Fortinet Document Library

Version:

Version:

Version:

Version:

Version:

Version:


Table of Contents

Administration Guide

Viewing sender, authentication and endpoint reputation

FortiMail tracks and displays the reputation statuses of SMTP clients (sender reputation), login accesses (authentication reputation), and carrier end points (endpoint reputation).

Viewing sender reputation statuses

The FortiMail unit tracks SMTP client behavior to limit deliveries of those clients sending excessive spam messages, infected email, or messages to invalid recipients. Should clients continue delivering these types of messages, their connection attempts are temporarily or permanently rejected. Sender reputation is managed by the FortiMail unit and requires no administration.

Monitor > Reputation > Sender Reputation displays the sender reputation score for each SMTP client.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read-Write permission to the Policy category

For details, see About administrator account permissions and domains.

For more information on enabling sender reputation and configuring the score thresholds, see Configuring sender reputation options.

To view the sender reputation scores, go to Monitor > Reputation > Sender Reputation.

Viewing the sender reputation statuses

GUI item

Description

Search

(button)

Click to filter the displayed entries. For more information, see Filtering sender reputation score entries.

IP

The IP address of the SMTP client.

Location

Lists the GeoIP locations/country names.

Score

The SMTP client’s current sender reputation score.

State

Lists the action that the sender reputation feature is currently performing for delivery attempts from the SMTP client.

  • Score controlled: The action is determined by comparing the current Score value to the thresholds in the session profile.

Last Modified

Lists the time and date the sender reputation score was most recently modified.

Sender reputation is a predominantly automatic antispam feature, requiring little or no maintenance. For each connecting SMTP client (sometimes called a sender), the sender reputation feature records the sender IP address and the number of good email and bad email from the sender.

In this case, bad email is defined as:

  • Spam
  • Virus-infected
  • Unknown recipients
  • Invalid DKIM
  • Failed SPF check

The sender reputation feature calculates the sender’s current reputation score using the ratio of good email to bad email, and performs an action based on that score.

The FortiMail unit calculates the sender reputation score using statistics up to 12 hours old, with more recent statistics influencing the score more than older statistics. The sender reputation score decreases (improves) as time passes where the sender has not sent spam. The score itself ranges from 0 to 100, with 0 representing a completely acceptable sender, and 100 being a totally unacceptable sender.

To determine which action the FortiMail unit will perform after it calculates the sender reputation score, the FortiMail unit compares the score to three score thresholds which you can configure in the session profile:

  1. Throttle client at: For scores less than this threshold, senders are allowed to deliver email without restrictions. For scores greater than this threshold but less than the temporary fail threshold, senders are rate-limited in the number of email messages that they can deliver per hour, expressed as either an absolute number or as a percentage of the number sent during the previous hour. If a sender exceeds the limit and keeps sending email, the FortiMail unit will send temporary failure codes to the sender. See descriptions for Temporary fail in Configuring sender reputation options.
  2. Temporarily fail: For scores greater than this threshold but less than the reject threshold, the FortiMail unit replies to senders with a temporary failure code, delaying delivery and requiring senders to retry later when their score is reduced.
  3. Reject: For scores greater than this threshold, the FortiMail unit replies to senders with a rejection code.

If the SMTP client does not attempt any email deliveries for more than 12 hours, the SMTP client’s sender reputation entry is deleted, and a subsequent delivery attempt is regarded as a new SMTP client by the sender reputation feature.

Note

Although sender reputation entries are used for only 12 hours after last delivery attempt, the entry may still appear in list of sender reputation scores.

Filtering sender reputation score entries

You can filter sender reputation score entries that appear on the Display tab based on the IP address of the SMTP client, the score, state, and date/time of the last score modification.

To filter the sender reputation score entries
  1. Go to Monitor > Reputation > Sender Reputation.
  2. Click Search.
  3. A dialog appears.

  4. Configure one or more of the following:
  5. GUI item

    Description

    Field

    Select one of the following in the entries that you want to use to filter the display.

    • IP
    • Score
    • State
    • Last Modified

    Operation

    Select how to match the field’s contents, such as whether the row must contain the contents of Value.

    Case Sensitive

    Enable for case-sensitive filtering.

    Value

    Enter a pattern or exact value, based on your selection in Field and Operation.

    • IP: Enter the IP address of the SMTP client, such as 172.16.1.10, for the entry that you want to display.
    • Score: Enter the minimum and maximum of the range of scores of entries that you want to display.
    • State: Select the State of entries that you want to display.
    • Last modified: Select the year, month, day, and/or hour before or after the Last Modified value of entries that you want to display.

