Viewing sender, authentication and endpoint reputation

FortiMail tracks and displays the reputation statuses of SMTP clients (sender reputation), login accesses (authentication reputation), and carrier end points (endpoint reputation).

Viewing sender reputation statuses

The FortiMail unit tracks SMTP client behavior to limit deliveries of those clients sending excessive spam messages, infected email, or messages to invalid recipients. Should clients continue delivering these types of messages, their connection attempts are temporarily or permanently rejected. Sender reputation is managed by the FortiMail unit and requires no administration.

Monitor > Reputation > Sender Reputation displays the sender reputation score for each SMTP client.

For more information on enabling sender reputation and configuring the score thresholds, see Configuring sender reputation options.

To view the sender reputation scores, go to Monitor > Reputation > Sender Reputation.

Viewing the sender reputation statuses

GUI item	Description
Search (button)	Click to filter the displayed entries. For more information, see Filtering sender reputation score entries.
Clear (button)	Click to remove any search filter conditions.
IP	The IP address of the SMTP client.
Location	Lists the GeoIP locations/country names.
Score	The SMTP client’s current sender reputation score.
State	Lists the action that the sender reputation feature is currently performing for delivery attempts from the SMTP client. Score controlled: The action is determined by comparing the current Score value to the thresholds in the session profile.
Last Modified	Lists the time and date the sender reputation score was most recently modified.

Sender reputation is a predominantly automatic antispam feature, requiring little or no maintenance. For each connecting SMTP client (sometimes called a sender), the sender reputation feature records the sender IP address and the number of good email and bad email from the sender.

In this case, bad email is defined as:

Spam
Virus-infected
Unknown recipients
Invalid DKIM
Failed SPF check

The sender reputation feature calculates the sender’s current reputation score using the ratio of good email to bad email, and performs an action based on that score.

The FortiMail unit calculates the sender reputation score using statistics up to 12 hours old, with more recent statistics influencing the score more than older statistics. The sender reputation score decreases (improves) as time passes where the sender has not sent spam. The score itself ranges from 0 to 100, with 0 representing a completely acceptable sender, and 100 being a totally unacceptable sender.

To determine which action the FortiMail unit will perform after it calculates the sender reputation score, the FortiMail unit compares the score to three score thresholds which you can configure in the session profile:

Throttle client at: For scores less than this threshold, senders are allowed to deliver email without restrictions. For scores greater than this threshold but less than the temporary fail threshold, senders are rate-limited in the number of email messages that they can deliver per hour, expressed as either an absolute number or as a percentage of the number sent during the previous hour. If a sender exceeds the limit and keeps sending email, the FortiMail unit will send temporary failure codes to the sender. See descriptions for Temporary fail in Configuring sender reputation options.
Temporarily fail: For scores greater than this threshold but less than the reject threshold, the FortiMail unit replies to senders with a temporary failure code, delaying delivery and requiring senders to retry later when their score is reduced.
Reject: For scores greater than this threshold, the FortiMail unit replies to senders with a rejection code.

If the SMTP client does not attempt any email deliveries for more than 12 hours, the SMTP client’s sender reputation entry is deleted, and a subsequent delivery attempt is regarded as a new SMTP client by the sender reputation feature.

Although sender reputation entries are used for only 12 hours after last delivery attempt, the entry may still appear in list of sender reputation scores.

Filtering sender reputation score entries

You can filter sender reputation score entries that appear on the Display tab based on the IP address of the SMTP client, the score, state, and date/time of the last score modification.

To filter the sender reputation score entries

Go to Monitor > Reputation > Sender Reputation.
Click Search.

A dialog appears.

Configure one or more of the following:

GUI item	Description
Field	Select one of the following in the entries that you want to use to filter the display. IP Score State Last Modified
Operation	Select how to match the field’s contents, such as whether the row must contain the contents of Value.
Case Sensitive	Enable for case-sensitive filtering.
Value	Enter a pattern or exact value, based on your selection in Field and Operation. IP: Enter the IP address of the SMTP client, such as `172.16.1.10`, for the entry that you want to display. Score: Enter the minimum and maximum of the range of scores of entries that you want to display. State: Select the State of entries that you want to display. Last modified: Select the year, month, day, and/or hour before or after the Last Modified value of entries that you want to display.

