Antispam tuning
- If the spam catch rate is low, see Troubleshoot antispam issues for fine tuning instructions.
- Use block and safe lists with caution. They are simple and efficient tools for fighting spam and enhancing performance. They can also cause false positives and false negatives if not used properly, however. For example, a safe list entry *.edu would allow all mail from the .edu top level domain to bypass the FortiMail unit's antispam scans.
- Do not safelist protected domains. Because safe lists bypass antispam scans, email with spoofed sender addresses in the protected domains could bypass antispam features.
- To prevent directory harvest attacks (DHA), use a combination of recipient verification and sender reputation.
- To prevent delivery status notification (DSN) spam, enable bounce verification.
DHA is one a common method used by spammers. It utilizes recipient verification in an attempt to determine an email server’s valid email addresses so that they can be added to a spam database.
If Recipient address Verification (accessed through Domain & User > Domain > Domain) is enabled, each recipient address will be verified with the protected email server. For email destined for invalid recipient addresses, the FortiMail unit will return User Unknown
messages to the SMTP client. However, spammers will utilize this response to guess and learn valid recipient addresses.
To prevent this, enable Enable sender reputation checking in session profiles (located in Profile > Session > Session). Sender reputation weighs each SMTP client’s IP address and assigns them a score. If the SMTP client sends several email messages to unknown recipients, the sender’s reputation score is increased significantly. When the sender reputation score exceeds the threshold, the SMTP client’s SMTP sessions are terminated at connection level.
Spammers may sometimes use the DSN mechanism to bypass antispam measures. In this attack, sometimes called “backscatter”, the spammer spoofs the email address of a legitimate sender and intentionally sends spam to an undeliverable recipient, expecting that the recipient’s email server will send a DSN back to the sender to notify him/her of the delivery failure. Because this attack utilizes innocent email servers and a standard notification mechanism, many antispam mechanisms may be unable to detect the difference between legitimate and spoofed DSN.
To prevent this, enable bounce address tagging and verification (located in Security > Bounce Verification > Setting) and configure it with an active key. In addition, disable both the Bypass bounce verification option (located in Domain & User > Domain > Domain) and the Bypass bounce verification check option (located in Profile > Session > Session). It is also recommended to select Use antispam profile settings for the Bounce verification action option (located in Security > Bounce Verification > Setting). Finally, verify that all email, both incoming and outgoing, is routed through the FortiMail unit. The FortiMail unit cannot tag email, or recognize legitimate DSN for previously sent email, if all email does not pass through it.