    Blank fields match any value. Regular expressions and wild cards are not supported.

  6. Click Search.
  7. The Display tab appears again, but its contents are restricted to entries that match your filter criteria. To remove the filter criteria and display all entries, click the Display tab to refresh its view.

Viewing authentication reputation statuses

FortiMail tracks login attempt failures of CLI, mail and web access. To configure the authentication tracking settings, see Configuring authentication reputation.

To view the authentication reputation statuses
  1. Go to Monitor > Reputation > Authentication Reputation.
  2. If Authentication Reputation is set to Enable (see Configuring authentication reputation), this page displays the following information:
  3. GUI item

    Description

    IP

    Lists the blocked IP addresses.

    Location

    Lists the GeoIP locations/country names.

    Violation

    List the violation reasons.

    Access

    Lists the access type: CLI, Mail, or Web. For details see Configuring authentication reputation.

    Expiry Time

    Displays when the blocking period will end. The blocking period is configurable under Security > Authentication Reputation > Setting. For details see Configuring authentication reputation.

  4. If it is set to Monitor only (see Configuring authentication reputation), this page displays the following information:
  5. GUI item

    Description

    IP

    Lists the IP addresses with login failures.

    Location

    Lists the GeoIP locations/country names.

    Score

    Displays the reputation scores. An IP/score in red color means that the IP address would have been blocked if the reputation setting was set to Enable instead of Monitor only.

Viewing endpoint reputation statuses

Go to Monitor > Reputation > Endpoint Reputation to view the current list of carrier end points (by their MSISDN, subscriber ID, or other identifier) that were caught by FortiMail for sending spam. For general procedures about how to configure endpoint reputation, see Configuring endpoint reputation.

Note

The Endpoint Reputation tab is not enabled by default. You must use the following CLI commands to enable the feature and then the tab will appear on the GUI:

config antispam settings

set carrier-endpoint-status enable

end

If a carrier end point has attempted to deliver during the automatic blocklisting window a number of spam text messages that is greater than the automatic endpoint blocklisting threshold, FortiMail unit adds the carrier end point to the automatic endpoint block list for the duration configured in the session profile. While the carrier end point is on the automatic block list and it does not expire, all text messages or email messages from it will be rejected. For information on configuring the automatic block list window, see Configuring the endpoint reputation score window. For information on enabling the endpoint reputation scan and configuring the automatic block list threshold in a session profile, see Configuring session profiles.

Note

You can alternatively blocklist MSISDNs/subscriber IDs manually. For more information, see Manually blocklisting endpoints.

 

Note

You can exempt MSISDNs/subscriber IDs from automatic blocklisting. For more information, see Exempting endpoints from endpoint reputation.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Block/Safe List category

For details, see About administrator account permissions and domains.

To view the automatic endpoint reputation block list, go to Monitor > Reputation > Endpoint Reputation.

GUI item

Description

Move

(button)

To move entries to the manual endpoint block list or safe list, in the check box column, mark the check boxes of entries that you want to move, then click Move.

Search

(button)

Click to filter the displayed entries. For more information, see Filtering automatic endpoint block list entries.

Endpoint ID

Lists the mobile subscriber IDSN (MSISDN), subscriber ID, login ID, or other unique identifier for the carrier end point.

Score

Lists the number of text messages or email messages that the FortiMail has detected as spam or infected from the MSISDN/subscriber ID during the automatic endpoint block list window.

Expire

Lists the time at which the automatic endpoint blocklisting entry expires and is removed from the list.

N/A appears if the endpoint ID has not reached the threshold yet.

Filtering automatic endpoint block list entries

You can filter automatic endpoint block list entries that appear on the Endpoint Reputation tab based on the MSISDN, subscriber ID, or other sender identifier.

To filter the endpoint block list entries
  1. Go to Monitor > Reputation > Endpoint Reputation.
  2. Click Search.
  3. GUI item

    Description

    Field

    Displays one option: Endpoint ID.

    Operation

    Select how to match the field’s contents, such as whether the row must contain the contents of Value.

    Value

    Enter the identifier of the carrier end point, such as the subscriber ID or MSISDN, for the entry that you want to display.

    A blank field matches any value. Use an asterisk (*) to match multiple patterns, such as typing 46* to match 46701123456, 46701123457, and so forth. Regular expressions are not supported.

    A? (Case Sensitive)

    Enable for case-sensitive filtering.

  4. Click Search.
  5. The Auto Blocklist tab appears again, but its contents are restricted to entries that match your filter criteria. To remove the filter criteria and display all entries, click the Auto Blocklist tab to refresh its view.