Blank fields match any value. Regular expressions and wild cards are not supported.

Click Search.

The Display tab appears again, but its contents are restricted to entries that match your filter criteria. To remove the filter criteria and display all entries, click Clear.

Viewing authentication reputation statuses

FortiMail tracks login attempt failures of CLI, mail and web access. To configure the authentication tracking settings, see Configuring authentication reputation.

To view the authentication reputation statuses

Go to Monitor > Reputation > Authentication Reputation.
If Authentication Reputation is set to Enable or Monitor only (see Configuring authentication reputation), this page displays the following information:

GUI item	Description
IP	Lists the blocked IP addresses.
Location	Lists the GeoIP locations/country names.
Violation	List the violation reasons.
Access	Lists the access type: CLI, Mail, or Web. For details see Configuring authentication reputation.
Expiry Time	If Authentication Reputation is set to Enable under Security > Authentication Reputation > Setting, this column displays when the blocking period will end. The blocking period is also configurable under Security > Authentication Reputation > Setting. If Authentication Reputation is set to Monitor only, this column displays "To be blocked".

Viewing endpoint reputation statuses

Go to Monitor > Reputation > Endpoint Reputation to view the current list of carrier end points (by their MSISDN, subscriber ID, or other identifier) that were caught by FortiMail for sending spam. For general procedures about how to configure endpoint reputation, see Configuring endpoint reputation.

The Endpoint Reputation tab is not enabled by default. You must use the following CLI commands to enable the feature and then the tab will appear on the GUI:

config antispam settings

set carrier-endpoint-status enable

end

If a carrier end point has attempted to deliver during the automatic blocklisting window a number of spam text messages that is greater than the automatic endpoint blocklisting threshold, FortiMail unit adds the carrier end point to the automatic endpoint block list for the duration configured in the session profile. While the carrier end point is on the automatic block list and it does not expire, all text messages or email messages from it will be rejected. For information on configuring the automatic block list window, see Configuring the endpoint reputation score window. For information on enabling the endpoint reputation scan and configuring the automatic block list threshold in a session profile, see Configuring session profiles.

You can alternatively blocklist MSISDNs/subscriber IDs manually. For more information, see Manually blocklisting endpoints.

You can exempt MSISDNs/subscriber IDs from automatic blocklisting. For more information, see Exempting endpoints from endpoint reputation.

To view the automatic endpoint reputation block list, go to Monitor > Reputation > Endpoint Reputation.

GUI item	Description
Move (button)	To move entries to the manual endpoint block list or safe list, in the check box column, mark the check boxes of entries that you want to move, then click Move.
Search (button)	Click to filter the displayed entries. For more information, see Filtering automatic endpoint block list entries.
Clear (button)	Click to remove any search filter conditions.
Endpoint ID	Lists the mobile subscriber IDSN (MSISDN), subscriber ID, login ID, or other unique identifier for the carrier end point.
Score	Lists the number of text messages or email messages that the FortiMail has detected as spam or infected from the MSISDN/subscriber ID during the automatic endpoint block list window.
Expire	Lists the time at which the automatic endpoint blocklisting entry expires and is removed from the list. N/A appears if the endpoint ID has not reached the threshold yet.

Filtering automatic endpoint block list entries

You can filter automatic endpoint block list entries that appear on the Endpoint Reputation tab based on the MSISDN, subscriber ID, or other sender identifier.

To filter the endpoint block list entries

Go to Monitor > Reputation > Endpoint Reputation.
Click Search.

GUI item	Description
Field	Displays one option: Endpoint ID.
Operation	Select how to match the field’s contents, such as whether the row must contain the contents of Value.
Value	Enter the identifier of the carrier end point, such as the subscriber ID or MSISDN, for the entry that you want to display. A blank field matches any value. Use an asterisk (``) to match multiple patterns, such as typing `46` to match 46701123456, 46701123457, and so forth. Regular expressions are not supported.
A? (Case Sensitive)	Enable for case-sensitive filtering.

Click Search.

The Auto Blocklist tab appears again, but its contents are restricted to entries that match your filter criteria. To remove the filter criteria and display all entries, click Clear.