may be added to the blocklist. That means any computers that consult that list will not communicate with that IP address.

Sometimes computers or devices can be added to blocklists for a temporary problem, such as a virus that is removed when notified. However, as a rule short of contacting the administrator in person to manually be removed form the blocklist, users have to wait and they generally will be removed after a period without problem.

Allowlisting

Allowlisting is the practice of adding all critical IP addresses to a list, such as company email and web servers. Then if those servers become infected and start sending spam or viruses, those servers are not blocked. This allows the critical traffic through, even if there might be some malicious traffic as well. Blocking all traffic from your company servers would halt company productivity.

Scores and thresholds

Each content pattern includes a score. When a MMS message is matched with a pattern the score is recorded. If a message matches more than one pattern or matches the same pattern more than once, the score for the message increases. When the total score for a message equals or exceeds the threshold the message is blocked.

The default score for a content filter list entry is 10 and the default threshold is 10. This means that by default a message is blocked by a single match. You can change the scores and threshold so that messages can only be blocked if there are multiple matches. For example, you may only want to block messages that contain the phrase “example” if it appears twice. To do this, add the “example” pattern, set action to block and score to 5. Keep the threshold at 10. If “example” is found twice or more in a message the score adds up 10 (or more) and the message is blocked.

Configuring content-based antispam protection

To apply content-based antispam protection - CLI

config webfilter content

edit <filter_table_number>

set name <filter_table_name>

config entries

edit <phrase or regexp you want to block>

set action {block | exempt}

set lang <phrase language>

set pattern-type {wildcard | regexp}

set score <phrase score>

set status {enable | disable}

end

end

Configuring sender notifications

When someone on the MMS network sends an MMS message that is blocked, in most cases you will notify the sender. Typically an administrator is notified in addition to the sender so action can be taken if required. There are two types of sender notifications available in FortiOS Carrier: MMS notifications, and Replacement Messages.

MMS notifications

MMS notifications to senders are configured in Security Profiles > MMS Profile, under MMS Notifications.

In this section you can configure up to four different notification recipients for any combination of MM1/3/4/7 protocol MMS messages. Also for MM7 messages the message type can be submit.REQ or deliver.REQ.

Useful settings include:

  • delay in message based on notification type
  • limit on notifications per second to prevent a flood
  • schedules for notifications
  • log in details for MM7 messages.

For more information on MMS notifications, see Notifying message flood senders and receivers and MMS Notifications.

Replacement messages

Replacement messages are features common to both FortiOS and FortiOS Carrier, however FortiOS Carrier has additional messages for the MMS traffic.

While each MMS protocol has its own different rec placement messages, the one common to all MMS protocols is the MMS blocked content replacement message. This is the message that the receiver of the message sees when their content is blocked.

MMS DLP archiving

You can use DLP archiving to collect and view historical logs that have been archived to a FortiAnalyzer unit or the FortiGuard Analysis and Management service. DLP archiving is available for FortiAnalyzer when you add a FortiAnalyzer unit to the FortiOS Carrier configuration. The FortiGuard Analysis and Management server becomes available when you subscribe to the FortiGuard Analysis and Management Service.

You can configure full DLP archiving and summary DLP archiving. Full DLP archiving includes all content, for example, full email DLP archiving includes complete email messages and attachments. Summary DLP archiving includes just the meta data about the content, for example, email message summary records include only the email header.

You can archive MM1, MM3, MM4, and MM7 content.

Configuring MMS DLP archiving

Select DLP archive options to archive MM1, MM3, MM4, and MM7 sessions. For each protocol you can archive just session metadata (Summary), or metadata and a copy of the associated file or message (Full).

In addition to MMS protection profile DLP archive options you can:

  • Archive MM1 and MM7 message floods
  • Archive MM1 and MM7 duplicate messages
  • Select DLP archiving for carrier endpoint patterns in a Carrier Endpoint List and select the Carrier Endpoint Block option in the MMS Scanning section of an MMS Protection Profile

FortiOS Carrier only allows one sixteenth of its memory for transferring content archive files. For example, for Carrier-enabled FortiGate units with 128 MB RAM, only 8 MB of memory is used when transferring content archive files. Best practices dictate to not enable full content archiving if antivirus scanning is also configured because of these memory constraints.

To configure MMS DLP archiving - GUI
  1. Go to Security Profiles > MMS Profile.
  2. Select Create New or select the Edit icon beside an existing profile.
  3. Expand MMS Bulk AntiSpam Detection > Content Archive.
  4. Complete the fields as described in DLP Archive options.
  5. Select OK.

Viewing DLP archives

You can view DLP archives from the Carrier-enabled FortiGate unit GUI. Archives are historical logs that are stored on a log device that supports archiving, such as a FortiAnalyzer unit.

These logs are accessed from either Log & Report > DLP Archive or if you subscribed to the FortiCloud service, you can view log archives from there.

The DLP Archive menu is only visible if one of the following is true.

  • You have configured the FortiGate unit for remote logging and archiving to a FortiAnalyzer unit.
  • You have subscribed to FortiCloud.

The following tabs are available when you are viewing DLP archives for one of these protocols.

  • E-mail to view POP3, IMAP, SMTP, POP3S, IMAPS, SMTPS, and spam email archives.
  • Web to view HTTP and HTTPS archives.
  • FTP to view FTP archives.
  • IM to view AIM, ICQ, MSN, and Yahoo! archives.
  • MMS to view MMS archives.
  • VoIP to view session control (SIP, SIMPLE and SCCP) archives.

If you need to view log archives in Raw format, select Raw beside the Column Settings icon.