Viewing sender, authentication and endpoint reputation

FortiMail tracks and displays the reputation statuses of SMTP clients (sender reputation), login accesses (authentication reputation), and carrier end points (endpoint reputation).

Viewing sender reputation statuses

The FortiMail unit tracks SMTP client behavior to limit deliveries of those clients sending excessive spam messages, infected email, or messages to invalid recipients. Should clients continue delivering these types of messages, their connection attempts are temporarily or permanently rejected. Sender reputation is managed by the FortiMail unit and requires no administration.

Monitor > Reputation > Sender Reputation displays the sender reputation score for each SMTP client.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read-Write permission to the Policy category

For details, see About administrator account permissions and domains.

For more information on enabling sender reputation and configuring the score thresholds, see Configuring sender reputation options.

To view the sender reputation scores, go to Monitor > Reputation > Sender Reputation.

Viewing the sender reputation statuses

GUI item

Description

Search

(button)

Click to filter the displayed entries. For more information, see Filtering sender reputation score entries.

IP

The IP address of the SMTP client.

Location

Lists the GeoIP locations/country names.

Score

The SMTP client’s current sender reputation score.

State

Lists the action that the sender reputation feature is currently performing for delivery attempts from the SMTP client.

  • Score controlled: The action is determined by comparing the current Score value to the thresholds in the session profile.

Last Modified

Lists the time and date the sender reputation score was most recently modified.

Sender reputation is a predominantly automatic antispam feature, requiring little or no maintenance. For each connecting SMTP client (sometimes called a sender), the sender reputation feature records the sender IP address and the number of good email and bad email from the sender.

In this case, bad email is defined as:

  • Spam
  • Virus-infected
  • Unknown recipients
  • Invalid DKIM
  • Failed SPF check

The sender reputation feature calculates the sender’s current reputation score using the ratio of good email to bad email, and performs an action based on that score.

The FortiMail unit calculates the sender reputation score using statistics up to 12 hours old, with more recent statistics influencing the score more than older statistics. The sender reputation score decreases (improves) as time passes where the sender has not sent spam. The score itself ranges from 0 to 100, with 0 representing a completely acceptable sender, and 100 being a totally unacceptable sender.

To determine which action the FortiMail unit will perform after it calculates the sender reputation score, the FortiMail unit compares the score to three score thresholds which you can configure in the session profile:

  1. Throttle client at: For scores less than this threshold, senders are allowed to deliver email without restrictions. For scores greater than this threshold but less than the temporary fail threshold, senders are rate-limited in the number of email messages that they can deliver per hour, expressed as either an absolute number or as a percentage of the number sent during the previous hour. If a sender exceeds the limit and keeps sending email, the FortiMail unit will send temporary failure codes to the sender. See descriptions for Temporary fail in Configuring sender reputation options.
  2. Temporarily fail: For scores greater than this threshold but less than the reject threshold, the FortiMail unit replies to senders with a temporary failure code, delaying delivery and requiring senders to retry later when their score is reduced.
  3. Reject: For scores greater than this threshold, the FortiMail unit replies to senders with a rejection code.

If the SMTP client does not attempt any email deliveries for more than 12 hours, the SMTP client’s sender reputation entry is deleted, and a subsequent delivery attempt is regarded as a new SMTP client by the sender reputation feature.

Note

Although sender reputation entries are used for only 12 hours after last delivery attempt, the entry may still appear in list of sender reputation scores.

Filtering sender reputation score entries

You can filter sender reputation score entries that appear on the Display tab based on the IP address of the SMTP client, the score, state, and date/time of the last score modification.

To filter the sender reputation score entries
  1. Go to Monitor > Reputation > Sender Reputation.
  2. Click Search.
  3. A dialog appears.

  4. Configure one or more of the following:
  5. GUI item

    Description

    Field

    Select one of the following in the entries that you want to use to filter the display.

    • IP
    • Score
    • State
    • Last Modified

    Operation

    Select how to match the field’s contents, such as whether the row must contain the contents of Value.

    Case Sensitive

    Enable for case-sensitive filtering.

    Value

    Enter a pattern or exact value, based on your selection in Field and Operation.

    • IP: Enter the IP address of the SMTP client, such as 172.16.1.10, for the entry that you want to display.
    • Score: Enter the minimum and maximum of the range of scores of entries that you want to display.
    • State: Select the State of entries that you want to display.
    • Last modified: Select the year, month, day, and/or hour before or after the Last Modified value of entries that you want to display.

    Blank fields match any value. Regular expressions and wild cards are not supported.

