Administration Guide

Configuring endpoint reputation

Go to Security > Endpoint Reputation to manually blocklist carrier end points, to exempt them from automatic blocklisting due to their reputation score, and to view the list of automatically blocklisted carrier end points.

About endpoint reputation

A carrier end point is any device on the periphery of a carrier’s or Internet service provider’s (ISP) network. It could be, for example, a subscriber’s GSM cellular phone, wireless PDA, or computer using DSL service.

Carrier end points

Unlike MTAs, computers in homes and small offices and mobile devices such as laptops and cellular phones that send email may not have a static IP address. Cellular phones’ IP addresses especially may change very frequently. After a device leaves the network or changes its IP address, its dynamic IP address may be reused by another device. Because of this, a sender reputation score that is directly associated with an SMTP client’s IP address may not function well. A device sending spam could start again with a clean sender reputation score simply by rejoining the network to get another IP address, and an innocent device could be accidentally blocklisted when it receives an IP address that was previously used by a spammer.

To control spam from SMTP clients with dynamic IP addresses, you can use the endpoint reputation score method instead.

The endpoint reputation score method does not directly use the IP address as the SMTP client’s unique identifier. Instead, it uses the subscriber ID, login ID, MSISDN, or other identifier. (An MSISDN is the number associated with a mobile device, such as a SIM card on a cellular phone network.) The IP address is only temporarily associated with this identifier while the device is joined to the network.

When a device joins the network of its service provider, such as a cellular phone carrier or DSL provider, it may use a protocol such as PPPoE or PPPoA which supports authentication. The network access server (NAS) queries the remote authentication dial-in user server (RADIUS) for authentication and access authorization. If successful, the RADIUS server then creates a record which associates the device’s MSISDN, subscriber ID, or other identifier with its current IP address.

The RADIUS server, now acting as a RADIUS client, sends an accounting request containing this mapping to the FortiMail unit. (The FortiMail unit acts as an auxiliary accounting server when the endpoint reputation daemon is enabled.) The FortiMail unit stores the mappings and uses them for the endpoint reputation feature.

When the device leaves the network or changes its IP address, the RADIUS server, again acting as a client, asks the FortiMail unit to stop accounting (that is, to remove its local record of the IP-to-MSISDN/subscriber ID mapping). The FortiMail unit keeps the reputation score associated with the MSISDN or subscriber ID, and re-maps it to the new IP address the next time the mobile device joins the network.

The endpoint reputation feature can be used with traditional email, but it can also be used with MMS text messages.

The multimedia messaging service (MMS) protocol transmits graphics, animations, audio, and video between mobile phones. There are eight interfaces defined for the MMS standard, referred to as MM1 through MM8. MM3 uses SMTP to transmit text messages to and from mobile phones. Because it can be used to transmit content, spammers can also use MMS to send spam.

You can blocklist MSISDNs or subscriber IDs to reduce MMS and email spam.

In addition to manually blocklisting or exempting MSISDNs and subscriber IDs, you can configure automatic blocklisting based on endpoint reputation score. If a carrier end point sends email or text messages that the FortiMail unit detects as spam, the endpoint reputation score increases. You can configure session profiles to log or block, for a period of time, email and text messages from carrier end points whose endpoint reputation score exceeds the threshold during the automatic blocklisting window. For information on enabling endpoint reputation scans in session profiles and configuring the score threshold and automatic blocklisting duration, see Configuring session profiles. For information on configuring the automatic blocklisting window, see Configuring the endpoint reputation score window.

To use the endpoint reputation feature
  1. Enter the following CLI command to start the endpoint reputation daemon:

     config antispam setting
         set carrier-endpoint-status enable
     end

  2. On the web UI, go to Security > Endpoint Reputation and configure the settings described in Manually blocklisting endpoints, Exempting endpoints from endpoint reputation, and Configuring the endpoint reputation score window.
  3. Go to Profile > Session > Session. Mark the check box of the Enable Endpoint Reputation option, then select either Reject or Monitor from Action. For details, see Configuring session profiles.
  4. Go to Policy > IP Policy > IP Policy. Select the session profile in an IP-based policy. For details, see Controlling email based on IP addresses.
  5. If you enable antispam, antivirus, and history logging, you can go to Monitor > Log to view endpoint reputation-related log messages. For details, see Configuring logging and Viewing log messages.

Manually blocklisting endpoints

The Blocklist tab lets you manually blocklist carrier end points by subscriber ID, MSISDN, or other identifier.

Email and text messages from an MSISDN or subscriber ID on the block list are blocked for as long as that identifier remains on the block list.

Note

You can alternatively blocklist subscriber IDs or MSISDNs automatically, based on their reputation score. For more information, see Viewing endpoint reputation statuses.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Policy category

For details, see About administrator account permissions and domains.

To edit a manual carrier endpoint block list
  1. Go to Security > Endpoint Reputation > Blocklist.
  2. Click New to add an entry. (Entries cannot be edited, only deleted.)
  3. A single-field dialog appears.
  4. In Endpoint ID, type the MSISDN, subscriber ID, or other identifier for the carrier end point that you want to add to the list.
  5. Click Create.

Exempting endpoints from endpoint reputation

The Exempt tab lets you manually exempt carrier end points (by MSISDN, subscriber ID, or other identifiers) from automatic blocklisting due to their endpoint reputation score.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Policy category

For details, see About administrator account permissions and domains.

To add an exemption
  1. Go to Security > Endpoint Reputation > Exempt.
  2. Click New to add an entry. (Entries cannot be edited, only deleted.)
  3. A dialog appears.
  4. In Endpoint ID, type the MSISDN, subscriber ID, or other identifier for the carrier end point that you want to exempt.
  5. Click Create.

Filtering manual endpoint block list entries

You can filter manual endpoint block list entries on the Blocklist and Exempt tabs based on the MSISDN, subscriber ID, or other identifier of the sender.

To filter entries
  1. Go to Security > Endpoint Reputation > Blocklist or AntiSpam > Endpoint Reputation > Exempt.
  2. Click the Search button.
  3. A dialog appears.
  4. In the Value field, enter the identifier of the carrier endpoint, such as the subscriber ID or MSISDN, for the entry or entries that you want to display. A blank field matches any value. Use an asterisk (*) to match multiple patterns, such as typing 46* to match 46701123456, 46701123457, and so forth. Regular expressions are not supported.
  5. Select Case Sensitive if capitalization is part of the search requirement.
  6. Under Operation, select Contain or Wildcard to set the search method.
  7. Click Search.
  8. The tab appears again showing just the entries that match your filter criteria. To remove the filter criteria and display all entries, click the tab to refresh its view.

Configuring the endpoint reputation score window

The Settings tab lets you configure the window size for calculating the reputation score for automatic endpoint reputation-based blocklisting.

In addition to manually blocklisting or exempting carrier end points based on their MSISDNs or subscriber IDs, you can configure automatic blocklisting based on endpoint reputation score. If an MSISDN or subscriber ID sends email or text messages that the FortiMail unit detects as spam or infected, the endpoint reputation score increases. You can configure session profiles to log or block, for a period of time, email and text messages from carrier end points whose reputation score exceeds the threshold during the automatic blocklisting window. For information on enabling endpoint reputation scans in session profiles and configuring the score threshold and automatic blocklisting duration, see Configuring session profiles.

For more information on the role of the automatic blocklisting window in the endpoint reputation scan, see Configuring endpoint reputation.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Policy category

For details, see About administrator account permissions and domains.

To configure the automatic endpoint blocklisting window
  1. Go to Security > Endpoint Reputation > Settings.
  2. In Auto blocklist window size, enter the number of previous minutes in which events will be used to calculate the current endpoint reputation score. For example, if the window is 15, detections of spam or viruses within the last 0-15 minutes are counted towards the current score, but detections older than 15 minutes are not.
  3. Click Apply.
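The mechanism described in About endpoint reputation and in the Settings procedure above (RADIUS accounting mappings from IP to MSISDN/subscriber ID, a score that follows the identifier rather than the IP, a sliding window of recent detections, and the manual Blocklist and Exempt lists) as a small Python model. This is added example code, not FortiMail's implementation; it assumes that each spam or virus detection adds one point to the score and that automatic blocklisting triggers when the score exceeds the session-profile threshold.

```python
from collections import defaultdict, deque


class EndpointReputation:
    """Reputation keyed on the carrier endpoint identifier (MSISDN or
    subscriber ID) rather than on the SMTP client's IP address."""

    def __init__(self, window_minutes, threshold, block_minutes):
        self.window = window_minutes          # Auto blocklist window size
        self.threshold = threshold            # score threshold from the session profile
        self.block_minutes = block_minutes    # automatic blocklisting duration
        self.ip_to_endpoint = {}              # live RADIUS accounting mappings
        self.events = defaultdict(deque)      # endpoint -> minutes of spam/virus detections
        self.manual_blocklist = set()         # entries on the Blocklist tab
        self.exempt = set()                   # entries on the Exempt tab
        self.auto_blocked_until = {}          # endpoint -> minute the auto-block expires

    # RADIUS accounting request: associate the device's current IP with its identifier.
    def accounting_start(self, ip, endpoint):
        self.ip_to_endpoint[ip] = endpoint

    # Accounting stop: drop the IP mapping; the score stays with the identifier.
    def accounting_stop(self, ip):
        self.ip_to_endpoint.pop(ip, None)

    def score(self, endpoint, now):
        """Count detections that are 0..window minutes old; older ones fall out."""
        q = self.events[endpoint]
        while q and now - q[0] > self.window:
            q.popleft()
        return len(q)

    def record_detection(self, ip, now):
        """A message from ip was detected as spam or infected at minute 'now'.
        Assumption (not from the guide): each detection adds one point."""
        endpoint = self.ip_to_endpoint.get(ip)
        if endpoint is None:
            return None                       # no accounting record: nothing to score
        self.events[endpoint].append(now)
        if endpoint not in self.exempt and self.score(endpoint, now) > self.threshold:
            self.auto_blocked_until[endpoint] = now + self.block_minutes
        return endpoint

    def verdict(self, ip, now):
        """Session-profile decision for a client at ip: 'reject' or 'accept'."""
        endpoint = self.ip_to_endpoint.get(ip)
        if endpoint is None:
            return "accept"                   # unknown endpoint: other scans still apply
        if endpoint in self.manual_blocklist:
            return "reject"                   # manual block list is unconditional
        if self.auto_blocked_until.get(endpoint, -1) >= now:
            return "reject"                   # still inside the auto-block duration
        return "accept"
```

Note that when a spamming device reconnects with a new IP it is still rejected, while a different device that receives the spammer's old IP starts clean; a blocked identifier that is added to the Exempt tab is not freed from an already-active auto-block in this model.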