  6. Click Search.
  7. The Display tab appears again, but its contents are restricted to entries that match your filter criteria. To remove the filter criteria and display all entries, click the Display tab to refresh its view.

Viewing authentication reputation statuses

FortiMail tracks login attempt failures of CLI, mail and web access. To configure the authentication tracking settings, see Configuring authentication reputation.

To view the authentication reputation statuses
  1. Go to Monitor > Reputation > Authentication Reputation.
  2. If Authentication Reputation is set to Enable (see Configuring authentication reputation), this page displays the following information:
  3. GUI item

    Description

    IP

    Lists the blocked IP addresses.

    Location

    Lists the GeoIP locations/country names.

    Violation

    List the violation reasons.

    Access

    Lists the access type: CLI, Mail, or Web. For details see Configuring authentication reputation.

    Expiry Time

    Displays when the blocking period will end. The blocking period is configurable under Security > Authentication Reputation > Setting. For details see Configuring authentication reputation.

  4. If it is set to Monitor only (see Configuring authentication reputation), this page displays the following information:
  5. GUI item

    Description

    IP

    Lists the IP addresses with login failures.

    Location

    Lists the GeoIP locations/country names.

    Score

    Displays the reputation scores. An IP/score in red color means that the IP address would have been blocked if the reputation setting was set to Enable instead of Monitor only.

Viewing endpoint reputation statuses

Go to Monitor > Reputation > Endpoint Reputation to view the current list of carrier end points (by their MSISDN, subscriber ID, or other identifier) that were caught by FortiMail for sending spam. For general procedures about how to configure endpoint reputation, see Configuring endpoint reputation.

Note

The Endpoint Reputation tab is not enabled by default. You must use the following CLI commands to enable the feature and then the tab will appear on the GUI:

config antispam settings

set carrier-endpoint-status enable

end

If a carrier end point has attempted to deliver during the automatic blocklisting window a number of spam text messages that is greater than the automatic endpoint blocklisting threshold, FortiMail unit adds the carrier end point to the automatic endpoint block list for the duration configured in the session profile. While the carrier end point is on the automatic block list and it does not expire, all text messages or email messages from it will be rejected. For information on configuring the automatic block list window, see Configuring the endpoint reputation score window. For information on enabling the endpoint reputation scan and configuring the automatic block list threshold in a session profile, see Configuring session profiles.

Note

You can alternatively blocklist MSISDNs/subscriber IDs manually. For more information, see Manually blocklisting endpoints.

 

Note

You can exempt MSISDNs/subscriber IDs from automatic blocklisting. For more information, see Exempting endpoints from endpoint reputation.

To access this part of the web UI, your administrator account’s:

  • Domain must be System
  • access profile must have Read or Read-Write permission to the Block/Safe List category

For details, see About administrator account permissions and domains.

To view the automatic endpoint reputation block list, go to Monitor > Reputation > Endpoint Reputation.

GUI item

Description

Move

(button)

To move entries to the manual endpoint block list or safe list, in the check box column, mark the check boxes of entries that you want to move, then click Move.

Search

(button)

Click to filter the displayed entries. For more information, see Filtering automatic endpoint block list entries.

Endpoint ID

Lists the mobile subscriber IDSN (MSISDN), subscriber ID, login ID, or other unique identifier for the carrier end point.

Score

Lists the number of text messages or email messages that the FortiMail has detected as spam or infected from the MSISDN/subscriber ID during the automatic endpoint block list window.

Expire

Lists the time at which the automatic endpoint blocklisting entry expires and is removed from the list.

N/A appears if the endpoint ID has not reached the threshold yet.

Filtering automatic endpoint block list entries

You can filter automatic endpoint block list entries that appear on the Endpoint Reputation tab based on the MSISDN, subscriber ID, or other sender identifier.

To filter the endpoint block list entries
  1. Go to Monitor > Reputation > Endpoint Reputation.
  2. Click Search.
  3. GUI item

    Description

    Field

    Displays one option: Endpoint ID.

    Operation

    Select how to match the field’s contents, such as whether the row must contain the contents of Value.

    Value

    Enter the identifier of the carrier end point, such as the subscriber ID or MSISDN, for the entry that you want to display.

    A blank field matches any value. Use an asterisk (*) to match multiple patterns, such as typing 46* to match 46701123456, 46701123457, and so forth. Regular expressions are not supported.

    A? (Case Sensitive)

    Enable for case-sensitive filtering.

  4. Click Search.
  5. The Auto Blocklist tab appears again, but its contents are restricted to entries that match your filter criteria. To remove the filter criteria and display all entries, click the Auto Blocklist tab to refresh its view.